LiveActive security incident?Get immediate response
CVE archive

December 2021

Browse CVE records published in December 2021, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 2052 matching CVEs · Page 4 of 42.

Medium · CVSS 5.5

CVE-2021-0934: In findAllDeAccounts of AccountsDb.java, there is a possible denial of service due to resource exhaustion.

In findAllDeAccounts of AccountsDb.java, there is a possible denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-169762606

Published Dec 13, 2022 · Updated Apr 22, 2025

Critical · CVSS 9.8

CVE-2021-4226: RSFirewall < 1.1.25 - IP Block Bypass

RSFirewall tries to identify the original IP address by looking at different HTTP headers. A bypass is possible due to the way it is implemented.

Published Dec 15, 2022 · Updated Apr 21, 2025

High · CVSS 7.5

CVE-2021-35252: Common Key Vulnerability in Serv-U FTP Server

Common encryption key appears to be used across all deployed instances of Serv-U FTP Server. Because of this an encrypted value that is exposed to an attacker can be simply recovered to plaintext.

Published Dec 16, 2022 · Updated Apr 17, 2025

Medium · CVSS 6.5

CVE-2021-28655: Apache Zeppelin: Arbitrary file deletion vulnerability

The improper Input Validation vulnerability in "”Move folder to Trash” feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.

Published Dec 16, 2022 · Updated Apr 17, 2025

Critical · CVSS 9.8

CVE-2021-4129: Mozilla developers and community members Julian Hector, Randell Jesup, Gabriele Svelto, Tyson Smith, Christ...

Mozilla developers and community members Julian Hector, Randell Jesup, Gabriele Svelto, Tyson Smith, Christian Holler, and Masayuki Nakano reported memory safety bugs present in Firefox 94. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 95, Firefox ESR < 91.4.0, and Thunderbird < 91.4.0.

Published Dec 22, 2022 · Updated Apr 16, 2025

Medium · CVSS 6.5

CVE-2021-4126: When receiving an OpenPGP/MIME signed email message that contains an additional outer MIME message layer, f...

When receiving an OpenPGP/MIME signed email message that contains an additional outer MIME message layer, for example a message footer added by a mailing list gateway, Thunderbird only considered the inner signed message for the signature validity. This gave the false impression that the additional contents were also covered by the digital signature. Starting with Thunderbird version 91.4.1, only the signature that belongs to the top level MIME part will be considered for the displayed status. This vulnerability affects Thunderbird < 91.4.1.

Published Dec 22, 2022 · Updated Apr 16, 2025

Medium · CVSS 4.3

CVE-2021-4221: If a domain name contained a RTL character, it would cause the domain to be rendered to the right of the path.

If a domain name contained a RTL character, it would cause the domain to be rendered to the right of the path. This could lead to user confusion and spoofing attacks. <br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*<br>*Note*: Due to a clerical error this advisory was not included in the original announcement, and was added in Feburary 2022. This vulnerability affects Firefox < 92.

Published Dec 22, 2022 · Updated Apr 16, 2025

Critical · CVSS 9.6

CVE-2021-32692: Activity Watch vulnerable to command execution on macOS via printAppTitle.scpt

Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visiting a website with the page title set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the `printAppTitle.scpt` file.

Published Dec 23, 2022 · Updated Apr 15, 2025

Low · CVSS 2.6

CVE-2021-4244: yikes-inc-easy-mailchimp-extender Plugin add_field_to_form.php cross site scripting

A vulnerability classified as problematic has been found in yikes-inc-easy-mailchimp-extender Plugin up to 6.8.5. This affects an unknown part of the file admin/partials/ajax/add_field_to_form.php. The manipulation of the argument field_name/merge_tag/field_type/list_id leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 6.8.6 is able to address this issue. The name of the patch is 3662c6593aa1bb4286781214891d26de2e947695. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-215307.

Published Dec 12, 2022 · Updated Apr 15, 2025

Medium · CVSS 6.3

CVE-2021-4246: roxlukas LMeve Login Page sql injection

A vulnerability was found in roxlukas LMeve and classified as critical. Affected by this issue is some unknown functionality of the component Login Page. The manipulation of the argument X-Forwarded-For leads to sql injection. The attack may be launched remotely. The name of the patch is 29e1ead3bb1c1fad53b77dfc14534496421c5b5d. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216176.

Published Dec 17, 2022 · Updated Apr 15, 2025

Medium · CVSS 4.3

CVE-2021-4247: OWASP NodeGoat Query Parameter research.js denial of service

A vulnerability has been found in OWASP NodeGoat and classified as problematic. This vulnerability affects unknown code of the file app/routes/research.js of the component Query Parameter Handler. The manipulation leads to denial of service. The attack can be initiated remotely. The name of the patch is 4a4d1db74c63fb4ff8d366551c3af006c25ead12. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216184.

Published Dec 18, 2022 · Updated Apr 15, 2025

Medium · CVSS 5.6

CVE-2021-4248: kapetan dns Request.cs entropy

A vulnerability was found in kapetan dns up to 6.1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file DNS/Protocol/Request.cs. The manipulation leads to insufficient entropy in prng. The attack may be launched remotely. Upgrading to version 7.0.0 is able to address this issue. The name of the patch is cf7105aa2aae90d6656088fe5a8ee1d5730773b6. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216188.

Published Dec 18, 2022 · Updated Apr 15, 2025

Medium · CVSS 4.3

CVE-2021-4249: xml-conduit DOCTYPE Entity Expansion Parse.hs infinite loop

A vulnerability was found in xml-conduit. It has been classified as problematic. Affected is an unknown function of the file xml-conduit/src/Text/XML/Stream/Parse.hs of the component DOCTYPE Entity Expansion Handler. The manipulation leads to infinite loop. It is possible to launch the attack remotely. Upgrading to version 1.9.1.0 is able to address this issue. The name of the patch is 4be1021791dcdee8b164d239433a2043dc0939ea. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216204.

Published Dec 18, 2022 · Updated Apr 15, 2025

Low · CVSS 3.5

CVE-2021-4251: as include.cdn.php getFullURL cross site scripting

A vulnerability classified as problematic was found in as. This vulnerability affects the function getFullURL of the file include.cdn.php. The manipulation leads to cross site scripting. The attack can be initiated remotely. The name of the patch is 4acad1e3d2c34c017473ceea442fb3e3e078b2bd. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216208.

Published Dec 18, 2022 · Updated Apr 15, 2025

Low · CVSS 3.5

CVE-2021-4252: WP-Ban ban-options.php toggle_checkbox cross site scripting

A vulnerability, which was classified as problematic, has been found in WP-Ban. This issue affects the function toggle_checkbox of the file ban-options.php. The manipulation of the argument $_SERVER["HTTP_USER_AGENT"] leads to cross site scripting. The attack may be initiated remotely. The name of the patch is 13e0b1e922f3aaa3f8fcb1dd6d50200dd693fd76. It is recommended to apply a patch to fix this issue. The identifier VDB-216209 was assigned to this vulnerability.

Published Dec 18, 2022 · Updated Apr 15, 2025

Low · CVSS 3.5

CVE-2021-4253: ctrlo lenio Ticket Lenio.pm cross site scripting

A vulnerability, which was classified as problematic, was found in ctrlo lenio. Affected is an unknown function in the library lib/Lenio.pm of the component Ticket Handler. The manipulation of the argument site_id leads to cross site scripting. It is possible to launch the attack remotely. The name of the patch is 7a1f90bd2a0ce95b8338ec0926902da975ec64d9. It is recommended to apply a patch to fix this issue. VDB-216210 is the identifier assigned to this vulnerability.

Published Dec 18, 2022 · Updated Apr 15, 2025

Low · CVSS 3.5

CVE-2021-4254: ctrlo lenio Notice main.tt cross site scripting

A vulnerability has been found in ctrlo lenio and classified as problematic. Affected by this vulnerability is an unknown functionality of the file views/layouts/main.tt of the component Notice Handler. The manipulation of the argument notice.notice.text leads to cross site scripting. The attack can be launched remotely. The name of the patch is aa300555343c1c081951fcb68bfb6852fbba7451. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216211.

Published Dec 18, 2022 · Updated Apr 15, 2025

Low · CVSS 3.5

CVE-2021-4255: ctrlo lenio contractor.tt cross site scripting

A vulnerability was found in ctrlo lenio and classified as problematic. Affected by this issue is some unknown functionality of the file views/contractor.tt. The manipulation of the argument contractor.name leads to cross site scripting. The attack may be launched remotely. The name of the patch is e1646d5cd0a2fbab9eb505196dd2ca1c9e4cdd97. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216212.

Published Dec 18, 2022 · Updated Apr 15, 2025

Low · CVSS 3.5

CVE-2021-4256: ctrlo lenio index.tt cross site scripting

A vulnerability was found in ctrlo lenio. It has been classified as problematic. This affects an unknown part of the file views/index.tt. The manipulation of the argument task.name/task.site.org.name leads to cross site scripting. It is possible to initiate the attack remotely. The name of the patch is e1646d5cd0a2fbab9eb505196dd2ca1c9e4cdd97. It is recommended to apply a patch to fix this issue. The identifier VDB-216213 was assigned to this vulnerability.

Published Dec 18, 2022 · Updated Apr 15, 2025

Low · CVSS 3.7

CVE-2021-4258: whohas Package Information cleartext transmission

A vulnerability was found in whohas. It has been rated as problematic. This issue affects some unknown processing of the component Package Information Handler. The manipulation leads to cleartext transmission of sensitive information. The attack may be initiated remotely. The real existence of this vulnerability is still doubted at the moment. The name of the patch is 667c3e2e9178f15c23d7918b5db25cd0792c8472. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216251. NOTE: Most sources redirect to the encrypted site which limits the possibilities of an attack.

Published Dec 19, 2022 · Updated Apr 15, 2025

Medium · CVSS 6.3

CVE-2021-4260: oils-js Web.js redirect

A vulnerability was found in oils-js. It has been declared as critical. This vulnerability affects unknown code of the file core/Web.js. The manipulation leads to open redirect. The attack can be initiated remotely. The name of the patch is fad8fbae824a7d367dacb90d56cb02c5cb999d42. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216268.

Published Dec 19, 2022 · Updated Apr 15, 2025

Medium · CVSS 6.3

CVE-2021-4261: pacman-canvas db-handler.php addHighscore sql injection

A vulnerability classified as critical has been found in pacman-canvas up to 1.0.5. Affected is the function addHighscore of the file data/db-handler.php. The manipulation leads to sql injection. It is possible to launch the attack remotely. Upgrading to version 1.0.6 is able to address this issue. The name of the patch is 29522c90ca1cebfce6453a5af5a45281d99b0646. It is recommended to upgrade the affected component. VDB-216270 is the identifier assigned to this vulnerability.

Published Dec 19, 2022 · Updated Apr 15, 2025

Medium · CVSS 5.5

CVE-2021-4262: laravel-jqgrid EloquentRepositoryAbstract.php getRows sql injection

A vulnerability classified as critical was found in laravel-jqgrid. Affected by this vulnerability is the function getRows of the file src/Mgallegos/LaravelJqgrid/Repositories/EloquentRepositoryAbstract.php. The manipulation leads to sql injection. The name of the patch is fbc2d94f43d0dc772767a5bdb2681133036f935e. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216271.

Published Dec 19, 2022 · Updated Apr 15, 2025

Medium · CVSS 4

CVE-2021-4263: leanote history.js define cross site scripting

A vulnerability, which was classified as problematic, has been found in leanote 2.6.1. This issue affects the function define of the file public/js/plugins/history.js. The manipulation of the argument content leads to cross site scripting. The attack may be initiated remotely. The identifier of the patch is 0f9733c890077942150696dcc6d2b1482b7a0a19. It is recommended to apply a patch to fix this issue. The identifier VDB-216461 was assigned to this vulnerability.

Published Dec 21, 2022 · Updated Apr 14, 2025