Weekly Vulnerabilities Reports > January 4 to 10, 2021
Overview
302 new vulnerabilities were reported during this period, including 46 critical vulnerabilities and 124 high severity vulnerabilities. This weekly summary reports vulnerabilities in 298 products from 116 vendors including Google, Debian, IBM, Fedoraproject, and Netapp. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Deserialization of Untrusted Data", "Use After Free", and "Path Traversal".
- 230 reported vulnerabilities are remotely exploitable.
- 8 reported vulnerabilities have a public exploit available.
- 110 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 200 reported vulnerabilities are exploitable by an anonymous user.
- Google has the most reported vulnerabilities, with 48 reported vulnerabilities.
- Google has the most reported critical vulnerabilities, with 13 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported during the period covered by this report:
46 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-01-04 | CVE-2020-29492 | Dell | Incorrect Default Permissions vulnerability in Dell Wyse Thinos 8.6 Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. | 10.0 |
2021-01-07 | CVE-2020-26085 | Cisco | OS Command Injection vulnerability in Cisco Jabber Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information. | 9.9 |
2021-01-08 | CVE-2020-35131 | Agentejo | Code Injection vulnerability in Agentejo Cockpit Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI. | 9.8 |
2021-01-08 | CVE-2020-8584 | Netapp | Unspecified vulnerability in Netapp products Element OS versions prior to 1.8P1 and 12.2 are susceptible to a vulnerability that could allow an unauthenticated remote attacker to perform arbitrary code execution. | 9.8 |
2021-01-08 | CVE-2020-28468 | Pwntools Project | Injection vulnerability in Pwntools Project Pwntools This affects the package pwntools before 4.3.1. | 9.8 |
2021-01-07 | CVE-2020-13452 | Thecodingmachine | Incorrect Default Permissions vulnerability in Thecodingmachine Gotenberg In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an attacker to overwrite the file, which can lead to denial of service or code execution. | 9.8 |
2021-01-07 | CVE-2020-13451 | Thecodingmachine | Incomplete Cleanup vulnerability in Thecodingmachine Gotenberg An incomplete-cleanup vulnerability in the Office rendering engine of Gotenberg through 6.2.1 allows an attacker to overwrite LibreOffice configuration files and execute arbitrary code via macros. | 9.8 |
2021-01-07 | CVE-2020-13450 | Thecodingmachine | Path Traversal vulnerability in Thecodingmachine Gotenberg A directory traversal vulnerability in file upload function of Gotenberg through 6.2.1 allows an attacker to upload and overwrite any writable files outside the intended folder. | 9.8 |
2021-01-07 | CVE-2020-17500 | Barco | Command Injection vulnerability in Barco Transform N Barco TransForm NDN-210 Lite, NDN-210 Pro, NDN-211 Lite, and NDN-211 Pro before 3.8 allows Command Injection (issue 1 of 4). | 9.8 |
2021-01-07 | CVE-2019-18643 | Sparkdevnetwork | Unrestricted Upload of File with Dangerous Type vulnerability in Sparkdevnetwork Rock RMS Rock RMS versions before 8.10 and versions 9.0 through 9.3 fail to properly validate files uploaded in the application. | 9.8 |
2021-01-07 | CVE-2019-18642 | Sparkdevnetwork | Unspecified vulnerability in Sparkdevnetwork Rock RMS Rock RMS version before 8.6 is vulnerable to account takeover by tampering with the user ID parameter in the profile update feature. | 9.8 |
2021-01-07 | CVE-2021-3029 | Evolucare | OS Command Injection vulnerability in Evolucare ECS Imaging 6.21.5 EVOLUCARE ECSIMAGING (aka ECS Imaging) through 6.21.5 has an OS Command Injection vulnerability via shell metacharacters and an IFS manipulation. | 9.8 |
2021-01-07 | CVE-2020-26972 | Mozilla | Use After Free vulnerability in Mozilla Firefox The lifecycle of IPC Actors allows managed actors to outlive their manager actors; and the former must ensure that they are not attempting to use a dead actor they have a reference to. | 9.8 |
2021-01-06 | CVE-2020-36178 | TP Link | OS Command Injection vulnerability in Tp-Link Tl-Wr840N Firmware 6Eu0.9.14.16 oal_ipt_addBridgeIsolationRules on TP-Link TL-WR840N 6_EU_0.9.1_4.16 devices allows OS command injection because a raw string entered from the web interface (an IP address field) is used directly for a call to the system library function (for iptables). | 9.8 |
2021-01-06 | CVE-2020-36177 | Wolfssl | Out-of-bounds Write vulnerability in Wolfssl RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size. | 9.8 |
2021-01-06 | CVE-2012-10001 | Limit Login Attempts Project | Improper Authentication vulnerability in Limit Login Attempts Project Limit Login Attempts The Limit Login Attempts plugin before 1.7.1 for WordPress does not clear auth cookies upon a lockout, which might make it easier for remote attackers to conduct brute-force authentication attempts. | 9.8 |
2021-01-06 | CVE-2020-10658 | Proofpoint | Deserialization of Untrusted Data vulnerability in Proofpoint Insider Threat Management Server The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.9.1 contains a vulnerability in the ITM application server's WriteImage API. | 9.8 |
2021-01-06 | CVE-2020-10656 | Proofpoint | Deserialization of Untrusted Data vulnerability in Proofpoint Insider Threat Management Server The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.9.1 contains a vulnerability in the ITM application server's WriteWindowMouseWithChunksV2 API. | 9.8 |
2021-01-06 | CVE-2020-10655 | Proofpoint | Deserialization of Untrusted Data vulnerability in Proofpoint Insider Threat Management Server The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.9.1 contains a vulnerability in the ITM application server's WriteWindowMouse API. | 9.8 |
2021-01-06 | CVE-2020-26759 | Clickhouse Driver Project | Classic Buffer Overflow vulnerability in Clickhouse-Driver Project Clickhouse-Driver clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, due to a buffer overflow. | 9.8 |
2021-01-05 | CVE-2020-36052 | 1234N | Path Traversal vulnerability in 1234N Minicms 1.10 Directory traversal vulnerability in post-edit.php in MiniCMS V1.10 allows remote attackers to include and execute arbitrary files via the state parameter. | 9.8 |
2021-01-05 | CVE-2021-3021 | Ispconfig | SQL Injection vulnerability in Ispconfig ISPConfig before 3.2.2 allows SQL injection. | 9.8 |
2021-01-05 | CVE-2020-26045 | Thedaylightstudio | SQL Injection vulnerability in Thedaylightstudio Fuel CMS 1.4.11 FUEL CMS 1.4.11 allows SQL Injection via parameter 'name' in /fuel/permissions/create/. | 9.8 |
2021-01-05 | CVE-2021-3018 | Ipeak | SQL Injection vulnerability in Ipeak Ipeakcms 3.5 ipeak Infosystems ibexwebCMS (aka IPeakCMS) 3.5 is vulnerable to an unauthenticated Boolean-based SQL injection via the id parameter on the /cms/print.php page. | 9.8 |
2021-01-04 | CVE-2020-36157 | Ultimatemember | Unspecified vulnerability in Ultimatemember Ultimate Member An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Roles. | 9.8 |
2021-01-04 | CVE-2020-36155 | Ultimatemember | Improper Privilege Management vulnerability in Ultimatemember Ultimate Member An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Meta. | 9.8 |
2021-01-04 | CVE-2020-35219 | Asus | Improper Authentication vulnerability in Asus Dsl-N17U Firmware 1.1.0.2 The ASUS DSL-N17U modem with firmware 1.1.0.2 allows attackers to access the admin interface by changing the admin password without authentication via a POST request to Advanced_System_Content.asp with the uiViewTools_username=admin&uiViewTools_Password= and uiViewTools_PasswordConfirm= substrings. | 9.8 |
2021-01-04 | CVE-2020-26292 | Chatter Social | Unspecified vulnerability in Chatter-Social Creeper 1.1.3 Creeper is an experimental dynamic, interpreted language. | 9.8 |
2021-01-04 | CVE-2020-36112 | CSE Bookstore Project | SQL Injection vulnerability in CSE Bookstore Project CSE Bookstore 1.0 CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php and in cart.php. | 9.8 |
2021-01-04 | CVE-2020-7771 | Asciitable JS Project | Unspecified vulnerability in Asciitable.Js Project Asciitable.Js 1.0.0/1.0.1/1.0.2 The package asciitable.js before 1.0.3 is vulnerable to Prototype Pollution via the main function. | 9.8 |
2021-01-04 | CVE-2021-3007 | Getlaminas Zend | Deserialization of Untrusted Data vulnerability in multiple products Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. | 9.8 |
2021-01-08 | CVE-2021-21115 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in safe browsing in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-01-08 | CVE-2021-21111 | Google Fedoraproject Debian | Improper Restriction of Rendered UI Layers or Frames vulnerability in multiple products Insufficient policy enforcement in WebUI in Google Chrome prior to 87.0.4280.141 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. | 9.6 |
2021-01-08 | CVE-2021-21110 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in safe browsing in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-01-08 | CVE-2021-21109 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in payments in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-01-08 | CVE-2021-21108 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in media in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-01-08 | CVE-2021-21107 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in drag and drop in Google Chrome on Linux prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-01-08 | CVE-2021-21106 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in autofill in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-01-08 | CVE-2020-16025 | | Out-of-bounds Write vulnerability in Google Chrome Heap buffer overflow in clipboard in Google Chrome prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-01-08 | CVE-2020-16024 | | Out-of-bounds Write vulnerability in Google Chrome Heap buffer overflow in UI in Google Chrome prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-01-08 | CVE-2020-16018 | | Use After Free vulnerability in Google Chrome Use after free in payments in Google Chrome prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-01-08 | CVE-2020-16017 | | Use After Free vulnerability in Google Chrome Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-01-08 | CVE-2020-16016 | | Unspecified vulnerability in Google Chrome Inappropriate implementation in base in Google Chrome prior to 86.0.4240.193 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-01-08 | CVE-2020-16014 | | Use After Free vulnerability in Google Chrome Use after free in PPAPI in Google Chrome prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-01-06 | CVE-2020-27285 | Redlion | Missing Authentication for Critical Function vulnerability in Redlion Crimson 3.1 The default configuration of Crimson 3.1 (Build versions prior to 3119.001) allows a user to be able to read and modify the database without authentication. | 9.1 |
2021-01-05 | CVE-2020-4899 | IBM | Cleartext Transmission of Sensitive Information vulnerability in IBM API Connect IBM API Connect 5.0.0.0 through 5.0.8.10 could potentially leak sensitive information or allow for data corruption due to plain text transmission of sensitive information across the network. | 9.1 |
124 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-01-08 | CVE-2021-21116 | Google Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in audio in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-01-08 | CVE-2021-21114 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in audio in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-01-08 | CVE-2021-21113 | Google Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in Skia in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-01-08 | CVE-2021-21112 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in Blink in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-01-08 | CVE-2020-16043 | Google Debian Fedoraproject | Insufficient data validation in networking in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to bypass discretionary access control via malicious network traffic. | 8.8 |
2021-01-08 | CVE-2020-16039 | | Use After Free vulnerability in Google Chrome Use after free in extensions in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-01-08 | CVE-2020-16038 | | Use After Free vulnerability in Google Chrome Use after free in media in Google Chrome on OS X prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-01-08 | CVE-2020-16037 | | Use After Free vulnerability in Google Chrome Use after free in clipboard in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-01-08 | CVE-2020-16035 | | Unspecified vulnerability in Google Chrome Insufficient data validation in cros-disks in Google Chrome on ChromeOS prior to 87.0.4280.66 allowed a remote attacker who had compromised the browser process to bypass noexec restrictions via a malicious file. | 8.8 |
2021-01-08 | CVE-2020-16029 | | Missing Authorization vulnerability in Google Chrome Inappropriate implementation in PDFium in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to bypass navigation restrictions via a crafted PDF file. | 8.8 |
2021-01-08 | CVE-2020-16028 | | Out-of-bounds Write vulnerability in Google Chrome Heap buffer overflow in WebRTC in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-01-08 | CVE-2020-16026 | | Use After Free vulnerability in Google Chrome Use after free in WebRTC in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-01-08 | CVE-2020-16023 | | Use After Free vulnerability in Google Chrome Use after free in WebCodecs in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-01-08 | CVE-2020-16022 | | Unspecified vulnerability in Google Chrome Insufficient policy enforcement in networking in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially bypass firewall controls via a crafted HTML page. | 8.8 |
2021-01-08 | CVE-2020-16020 | | Unspecified vulnerability in Google Chrome Inappropriate implementation in cryptohome in Google Chrome on ChromeOS prior to 87.0.4280.66 allowed a remote attacker who had compromised the browser process to bypass discretionary access control via a malicious file. | 8.8 |
2021-01-08 | CVE-2020-16019 | | Unspecified vulnerability in Google Chrome Inappropriate implementation in filesystem in Google Chrome on ChromeOS prior to 87.0.4280.66 allowed a remote attacker who had compromised the browser process to bypass noexec restrictions via a malicious file. | 8.8 |
2021-01-08 | CVE-2020-16015 | | Type Confusion vulnerability in Google Chrome Insufficient data validation in WASM in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-01-08 | CVE-2020-16013 | | Out-of-bounds Write vulnerability in Google Chrome Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-01-08 | CVE-2020-5805 | Marvell | Cleartext Storage of Sensitive Information vulnerability in Marvell Qconvergeconslole GUI 5.5.0.74 In Marvell QConvergeConsole GUI <= 5.5.0.74, credentials are stored in cleartext in tomcat-users.xml. | 8.8 |
2021-01-08 | CVE-2021-3025 | Invisioncommunity | SQL Injection vulnerability in Invisioncommunity IPS Community Suite 4.5.2/4.5.3/4.5.4 Invision Community IPS Community Suite before 4.5.4.2 allows SQL Injection via the Downloads REST API (the sortDir parameter in a sortBy=popular action to the GETindex() method in applications/downloads/api/files.php). | 8.8 |
2021-01-07 | CVE-2020-35745 | Phpgurukul | Missing Authorization vulnerability in PHPgurukul Hospital Management System 4.0 PHPGURUKUL Hospital Management System V 4.0 does not properly restrict access to admin/dashboard.php, which allows attackers to access all data of users, doctors, patients, change admin password, get appointment history and access all session logs. | 8.8 |
2021-01-07 | CVE-2020-26773 | Restaurant Reservation System Project | SQL Injection vulnerability in Restaurant Reservation System Project Restaurant Reservation System 1.0 Restaurant Reservation System 1.0 suffers from an authenticated SQL injection vulnerability, which allows a remote, authenticated attacker to execute arbitrary SQL commands via the date parameter in includes/reservation.inc.php. | 8.8 |
2021-01-07 | CVE-2020-35114 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox Mozilla developers reported memory safety bugs present in Firefox 83. | 8.8 |
2021-01-07 | CVE-2020-35113 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox ESR Mozilla developers reported memory safety bugs present in Firefox 83 and Firefox ESR 78.5. | 8.8 |
2021-01-07 | CVE-2020-35112 | Mozilla | Unspecified vulnerability in Mozilla Firefox If a user downloaded a file lacking an extension on Windows, and then "Open"-ed it from the downloads panel, if there was an executable file in the downloads directory with the same name but with an executable extension (such as .bat or .exe) that executable would have been launched instead. | 8.8 |
2021-01-07 | CVE-2020-26974 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox ESR When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object could have been incorrectly cast to the wrong type. | 8.8 |
2021-01-07 | CVE-2020-26973 | Mozilla | Unspecified vulnerability in Mozilla Firefox ESR Certain input to the CSS Sanitizer confused it, resulting in incorrect components being removed. | 8.8 |
2021-01-07 | CVE-2020-26971 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox ESR Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. | 8.8 |
2021-01-06 | CVE-2020-8884 | Proofpoint | Deserialization of Untrusted Data vulnerability in Proofpoint Insider Threat Management rcdsvc in the Proofpoint Insider Threat Management Windows Agent (formerly ObserveIT Windows Agent) before 7.9 allows remote authenticated users to execute arbitrary code as SYSTEM because of improper deserialization over named pipes. | 8.8 |
2021-01-06 | CVE-2020-36169 | Veritas | Unspecified vulnerability in Veritas Netbackup and Opscenter An issue was discovered in Veritas NetBackup through 8.3.0.1 and OpsCenter through 8.3.0.1. | 8.8 |
2021-01-06 | CVE-2020-36168 | Veritas | Unspecified vulnerability in Veritas Resiliency Platform 3.4/3.5 An issue was discovered in Veritas Resiliency Platform 3.4 and 3.5. | 8.8 |
2021-01-06 | CVE-2020-36167 | Veritas | Unrestricted Upload of File with Dangerous Type vulnerability in Veritas Backup Exec 20.0/21.0 An issue was discovered in the server in Veritas Backup Exec through 16.2, 20.6 before hotfix 298543, and 21.1 before hotfix 657517. | 8.8 |
2021-01-06 | CVE-2020-36166 | Veritas | Unspecified vulnerability in Veritas products An issue was discovered in Veritas InfoScale 7.x through 7.4.2 on Windows, Storage Foundation through 6.1 on Windows, Storage Foundation HA through 6.1 on Windows, and InfoScale Operations Manager (aka VIOM) Windows Management Server 7.x through 7.4.2. | 8.8 |
2021-01-06 | CVE-2020-36165 | Veritas | Unspecified vulnerability in Veritas Desktop and Laptop Option An issue was discovered in Veritas Desktop and Laptop Option (DLO) before 9.4. | 8.8 |
2021-01-06 | CVE-2020-36164 | Veritas | Unspecified vulnerability in Veritas Enterprise Vault An issue was discovered in Veritas Enterprise Vault through 14.0. | 8.8 |
2021-01-06 | CVE-2020-36163 | Veritas | Unspecified vulnerability in Veritas Netbackup and Opscenter An issue was discovered in Veritas NetBackup and OpsCenter through 8.3.0.1. | 8.8 |
2021-01-06 | CVE-2020-36162 | Veritas | Unspecified vulnerability in Veritas Cloudpoint and Netbackup Cloudpoint An issue was discovered in Veritas CloudPoint before 8.3.0.1+hotfix. | 8.8 |
2021-01-06 | CVE-2020-36161 | Veritas | Unspecified vulnerability in Veritas Aptare IT Analytics 10.4.00/10.5.00 An issue was discovered in Veritas APTARE 10.4 before 10.4P9 and 10.5 before 10.5P3. | 8.8 |
2021-01-06 | CVE-2020-36160 | Veritas | Unspecified vulnerability in Veritas System Recovery An issue was discovered in Veritas System Recovery before 21.2. | 8.8 |
2021-01-05 | CVE-2021-22492 | | Classic Buffer Overflow vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (Broadcom Bluetooth chipsets) software. | 8.8 |
2021-01-05 | CVE-2020-13541 | Win911 | Incorrect Default Permissions vulnerability in Win911 Mobile-911 Server 2.5 An exploitable local privilege elevation vulnerability exists in the file system permissions of the Mobile-911 Server V2.5 install directory. | 8.8 |
2021-01-05 | CVE-2020-4762 | IBM | Unspecified vulnerability in IBM Sterling B2B Integrator IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5_2, 6.0.0.0 through 6.0.3.2, and 6.1.0.0 could allow an authenticated user to create a privileged account due to improper access controls. | 8.8 |
2021-01-05 | CVE-2019-4728 | IBM | Deserialization of Untrusted Data vulnerability in IBM Sterling B2B Integrator IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5_2, 6.0.0.0 through 6.0.3.2, and 6.1.0.0 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. | 8.8 |
2021-01-04 | CVE-2020-36156 | Ultimatemember | Improper Privilege Management vulnerability in Ultimatemember Ultimate Member An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Authenticated Privilege Escalation via Profile Update. | 8.8 |
2021-01-04 | CVE-2020-4942 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Curam Social Program Management 7.0.11.0/7.0.9.0 IBM Curam Social Program Management 7.0.9 and 7.0.11 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 8.8 |
2021-01-04 | CVE-2020-4917 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Cloud PAK System IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 8.8 |
2021-01-04 | CVE-2021-21495 | MK Auth | Cross-Site Request Forgery (CSRF) vulnerability in Mk-Auth 19.01 MK-AUTH through 19.01 K4.9 allows CSRF for password changes via the central/executar_central.php?acao=altsenha_princ URI. | 8.8 |
2021-01-04 | CVE-2020-29491 | Dell | Incorrect Default Permissions vulnerability in Dell Wyse Thinos 8.6 Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. | 8.6 |
2021-01-08 | CVE-2021-1051 | Nvidia | Improper Privilege Management vulnerability in Nvidia GPU Driver NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which a local user can get elevated privileges to modify display configuration data, which may result in denial of service of the display. | 8.4 |
2021-01-08 | CVE-2020-16041 | | Out-of-bounds Read vulnerability in Google Chrome Out of bounds read in networking in Google Chrome prior to 87.0.4280.88 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. | 8.1 |
2021-01-08 | CVE-2020-5804 | Marvell | Path Traversal vulnerability in Marvell Qconvergeconslole GUI 5.5.0.74 Marvell QConvergeConsole GUI <= 5.5.0.74 is affected by a path traversal vulnerability. | 8.1 |
2021-01-07 | CVE-2018-20316 | Foxitsoftware | Out-of-bounds Write vulnerability in Foxitsoftware Phantompdf Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a proxyDoAction race condition that can cause a stack-based buffer overflow or an out-of-bounds read, a different issue than CVE-2018-20310 because of a different opcode. | 8.1 |
2021-01-07 | CVE-2018-20315 | Foxitsoftware | Race Condition vulnerability in Foxitsoftware Phantompdf Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a race condition that can cause a stack-based buffer overflow or an out-of-bounds read. | 8.1 |
2021-01-07 | CVE-2018-20314 | Foxitsoftware | Out-of-bounds Write vulnerability in Foxitsoftware Phantompdf Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a proxyCheckLicence race condition that can cause a stack-based buffer overflow or an out-of-bounds read. | 8.1 |
2021-01-07 | CVE-2018-20313 | Foxitsoftware | Out-of-bounds Write vulnerability in Foxitsoftware Phantompdf Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a proxyPreviewAction race condition that can cause a stack-based buffer overflow or an out-of-bounds read. | 8.1 |
2021-01-07 | CVE-2018-20312 | Foxitsoftware | Out-of-bounds Write vulnerability in Foxitsoftware Phantompdf Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a proxyDoAction race condition that can cause a stack-based buffer overflow or an out-of-bounds read, a different issue than CVE-2018-20310 because of a different opcode. | 8.1 |
2021-01-07 | CVE-2018-20311 | Foxitsoftware | Out-of-bounds Write vulnerability in Foxitsoftware Phantompdf Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a proxyCPDFAction race condition that can cause a stack-based buffer overflow or an out-of-bounds read. | 8.1 |
2021-01-07 | CVE-2018-20310 | Foxitsoftware | Out-of-bounds Write vulnerability in Foxitsoftware Phantompdf Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a proxyDoAction race condition that can cause a stack-based buffer overflow or an out-of-bounds read. | 8.1 |
2021-01-07 | CVE-2018-20309 | Foxitsoftware | Out-of-bounds Write vulnerability in Foxitsoftware Phantompdf Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a proxyGetAppEdition race condition that can cause a stack-based buffer overflow or an out-of-bounds read. | 8.1 |
2021-01-07 | CVE-2020-36183 | Fasterxml Netapp Debian Oracle | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. | 8.1 |
2021-01-07 | CVE-2020-36182 | Fasterxml Netapp Debian Oracle | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. | 8.1 |
2021-01-07 | CVE-2020-36180 | Netapp Debian Oracle Fasterxml | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. | 8.1 |
2021-01-07 | CVE-2020-36179 | Netapp Debian Oracle Fasterxml | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. | 8.1 |
2021-01-06 | CVE-2020-36189 | Fasterxml Netapp Debian Oracle | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. | 8.1 |
2021-01-06 | CVE-2020-36188 | Fasterxml Netapp Debian Oracle | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. | 8.1 |
2021-01-06 | CVE-2020-36187 | Fasterxml Netapp Debian Oracle | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. | 8.1 |
2021-01-06 | CVE-2020-36186 | Fasterxml Netapp Debian Oracle | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. | 8.1 |
2021-01-06 | CVE-2020-36185 | Fasterxml Netapp Debian Oracle | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. | 8.1 |
2021-01-06 | CVE-2020-36184 | Netapp Debian Oracle Fasterxml | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. | 8.1 |
2021-01-06 | CVE-2020-36181 | Netapp Debian Oracle Fasterxml | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. | 8.1 |
2021-01-06 | CVE-2020-8265 | Nodejs Debian Fedoraproject Oracle Siemens | Use After Free vulnerability in multiple products Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. | 8.1 |
2021-01-05 | CVE-2019-20484 | Vikisolutions | Forced Browsing vulnerability in Vikisolutions Vera 4.9.1.26180 An issue was discovered in Viki Vera 4.9.1.26180. | 8.1 |
2021-01-05 | CVE-2020-29437 | Orangehrm | SQL Injection vulnerability in Orangehrm SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint. | 8.1 |
2021-01-08 | CVE-2020-26664 | Videolan Debian | Out-of-bounds Write vulnerability in multiple products A vulnerability in EbmlTypeDispatcher::send in VideoLAN VLC media player 3.0.11 allows attackers to trigger a heap-based buffer overflow via a crafted .mkv file. | 7.8 |
2021-01-08 | CVE-2021-1063 | Nvidia | Out-of-bounds Read vulnerability in Nvidia Virtual GPU Manager NVIDIA vGPU manager contains a vulnerability in the vGPU plugin, in which an input offset is not validated, which may lead to a buffer overread, which in turn may cause tampering of data, information disclosure, or denial of service. | 7.8 |
2021-01-08 | CVE-2021-1059 | Nvidia | Integer Overflow or Wraparound vulnerability in Nvidia Virtual GPU Manager NVIDIA vGPU manager contains a vulnerability in the vGPU plugin, in which an input index is not validated, which may lead to integer overflow, which in turn may cause tampering of data, information disclosure, or denial of service. | 7.8 |
2021-01-08 | CVE-2021-1057 | Nvidia | Allocation of Resources Without Limits or Throttling vulnerability in Nvidia Virtual GPU Manager NVIDIA Virtual GPU Manager NVIDIA vGPU manager contains a vulnerability in the vGPU plugin in which it allows guests to allocate some resources for which the guest is not authorized, which may lead to integrity and confidentiality loss, denial of service, or information disclosure. | 7.8 |
2021-01-08 | CVE-2021-1052 | Nvidia | Unspecified vulnerability in Nvidia GPU Driver NVIDIA GPU Display Driver for Windows and Linux, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape or IOCTL in which user-mode clients can access legacy privileged APIs, which may lead to denial of service, escalation of privileges, and information disclosure. | 7.8 |
2021-01-07 | CVE-2020-6656 | Eaton | Type Confusion vulnerability in Eaton Easysoft Eaton's easySoft software v7.xx prior to v7.22 is susceptible to a file parsing type confusion remote code execution vulnerability. | 7.8 |
2021-01-07 | CVE-2020-6655 | Eaton | Out-of-bounds Read vulnerability in Eaton Easysoft Eaton's easySoft software v7.xx prior to v7.22 is susceptible to an out-of-bounds remote code execution vulnerability. | 7.8 |
2021-01-07 | CVE-2018-19418 | Foxitsoftware | Command Injection vulnerability in Foxitsoftware PDF Activex 5.5.0 Foxit PDF ActiveX before 5.5.1 allows remote code execution via command injection because of the lack of a security permission control. | 7.8 |
2021-01-06 | CVE-2020-13545 | Softmaker | Incorrect Conversion between Numeric Types vulnerability in Softmaker Office 2021 An exploitable signed conversion vulnerability exists in the TextMaker document parsing functionality of SoftMaker Office 2021’s TextMaker application. | 7.8 |
2021-01-06 | CVE-2020-13544 | Softmaker | Incorrect Conversion between Numeric Types vulnerability in Softmaker Office 2021 An exploitable sign extension vulnerability exists in the TextMaker document parsing functionality of SoftMaker Office 2021’s TextMaker application. | 7.8 |
2021-01-05 | CVE-2020-26181 | Dell | Unspecified vulnerability in Dell EMC Isilon Onefs and EMC Powerscale Onefs Dell EMC Isilon OneFS versions 8.1 and later and Dell EMC PowerScale OneFS version 9.0.0 contain a privilege escalation vulnerability on a SmartLock Compliance mode cluster. | 7.8 |
2021-01-05 | CVE-2020-27844 | Uclouvain Debian Oracle | A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior to 2.4.0. | 7.8 |
2021-01-05 | CVE-2020-13540 | Win911 | Incorrect Default Permissions vulnerability in Win911 Win-911 4.20.13 An exploitable local privilege elevation vulnerability exists in the file system permissions of the Win-911 Enterprise V4.20.13 install directory via WIN-911 Account Change Utility. | 7.8 |
2021-01-05 | CVE-2020-13539 | Win911 | Incorrect Default Permissions vulnerability in Win911 Win-911 4.20.13 An exploitable local privilege elevation vulnerability exists in the file system permissions of the Win-911 Enterprise V4.20.13 install directory via “WIN-911 Mobile Runtime” service. | 7.8 |
2021-01-04 | CVE-2020-36154 | Pearson | Incorrect Permission Assignment for Critical Resource vulnerability in Pearson VUE Testing System 2.3.1911 The Application Wrapper in Pearson VUE VTS Installer 2.3.1911 has Full Control permissions for Everyone in the "%SYSTEMDRIVE%\Pearson VUE" directory, which allows local users to obtain administrative privileges via a Trojan horse application. | 7.8 |
2021-01-05 | CVE-2021-21234 | Spring Boot Actuator Logview Project | Unspecified vulnerability in Spring-Boot-Actuator-Logview Project Spring-Boot-Actuator-Logview spring-boot-actuator-logview is a library that adds a simple logfile viewer as spring boot actuator endpoint. | 7.7 |
2021-01-04 | CVE-2020-5361 | Dell | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Dell CPG Bios Select Dell Client Commercial and Consumer platforms support a BIOS password reset capability that is designed to assist authorized customers who forget their passwords. | 7.6 |
2021-01-08 | CVE-2020-5018 | IBM | Cleartext Storage of Sensitive Information vulnerability in IBM Spectrum Protect Plus IBM Spectrum Protect Plus 10.1.0 through 10.1.6 may include sensitive information in its URLs, increasing the risk of such information being captured by an attacker. | 7.5 |
2021-01-08 | CVE-2020-16021 | Google | Race Condition vulnerability in Google Chrome Race in image burner in Google Chrome on ChromeOS prior to 87.0.4280.66 allowed a remote attacker who had compromised the browser process to perform OS-level privilege escalation via a malicious file. | 7.5 |
2021-01-08 | CVE-2020-24577 | Dlink | Cleartext Storage of Sensitive Information vulnerability in Dlink Dsl-2888A Firmware 2.30Au An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. | 7.5 |
2021-01-08 | CVE-2020-36049 | Socket | Allocation of Resources Without Limits or Throttling vulnerability in Socket Socket.Io-Parser socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used. | 7.5 |
2021-01-08 | CVE-2020-36048 | Socket | Resource Exhaustion vulnerability in Socket Engine.Io Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport. | 7.5 |
2021-01-07 | CVE-2020-13449 | Thecodingmachine | Path Traversal vulnerability in Thecodingmachine Gotenberg A directory traversal vulnerability in the Markdown engine of Gotenberg through 6.2.1 allows an attacker to read any container files. | 7.5 |
2021-01-07 | CVE-2020-4898 | IBM | Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Emptoris Strategic Supply Management IBM Emptoris Strategic Supply Management 10.1.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 7.5 |
2021-01-07 | CVE-2020-13573 | Rockwellautomation | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Rockwellautomation Rslinx 2.57.00.14 A denial-of-service vulnerability exists in the Ethernet/IP server functionality of Rockwell Automation RSLinx Classic 2.57.00.14 CPR 9 SR 3. | 7.5 |
2021-01-06 | CVE-2020-27279 | Redlion | NULL Pointer Dereference vulnerability in Redlion Crimson 3.1 A NULL pointer dereference vulnerability has been identified in the protocol converter. | 7.5 |
2021-01-06 | CVE-2020-36176 | Ithemes | Improper Authentication vulnerability in Ithemes Security The iThemes Security (formerly Better WP Security) plugin before 7.7.0 for WordPress does not enforce a new-password requirement for an existing account until the second login occurs. | 7.5 |
2021-01-05 | CVE-2020-36051 | 1234N | Path Traversal vulnerability in 1234N Minicms 1.10 Directory traversal vulnerability in page_edit.php in MiniCMS V1.10 allows remote attackers to read arbitrary files via the state parameter. | 7.5 |
2021-01-05 | CVE-2020-36067 | Gjson Project | Improper Validation of Array Index vulnerability in Gjson Project Gjson GJSON <=v1.6.5 allows attackers to cause a denial of service (panic: runtime error: slice bounds out of range) via a crafted GET call. | 7.5 |
2021-01-05 | CVE-2020-36066 | Gjson Project | Unspecified vulnerability in Gjson Project Gjson GJSON <1.6.5 allows attackers to cause a denial of service (remote) via crafted JSON. | 7.5 |
2021-01-05 | CVE-2020-29478 | Broadcom | Unspecified vulnerability in Broadcom CA Service Catalog 17.2/17.3 CA Service Catalog 17.2 and 17.3 contain a vulnerability in the default configuration of the Setup Utility that may allow a remote attacker to cause a denial of service condition. | 7.5 |
2021-01-05 | CVE-2020-35488 | Nxlog | Deserialization of Untrusted Data vulnerability in Nxlog 2.10.2150 The fileop module of the NXLog service in NXLog Community Edition 2.10.2150 allows remote attackers to cause a denial of service (daemon crash) via a crafted Syslog payload to the Syslog service. | 7.5 |
2021-01-05 | CVE-2020-17519 | Apache | Files or Directories Accessible to External Parties vulnerability in Apache Flink 1.11.0/1.11.1/1.11.2 A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. | 7.5 |
2021-01-05 | CVE-2020-17518 | Apache | Path Traversal vulnerability in Apache Flink Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. | 7.5 |
2021-01-05 | CVE-2021-3019 | Lanproxy Project | Path Traversal vulnerability in Lanproxy Project Lanproxy 0.1 ffay lanproxy 0.1 allows Directory Traversal to read /../conf/config.properties to obtain credentials for a connection to the intranet. | 7.5 |
2021-01-04 | CVE-2020-25275 | Dovecot Debian Fedoraproject | Improper Input Validation vulnerability in multiple products Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts. | 7.5 |
2021-01-04 | CVE-2020-22550 | Veno File Manager Project | Path Traversal vulnerability in Veno File Manager Project Veno File Manager 3.5.6 Veno File Manager 3.5.6 is affected by a directory traversal vulnerability. | 7.5 |
2021-01-04 | CVE-2020-35965 | Ffmpeg Debian | Out-of-bounds Write vulnerability in multiple products decode_frame in libavcodec/exr.c in FFmpeg 4.3.1 has an out-of-bounds write because of errors in calculations of when to perform memset zero operations. | 7.5 |
2021-01-09 | CVE-2020-5146 | Sonicwall | OS Command Injection vulnerability in Sonicwall SMA 100 Firmware A vulnerability in SonicWall SMA100 appliance allows an authenticated management-user to perform OS command injection using HTTP POST parameters. | 7.2 |
2021-01-08 | CVE-2020-17504 | Barco | Command Injection vulnerability in Barco Transform N The NDN-210 has a web administration panel which is made available over https. | 7.2 |
2021-01-08 | CVE-2020-17503 | Barco | Command Injection vulnerability in Barco Transform N The NDN-210 has a web administration panel which is made available over https. | 7.2 |
2021-01-08 | CVE-2020-17502 | Barco | Command Injection vulnerability in Barco Transform N Barco TransForm N before 3.8 allows Command Injection (issue 2 of 4). | 7.2 |
2021-01-07 | CVE-2020-28672 | Monocms | Unspecified vulnerability in Monocms 1.0 MonoCMS Blog 1.0 is affected by incorrect access control that can lead to remote arbitrary code execution. | 7.2 |
2021-01-06 | CVE-2020-10657 | Proofpoint | Deserialization of Untrusted Data vulnerability in Proofpoint Insider Threat Management Server The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.9.1 contains a vulnerability in the ITM web console's ImportAlertRules feature. | 7.2 |
2021-01-04 | CVE-2020-4912 | IBM | Unspecified vulnerability in IBM Cloud PAK System IBM Cloud Pak System 2.3 Self Service Console could allow a privilege escalation by capturing the user request URL when logged in as a privileged user. | 7.2 |
2021-01-08 | CVE-2021-1065 | Nvidia | Improper Input Validation vulnerability in Nvidia Virtual GPU Manager NVIDIA vGPU manager contains a vulnerability in the vGPU plugin, in which input data is not validated, which may lead to tampering of data or denial of service. | 7.1 |
2021-01-08 | CVE-2021-1064 | Nvidia | NULL Pointer Dereference vulnerability in Nvidia Virtual GPU Manager NVIDIA vGPU manager contains a vulnerability in the vGPU plugin, in which it obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer, which may lead to information disclosure or denial of service. | 7.1 |
2021-01-08 | CVE-2021-1062 | Nvidia | Improper Validation of Specified Quantity in Input vulnerability in Nvidia Virtual GPU Manager NVIDIA vGPU manager contains a vulnerability in the vGPU plugin, in which an input data length is not validated, which may lead to tampering of data or denial of service. | 7.1 |
2021-01-08 | CVE-2021-1060 | Nvidia | Improper Input Validation vulnerability in Nvidia Virtual GPU Manager NVIDIA vGPU software contains a vulnerability in the guest kernel mode driver and vGPU plugin, in which an input index is not validated, which may lead to tampering of data or denial of service. | 7.1 |
2021-01-08 | CVE-2021-1058 | Nvidia | Improper Validation of Specified Quantity in Input vulnerability in Nvidia Virtual GPU Manager NVIDIA vGPU software contains a vulnerability in the guest kernel mode driver and vGPU plugin, in which an input data size is not validated, which may lead to tampering of data or denial of service. | 7.1 |
2021-01-08 | CVE-2021-1056 | Nvidia Debian | Incorrect Default Permissions vulnerability in multiple products NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidia.ko) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure. | 7.1 |
130 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-01-08 | CVE-2020-26186 | Dell | Exposure of Resource to Wrong Sphere vulnerability in Dell Inspiron 5675 Firmware Dell Inspiron 5675 BIOS versions prior to 1.4.1 contain a UEFI BIOS RuntimeServices overwrite vulnerability. | 6.8 |
2021-01-04 | CVE-2020-24386 | Dovecot Debian Fedoraproject | An issue was discovered in Dovecot before 2.3.13. | 6.8 |
2021-01-05 | CVE-2020-29502 | Dell | Cleartext Storage of Sensitive Information vulnerability in Dell EMC Powerstore Firmware Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore X & T environments. | 6.7 |
2021-01-05 | CVE-2020-29501 | Dell | Cleartext Storage of Sensitive Information vulnerability in Dell EMC Powerstore Firmware Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore X & T environments. | 6.7 |
2021-01-05 | CVE-2020-29500 | Dell | Cleartext Storage of Sensitive Information vulnerability in Dell EMC Powerstore Firmware Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore T environments. | 6.7 |
2021-01-05 | CVE-2020-29489 | Dell | Cleartext Storage of Sensitive Information vulnerability in Dell products Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contain a plain-text password storage vulnerability. | 6.7 |
2021-01-05 | CVE-2020-26199 | Dell | Information Exposure Through Log Files vulnerability in Dell products Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contain a plain-text password storage vulnerability. | 6.7 |
2021-01-05 | CVE-2020-36158 | Linux Fedoraproject Debian Netapp | Classic Buffer Overflow vulnerability in multiple products mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332. | 6.7 |
2021-01-04 | CVE-2020-4928 | IBM | Unrestricted Upload of File with Dangerous Type vulnerability in IBM Cloud PAK System IBM Cloud Pak System 2.3 could allow a local privileged attacker to upload arbitrary files. | 6.7 |
2021-01-08 | CVE-2020-5019 | IBM | Injection vulnerability in IBM Spectrum Protect Plus IBM Spectrum Protect Plus 10.1.0 through 10.1.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. | 6.5 |
2021-01-08 | CVE-2020-16042 | Google | Use of Uninitialized Resource vulnerability in Google Chrome Uninitialized Use in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | 6.5 |
2021-01-08 | CVE-2020-16040 | Google | Integer Overflow or Wraparound vulnerability in Google Chrome Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 |
2021-01-08 | CVE-2020-16036 | Google | Unspecified vulnerability in Google Chrome Inappropriate implementation in cookies in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to bypass cookie restrictions via a crafted HTML page. | 6.5 |
2021-01-08 | CVE-2020-16027 | Google | Missing Authorization vulnerability in Google Chrome Insufficient policy enforcement in developer tools in Google Chrome prior to 87.0.4280.66 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from the user's disk via a crafted Chrome Extension. | 6.5 |
2021-01-07 | CVE-2020-4896 | IBM | Improper Input Validation vulnerability in IBM Emptoris Sourcing 10.1.0.0 IBM Emptoris Sourcing 10.1.0, 10.1.1, and 10.1.3 is vulnerable to web cache poisoning, caused by improper input validation by modifying HTTP request headers. | 6.5 |
2021-01-07 | CVE-2020-26977 | Mozilla | Unspecified vulnerability in Mozilla Firefox 80.0/83.0 By attempting to connect a website using an unresponsive port, an attacker could have controlled the content of a tab while the URL bar displayed the original domain. | 6.5 |
2021-01-07 | CVE-2020-26976 | Mozilla Debian | When an HTTPS page was embedded in an HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing. | 6.5 |
2021-01-07 | CVE-2020-26975 | Mozilla | Unspecified vulnerability in Mozilla Firefox 80.0/83.0 When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. | 6.5 |
2021-01-06 | CVE-2020-8287 | Nodejs Debian Fedoraproject Oracle Siemens | HTTP Request Smuggling vulnerability in multiple products Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). | 6.5 |
2021-01-06 | CVE-2020-8274 | Citrix | Code Injection vulnerability in Citrix Secure Mail Citrix Secure Mail for Android before 20.11.0 suffers from Improper Control of Generation of Code ('Code Injection') by allowing unauthenticated access to read data stored within Secure Mail. | 6.5 |
2021-01-06 | CVE-2020-36174 | Ninjaforms | Cross-Site Request Forgery (CSRF) vulnerability in Ninjaforms Ninja Forms The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration. | 6.5 |
2021-01-06 | CVE-2021-21235 | Kamadak Exif Project | Infinite Loop vulnerability in Kamadak-Exif Project Kamadak-Exif 0.5.2 kamadak-exif is an exif parsing library written in pure Rust. | 6.5 |
2021-01-05 | CVE-2020-7336 | Mcafee | Cross-Site Request Forgery (CSRF) vulnerability in Mcafee Network Security Management 10.0/10.1.7.7/9.0 Cross Site Request Forgery vulnerability in McAfee Network Security Management (NSM) prior to 10.1.7.35 and NSM 9.x prior to 9.2.9.55 may allow an attacker to change the configuration of the Network Security Manager via a carefully crafted HTTP request. | 6.5 |
2021-01-05 | CVE-2020-29490 | Dell | Resource Exhaustion vulnerability in Dell products Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contain a Denial of Service vulnerability on NAS Servers with NFS exports. | 6.5 |
2021-01-08 | CVE-2021-1061 | Nvidia | Race Condition vulnerability in Nvidia Virtual GPU Manager NVIDIA vGPU manager contains a vulnerability in the vGPU plugin, in which a race condition may cause the vGPU plugin to continue using a previously validated resource that has since changed, which may lead to denial of service or information disclosure. | 6.3 |
2021-01-08 | CVE-2020-5020 | IBM | Improper Restriction of Rendered UI Layers or Frames vulnerability in IBM Spectrum Protect Plus IBM Spectrum Protect Plus 10.1.0 through 10.1.6 could allow a remote attacker to hijack the clicking action of the victim. | 6.1 |
2021-01-08 | CVE-2020-16030 | Google | Cross-site Scripting vulnerability in Google Chrome Insufficient data validation in Blink in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. | 6.1 |
2021-01-07 | CVE-2020-25476 | Liferay | Cross-site Scripting vulnerability in Liferay Portal 7.1.3/7.2.1 Liferay CMS Portal version 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. | 6.1 |
2021-01-07 | CVE-2020-26979 | Mozilla | Open Redirect vulnerability in Mozilla Firefox When a user typed a URL in the address bar or the search bar and quickly hit the enter key, a website could sometimes capture that event and then redirect the user before navigation occurred to the desired, entered address. | 6.1 |
2021-01-07 | CVE-2020-26978 | Mozilla | Unspecified vulnerability in Mozilla Firefox ESR Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. | 6.1 |
2021-01-07 | CVE-2020-26768 | Formstone | Cross-site Scripting vulnerability in Formstone Formstone <=1.4.16 is vulnerable to a Reflected Cross-Site Scripting (XSS) vulnerability caused by improper validation of user supplied input in the upload-target.php and upload-chunked.php files. | 6.1 |
2021-01-07 | CVE-2020-24903 | Cutesoft | Cross-site Scripting vulnerability in Cutesoft Cute Editor 6.4 Cute Editor for ASP.NET 6.4 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. | 6.1 |
2021-01-07 | CVE-2020-24902 | Quixplorer Project | Cross-site Scripting vulnerability in Quixplorer Project Quixplorer Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. | 6.1 |
2021-01-07 | CVE-2020-24901 | Krpano | Cross-site Scripting vulnerability in Krpano The default installation of Krpano Panorama Viewer version <=1.20.8 is vulnerable to Reflected XSS due to insecure remote js load in file viewer/krpano.html, parameter plugin[test].url. | 6.1 |
2021-01-07 | CVE-2020-24900 | Krpano | Cross-site Scripting vulnerability in Krpano The default installation of Krpano Panorama Viewer version <=1.20.8 is prone to Reflected XSS due to insecure XML load in file /viewer/krpano.html, parameter xml. | 6.1 |
2021-01-06 | CVE-2020-35262 | Digisol | Cross-site Scripting vulnerability in Digisol Dg-Hr3400 Firmware Cross Site Scripting (XSS) vulnerability in Digisol DG-HR3400 can be exploited via the NTP server name in Time and date module and "Keyword" in URL Filter. | 6.1 |
2021-01-06 | CVE-2020-8264 | Rubyonrails | Cross-site Scripting vulnerability in Rubyonrails Rails In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. | 6.1 |
2021-01-06 | CVE-2020-8160 | Mendix | Cross-site Scripting vulnerability in Mendix Mendixsso 2.0.0/2.1.0/2.1.1 MendixSSO <= 2.1.1 contains endpoints that make use of the openid handler, which is suffering from a Cross-Site Scripting vulnerability via the URL path. | 6.1 |
2021-01-06 | CVE-2020-36172 | Advancedcustomfields | Cross-site Scripting vulnerability in Advancedcustomfields Advanced Custom Fields The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandles the escaping of strings in Select2 dropdowns, potentially leading to XSS. | 6.1 |
2021-01-06 | CVE-2020-36171 | Elementor | Cross-site Scripting vulnerability in Elementor Website Builder The Elementor Website Builder plugin before 3.0.14 for WordPress does not properly restrict SVG uploads. | 6.1 |
2021-01-05 | CVE-2021-3026 | Invisioncommunity | Cross-site Scripting vulnerability in Invisioncommunity IPS Community Suite 4.5.2/4.5.3/4.5.4 Invision Community IPS Community Suite before 4.5.4.2 allows XSS during the quoting of a post or comment. | 6.1 |
2021-01-04 | CVE-2020-29498 | Dell | Open Redirect vulnerability in Dell Wyse Management Suite Dell Wyse Management Suite versions prior to 3.1 contain an open redirect vulnerability. | 6.1 |
2021-01-04 | CVE-2021-3014 | Mikrotik | Cross-site Scripting vulnerability in Mikrotik Routeros In MikroTik RouterOS through 2021-01-04, the hotspot login page is vulnerable to reflected XSS via the target parameter. | 6.1 |
2021-01-04 | CVE-2020-26297 | Rust Lang | Unspecified vulnerability in Rust-Lang Mdbook mdBook is a utility to create modern online books from Markdown files and is written in Rust. | 6.1 |
2021-01-04 | CVE-2020-26293 | Htmlsanitizer Project | Cross-site Scripting vulnerability in Htmlsanitizer Project Htmlsanitizer HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. | 6.1 |
2021-01-04 | CVE-2020-35494 | GNU Fedoraproject Netapp Broadcom | There's a flaw in binutils /opcodes/tic4x-dis.c. | 6.1 |
2021-01-07 | CVE-2020-4893 | IBM | Cleartext Transmission of Sensitive Information vulnerability in IBM Emptoris Strategic Supply Management IBM Emptoris Strategic Supply Management 10.1.0, 10.1.1, and 10.1.3 transmits sensitive information in HTTP GET request parameters. | 5.9 |
2021-01-04 | CVE-2019-25013 | GNU Fedoraproject Netapp Broadcom Debian | Out-of-bounds Read vulnerability in multiple products The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read. | 5.9 |
2021-01-08 | CVE-2020-5017 | IBM | Unspecified vulnerability in IBM Spectrum Protect 10.1.0/10.1.5/10.1.6 IBM Spectrum Protect Plus 10.1.0 through 10.1.6 may allow a local user to obtain access to information beyond their intended role and permissions. | 5.5 |
2021-01-08 | CVE-2021-1066 | Nvidia | Improper Input Validation vulnerability in Nvidia Virtual GPU Manager NVIDIA vGPU manager contains a vulnerability in the vGPU plugin, in which input data is not validated, which may lead to unexpected consumption of resources, which in turn may lead to denial of service. | 5.5 |
2021-01-08 | CVE-2021-1054 | Nvidia | Incorrect Authorization vulnerability in Nvidia GPU Driver NVIDIA GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which the software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action, which may lead to denial of service. | 5.5 |
2021-01-08 | CVE-2021-1053 | Nvidia | Improper Input Validation vulnerability in Nvidia GPU Driver NVIDIA GPU Display Driver for Windows and Linux, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape or IOCTL in which improper validation of a user pointer may lead to denial of service. | 5.5 |
2021-01-06 | CVE-2021-21236 | Courtbouillon | Unspecified vulnerability in Courtbouillon Cairosvg CairoSVG is a Python (pypi) package. | 5.5 |
2021-01-05 | CVE-2021-3022 | Google | Unspecified vulnerability in Google Android 10.0 An issue was discovered on LG mobile devices with Android OS 10 software. | 5.5 |
2021-01-05 | CVE-2021-22495 | Google | Out-of-bounds Write vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), Q(10.0), and R(11.0) (Exynos chipsets) software. | 5.5 |
2021-01-05 | CVE-2021-22494 | Google | Unspecified vulnerability in Google Android 10.0 An issue was discovered in the fingerprint scanner on Samsung Note20 mobile devices with Q(10.0) software. | 5.5 |
2021-01-05 | CVE-2020-27845 | Uclouvain Fedoraproject Debian Oracle | There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions prior to 2.4.0. | 5.5 |
2021-01-05 | CVE-2020-27843 | Uclouvain Fedoraproject Oracle Debian | Out-of-bounds Read vulnerability in multiple products A flaw was found in OpenJPEG in versions prior to 2.4.0. | 5.5 |
2021-01-05 | CVE-2020-27842 | Uclouvain Fedoraproject Debian Redhat Oracle | There's a flaw in openjpeg's t2 encoder in versions prior to 2.4.0. | 5.5 |
2021-01-05 | CVE-2020-27841 | Uclouvain Fedoraproject Debian Oracle | There's a flaw in openjpeg in versions prior to 2.4.0 in src/lib/openjp2/pi.c. | 5.5 |
2021-01-04 | CVE-2020-35507 | GNU Redhat Netapp Broadcom | There's a flaw in bfd_pef_parse_function_stubs of bfd/pef.c in binutils in versions prior to 2.34 which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. | 5.5 |
2021-01-04 | CVE-2020-35496 | GNU Fedoraproject Netapp Broadcom | There's a flaw in bfd_pef_scan_start_address() of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. | 5.5 |
2021-01-04 | CVE-2020-35495 | GNU Fedoraproject Netapp Broadcom | There's a flaw in binutils /bfd/pef.c. | 5.5 |
2021-01-04 | CVE-2020-35493 | GNU Fedoraproject Netapp Broadcom | A flaw exists in binutils in bfd/pef.c. | 5.5 |
2021-01-08 | CVE-2020-4733 | IBM | Cross-site Scripting vulnerability in IBM products IBM Jazz Foundation products are vulnerable to cross-site scripting. | 5.4 |
2021-01-08 | CVE-2020-4697 | IBM | Cross-site Scripting vulnerability in IBM products IBM Jazz Foundation products are vulnerable to cross-site scripting. | 5.4 |
2021-01-08 | CVE-2020-4691 | IBM | Cross-site Scripting vulnerability in IBM products IBM Jazz Foundation Products are vulnerable to cross-site scripting. | 5.4 |
2021-01-08 | CVE-2020-27262 | Innokasmedical | Cross-site Scripting vulnerability in Innokasmedical Vital Signs Monitor Vc150 Firmware Innokas Yhtymä Oy Vital Signs Monitor VC150 prior to Version 1.7.15 A stored cross-site scripting (XSS) vulnerability exists in the affected products that allow an attacker to inject arbitrary web script or HTML via the filename parameter to multiple update endpoints of the administrative web interface. | 5.4 |
2021-01-08 | CVE-2020-4666 | IBM | Cross-site Scripting vulnerability in IBM Engineering Requirements Quality Assistant On-Premises IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. | 5.4 |
2021-01-08 | CVE-2020-4664 | IBM | Cross-site Scripting vulnerability in IBM Engineering Requirements Quality Assistant On-Premises IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. | 5.4 |
2021-01-08 | CVE-2020-4663 | IBM | Cross-site Scripting vulnerability in IBM Engineering Requirements Quality Assistant On-Premises IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. | 5.4 |
2021-01-07 | CVE-2020-4895 | IBM | Cross-site Scripting vulnerability in IBM Emptoris Strategic Supply Management IBM Emptoris Strategic Supply Management 10.1.0, 10.1.1, and 10.1.3 is vulnerable to stored cross-site scripting. | 5.4 |
2021-01-07 | CVE-2020-4892 | IBM | Cross-site Scripting vulnerability in IBM Emptoris Contract Management 10.1.3.0 IBM Emptoris Contract Management 10.1.3 is vulnerable to cross-site scripting. | 5.4 |
2021-01-07 | CVE-2020-25680 | Redhat | Unspecified vulnerability in Redhat Jboss Core Services Httpd 2.4.37 A flaw was found in JBCS httpd in version 2.4.37 SP3, where it uses a back-end worker SSL certificate for which the keystore file's ID is 'unknown'. | 5.4 |
2021-01-06 | CVE-2020-8281 | Nextcloud | Cross-site Scripting vulnerability in Nextcloud Contacts A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks. | 5.4 |
2021-01-06 | CVE-2020-8280 | Nextcloud | Cross-site Scripting vulnerability in Nextcloud Contacts A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks. | 5.4 |
2021-01-06 | CVE-2019-16962 | Zohocorp | Cross-site Scripting vulnerability in Zohocorp Manageengine Desktop Central 10.0.430 Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a modified Report Name in a New Custom Report. | 5.4 |
2021-01-06 | CVE-2019-16954 | Solarwinds | Cross-site Scripting vulnerability in Solarwinds web Help Desk 12.7.0 SolarWinds Web Help Desk 12.7.0 allows HTML injection via a Comment in a Help Request ticket. | 5.4 |
2021-01-05 | CVE-2020-35170 | Dell | Cross-site Scripting vulnerability in Dell Powermax OS and Unisphere Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions prior to 9.0.2.16, and Dell EMC PowerMax OS 5978.221.221 and 5978.479.479 contain a Cross-Site Scripting (XSS) vulnerability. | 5.4 |
2021-01-05 | CVE-2019-20483 | Vikisolutions | Cross-site Scripting vulnerability in Vikisolutions Vera 4.9.1.26180 An issue was discovered in Viki Vera 4.9.1.26180. | 5.4 |
2021-01-05 | CVE-2020-26046 | Thedaylightstudio | Cross-site Scripting vulnerability in Thedaylightstudio Fuel CMS 1.4.11 FUEL CMS 1.4.11 has stored XSS in Blocks/Navigation/Site variables. | 5.4 |
2021-01-04 | CVE-2020-29497 | Dell | Cross-site Scripting vulnerability in Dell Wyse Management Suite Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. | 5.4 |
2021-01-04 | CVE-2019-16960 | Solarwinds | Cross-site Scripting vulnerability in Solarwinds web Help Desk 12.7.0 SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file with a crafted Location Name field. | 5.4 |
2021-01-04 | CVE-2019-16956 | Solarwinds | Cross-site Scripting vulnerability in Solarwinds web Help Desk 12.7.0 SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type parameter of a ticket. | 5.4 |
2021-01-09 | CVE-2020-5147 | Sonicwall | Unquoted Search Path or Element vulnerability in Sonicwall Netextender The SonicWall NetExtender Windows client is vulnerable to an unquoted service path vulnerability, which allows a local attacker to gain elevated privileges in the host operating system. | 5.3 |
2021-01-08 | CVE-2020-5022 | IBM | Missing Authorization vulnerability in IBM Spectrum Protect Plus IBM Spectrum Protect Plus 10.1.0 through 10.1.6 may allow unauthenticated and unauthorized access to VDAP proxy which can result in an attacker obtaining information they are not authorized to access. | 5.3 |
2021-01-08 | CVE-2020-28208 | Rocket Chat | Information Exposure Through Discrepancy vulnerability in Rocket.Chat An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1. | 5.3 |
2021-01-08 | CVE-2020-27260 | Innokasmedical | Injection vulnerability in Innokasmedical Vital Signs Monitor Vc150 Firmware Innokas Yhtymä Oy Vital Signs Monitor VC150 prior to Version 1.7.15 HL7 v2.x injection vulnerabilities exist in the affected products that allow physically proximate attackers with a connected barcode reader to inject HL7 v2.x segments into specific HL7 v2.x messages via multiple expected parameters. | 5.3 |
2021-01-08 | CVE-2021-1055 | Nvidia | Unspecified vulnerability in Nvidia GPU Driver NVIDIA GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which improper access control may lead to denial of service and information disclosure. | 5.3 |
2021-01-07 | CVE-2021-23242 | Mercusys | Path Traversal vulnerability in Mercusys Mercury X18G Firmware 1.0.5 MERCUSYS Mercury X18G 1.0.5 devices allow Directory Traversal via ../ to the UPnP server, as demonstrated by the /../../conf/template/uhttpd.json URI. | 5.3 |
2021-01-07 | CVE-2021-23241 | Mercusys | Path Traversal vulnerability in Mercusys Mercury X18G Firmware 1.0.5 MERCUSYS Mercury X18G 1.0.5 devices allow Directory Traversal via ../ in conjunction with a loginLess or login.htm URI (for authentication bypass) to the web server, as demonstrated by the /loginLess/../../etc/passwd URI. | 5.3 |
2021-01-07 | CVE-2020-4897 | IBM | Information Exposure Through an Error Message vulnerability in IBM products IBM Emptoris Contract Management and IBM Emptoris Spend Analysis 10.1.0, 10.1.1, and 10.1.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 5.3 |
2021-01-07 | CVE-2018-18689 | Avanquest Foxitsoftware Gonitro Iskysoft PDF Xchange Pdfforge Qoppa Sodapdf Soft Xpansion Tracker Software Visagesoft | Improper Verification of Cryptographic Signature vulnerability in multiple products The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. | 5.3 |
2021-01-07 | CVE-2018-18688 | Code Industry Foxitsoftware Gonitro Iskysoft Libreoffice Nuance Qoppa Soft Xpansion | Improper Verification of Cryptographic Signature vulnerability in multiple products The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. | 5.3 |
2021-01-06 | CVE-2020-29041 | Sesame System | Unspecified vulnerability in Sesame-System Web-Sesame 2020.1.1.3375 A misconfiguration in Web-Sesame 2020.1.1.3375 allows an unauthenticated attacker to download the source code of the application, facilitating its comprehension (code review). | 5.3 |
2021-01-06 | CVE-2020-27283 | Redlion | Improper Resource Shutdown or Release vulnerability in Redlion Crimson 3.1 An attacker could send a specially crafted message to Crimson 3.1 (Build versions prior to 3119.001) that could leak arbitrary memory locations. | 5.3 |
2021-01-06 | CVE-2020-36175 | Ninjaforms | Improper Input Validation vulnerability in Ninjaforms Ninja Forms The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field. | 5.3 |
2021-01-06 | CVE-2020-36173 | Ninjaforms | Improper Encoding or Escaping of Output vulnerability in Ninjaforms Ninja Forms The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields. | 5.3 |
2021-01-06 | CVE-2020-36170 | Ultimatemember | Unspecified vulnerability in Ultimatemember Ultimate Member The Ultimate Member plugin before 2.1.13 for WordPress mishandles hidden name="timestamp" fields in forms. | 5.3 |
2021-01-06 | CVE-2020-4336 | IBM | Information Exposure vulnerability in IBM Websphere Extreme Scale IBM WebSphere eXtreme Scale 8.6.1 stores sensitive information in URL parameters. | 5.3 |
2021-01-05 | CVE-2020-36159 | Veritas | Unspecified vulnerability in Veritas Desktop and Laptop Option Veritas Desktop and Laptop Option (DLO) before 9.5 disclosed operational information on the backup processing status through a URL that did not require authentication. | 5.3 |
2021-01-05 | CVE-2020-7202 | HP | Unspecified vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5 A potential security vulnerability has been identified in HPE Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 4 (iLO 4) firmware. | 5.3 |
2021-01-05 | CVE-2020-4761 | IBM | Information Exposure Through an Error Message vulnerability in IBM Sterling B2B Integrator IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5_2, 6.0.0.0 through 6.0.3.2, and 6.1.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 5.3 |
2021-01-04 | CVE-2020-26294 | Target | Unspecified vulnerability in Target Compiler Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. | 5.3 |
2021-01-08 | CVE-2021-3111 | Concretecms | Cross-site Scripting vulnerability in Concretecms Concrete CMS The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI. | 4.8 |
2021-01-06 | CVE-2020-25498 | Beetel | Cross-site Scripting vulnerability in Beetel 777Vr1 Firmware Cross Site Scripting (XSS) vulnerability in Beetel router 777VR1 can be exploited via the NTP server name in System Time and "Keyword" in URL Filter. | 4.8 |
2021-01-04 | CVE-2020-29496 | Dell | Cross-site Scripting vulnerability in Dell Wyse Management Suite Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. | 4.8 |
2021-01-04 | CVE-2020-4916 | IBM | Cross-site Scripting vulnerability in IBM Cloud PAK System IBM Cloud Pak System 2.3 is vulnerable to cross-site scripting. | 4.8 |
2021-01-04 | CVE-2020-4910 | IBM | Cross-site Scripting vulnerability in IBM Cloud PAK System IBM Cloud Pak System 2.3 is vulnerable to cross-site scripting. | 4.8 |
2021-01-04 | CVE-2020-4909 | IBM | Cross-site Scripting vulnerability in IBM Cloud PAK System IBM Cloud Pak System 2.3 is vulnerable to cross-site scripting. | 4.8 |
2021-01-04 | CVE-2021-21494 | MK Auth | Incorrect Permission Assignment for Critical Resource vulnerability in Mk-Auth 19.01 MK-AUTH through 19.01 K4.9 allows XSS via the admin/logs_ajax.php tipo parameter. | 4.8 |
2021-01-05 | CVE-2020-23249 | Gigamon | Cleartext Storage of Sensitive Information vulnerability in Gigamon Gigavue-Os GigaVUE-OS (GVOS) 5.4 - 5.9 stores a Redis database password in plaintext. | 4.7 |
2021-01-08 | CVE-2020-5021 | IBM | Session Fixation vulnerability in IBM Spectrum Protect Plus IBM Spectrum Protect Plus 10.1.0 through 10.1.6 does not invalidate session after a password reset which could allow a local user to impersonate another user on the system. | 4.4 |
2021-01-08 | CVE-2020-25678 | Redhat Fedoraproject | A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. | 4.4 |
2021-01-08 | CVE-2020-4606 | IBM | XXE vulnerability in IBM Security Verify Privilege Manager IBM Security Verify Privilege Manager 10.8 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. | 4.4 |
2021-01-07 | CVE-2020-27835 | Linux | Unspecified vulnerability in Linux Infiniband Hfi1 Driver 5.10 A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the way a user calls ioctl after opening the dev file and forking. | 4.4 |
2021-01-04 | CVE-2020-4918 | IBM | Authorization Bypass Through User-Controlled Key vulnerability in IBM Cloud PAK System IBM Cloud Pak System 2.3 could allow a local privileged user to disclose sensitive information due to an insecure direct object reference in the self service console for the Platform System Manager. | 4.4 |
2021-01-04 | CVE-2020-4913 | IBM | Insufficiently Protected Credentials vulnerability in IBM Cloud PAK System IBM Cloud Pak System 2.3 could reveal credential information in the HTTP response to a local privileged user. | 4.4 |
2021-01-08 | CVE-2020-4544 | IBM | Information Exposure Through an Error Message vulnerability in IBM products IBM Jazz Foundation Products could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 4.3 |
2021-01-08 | CVE-2020-4487 | IBM | Information Exposure Through an Error Message vulnerability in IBM products IBM Jazz Foundation Products could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 4.3 |
2021-01-08 | CVE-2020-16034 | Google | Unspecified vulnerability in Google Chrome Inappropriate implementation in WebRTC in Google Chrome prior to 87.0.4280.66 allowed a local attacker to bypass policy restrictions via a crafted HTML page. | 4.3 |
2021-01-08 | CVE-2020-16033 | Google | Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Chrome Inappropriate implementation in WebUSB in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to spoof security UI via a crafted HTML page. | 4.3 |
2021-01-08 | CVE-2020-16032 | Google | Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Chrome Insufficient data validation in sharing in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 4.3 |
2021-01-08 | CVE-2020-16031 | Google | Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Chrome Insufficient data validation in UI in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 4.3 |
2021-01-08 | CVE-2020-16012 | Mozilla | Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 4.3 |
2021-01-08 | CVE-2020-4667 | IBM | Improper Input Validation vulnerability in IBM Engineering Requirements Quality Assistant On-Premises IBM Engineering Requirements Quality Assistant On-Premises could allow an authenticated user to obtain sensitive information due to improper input validation. | 4.3 |
2021-01-08 | CVE-2020-25950 | Totalonlinesolutions | Cross-Site Request Forgery (CSRF) vulnerability in Totalonlinesolutions Advanced Webhost Billing System 3.7.0 Advanced Webhost Billing System 3.7.0 is affected by Cross Site Request Forgery (CSRF) attacks that can delete a contact from the My Additional Contact page. | 4.3 |
2021-01-07 | CVE-2020-35111 | Mozilla | Unspecified vulnerability in Mozilla Firefox ESR When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. | 4.3 |
2021-01-06 | CVE-2020-8275 | Citrix | Improper Privilege Management vulnerability in Citrix Secure Mail Citrix Secure Mail for Android before 20.11.0 suffers from improper access control allowing unauthenticated access to read limited calendar related data stored within Secure Mail. | 4.3 |
2021-01-07 | CVE-2021-3011 | Yubico NXP Ftsafe | Always-Incorrect Control Flow Implementation vulnerability in multiple products An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. | 4.2 |
2 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-01-04 | CVE-2020-4919 | IBM | Unspecified vulnerability in IBM Cloud PAK System IBM Cloud Pak System 2.3 has insufficient logout controls which could allow an authenticated privileged user to impersonate another user on the system. | 3.8 |
2021-01-05 | CVE-2020-23250 | Gigamon | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Gigamon Gigavue-Os GigaVUE-OS (GVOS) 5.4 - 5.9 uses a weak algorithm for a hash stored in an internal database. | 2.3 |