Weekly Vulnerabilities Reports > January 11 to 17, 2021

Overview

410 new vulnerabilities reported during this period, including 43 critical vulnerabilities and 206 high severity vulnerabilities. This weekly summary report vulnerabilities in 306 products from 110 vendors including Cisco, Siemens, SAP, Google, and IBM. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Cross-site Scripting", "OS Command Injection", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Deserialization of Untrusted Data".

  • 328 reported vulnerabilities are remotely exploitables.
  • 6 reported vulnerabilities have public exploit available.
  • 131 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 207 reported vulnerabilities are exploitable by an anonymous user.
  • Cisco has the most reported vulnerabilities, with 96 reported vulnerabilities.
  • Huawei has the most reported critical vulnerabilities, with 6 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

43 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-01-14 CVE-2020-29495 Dell OS Command Injection vulnerability in Dell products

DELL EMC Avamar Server, versions 19.1, 19.2, 19.3, contain an OS Command Injection Vulnerability in Fitness Analyzer.

10.0
2021-01-12 CVE-2021-21465 SAP SQL Injection vulnerability in SAP Business Warehouse

The BW Database Interface allows an attacker with low privileges to execute any crafted database queries, exposing the backend database.

9.9
2021-01-15 CVE-2021-21245 Onedev Project Unspecified vulnerability in Onedev Project Onedev

OneDev is an all-in-one devops platform.

9.8
2021-01-15 CVE-2021-21242 Onedev Project Deserialization of Untrusted Data vulnerability in Onedev Project Onedev

OneDev is an all-in-one devops platform.

9.8
2021-01-15 CVE-2021-21244 Onedev Project Code Injection vulnerability in Onedev Project Onedev

OneDev is an all-in-one devops platform.

9.8
2021-01-15 CVE-2021-21243 Onedev Project Deserialization of Untrusted Data vulnerability in Onedev Project Onedev

OneDev is an all-in-one devops platform.

9.8
2021-01-15 CVE-2020-24640 Arubanetworks Unspecified vulnerability in Arubanetworks Airwave Glass

There is a vulnerability caused by insufficient input validation that allows for arbitrary command execution in a containerized environment within Airwave Glass before 1.3.3.

9.8
2021-01-15 CVE-2020-24639 Arubanetworks Deserialization of Untrusted Data vulnerability in Arubanetworks Airwave Glass

There is a vulnerability caused by unsafe Java deserialization that allows for arbitrary command execution in a containerized environment within Airwave Glass before 1.3.3.

9.8
2021-01-14 CVE-2020-29493 Dell SQL Injection vulnerability in Dell products

DELL EMC Avamar Server, versions 19.1, 19.2, 19.3, contain a SQL Injection Vulnerability in Fitness Analyzer.

9.8
2021-01-14 CVE-2020-29016 Fortinet Out-of-bounds Write vulnerability in Fortinet Fortiweb

A stack-based buffer overflow vulnerability in FortiWeb 6.3.0 through 6.3.5 and version before 6.2.4 may allow an unauthenticated, remote attacker to overwrite the content of the stack and potentially execute arbitrary code by sending a crafted request with a large certname.

9.8
2021-01-14 CVE-2020-29015 Fortinet SQL Injection vulnerability in Fortinet Fortiweb

A blind SQL injection in the user interface of FortiWeb 6.3.0 through 6.3.7 and version before 6.2.4 may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement.

9.8
2021-01-14 CVE-2021-20618 Acmailer Improper Privilege Management vulnerability in Acmailer and Acmailer DB

Privilege chaining vulnerability in acmailer ver.

9.8
2021-01-14 CVE-2021-20617 Acmailer Unspecified vulnerability in Acmailer and Acmailer DB

Improper access control vulnerability in acmailer ver.

9.8
2021-01-14 CVE-2020-27265 PTC
GE
Rockwellautomation
Softwaretoolbox
Out-of-bounds Write vulnerability in multiple products

KEPServerEX: v6.0 to v6.9, ThingWorx Kepware Server: v6.8 and v6.9, ThingWorx Industrial Connectivity: All versions, OPC-Aggregator: All versions, Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server: v7.68.804 and v7.66, Software Toolbox TOP Server: All 6.x versions are vulnerable to a stack-based buffer overflow.

9.8
2021-01-13 CVE-2020-9140 Huawei Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Huawei Emui and Magic UI

There is a vulnerability with buffer access with incorrect length value in some Huawei Smartphone.Unauthorized users may trigger code execution when a buffer overflow occurs.

9.8
2021-01-13 CVE-2020-27488 Loxone Improper Authentication vulnerability in Loxone Miniserver GEN 1 Firmware

Loxone Miniserver devices with firmware before 11.1 (aka 11.1.9.3) are unable to use an authentication method that is based on the "signature of the update package." Therefore, these devices (or attackers who are spoofing these devices) can continue to use an unauthenticated cloud service for an indeterminate time period (possibly forever).

9.8
2021-01-13 CVE-2020-9144 Huawei Out-of-bounds Write vulnerability in Huawei Emui and Magic UI

There is a heap overflow vulnerability in some Huawei smartphone, attackers can exploit this vulnerability to cause heap overflows due to improper restriction of operations within the bounds of a memory buffer.

9.8
2021-01-13 CVE-2020-23653 Thinkadmin Deserialization of Untrusted Data vulnerability in Thinkadmin 4.0/5.0/6.0

An insecure unserialize vulnerability was discovered in ThinkAdmin versions 4.x through 6.x in app/admin/controller/api/Update.php and app/wechat/controller/api/Push.php, which may lead to arbitrary remote code execution.

9.8
2021-01-13 CVE-2021-3028 GIT BIG Picture Project Improper Input Validation vulnerability in Git-Big-Picture Project Git-Big-Picture

git-big-picture before 1.0.0 mishandles ' characters in a branch name, leading to code execution.

9.8
2021-01-13 CVE-2021-23899 Owasp XXE vulnerability in Owasp Json-Sanitizer

OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input.

9.8
2021-01-13 CVE-2020-5685 NEC OS Command Injection vulnerability in NEC Univerge Sv8500 Firmware and Univerge Sv9500 Firmware

UNIVERGE SV9500 series from V1 to V7and SV8500 series from S6 to S8 allows an attacker to execute arbitrary OS commands or cause a denial-of-service (DoS) condition by sending a specially crafted request to a specific URL.

9.8
2021-01-13 CVE-2020-5633 NEC Improper Authentication vulnerability in NEC Baseboard Management Controller 1.07/1.09

Multiple NEC products (Express5800/T110j, Express5800/T110j-S, Express5800/T110j (2nd-Gen), Express5800/T110j-S (2nd-Gen), iStorage NS100Ti, and Express5800/GT110j) where Baseboard Management Controller (BMC) firmware Rev1.09 and earlier is applied allows remote attackers to bypass authentication and then obtain/modify BMC setting information, obtain monitoring information, or reboot/shut down the vulnerable product via unspecified vectors.

9.8
2021-01-12 CVE-2020-25226 Siemens Unspecified vulnerability in Siemens products

A vulnerability has been identified in SCALANCE X-200 switch family (incl.

9.8
2021-01-12 CVE-2020-15800 Siemens Unspecified vulnerability in Siemens products

A vulnerability has been identified in SCALANCE X-200 switch family (incl.

9.8
2021-01-12 CVE-2021-3129 Facade Unspecified vulnerability in Facade Ignition

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents().

9.8
2021-01-12 CVE-2020-35458 Clusterlabs OS Command Injection vulnerability in Clusterlabs Hawk 2.2.012/2.3.012

An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x.

9.8
2021-01-12 CVE-2020-26712 Vanderbilt SQL Injection vulnerability in Vanderbilt Redcap 10.0.20/10.3.4

REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter.

9.8
2021-01-12 CVE-2020-14275 Hcltechsw Unspecified vulnerability in Hcltechsw HCL Commerce

Security vulnerability in HCL Commerce 9.0.0.5 through 9.0.0.13, 9.0.1.0 through 9.0.1.14 and 9.1 through 9.1.4 could allow denial of service, disclosure of user personal data, and performing of unauthorized administrative operations.

9.8
2021-01-12 CVE-2020-27637 R Project Path Traversal vulnerability in R-Project Cran 4.0.2

The R programming language’s default package manager CRAN is affected by a path traversal vulnerability that can lead to server compromise.

9.8
2021-01-11 CVE-2021-0316 Google Out-of-bounds Write vulnerability in Google Android

In avrc_pars_vendor_cmd of avrc_pars_tg.cc, there is a possible out of bounds write due to a missing bounds check.

9.8
2021-01-11 CVE-2020-0471 Google Improper Input Validation vulnerability in Google Android

In reassemble_and_dispatch of packet_fragmenter.cc, there is a possible way to inject packets into an encrypted Bluetooth connection due to improper input validation.

9.8
2021-01-11 CVE-2020-24027 Live555 Out-of-bounds Write vulnerability in Live555 Liblivemedia 20200625

In Live Networks, Inc., liblivemedia version 20200625, there is a potential buffer overflow bug in the server handling of a RTSP "PLAY" command, when the command specifies seeking by absolute time.

9.8
2021-01-11 CVE-2020-11995 Apache Deserialization of Untrusted Data vulnerability in Apache Dubbo

A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution.

9.8
2021-01-11 CVE-2021-3118 Medicalexpo SQL Injection vulnerability in Medicalexpo ECS Imaging 6.21.3/6.21.5

EVOLUCARE ECSIMAGING (aka ECS Imaging) through 6.21.5 has multiple SQL Injection issues in the login form and the password-forgotten form (such as /req_password_user.php?email=).

9.8
2021-01-11 CVE-2020-35205 Quest Server-Side Request Forgery (SSRF) vulnerability in Quest Policy Authority for Unified Communications 8.1.2.200

Server Side Request Forgery (SSRF) in Web Compliance Manager in Quest Policy Authority version 8.1.2.200 allows attackers to scan internal ports and make outbound connections via the initFile.jsp file.

9.8
2021-01-14 CVE-2020-16045 Google Use After Free vulnerability in Google Chrome

Use after Free in Payments in Google Chrome on Android prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

9.6
2021-01-14 CVE-2021-23926 Apache
Netapp
Debian
Oracle
XML Entity Expansion vulnerability in multiple products

The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input.

9.1
2021-01-14 CVE-2020-27267 PTC
GE
Rockwellautomation
Softwaretoolbox
Out-of-bounds Write vulnerability in multiple products

KEPServerEX v6.0 to v6.9, ThingWorx Kepware Server v6.8 and v6.9, ThingWorx Industrial Connectivity (all versions), OPC-Aggregator (all versions), Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server v7.68.804 and v7.66, and Software Toolbox TOP Server all 6.x versions, are vulnerable to a heap-based buffer overflow.

9.1
2021-01-14 CVE-2020-27263 PTC
GE
Rockwellautomation
Softwaretoolbox
Out-of-bounds Write vulnerability in multiple products

KEPServerEX: v6.0 to v6.9, ThingWorx Kepware Server: v6.8 and v6.9, ThingWorx Industrial Connectivity: All versions, OPC-Aggregator: All versions, Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server: v7.68.804 and v7.66, Software Toolbox TOP Server: All 6.x versions, are vulnerable to a heap-based buffer overflow.

9.1
2021-01-13 CVE-2020-9142 Huawei Out-of-bounds Write vulnerability in Huawei Emui and Magic UI

There is a heap base buffer overflow vulnerability in some Huawei smartphone.Successful exploitation of this vulnerability can cause heap overflow and memory overwriting when the system incorrectly processes the update file.

9.1
2021-01-13 CVE-2020-9141 Huawei Improper Privilege Management vulnerability in Huawei Emui and Magic UI

There is a improper privilege management vulnerability in some Huawei smartphone.

9.1
2021-01-13 CVE-2020-9139 Huawei Improper Input Validation vulnerability in Huawei Emui and Magic UI

There is a improper input validation vulnerability in some Huawei Smartphone.Successful exploit of this vulnerability can cause memory access errors and denial of service.

9.1
2021-01-13 CVE-2020-9145 Huawei Out-of-bounds Write vulnerability in Huawei Emui and Magic UI

There is an Out-of-bounds Write vulnerability in some Huawei smartphone.

9.1

206 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-01-15 CVE-2021-21251 Onedev Project Unspecified vulnerability in Onedev Project Onedev

OneDev is an all-in-one devops platform.

8.8
2021-01-15 CVE-2021-21249 Onedev Project Deserialization of Untrusted Data vulnerability in Onedev Project Onedev

OneDev is an all-in-one devops platform.

8.8
2021-01-15 CVE-2021-21248 Onedev Project Code Injection vulnerability in Onedev Project Onedev

OneDev is an all-in-one devops platform.

8.8
2021-01-15 CVE-2021-21247 Onedev Project Deserialization of Untrusted Data vulnerability in Onedev Project Onedev

OneDev is an all-in-one devops platform.

8.8
2021-01-14 CVE-2020-27220 Eclipse Missing Authorization vulnerability in Eclipse Hono

The Eclipse Hono AMQP and MQTT protocol adapters do not check whether an authenticated gateway device is authorized to receive command & control messages when it has subscribed only to commands for a specific device.

8.8
2021-01-14 CVE-2020-6572 Google Use After Free vulnerability in Google Chrome

Use after free in Media in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to execute arbitrary code via a crafted HTML page.

8.8
2021-01-14 CVE-2021-21261 Flatpak
Debian
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.
8.8
2021-01-14 CVE-2020-6776 Bosch Cross-Site Request Forgery (CSRF) vulnerability in Bosch Praesensa Firmware and Praesideo Firmware

A vulnerability in the web-based management interface of Bosch PRAESIDEO until and including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user (Cross-Site Request Forgery).

8.8
2021-01-14 CVE-2020-29018 Fortinet Use of Externally-Controlled Format String vulnerability in Fortinet Fortiweb

A format string vulnerability in FortiWeb 6.3.0 through 6.3.5 may allow an authenticated, remote attacker to read the content of memory and retrieve sensitive data via the redir parameter.

8.8
2021-01-14 CVE-2020-29017 Fortinet OS Command Injection vulnerability in Fortinet Fortideceptor 3.0.0/3.0.1/3.1.0

An OS command injection vulnerability in FortiDeceptor 3.1.0, 3.0.1, 3.0.0 may allow a remote authenticated attacker to execute arbitrary commands on the system by exploiting a command injection vulnerability on the Customization page.

8.8
2021-01-13 CVE-2021-1144 Cisco Incorrect Authorization vulnerability in Cisco Connected Mobile Experiences 10.6.0/10.6.1/10.6.2

A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system.

8.8
2021-01-12 CVE-2020-26996 Siemens Out-of-bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0).

8.8
2021-01-12 CVE-2020-26995 Siemens Unspecified vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0).

8.8
2021-01-12 CVE-2020-26994 Siemens Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0).

8.8
2021-01-12 CVE-2020-26991 Siemens Unspecified vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0.2), Teamcenter Visualization (All versions < V13.1.0.2).

8.8
2021-01-12 CVE-2020-26990 Siemens Unspecified vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Teamcenter Visualization (All versions < V13.1.0.1).

8.8
2021-01-12 CVE-2020-26988 Siemens Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0).

8.8
2021-01-12 CVE-2020-26987 Siemens Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0).

8.8
2021-01-12 CVE-2020-26986 Siemens Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0).

8.8
2021-01-12 CVE-2020-26985 Siemens Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0).

8.8
2021-01-12 CVE-2020-26984 Siemens Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0).

8.8
2021-01-12 CVE-2020-26983 Siemens Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0).

8.8
2021-01-12 CVE-2020-26982 Siemens Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0).

8.8
2021-01-12 CVE-2020-26980 Siemens Type Confusion vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0).

8.8
2021-01-12 CVE-2021-21466 SAP Code Injection vulnerability in SAP Business Warehouse and Bw/4Hana

SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network.

8.8
2021-01-12 CVE-2021-21463 SAP Out-of-bounds Read vulnerability in SAP 3D Visual Enterprise Viewer 9

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

8.8
2021-01-12 CVE-2021-21462 SAP Out-of-bounds Write vulnerability in SAP 3D Visual Enterprise Viewer 9

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

8.8
2021-01-12 CVE-2021-21461 SAP Out-of-bounds Write vulnerability in SAP 3D Visual Enterprise Viewer 9

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated BMP file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

8.8
2021-01-12 CVE-2021-21460 SAP Out-of-bounds Write vulnerability in SAP 3D Visual Enterprise Viewer 9

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated DIB file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

8.8
2021-01-12 CVE-2021-21459 SAP Out-of-bounds Write vulnerability in SAP 3D Visual Enterprise Viewer 9

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

8.8
2021-01-12 CVE-2021-21458 SAP Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP 3D Visual Enterprise Viewer 9

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

8.8
2021-01-12 CVE-2021-21457 SAP Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP 3D Visual Enterprise Viewer 9

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

8.8
2021-01-12 CVE-2021-21456 SAP Out-of-bounds Write vulnerability in SAP 3D Visual Enterprise Viewer 9

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated DIB file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

8.8
2021-01-12 CVE-2021-21455 SAP Out-of-bounds Write vulnerability in SAP 3D Visual Enterprise Viewer 9

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated DIB file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

8.8
2021-01-12 CVE-2021-21454 SAP Out-of-bounds Write vulnerability in SAP 3D Visual Enterprise Viewer 9

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated RLE file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

8.8
2021-01-12 CVE-2021-21453 SAP Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP 3D Visual Enterprise Viewer 9

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated RLE file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

8.8
2021-01-12 CVE-2021-21452 SAP Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP 3D Visual Enterprise Viewer 9

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated GIF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

8.8
2021-01-12 CVE-2021-21451 SAP Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP 3D Visual Enterprise Viewer 9

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated SGI file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

8.8
2021-01-12 CVE-2021-21450 SAP Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP 3D Visual Enterprise Viewer 9

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PSD file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

8.8
2021-01-12 CVE-2021-21449 SAP Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP 3D Visual Enterprise Viewer 9

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated IFF file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

8.8
2021-01-12 CVE-2020-35654 Python
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.

8.8
2021-01-11 CVE-2020-35701 Cacti
Fedoraproject
SQL Injection vulnerability in multiple products

An issue was discovered in Cacti 1.2.x through 1.2.16.

8.8
2021-01-11 CVE-2020-23960 Fork CMS Cross-Site Request Forgery (CSRF) vulnerability in Fork-Cms Fork CMS

Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Fork before 5.8.3 allows remote attackers to perform unauthorized actions as administrator to (1) approve the mass of the user's comments, (2) restoring a deleted user, (3) installing or running modules, (4) resetting the analytics, (5) pinging the mailmotor api, (6) uploading things to the media library, (7) exporting locale.

8.8
2021-01-11 CVE-2020-26118 Smartbear Deserialization of Untrusted Data vulnerability in Smartbear Collaborator

In SmartBear Collaborator Server through 13.3.13302, use of the Google Web Toolkit (GWT) API introduces a post-authentication Java deserialization vulnerability.

8.8
2021-01-11 CVE-2020-23630 Zzcms SQL Injection vulnerability in Zzcms 201910

A blind SQL injection vulnerability exists in zzcms ver201910 based on time (cookie injection).

8.8
2021-01-14 CVE-2020-29494 Dell Path Traversal vulnerability in Dell products

Dell EMC Avamar Server, versions 19.1, 19.2, 19.3, contain a Path Traversal Vulnerability in PDM.

8.7
2021-01-13 CVE-2021-21006 Adobe Unspecified vulnerability in Adobe Photoshop

Adobe Photoshop version 22.1 (and earlier) is affected by a heap buffer overflow vulnerability when handling a specially crafted font file.

8.6
2021-01-11 CVE-2021-3121 Golang
Hashicorp
Improper Validation of Array Index vulnerability in multiple products

An issue was discovered in GoGo Protobuf before 1.3.2.

8.6
2021-01-13 CVE-2021-21013 Adobe Unspecified vulnerability in Adobe Magento

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the customer API module.

8.1
2021-01-13 CVE-2019-4702 IBM Incorrect Permission Assignment for Critical Resource vulnerability in IBM Security Guardium Data Encrpytion 3.0.0.2

IBM Security Guardium Data Encryption (GDE) 3.0.0.2 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

8.1
2021-01-13 CVE-2021-3139 Tcmu Runner Project Path Traversal vulnerability in Tcmu-Runner Project Tcmu-Runner

In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy_locate_udev in tcmur_cmd_handler.c lacks a check for transport-layer restrictions, allowing remote attackers to read or write files via directory traversal in an XCOPY request.

8.1
2021-01-13 CVE-2020-28374 Linux
Fedoraproject
Debian
Path Traversal vulnerability in multiple products

In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3.

8.1
2021-01-13 CVE-2021-21605 Jenkins Path Traversal vulnerability in Jenkins

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file.

8.0
2021-01-13 CVE-2021-21604 Jenkins Deserialization of Untrusted Data vulnerability in Jenkins

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.

8.0
2021-01-15 CVE-2021-3162 Docker Improper Certificate Validation vulnerability in Docker

Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.

7.8
2021-01-15 CVE-2021-21237 GIT Large File Storage Project Unspecified vulnerability in GIT Large File Storage Project GIT Large File Storage

Git LFS is a command line extension for managing large files with Git.

7.8
2021-01-14 CVE-2020-16119 Linux
Canonical
Debian
Use After Free vulnerability in multiple products

Use-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener after being released.

7.8
2021-01-13 CVE-2021-1237 Cisco Uncontrolled Search Path Element vulnerability in Cisco Anyconnect Secure Mobility Client

A vulnerability in the Network Access Manager and Web Security Agent components of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL injection attack.

7.8
2021-01-13 CVE-2021-20616 Skygroup Uncontrolled Search Path Element vulnerability in Skygroup Skysea Client View

Untrusted search path vulnerability in the installer of SKYSEA Client View Ver.1.020.05b to Ver.16.001.01g allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

7.8
2021-01-13 CVE-2020-35686 Soundresearch Untrusted Search Path vulnerability in Soundresearch Dchu Model Software Component Modules 2.0.9.17

The SECOMN service in Sound Research DCHU model software component modules (APO) through 2.0.9.17, delivered on HP Windows 10 computers, may allow escalation of privilege via a fake DLL.

7.8
2021-01-12 CVE-2020-28386 Siemens Out-of-bounds Write vulnerability in Siemens Solid Edge Se2020/Se2021

A vulnerability has been identified in Solid Edge SE2020 (All Versions < SE2020MP12), Solid Edge SE2021 (All Versions < SE2021MP2).

7.8
2021-01-12 CVE-2020-28384 Siemens Out-of-bounds Write vulnerability in Siemens Solid Edge Se2020/Se2021

A vulnerability has been identified in Solid Edge SE2020 (All Versions < SE2020MP12), Solid Edge SE2021 (All Versions < SE2021MP2).

7.8
2021-01-12 CVE-2020-28383 Siemens Unspecified vulnerability in Siemens Jt2Go, Solid Edge and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Solid Edge SE2020 (All Versions < SE2020MP12), Solid Edge SE2021 (All Versions < SE2021MP2), Teamcenter Visualization (All versions < V13.1.0.1).

7.8
2021-01-12 CVE-2020-28382 Siemens Out-of-bounds Write vulnerability in Siemens Solid Edge Se2020/Se2021

A vulnerability has been identified in Solid Edge SE2020 (All Versions < SE2020MP12), Solid Edge SE2021 (All Versions < SE2021MP2).

7.8
2021-01-12 CVE-2020-28381 Siemens Out-of-bounds Write vulnerability in Siemens Solid Edge Se2020/Se2021

A vulnerability has been identified in Solid Edge SE2020 (All Versions < SE2020MP12), Solid Edge SE2021 (All Versions < SE2021MP2).

7.8
2021-01-12 CVE-2020-26993 Siemens Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0).

7.8
2021-01-12 CVE-2020-26992 Siemens Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0).

7.8
2021-01-12 CVE-2020-26989 Siemens Unspecified vulnerability in Siemens Jt2Go, Solid Edge and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Solid Edge SE2020 (All Versions < SE2020MP12), Solid Edge SE2021 (All Versions < SE2021MP2), Teamcenter Visualization (All versions < V13.1.0.1).

7.8
2021-01-12 CVE-2021-3134 Mubu Unspecified vulnerability in Mubu 2.2.1

Mubu 2.2.1 allows local users to gain privileges to execute commands, aka CNVD-2020-68878.

7.8
2021-01-12 CVE-2020-35459 Clusterlabs
Debian
OS Command Injection vulnerability in multiple products

An issue was discovered in ClusterLabs crmsh through 4.2.1.

7.8
2021-01-12 CVE-2021-23240 Sudo Project
Netapp
Fedoraproject
Link Following vulnerability in multiple products

selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target.

7.8
2021-01-12 CVE-2020-26050 Safervpn Uncontrolled Search Path Element vulnerability in Safervpn 5.0.3.3/5.0.4.15

SaferVPN for Windows Ver 5.0.3.3 through 5.0.4.15 could allow local privilege escalation from low privileged users to SYSTEM via a crafted openssl configuration file.

7.8
2021-01-11 CVE-2021-0318 Google Use After Free vulnerability in Google Android

In appendEventsToCacheLocked of SensorEventConnection.cpp, there is a possible out of bounds write due to a use-after-free.

7.8
2021-01-11 CVE-2021-0317 Google Incorrect Authorization vulnerability in Google Android

In createOrUpdate of Permission.java and related code, there is possible permission escalation due to a logic error.

7.8
2021-01-11 CVE-2021-0310 Google Use After Free vulnerability in Google Android 11.0

In LazyServiceRegistrar of LazyServiceRegistrar.cpp, there is a possible memory corruption due to a use after free.

7.8
2021-01-11 CVE-2021-0307 Google Unspecified vulnerability in Google Android 10.0/11.0

In updatePermissionSourcePackage of PermissionManagerService.java, there is a possible automatic runtime permission grant due to a confused deputy.

7.8
2021-01-11 CVE-2021-0306 Google Improper Privilege Management vulnerability in Google Android

In addAllPermissions of PermissionManagerService.java, there is a possible permissions bypass when upgrading major Android versions which allows an app to gain the android.permission.ACTIVITY_RECOGNITION permission without user confirmation.

7.8
2021-01-11 CVE-2020-27059 Google Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android

In onAuthenticated of AuthenticationClient.java, there is a possible tapjacking attack when requesting the user's fingerprint due to an overlaid window.

7.8
2021-01-11 CVE-2020-27293 Deltaww Type Confusion vulnerability in Deltaww Cncsoft-B 1.0.0.2

Delta Electronics CNCSoft-B Versions 1.0.0.2 and prior has a type confusion issue while processing project files, which may allow an attacker to execute arbitrary code.

7.8
2021-01-11 CVE-2020-27291 Deltaww Out-of-bounds Read vulnerability in Deltaww Cncsoft-B 1.0.0.2

Delta Electronics CNCSoft-B Versions 1.0.0.2 and prior is vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.

7.8
2021-01-11 CVE-2020-27289 Deltaww NULL Pointer Dereference vulnerability in Deltaww Cncsoft-B 1.0.0.2

Delta Electronics CNCSoft-B Versions 1.0.0.2 and prior has a null pointer dereference issue while processing project files, which may allow an attacker to execute arbitrary code.

7.8
2021-01-11 CVE-2020-27287 Deltaww Out-of-bounds Write vulnerability in Deltaww Cncsoft-B 1.0.0.2

Delta Electronics CNCSoft-B Versions 1.0.0.2 and prior is vulnerable to an out-of-bounds write while processing project files, which may allow an attacker to execute arbitrary code.

7.8
2021-01-11 CVE-2020-27281 Deltaww Out-of-bounds Write vulnerability in Deltaww Cncsoft Screeneditor

A stack-based buffer overflow may exist in Delta Electronics CNCSoft ScreenEditor versions 1.01.26 and prior when processing specially crafted project files, which may allow an attacker to execute arbitrary code.

7.8
2021-01-11 CVE-2020-27277 Deltaww NULL Pointer Dereference vulnerability in Deltaww Dopsoft 2.00.07/4.0.8.21/4.00.08.15

Delta Electronics DOPSoft Version 4.0.8.21 and prior has a null pointer dereference issue while processing project files, which may allow an attacker to execute arbitrary code.

7.8
2021-01-11 CVE-2020-27275 Deltaww Out-of-bounds Write vulnerability in Deltaww Dopsoft 2.00.07/4.0.8.21/4.00.08.15

Delta Electronics DOPSoft Version 4.0.8.21 and prior is vulnerable to an out-of-bounds write while processing project files, which may allow an attacker to execute arbitrary code.

7.8
2021-01-11 CVE-2018-9333 K7Computing Improper Privilege Management vulnerability in K7Computing products

K7Computing Pvt Ltd K7AntiVirus Premium 15.1.0.53 is affected by: Buffer Overflow.

7.8
2021-01-11 CVE-2018-9332 K7Computing Improper Privilege Management vulnerability in K7Computing products

K7Computing Pvt Ltd K7AntiVirus Premium 15.01.00.53 is affected by: Incorrect Access Control.

7.8
2021-01-11 CVE-2018-8726 K7Computing Classic Buffer Overflow vulnerability in K7Computing products

K7Computing Pvt Ltd K7Antivirus Premium 15.1.0.53 is affected by: Buffer Overflow.

7.8
2021-01-11 CVE-2018-8725 K7Computing Classic Buffer Overflow vulnerability in K7Computing products

K7Computing Pvt Ltd K7AntiVirus Premium 15.01.00.53 is affected by: Buffer Overflow.

7.8
2021-01-11 CVE-2018-8724 K7Computing Incorrect Authorization vulnerability in K7Computing products

K7Computing Pvt Ltd K7AntiVirus Premium 15.1.0.53 is affected by: Incorrect Access Control.

7.8
2021-01-11 CVE-2018-8044 K7Computing Incorrect Authorization vulnerability in K7Computing products

K7Computing Pvt Ltd K7Antivirus Premium 15.1.0.53 is affected by: Incorrect Access Control.

7.8
2021-01-11 CVE-2018-11010 K7Computing Out-of-bounds Write vulnerability in K7Computing products

A Buffer Overflow issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53.

7.8
2021-01-11 CVE-2018-11009 K7Computing Out-of-bounds Write vulnerability in K7Computing products

A Buffer Overflow issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53.

7.8
2021-01-11 CVE-2020-35483 Anydesk Uncontrolled Search Path Element vulnerability in Anydesk 5.4.2/6.0.8

AnyDesk before 6.1.0 on Windows, when run in portable mode on a system where the attacker has write access to the application directory, allows this attacker to compromise a local user account via a read-only setting for a Trojan horse gcapi.dll file.

7.8
2021-01-15 CVE-2020-35749 Presstigers Path Traversal vulnerability in Presstigers Simple Board JOB

Directory traversal vulnerability in class-simple_job_board_resume_download_handler.php in the Simple Board Job plugin 2.9.3 and earlier for WordPress allows remote attackers to read arbitrary files via the sjb_file parameter to wp-admin/post.php.

7.7
2021-01-12 CVE-2020-4079 Combodo Unspecified vulnerability in Combodo Itop

Combodo iTop is a web based IT Service Management tool.

7.7
2021-01-17 CVE-2021-3113 Netsia Forced Browsing vulnerability in Netsia Seba+ 0.16.1

Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request.

7.5
2021-01-15 CVE-2021-21246 Onedev Project Unspecified vulnerability in Onedev Project Onedev

OneDev is an all-in-one devops platform.

7.5
2021-01-15 CVE-2020-24641 Arubanetworks Server-Side Request Forgery (SSRF) vulnerability in Arubanetworks Airwave Glass

In Aruba AirWave Glass before 1.3.3, there is a Server-Side Request Forgery vulnerability through an unauthenticated endpoint that if successfully exploited can result in disclosure of sensitive information.

7.5
2021-01-15 CVE-2021-22167 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 12.1.

7.5
2021-01-15 CVE-2021-22166 Gitlab Resource Exhaustion vulnerability in Gitlab 13.7.0/13.7.1

An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method

7.5
2021-01-15 CVE-2020-35733 Erlang
Fedoraproject
Improper Certificate Validation vulnerability in multiple products

An issue was discovered in Erlang/OTP before 23.2.2.

7.5
2021-01-14 CVE-2020-26732 Skyworth Missing Encryption of Sensitive Data vulnerability in Skyworth Gn542Vf BOA Firmware 0.94.13

SKYWORTH GN542VF Hardware Version 2.0 and Software Version 2.0.0.16 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

7.5
2021-01-14 CVE-2021-3138 Discourse Improper Restriction of Excessive Authentication Attempts vulnerability in Discourse

In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms.

7.5
2021-01-13 CVE-2020-14101 MI Unspecified vulnerability in MI Ax1800 Firmware and Rm1800 Firmware

The data collection SDK of the router web management interface caused the leakage of the token.

7.5
2021-01-13 CVE-2020-14098 MI Improper Synchronization vulnerability in MI Ax1800 Firmware and Rm1800 Firmware

The login verification can be bypassed by using the problem that the time is not synchronized after the router restarts.

7.5
2021-01-13 CVE-2020-14097 MI Unspecified vulnerability in MI Redmi AX6 Firmware

Wrong nginx configuration, causing specific paths to be downloaded without authorization.

7.5
2021-01-13 CVE-2021-1223 Cisco
Snort
Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP.
7.5
2021-01-13 CVE-2021-21252 Jqueryvalidation
Netapp
The jQuery Validation Plugin provides drop-in validation for your existing forms.
7.5
2021-01-13 CVE-2020-4596 IBM Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Security Guardium Insights 2.0.2

IBM Security Guardium Insights 2.0.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

7.5
2021-01-13 CVE-2020-4595 IBM Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Security Guardium Insights 2.0.2

IBM Security Guardium Insights 2.0.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

7.5
2021-01-13 CVE-2020-4594 IBM Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Security Guardium Insights 2.0.2

IBM Security Guardium Insights 2.0.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

7.5
2021-01-13 CVE-2019-4160 IBM Inadequate Encryption Strength vulnerability in IBM Security Guardium Data Encrpytion 3.0.0.2

IBM Security Guardium Data Encryption (GDE) 3.0.0.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

7.5
2021-01-13 CVE-2021-3131 1C Inadequate Encryption Strength vulnerability in 1C 1C:Enterprise

The Web server in 1C:Enterprise 8 before 8.3.17.1851 sends base64 encoded credentials in the creds URL parameter.

7.5
2021-01-13 CVE-2021-23900 Owasp Unspecified vulnerability in Owasp Json-Sanitizer

OWASP json-sanitizer before 1.2.2 can output invalid JSON or throw an undeclared exception for crafted input.

7.5
2021-01-13 CVE-2020-5686 NEC Improper Authentication vulnerability in NEC Univerge Sv8500 Firmware and Univerge Sv9500 Firmware

Incorrect implementation of authentication algorithm issue in UNIVERGE SV9500 series from V1 to V7and SV8500 series from S6 to S8 allows an attacker to access the remote system maintenance feature and obtain the information by sending a specially crafted request to a specific URL.

7.5
2021-01-12 CVE-2021-21469 SAP Information Exposure vulnerability in SAP Netweaver Master Data Management 7.10/7.10.750/710

When security guidelines for SAP NetWeaver Master Data Management running on windows have not been thoroughly reviewed, it might be possible for an external operator to try and set custom paths in the MDS server configuration.

7.5
2021-01-12 CVE-2021-21446 SAP Unspecified vulnerability in SAP Netweaver Application Server Abap

SAP NetWeaver AS ABAP, versions 740, 750, 751, 752, 753, 754, 755, allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, this has a high impact on the availability of the service.

7.5
2021-01-12 CVE-2020-14274 Hcltechsw Unspecified vulnerability in Hcltechsw HCL Commerce

Information disclosure vulnerability in HCL Commerce 9.0.1.9 through 9.0.1.14 and 9.1 through 9.1.4 could allow a remote attacker to obtain user personal data via unknown vectors.

7.5
2021-01-12 CVE-2020-16146 Espressif Classic Buffer Overflow vulnerability in Espressif Esp-Idf

Espressif ESP-IDF 2.x, 3.0.x through 3.0.9, 3.1.x through 3.1.7, 3.2.x through 3.2.3, 3.3.x through 3.3.2, and 4.0.x through 4.0.1 has a Buffer Overflow in BluFi provisioning in btc_blufi_recv_handler function in blufi_prf.c.

7.5
2021-01-11 CVE-2021-0313 Google Improper Input Validation vulnerability in Google Android

In isWordBreakAfter of LayoutUtils.cpp, there is a possible way to slow or crash a TextView due to improper input validation.

7.5
2021-01-11 CVE-2020-13559 Freyrscada Incorrect Comparison vulnerability in Freyrscada Iec-60879-5-104 Server Simulator 21.04.028

A denial-of-service vulnerability exists in the traffic-logging functionality of FreyrSCADA IEC-60879-5-104 Server Simulator 21.04.028.

7.5
2021-01-11 CVE-2018-11246 K7Computing Memory Leak vulnerability in K7Computing products

K7TSMngr.exe in K7Computing K7AntiVirus Premium 15.1.0.53 has a Memory Leak.

7.5
2021-01-11 CVE-2020-17509 Apache HTTP Request Smuggling vulnerability in Apache Traffic Server

ATS negative cache option is vulnerable to a cache poisoning attack.

7.5
2021-01-11 CVE-2020-17508 Apache Unspecified vulnerability in Apache Traffic Server

The ATS ESI plugin has a memory disclosure vulnerability.

7.5
2021-01-11 CVE-2021-3116 Proxy PY Project Incorrect Comparison vulnerability in Proxy.Py Project Proxy.Py

before_upstream_connection in AuthPlugin in http/proxy/auth.py in proxy.py before 2.3.1 accepts incorrect Proxy-Authorization header data because of a boolean confusion (and versus or).

7.5
2021-01-11 CVE-2021-21241 Flask Security TOO Project Unspecified vulnerability in Flask-Security-Too Project Flask-Security-Too

The Python "Flask-Security-Too" package is used for adding security features to your Flask application.

7.4
2021-01-13 CVE-2021-1240 Cisco Uncontrolled Search Path Element vulnerability in Cisco Proximity

A vulnerability in the loading process of specific DLLs in Cisco Proximity Desktop for Windows could allow an authenticated, local attacker to load a malicious library.

7.3
2021-01-11 CVE-2021-0319 Google Incorrect Authorization vulnerability in Google Android

In checkCallerIsSystemOr of CompanionDeviceManagerService.java, there is a possible way to get a nearby Bluetooth device's MAC address without appropriate permissions due to a permissions bypass.

7.3
2021-01-11 CVE-2021-0315 Google Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android

In onCreate of GrantCredentialsPermissionActivity.java, there is a possible way to convince the user to grant an app access to an account due to a tapjacking/overlay attack.

7.3
2021-01-15 CVE-2020-24638 Arubanetworks Unspecified vulnerability in Arubanetworks Airwave Glass

Multiple authenticated remote command executions are possible in Airwave Glass before 1.3.3 via the glassadmin cli.

7.2
2021-01-13 CVE-2020-14102 MI Command Injection vulnerability in MI Ax1800 Firmware and Rm1800 Firmware

There is command injection when ddns processes the hostname, which causes the administrator user to obtain the root privilege of the router.

7.2
2021-01-13 CVE-2021-1360 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1307 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1217 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1216 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1215 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1214 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1213 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1212 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1211 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1210 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1209 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1208 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1207 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1206 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1205 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1204 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1203 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1202 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1201 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1200 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1199 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1198 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1197 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1196 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1195 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1194 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1193 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1192 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1191 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1190 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1188 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1187 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1186 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1185 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1184 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1183 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1182 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1181 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1180 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1179 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1178 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1177 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1176 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1175 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1174 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1173 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1172 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1171 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1170 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1169 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1168 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1167 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1166 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1165 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1164 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1163 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1162 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1161 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1160 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1159 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2021-1150 Cisco OS Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

7.2
2021-01-13 CVE-2021-1149 Cisco OS Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

7.2
2021-01-13 CVE-2021-1148 Cisco OS Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

7.2
2021-01-13 CVE-2021-1147 Cisco OS Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

7.2
2021-01-13 CVE-2021-1146 Cisco OS Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

7.2
2021-01-13 CVE-2021-1189 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

7.2
2021-01-13 CVE-2020-35578 Nagios OS Command Injection vulnerability in Nagios XI

An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0.

7.2
2021-01-13 CVE-2020-26262 Coturn Project
Fedoraproject
Coturn is free open source implementation of TURN and STUN Server.
7.2
2021-01-11 CVE-2020-2508 Qnap Command Injection vulnerability in Qnap QTS

A command injection vulnerability has been reported to affect QTS and QuTS hero.

7.2
2021-01-12 CVE-2020-27148 Tibco XXE vulnerability in Tibco EBX Add-Ons

The TIBCO EBX Add-on for Oracle Hyperion EPM, TIBCO EBX Data Exchange Add-on, and TIBCO EBX Insight Add-on components of TIBCO Software Inc.'s TIBCO EBX Add-ons contain a vulnerability that theoretically allows a low privileged attacker with network access to execute an XML External Entity (XXE) attack.

7.1
2021-01-12 CVE-2020-35653 Python
Fedoraproject
Debian
Out-of-bounds Read vulnerability in multiple products

In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.

7.1
2021-01-15 CVE-2020-25533 Malwarebytes Race Condition vulnerability in Malwarebytes

An issue was discovered in Malwarebytes before 4.0 on macOS.

7.0
2021-01-11 CVE-2021-0303 Google Use After Free vulnerability in Google Android 11.0

In dispatchGraphTerminationMessage() of packages/services/Car/computepipe/runner/graph/StreamSetObserver.cpp, there is a possible use after free due to a race condition.

7.0
2021-01-11 CVE-2020-17534 Apache Race Condition vulnerability in Apache Html/Java API 1.7

There exists a race condition between the deletion of the temporary file and the creation of the temporary directory in `webkit` subproject of HTML/Java API version 1.7.

7.0

157 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-01-13 CVE-2020-15218 Combodo Unspecified vulnerability in Combodo Itop

Combodo iTop is a web based IT Service Management tool.

6.8
2021-01-11 CVE-2021-0308 Google
Debian
Out-of-bounds Write vulnerability in multiple products

In ReadLogicalParts of basicmbr.cc, there is a possible out of bounds write due to a missing bounds check.

6.8
2021-01-13 CVE-2020-9209 Huawei Missing Authorization vulnerability in Huawei Smc2.0 Firmware

There is a privilege escalation vulnerability in SMC2.0 product.

6.7
2021-01-11 CVE-2021-0301 Google Out-of-bounds Write vulnerability in Google Android

In ged, there is a possible out of bounds write due to a missing bounds check.

6.7
2021-01-11 CVE-2021-0342 Google Use After Free vulnerability in Google Android

In tun_get_user of tun.c, there is possible memory corruption due to a use after free.

6.7
2021-01-15 CVE-2021-21250 Onedev Project Unspecified vulnerability in Onedev Project Onedev

OneDev is an all-in-one devops platform.

6.5
2021-01-15 CVE-2021-0221 Juniper Infinite Loop vulnerability in Juniper Junos

In an EVPN/VXLAN scenario, if an IRB interface with a virtual gateway address (VGA) is configured on a PE, a traffic loop may occur upon receipt of specific IP multicast traffic.

6.5
2021-01-15 CVE-2021-0209 Juniper Access of Uninitialized Pointer vulnerability in Juniper Junos OS Evolved 19.4/20.1

In Juniper Networks Junos OS Evolved an attacker sending certain valid BGP update packets may cause Junos OS Evolved to access an uninitialized pointer causing RPD to core leading to a Denial of Service (DoS).

6.5
2021-01-15 CVE-2021-22171 Gitlab Improper Authentication vulnerability in Gitlab

Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim's API token if they click on a maliciously crafted link

6.5
2021-01-15 CVE-2021-22168 Gitlab Resource Exhaustion vulnerability in Gitlab

A regular expression denial of service issue has been discovered in NuGet API affecting all versions of GitLab starting from version 12.8.

6.5
2021-01-15 CVE-2020-26414 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 12.4.

6.5
2021-01-15 CVE-2021-23837 Flatcore SQL Injection vulnerability in Flatcore

An issue was discovered in flatCore before 2.0.0 build 139.

6.5
2021-01-13 CVE-2020-1866 Huawei Out-of-bounds Read vulnerability in Huawei products

There is an out-of-bounds read vulnerability in several products.

6.5
2021-01-13 CVE-2020-1865 Huawei Out-of-bounds Read vulnerability in Huawei products

There is an out-of-bounds read vulnerability in Huawei CloudEngine products.

6.5
2021-01-13 CVE-2021-1226 Cisco Information Exposure Through Log Files vulnerability in Cisco products

A vulnerability in the audit logging component of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM &amp; Presence Service, Cisco Unity Connection, Cisco Emergency Responder, and Cisco Prime License Manager could allow an authenticated, remote attacker to view sensitive information in clear text on an affected system.

6.5
2021-01-13 CVE-2021-1145 Cisco Link Following vulnerability in Cisco Staros

A vulnerability in the Secure FTP (SFTP) of Cisco StarOS for Cisco ASR 5000 Series Routers could allow an authenticated, remote attacker to read arbitrary files on an affected device.

6.5
2021-01-13 CVE-2021-21607 Jenkins Allocation of Resources Without Limits or Throttling vulnerability in Jenkins

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors.

6.5
2021-01-13 CVE-2021-21602 Jenkins Link Following vulnerability in Jenkins

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks.

6.5
2021-01-12 CVE-2020-26981 Siemens XXE vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0).

6.5
2021-01-12 CVE-2020-15799 Siemens Unspecified vulnerability in Siemens products

A vulnerability has been identified in SCALANCE X-200 switch family (incl.

6.5
2021-01-12 CVE-2021-3133 Sean Barton Cross-Site Request Forgery (CSRF) vulnerability in Sean-Barton Elementor Contact Form DB

The Elementor Contact Form DB plugin before 1.6 for WordPress allows CSRF via backend admin pages.

6.5
2021-01-12 CVE-2021-21471 SAP Unspecified vulnerability in SAP Cla-Assistant

In CLA-Assistant, versions before 2.8.5, due to improper access control an authenticated user could access API endpoints which are not intended to be used by the user.

6.5
2021-01-12 CVE-2021-21468 SAP Missing Authorization vulnerability in SAP Business Warehouse

The BW Database Interface does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges that allows the user to practically read out any database table.

6.5
2021-01-12 CVE-2021-21448 SAP Unspecified vulnerability in SAP Graphical User Interface 7.60

SAP GUI for Windows, version - 7.60, allows an attacker to spoof logon credentials for Application Server ABAP backend systems in the client PCs memory.

6.5
2021-01-11 CVE-2021-0312 Google Integer Overflow or Wraparound vulnerability in Google Android

In WAVSource::read of WAVExtractor.cpp, there is a possible out of bounds write due to an integer overflow.

6.5
2021-01-11 CVE-2021-0311 Google Out-of-bounds Write vulnerability in Google Android

In ElementaryStreamQueue::dequeueAccessUnitH264() of ESQueue.cpp, there is a possible out of bounds write due to a missing bounds check.

6.5
2021-01-11 CVE-2020-4869 IBM Classic Buffer Overflow vulnerability in IBM MQ Appliance 9.2.0.0

IBM MQ Appliance 9.2 CD and 9.2 LTS is vulnerable to a denial of service, caused by a buffer overflow.

6.5
2021-01-11 CVE-2020-13922 Apache Incorrect Default Permissions vulnerability in Apache Dolphinscheduler 1.2.0/1.2.1/1.3.1

Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface.

6.5
2021-01-11 CVE-2020-35722 Quest Cross-Site Request Forgery (CSRF) vulnerability in Quest Policy Authority for Unified Communications 8.1.2.200

CSRF in Web Compliance Manager in Quest Policy Authority 8.1.2.200 allows remote attackers to force user modification/creation via a specially crafted link to the submitUser.jsp file.

6.5
2021-01-12 CVE-2021-23927 Open Xchange Server-Side Request Forgery (SSRF) vulnerability in Open-Xchange Appsuite

OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request.

6.4
2021-01-17 CVE-2020-15864 Quali Cross-site Scripting vulnerability in Quali Cloudshell 9.3

An issue was discovered in Quali CloudShell 9.3.

6.1
2021-01-15 CVE-2020-16255 Owncloud Cross-site Scripting vulnerability in Owncloud

ownCloud (Core) before 10.5 allows XSS in login page 'forgot password.'

6.1
2021-01-14 CVE-2020-27219 Eclipse Cross-site Scripting vulnerability in Eclipse Hawkbit

In all version of Eclipse Hawkbit prior to 0.3.0M7, the HTTP 404 (Not Found) JSON response body returned by the REST API may contain unsafe characters within the path attribute.

6.1
2021-01-14 CVE-2020-16046 Google Cross-site Scripting vulnerability in Google Chrome

Script injection in iOSWeb in Google Chrome on iOS prior to 84.0.4147.105 allowed a remote attacker to execute arbitrary code via a crafted HTML page.

6.1
2021-01-14 CVE-2020-28470 Scully Cross-site Scripting vulnerability in Scully

This affects the package @scullyio/scully before 1.0.9.

6.1
2021-01-13 CVE-2021-1246 Cisco Cross-site Scripting vulnerability in Cisco Finesse

Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP OpenSocial Gadget Editor Unauthenticated Access Vulnerability A vulnerability in the web management interface of Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP could allow an unauthenticated, remote attacker to access the OpenSocial Gadget Editor without providing valid user credentials. The vulnerability is due to missing authentication for a specific section of the web-based management interface.

6.1
2021-01-13 CVE-2021-1245 Cisco Cross-site Scripting vulnerability in Cisco Finesse

Cisco Finesse and Cisco Unified CVP OpenSocial Gadget Editor Cross-Site Scripting Vulnerability A vulnerability in the web-based management interface of Cisco Finesse and Cisco Unified CVP could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate user-supplied input.

6.1
2021-01-13 CVE-2020-15220 Combodo Unspecified vulnerability in Combodo Itop

Combodo iTop is a web based IT Service Management tool.

6.1
2021-01-13 CVE-2021-21613 Jenkins Cross-site Scripting vulnerability in Jenkins Tics 2020.3.0.6

Jenkins TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content.

6.1
2021-01-13 CVE-2021-21610 Jenkins Cross-site Scripting vulnerability in Jenkins

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup.

6.1
2021-01-12 CVE-2021-23936 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite

OX App Suite through 7.10.4 allows XSS via the subject of a task.

6.1
2021-01-12 CVE-2021-23935 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite

OX App Suite through 7.10.4 allows XSS via an appointment in which the location contains JavaScript code.

6.1
2021-01-12 CVE-2021-23934 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite

OX App Suite through 7.10.4 allows XSS via a contact whose name contains JavaScript code.

6.1
2021-01-12 CVE-2021-23933 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite

OX App Suite through 7.10.4 allows XSS via JavaScript in a Note referenced by a mail:// URL.

6.1
2021-01-12 CVE-2021-23932 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite

OX App Suite through 7.10.4 allows XSS via an inline image with a crafted filename.

6.1
2021-01-12 CVE-2021-23931 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite

OX App Suite through 7.10.4 allows XSS via an inline binary file.

6.1
2021-01-12 CVE-2021-23930 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite

OX App Suite through 7.10.4 allows XSS via use of the conversion API for a distributedFile.

6.1
2021-01-12 CVE-2021-23929 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite

OX App Suite through 7.10.4 allows XSS via a crafted Content-Disposition header in an uploaded HTML document to an ajax/share/<share-token>?delivery=view URI.

6.1
2021-01-12 CVE-2021-23928 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite

OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests query string.

6.1
2021-01-12 CVE-2021-23125 Joomla Cross-site Scripting vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.1.0 through 3.9.23.

6.1
2021-01-12 CVE-2021-23124 Joomla Cross-site Scripting vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.9.0 through 3.9.23.

6.1
2021-01-12 CVE-2020-36190 Rails Admin Project Cross-site Scripting vulnerability in Rails Admin Project Rails Admin

RailsAdmin (aka rails_admin) before 1.4.3 and 2.x before 2.0.2 allows XSS via nested forms.

6.1
2021-01-12 CVE-2020-26713 Vanderbilt Cross-site Scripting vulnerability in Vanderbilt Redcap 10.0.20/10.3.4

REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort.

6.1
2021-01-12 CVE-2020-24701 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite

OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI).

6.1
2021-01-11 CVE-2020-23631 Wdja Cross-Site Request Forgery (CSRF) vulnerability in Wdja CMS 1.5

Cross-site request forgery (CSRF) in admin/global/manage.php in WDJA CMS 1.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via the tongji parameter.

6.1
2021-01-11 CVE-2020-23849 Jsoneditoronline Cross-site Scripting vulnerability in Jsoneditoronline Jsoneditor

Stored XSS was discovered in the tree mode of jsoneditor before 9.0.2 through injecting and executing JavaScript.

6.1
2021-01-11 CVE-2020-23644 Jizhicms Cross-site Scripting vulnerability in Jizhicms 1.7.1

XSS exists in JIZHICMS 1.7.1 via index.php/Error/index?msg={XSS] to Home/c/ErrorController.php.

6.1
2021-01-11 CVE-2020-23643 Jizhicms Cross-site Scripting vulnerability in Jizhicms 1.7.1

XSS exists in JIZHICMS 1.7.1 via index.php/Wechat/checkWeixin?signature=1&echostr={XSS] to Home/c/WechatController.php.

6.1
2021-01-11 CVE-2020-35726 Quest Cross-site Scripting vulnerability in Quest Policy Authority for Unified Communications 8.1.2.200

Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/Applications/Reports/index.jsp file via the by parameter.

6.1
2021-01-11 CVE-2020-35725 Quest Cross-site Scripting vulnerability in Quest Policy Authority for Unified Communications 8.1.2.200

Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/index.jsp file via the msg parameter.

6.1
2021-01-11 CVE-2020-35719 Quest Cross-site Scripting vulnerability in Quest Policy Authority for Unified Communications 8.1.2.200

Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/Applications/Search/index.jsp file via the added parameter.

6.1
2021-01-11 CVE-2020-35206 Quest Cross-site Scripting vulnerability in Quest Policy Authority for Unified Communications 8.1.2.200

Reflected XSS in Web Compliance Manager in Quest Policy Authority version 8.1.2.200 allows attackers to inject malicious code into the browser via a specially crafted link to the cConn.jsp file via the ur parameter.

6.1
2021-01-11 CVE-2020-35204 Quest Cross-site Scripting vulnerability in Quest Policy Authority for Unified Communications 8.1.2.200

Reflected XSS in Quest Policy Authority version 8.1.2.200 allows attackers to inject malicious code into the browser via a specially crafted link to the PolicyAuthority/Common/FolderControl.jsp file via the unqID parameter.

6.1
2021-01-11 CVE-2020-35203 Quest Cross-site Scripting vulnerability in Quest Policy Authority for Unified Communications 8.1.2.200

Reflected XSS in Web Compliance Manager in Quest Policy Authority version 8.1.2.200 allows attackers to inject malicious code into the browser via a specially crafted link to the initFile.jsp file via the msg parameter.

6.1
2021-01-14 CVE-2021-24122 Apache
Debian
Oracle
Use of Incorrectly-Resolved Name or Reference vulnerability in multiple products

When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations.

5.9
2021-01-12 CVE-2020-28395 Siemens Unspecified vulnerability in Siemens products

A vulnerability has been identified in SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300 switch family (incl.

5.9
2021-01-12 CVE-2020-28391 Siemens Unspecified vulnerability in Siemens products

A vulnerability has been identified in SCALANCE X-200 switch family (incl.

5.9
2021-01-12 CVE-2020-25657 M2Crypto Project
Redhat
Fedoraproject
A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext.
5.9
2021-01-11 CVE-2020-25659 Cryptography IO
Oracle
python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.
5.9
2021-01-14 CVE-2020-27368 Totolink Files or Directories Accessible to External Parties vulnerability in Totolink A702R Firmware 1.0.0B20161227.1023

Directory Indexing in Login Portal of Login Portal of TOTOLINK-A702R-V1.0.0-B20161227.1023 allows attacker to access /icons/ directories via GET Parameter.

5.5
2021-01-13 CVE-2013-1053 Canonical Use of a Broken or Risky Cryptographic Algorithm vulnerability in Canonical Remote-Login-Service 1.0.00Ubuntu3

In crypt.c of remote-login-service, the cryptographic algorithm used to cache usernames and passwords is insecure.

5.5
2021-01-13 CVE-2021-1258 Cisco
Mcafee
Improper Privilege Management vulnerability in multiple products

A vulnerability in the upgrade component of Cisco AnyConnect Secure Mobility Client could allow an authenticated, local attacker with low privileges to read arbitrary files on the underlying operating system (OS) of an affected device.

5.5
2021-01-13 CVE-2021-1126 Cisco Incorrect Permission Assignment for Critical Resource vulnerability in Cisco Secure Firewall Management Center

A vulnerability in the storage of proxy server credentials of Cisco Firepower Management Center (FMC) could allow an authenticated, local attacker to view credentials for a configured proxy server.

5.5
2021-01-13 CVE-2021-21614 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Bumblebee HP ALM

Jenkins Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

5.5
2021-01-13 CVE-2021-21612 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Tracetronic Ecu-Test

Jenkins TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

5.5
2021-01-12 CVE-2020-28390 Siemens Insufficiently Protected Credentials vulnerability in Siemens Opcenter Execution Core 8.2/8.3

A vulnerability has been identified in Opcenter Execution Core (V8.2), Opcenter Execution Core (V8.3).

5.5
2021-01-11 CVE-2021-0321 Google Information Exposure Through Discrepancy vulnerability in Google Android 11.0

In enforceDumpPermissionForPackage of ActivityManagerService.java, there is a possible way to determine if a package is installed due to side channel information disclosure.

5.5
2021-01-11 CVE-2021-0309 Google Unspecified vulnerability in Google Android

In onCreate of grantCredentialsPermissionActivity, there is a confused deputy.

5.5
2021-01-11 CVE-2021-0304 Google Incorrect Permission Assignment for Critical Resource vulnerability in Google Android

In several functions of GlobalScreenshot.java, there is a possible permission bypass due to an unsafe PendingIntent.

5.5
2021-01-11 CVE-2018-11008 K7Computing Improper Privilege Management vulnerability in K7Computing products

An Incorrect Access Control issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53.

5.5
2021-01-11 CVE-2018-11007 K7Computing Out-of-bounds Write vulnerability in K7Computing products

A Memory Leak issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53.

5.5
2021-01-11 CVE-2018-11006 K7Computing Improper Privilege Management vulnerability in K7Computing products

An Incorrect Access Control issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53.

5.5
2021-01-11 CVE-2018-11005 K7Computing Out-of-bounds Read vulnerability in K7Computing products

A Memory Leak issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53.

5.5
2021-01-11 CVE-2020-26800 Ethereum Out-of-bounds Write vulnerability in Ethereum Aleth

A stack overflow vulnerability in Aleth Ethereum C++ client version <= 1.8.0 using a specially crafted a config.json file may result in a denial of service.

5.5
2021-01-15 CVE-2020-35748 Foliovision Cross-site Scripting vulnerability in Foliovision FV Flowplayer Video Player

Cross-site scripting (XSS) vulnerability in models/list-table.php in the FV Flowplayer Video Player plugin before 7.4.37.727 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the fv_wp_fvvideoplayer_src JSON field in the data parameter.

5.4
2021-01-15 CVE-2019-16961 Solarwinds Cross-site Scripting vulnerability in Solarwinds web Help Desk 12.7.0

SolarWinds Web Help Desk 12.7.0 allows XSS via a Schedule Name.

5.4
2021-01-15 CVE-2020-35582 Enviragallery Cross-site Scripting vulnerability in Enviragallery Envira Gallery

A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1.8.3.3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/post.php request with the post_title parameter.

5.4
2021-01-15 CVE-2020-35581 Enviragallery Cross-site Scripting vulnerability in Enviragallery Envira Gallery

A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1.8.3.3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/admin-ajax.php request with the meta[title] parameter.

5.4
2021-01-14 CVE-2020-29587 Simplcommerce Cross-site Scripting vulnerability in Simplcommerce 1.0.0

SimplCommerce 1.0.0-rc uses the Bootbox.js library, which allows creation of programmatic dialog boxes using Bootstrap modals.

5.4
2021-01-14 CVE-2020-26733 Skyworth Cross-site Scripting vulnerability in Skyworth Gn542Vf Firmware 2.0.0.16

Cross Site Scripting (XSS) in Configuration page in SKYWORTH GN542VF Hardware Version 2.0 and Software Version 2.0.0.16 allows authenticated attacker to inject their own script into the page via DDNS Configuration Section.

5.4
2021-01-13 CVE-2021-1311 Cisco Improper Restriction of Excessive Authentication Attempts vulnerability in Cisco Webex Meetings Server

A vulnerability in the reclaim host role feature of Cisco Webex Meetings and Cisco Webex Meetings Server could allow an authenticated, remote attacker to take over the host role during a meeting.

5.4
2021-01-13 CVE-2021-1127 Cisco Cross-site Scripting vulnerability in Cisco Enterprise NFV Infrastructure Software

A vulnerability in the web-based management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface.

5.4
2021-01-13 CVE-2020-15221 Combodo Unspecified vulnerability in Combodo Itop

Combodo iTop is a web based IT Service Management tool.

5.4
2021-01-13 CVE-2021-21611 Jenkins Cross-site Scripting vulnerability in Jenkins

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.

5.4
2021-01-13 CVE-2021-21608 Jenkins Cross-site Scripting vulnerability in Jenkins

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels.

5.4
2021-01-13 CVE-2021-21603 Jenkins Cross-site Scripting vulnerability in Jenkins

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability.

5.4
2021-01-12 CVE-2020-13116 Carbonite Cross-site Scripting vulnerability in Carbonite Server Backup Portal 8.81/8.85

OpenText Carbonite Server Backup Portal before 8.8.7 allows XSS by an authenticated user via policy creation.

5.4
2021-01-12 CVE-2021-21447 SAP Cross-site Scripting vulnerability in SAP Businessobjects Business Intelligence 410/420

SAP BusinessObjects Business Intelligence platform, versions 410, 420, allows an authenticated attacker to inject malicious JavaScript payload into the custom value input field of an Input Control, which can be executed by User who views the relevant application content, which leads to Stored Cross-Site Scripting.

5.4
2021-01-12 CVE-2021-21445 SAP HTTP Request Smuggling vulnerability in SAP Commerce Cloud

SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation, and sent to a Web user.

5.4
2021-01-12 CVE-2020-4838 IBM Cross-site Scripting vulnerability in IBM API Connect

IBM API Connect 5.0.0.0 through 5.0.8.10 is vulnerable to stored cross-site scripting.

5.4
2021-01-12 CVE-2020-35655 Python
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.

5.4
2021-01-12 CVE-2020-24700 Open Xchange Server-Side Request Forgery (SSRF) vulnerability in Open-Xchange Appsuite

OX App Suite through 7.10.3 allows SSRF because GET requests are sent to arbitrary domain names with an initial autoconfig.

5.4
2021-01-11 CVE-2020-26298 Redcarpet Project
Debian
Redcarpet is a Ruby library for Markdown processing.
5.4
2021-01-11 CVE-2020-35727 Quest Cross-site Scripting vulnerability in Quest Policy Authority for Unified Communications 8.1.2.200

Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the BrowseDirs.do file via the title parameter.

5.4
2021-01-11 CVE-2020-35724 Quest Cross-site Scripting vulnerability in Quest Policy Authority for Unified Communications 8.1.2.200

Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the Error.jsp file via the err parameter (or indirectly via the cpr, tcp, or abs parameter).

5.4
2021-01-11 CVE-2020-35723 Quest Cross-site Scripting vulnerability in Quest Policy Authority for Unified Communications 8.1.2.200

Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the ReportPreview.do file via the referer parameter.

5.4
2021-01-11 CVE-2020-35721 Quest Cross-site Scripting vulnerability in Quest Policy Authority for Unified Communications 8.1.2.200

Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the BrowseAssets.do file via the title parameter.

5.4
2021-01-11 CVE-2020-35720 Quest Cross-site Scripting vulnerability in Quest Policy Authority for Unified Communications 8.1.2.200

Stored XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to store malicious code in multiple fields (first name, last name, and logon name) when creating or modifying a user via the submitUser.jsp file.

5.4
2021-01-14 CVE-2020-29019 Fortinet Out-of-bounds Write vulnerability in Fortinet Fortiweb

A stack-based buffer overflow vulnerability in FortiWeb 6.3.0 through 6.3.7 and version before 6.2.4 may allow a remote, unauthenticated attacker to crash the httpd daemon thread by sending a request with a crafted cookie header.

5.3
2021-01-13 CVE-2021-1236 Cisco
Snort
Always-Incorrect Control Flow Implementation vulnerability in multiple products

Multiple Cisco products are affected by a vulnerability in the Snort application detection engine that could allow an unauthenticated, remote attacker to bypass the configured policies on an affected system.

5.3
2021-01-13 CVE-2021-1224 Cisco
Snort
Multiple Cisco products are affected by a vulnerability with TCP Fast Open (TFO) when used in conjunction with the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP.
5.3
2021-01-13 CVE-2020-9143 Huawei Missing Authentication for Critical Function vulnerability in Huawei Emui and Magic UI

There is a missing authentication vulnerability in some Huawei smartphone.Successful exploitation of this vulnerability may lead to low-sensitive information exposure.

5.3
2021-01-13 CVE-2020-9138 Huawei Out-of-bounds Write vulnerability in Huawei Emui and Magic UI

There is a heap-based buffer overflow vulnerability in some Huawei Smartphone, Successful exploit of this vulnerability can cause process exceptions during updating.

5.3
2021-01-13 CVE-2020-4600 IBM Information Exposure Through an Error Message vulnerability in IBM Security Guardium Insights 2.0.2

IBM Security Guardium Insights 2.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

5.3
2021-01-13 CVE-2020-4599 IBM Information Exposure Through an Error Message vulnerability in IBM Security Guardium Insights 2.0.2

IBM Security Guardium Insights 2.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

5.3
2021-01-13 CVE-2019-4687 IBM Cleartext Storage of Sensitive Information vulnerability in IBM Security Guardium Data Encrpytion 3.0.0.2

IBM Security Guardium Data Encryption (GDE) 3.0.0.2 stores sensitive information in URL parameters.

5.3
2021-01-13 CVE-2021-21609 Jenkins Incorrect Authorization vulnerability in Jenkins

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission.

5.3
2021-01-12 CVE-2021-23123 Joomla Missing Authorization vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.0.0 through 3.9.23.

5.3
2021-01-11 CVE-2020-24025 Sass Lang Improper Certificate Validation vulnerability in Sass-Lang Node-Sass

Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.

5.3
2021-01-11 CVE-2021-23253 Opera Unspecified vulnerability in Opera Mini

Opera Mini for Android below 53.1 displays URL left-aligned in the address field.

5.3
2021-01-11 CVE-2019-3405 360 Unspecified vulnerability in 360 360F5 Firmware 3.1.3.64296

In the 3.1.3.64296 and lower version of 360F5, the third party can trigger the device to send a deauth frame by constructing and sending a specific illegal 802.11 Null Data Frame, which will cause other wireless terminals connected to disconnect from the wireless, so as to attack the router wireless by DoS.

5.3
2021-01-11 CVE-2021-0322 Google Improper Input Validation vulnerability in Google Android 10.0/11.0/9.0

In onCreate of SlicePermissionActivity.java, there is a possible misleading string displayed due to improper input validation.

5.0
2021-01-15 CVE-2021-23835 Flatcore Improper Input Validation vulnerability in Flatcore

An issue was discovered in flatCore before 2.0.0 build 139.

4.9
2021-01-15 CVE-2021-23838 Flatcore Cross-site Scripting vulnerability in Flatcore

An issue was discovered in flatCore before 2.0.0 build 139.

4.8
2021-01-15 CVE-2021-23836 Flatcore Cross-site Scripting vulnerability in Flatcore

An issue was discovered in flatCore before 2.0.0 build 139.

4.8
2021-01-14 CVE-2021-22132 Elastic
Oracle
Insufficiently Protected Credentials vulnerability in multiple products

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API.

4.8
2021-01-14 CVE-2020-6777 Bosch Cross-site Scripting vulnerability in Bosch Praesensa Firmware and Praesideo Firmware

A vulnerability in the web-based management interface of Bosch PRAESIDEO until and including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an authenticated remote attacker with admin privileges to mount a stored Cross-Site-Scripting (XSS) attack against another user.

4.8
2021-01-13 CVE-2021-1239 Cisco Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected system.

4.8
2021-01-13 CVE-2021-1238 Cisco Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected system.

4.8
2021-01-13 CVE-2021-1158 Cisco Cross-site Scripting vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.

4.8
2021-01-13 CVE-2021-1157 Cisco Cross-site Scripting vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.

4.8
2021-01-13 CVE-2021-1156 Cisco Cross-site Scripting vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.

4.8
2021-01-13 CVE-2021-1155 Cisco Cross-site Scripting vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.

4.8
2021-01-13 CVE-2021-1154 Cisco Cross-site Scripting vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.

4.8
2021-01-13 CVE-2021-1153 Cisco Cross-site Scripting vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.

4.8
2021-01-13 CVE-2021-1152 Cisco Cross-site Scripting vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.

4.8
2021-01-13 CVE-2021-1151 Cisco Cross-site Scripting vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.

4.8
2021-01-13 CVE-2021-1130 Cisco Cross-site Scripting vulnerability in Cisco DNA Center

A vulnerability in the web-based management interface of Cisco DNA Center software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device.

4.8
2021-01-13 CVE-2021-1310 Cisco Open Redirect vulnerability in Cisco Webex Meetings

A vulnerability in the web-based management interface of Cisco Webex Meetings could allow an unauthenticated, remote attacker to redirect a user to an untrusted web page, bypassing the warning mechanism that should prompt the user before the redirection.

4.7
2021-01-11 CVE-2021-0320 Google Race Condition vulnerability in Google Android 10.0/11.0

In is_device_locked and set_device_locked of keystore_keymaster_enforcement.h, there is a possible bypass of lockscreen requirements for keyguard bound keys due to a race condition.

4.7
2021-01-13 CVE-2020-36191 Jupyter Cross-Site Request Forgery (CSRF) vulnerability in Jupyter Jupyterhub 1.1.0

JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).

4.5
2021-01-14 CVE-2021-21722 ZTE Information Exposure Through Log Files vulnerability in ZTE Zxv10 B860A Firmware V2.1Tv0032.1.1.04Jiangsutelecom

A ZTE Smart STB is impacted by an information leak vulnerability.

4.4
2021-01-13 CVE-2020-4604 IBM Cleartext Storage of Sensitive Information vulnerability in IBM Security Guardium Insights 2.0.2

IBM Security Guardium Insights 2.0.2 stores user credentials in plain in clear text which can be read by a local privileged user.

4.4
2021-01-13 CVE-2020-4602 IBM Insufficiently Protected Credentials vulnerability in IBM Security Guardium Insights 2.0.2

IBM Security Guardium Insights 2.0.2 stores user credentials in plain in clear text which can be read by a local user.

4.4
2021-01-12 CVE-2021-21470 SAP XXE vulnerability in SAP Enterprise Performance Management 1010/2.8

SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which could result in XXE-based attacks in applications that accept attacker-controlled XML configuration files.

4.4
2021-01-13 CVE-2021-1267 Cisco XML Entity Expansion vulnerability in Cisco Secure Firewall Management Center

A vulnerability in the dashboard widget of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

4.3
2021-01-13 CVE-2021-1242 Cisco Unspecified vulnerability in Cisco Webex Teams

A vulnerability in Cisco Webex Teams could allow an unauthenticated, remote attacker to manipulate file names within the messaging interface.

4.3
2021-01-13 CVE-2021-1143 Cisco Missing Authorization vulnerability in Cisco Connected Mobile Experiences 10.6.0/10.6.1/10.6.2

A vulnerability in Cisco Connected Mobile Experiences (CMX) API authorizations could allow an authenticated, remote attacker to enumerate what users exist on the system.

4.3
2021-01-13 CVE-2021-1131 Cisco Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products

A vulnerability in the Cisco Discovery Protocol implementation for Cisco Video Surveillance 8000 Series IP Cameras could allow an unauthenticated, adjacent attacker to cause an affected IP camera to reload.

4.3
2021-01-13 CVE-2020-4597 IBM Cleartext Transmission of Sensitive Information vulnerability in IBM Security Guardium Insights 2.0.2

IBM Security Guardium Insights 2.0.2 does not set the secure attribute on authorization tokens or session cookies.

4.3
2021-01-13 CVE-2020-35687 PHP Fusion Cross-Site Request Forgery (CSRF) vulnerability in PHP-Fusion PHPfusion 9.03.90

PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of all shoutbox messages by the attacker on behalf of the logged in victim.

4.3
2021-01-13 CVE-2020-15219 Combodo Unspecified vulnerability in Combodo Itop

Combodo iTop is a web based IT Service Management tool.

4.3
2021-01-13 CVE-2021-21606 Jenkins Improper Input Validation vulnerability in Jenkins

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its existence allowing an attacker to check for the existence of XML files with a short path.

4.3
2021-01-12 CVE-2021-21467 SAP Missing Authorization vulnerability in SAP Banking Services

SAP Banking Services (Generic Market Data) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

4.3
2021-01-12 CVE-2021-21464 SAP Improper Input Validation vulnerability in SAP 3D Visual Enterprise Viewer 9

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

4.3
2021-01-12 CVE-2020-4674 IBM Insecure Storage of Sensitive Information vulnerability in IBM Workload Automation 9.5

IBM Workload Automation 9.5 stores the server path in URLs that could aid in further attacks against the system.

4.3
2021-01-12 CVE-2020-4673 IBM Insecure Storage of Sensitive Information vulnerability in IBM Workload Automation 9.5

IBM Workload Automation 9.5 stores sensitive information in HTML comments that could aid in further attacks against the system.

4.3

4 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-01-13 CVE-2020-9203 Huawei Resource Exhaustion vulnerability in Huawei P30 Firmware

There is a resource management errors vulnerability in Huawei P30.

3.3
2021-01-11 CVE-2020-24003 Microsoft Unspecified vulnerability in Microsoft Skype 8.59.0.77

Microsoft Skype through 8.59.0.77 on macOS has the disable-library-validation entitlement, which allows a local process (with the user's privileges) to obtain unprompted microphone and camera access by loading a crafted library and thereby inheriting Skype Client's microphone and camera access.

3.3
2021-01-12 CVE-2020-14341 Redhat Unspecified vulnerability in Redhat Single Sign-On

The "Test Connection" available in v7.x of the Red Hat Single Sign On application console can permit an authorized user to cause SMTP connections to be attempted to arbitrary hosts and ports of the user's choosing, and originating from the RHSSO installation.

2.7
2021-01-12 CVE-2021-23239 Sudo Project
Netapp
Fedoraproject
Debian
Link Following vulnerability in multiple products

The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.

2.5