Weekly Vulnerabilities Reports > February 1 to 7, 2021
Overview
332 new vulnerabilities reported during this period, including 56 critical vulnerabilities and 116 high severity vulnerabilities. This weekly summary report vulnerabilities in 210 products from 111 vendors including Cisco, Google, Jetbrains, Trendmicro, and Huawei. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "SQL Injection", "OS Command Injection", and "Out-of-bounds Read".
- 245 reported vulnerabilities are remotely exploitables.
- 87 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 194 reported vulnerabilities are exploitable by an anonymous user.
- Cisco has the most reported vulnerabilities, with 56 reported vulnerabilities.
- Cisco has the most reported critical vulnerabilities, with 7 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
56 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-02-07 | CVE-2021-3122 | NCR | OS Command Injection vulnerability in NCR Command Center Agent 16.3 CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. | 9.8 |
2021-02-05 | CVE-2020-10857 | Zulip | Unspecified vulnerability in Zulip Desktop Zulip Desktop before 5.0.0 improperly uses shell.openExternal and shell.openItem with untrusted content, leading to remote code execution. | 9.8 |
2021-02-05 | CVE-2021-3311 | Octobercms | Insufficient Session Expiration vulnerability in Octobercms October An issue was discovered in October through build 471. | 9.8 |
2021-02-05 | CVE-2021-20623 | Panasonic | Cleartext Transmission of Sensitive Information vulnerability in Panasonic Video Insight VMS 7.3.2.5/7.5 Video Insight VMS versions prior to 7.8 allows a remote attacker to execute arbitrary code with the system user privilege by sending a specially crafted request. | 9.8 |
2021-02-05 | CVE-2020-18717 | Zzzcms | SQL Injection vulnerability in Zzzcms Zzzphp 1.7.1 SQL Injection in ZZZCMS zzzphp 1.7.1 allows remote attackers to execute arbitrary code due to a lack of parameter filtering in inc/zzz_template.php. | 9.8 |
2021-02-05 | CVE-2020-18716 | Rockoa | SQL Injection vulnerability in Rockoa 1.8.7 SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in wordAction.php. | 9.8 |
2021-02-05 | CVE-2020-18714 | Rockoa | SQL Injection vulnerability in Rockoa 1.8.7 SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in wordModel.php's getdata function. | 9.8 |
2021-02-05 | CVE-2020-18713 | Rockoa | SQL Injection vulnerability in Rockoa 1.8.7 SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in customerAction.php | 9.8 |
2021-02-05 | CVE-2020-10539 | Epikur | Improper Authentication vulnerability in Epikur 20.1.0.1 An issue was discovered in Epikur before 20.1.1. | 9.8 |
2021-02-04 | CVE-2021-1295 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. | 9.8 |
2021-02-04 | CVE-2021-1294 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. | 9.8 |
2021-02-04 | CVE-2021-1293 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. | 9.8 |
2021-02-04 | CVE-2021-1292 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. | 9.8 |
2021-02-04 | CVE-2021-1291 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. | 9.8 |
2021-02-04 | CVE-2021-1290 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. | 9.8 |
2021-02-04 | CVE-2021-1289 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. | 9.8 |
2021-02-04 | CVE-2020-14245 | Hcltechsw | Missing Authentication for Critical Function vulnerability in Hcltechsw Onetest Performance HCL OneTest UI V9.5, V10.0, and V10.1 does not perform authentication for functionality that either requires a provable user identity or consumes a significant amount of resources. | 9.8 |
2021-02-04 | CVE-2021-26689 | Use After Free vulnerability in Google Android An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, 9.0, and 10 software. | 9.8 | |
2021-02-04 | CVE-2021-26688 | Unspecified vulnerability in Google Android 10.0 An issue was discovered on LG Wing mobile devices with Android OS 10 software. | 9.8 | |
2021-02-04 | CVE-2021-26687 | Unspecified vulnerability in Google Android An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, 9.0, and 10 software. | 9.8 | |
2021-02-04 | CVE-2021-20016 | Sonicwall | SQL Injection vulnerability in Sonicwall products A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information. | 9.8 |
2021-02-04 | CVE-2021-3401 | Bitcoin | Argument Injection or Modification vulnerability in Bitcoin Bitcoin Core before 0.19.0 might allow remote attackers to execute arbitrary code when another application unsafely passes the -platformpluginpath argument to the bitcoin-qt program, as demonstrated by an x-scheme-handler/bitcoin handler for a .desktop file or a web browser. | 9.8 |
2021-02-03 | CVE-2021-25274 | Solarwinds | Deserialization of Untrusted Data vulnerability in Solarwinds Orion Platform The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. | 9.8 |
2021-02-03 | CVE-2020-17523 | Apache | Improper Authentication vulnerability in Apache Shiro Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. | 9.8 |
2021-02-03 | CVE-2021-25770 | Jetbrains | Code Injection vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2020.5.3123, server-side template injection (SSTI) was possible, which could lead to code execution. | 9.8 |
2021-02-03 | CVE-2020-35481 | Solarwinds | Unspecified vulnerability in Solarwinds Serv-U SolarWinds Serv-U before 15.2.2 allows Unauthenticated Macro Injection. | 9.8 |
2021-02-03 | CVE-2020-28653 | Zohocorp | Unspecified vulnerability in Zohocorp Manageengine Opmanager Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet. | 9.8 |
2021-02-03 | CVE-2020-2507 | Qnap | OS Command Injection vulnerability in Qnap Helpdesk The vulnerability have been reported to affect earlier versions of QTS. | 9.8 |
2021-02-03 | CVE-2020-2506 | Qnap | Unspecified vulnerability in Qnap Helpdesk The vulnerability have been reported to affect earlier versions of QTS. | 9.8 |
2021-02-03 | CVE-2020-29165 | Rainbowfishsoftware | Missing Authentication for Critical Function vulnerability in Rainbowfishsoftware Pacsone Server PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by incorrect access control, which can result in remotely gaining administrator privileges. | 9.8 |
2021-02-03 | CVE-2020-28144 | Moxa | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Moxa products Certain Moxa Inc products are affected by an improper restriction of operations in EDR-G903 Series Firmware Version 5.5 or lower, EDR-G902 Series Firmware Version 5.5 or lower, and EDR-810 Series Firmware Version 5.6 or lower. | 9.8 |
2021-02-02 | CVE-2021-25912 | Dotty Project | Unspecified vulnerability in Dotty Project Dotty 0.0.1/0.0.2/0.1.0 Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0.1.0 allows attackers to cause a denial of service and may lead to remote code execution. | 9.8 |
2021-02-02 | CVE-2020-18568 | Dlink | OS Command Injection vulnerability in Dlink Dsr-1000N Firmware and Dsr-250 Firmware The D-Link DSR-250 (3.14) DSR-1000N (2.11B201) UPnP service contains a command injection vulnerability, which can cause remote command execution. | 9.8 |
2021-02-02 | CVE-2020-25506 | Dlink | OS Command Injection vulnerability in Dlink Dns-320 Firmware 2.06B01 D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution. | 9.8 |
2021-02-02 | CVE-2020-1896 | Out-of-bounds Write vulnerability in Facebook Hermes A stack overflow vulnerability in Facebook Hermes 'builtin apply' prior to commit 86543ac47e59c522976b5632b8bf9a2a4583c7d2 (https://github.com/facebook/hermes/commit/86543ac47e59c522976b5632b8bf9a2a4583c7d2) allows attackers to potentially execute arbitrary code via crafted JavaScript. | 9.8 | |
2021-02-01 | CVE-2021-3378 | Fortilogger | Unrestricted Upload of File with Dangerous Type vulnerability in Fortilogger FortiLogger 4.4.2.2 is affected by Arbitrary File Upload by sending a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then visiting Assets/temp/hotspot/img/logohotspot.asp. | 9.8 |
2021-02-01 | CVE-2019-20468 | TK Star | Incorrect Default Permissions vulnerability in Tk-Star Q90 Junior GPS Horloge Firmware 3.1042.9.8656 An issue was discovered in SeTracker2 for TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. | 9.8 |
2021-02-01 | CVE-2020-21180 | Koa2 Blog Project | SQL Injection vulnerability in Koa2-Blog Project Koa2-Blog 1.0.0 Sql injection vulnerability in koa2-blog 1.0.0 allows remote attackers to Injecting a malicious SQL statement via the name parameter to the signup page. | 9.8 |
2021-02-01 | CVE-2020-21179 | Koa2 Blog Project | SQL Injection vulnerability in Koa2-Blog Project Koa2-Blog 1.0.0 Sql injection vulnerability in koa2-blog 1.0.0 allows remote attackers to Injecting a malicious SQL statement via the name parameter to the signin page. | 9.8 |
2021-02-01 | CVE-2020-21176 | Thinkjs | SQL Injection vulnerability in Thinkjs 3.2.10 SQL injection vulnerability in the model.increment and model.decrement function in ThinkJS 3.2.10 allows remote attackers to execute arbitrary SQL commands via the step parameter. | 9.8 |
2021-02-01 | CVE-2020-20296 | Cmswing | SQL Injection vulnerability in Cmswing 1.3.8 An issue was found in CMSWing project version 1.3.8, Because the rechargeAction function does not check the balance parameter, malicious parameters can execute arbitrary SQL commands. | 9.8 |
2021-02-01 | CVE-2020-20295 | Cmswing | SQL Injection vulnerability in Cmswing 1.3.8 An issue was found in CMSWing project version 1.3.8. | 9.8 |
2021-02-01 | CVE-2020-20294 | Cmswing | SQL Injection vulnerability in Cmswing 1.3.8 An issue was found in CMSWing project version 1.3.8. | 9.8 |
2021-02-01 | CVE-2020-20289 | Yccms | SQL Injection vulnerability in Yccms 3.3 Sql injection vulnerability in the yccms 3.3 project. | 9.8 |
2021-02-01 | CVE-2020-20287 | Yccms | Unrestricted Upload of File with Dangerous Type vulnerability in Yccms 3.3 Unrestricted file upload vulnerability in the yccms 3.3 project. | 9.8 |
2021-02-01 | CVE-2020-36109 | Asus | Classic Buffer Overflow vulnerability in Asus Rt-Ax86U Firmware 3.0.0.4.386.46061/3.0.0.4.38649447 ASUS RT-AX86U router firmware below version under 9.0.0.4_386 has a buffer overflow in the blocking_request.cgi function of the httpd module that can cause code execution when an attacker constructs malicious data. | 9.8 |
2021-02-01 | CVE-2020-28194 | Accel PPP | Integer Underflow (Wrap or Wraparound) vulnerability in Accel-Ppp 1.10.0/1.12.0/1.12.092G38B6104 Variable underflow exists in accel-ppp radius/packet.c when receiving a RADIUS vendor-specific attribute with length field is less than 2. | 9.8 |
2021-02-01 | CVE-2020-26547 | Monal | Insufficient Verification of Data Authenticity vulnerability in Monal Monal before 4.9 does not implement proper sender verification on MAM and Message Carbon (XEP-0280) results. | 9.8 |
2021-02-01 | CVE-2020-15836 | Mofinetwork | Unspecified vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 4.1.5Std An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. | 9.8 |
2021-02-01 | CVE-2020-15835 | Mofinetwork | Improper Authentication vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 4.1.5Std An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. | 9.8 |
2021-02-01 | CVE-2020-15833 | Mofinetwork | Use of Hard-coded Credentials vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 4.1.5Std An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. | 9.8 |
2021-02-01 | CVE-2020-13859 | Mofinetwork | Improper Handling of Exceptional Conditions vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 4.0.8Std An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. | 9.8 |
2021-02-01 | CVE-2020-13858 | Mofinetwork | Use of Hard-coded Credentials vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 3.6.1Std/4.0.8Std An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. | 9.8 |
2021-02-01 | CVE-2021-21276 | Polrproject | Unspecified vulnerability in Polrproject Polr Polr is an open source URL shortener. | 9.3 |
2021-02-07 | CVE-2020-36242 | Cryptography IO Fedoraproject Oracle | Integer Overflow or Wraparound vulnerability in multiple products In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. | 9.1 |
2021-02-02 | CVE-2020-15097 | Loklak Project | Unspecified vulnerability in Loklak Project Loklak 1.0/20200122 loklak is an open-source server application which is able to collect messages from various sources, including twitter. | 9.1 |
116 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-02-07 | CVE-2020-36243 | Open EMR | OS Command Injection vulnerability in Open-Emr Openemr 5.0.2.1 The Patient Portal of OpenEMR 5.0.2.1 is affected by a Command Injection vulnerability in /interface/main/backup.php. | 8.8 |
2021-02-05 | CVE-2021-20652 | Name Directory Project | Cross-Site Request Forgery (CSRF) vulnerability in Name Directory Project Name Directory Cross-site request forgery (CSRF) vulnerability in Name Directory 1.17.4 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 8.8 |
2021-02-05 | CVE-2020-35765 | Zohocorp | SQL Injection vulnerability in Zohocorp Manageengine Applications Manager doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do. | 8.8 |
2021-02-04 | CVE-2020-27872 | Netgear | Exposure of Resource to Wrong Sphere vulnerability in Netgear products This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7450 1.2.0.62_1.0.1 routers. | 8.8 |
2021-02-03 | CVE-2021-25765 | Jetbrains | Cross-Site Request Forgery (CSRF) vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2020.4.4701, CSRF via attachment upload was possible. | 8.8 |
2021-02-03 | CVE-2020-29163 | Rainbowfishsoftware | SQL Injection vulnerability in Rainbowfishsoftware Pacsone Server PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by SQL injection. | 8.8 |
2021-02-02 | CVE-2021-25310 | Belkin | OS Command Injection vulnerability in Belkin Linksys Wrt160Nl Firmware 1.0.04.002Us20130619 The administration web interface on Belkin Linksys WRT160NL 1.0.04.002_US_20130619 devices allows remote authenticated attackers to execute system commands with root privileges via shell metacharacters in the ui_language POST parameter to the apply.cgi form endpoint. | 8.8 |
2021-02-02 | CVE-2020-8101 | ADT | Command Injection vulnerability in ADT Lifeshield DIY HD Video Doorbell Firmware 1.0.02R09 Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in HTTP interface of ADT LifeShield DIY HD Video Doorbell allows an attacker on the same network to execute commands on the device. | 8.8 |
2021-02-02 | CVE-2020-25036 | Ucopia | OS Command Injection vulnerability in Ucopia Wireless Appliance 6.0.5 UCOPIA Wi-Fi appliances 6.0.5 allow authenticated remote attackers to escape the restricted administration shell CLI, and access a shell with admin user rights, via an unprotected less command. | 8.8 |
2021-02-01 | CVE-2021-21286 | Wwbn | Unspecified vulnerability in Wwbn Avideo AVideo Platform is an open-source Audio and Video platform. | 8.8 |
2021-02-01 | CVE-2021-21277 | Peerigon | Code Injection vulnerability in Peerigon Angular-Expressions angular-expressions is "angular's nicest part extracted as a standalone module for the browser and node". | 8.8 |
2021-02-01 | CVE-2020-24271 | Easycms | Cross-Site Request Forgery (CSRF) vulnerability in Easycms 1.6 A CSRF vulnerability was discovered in EasyCMS v1.6 that can add an admin account through index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent, then post username=***&password=***. | 8.8 |
2021-02-02 | CVE-2021-21289 | Mechanize Project Fedoraproject Debian | OS Command Injection vulnerability in multiple products Mechanize is an open-source ruby library that makes automated web interaction easy. | 8.3 |
2021-02-02 | CVE-2020-25037 | Ucopia | Unrestricted Upload of File with Dangerous Type vulnerability in Ucopia Wireless Appliance 6.0.5 UCOPIA Wi-Fi appliances 6.0.5 allow arbitrary code execution with admin user privileges via an escape from a restricted command. | 8.2 |
2021-02-05 | CVE-2020-10552 | Psyprax | Insecure Default Initialization of Resource vulnerability in Psyprax An issue was discovered in Psyprax before 3.2.2. | 8.1 |
2021-02-03 | CVE-2020-25856 | Realtek | Out-of-bounds Write vulnerability in Realtek Rtl8195A Firmware The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. | 8.1 |
2021-02-03 | CVE-2020-25855 | Realtek | Out-of-bounds Write vulnerability in Realtek Rtl8195A Firmware The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. | 8.1 |
2021-02-03 | CVE-2020-25854 | Realtek | Out-of-bounds Write vulnerability in Realtek Rtl8195A Firmware The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, rt_arc4_crypt_veneer() or _AES_UnWRAP_veneer(), resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. | 8.1 |
2021-02-02 | CVE-2021-23271 | Tibco | Cross-site Scripting vulnerability in Tibco EBX The TIBCO EBX Web Server component of TIBCO Software Inc.'s TIBCO EBX contains a vulnerability that theoretically allows a low privileged attacker with network access to execute a Stored Cross Site Scripting (XSS) attack on the affected system. | 8.0 |
2021-02-06 | CVE-2021-22299 | Huawei | Unspecified vulnerability in Huawei products There is a local privilege escalation vulnerability in some Huawei products. | 7.8 |
2021-02-05 | CVE-2020-12122 | Maxpcsecure | Improper Input Validation vulnerability in Maxpcsecure MAX Spyware Detector 1.0.0.044 In Max Secure Max Spyware Detector 1.0.0.044, the driver file (MaxProc64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x2200019. | 7.8 |
2021-02-05 | CVE-2020-18750 | Flowpaper | Classic Buffer Overflow vulnerability in Flowpaper Pdf2Json 0.69 Buffer overflow in pdf2json 0.69 allows local users to execute arbitrary code by converting a crafted PDF file. | 7.8 |
2021-02-05 | CVE-2020-10537 | Epikur | Missing Authentication for Critical Function vulnerability in Epikur 20.1.0.1 An issue was discovered in Epikur before 20.1.1. | 7.8 |
2021-02-04 | CVE-2021-25249 | Trendmicro | Out-of-bounds Write vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security An out-of-bounds write information disclosure vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security (10.0 SP1 and Services) could allow a local attacker to escalate privileges on affected installations. | 7.8 |
2021-02-04 | CVE-2021-1370 | Cisco | Unspecified vulnerability in Cisco IOS XR A vulnerability in a CLI command of Cisco IOS XR Software for the Cisco 8000 Series Routers and Network Convergence System 540 Series Routers running NCS540L software images could allow an authenticated, local attacker to elevate their privilege to root. | 7.8 |
2021-02-04 | CVE-2020-27249 | Softmaker | Out-of-bounds Write vulnerability in Softmaker Planmaker 2021 1014 A specially crafted document can cause the document parser to copy data from a particular record type into a static-sized buffer within an object that is smaller than the size used for the copy, which will cause a heap-based buffer overflow. | 7.8 |
2021-02-04 | CVE-2020-27248 | Softmaker | Out-of-bounds Write vulnerability in Softmaker Planmaker 2021 1014 A specially crafted document can cause the document parser to copy data from a particular record type into a static-sized buffer within an object that is smaller than the size used for the copy, which will cause a heap-based buffer overflow. | 7.8 |
2021-02-04 | CVE-2020-27247 | Softmaker | Out-of-bounds Write vulnerability in Softmaker Planmaker 2021 1014 A specially crafted document can cause the document parser to copy data from a particular record type into a static-sized buffer within an object that is smaller than the size used for the copy, which will cause a heap-based buffer overflow. | 7.8 |
2021-02-04 | CVE-2020-13586 | Softmaker | Out-of-bounds Write vulnerability in Softmaker Planmaker 2021 1014 A memory corruption vulnerability exists in the Excel Document SST Record 0x00fc functionality of SoftMaker Software GmbH SoftMaker Office PlanMaker 2021 (Revision 1014). | 7.8 |
2021-02-04 | CVE-2020-13580 | Softmaker | Out-of-bounds Write vulnerability in Softmaker Planmaker 2021 1014 An exploitable heap-based buffer overflow vulnerability exists in the PlanMaker document parsing functionality of SoftMaker Office 2021’s PlanMaker application. | 7.8 |
2021-02-04 | CVE-2020-13579 | Softmaker | Integer Overflow or Wraparound vulnerability in Softmaker Planmaker 2021 1014 An exploitable integer overflow vulnerability exists in the PlanMaker document parsing functionality of SoftMaker Office 2021’s PlanMaker application. | 7.8 |
2021-02-03 | CVE-2021-25275 | Solarwinds | Use of Hard-coded Credentials vulnerability in Solarwinds Orion Platform SolarWinds Orion Platform before 2020.2.4, as used by various SolarWinds products, installs and uses a SQL Server backend, and stores database credentials to access this backend in a file readable by unprivileged users. | 7.8 |
2021-02-03 | CVE-2021-25758 | Jetbrains | Deserialization of Untrusted Data vulnerability in Jetbrains Intellij Idea In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to local code execution. | 7.8 |
2021-02-03 | CVE-2020-35152 | Cloudflare | Unquoted Search Path or Element vulnerability in Cloudflare Warp 1.2.2544.0 Cloudflare WARP for Windows allows privilege escalation due to an unquoted service path. | 7.8 |
2021-02-02 | CVE-2020-8672 | Intel | Out-of-bounds Read vulnerability in Intel Bios Out of bound read in BIOS firmware for 8th, 9th Generation Intel(R) Core(TM), Intel(R) Celeron(R) Processor 4000 Series Processors may allow an unauthenticated user to potentially enable elevation of privilege or denial of service via local access. | 7.8 |
2021-02-02 | CVE-2020-1910 | Out-of-bounds Write vulnerability in Whatsapp and Whatsapp Business A missing bounds check in WhatsApp for Android prior to v2.21.1.13 and WhatsApp Business for Android prior to v2.21.1.13 could have allowed out-of-bounds read and write if a user applied specific image filters to a specially crafted image and sent the resulting image. | 7.8 | |
2021-02-01 | CVE-2019-20471 | TK Star | Use of Hard-coded Credentials vulnerability in Tk-Star Q90 Junior GPS Horloge Firmware 3.1042.9.8656 An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. | 7.8 |
2021-02-01 | CVE-2021-21287 | Minio | Unspecified vulnerability in Minio MinIO is a High Performance Object Storage released under Apache License v2.0. | 7.7 |
2021-02-07 | CVE-2021-26843 | Sthttpd Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Sthttpd Project Sthttpd 2.27.1 An issue was discovered in sthttpd through 2.27.1. | 7.5 |
2021-02-06 | CVE-2021-22293 | Huawei | HTTP Request Smuggling vulnerability in Huawei Campusinsight, Manageone and Taurus-Al00A Firmware Some Huawei products have an inconsistent interpretation of HTTP requests vulnerability. | 7.5 |
2021-02-06 | CVE-2021-22292 | Huawei | Unspecified vulnerability in Huawei Ecns280 Firmware V100R005C00/V100R005C10 There is a denial of service (DoS) vulnerability in eCNS280 versions V100R005C00, V100R005C10. | 7.5 |
2021-02-05 | CVE-2021-3229 | Asus | Unspecified vulnerability in Asus Rt-Ax3000 Firmware 3.0.0.4.38410177 Denial of service in ASUSWRT ASUS RT-AX3000 firmware versions 3.0.0.4.384_10177 and earlier versions allows an attacker to disrupt the use of device setup services via continuous login error. | 7.5 |
2021-02-05 | CVE-2020-10554 | Psyprax | Insufficiently Protected Credentials vulnerability in Psyprax An issue was discovered in Psyprax beforee 3.2.2. | 7.5 |
2021-02-05 | CVE-2021-3382 | Gitea | Out-of-bounds Write vulnerability in Gitea Stack buffer overflow vulnerability in gitea 1.9.0 through 1.13.1 allows remote attackers to cause a denial of service (crash) via vectors related to a file path. | 7.5 |
2021-02-05 | CVE-2020-8806 | Electriccoin | Incorrect Authorization vulnerability in Electriccoin Zcashd Electric Coin Company Zcashd before 2.1.1-1 allows attackers to trigger consensus failure and double spending. | 7.5 |
2021-02-04 | CVE-2021-0351 | Unspecified vulnerability in Google Android In wlan driver, there is a possible system crash due to a missing bounds check. | 7.5 | |
2021-02-04 | CVE-2021-1313 | Cisco | Memory Leak vulnerability in Cisco IOS XR Multiple vulnerabilities in the ingress packet processing function of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 7.5 |
2021-02-04 | CVE-2021-1297 | Cisco | Path Traversal vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to conduct directory traversal attacks and overwrite certain files that should be restricted on an affected system. | 7.5 |
2021-02-04 | CVE-2021-1296 | Cisco | Path Traversal vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to conduct directory traversal attacks and overwrite certain files that should be restricted on an affected system. | 7.5 |
2021-02-04 | CVE-2021-1288 | Cisco | Unspecified vulnerability in Cisco IOS XR Multiple vulnerabilities in the ingress packet processing function of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 7.5 |
2021-02-04 | CVE-2021-1243 | Cisco | Unspecified vulnerability in Cisco IOS XR A vulnerability in the Local Packet Transport Services (LPTS) programming of the SNMP with the management plane protection feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to allow connections despite the management plane protection that is configured to deny access to the SNMP server of an affected device. | 7.5 |
2021-02-04 | CVE-2020-6088 | Rockwellautomation | Classic Buffer Overflow vulnerability in Rockwellautomation Flex IO 1794-Aent/B Firmware 4.003 An exploitable denial of service vulnerability exists in the ENIP Request Path Network Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. | 7.5 |
2021-02-04 | CVE-2020-14246 | Hcltechsw | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Hcltechsw Onetest Performance 10.0.0/10.1.0/9.5.0 HCL OneTest Performance V9.5, V10.0, V10.1 uses basic authentication which is relatively weak. | 7.5 |
2021-02-03 | CVE-2020-25857 | Realtek | Out-of-bounds Write vulnerability in Realtek Rtl8195A Firmware The function ClientEAPOLKeyRecvd() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for denial of service. | 7.5 |
2021-02-03 | CVE-2020-25853 | Realtek | Out-of-bounds Read vulnerability in Realtek Rtl8195A Firmware The function CheckMic() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, _rt_md5_hmac_veneer() or _rt_hmac_sha1_veneer(), resulting in a stack buffer over-read which can be exploited for denial of service. | 7.5 |
2021-02-03 | CVE-2020-17516 | Apache | Authentication Bypass by Spoofing vulnerability in Apache Cassandra Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. | 7.5 |
2021-02-03 | CVE-2021-25776 | Jetbrains | Insecure Storage of Sensitive Information vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2020.2, an ECR token could be exposed in a build's parameters. | 7.5 |
2021-02-03 | CVE-2021-25769 | Jetbrains | Unspecified vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2020.4.6808, the YouTrack administrator wasn't able to access attachments. | 7.5 |
2021-02-03 | CVE-2020-35667 | Jetbrains | Server-Side Request Forgery (SSRF) vulnerability in Jetbrains Teamcity JetBrains TeamCity Plugin before 2020.2.85695 SSRF. | 7.5 |
2021-02-03 | CVE-2020-27222 | Eclipse | Unspecified vulnerability in Eclipse Californium In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state. | 7.5 |
2021-02-03 | CVE-2020-29166 | Rainbowfishsoftware | Path Traversal vulnerability in Rainbowfishsoftware Pacsone Server PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by file read/manipulation, which can result in remote information disclosure. | 7.5 |
2021-02-02 | CVE-2021-21294 | Typelevel | Allocation of Resources Without Limits or Throttling vulnerability in Typelevel Http4S Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. | 7.5 |
2021-02-02 | CVE-2021-21293 | Typelevel | Allocation of Resources Without Limits or Throttling vulnerability in Typelevel Blaze blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. | 7.5 |
2021-02-02 | CVE-2020-14255 | Hcltech | Unspecified vulnerability in Hcltech Digital Experience 9.5 HCL Digital Experience 9.5 containers include vulnerabilities that could expose sensitive data to unauthorized parties via crafted requests. | 7.5 |
2021-02-02 | CVE-2019-25018 | MIT | Unspecified vulnerability in MIT Krb5-Appl In the rcp client in MIT krb5-appl through 1.0.3, malicious servers could bypass intended access restrictions via the filename of . | 7.5 |
2021-02-02 | CVE-2020-24335 | UIP Project | Out-of-bounds Read vulnerability in UIP Project UIP An issue was discovered in uIP through 1.0, as used in Contiki and Contiki-NG. | 7.5 |
2021-02-01 | CVE-2019-20470 | TK Star | Insecure Default Initialization of Resource vulnerability in Tk-Star Q90 Junior GPS Horloge Firmware 3.1042.9.8656 An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. | 7.5 |
2021-02-01 | CVE-2020-20290 | Yccms | Path Traversal vulnerability in Yccms 3.3 Directory traversal vulnerability in the yccms 3.3 project. | 7.5 |
2021-02-01 | CVE-2021-3283 | Hashicorp | Unspecified vulnerability in Hashicorp Nomad HashiCorp Nomad and Nomad Enterprise up to 0.12.9 exec and java task drivers can access processes associated with other tasks on the same node. | 7.5 |
2021-02-01 | CVE-2021-3282 | Hashicorp | Improper Authentication vulnerability in Hashicorp Vault 1.6.0/1.6.1 HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. | 7.5 |
2021-02-01 | CVE-2020-15834 | Mofinetwork | Missing Authentication for Critical Function vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 4.1.5Std An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. | 7.5 |
2021-02-01 | CVE-2020-15832 | Mofinetwork | Unspecified vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 4.1.5Std An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. | 7.5 |
2021-02-01 | CVE-2020-13860 | Mofinetwork | Use of Insufficiently Random Values vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 4.0.8Std An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. | 7.5 |
2021-02-01 | CVE-2020-13857 | Mofinetwork | Unspecified vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 3.6.1Std/4.0.8Std/4.1.5Std An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. | 7.5 |
2021-02-01 | CVE-2020-13856 | Mofinetwork | Missing Authentication for Critical Function vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 4.0.8Std An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. | 7.5 |
2021-02-03 | CVE-2020-28895 | Windriver Oracle | Integer Overflow or Wraparound vulnerability in multiple products In Wind River VxWorks, memory allocator has a possible overflow in calculating the memory block's size to be allocated by calloc(). | 7.3 |
2021-02-04 | CVE-2021-1348 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1347 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1346 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1345 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1344 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1343 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1342 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1341 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1340 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1339 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1338 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1337 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1336 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1335 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1334 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1333 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1332 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1331 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1330 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1329 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1328 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1327 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1326 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1325 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1324 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1323 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1322 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1321 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1320 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1319 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. | 7.2 |
2021-02-04 | CVE-2021-1318 | Cisco | OS Command Injection vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. | 7.2 |
2021-02-04 | CVE-2021-1317 | Cisco | OS Command Injection vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. | 7.2 |
2021-02-04 | CVE-2021-1316 | Cisco | OS Command Injection vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. | 7.2 |
2021-02-04 | CVE-2021-1315 | Cisco | OS Command Injection vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. | 7.2 |
2021-02-04 | CVE-2021-1314 | Cisco | OS Command Injection vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. | 7.2 |
2021-02-06 | CVE-2021-22302 | Huawei | Out-of-bounds Read vulnerability in Huawei Taurus-Al00A Firmware 10.0.0.1(C00E1R1P1) There is an out-of-bound read vulnerability in Taurus-AL00A 10.0.0.1(C00E1R1P1). | 7.1 |
2021-02-05 | CVE-2021-1072 | Nvidia | Unspecified vulnerability in Nvidia Geforce Experience NVIDIA GeForce Experience, all versions prior to 3.21, contains a vulnerability in GameStream (rxdiag.dll) where an arbitrary file deletion due to improper handling of log files may lead to denial of service. | 7.1 |
2021-02-03 | CVE-2021-25276 | Solarwinds | Incorrect Permission Assignment for Critical Resource vulnerability in Solarwinds Serv-U In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files (that include users' password hashes) that is world readable and writable. | 7.1 |
2021-02-05 | CVE-2021-26708 | Linux Netapp | Improper Locking vulnerability in multiple products A local privilege escalation was discovered in the Linux kernel before 5.10.13. | 7.0 |
2021-02-01 | CVE-2021-3348 | Linux Debian | Use After Free vulnerability in multiple products nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71. | 7.0 |
148 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-02-06 | CVE-2020-9118 | Huawei | Improper Validation of Integrity Check Value vulnerability in Huawei Ais-Bw80H-00 Firmware There is an insufficient integrity check vulnerability in Huawei Sound X Product. | 6.8 |
2021-02-05 | CVE-2021-21303 | Helm | Unspecified vulnerability in Helm Helm is open-source software which is essentially "The Kubernetes Package Manager". | 6.8 |
2021-02-02 | CVE-2021-21284 | Docker Debian Netapp | Path Traversal vulnerability in multiple products In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. | 6.8 |
2021-02-01 | CVE-2019-20473 | TK Star | Unspecified vulnerability in Tk-Star Q90 Junior GPS Horloge Firmware 3.1042.9.8656 An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. | 6.8 |
2021-02-06 | CVE-2021-22301 | Huawei | Classic Buffer Overflow vulnerability in Huawei Mate 30 Firmware 10.0.0.203(C00E201R7P2) Mate 30 10.0.0.203(C00E201R7P2) have a buffer overflow vulnerability. | 6.7 |
2021-02-04 | CVE-2021-0349 | Use After Free vulnerability in Google Android 10.0/11.0/9.0 In display driver, there is a possible memory corruption due to a use after free. | 6.7 | |
2021-02-04 | CVE-2021-0348 | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/9.0 In vpu, there is a possible out of bounds write due to a missing bounds check. | 6.7 | |
2021-02-04 | CVE-2021-0346 | Out-of-bounds Write vulnerability in Google Android 10.0/11.0 In vpu, there is a possible out of bounds write due to an incorrect bounds check. | 6.7 | |
2021-02-04 | CVE-2021-0345 | Improper Input Validation vulnerability in Google Android 10.0/11.0 In mobile_log_d, there is a possible escalation of privilege due to improper input validation. | 6.7 | |
2021-02-04 | CVE-2021-0344 | Unspecified vulnerability in Google Android 10.0/11.0 In mtkpower, there is a possible memory corruption due to a missing bounds check. | 6.7 | |
2021-02-04 | CVE-2021-0343 | Out-of-bounds Write vulnerability in Google Android 11.0 In kisd, there is a possible out of bounds write due to a missing bounds check. | 6.7 | |
2021-02-04 | CVE-2021-1244 | Cisco | Unspecified vulnerability in Cisco IOS XR Multiple vulnerabilities in Cisco Network Convergence System (NCS) 540 Series Routers, only when running Cisco IOS XR NCS540L software images, and Cisco IOS XR Software for the Cisco 8000 Series Routers could allow an authenticated, local attacker to execute unsigned code during the boot process on an affected device. | 6.7 |
2021-02-04 | CVE-2021-1136 | Cisco | Unspecified vulnerability in Cisco IOS XR Multiple vulnerabilities in Cisco Network Convergence System (NCS) 540 Series Routers, only when running Cisco IOS XR NCS540L software images, and Cisco IOS XR Software for the Cisco 8000 Series Routers could allow an authenticated, local attacker to execute unsigned code during the boot process on an affected device. | 6.7 |
2021-02-03 | CVE-2021-0365 | Use After Free vulnerability in Google Android 10.0/11.0 In display driver, there is a possible memory corruption due to a use after free. | 6.7 | |
2021-02-03 | CVE-2021-0364 | Command Injection vulnerability in Google Android 10.0/11.0 In mobile_log_d, there is a possible command injection due to improper input validation. | 6.7 | |
2021-02-03 | CVE-2021-0363 | Command Injection vulnerability in Google Android 10.0/11.0 In mobile_log_d, there is a possible command injection due to a missing bounds check. | 6.7 | |
2021-02-03 | CVE-2021-0362 | Out-of-bounds Write vulnerability in Google Android 11.0 In aee, there is a possible memory corruption due to a stack buffer overflow. | 6.7 | |
2021-02-03 | CVE-2021-0361 | Out-of-bounds Read vulnerability in Google Android 11.0 In kisd, there is a possible out of bounds read due to improper input validation. | 6.7 | |
2021-02-03 | CVE-2021-0360 | Out-of-bounds Write vulnerability in Google Android 10.0/11.0 In netdiag, there is a possible out of bounds write due to an incorrect bounds check. | 6.7 | |
2021-02-03 | CVE-2021-0359 | Out-of-bounds Write vulnerability in Google Android 10.0/11.0 In netdiag, there is a possible out of bounds write due to a missing bounds check. | 6.7 | |
2021-02-03 | CVE-2021-0358 | Command Injection vulnerability in Google Android 10.0/11.0 In netdiag, there is a possible command injection due to improper input validation. | 6.7 | |
2021-02-03 | CVE-2021-0357 | Out-of-bounds Write vulnerability in Google Android 10.0/11.0 In netdiag, there is a possible out of bounds write due to a missing bounds check. | 6.7 | |
2021-02-03 | CVE-2021-0356 | Command Injection vulnerability in Google Android 10.0/11.0 In netdiag, there is a possible command injection due to improper input validation. | 6.7 | |
2021-02-03 | CVE-2021-0355 | Integer Overflow or Wraparound vulnerability in Google Android 11.0 In kisd, there is a possible out of bounds write due to an integer overflow. | 6.7 | |
2021-02-03 | CVE-2021-0354 | Integer Overflow or Wraparound vulnerability in Google Android In ged, there is a possible out of bounds write due to an integer overflow. | 6.7 | |
2021-02-03 | CVE-2021-0353 | Out-of-bounds Write vulnerability in Google Android 11.0 In kisd, there is a possible memory corruption due to a heap buffer overflow. | 6.7 | |
2021-02-02 | CVE-2020-8734 | Intel | Improper Input Validation vulnerability in Intel M10Jnp2Sb Firmware 7.209 Improper input validation in the firmware for Intel(R) Server Board M10JNP2SB before version 7.210 may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2021-02-02 | CVE-2020-25035 | Ucopia | Unspecified vulnerability in Ucopia Express Wireless Appliance UCOPIA Wi-Fi appliances 6.0.5 allow arbitrary code execution with root privileges using chroothole_client's PHP call, a related issue to CVE-2017-11322. | 6.7 |
2021-02-07 | CVE-2021-22161 | Openwrt | Infinite Loop vulnerability in Openwrt In OpenWrt 19.07.x before 19.07.7, when IPv6 is used, a routing loop can occur that generates excessive network traffic between an affected device and its upstream ISP's router. | 6.5 |
2021-02-06 | CVE-2021-22500 | Microfocus | Cross-Site Request Forgery (CSRF) vulnerability in Microfocus Application Performance Management 9.40/9.50/9.51 Cross Site Request Forgery vulnerability in Micro Focus Application Performance Management product, affecting versions 9.40, 9.50 and 9.51. | 6.5 |
2021-02-06 | CVE-2021-22298 | Huawei | Unspecified vulnerability in Huawei Manageone 6.5.1.1/8.0.0 There is a logic vulnerability in Huawei Gauss100 OLTP Product. | 6.5 |
2021-02-05 | CVE-2020-10234 | Iobit | Unspecified vulnerability in Iobit Advanced Systemcare 13.2 The AscRegistryFilter.sys kernel driver in IObit Advanced SystemCare 13.2 allows an unprivileged user to send an IOCTL to the device driver. | 6.5 |
2021-02-04 | CVE-2021-25246 | Trendmicro | Unspecified vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security An improper access control information disclosure vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG SP1, and Worry-Free Business Security could allow an unauthenticated user to create a bogus agent on an affected server that could be used then make valid configuration queries. | 6.5 |
2021-02-04 | CVE-2021-1389 | Cisco | Unspecified vulnerability in Cisco IOS XR A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device. | 6.5 |
2021-02-04 | CVE-2021-1268 | Cisco | Unspecified vulnerability in Cisco IOS XR A vulnerability in the IPv6 protocol handling of the management interfaces of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause an IPv6 flood on the management interface network of an affected device. | 6.5 |
2021-02-04 | CVE-2021-1266 | Cisco | Unspecified vulnerability in Cisco Managed Services Accelerator 3.7.0 A vulnerability in the REST API of Cisco Managed Services Accelerator (MSX) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 6.5 |
2021-02-04 | CVE-2020-4828 | IBM | Improper Input Validation vulnerability in IBM API Connect IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to web cache poisoning, caused by improper input validation by modifying HTTP request headers. | 6.5 |
2021-02-04 | CVE-2020-27873 | Netgear | Incorrect Authorization vulnerability in Netgear products This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R7450 1.2.0.62_1.0.1 routers. | 6.5 |
2021-02-04 | CVE-2020-14247 | Hcltechsw | Insufficient Session Expiration vulnerability in Hcltechsw Onetest Performance 10.0.0/10.1.0/9.5.0 HCL OneTest Performance V9.5, V10.0, V10.1 contains an inadequate session timeout, which could allow an attacker time to guess and use a valid session ID. | 6.5 |
2021-02-03 | CVE-2020-9388 | Squaredup | Cross-Site Request Forgery (CSRF) vulnerability in Squaredup 4.6 CSRF protection was not present in SquaredUp before version 4.6.0. | 6.5 |
2021-02-03 | CVE-2021-25759 | Jetbrains | Unspecified vulnerability in Jetbrains HUB In JetBrains Hub before 2020.1.12629, an authenticated user can delete 2FA settings of any other user. | 6.5 |
2021-02-03 | CVE-2020-27994 | Solarwinds | Path Traversal vulnerability in Solarwinds Serv-U SolarWinds Serv-U before 15.2.2 allows Authenticated Directory Traversal. | 6.5 |
2021-02-02 | CVE-2020-24490 | Bluez | Unspecified vulnerability in Bluez Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.5 |
2021-02-02 | CVE-2021-21285 | Docker Debian Netapp | Improper Check for Unusual or Exceptional Conditions vulnerability in multiple products In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. | 6.5 |
2021-02-02 | CVE-2021-21292 | Traccar | Unspecified vulnerability in Traccar Traccar is an open source GPS tracking system. | 6.3 |
2021-02-06 | CVE-2021-26723 | Jenzabar | Cross-site Scripting vulnerability in Jenzabar 9.2.0/9.2.1/9.2.2 Jenzabar 9.2.x through 9.2.2 allows /ics?tool=search&query= XSS. | 6.1 |
2021-02-05 | CVE-2021-26722 | Cross-site Scripting vulnerability in Linkedin Oncall LinkedIn Oncall through 1.4.0 allows reflected XSS via /query because of mishandling of the "No results found for" message in the search bar. | 6.1 | |
2021-02-05 | CVE-2020-18737 | Typora | Cross-site Scripting vulnerability in Typora 0.9.67 An issue was discovered in Typora 0.9.67. | 6.1 |
2021-02-05 | CVE-2021-3333 | Opmantek | Cross-site Scripting vulnerability in Opmantek Open-Audit 4.0.1 Opmantek Open-AudIT 4.0.1 is affected by cross-site scripting (XSS). | 6.1 |
2021-02-05 | CVE-2021-26710 | Redwood | Cross-site Scripting vulnerability in Redwood Report2Web 4.3.4.5/4.5.3 A cross-site scripting (XSS) issue in the login panel in Redwood Report2Web 4.3.4.5 and 4.5.3 allows remote attackers to inject JavaScript via the signIn.do urll parameter. | 6.1 |
2021-02-03 | CVE-2021-26023 | Nagios | Cross-site Scripting vulnerability in Nagios Favorites The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to XSS. | 6.1 |
2021-02-03 | CVE-2021-25773 | Jetbrains | Cross-site Scripting vulnerability in Jetbrains Teamcity JetBrains TeamCity before 2020.2 was vulnerable to reflected XSS on several pages. | 6.1 |
2021-02-03 | CVE-2021-25757 | Jetbrains | Open Redirect vulnerability in Jetbrains HUB In JetBrains Hub before 2020.1.12629, an open redirect was possible. | 6.1 |
2021-02-03 | CVE-2020-29164 | Rainbowfishsoftware | Cross-site Scripting vulnerability in Rainbowfishsoftware Pacsone Server PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by cross-site scripting (XSS). | 6.1 |
2021-02-02 | CVE-2021-21043 | Adobe | Unspecified vulnerability in Adobe Consulting Services Commons ACS Commons version 4.9.2 (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in version-compare and page-compare due to invalid JCR characters that are not handled correctly. | 6.1 |
2021-02-02 | CVE-2020-4081 | Hcltech | Cross-site Scripting vulnerability in Hcltech Digital Experience 8.5/9.0/9.5 In Digital Experience 8.5, 9.0, and 9.5, WSRP consumer is vulnerable to cross-site scripting (XSS). | 6.1 |
2021-02-02 | CVE-2021-21291 | Oauth2 Proxy Project | Unspecified vulnerability in Oauth2 Proxy Project Oauth2 Proxy OAuth2 Proxy is an open-source reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. | 6.1 |
2021-02-01 | CVE-2021-3340 | Wikindx Project | Cross-site Scripting vulnerability in Wikindx Project Wikindx A cross-site scripting (XSS) vulnerability in many forms of Wikindx before 5.7.0 and 6.x through 6.4.0 allows remote attackers to inject arbitrary web script or HTML via the message parameter to index.php?action=initLogon or modules/admin/DELETEIMAGES.php. | 6.1 |
2021-02-01 | CVE-2020-13564 | Phpgacl Project Open EMR | Cross-site Scripting vulnerability in multiple products A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. | 6.1 |
2021-02-01 | CVE-2020-13563 | Phpgacl Project Open EMR | Cross-site Scripting vulnerability in multiple products A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. | 6.1 |
2021-02-01 | CVE-2020-13562 | Phpgacl Project Open EMR | Cross-site Scripting vulnerability in multiple products A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. | 6.1 |
2021-02-01 | CVE-2021-3350 | Delete Account Project | Cross-site Scripting vulnerability in Delete Account Project Delete Account 1.4 deleteaccount.php in the Delete Account plugin 1.4 for MyBB allows XSS via the deletereason parameter. | 6.1 |
2021-02-06 | CVE-2020-5812 | Tenable | Improper Certificate Validation vulnerability in Tenable Nessus Amazon Machine Image 8.12.0 Nessus AMI versions 8.12.0 and earlier were found to either not validate, or incorrectly validate, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. | 5.9 |
2021-02-06 | CVE-2020-14312 | Fedoraproject | Unspecified vulnerability in Fedoraproject Fedora A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. | 5.9 |
2021-02-02 | CVE-2021-20199 | Podman Project | Unspecified vulnerability in Podman Project Podman Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). | 5.9 |
2021-02-02 | CVE-2019-25017 | MIT | Incorrect Authorization vulnerability in MIT Krb5-Appl An issue was discovered in rcp in MIT krb5-appl through 1.0.3. | 5.9 |
2021-02-06 | CVE-2021-22307 | Huawei | Unspecified vulnerability in Huawei Mate 30 Firmware 10.0.0.203(C00E201R7P2) There is a weak algorithm vulnerability in Mate 3010.0.0.203(C00E201R7P2). | 5.5 |
2021-02-06 | CVE-2021-20176 | Imagemagick Debian | A divide-by-zero flaw was found in ImageMagick 6.9.11-57 and 7.0.10-57 in gem.c. | 5.5 |
2021-02-06 | CVE-2020-11836 | Unspecified vulnerability in Google Android OPPO Android Phone with MTK chipset and Android 8.1/9/10/11 versions have an information leak vulnerability. | 5.5 | |
2021-02-05 | CVE-2020-9453 | Epson | NULL Pointer Dereference vulnerability in Epson Iprojection 2.30 In Epson iProjection v2.30, the driver file EMP_MPAU.sys allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9C402406 and IOCtl 0x9C40240A. | 5.5 |
2021-02-05 | CVE-2020-10553 | Psyprax | Incorrect Permission Assignment for Critical Resource vulnerability in Psyprax An issue was discovered in Psyprax before 3.2.2. | 5.5 |
2021-02-05 | CVE-2020-10375 | Newmediacompany | Inadequate Encryption Strength vulnerability in Newmediacompany Smarty An issue was discovered in New Media Smarty before 9.10. | 5.5 |
2021-02-05 | CVE-2020-9014 | Epson | Unspecified vulnerability in Epson Iprojection 2.30 In Epson iProjection v2.30, the driver file (EMP_NSAU.sys) allows local users to cause a denial of service (BSOD) via crafted input to the virtual audio device driver with IOCTL 0x9C402402, 0x9C402406, or 0x9C40240A. | 5.5 |
2021-02-05 | CVE-2020-4832 | IBM | Unspecified vulnerability in IBM Powerha 7.2 IBM PowerHA 7.2 could allow a local attacker to obtain sensitive information from temporary directories after a discovery failure occurs. | 5.5 |
2021-02-05 | CVE-2020-36241 | Gnome Fedoraproject | Link Following vulnerability in multiple products autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location. | 5.5 |
2021-02-05 | CVE-2020-10538 | Epikur | Use of Password Hash With Insufficient Computational Effort vulnerability in Epikur 20.1.0.1 An issue was discovered in Epikur before 20.1.1. | 5.5 |
2021-02-04 | CVE-2021-25248 | Trendmicro | Out-of-bounds Read vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security An out-of-bounds read information disclosure vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security (10.0 SP1 and Services) could allow an attacker to disclose sensitive information about a named pipe. | 5.5 |
2021-02-04 | CVE-2021-1128 | Cisco | Unspecified vulnerability in Cisco IOS XR A vulnerability in the CLI parser of Cisco IOS XR Software could allow an authenticated, local attacker to view more information than their privileges allow. | 5.5 |
2021-02-05 | CVE-2021-3258 | QA Themes | Cross-site Scripting vulnerability in Qa-Themes Q2A Ultimate SEO 1.3 Question2Answer Q2A Ultimate SEO Version 1.3 is affected by cross-site scripting (XSS), which may lead to arbitrary remote code execution. | 5.4 |
2021-02-04 | CVE-2020-4825 | IBM | Cross-site Scripting vulnerability in IBM API Connect IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site scripting. | 5.4 |
2021-02-03 | CVE-2020-9390 | Squaredup | Cross-site Scripting vulnerability in Squaredup SquaredUp allowed Stored XSS before version 4.6.0. | 5.4 |
2021-02-03 | CVE-2020-18724 | Altn | Cross-site Scripting vulnerability in Altn Mdaemon Webmail 14.0/20.0.0 Authenticated stored cross-site scripting (XSS) in the contact name field in the distribution list of MDaemon webmail 19.5.5 allows an attacker to executes code and perform a XSS attack while opening a contact list. | 5.4 |
2021-02-03 | CVE-2020-18723 | Altn | Cross-site Scripting vulnerability in Altn Mdaemon Webmail 14.0/20.0.0 Stored cross-site scripting (XSS) in file attachment field in MDaemon webmail 19.5.5 allows an attacker to execute code on the email recipient side while forwarding an email to perform potentially malicious activities. | 5.4 |
2021-02-03 | CVE-2020-8294 | Nextcloud | Cross-site Scripting vulnerability in Nextcloud Server A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format. | 5.4 |
2021-02-03 | CVE-2020-35482 | Solarwinds | Cross-site Scripting vulnerability in Solarwinds Serv-U SolarWinds Serv-U before 15.2.2 allows authenticated reflected XSS. | 5.4 |
2021-02-03 | CVE-2020-28001 | Solarwinds | Cross-site Scripting vulnerability in Solarwinds Serv-U SolarWinds Serv-U before 15.2.2 allows Authenticated Stored XSS. | 5.4 |
2021-02-02 | CVE-2021-3395 | Pryaniki | Cross-site Scripting vulnerability in Pryaniki 6.44.3 A cross-site scripting (XSS) vulnerability in Pryaniki 6.44.3 allows remote authenticated users to upload an arbitrary file. | 5.4 |
2021-02-05 | CVE-2020-10858 | Zulip | Missing Authorization vulnerability in Zulip Desktop Zulip Desktop before 5.0.0 allows attackers to perform recording via the webcam and microphone due to a missing permission request handler. | 5.3 |
2021-02-05 | CVE-2021-26711 | Redwood | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Redwood Report2Web 4.3.4.5 A frame-injection issue in the online help in Redwood Report2Web 4.3.4.5 allows remote attackers to render an external resource inside a frame via the help/Online_Help/NetHelp/default.htm turl parameter. | 5.3 |
2021-02-05 | CVE-2020-8807 | Electriccoin | Unspecified vulnerability in Electriccoin Zcashd In Electric Coin Company Zcashd before 2.1.1-1, the time offset between messages could be leveraged to obtain sensitive information about the relationship between a suspected victim's address and an IP address, aka a timing side channel. | 5.3 |
2021-02-04 | CVE-2021-25245 | Trendmicro | Unspecified vulnerability in Trendmicro Worry-Free Business Security 10.0 An improper access control vulnerability in Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain various pieces of settings informaiton. | 5.3 |
2021-02-04 | CVE-2021-25244 | Trendmicro | Unspecified vulnerability in Trendmicro Worry-Free Business Security 10.0 An improper access control vulnerability in Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain various pieces of configuration informaiton. | 5.3 |
2021-02-04 | CVE-2021-25243 | Trendmicro | Unspecified vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain patch level information. | 5.3 |
2021-02-04 | CVE-2021-25242 | Trendmicro | Unspecified vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain version and build information. | 5.3 |
2021-02-04 | CVE-2021-25241 | Trendmicro | Server-Side Request Forgery (SSRF) vulnerability in Trendmicro Apex ONE and Worry-Free Business Security A server-side request forgery (SSRF) information disclosure vulnerability in Trend Micro Apex One and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to locate online agents via a sweep. | 5.3 |
2021-02-04 | CVE-2021-25240 | Trendmicro | Unspecified vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain x64 agent hofitx information. | 5.3 |
2021-02-04 | CVE-2021-25239 | Trendmicro | Unspecified vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security An improper access control vulnerability in Trend Micro Apex One (on-prem), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about x86 agent hotfixes. | 5.3 |
2021-02-04 | CVE-2021-25238 | Trendmicro | Unspecified vulnerability in Trendmicro Officescan and Worry-Free Business Security An improper access control information disclosure vulnerability in Trend Micro OfficeScan XG SP1 and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about an agent's managing port. | 5.3 |
2021-02-04 | CVE-2021-25237 | Trendmicro | Unspecified vulnerability in Trendmicro Apex ONE 2019 An improper access control vulnerability in Trend Micro Apex One (on-prem) could allow an unauthenticated user to obtain information about the managing port used by agents. | 5.3 |
2021-02-04 | CVE-2021-25236 | Trendmicro | Server-Side Request Forgery (SSRF) vulnerability in Trendmicro Officescan and Worry-Free Business Security A server-side request forgery (SSRF) information disclosure vulnerability in Trend Micro OfficeScan XG SP1 and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to locate online agents via a specific sweep. | 5.3 |
2021-02-04 | CVE-2021-25235 | Trendmicro | Unspecified vulnerability in Trendmicro Apex ONE and Officescan An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could allow an unauthenticated user to obtain information about a content inspection configuration file. | 5.3 |
2021-02-04 | CVE-2021-25234 | Trendmicro | Unspecified vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about a specific notification configuration file. | 5.3 |
2021-02-04 | CVE-2021-25233 | Trendmicro | Unspecified vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about a specific configuration download file. | 5.3 |
2021-02-04 | CVE-2021-25232 | Trendmicro | Unspecified vulnerability in Trendmicro Apex ONE and Officescan An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could allow an unauthenticated user to obtain information about the SQL database. | 5.3 |
2021-02-04 | CVE-2021-25231 | Trendmicro | Unspecified vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about a specific hotfix history file. | 5.3 |
2021-02-04 | CVE-2021-25230 | Trendmicro | Unspecified vulnerability in Trendmicro Apex ONE and Officescan An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could allow an unauthenticated user to obtain information about the contents of a scan connection exception file. | 5.3 |
2021-02-04 | CVE-2021-25229 | Trendmicro | Unspecified vulnerability in Trendmicro Apex ONE and Officescan An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could allow an unauthenticated user to obtain information about the database server. | 5.3 |
2021-02-04 | CVE-2021-25228 | Trendmicro | Unspecified vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about hotfix history. | 5.3 |
2021-02-04 | CVE-2020-16194 | Store Opart | Authorization Bypass Through User-Controlled Key vulnerability in Store-Opart Quote An Insecure Direct Object Reference (IDOR) vulnerability was found in Prestashop Opart devis < 4.0.2. | 5.3 |
2021-02-03 | CVE-2021-26024 | Nagios | Authorization Bypass Through User-Controlled Key vulnerability in Nagios Favorites The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to Insecure Direct Object Reference: it is possible to create favorites for any other user account. | 5.3 |
2021-02-03 | CVE-2021-25778 | Jetbrains | Unspecified vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2020.2.1, permissions during user deletion were checked improperly. | 5.3 |
2021-02-03 | CVE-2021-25777 | Jetbrains | Incorrect Authorization vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2020.2.1, permissions during token removal were checked improperly. | 5.3 |
2021-02-03 | CVE-2021-25772 | Jetbrains | Unspecified vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2020.2.2, TeamCity server DoS was possible via server integration. | 5.3 |
2021-02-03 | CVE-2021-25768 | Jetbrains | Unspecified vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2020.4.4701, permissions for attachments actions were checked improperly. | 5.3 |
2021-02-03 | CVE-2021-25767 | Jetbrains | Unspecified vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2020.6.1767, an issue's existence could be disclosed via YouTrack command execution. | 5.3 |
2021-02-03 | CVE-2021-25766 | Jetbrains | Unspecified vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2020.4.4701, improper resource access checks were made. | 5.3 |
2021-02-03 | CVE-2021-25763 | Jetbrains | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Jetbrains Ktor In JetBrains Ktor before 1.4.2, weak cipher suites were enabled by default. | 5.3 |
2021-02-03 | CVE-2021-25762 | Jetbrains | HTTP Request Smuggling vulnerability in Jetbrains Ktor In JetBrains Ktor before 1.4.3, HTTP Request Smuggling was possible. | 5.3 |
2021-02-03 | CVE-2021-25761 | Jetbrains | Inadequate Encryption Strength vulnerability in Jetbrains Ktor In JetBrains Ktor before 1.5.0, a birthday attack on SessionStorage key was possible. | 5.3 |
2021-02-03 | CVE-2021-25760 | Jetbrains | Unspecified vulnerability in Jetbrains HUB In JetBrains Hub before 2020.1.12669, information disclosure via the public API was possible. | 5.3 |
2021-02-03 | CVE-2021-25756 | Jetbrains | Unspecified vulnerability in Jetbrains Intellij Idea In JetBrains IntelliJ IDEA before 2020.2, HTTP links were used for several remote repositories instead of HTTPS. | 5.3 |
2021-02-03 | CVE-2020-29582 | Jetbrains Oracle | Incorrect Default Permissions vulnerability in multiple products In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. | 5.3 |
2021-02-03 | CVE-2020-25208 | Jetbrains | Incorrect Default Permissions vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2020.4.4701, an attacker could enumerate users via the REST API without appropriate permissions. | 5.3 |
2021-02-02 | CVE-2020-29662 | Linuxfoundation | Cleartext Transmission of Sensitive Information vulnerability in Linuxfoundation Harbor In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog’s registry API is exposed on an unauthenticated path. | 5.3 |
2021-02-02 | CVE-2021-3281 | Djangoproject Fedoraproject Netapp | Path Traversal vulnerability in multiple products In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments. | 5.3 |
2021-02-01 | CVE-2020-28493 | Palletsprojects Fedoraproject | Resource Exhaustion vulnerability in multiple products This affects the package jinja2 from 0.0.0 and before 2.11.3. | 5.3 |
2021-02-01 | CVE-2021-3024 | Hashicorp | Unspecified vulnerability in Hashicorp Vault HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. | 5.3 |
2021-02-01 | CVE-2020-25594 | Hashicorp | Unspecified vulnerability in Hashicorp Vault HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. | 5.3 |
2021-02-01 | CVE-2021-21266 | Openhab | Unspecified vulnerability in Openhab openHAB is a vendor and technology agnostic open source automation software for your home. | 5.0 |
2021-02-06 | CVE-2020-9205 | Huawei | Improper Neutralization of Formula Elements in a CSV File vulnerability in Huawei Manageone 8.0.1 There has a CSV injection vulnerability in ManageOne 8.0.1. | 4.9 |
2021-02-02 | CVE-2020-14221 | Hcltech | Unspecified vulnerability in Hcltech Digital Experience 8.5/9.0/9.5 HCL Digital Experience 8.5, 9.0, and 9.5 exposes information about the server to unauthorized users. | 4.9 |
2021-02-06 | CVE-2021-22499 | Microfocus | Cross-site Scripting vulnerability in Microfocus Application Performance Management 9.40/9.50/9.51 Persistent Cross-Site scripting vulnerability in Micro Focus Application Performance Management product, affecting versions 9.40, 9.50 and 9.51. | 4.8 |
2021-02-03 | CVE-2019-16268 | Zohocorp | Cross-site Scripting vulnerability in Zohocorp Manageengine Remote Access Plus 10.0.259 Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen. | 4.8 |
2021-02-06 | CVE-2021-22306 | Huawei | Out-of-bounds Read vulnerability in Huawei Mate 30 Firmware 10.0.0.182(C00E180R6P2) There is an out-of-bound read vulnerability in Mate 30 10.0.0.182(C00E180R6P2). | 4.6 |
2021-02-04 | CVE-2021-0350 | Improper Input Validation vulnerability in Google Android In ged, there is a possible system crash due to an improper input validation. | 4.4 | |
2021-02-04 | CVE-2021-0347 | Out-of-bounds Read vulnerability in Google Android In ccu, there is a possible out of bounds read due to a missing bounds check. | 4.4 | |
2021-02-03 | CVE-2021-0352 | Type Confusion vulnerability in Google Android 10.0/11.0 In RT regmap driver, there is a possible memory corruption due to type confusion. | 4.4 | |
2021-02-04 | CVE-2020-5032 | IBM | Unspecified vulnerability in IBM Qradar Security Information and Event Manager IBM QRadar SIEM 7.3 and 7.4 in some configurations may be vulnerable to a temporary denial of service attack when sent particular payloads. | 4.3 |
2021-02-04 | CVE-2020-4827 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM API Connect IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 4.3 |
2021-02-04 | CVE-2020-4826 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM API Connect IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 4.3 |
2021-02-03 | CVE-2021-25774 | Jetbrains | Incorrect Authorization vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2020.2.1, a user could get access to the GitHub access token of another user. | 4.3 |
2021-02-03 | CVE-2021-25771 | Jetbrains | Unspecified vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2020.6.1099, project information could be potentially disclosed. | 4.3 |
2021-02-02 | CVE-2020-4934 | IBM | Path Traversal vulnerability in IBM Content Navigator 3.0.0 IBM Content Navigator 3.0.CD could allow a remote attacker to traverse directories on the system. | 4.3 |
2021-02-02 | CVE-2020-36231 | Atlassian | Authorization Bypass Through User-Controlled Key vulnerability in Atlassian products Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. | 4.3 |
2021-02-02 | CVE-2020-14192 | Atlassian | Information Exposure vulnerability in Atlassian Crucible Affected versions of Atlassian Fisheye and Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics. | 4.3 |
2021-02-06 | CVE-2021-22300 | Huawei | Cleartext Storage of Sensitive Information vulnerability in Huawei Ecns280 TD Firmware V100R005C00/V100R005C10 There is an information leak vulnerability in eCNS280_TD versions V100R005C00 and V100R005C10. | 4.1 |
2021-02-04 | CVE-2021-1221 | Cisco | Injection vulnerability in Cisco Webex Meetings Server A vulnerability in the user interface of Cisco Webex Meetings and Cisco Webex Meetings Server Software could allow an authenticated, remote attacker to inject a hyperlink into a meeting invitation email. | 4.1 |
2021-02-04 | CVE-2020-4640 | IBM | Information Exposure vulnerability in IBM API Connect Certain IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 configurations can result in sensitive information in the URL fragment identifiers. | 4.1 |
12 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-02-03 | CVE-2021-25775 | Jetbrains | Unspecified vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2020.2.1, the server admin could create and see access tokens for any other users. | 3.8 |
2021-02-03 | CVE-2020-9389 | Squaredup | Information Exposure Through Discrepancy vulnerability in Squaredup 4.6 A username enumeration issue was discovered in SquaredUp before version 4.6.0. | 3.7 |
2021-02-04 | CVE-2021-1354 | Cisco | Unspecified vulnerability in Cisco Unified Computing System Central Software A vulnerability in the certificate registration process of Cisco Unified Computing System (UCS) Central Software could allow an authenticated, adjacent attacker to register a rogue Cisco Unified Computing System Manager (UCSM). | 3.5 |
2021-02-03 | CVE-2020-8589 | Netapp | Unspecified vulnerability in Netapp Clustered Data Ontap Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptible to a vulnerability which could allow unauthorized tenant users to discover the names of other Storage Virtual Machines (SVMs) and filenames on those SVMs. | 3.5 |
2021-02-03 | CVE-2020-8588 | Netapp | Unspecified vulnerability in Netapp Clustered Data Ontap Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptible to a vulnerability which could allow unauthorized tenant users to discover the existence of data on other Storage Virtual Machines (SVMs). | 3.5 |
2021-02-06 | CVE-2021-22305 | Huawei | Classic Buffer Overflow vulnerability in Huawei Mate 30 Firmware 10.1.0.126(C00E125R5P3) There is a buffer overflow vulnerability in Mate 30 10.1.0.126(C00E125R5P3). | 3.3 |
2021-02-06 | CVE-2021-22304 | Huawei | Use After Free vulnerability in Huawei Taurus-Al00A Firmware 10.0.0.1(C00E1R1P1) There is a use after free vulnerability in Taurus-AL00A 10.0.0.1(C00E1R1P1). | 3.3 |
2021-02-06 | CVE-2021-22303 | Huawei | Double Free vulnerability in Huawei Taurus-Al00A Firmware 10.0.0.1(C00E1R1P1) There is a pointer double free vulnerability in Taurus-AL00A 10.0.0.1(C00E1R1P1). | 3.3 |
2021-02-04 | CVE-2021-25227 | Trendmicro | Resource Exhaustion vulnerability in Trendmicro Antivirus Trend Micro Antivirus for Mac 2021 (Consumer) is vulnerable to a memory exhaustion vulnerability that could lead to disabling all the scanning functionality within the application. | 3.3 |
2021-02-03 | CVE-2021-23331 | Squareup | Unspecified vulnerability in Squareup Connect Java Software Development KIT This affects all versions of package com.squareup:connect. | 3.3 |
2021-02-01 | CVE-2021-3349 | Gnome | Insufficient Verification of Data Authenticity vulnerability in Gnome Evolution GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. | 3.3 |
2021-02-03 | CVE-2021-25755 | Jetbrains | Unspecified vulnerability in Jetbrains Code With ME In JetBrains Code With Me before 2020.3, an attacker on the local network, knowing a session ID, could get access to the encrypted traffic. | 2.5 |