Weekly Vulnerabilities Reports > February 1 to 7, 2021

Overview

340 new vulnerabilities reported during this period, including 54 critical vulnerabilities and 64 high severity vulnerabilities. This weekly summary report vulnerabilities in 201 products from 116 vendors including Cisco, Google, Jetbrains, Trendmicro, and Huawei. Vulnerabilities are notably categorized as "Stack-based Buffer Overflow", "Cross-site Scripting", "Out-of-bounds Write", "Information Exposure", and "Incorrect Authorization".

  • 263 reported vulnerabilities are remotely exploitables.
  • 94 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 264 reported vulnerabilities are exploitable by an anonymous user.
  • Cisco has the most reported vulnerabilities, with 56 reported vulnerabilities.
  • Cisco has the most reported critical vulnerabilities, with 44 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

54 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-02-07 CVE-2021-3122 NCR OS Command Injection vulnerability in NCR Command Center Agent 16.3

CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021.

10.0
2021-02-05 CVE-2021-20623 Panasonic Code Injection vulnerability in Panasonic Video Insight VMS 7.3.2.5/7.5

Video Insight VMS versions prior to 7.8 allows a remote attacker to execute arbitrary code with the system user privilege by sending a specially crafted request.

10.0
2021-02-04 CVE-2021-1295 Cisco External Control of Assumed-Immutable Web Parameter vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device.

10.0
2021-02-04 CVE-2021-1294 Cisco External Control of Assumed-Immutable Web Parameter vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device.

10.0
2021-02-04 CVE-2021-1293 Cisco External Control of Assumed-Immutable Web Parameter vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device.

10.0
2021-02-04 CVE-2021-1292 Cisco External Control of Assumed-Immutable Web Parameter vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device.

10.0
2021-02-04 CVE-2021-1291 Cisco External Control of Assumed-Immutable Web Parameter vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device.

10.0
2021-02-04 CVE-2021-1290 Cisco External Control of Assumed-Immutable Web Parameter vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device.

10.0
2021-02-04 CVE-2021-1289 Cisco External Control of Assumed-Immutable Web Parameter vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device.

10.0
2021-02-03 CVE-2021-25274 Solarwinds Deserialization of Untrusted Data vulnerability in Solarwinds Orion Platform

The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues.

10.0
2021-02-01 CVE-2020-15836 Mofinetwork Unspecified vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 4.1.5Std

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices.

10.0
2021-02-01 CVE-2020-15835 Mofinetwork Improper Authentication vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 4.1.5Std

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices.

10.0
2021-02-01 CVE-2020-15833 Mofinetwork Use of Hard-coded Credentials vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 4.1.5Std

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices.

10.0
2021-02-04 CVE-2021-1297 Cisco Absolute Path Traversal vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to conduct directory traversal attacks and overwrite certain files that should be restricted on an affected system.

9.4
2021-02-04 CVE-2021-1296 Cisco Absolute Path Traversal vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to conduct directory traversal attacks and overwrite certain files that should be restricted on an affected system.

9.4
2021-02-07 CVE-2020-36243 Open EMR OS Command Injection vulnerability in Open-Emr Openemr 5.0.2.1

The Patient Portal of OpenEMR 5.0.2.1 is affected by a Command Injection vulnerability in /interface/main/backup.php.

9.0
2021-02-04 CVE-2021-1348 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1347 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1346 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1345 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1344 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1343 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1342 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1341 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1340 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1339 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1338 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1337 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1336 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1335 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1334 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1333 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1332 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1331 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1330 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1329 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1328 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1327 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1326 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1325 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1324 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1323 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1322 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1321 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1320 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1319 Cisco Stack-based Buffer Overflow vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

9.0
2021-02-04 CVE-2021-1318 Cisco Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

9.0
2021-02-04 CVE-2021-1317 Cisco Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

9.0
2021-02-04 CVE-2021-1316 Cisco Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

9.0
2021-02-04 CVE-2021-1315 Cisco Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

9.0
2021-02-04 CVE-2021-1314 Cisco Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

9.0
2021-02-03 CVE-2020-17523 Apache Incorrect Authorization vulnerability in Apache Shiro

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

9.0
2021-02-02 CVE-2021-25310 Belkin OS Command Injection vulnerability in Belkin Linksys Wrt160Nl Firmware 1.0.04.002Us20130619

** UNSUPPORTED WHEN ASSIGNED ** The administration web interface on Belkin Linksys WRT160NL 1.0.04.002_US_20130619 devices allows remote authenticated attackers to execute system commands with root privileges via shell metacharacters in the ui_language POST parameter to the apply.cgi form endpoint.

9.0
2021-02-02 CVE-2020-25036 Ucopia OS Command Injection vulnerability in Ucopia Wireless Appliance

UCOPIA Wi-Fi appliances 6.0.5 allow authenticated remote attackers to escape the restricted administration shell CLI, and access a shell with admin user rights, via an unprotected less command.

9.0

64 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-02-02 CVE-2020-8101 ADT Command Injection vulnerability in ADT Lifeshield DIY HD Video Doorbell Firmware

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in HTTP interface of ADT LifeShield DIY HD Video Doorbell allows an attacker on the same network to execute commands on the device.

8.3
2021-02-06 CVE-2021-22292 Huawei Resource Exhaustion vulnerability in Huawei Ecns280 Firmware V100R005C00/V100R005C10

There is a denial of service (DoS) vulnerability in eCNS280 versions V100R005C00, V100R005C10.

7.8
2021-02-05 CVE-2021-3229 Asus Unspecified vulnerability in Asus Rt-Ax3000 Firmware

Denial of service in ASUSWRT ASUS RT-AX3000 firmware versions 3.0.0.4.384_10177 and earlier versions allows an attacker to disrupt the use of device setup services via continuous login error.

7.8
2021-02-04 CVE-2021-0351 Google Unspecified vulnerability in Google Android

In wlan driver, there is a possible system crash due to a missing bounds check.

7.8
2021-02-04 CVE-2021-1313 Cisco Resource Management Errors vulnerability in Cisco IOS XR

Multiple vulnerabilities in the ingress packet processing function of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

7.8
2021-02-04 CVE-2021-1288 Cisco Resource Management Errors vulnerability in Cisco IOS XR

Multiple vulnerabilities in the ingress packet processing function of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

7.8
2021-02-01 CVE-2020-15832 Mofinetwork Unspecified vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 4.1.5Std

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices.

7.8
2021-02-01 CVE-2020-13857 Mofinetwork Unspecified vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 3.6.1Std/4.0.8Std/4.1.5Std

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices.

7.8
2021-02-02 CVE-2021-21289 Mechanize Project
Fedoraproject
Debian
OS Command Injection vulnerability in multiple products

Mechanize is an open-source ruby library that makes automated web interaction easy.

7.6
2021-02-05 CVE-2020-10857 Zulip Unspecified vulnerability in Zulip Desktop

Zulip Desktop before 5.0.0 improperly uses shell.openExternal and shell.openItem with untrusted content, leading to remote code execution.

7.5
2021-02-05 CVE-2020-18717 Zzzcms SQL Injection vulnerability in Zzzcms Zzzphp 1.7.1

SQL Injection in ZZZCMS zzzphp 1.7.1 allows remote attackers to execute arbitrary code due to a lack of parameter filtering in inc/zzz_template.php.

7.5
2021-02-05 CVE-2020-18716 Rockoa SQL Injection vulnerability in Rockoa 1.8.7

SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in wordAction.php.

7.5
2021-02-05 CVE-2020-18714 Rockoa SQL Injection vulnerability in Rockoa 1.8.7

SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in wordModel.php's getdata function.

7.5
2021-02-05 CVE-2020-18713 Rockoa SQL Injection vulnerability in Rockoa 1.8.7

SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in customerAction.php

7.5
2021-02-05 CVE-2020-10539 Epikur Incorrect Authorization vulnerability in Epikur 20.1.0.1

An issue was discovered in Epikur before 20.1.1.

7.5
2021-02-04 CVE-2020-28450 Decal Project Unspecified vulnerability in Decal Project Decal

This affects all versions of package decal.

7.5
2021-02-04 CVE-2020-28449 Decal Project Unspecified vulnerability in Decal Project Decal

This affects all versions of package decal.

7.5
2021-02-04 CVE-2020-14245 Hcltechsw Improper Authentication vulnerability in Hcltechsw Onetest Performance

HCL OneTest UI V9.5, V10.0, and V10.1 does not perform authentication for functionality that either requires a provable user identity or consumes a significant amount of resources.

7.5
2021-02-04 CVE-2021-26689 Google Use After Free vulnerability in Google Android

An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, 9.0, and 10 software.

7.5
2021-02-04 CVE-2021-26688 Google Unspecified vulnerability in Google Android 10.0

An issue was discovered on LG Wing mobile devices with Android OS 10 software.

7.5
2021-02-04 CVE-2021-26687 Google Unspecified vulnerability in Google Android

An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, 9.0, and 10 software.

7.5
2021-02-04 CVE-2021-20016 Sonicwall SQL Injection vulnerability in Sonicwall products

A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information.

7.5
2021-02-04 CVE-2021-3401 Bitcoin Command Injection vulnerability in Bitcoin

Bitcoin Core before 0.19.0 might allow remote attackers to execute arbitrary code when another application unsafely passes the -platformpluginpath argument to the bitcoin-qt program, as demonstrated by an x-scheme-handler/bitcoin handler for a .desktop file or a web browser.

7.5
2021-02-03 CVE-2021-25770 Jetbrains Code Injection vulnerability in Jetbrains Youtrack

In JetBrains YouTrack before 2020.5.3123, server-side template injection (SSTI) was possible, which could lead to code execution.

7.5
2021-02-03 CVE-2021-25758 Jetbrains Deserialization of Untrusted Data vulnerability in Jetbrains Intellij Idea

In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to local code execution.

7.5
2021-02-03 CVE-2020-35481 Solarwinds Unspecified vulnerability in Solarwinds Serv-U 15.1.6/15.2.1

SolarWinds Serv-U before 15.2.2 allows Unauthenticated Macro Injection.

7.5
2021-02-03 CVE-2020-28895 Windriver Classic Buffer Overflow vulnerability in Windriver Vxworks

In Wind River VxWorks, memory allocator has a possible overflow in calculating the memory block's size to be allocated by calloc().

7.5
2021-02-03 CVE-2020-28653 Zohocorp Unspecified vulnerability in Zohocorp Manageengine Opmanager

Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.

7.5
2021-02-03 CVE-2020-2507 Qnap OS Command Injection vulnerability in Qnap Helpdesk

The vulnerability have been reported to affect earlier versions of QTS.

7.5
2021-02-03 CVE-2020-2506 Qnap Incorrect Authorization vulnerability in Qnap Helpdesk

The vulnerability have been reported to affect earlier versions of QTS.

7.5
2021-02-03 CVE-2020-29165 Rainbowfishsoftware Incorrect Authorization vulnerability in Rainbowfishsoftware Pacsone Server

PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by incorrect access control, which can result in remotely gaining administrator privileges.

7.5
2021-02-03 CVE-2020-28144 Moxa Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Moxa products

Certain Moxa Inc products are affected by an improper restriction of operations in EDR-G903 Series Firmware Version 5.5 or lower, EDR-G902 Series Firmware Version 5.5 or lower, and EDR-810 Series Firmware Version 5.6 or lower.

7.5
2021-02-02 CVE-2021-25912 Dotty Project Unspecified vulnerability in Dotty Project Dotty 0.0.1/0.0.2/0.1.0

Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0.1.0 allows attackers to cause a denial of service and may lead to remote code execution.

7.5
2021-02-02 CVE-2020-7775 Freediskspace Project OS Command Injection vulnerability in Freediskspace Project Freediskproject

This affects all versions of package freediskspace.

7.5
2021-02-02 CVE-2020-18568 Dlink Command Injection vulnerability in Dlink Dsr-1000N Firmware and Dsr-250 Firmware

The D-Link DSR-250 (3.14) DSR-1000N (2.11B201) UPnP service contains a command injection vulnerability, which can cause remote command execution.

7.5
2021-02-02 CVE-2020-25506 Dlink Command Injection vulnerability in Dlink Dns-320 Firmware 2.06B01

D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution.

7.5
2021-02-02 CVE-2020-28495 Totaljs Unspecified vulnerability in Totaljs Total.Js

This affects the package total.js before 3.4.7.

7.5
2021-02-02 CVE-2020-28494 Totaljs Command Injection vulnerability in Totaljs Total.Js

This affects the package total.js before 3.4.7.

7.5
2021-02-01 CVE-2021-3378 Fortilogger Unrestricted Upload of File with Dangerous Type vulnerability in Fortilogger

FortiLogger 4.4.2.2 is affected by Arbitrary File Upload by sending a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then visiting Assets/temp/hotspot/img/logohotspot.asp.

7.5
2021-02-01 CVE-2019-20468 TK Star Incorrect Default Permissions vulnerability in Tk-Star Q90 Junior GPS Horloge Firmware 3.1042.9.8656

An issue was discovered in SeTracker2 for TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices.

7.5
2021-02-01 CVE-2020-21180 Koa2 Blog Project SQL Injection vulnerability in Koa2-Blog Project Koa2-Blog 1.0.0

Sql injection vulnerability in koa2-blog 1.0.0 allows remote attackers to Injecting a malicious SQL statement via the name parameter to the signup page.

7.5
2021-02-01 CVE-2020-21179 Koa2 Blog Project SQL Injection vulnerability in Koa2-Blog Project Koa2-Blog 1.0.0

Sql injection vulnerability in koa2-blog 1.0.0 allows remote attackers to Injecting a malicious SQL statement via the name parameter to the signin page.

7.5
2021-02-01 CVE-2020-21176 Thinkjs SQL Injection vulnerability in Thinkjs 3.2.10

SQL injection vulnerability in the model.increment and model.decrement function in ThinkJS 3.2.10 allows remote attackers to execute arbitrary SQL commands via the step parameter.

7.5
2021-02-01 CVE-2020-20296 Cmswing SQL Injection vulnerability in Cmswing 1.3.8

An issue was found in CMSWing project version 1.3.8, Because the rechargeAction function does not check the balance parameter, malicious parameters can execute arbitrary SQL commands.

7.5
2021-02-01 CVE-2020-20295 Cmswing SQL Injection vulnerability in Cmswing 1.3.8

An issue was found in CMSWing project version 1.3.8.

7.5
2021-02-01 CVE-2020-20294 Cmswing SQL Injection vulnerability in Cmswing 1.3.8

An issue was found in CMSWing project version 1.3.8.

7.5
2021-02-01 CVE-2020-20289 Yccms SQL Injection vulnerability in Yccms 3.3

Sql injection vulnerability in the yccms 3.3 project.

7.5
2021-02-01 CVE-2020-20287 Yccms Unrestricted Upload of File with Dangerous Type vulnerability in Yccms 3.3

Unrestricted file upload vulnerability in the yccms 3.3 project.

7.5
2021-02-01 CVE-2020-28426 Kill Process ON Port Project Command Injection vulnerability in Kill-Process-On-Port Project Kill-Process-On-Port

All versions of package kill-process-on-port are vulnerable to Command Injection via a.getProcessPortId.

7.5
2021-02-01 CVE-2021-23330 Bitovi Command Injection vulnerability in Bitovi Launchpad

All versions of package launchpad are vulnerable to Command Injection via stop.

7.5
2021-02-01 CVE-2020-36109 Asus Classic Buffer Overflow vulnerability in Asus Rt-Ax86U Firmware

ASUS RT-AX86U router firmware below version under 9.0.0.4_386 has a buffer overflow in the blocking_request.cgi function of the httpd module that can cause code execution when an attacker constructs malicious data.

7.5
2021-02-01 CVE-2020-28194 Accel PPP Integer Underflow (Wrap or Wraparound) vulnerability in Accel-Ppp 1.12.092G38B6104

Variable underflow exists in accel-ppp radius/packet.c when receiving a RADIUS vendor-specific attribute with length field is less than 2.

7.5
2021-02-01 CVE-2020-13858 Mofinetwork Use of Hard-coded Credentials vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 3.6.1Std/4.0.8Std

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices.

7.5
2021-02-04 CVE-2021-25249 Trendmicro Out-of-bounds Write vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security

An out-of-bounds write information disclosure vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security (10.0 SP1 and Services) could allow a local attacker to escalate privileges on affected installations.

7.2
2021-02-04 CVE-2021-0349 Google Use After Free vulnerability in Google Android 10.0/11.0/9.0

In display driver, there is a possible memory corruption due to a use after free.

7.2
2021-02-04 CVE-2021-0348 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/9.0

In vpu, there is a possible out of bounds write due to a missing bounds check.

7.2
2021-02-04 CVE-2021-0346 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0

In vpu, there is a possible out of bounds write due to an incorrect bounds check.

7.2
2021-02-04 CVE-2021-0345 Google Improper Privilege Management vulnerability in Google Android 10.0/11.0

In mobile_log_d, there is a possible escalation of privilege due to improper input validation.

7.2
2021-02-04 CVE-2021-0344 Google Unspecified vulnerability in Google Android 10.0/11.0

In mtkpower, there is a possible memory corruption due to a missing bounds check.

7.2
2021-02-04 CVE-2021-0343 Google Out-of-bounds Write vulnerability in Google Android 11.0

In kisd, there is a possible out of bounds write due to a missing bounds check.

7.2
2021-02-04 CVE-2021-1370 Cisco OS Command Injection vulnerability in Cisco IOS XR

A vulnerability in a CLI command of Cisco IOS XR Software for the Cisco 8000 Series Routers and Network Convergence System 540 Series Routers running NCS540L software images could allow an authenticated, local attacker to elevate their privilege to root.

7.2
2021-02-02 CVE-2020-25035 Ucopia Unspecified vulnerability in Ucopia Express Wireless Appliance

UCOPIA Wi-Fi appliances 6.0.5 allow arbitrary code execution with root privileges using chroothole_client's PHP call, a related issue to CVE-2017-11322.

7.2
2021-02-02 CVE-2020-25037 Ucopia Unrestricted Upload of File with Dangerous Type vulnerability in Ucopia Wireless Appliance

UCOPIA Wi-Fi appliances 6.0.5 allow arbitrary code execution with admin user privileges via an escape from a restricted command.

7.2
2021-02-01 CVE-2019-20471 TK Star Use of Hard-coded Credentials vulnerability in Tk-Star Q90 Junior GPS Horloge Firmware 3.1042.9.8656

An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices.

7.2

174 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-02-05 CVE-2021-26708 Linux Improper Privilege Management vulnerability in Linux Kernel

A local privilege escalation was discovered in the Linux kernel before 5.10.13.

6.9
2021-02-05 CVE-2020-10234 Iobit Unspecified vulnerability in Iobit Advanced Systemcare 13.2

The AscRegistryFilter.sys kernel driver in IObit Advanced SystemCare 13.2 allows an unprivileged user to send an IOCTL to the device driver.

6.8
2021-02-05 CVE-2021-3311 Octobercms Insufficient Session Expiration vulnerability in Octobercms October

An issue was discovered in October through build 471.

6.8
2021-02-05 CVE-2021-20652 Name Directory Project Cross-Site Request Forgery (CSRF) vulnerability in Name Directory Project Name Directory

Cross-site request forgery (CSRF) vulnerability in Name Directory 1.17.4 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

6.8
2021-02-04 CVE-2021-1266 Cisco Resource Exhaustion vulnerability in Cisco Managed Services Accelerator 3.7.0

A vulnerability in the REST API of Cisco Managed Services Accelerator (MSX) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

6.8
2021-02-04 CVE-2020-27249 Softmaker Out-of-bounds Write vulnerability in Softmaker Planmaker 2021 1014

A specially crafted document can cause the document parser to copy data from a particular record type into a static-sized buffer within an object that is smaller than the size used for the copy, which will cause a heap-based buffer overflow.

6.8
2021-02-04 CVE-2020-27248 Softmaker Out-of-bounds Write vulnerability in Softmaker Planmaker 2021 1014

A specially crafted document can cause the document parser to copy data from a particular record type into a static-sized buffer within an object that is smaller than the size used for the copy, which will cause a heap-based buffer overflow.

6.8
2021-02-04 CVE-2020-27247 Softmaker Out-of-bounds Write vulnerability in Softmaker Planmaker 2021 1014

A specially crafted document can cause the document parser to copy data from a particular record type into a static-sized buffer within an object that is smaller than the size used for the copy, which will cause a heap-based buffer overflow.

6.8
2021-02-04 CVE-2020-13586 Softmaker Out-of-bounds Write vulnerability in Softmaker Planmaker 2021 1014

A memory corruption vulnerability exists in the Excel Document SST Record 0x00fc functionality of SoftMaker Software GmbH SoftMaker Office PlanMaker 2021 (Revision 1014).

6.8
2021-02-04 CVE-2020-13580 Softmaker Out-of-bounds Write vulnerability in Softmaker Planmaker 2021 1014

An exploitable heap-based buffer overflow vulnerability exists in the PlanMaker document parsing functionality of SoftMaker Office 2021’s PlanMaker application.

6.8
2021-02-04 CVE-2020-13579 Softmaker Integer Overflow or Wraparound vulnerability in Softmaker Planmaker 2021 1014

An exploitable integer overflow vulnerability exists in the PlanMaker document parsing functionality of SoftMaker Office 2021’s PlanMaker application.

6.8
2021-02-03 CVE-2020-25856 Realtek Out-of-bounds Write vulnerability in Realtek Rtl8195A Firmware

The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service.

6.8
2021-02-03 CVE-2020-25855 Realtek Out-of-bounds Write vulnerability in Realtek Rtl8195A Firmware

The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service.

6.8
2021-02-03 CVE-2020-25854 Realtek Out-of-bounds Write vulnerability in Realtek Rtl8195A Firmware

The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, rt_arc4_crypt_veneer() or _AES_UnWRAP_veneer(), resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service.

6.8
2021-02-03 CVE-2021-25765 Jetbrains Cross-Site Request Forgery (CSRF) vulnerability in Jetbrains Youtrack

In JetBrains YouTrack before 2020.4.4701, CSRF via attachment upload was possible.

6.8
2021-02-02 CVE-2020-1910 Whatsapp Out-of-bounds Write vulnerability in Whatsapp

A missing bounds check in WhatsApp for Android prior to v2.21.1.13 and WhatsApp Business for Android prior to v2.21.1.13 could have allowed out-of-bounds read and write if a user applied specific image filters to a specially crafted image and sent the resulting image.

6.8
2021-02-02 CVE-2020-1896 Facebook Out-of-bounds Write vulnerability in Facebook Hermes

A stack overflow vulnerability in Facebook Hermes 'builtin apply' prior to commit 86543ac47e59c522976b5632b8bf9a2a4583c7d2 (https://github.com/facebook/hermes/commit/86543ac47e59c522976b5632b8bf9a2a4583c7d2) allows attackers to potentially execute arbitrary code via crafted JavaScript.

6.8
2021-02-01 CVE-2020-24271 Easycms Cross-Site Request Forgery (CSRF) vulnerability in Easycms 1.6

A CSRF vulnerability was discovered in EasyCMS v1.6 that can add an admin account through index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent, then post username=***&password=***.

6.8
2021-02-05 CVE-2020-35765 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Applications Manager

doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do.

6.5
2021-02-03 CVE-2020-29163 Rainbowfishsoftware SQL Injection vulnerability in Rainbowfishsoftware Pacsone Server

PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by SQL injection.

6.5
2021-02-01 CVE-2021-21286 Wwbn Incorrect Authorization vulnerability in Wwbn Avideo 10.1/8.9

AVideo Platform is an open-source Audio and Video platform.

6.5
2021-02-01 CVE-2021-21277 Peerigon Injection vulnerability in Peerigon Angular-Expressions

angular-expressions is "angular's nicest part extracted as a standalone module for the browser and node".

6.5
2021-02-07 CVE-2020-36242 Cryptography Project
Fedoraproject
Classic Buffer Overflow vulnerability in multiple products

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

6.4
2021-02-04 CVE-2021-25246 Trendmicro Incorrect Authorization vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security

An improper access control information disclosure vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG SP1, and Worry-Free Business Security could allow an unauthenticated user to create a bogus agent on an affected server that could be used then make valid configuration queries.

6.4
2021-02-04 CVE-2021-1389 Cisco Improper Access Control vulnerability in Cisco IOS XR

A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device.

6.4
2021-02-04 CVE-2020-4828 IBM Improper Input Validation vulnerability in IBM API Connect

IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to web cache poisoning, caused by improper input validation by modifying HTTP request headers.

6.4
2021-02-04 CVE-2020-14247 Hcltechsw Insufficient Session Expiration vulnerability in Hcltechsw Onetest Performance 10.0.0/10.1.0/9.5.0

HCL OneTest Performance V9.5, V10.0, V10.1 contains an inadequate session timeout, which could allow an attacker time to guess and use a valid session ID.

6.4
2021-02-02 CVE-2020-15097 Loklak Project Path Traversal vulnerability in Loklak Project Loklak 1.0/20200122

loklak is an open-source server application which is able to collect messages from various sources, including twitter.

6.4
2021-02-01 CVE-2020-20290 Yccms Path Traversal vulnerability in Yccms 3.3

Directory traversal vulnerability in the yccms 3.3 project.

6.4
2021-02-01 CVE-2021-21276 Polrproject Incorrect Authorization vulnerability in Polrproject Polr

Polr is an open source URL shortener.

6.4
2021-02-02 CVE-2021-23271 Tibco Cross-site Scripting vulnerability in Tibco EBX

The TIBCO EBX Web Server component of TIBCO Software Inc.'s TIBCO EBX contains a vulnerability that theoretically allows a low privileged attacker with network access to execute a Stored Cross Site Scripting (XSS) attack on the affected system.

6.0
2021-02-04 CVE-2020-27872 Netgear Exposure of Resource to Wrong Sphere vulnerability in Netgear products

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7450 1.2.0.62_1.0.1 routers.

5.8
2021-02-03 CVE-2021-25757 Jetbrains Open Redirect vulnerability in Jetbrains HUB

In JetBrains Hub before 2020.1.12629, an open redirect was possible.

5.8
2021-02-02 CVE-2021-21291 Oauth2 Proxy Project Open Redirect vulnerability in Oauth2 Proxy Project Oauth2 Proxy

OAuth2 Proxy is an open-source reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group.

5.8
2021-02-02 CVE-2019-25017 MIT Unspecified vulnerability in MIT Krb5-Appl

An issue was discovered in rcp in MIT krb5-appl through 1.0.3.

5.8
2021-02-05 CVE-2020-10552 Psyprax Incorrect Permission Assignment for Critical Resource vulnerability in Psyprax

An issue was discovered in Psyprax before 3.2.2.

5.5
2021-02-03 CVE-2021-25775 Jetbrains Incorrect Permission Assignment for Critical Resource vulnerability in Jetbrains Teamcity

In JetBrains TeamCity before 2020.2.1, the server admin could create and see access tokens for any other users.

5.5
2021-02-07 CVE-2021-26843 Sthttpd Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Sthttpd Project Sthttpd 2.27.1

An issue was discovered in sthttpd through 2.27.1.

5.0
2021-02-06 CVE-2021-22293 Huawei HTTP Request Smuggling vulnerability in Huawei Campusinsight, Manageone and Taurus-Al00A Firmware

Some Huawei products have an inconsistent interpretation of HTTP requests vulnerability.

5.0
2021-02-05 CVE-2020-10858 Zulip Incorrect Permission Assignment for Critical Resource vulnerability in Zulip Desktop

Zulip Desktop before 5.0.0 allows attackers to perform recording via the webcam and microphone due to a missing permission request handler.

5.0
2021-02-05 CVE-2020-10554 Psyprax Use of a Broken or Risky Cryptographic Algorithm vulnerability in Psyprax

An issue was discovered in Psyprax beforee 3.2.2.

5.0
2021-02-05 CVE-2021-3382 Gitea Out-of-bounds Write vulnerability in Gitea

Stack buffer overflow vulnerability in gitea 1.9.0 through 1.13.1 allows remote attackers to cause a denial of service (crash) via vectors related to a file path.

5.0
2021-02-05 CVE-2021-26711 Redwood Externally Controlled Reference to a Resource in Another Sphere vulnerability in Redwood Report2Web 4.3.4.5

A frame-injection issue in the online help in Redwood Report2Web 4.3.4.5 allows remote attackers to render an external resource inside a frame via the help/Online_Help/NetHelp/default.htm turl parameter.

5.0
2021-02-05 CVE-2020-8807 Electriccoin Unspecified vulnerability in Electriccoin Zcashd

In Electric Coin Company Zcashd before 2.1.1-1, the time offset between messages could be leveraged to obtain sensitive information about the relationship between a suspected victim's address and an IP address, aka a timing side channel.

5.0
2021-02-05 CVE-2020-8806 Electriccoin Incorrect Authorization vulnerability in Electriccoin Zcashd

Electric Coin Company Zcashd before 2.1.1-1 allows attackers to trigger consensus failure and double spending.

5.0
2021-02-04 CVE-2021-25245 Trendmicro Incorrect Authorization vulnerability in Trendmicro Worry-Free Business Security 10.0

An improper access control vulnerability in Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain various pieces of settings informaiton.

5.0
2021-02-04 CVE-2021-25244 Trendmicro Incorrect Authorization vulnerability in Trendmicro Worry-Free Business Security 10.0

An improper access control vulnerability in Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain various pieces of configuration informaiton.

5.0
2021-02-04 CVE-2021-25243 Trendmicro Information Exposure vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain patch level information.

5.0
2021-02-04 CVE-2021-25242 Trendmicro Information Exposure vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain version and build information.

5.0
2021-02-04 CVE-2021-25241 Trendmicro Server-Side Request Forgery (SSRF) vulnerability in Trendmicro Apex ONE and Worry-Free Business Security

A server-side request forgery (SSRF) information disclosure vulnerability in Trend Micro Apex One and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to locate online agents via a sweep.

5.0
2021-02-04 CVE-2021-25240 Trendmicro Information Exposure vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain x64 agent hofitx information.

5.0
2021-02-04 CVE-2021-25239 Trendmicro Information Exposure vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security

An improper access control vulnerability in Trend Micro Apex One (on-prem), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about x86 agent hotfixes.

5.0
2021-02-04 CVE-2021-25238 Trendmicro Information Exposure vulnerability in Trendmicro Officescan and Worry-Free Business Security

An improper access control information disclosure vulnerability in Trend Micro OfficeScan XG SP1 and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about an agent's managing port.

5.0
2021-02-04 CVE-2021-25237 Trendmicro Information Exposure vulnerability in Trendmicro Apex ONE 2019

An improper access control vulnerability in Trend Micro Apex One (on-prem) could allow an unauthenticated user to obtain information about the managing port used by agents.

5.0
2021-02-04 CVE-2021-25236 Trendmicro Server-Side Request Forgery (SSRF) vulnerability in Trendmicro Officescan and Worry-Free Business Security

A server-side request forgery (SSRF) information disclosure vulnerability in Trend Micro OfficeScan XG SP1 and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to locate online agents via a specific sweep.

5.0
2021-02-04 CVE-2021-25235 Trendmicro Information Exposure vulnerability in Trendmicro Apex ONE and Officescan

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could allow an unauthenticated user to obtain information about a content inspection configuration file.

5.0
2021-02-04 CVE-2021-25234 Trendmicro Information Exposure vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about a specific notification configuration file.

5.0
2021-02-04 CVE-2021-25233 Trendmicro Information Exposure vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about a specific configuration download file.

5.0
2021-02-04 CVE-2021-25232 Trendmicro Information Exposure vulnerability in Trendmicro Apex ONE and Officescan

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could allow an unauthenticated user to obtain information about the SQL database.

5.0
2021-02-04 CVE-2021-25231 Trendmicro Information Exposure vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about a specific hotfix history file.

5.0
2021-02-04 CVE-2021-25230 Trendmicro Information Exposure vulnerability in Trendmicro Apex ONE and Officescan

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could allow an unauthenticated user to obtain information about the contents of a scan connection exception file.

5.0
2021-02-04 CVE-2021-25229 Trendmicro Incorrect Authorization vulnerability in Trendmicro Apex ONE and Officescan

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could allow an unauthenticated user to obtain information about the database server.

5.0
2021-02-04 CVE-2021-25228 Trendmicro Incorrect Authorization vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about hotfix history.

5.0
2021-02-04 CVE-2021-1243 Cisco Improper Access Control vulnerability in Cisco IOS XR

A vulnerability in the Local Packet Transport Services (LPTS) programming of the SNMP with the management plane protection feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to allow connections despite the management plane protection that is configured to deny access to the SNMP server of an affected device.

5.0
2021-02-04 CVE-2020-16194 Store Opart Improper Input Validation vulnerability in Store-Opart Quote

An Insecure Direct Object Reference (IDOR) vulnerability was found in Prestashop Opart devis < 4.0.2.

5.0
2021-02-04 CVE-2020-6088 Rockwellautomation Classic Buffer Overflow vulnerability in Rockwellautomation Flex IO 1794-Aent/B Firmware 4.003

An exploitable denial of service vulnerability exists in the ENIP Request Path Network Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003.

5.0
2021-02-04 CVE-2020-14246 Hcltechsw Insufficiently Protected Credentials vulnerability in Hcltechsw Onetest Performance 10.0.0/10.1.0/9.5.0

HCL OneTest Performance V9.5, V10.0, V10.1 uses basic authentication which is relatively weak.

5.0
2021-02-03 CVE-2021-26024 Nagios Unspecified vulnerability in Nagios Favorites

The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to Insecure Direct Object Reference: it is possible to create favorites for any other user account.

5.0
2021-02-03 CVE-2020-25857 Realtek Out-of-bounds Write vulnerability in Realtek Rtl8195A Firmware

The function ClientEAPOLKeyRecvd() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for denial of service.

5.0
2021-02-03 CVE-2020-25853 Realtek Out-of-bounds Read vulnerability in Realtek Rtl8195A Firmware

The function CheckMic() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, _rt_md5_hmac_veneer() or _rt_hmac_sha1_veneer(), resulting in a stack buffer over-read which can be exploited for denial of service.

5.0
2021-02-03 CVE-2021-25778 Jetbrains Incorrect Permission Assignment for Critical Resource vulnerability in Jetbrains Teamcity

In JetBrains TeamCity before 2020.2.1, permissions during user deletion were checked improperly.

5.0
2021-02-03 CVE-2021-25777 Jetbrains Incorrect Authorization vulnerability in Jetbrains Teamcity

In JetBrains TeamCity before 2020.2.1, permissions during token removal were checked improperly.

5.0
2021-02-03 CVE-2021-25776 Jetbrains Insecure Storage of Sensitive Information vulnerability in Jetbrains Teamcity

In JetBrains TeamCity before 2020.2, an ECR token could be exposed in a build's parameters.

5.0
2021-02-03 CVE-2021-25772 Jetbrains Unspecified vulnerability in Jetbrains Teamcity

In JetBrains TeamCity before 2020.2.2, TeamCity server DoS was possible via server integration.

5.0
2021-02-03 CVE-2021-25771 Jetbrains Information Exposure vulnerability in Jetbrains Youtrack

In JetBrains YouTrack before 2020.6.1099, project information could be potentially disclosed.

5.0
2021-02-03 CVE-2021-25769 Jetbrains Unspecified vulnerability in Jetbrains Youtrack

In JetBrains YouTrack before 2020.4.6808, the YouTrack administrator wasn't able to access attachments.

5.0
2021-02-03 CVE-2021-25768 Jetbrains Incorrect Permission Assignment for Critical Resource vulnerability in Jetbrains Youtrack

In JetBrains YouTrack before 2020.4.4701, permissions for attachments actions were checked improperly.

5.0
2021-02-03 CVE-2021-25767 Jetbrains Information Exposure vulnerability in Jetbrains Youtrack

In JetBrains YouTrack before 2020.6.1767, an issue's existence could be disclosed via YouTrack command execution.

5.0
2021-02-03 CVE-2021-25766 Jetbrains Unspecified vulnerability in Jetbrains Youtrack

In JetBrains YouTrack before 2020.4.4701, improper resource access checks were made.

5.0
2021-02-03 CVE-2021-25763 Jetbrains Use of a Broken or Risky Cryptographic Algorithm vulnerability in Jetbrains Ktor

In JetBrains Ktor before 1.4.2, weak cipher suites were enabled by default.

5.0
2021-02-03 CVE-2021-25762 Jetbrains HTTP Request Smuggling vulnerability in Jetbrains Ktor

In JetBrains Ktor before 1.4.3, HTTP Request Smuggling was possible.

5.0
2021-02-03 CVE-2021-25761 Jetbrains Use of a Broken or Risky Cryptographic Algorithm vulnerability in Jetbrains Ktor

In JetBrains Ktor before 1.5.0, a birthday attack on SessionStorage key was possible.

5.0
2021-02-03 CVE-2021-25760 Jetbrains Information Exposure vulnerability in Jetbrains HUB

In JetBrains Hub before 2020.1.12669, information disclosure via the public API was possible.

5.0
2021-02-03 CVE-2021-25756 Jetbrains Unspecified vulnerability in Jetbrains Intellij Idea

In JetBrains IntelliJ IDEA before 2020.2, HTTP links were used for several remote repositories instead of HTTPS.

5.0
2021-02-03 CVE-2020-35667 Jetbrains Server-Side Request Forgery (SSRF) vulnerability in Jetbrains Teamcity

JetBrains TeamCity Plugin before 2020.2.85695 SSRF.

5.0
2021-02-03 CVE-2020-29582 Jetbrains Incorrect Default Permissions vulnerability in Jetbrains Kotlin

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation.

5.0
2021-02-03 CVE-2020-27222 Eclipse Unspecified vulnerability in Eclipse Californium

In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state.

5.0
2021-02-03 CVE-2020-25208 Jetbrains Incorrect Default Permissions vulnerability in Jetbrains Youtrack

In JetBrains YouTrack before 2020.4.4701, an attacker could enumerate users via the REST API without appropriate permissions.

5.0
2021-02-03 CVE-2020-29166 Rainbowfishsoftware Server-Side Request Forgery (SSRF) vulnerability in Rainbowfishsoftware Pacsone Server

PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by file read/manipulation, which can result in remote information disclosure.

5.0
2021-02-02 CVE-2021-21294 Typelevel Resource Exhaustion vulnerability in Typelevel Http4S

Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services.

5.0
2021-02-02 CVE-2021-21293 Typelevel Resource Exhaustion vulnerability in Typelevel Blaze

blaze is a Scala library for building asynchronous pipelines, with a focus on network IO.

5.0
2021-02-02 CVE-2020-29662 Linuxfoundation Cleartext Transmission of Sensitive Information vulnerability in Linuxfoundation Harbor

In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog’s registry API is exposed on an unauthenticated path.

5.0
2021-02-02 CVE-2020-14255 Hcltech Information Exposure vulnerability in Hcltech Digital Experience 9.5

HCL Digital Experience 9.5 containers include vulnerabilities that could expose sensitive data to unauthorized parties via crafted requests.

5.0
2021-02-02 CVE-2019-25018 MIT Incorrect Authorization vulnerability in MIT Krb5-Appl

In the rcp client in MIT krb5-appl through 1.0.3, malicious servers could bypass intended access restrictions via the filename of .

5.0
2021-02-02 CVE-2021-3281 Djangoproject
Fedoraproject
Netapp
Path Traversal vulnerability in multiple products

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.

5.0
2021-02-02 CVE-2020-24335 UIP Project Out-of-bounds Read vulnerability in UIP Project UIP

An issue was discovered in uIP through 1.0, as used in Contiki and Contiki-NG.

5.0
2021-02-01 CVE-2019-20470 TK Star Insufficiently Protected Credentials vulnerability in Tk-Star Q90 Junior GPS Horloge Firmware 3.1042.9.8656

An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices.

5.0
2021-02-01 CVE-2020-28493 Palletsprojects
Fedoraproject
This affects the package jinja2 from 0.0.0 and before 2.11.3.
5.0
2021-02-01 CVE-2021-3283 Hashicorp Unspecified vulnerability in Hashicorp Nomad

HashiCorp Nomad and Nomad Enterprise up to 0.12.9 exec and java task drivers can access processes associated with other tasks on the same node.

5.0
2021-02-01 CVE-2021-3282 Hashicorp Improper Authentication vulnerability in Hashicorp Vault 1.6.0/1.6.1

HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication.

5.0
2021-02-01 CVE-2021-3024 Hashicorp Unspecified vulnerability in Hashicorp Vault

HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests.

5.0
2021-02-01 CVE-2020-25594 Hashicorp Unspecified vulnerability in Hashicorp Vault

HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests.

5.0
2021-02-01 CVE-2020-26547 Monal Insufficient Verification of Data Authenticity vulnerability in Monal

Monal before 4.9 does not implement proper sender verification on MAM and Message Carbon (XEP-0280) results.

5.0
2021-02-01 CVE-2020-15834 Mofinetwork Information Exposure vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 4.1.5Std

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices.

5.0
2021-02-01 CVE-2020-13860 Mofinetwork Use of Insufficiently Random Values vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 4.0.8Std

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices.

5.0
2021-02-01 CVE-2020-13859 Mofinetwork Insufficiently Protected Credentials vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 4.0.8Std

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices.

5.0
2021-02-01 CVE-2020-13856 Mofinetwork Insufficiently Protected Credentials vulnerability in Mofinetwork Mofi4500-4Gxelte Firmware 4.0.8Std

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices.

5.0
2021-02-04 CVE-2021-0350 Google Improper Input Validation vulnerability in Google Android

In ged, there is a possible system crash due to an improper input validation.

4.9
2021-02-06 CVE-2021-22299 Huawei Improper Privilege Management vulnerability in Huawei products

There is a local privilege escalation vulnerability in some Huawei products.

4.6
2021-02-06 CVE-2020-9118 Huawei Improper Validation of Integrity Check Value vulnerability in Huawei Ais-Bw80H-00 Firmware

There is an insufficient integrity check vulnerability in Huawei Sound X Product.

4.6
2021-02-06 CVE-2021-22301 Huawei Classic Buffer Overflow vulnerability in Huawei Mate 30 Firmware 10.0.0.203(C00E201R7P2)

Mate 30 10.0.0.203(C00E201R7P2) have a buffer overflow vulnerability.

4.6
2021-02-05 CVE-2020-12122 Maxpcsecure Unspecified vulnerability in Maxpcsecure MAX Spyware Detector 1.0.0.044

In Max Secure Max Spyware Detector 1.0.0.044, the driver file (MaxProc64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x2200019.

4.6
2021-02-05 CVE-2020-18750 Flowpaper Classic Buffer Overflow vulnerability in Flowpaper Pdf2Json 0.69

Buffer overflow in pdf2json 0.69 allows local users to execute arbitrary code by converting a crafted PDF file.

4.6
2021-02-05 CVE-2020-10537 Epikur Missing Authentication for Critical Function vulnerability in Epikur 20.1.0.1

An issue was discovered in Epikur before 20.1.1.

4.6
2021-02-04 CVE-2021-1244 Cisco Improper Verification of Cryptographic Signature vulnerability in Cisco IOS XR

Multiple vulnerabilities in Cisco Network Convergence System (NCS) 540 Series Routers, only when running Cisco IOS XR NCS540L software images, and Cisco IOS XR Software for the Cisco 8000 Series Routers could allow an authenticated, local attacker to execute unsigned code during the boot process on an affected device.

4.6
2021-02-04 CVE-2021-1136 Cisco Improper Verification of Cryptographic Signature vulnerability in Cisco IOS XR

Multiple vulnerabilities in Cisco Network Convergence System (NCS) 540 Series Routers, only when running Cisco IOS XR NCS540L software images, and Cisco IOS XR Software for the Cisco 8000 Series Routers could allow an authenticated, local attacker to execute unsigned code during the boot process on an affected device.

4.6
2021-02-03 CVE-2021-0365 Google Use After Free vulnerability in Google Android 10.0/11.0

In display driver, there is a possible memory corruption due to a use after free.

4.6
2021-02-03 CVE-2021-0364 Google Command Injection vulnerability in Google Android 10.0/11.0

In mobile_log_d, there is a possible command injection due to improper input validation.

4.6
2021-02-03 CVE-2021-0363 Google Command Injection vulnerability in Google Android 10.0/11.0

In mobile_log_d, there is a possible command injection due to a missing bounds check.

4.6
2021-02-03 CVE-2021-0362 Google Out-of-bounds Write vulnerability in Google Android 11.0

In aee, there is a possible memory corruption due to a stack buffer overflow.

4.6
2021-02-03 CVE-2021-0361 Google Out-of-bounds Read vulnerability in Google Android 11.0

In kisd, there is a possible out of bounds read due to improper input validation.

4.6
2021-02-03 CVE-2021-0360 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0

In netdiag, there is a possible out of bounds write due to an incorrect bounds check.

4.6
2021-02-03 CVE-2021-0359 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0

In netdiag, there is a possible out of bounds write due to a missing bounds check.

4.6
2021-02-03 CVE-2021-0358 Google Command Injection vulnerability in Google Android 10.0/11.0

In netdiag, there is a possible command injection due to improper input validation.

4.6
2021-02-03 CVE-2021-0357 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0

In netdiag, there is a possible out of bounds write due to a missing bounds check.

4.6
2021-02-03 CVE-2021-0356 Google Command Injection vulnerability in Google Android 10.0/11.0

In netdiag, there is a possible command injection due to improper input validation.

4.6
2021-02-03 CVE-2021-0355 Google Integer Overflow or Wraparound vulnerability in Google Android 11.0

In kisd, there is a possible out of bounds write due to an integer overflow.

4.6
2021-02-03 CVE-2021-0354 Google Integer Overflow or Wraparound vulnerability in Google Android

In ged, there is a possible out of bounds write due to an integer overflow.

4.6
2021-02-03 CVE-2021-0353 Google Out-of-bounds Write vulnerability in Google Android 11.0

In kisd, there is a possible memory corruption due to a heap buffer overflow.

4.6
2021-02-03 CVE-2020-35152 Cloudflare Unquoted Search Path or Element vulnerability in Cloudflare Warp

Cloudflare WARP for Windows allows privilege escalation due to an unquoted service path.

4.6
2021-02-02 CVE-2020-8672 Intel Out-of-bounds Read vulnerability in Intel Bios

Out of bound read in BIOS firmware for 8th, 9th Generation Intel(R) Core(TM), Intel(R) Celeron(R) Processor 4000 Series Processors may allow an unauthenticated user to potentially enable elevation of privilege or denial of service via local access.

4.6
2021-02-02 CVE-2020-8734 Intel Improper Input Validation vulnerability in Intel M10Jnp2Sb Firmware

Improper input validation in the firmware for Intel(R) Server Board M10JNP2SB before version 7.210 may allow a privileged user to potentially enable escalation of privilege via local access.

4.6
2021-02-01 CVE-2019-20473 TK Star Unspecified vulnerability in Tk-Star Q90 Junior GPS Horloge Firmware 3.1042.9.8656

An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices.

4.6
2021-02-01 CVE-2021-3348 Linux Use After Free vulnerability in Linux Kernel

nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71.

4.4
2021-02-06 CVE-2021-26723 Jenzabar Cross-site Scripting vulnerability in Jenzabar 9.2.0/9.2.1/9.2.2

Jenzabar 9.2.x through 9.2.2 allows /ics?tool=search&query= XSS.

4.3
2021-02-06 CVE-2021-22500 Microfocus Cross-Site Request Forgery (CSRF) vulnerability in Microfocus Application Performance Management 9.40/9.50/9.51

Cross Site Request Forgery vulnerability in Micro Focus Application Performance Management product, affecting versions 9.40, 9.50 and 9.51.

4.3
2021-02-06 CVE-2021-22303 Huawei Double Free vulnerability in Huawei Taurus-Al00A Firmware 10.0.0.1(C00E1R1P1)

There is a pointer double free vulnerability in Taurus-AL00A 10.0.0.1(C00E1R1P1).

4.3
2021-02-06 CVE-2021-20176 Imagemagick
Debian
Divide By Zero vulnerability in multiple products

A divide-by-zero flaw was found in ImageMagick 6.9.11-57 and 7.0.10-57 in gem.c.

4.3
2021-02-06 CVE-2020-5812 Tenable Improper Certificate Validation vulnerability in Tenable Nessus Amazon Machine Image

Nessus AMI versions 8.12.0 and earlier were found to either not validate, or incorrectly validate, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack.

4.3
2021-02-06 CVE-2020-14312 Fedoraproject Improper Access Control vulnerability in Fedoraproject Fedora

A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet.

4.3
2021-02-05 CVE-2021-26722 Linkedin Cross-site Scripting vulnerability in Linkedin Oncall

LinkedIn Oncall through 1.4.0 allows reflected XSS via /query because of mishandling of the "No results found for" message in the search bar.

4.3
2021-02-05 CVE-2020-18737 Typora Cross-site Scripting vulnerability in Typora 0.9.67

An issue was discovered in Typora 0.9.67.

4.3
2021-02-05 CVE-2021-3333 Opmantek Cross-site Scripting vulnerability in Opmantek Open-Audit 4.0.1

Opmantek Open-AudIT 4.0.1 is affected by cross-site scripting (XSS).

4.3
2021-02-05 CVE-2021-26710 Redwood Cross-site Scripting vulnerability in Redwood Report2Web 4.3.4.5/4.5.3

A cross-site scripting (XSS) issue in the login panel in Redwood Report2Web 4.3.4.5 and 4.5.3 allows remote attackers to inject JavaScript via the signIn.do urll parameter.

4.3
2021-02-04 CVE-2020-4827 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM API Connect

IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

4.3
2021-02-04 CVE-2020-4826 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM API Connect

IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

4.3
2021-02-03 CVE-2021-26023 Nagios Cross-site Scripting vulnerability in Nagios Favorites

The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to XSS.

4.3
2021-02-03 CVE-2020-9389 Squaredup Information Exposure Through Discrepancy vulnerability in Squaredup

A username enumeration issue was discovered in SquaredUp before version 4.6.0.

4.3
2021-02-03 CVE-2020-9388 Squaredup Cross-Site Request Forgery (CSRF) vulnerability in Squaredup

CSRF protection was not present in SquaredUp before version 4.6.0.

4.3
2021-02-03 CVE-2020-17516 Apache Authentication Bypass by Spoofing vulnerability in Apache Cassandra

Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections.

4.3
2021-02-03 CVE-2021-25773 Jetbrains Cross-site Scripting vulnerability in Jetbrains Teamcity

JetBrains TeamCity before 2020.2 was vulnerable to reflected XSS on several pages.

4.3
2021-02-03 CVE-2020-29164 Rainbowfishsoftware Cross-site Scripting vulnerability in Rainbowfishsoftware Pacsone Server

PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by cross-site scripting (XSS).

4.3
2021-02-02 CVE-2021-21043 Adobe Out-of-bounds Write vulnerability in Adobe Consulting Services Commons

ACS Commons version 4.9.2 (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in version-compare and page-compare due to invalid JCR characters that are not handled correctly.

4.3
2021-02-02 CVE-2020-4081 Hcltech Cross-site Scripting vulnerability in Hcltech Digital Experience 8.5/9.0/9.5

In Digital Experience 8.5, 9.0, and 9.5, WSRP consumer is vulnerable to cross-site scripting (XSS).

4.3
2021-02-02 CVE-2021-20199 Podman Project Origin Validation Error vulnerability in Podman Project Podman

Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts).

4.3
2021-02-02 CVE-2020-28498 Elliptic Project Use of a Broken or Risky Cryptographic Algorithm vulnerability in Elliptic Project Elliptic

The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js.

4.3
2021-02-02 CVE-2021-21285 Docker
Debian
Netapp
Resource Exhaustion vulnerability in multiple products

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon.

4.3
2021-02-01 CVE-2021-3340 Wikindx Project Cross-site Scripting vulnerability in Wikindx Project Wikindx

A cross-site scripting (XSS) vulnerability in many forms of Wikindx before 5.7.0 and 6.x through 6.4.0 allows remote attackers to inject arbitrary web script or HTML via the message parameter to index.php?action=initLogon or modules/admin/DELETEIMAGES.php.

4.3
2021-02-01 CVE-2020-13564 Phpgacl Project
Open EMR
Cross-site Scripting vulnerability in multiple products

A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7.

4.3
2021-02-01 CVE-2020-13563 Phpgacl Project
Open EMR
Cross-site Scripting vulnerability in multiple products

A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7.

4.3
2021-02-01 CVE-2020-13562 Phpgacl Project
Open EMR
Cross-site Scripting vulnerability in multiple products

A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7.

4.3
2021-02-01 CVE-2021-3350 Delete Account Project Cross-site Scripting vulnerability in Delete Account Project Delete Account 1.4

deleteaccount.php in the Delete Account plugin 1.4 for MyBB allows XSS via the deletereason parameter.

4.3
2021-02-06 CVE-2021-22298 Huawei Unspecified vulnerability in Huawei Manageone 6.5.1.1/8.0.0

There is a logic vulnerability in Huawei Gauss100 OLTP Product.

4.0
2021-02-06 CVE-2020-9205 Huawei Improper Neutralization of Formula Elements in a CSV File vulnerability in Huawei Manageone 8.0.1

There has a CSV injection vulnerability in ManageOne 8.0.1.

4.0
2021-02-05 CVE-2021-21303 Helm Injection vulnerability in Helm

Helm is open-source software which is essentially "The Kubernetes Package Manager".

4.0
2021-02-03 CVE-2021-25774 Jetbrains Incorrect Authorization vulnerability in Jetbrains Teamcity

In JetBrains TeamCity before 2020.2.1, a user could get access to the GitHub access token of another user.

4.0
2021-02-03 CVE-2021-25759 Jetbrains Incorrect Permission Assignment for Critical Resource vulnerability in Jetbrains HUB

In JetBrains Hub before 2020.1.12629, an authenticated user can delete 2FA settings of any other user.

4.0
2021-02-03 CVE-2020-27994 Solarwinds Path Traversal vulnerability in Solarwinds Serv-U 15.1.6/15.2.1

SolarWinds Serv-U before 15.2.2 allows Authenticated Directory Traversal.

4.0
2021-02-02 CVE-2020-14221 Hcltech Information Exposure vulnerability in Hcltech Digital Experience 8.5/9.0/9.5

HCL Digital Experience 8.5, 9.0, and 9.5 exposes information about the server to unauthorized users.

4.0
2021-02-02 CVE-2020-4934 IBM Path Traversal vulnerability in IBM Content Navigator 3.0.0

IBM Content Navigator 3.0.CD could allow a remote attacker to traverse directories on the system.

4.0
2021-02-02 CVE-2020-36231 Atlassian Improper Input Validation vulnerability in Atlassian Jira

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability.

4.0
2021-02-02 CVE-2020-14192 Atlassian Information Exposure vulnerability in Atlassian Crucible

Affected versions of Atlassian Fisheye and Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics.

4.0
2021-02-01 CVE-2021-21287 Minio Server-Side Request Forgery (SSRF) vulnerability in Minio

MinIO is a High Performance Object Storage released under Apache License v2.0.

4.0
2021-02-01 CVE-2021-21266 Openhab XXE vulnerability in Openhab

openHAB is a vendor and technology agnostic open source automation software for your home.

4.0

48 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-02-04 CVE-2020-4640 IBM Information Exposure vulnerability in IBM API Connect

Certain IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 configurations can result in sensitive information in the URL fragment identifiers.

3.8
2021-02-06 CVE-2021-22302 Huawei Out-of-bounds Read vulnerability in Huawei Taurus-Al00A Firmware 10.0.0.1(C00E1R1P1)

There is an out-of-bound read vulnerability in Taurus-AL00A 10.0.0.1(C00E1R1P1).

3.6
2021-02-05 CVE-2021-1072 Nvidia Unspecified vulnerability in Nvidia Geforce Experience

NVIDIA GeForce Experience, all versions prior to 3.21, contains a vulnerability in GameStream (rxdiag.dll) where an arbitrary file deletion due to improper handling of log files may lead to denial of service.

3.6
2021-02-03 CVE-2021-25276 Solarwinds Insecure Storage of Sensitive Information vulnerability in Solarwinds Serv-U 15.1.6/15.2.1/15.2.2

In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files (that include users' password hashes) that is world readable and writable.

3.6
2021-02-06 CVE-2021-22499 Microfocus Cross-site Scripting vulnerability in Microfocus Application Performance Management 9.40/9.50/9.51

Persistent Cross-Site scripting vulnerability in Micro Focus Application Performance Management product, affecting versions 9.40, 9.50 and 9.51.

3.5
2021-02-05 CVE-2021-3258 QA Themes Cross-site Scripting vulnerability in Qa-Themes Q2A Ultimate SEO 1.3

Question2Answer Q2A Ultimate SEO Version 1.3 is affected by cross-site scripting (XSS), which may lead to arbitrary remote code execution.

3.5
2021-02-04 CVE-2021-1221 Cisco Improper Input Validation vulnerability in Cisco Webex Meetings

A vulnerability in the user interface of Cisco Webex Meetings and Cisco Webex Meetings Server Software could allow an authenticated, remote attacker to inject a hyperlink into a meeting invitation email.

3.5
2021-02-04 CVE-2020-4825 IBM Cross-site Scripting vulnerability in IBM API Connect

IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site scripting.

3.5
2021-02-03 CVE-2020-9390 Squaredup Cross-site Scripting vulnerability in Squaredup

SquaredUp allowed Stored XSS before version 4.6.0.

3.5
2021-02-03 CVE-2020-18724 Altn Cross-site Scripting vulnerability in Altn Mdaemon Webmail 14.0/20.0.0

Authenticated stored cross-site scripting (XSS) in the contact name field in the distribution list of MDaemon webmail 19.5.5 allows an attacker to executes code and perform a XSS attack while opening a contact list.

3.5
2021-02-03 CVE-2020-18723 Altn Cross-site Scripting vulnerability in Altn Mdaemon Webmail 14.0/20.0.0

Stored cross-site scripting (XSS) in file attachment field in MDaemon webmail 19.5.5 allows an attacker to execute code on the email recipient side while forwarding an email to perform potentially malicious activities.

3.5
2021-02-03 CVE-2019-16268 Zohocorp Injection vulnerability in Zohocorp Manageengine Remote Access Plus 10.0.259

Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen.

3.5
2021-02-03 CVE-2020-8294 Nextcloud Cross-site Scripting vulnerability in Nextcloud Server

A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format.

3.5
2021-02-03 CVE-2020-35482 Solarwinds Cross-site Scripting vulnerability in Solarwinds Serv-U 15.1.6/15.2.1

SolarWinds Serv-U before 15.2.2 allows authenticated reflected XSS.

3.5
2021-02-03 CVE-2020-28001 Solarwinds Cross-site Scripting vulnerability in Solarwinds Serv-U 15.1.6/15.2.1

SolarWinds Serv-U before 15.2.2 allows Authenticated Stored XSS.

3.5
2021-02-02 CVE-2021-3395 Pryaniki Cross-site Scripting vulnerability in Pryaniki 6.44.3

A cross-site scripting (XSS) vulnerability in Pryaniki 6.44.3 allows remote authenticated users to upload an arbitrary file.

3.5
2021-02-07 CVE-2021-22161 Openwrt Infinite Loop vulnerability in Openwrt

In OpenWrt 19.07.x before 19.07.7, when IPv6 is used, a routing loop can occur that generates excessive network traffic between an affected device and its upstream ISP's router.

3.3
2021-02-04 CVE-2021-1268 Cisco Insufficient Adherence to Expected Conventions vulnerability in Cisco IOS XR

A vulnerability in the IPv6 protocol handling of the management interfaces of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause an IPv6 flood on the management interface network of an affected device.

3.3
2021-02-04 CVE-2020-5032 IBM Unspecified vulnerability in IBM Qradar Security Information and Event Manager

IBM QRadar SIEM 7.3 and 7.4 in some configurations may be vulnerable to a temporary denial of service attack when sent particular payloads.

3.3
2021-02-04 CVE-2020-27873 Netgear Incorrect Authorization vulnerability in Netgear products

This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R7450 1.2.0.62_1.0.1 routers.

3.3
2021-02-02 CVE-2020-24490 Bluez Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Bluez

Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access.

3.3
2021-02-04 CVE-2021-1354 Cisco Improper Certificate Validation vulnerability in Cisco Unified Computing System Central Software

A vulnerability in the certificate registration process of Cisco Unified Computing System (UCS) Central Software could allow an authenticated, adjacent attacker to register a rogue Cisco Unified Computing System Manager (UCSM).

2.7
2021-02-03 CVE-2020-8589 Netapp Unspecified vulnerability in Netapp Clustered Data Ontap

Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptible to a vulnerability which could allow unauthorized tenant users to discover the names of other Storage Virtual Machines (SVMs) and filenames on those SVMs.

2.7
2021-02-03 CVE-2020-8588 Netapp Unspecified vulnerability in Netapp Clustered Data Ontap

Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptible to a vulnerability which could allow unauthorized tenant users to discover the existence of data on other Storage Virtual Machines (SVMs).

2.7
2021-02-02 CVE-2021-21284 Docker
Debian
Netapp
Path Traversal vulnerability in multiple products

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root.

2.7
2021-02-06 CVE-2021-22305 Huawei Classic Buffer Overflow vulnerability in Huawei Mate 30 Firmware 10.1.0.126(C00E125R5P3)

There is a buffer overflow vulnerability in Mate 30 10.1.0.126(C00E125R5P3).

2.1
2021-02-06 CVE-2021-22304 Huawei Use After Free vulnerability in Huawei Taurus-Al00A Firmware 10.0.0.1(C00E1R1P1)

There is a use after free vulnerability in Taurus-AL00A 10.0.0.1(C00E1R1P1).

2.1
2021-02-06 CVE-2021-22306 Huawei Out-of-bounds Read vulnerability in Huawei Mate 30 Firmware 10.0.0.182(C00E180R6P2)

There is an out-of-bound read vulnerability in Mate 30 10.0.0.182(C00E180R6P2).

2.1
2021-02-06 CVE-2021-22307 Huawei Unspecified vulnerability in Huawei Mate 30 Firmware 10.0.0.203(C00E201R7P2)

There is a weak algorithm vulnerability in Mate 3010.0.0.203(C00E201R7P2).

2.1
2021-02-06 CVE-2020-11836 Google Unspecified vulnerability in Google Android

OPPO Android Phone with MTK chipset and Android 8.1/9/10/11 versions have an information leak vulnerability.

2.1
2021-02-05 CVE-2020-9453 Epson NULL Pointer Dereference vulnerability in Epson Iprojection 2.30

In Epson iProjection v2.30, the driver file EMP_MPAU.sys allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9C402406 and IOCtl 0x9C40240A.

2.1
2021-02-05 CVE-2020-10553 Psyprax Incorrect Permission Assignment for Critical Resource vulnerability in Psyprax

An issue was discovered in Psyprax before 3.2.2.

2.1
2021-02-05 CVE-2020-10375 Newmediacompany Insufficiently Protected Credentials vulnerability in Newmediacompany Smarty

An issue was discovered in New Media Smarty before 9.10.

2.1
2021-02-05 CVE-2020-9014 Epson Improper Input Validation vulnerability in Epson Iprojection 2.30

In Epson iProjection v2.30, the driver file (EMP_NSAU.sys) allows local users to cause a denial of service (BSOD) via crafted input to the virtual audio device driver with IOCTL 0x9C402402, 0x9C402406, or 0x9C40240A.

2.1
2021-02-05 CVE-2020-4832 IBM Information Exposure vulnerability in IBM Powerha 7.2

IBM PowerHA 7.2 could allow a local attacker to obtain sensitive information from temporary directories after a discovery failure occurs.

2.1
2021-02-05 CVE-2020-36241 Gnome
Fedoraproject
Link Following vulnerability in multiple products

autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.

2.1
2021-02-05 CVE-2020-10538 Epikur Insufficiently Protected Credentials vulnerability in Epikur 20.1.0.1

An issue was discovered in Epikur before 20.1.1.

2.1
2021-02-04 CVE-2021-25248 Trendmicro Out-of-bounds Read vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security

An out-of-bounds read information disclosure vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security (10.0 SP1 and Services) could allow an attacker to disclose sensitive information about a named pipe.

2.1
2021-02-04 CVE-2021-0347 Google Out-of-bounds Read vulnerability in Google Android

In ccu, there is a possible out of bounds read due to a missing bounds check.

2.1
2021-02-04 CVE-2021-1128 Cisco Information Exposure Through Sent Data vulnerability in Cisco IOS XR

A vulnerability in the CLI parser of Cisco IOS XR Software could allow an authenticated, local attacker to view more information than their privileges allow.

2.1
2021-02-03 CVE-2021-23331 Sencha Unspecified vulnerability in Sencha Connect

This affects all versions of package com.squareup:connect.

2.1
2021-02-03 CVE-2021-25275 Solarwinds Use of Hard-coded Credentials vulnerability in Solarwinds Orion Platform

SolarWinds Orion Platform before 2020.2.4, as used by various SolarWinds products, installs and uses a SQL Server backend, and stores database credentials to access this backend in a file readable by unprivileged users.

2.1
2021-02-03 CVE-2021-0352 Google Type Confusion vulnerability in Google Android 10.0/11.0

In RT regmap driver, there is a possible memory corruption due to type confusion.

2.1
2021-02-01 CVE-2021-3349 Gnome Insufficient Verification of Data Authenticity vulnerability in Gnome Evolution

** DISPUTED ** GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API.

2.1
2021-02-06 CVE-2021-22300 Huawei Cleartext Storage of Sensitive Information vulnerability in Huawei Ecns280 TD Firmware V100R005C00/V100R005C10

There is an information leak vulnerability in eCNS280_TD versions V100R005C00 and V100R005C10.

1.9
2021-02-04 CVE-2021-25227 Trendmicro Resource Exhaustion vulnerability in Trendmicro Antivirus

Trend Micro Antivirus for Mac 2021 (Consumer) is vulnerable to a memory exhaustion vulnerability that could lead to disabling all the scanning functionality within the application.

1.9
2021-02-03 CVE-2021-25755 Jetbrains Missing Authorization vulnerability in Jetbrains Code With ME

In JetBrains Code With Me before 2020.3, an attacker on the local network, knowing a session ID, could get access to the encrypted traffic.

1.9
2021-02-02 CVE-2021-21292 Traccar Unquoted Search Path or Element vulnerability in Traccar

Traccar is an open source GPS tracking system.

1.9