Weekly Vulnerabilities Reports > February 8 to 14, 2021

Overview

487 new vulnerabilities were reported during this period, including 40 critical vulnerabilities and 96 high severity vulnerabilities. This weekly summary reports vulnerabilities in 322 products from 146 vendors including Google, Fiberhome, Adobe, Foxitsoftware, and IBM. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Cross-site Scripting", "Use of Hard-coded Credentials", "Out-of-bounds Read", and "Use After Free".

  • 384 reported vulnerabilities are remotely exploitable.
  • 9 reported vulnerabilities have a public exploit available.
  • 138 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 419 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 53 reported vulnerabilities.
  • Adobe has the most reported critical vulnerabilities, with 14 reported vulnerabilities.

Vulnerability Details

The following table lists the vulnerabilities reported during the period covered by this report:

40 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-02-12 CVE-2021-22504 Microfocus Unspecified vulnerability in Microfocus Operations Bridge Manager

Arbitrary code execution vulnerability on Micro Focus Operations Bridge Manager product, affecting versions 10.1x, 10.6x, 2018.05, 2018.11, 2019.05, 2019.11, 2020.05, 2020.10.

10.0
2021-02-12 CVE-2020-27868 Qognify Deserialization of Untrusted Data vulnerability in Qognify Ocularis 5.9.0.395

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Qognify Ocularis 5.9.0.395.

10.0
2021-02-10 CVE-2021-27171 Fiberhome Out-Of-Bounds Write vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

10.0
2021-02-09 CVE-2020-14343 Pyyaml Improper Input Validation vulnerability in Pyyaml

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader.

10.0
2021-02-09 CVE-2020-13117 Wavlink Command Injection vulnerability in Wavlink Wn575A4 Firmware and Wn579X3 Firmware

Wavlink WN575A4 and WN579X3 devices through 2020-05-15 allow unauthenticated remote users to inject commands via the key parameter in a login request.

10.0
2021-02-09 CVE-2021-25140 HP Path Traversal vulnerability in HP Moonshot Provisioning Manager 1.20

A potential security vulnerability has been identified in the HPE Moonshot Provisioning Manager v1.20.

10.0
2021-02-09 CVE-2021-25139 HP Out-Of-Bounds Write vulnerability in HP Moonshot Provisioning Manager 1.20

A potential security vulnerability has been identified in the HPE Moonshot Provisioning Manager v1.20.

10.0
2021-02-08 CVE-2021-22502 Microfocus Code Injection vulnerability in Microfocus Operation Bridge Reporter 10.40

Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10.40.

10.0
2021-02-08 CVE-2020-11920 Svakom OS Command Injection vulnerability in Svakom Siime EYE Firmware 14.1.00000001.3.330.0.0.3.14

An issue was discovered in Svakom Siime Eye 14.1.00000001.3.330.0.0.3.14.

10.0
2021-02-08 CVE-2021-26754 Wpdatatables SQL Injection vulnerability in Wpdatatables

wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order[0][dir] SQL injection.

10.0
2021-02-11 CVE-2021-21063 Adobe Access of Memory Location After END of Buffer vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a Memory corruption vulnerability when parsing a specially crafted PDF file.

9.3
2021-02-11 CVE-2021-21062 Adobe Access of Memory Location After END of Buffer vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a Memory corruption vulnerability when parsing a specially crafted PDF file.

9.3
2021-02-11 CVE-2021-21059 Adobe Access of Memory Location After END of Buffer vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a Memory corruption vulnerability when parsing a specially crafted PDF file.

9.3
2021-02-11 CVE-2021-21058 Adobe Access of Memory Location After END of Buffer vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a Memory corruption vulnerability when parsing a specially crafted PDF file.

9.3
2021-02-11 CVE-2021-21054 Adobe Out-Of-Bounds Write vulnerability in Adobe Illustrator

Adobe Illustrator version 25.1 (and earlier) is affected by an Out-of-bounds Write vulnerability when parsing a crafted file.

9.3
2021-02-11 CVE-2021-21053 Adobe Out-Of-Bounds Write vulnerability in Adobe Illustrator

Adobe Illustrator version 25.1 (and earlier) is affected by an Out-of-bounds Write vulnerability when parsing a crafted file.

9.3
2021-02-11 CVE-2021-21052 Adobe Out-Of-Bounds Write vulnerability in Adobe Animate 15.2.1.95/20.5/21.0

Adobe Animate version 21.0.2 (and earlier) is affected by an Out-of-bounds Write vulnerability.

9.3
2021-02-11 CVE-2021-21051 Adobe Classic Buffer Overflow vulnerability in Adobe Photoshop

Adobe Photoshop versions 21.2.4 (and earlier) and 22.1.1 (and earlier) are affected by a Buffer Overflow vulnerability when parsing a specially crafted JavaScript file.

9.3
2021-02-11 CVE-2021-21050 Adobe Out-Of-Bounds Read vulnerability in Adobe Photoshop

Adobe Photoshop versions 21.2.4 (and earlier) and 22.1.1 (and earlier) are affected by an Out-of-bounds Read vulnerability when parsing a specially crafted file.

9.3
2021-02-11 CVE-2021-21049 Adobe Out-Of-Bounds Read vulnerability in Adobe Photoshop

Adobe Photoshop versions 21.2.4 (and earlier) and 22.1.1 (and earlier) are affected by an Out-of-bounds Read vulnerability when parsing a specially crafted file.

9.3
2021-02-11 CVE-2021-21048 Adobe Access of Memory Location After END of Buffer vulnerability in Adobe Photoshop

Adobe Photoshop versions 21.2.4 (and earlier) and 22.1.1 (and earlier) are affected by a Memory Corruption vulnerability when parsing a specially crafted file.

9.3
2021-02-11 CVE-2021-21047 Adobe Out-Of-Bounds Write vulnerability in Adobe Photoshop

Adobe Photoshop versions 21.2.4 (and earlier) and 22.1.1 (and earlier) are affected by an Out-of-bounds Write vulnerability.

9.3
2021-02-11 CVE-2021-21045 Adobe Improper Access Control vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an improper access control vulnerability.

9.3
2021-02-11 CVE-2021-21044 Adobe Out-Of-Bounds Write vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an Out-of-bounds Write vulnerability when parsing a crafted JPEG file.

9.3
2021-02-10 CVE-2021-0340 Google Improper Cross-Boundary Removal of Sensitive Data vulnerability in Google Android 10.0

In parseNextBox of IsoInterface.java, there is a possible leak of unredacted location information due to improper input validation.

9.3
2021-02-10 CVE-2021-0339 Google Improper Check for Unusual OR Exceptional Conditions vulnerability in Google Android 10.0/8.1/9.0

In loadAnimation of WindowContainer.java, there is a possible way to keep displaying a malicious app while a target app is brought to the foreground.

9.3
2021-02-10 CVE-2021-0325 Google Out-Of-Bounds Write vulnerability in Google Android

In ih264d_parse_pslice of ih264d_parse_pslice.c, there is a possible out of bounds write due to a heap buffer overflow.

9.3
2021-02-10 CVE-2021-0305 Google Improper Restriction of Rendered UI Layers OR Frames vulnerability in Google Android 10.0/8.1/9.0

In PackageInstaller, there is a possible tapjacking attack due to an insecure default value.

9.3
2021-02-10 CVE-2021-0302 Google Improper Restriction of Rendered UI Layers OR Frames vulnerability in Google Android 10.0/8.1/9.0

In PackageInstaller, there is a possible tapjacking attack due to an insecure default value.

9.3
2021-02-09 CVE-2020-15798 Siemens Missing Authentication for Critical Function vulnerability in Siemens products

A vulnerability has been identified in SIMATIC HMI Comfort Panels (incl.

9.3
2021-02-08 CVE-2021-26915 Netmotionsoftware Deserialization of Untrusted Data vulnerability in Netmotionsoftware Netmotion Mobility 12.0

NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in webrepdb StatusServlet.

9.3
2021-02-08 CVE-2021-26914 Netmotionsoftware Deserialization of Untrusted Data vulnerability in Netmotionsoftware Netmotion Mobility 12.0

NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in MvcUtil valueStringToObject.

9.3
2021-02-08 CVE-2021-26913 Netmotionsoftware Deserialization of Untrusted Data vulnerability in Netmotionsoftware Netmotion Mobility 12.0

NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in RpcServlet.

9.3
2021-02-08 CVE-2021-26912 Netmotionsoftware Deserialization of Untrusted Data vulnerability in Netmotionsoftware Netmotion Mobility 12.0

NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in SupportRpcServlet.

9.3
2021-02-12 CVE-2020-27869 Solarwinds SQL Injection vulnerability in Solarwinds Network Performance Monitor 2020/2020.2

This vulnerability allows remote attackers to escalate privileges on affected installations of SolarWinds Network Performance Monitor 2020 HF1, NPM: 2020.2.

9.0
2021-02-11 CVE-2021-21018 Magento OS Command Injection vulnerability in Magento

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the scheduled operation module.

9.0
2021-02-11 CVE-2021-21016 Magento OS Command Injection vulnerability in Magento

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the WebAPI.

9.0
2021-02-10 CVE-2020-27871 Solarwinds Path Traversal vulnerability in Solarwinds Orion Platform 2020.2.1

This vulnerability allows remote attackers to create arbitrary files on affected installations of SolarWinds Orion Platform 2020.2.1.

9.0
2021-02-09 CVE-2021-21477 SAP Code Injection vulnerability in SAP Commerce

SAP Commerce Cloud, versions 1808, 1811, 1905, 2005, and 2011, enables certain users with the required privileges to edit Drools rules. An authenticated attacker with this privilege can inject malicious code into the Drools rules which, when executed, leads to remote code execution, enabling the attacker to compromise the underlying host and impair the confidentiality, integrity, and availability of the application.

9.0
2021-02-09 CVE-2021-3191 HPE Unspecified vulnerability in HPE web Viewpoint

Idelji Web ViewPoint Suite, as used in conjunction with HPE NonStop, allows Remote Unauthorized Access for T0320L01^ABY and T0320L01^ACD, T0952L01^AAR through T0952L01^AAX, and T0986L01^AAD through T0986L01^AAJ (L) and T0320H01^ABW through T0320H01^ACC, T0952H01^AAQ through T0952H01^AAW, and T0986H01^AAC through T0986H01^AAI (J and H).

9.0

96 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-02-12 CVE-2021-27197 Pelco Origin Validation Error vulnerability in Pelco Digital Sentry Server

DSUtility.dll in Pelco Digital Sentry Server before 7.19.67 has an arbitrary file write vulnerability.

8.8
2021-02-11 CVE-2021-21015 Magento OS Command Injection vulnerability in Magento

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an OS command injection via the customer attribute save controller.

8.5
2021-02-12 CVE-2020-27866 Netgear Improper Authentication vulnerability in Netgear products

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 firmware version 1.2.0.62_1.0.1 routers.

8.3
2021-02-12 CVE-2020-27865 Dlink Improper Authentication vulnerability in Dlink Dap-1860 Firmware 1.01B06/1.02B01/1.04B01

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1860 firmware version 1.04B03 WiFi extenders.

8.3
2021-02-12 CVE-2020-27864 Dlink Command Injection vulnerability in Dlink Dap-1860 Firmware 1.01B06/1.02B01/1.04B01

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1860 firmware version 1.04B03 WiFi extenders.

8.3
2021-02-12 CVE-2020-27861 Netgear OS Command Injection vulnerability in Netgear products

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Orbi 2.5.1.16 routers.

8.3
2021-02-10 CVE-2021-0326 Google
Fedoraproject
Debian
Out-Of-Bounds Write vulnerability in multiple products

In p2p_copy_client_info of p2p.c, there is a possible out of bounds write due to a missing bounds check.

7.9
2021-02-12 CVE-2021-22985 F5 Resource Exhaustion vulnerability in F5 Big-Ip Application Security Manager

On BIG-IP APM version 16.0.x before 16.0.1.1, under certain conditions, when processing VPN traffic with APM, TMM consumes excessive memory.

7.8
2021-02-11 CVE-2020-35498 Openvswitch
Debian
Resource Exhaustion vulnerability in multiple products

A vulnerability was found in openvswitch.

7.8
2021-02-12 CVE-2021-20648 Elecom OS Command Injection vulnerability in Elecom Wrc-300Febk-S Firmware

ELECOM WRC-300FEBK-S allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors.

7.7
2021-02-12 CVE-2021-20640 Logitec Classic Buffer Overflow vulnerability in Logitec Lan-W300N/Pgrb Firmware

Buffer overflow vulnerability in LOGITEC LAN-W300N/PGRB allows an attacker with administrative privilege to execute an arbitrary OS command via unspecified vectors.

7.7
2021-02-12 CVE-2021-20639 Logitec OS Command Injection vulnerability in Logitec Lan-W300N/Pgrb Firmware

LOGITEC LAN-W300N/PGRB allows an attacker with administrative privilege to execute arbitrary OS commands via unspecified vectors.

7.7
2021-02-12 CVE-2021-20638 Logitec OS Command Injection vulnerability in Logitec Lan-W300N/Pgrb Firmware

LOGITEC LAN-W300N/PGRB allows an attacker with administrative privilege to execute arbitrary OS commands via unspecified vectors.

7.7
2021-02-12 CVE-2020-27867 Netgear Command Injection vulnerability in Netgear products

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 firmware version 1.2.0.62_1.0.1 routers.

7.7
2021-02-14 CVE-2021-27213 Pystemon Project Deserialization of Untrusted Data vulnerability in Pystemon Project Pystemon

config.py in pystemon before 2021-02-13 allows code execution via YAML deserialization because SafeLoader and safe_load are not used.

7.5
2021-02-14 CVE-2019-25019 Limesurvey SQL Injection vulnerability in Limesurvey

LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model.

7.5
2021-02-11 CVE-2021-21032 Magento Insufficient Session Expiration vulnerability in Magento

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions.

7.5
2021-02-11 CVE-2021-21031 Magento Insufficient Session Expiration vulnerability in Magento

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions.

7.5
2021-02-11 CVE-2021-21307 Lucee Missing Authorization vulnerability in Lucee Server

Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development.

7.5
2021-02-11 CVE-2021-25689 Teradici Out-Of-Bounds Write vulnerability in Teradici Pcoip Soft Client 20.07.2/20.07.3/20.10.0

An out of bounds write in Teradici PCoIP soft client versions prior to version 20.10.1 could allow an attacker to remotely execute code.

7.5
2021-02-11 CVE-2021-22658 Advantech SQL Injection vulnerability in Advantech Iview 5.6

Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may allow an attacker to escalate privileges to 'Administrator'.

7.5
2021-02-11 CVE-2021-22652 Advantech Missing Authentication for Critical Function vulnerability in Advantech Iview 5.6

Access to the configuration of Advantech iView versions prior to v5.7.03.6112 is missing authentication, which may allow an unauthorized attacker to change the configuration and obtain code execution.

7.5
2021-02-11 CVE-2021-23334 Static Eval Project Code Injection vulnerability in Static-Eval Project Static-Eval

All versions of package static-eval are vulnerable to Arbitrary Code Execution using FunctionExpressions and TemplateLiterals.

7.5
2021-02-10 CVE-2021-27185 Samba Client Project Injection vulnerability in Samba-Client Project Samba-Client

The samba-client package before 4.0.0 for Node.js allows command injection because of the use of process.exec.

7.5
2021-02-10 CVE-2020-13576 Genivia Integer Overflow OR Wraparound vulnerability in Genivia Gsoap 2.8.107

A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107.

7.5
2021-02-10 CVE-2021-27177 Fiberhome Incorrect Authorization vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27164 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27163 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27162 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27161 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27160 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27159 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27158 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27157 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27156 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27155 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27154 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27153 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27152 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27151 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27150 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27149 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27148 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27147 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27146 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-27145 Fiberhome USE of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

7.5
2021-02-10 CVE-2021-3033 Paloaltonetworks Improper Verification of Cryptographic Signature vulnerability in Paloaltonetworks Prisma Cloud

An improper verification of cryptographic signature vulnerability exists in the Palo Alto Networks Prisma Cloud Compute console.

7.5
2021-02-10 CVE-2021-27135 Invisible Island
Debian

xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence.

7.5
2021-02-10 CVE-2020-36244 Genivi Out-Of-Bounds Write vulnerability in Genivi Diagnostic LOG and Trace

The daemon in GENIVI Diagnostic Log and Trace (DLT) before 2.18.6 has a heap-based buffer overflow in dlt_buffer_write_block in shared/dlt_common.c.

7.5
2021-02-10 CVE-2020-28871 Monitorr Project Unrestricted Upload of File With Dangerous Type vulnerability in Monitorr Project Monitorr 1.7.6M

Remote code execution in Monitorr v1.7.6m in upload.php allows an unauthorized person to execute arbitrary code on the server-side via an insecure file upload.

7.5
2021-02-10 CVE-2020-28870 Inoideas Improper Input Validation vulnerability in Inoideas Inoerp 0.7.2

In InoERP 0.7.2, an unauthorized attacker can execute arbitrary code on the server side due to lack of validations in /modules/sys/form_personalization/json_fp.php.

7.5
2021-02-09 CVE-2021-26957 XCB Project Out-Of-Bounds Read vulnerability in XCB Project XCB 20201210/20210204

An issue was discovered in the xcb crate through 2021-02-04 for Rust.

7.5
2021-02-09 CVE-2021-26956 XCB Project Unspecified vulnerability in XCB Project XCB 20201210/20210204

An issue was discovered in the xcb crate through 2021-02-04 for Rust.

7.5
2021-02-09 CVE-2021-26955 XCB Project Unchecked Return Value vulnerability in XCB Project XCB 20201210/20210204

An issue was discovered in the xcb crate through 2021-02-04 for Rust.

7.5
2021-02-09 CVE-2021-26951 Calamine Project Out-Of-Bounds Write vulnerability in Calamine Project Calamine

An issue was discovered in the calamine crate before 0.17.0 for Rust.

7.5
2021-02-09 CVE-2021-21502 Dell Improper Privilege Management vulnerability in Dell EMC Powerscale Onefs

Dell PowerScale OneFS versions 8.1.0 – 9.1.0 contain a "use of SSH key past account expiration" vulnerability.

7.5
2021-02-09 CVE-2021-26937 GNU
Debian
Argument Injection OR Modification vulnerability in multiple products

encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.

7.5
2021-02-09 CVE-2019-17582 Libzip USE After Free vulnerability in Libzip 1.2.0

A use-after-free in the _zip_dirent_read function of zip_dirent.c in libzip 1.2.0 allows attackers to have an unspecified impact by attempting to unzip a malformed ZIP archive.

7.5
2021-02-09 CVE-2021-26918 Probot Unrestricted Upload of File With Dangerous Type vulnerability in Probot BOT

** DISPUTED ** The ProBot bot through 2021-02-08 for Discord might allow attackers to interfere with the intended purpose of the "Send an image when a user joins the server" feature (or possibly have unspecified other impact) because the uploader web service allows double extensions (such as .html.jpg) with the text/html content type.

7.5
2021-02-08 CVE-2021-25913 SET OR GET Project Unspecified vulnerability in Set-Or-Get Project Set-Or-Get

Prototype pollution vulnerability in 'set-or-get' version 1.0.0 through 1.2.10 allows an attacker to cause a denial of service and may lead to remote code execution.

7.5
2021-02-08 CVE-2021-21305 Carrierwave Project Injection vulnerability in Carrierwave Project Carrierwave

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications.

7.5
2021-02-08 CVE-2020-7786 Macfromip Project Injection vulnerability in Macfromip Project Macfromip

This affects all versions of package macfromip.

7.5
2021-02-08 CVE-2020-7785 Node PS Project Injection vulnerability in Node-Ps Project Node-Ps

This affects all versions of package node-ps.

7.5
2021-02-08 CVE-2020-7782 Spritesheet JS Project Injection vulnerability in Spritesheet-Js Project Spritesheet-Js

This affects all versions of package spritesheet-js.

7.5
2021-02-08 CVE-2021-21304 Dynamoosejs Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Dynamoosejs Dynamoose

Dynamoose is an open-source modeling tool for Amazon's DynamoDB.

7.5
2021-02-08 CVE-2021-26541 Gitlog Project Command Injection vulnerability in Gitlog Project Gitlog

The gitlog function in src/index.ts in gitlog before 4.0.4 has a command injection vulnerability.

7.5
2021-02-08 CVE-2020-6649 Fortinet Insufficient Session Expiration vulnerability in Fortinet Fortiisolator

An insufficient session expiration vulnerability in FortiNet's FortiIsolator version 2.0.1 and below may allow an attacker to reuse unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain such a session ID (via other, hypothetical attacks).

7.5
2021-02-08 CVE-2020-16629 Phpok SQL Injection vulnerability in PHPok 5.4.137

PhpOK 5.4.137 contains a SQL injection vulnerability that allows attachment data to be injected through SQL; the attachment replacement function can then be called through api.php to write a PHP file to the target path.

7.5
2021-02-08 CVE-2020-26051 College Management System Project SQL Injection vulnerability in College Management System Project College Management System 1.0

College Management System Php 1.0 suffers from SQL injection vulnerabilities in the index.php page from the POST parameters 'unametxt' and 'pwdtxt', which are not filtered before being passed to a SQL query.

7.5
2021-02-10 CVE-2021-26936 Replaysorcery Project Improper Privilege Management vulnerability in Replaysorcery Project Replaysorcery

The replay-sorcery program in ReplaySorcery 0.4.0 through 0.5.0, when using the default setuid-root configuration, allows a local attacker to escalate privileges to root by specifying video output paths in privileged locations.

7.2
2021-02-10 CVE-2021-0337 Google Cleartext Storage of Sensitive Information vulnerability in Google Android

In moveInMediaStore of FileSystemProvider.java, there is a possible file exposure due to stale metadata.

7.2
2021-02-10 CVE-2021-0336 Google Improper Privilege Management vulnerability in Google Android

In onReceive of BluetoothPermissionRequest.java, there is a possible permissions bypass due to a mutable PendingIntent.

7.2
2021-02-10 CVE-2021-0334 Google Incorrect Permission Assignment for Critical Resource vulnerability in Google Android

In onTargetSelected of ResolverActivity.java, there is a possible settings bypass allowing an app to become the default handler for arbitrary domains.

7.2
2021-02-10 CVE-2021-0332 Google USE After Free vulnerability in Google Android 10.0/11.0

In bootFinished of SurfaceFlinger.cpp, there is a possible memory corruption due to a use after free.

7.2
2021-02-10 CVE-2021-0330 Google USE After Free vulnerability in Google Android 10.0/11.0/9.0

In add_user_ce and remove_user_ce of storaged.cpp, there is a possible use-after-free due to improper locking.

7.2
2021-02-10 CVE-2021-0329 Google Out-Of-Bounds Write vulnerability in Google Android

In several native functions called by AdvertiseManager.java, there is a possible out of bounds write due to a missing bounds check.

7.2
2021-02-10 CVE-2021-0328 Google Improper Privilege Management vulnerability in Google Android

In onBatchScanReports and deliverBatchScan of GattService.java, there is a possible way to retrieve Bluetooth scan results without permissions due to a missing permission check.

7.2
2021-02-10 CVE-2021-0327 Google Improper Privilege Management vulnerability in Google Android

In getContentProviderImpl of ActivityManagerService.java, there is a possible permission bypass due to non-restored binder identities.

7.2
2021-02-10 CVE-2021-23876 Mcafee Improper Privilege Management vulnerability in Mcafee Total Protection

Bypass Remote Procedure call in McAfee Total Protection (MTP) prior to 16.0.30 allows a local user to gain elevated privileges and perform arbitrary file modification as the SYSTEM user potentially causing Denial of Service via executing carefully constructed malware.

7.2
2021-02-09 CVE-2020-26193 Dell OS Command Injection vulnerability in Dell EMC Powerscale Onefs

Dell EMC PowerScale OneFS versions 8.1.0 - 9.1.0 contain an improper input validation vulnerability.

7.2
2021-02-09 CVE-2020-25245 Siemens Incorrect Default Permissions vulnerability in Siemens Digsi 4 4.94

A vulnerability has been identified in DIGSI 4 (All versions < V4.94 SP1 HF 1).

7.2
2021-02-09 CVE-2020-25238 Siemens Improper Access Control vulnerability in Siemens products

A vulnerability has been identified in PCS neo (Administration Console) (V3.0), TIA Portal (V15, V15.1 and V16).

7.2
2021-02-08 CVE-2021-26576 HPE Command Injection vulnerability in HPE Baseboard Management Controller

The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 System prior to version 3.0.14.0 has a command injection vulnerability in libifc.so uploadsshkey function.

7.2
2021-02-08 CVE-2021-26577 HPE Classic Buffer Overflow vulnerability in HPE Baseboard Management Controller

The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 System prior to version 3.0.14.0 has a local buffer overflow in libifc.so uploadsshkey function.

7.2
2021-02-08 CVE-2021-26575 HPE Path Traversal vulnerability in HPE Baseboard Management Controller

The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 System prior to version 3.0.14.0 has a path traversal vulnerability in libifc.so webdeletesolvideofile function.

7.2
2021-02-08 CVE-2021-26574 HPE Path Traversal vulnerability in HPE Baseboard Management Controller

The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 System prior to version 3.0.14.0 has a path traversal vulnerability in libifc.so webdeletevideofile function.

7.2
2021-02-08 CVE-2021-26573 HPE Classic Buffer Overflow vulnerability in HPE Baseboard Management Controller

The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 System prior to version 3.0.14.0 has a local buffer overflow in libifc.so webgeneratesslcfg function.

7.2
2021-02-08 CVE-2021-25172 HPE Command Injection vulnerability in HPE Baseboard Management Controller

The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 System prior to version 3.0.14.0 has a command injection vulnerability in libifc.so websetdefaultlangcfg function.

7.2
2021-02-08 CVE-2021-26572 HPE Classic Buffer Overflow vulnerability in HPE Baseboard Management Controller

The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 System prior to version 3.0.14.0 has a local buffer overflow in libifc.so webgetactivexcfg function.

7.2
2021-02-08 CVE-2021-26571 HPE Classic Buffer Overflow vulnerability in HPE Baseboard Management Controller

The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 System prior to version 3.0.14.0 has a local buffer overflow in libifc.so webgetactivexcfg function.

7.2
2021-02-08 CVE-2021-26570 HPE Classic Buffer Overflow vulnerability in HPE Baseboard Management Controller

The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 System prior to version 3.0.14.0 has a local buffer overflow in libifc.so webifc_setadconfig function.

7.2
2021-02-08 CVE-2021-25171 HPE Classic Buffer Overflow vulnerability in HPE Baseboard Management Controller

The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 System prior to version 3.0.14.0 has a local buffer overflow in libifc.so websetlicensecfg function.

7.2
2021-02-08 CVE-2021-25170 HPE Classic Buffer Overflow vulnerability in HPE Baseboard Management Controller

The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 System prior to version 3.0.14.0 has a local buffer overflow in libifc.so websetremoteimageinfo function.

7.2
2021-02-08 CVE-2021-25169 HPE Classic Buffer Overflow vulnerability in HPE Baseboard Management Controller

The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 System prior to version 3.0.14.0 has a local buffer overflow in libifc.so websetservicecfg function.

7.2
2021-02-08 CVE-2021-25168 HPE Classic Buffer Overflow vulnerability in HPE Baseboard Management Controller

The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 System prior to version 3.0.14.0 has a local buffer overflow in libifc.so webupdatecomponent function.

7.2
2021-02-08 CVE-2021-25142 HPE Classic Buffer Overflow vulnerability in HPE Baseboard Management Controller

The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 System prior to version 3.0.14.0 has a local buffer overflow in libifc.so webstartflash function.

7.2

294 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-02-12 CVE-2021-22980 F5 Untrusted Search Path vulnerability in F5 products

In Edge Client version 7.2.x before 7.2.1.1, 7.1.9.x before 7.1.9.8, and 7.1.x-7.1.8.x before 7.1.8.5, an untrusted search path vulnerability in the BIG-IP APM Client Troubleshooting Utility (CTU) for Windows could allow an attacker to load a malicious DLL library from its current directory.

6.9
2021-02-11 CVE-2021-20188 Podman Project, Redhat Incorrect Authorization vulnerability in multiple products

A flaw was found in podman before 1.7.0.

6.9
2021-02-10 CVE-2021-0333 Google Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android

In onCreate of BluetoothPermissionActivity.java, there is a possible permissions bypass due to a tapjacking overlay that obscures the phonebook permissions dialog when a Bluetooth device is connecting.

6.9
2021-02-10 CVE-2021-0331 Google Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android

In onCreate of NotificationAccessConfirmationActivity.java, there is a possible overlay attack due to an insecure default value.

6.9
2021-02-10 CVE-2021-0314 Google Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android 10.0/8.1/9.0

In onCreate of UninstallerActivity, there is a possible way to uninstall an app without informed user consent due to a tapjacking/overlay attack.

6.9
2021-02-09 CVE-2021-21117 Google Improper Privilege Management vulnerability in Google Chrome

Insufficient policy enforcement in Cryptohome in Google Chrome prior to 88.0.4324.96 allowed a local attacker to perform OS-level privilege escalation via a crafted file.

6.9
2021-02-08 CVE-2021-26910 Firejail Project, Debian Time-Of-Check Time-Of-Use (TOCTOU) Race Condition vulnerability in multiple products

Firejail before 0.9.64.4 allows attackers to bypass intended access restrictions because there is a TOCTOU race condition between a stat operation and an OverlayFS mount operation.

6.9
2021-02-12 CVE-2020-27860 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Foxit Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.0.1.35811.

6.8
2021-02-11 CVE-2019-19005 Autotrace Project Double Free vulnerability in Autotrace Project Autotrace 0.31.1

A bitmap double free in main.c in autotrace 0.31.1 allows attackers to cause an unspecified impact via a malformed bitmap image.

6.8
2021-02-11 CVE-2019-19004 Autotrace Project Integer Overflow or Wraparound vulnerability in Autotrace Project Autotrace 0.31.1

A biWidth*biBitCnt integer overflow in input-bmp.c in autotrace 0.31.1 allows attackers to provide an unexpected input value to malloc via a malformed bitmap image.

6.8
2021-02-11 CVE-2021-21041 Adobe Use After Free vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a use-after-free vulnerability.

6.8
2021-02-11 CVE-2021-21040 Adobe Use After Free vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a Use After Free vulnerability.

6.8
2021-02-11 CVE-2021-21039 Adobe Use After Free vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a Use After Free vulnerability.

6.8
2021-02-11 CVE-2021-21038 Adobe Out-Of-Bounds Write vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an Out-of-bounds Write vulnerability when parsing a crafted jpeg file.

6.8
2021-02-11 CVE-2021-21037 Adobe Path Traversal vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a Path Traversal vulnerability.

6.8
2021-02-11 CVE-2021-21036 Adobe Integer Overflow or Wraparound vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an Integer Overflow vulnerability.

6.8
2021-02-11 CVE-2021-21035 Adobe Use After Free vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a Use After Free vulnerability.

6.8
2021-02-11 CVE-2021-21033 Adobe Use After Free vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a Use After Free vulnerability.

6.8
2021-02-11 CVE-2021-21028 Adobe Use After Free vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a Use After Free vulnerability.

6.8
2021-02-11 CVE-2021-21021 Adobe Use After Free vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a Use After Free vulnerability.

6.8
2021-02-11 CVE-2021-21017 Adobe Out-Of-Bounds Write vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a heap-based buffer overflow vulnerability.

6.8
2021-02-11 CVE-2021-21299 Hyper Http Request Smuggling vulnerability in Hyper

hyper is an open-source HTTP library for Rust (crates.io).

6.8
2021-02-11 CVE-2021-20403 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Security Verify Information Queue 1.0.6/1.0.7

IBM Security Verify Information Queue 1.0.6 and 1.0.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

6.8
2021-02-10 CVE-2020-27874 Tencent Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Tencent Wechat 7.0.18

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent WeChat 7.0.18.

6.8
2021-02-10 CVE-2020-28596 Prusa3D Out-Of-Bounds Write vulnerability in Prusa3D Prusaslicer 2.2.0

A stack-based buffer overflow vulnerability exists in the Objparser::objparse() functionality of Prusa Research PrusaSlicer 2.2.0 and Master (commit 4b040b856).

6.8
2021-02-10 CVE-2020-28595 Prusa3D Out-Of-Bounds Write vulnerability in Prusa3D Prusaslicer 2.2.0

An out-of-bounds write vulnerability exists in the Obj.cpp load_obj() functionality of Prusa Research PrusaSlicer 2.2.0 and Master (commit 4b040b856).

6.8
2021-02-10 CVE-2020-27250 Softmaker Out-Of-Bounds Write vulnerability in Softmaker Planmaker 2021 1014

In SoftMaker Software GmbH SoftMaker Office PlanMaker 2021 (Revision 1014), a specially crafted document can cause the document parser to copy data from a particular record type into a static-sized buffer within an object that is smaller than the size used for the copy, which will cause a heap-based buffer overflow at Version/Instance 0x0005 and 0x0016.

6.8
2021-02-10 CVE-2020-13585 Accusoft Out-Of-Bounds Write vulnerability in Accusoft Imagegear 19.8

An out-of-bounds write vulnerability exists in the PSD Header processing functionality of Accusoft ImageGear 19.8.

6.8
2021-02-10 CVE-2020-13581 Softmaker Out-Of-Bounds Write vulnerability in Softmaker Planmaker 2021 1014

In SoftMaker Software GmbH SoftMaker Office PlanMaker 2021 (Revision 1014), a specially crafted document can cause the document parser to copy data from a particular record type into a buffer that is smaller than the size used for the copy which will cause a heap-based buffer overflow.

6.8
2021-02-10 CVE-2020-13572 Accusoft Out-Of-Bounds Write vulnerability in Accusoft Imagegear 19.8

A heap overflow vulnerability exists in the way the GIF parser decodes LZW compressed streams in Accusoft ImageGear 19.8.

6.8
2021-02-10 CVE-2020-13571 Accusoft Out-Of-Bounds Write vulnerability in Accusoft Imagegear 19.8

An out-of-bounds write vulnerability exists in the SGI RLE decompression functionality of Accusoft ImageGear 19.8.

6.8
2021-02-10 CVE-2020-13561 Accusoft Out-Of-Bounds Write vulnerability in Accusoft Imagegear 19.8

An out-of-bounds write vulnerability exists in the TIFF parser of Accusoft ImageGear 19.8.

6.8
2021-02-10 CVE-2020-13548 Foxitsoftware Use After Free vulnerability in Foxitsoftware Foxit Reader 10.1.0.37527

In Foxit Reader 10.1.0.37527, a specially crafted PDF document can trigger reuse of previously freed memory, which can lead to arbitrary code execution.

6.8
2021-02-10 CVE-2020-13546 Softmaker Out-Of-Bounds Write vulnerability in Softmaker Office Textmaker 2021 1014

In SoftMaker Software GmbH SoftMaker Office TextMaker 2021 (revision 1014), a specially crafted document can cause the document parser to miscalculate a length used to allocate a buffer; later, when this buffer is used, the application will write outside its bounds, resulting in a heap-based buffer overflow.

6.8
2021-02-09 CVE-2020-35125 Acquia Cross-Site Scripting vulnerability in Acquia Mautic

A cross-site scripting (XSS) vulnerability in the forms component of Mautic before 3.2.4 allows remote attackers to inject executable JavaScript via mautic[return] (a different attack method than CVE-2020-35124, but also related to the Referer concept).

6.8
2021-02-09 CVE-2020-35942 Imagely Cross-Site Request Forgery (CSRF) vulnerability in Imagely Nextgen Gallery

A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload and Local File Inclusion via settings modification, leading to Remote Code Execution and XSS.

6.8
2021-02-09 CVE-2020-27857 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2020-27856 Foxitsoftware Out-Of-Bounds Read vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2020-27855 Foxitsoftware Out-Of-Bounds Read vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2020-17436 Foxitsoftware Out-Of-Bounds Read vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2020-17435 Foxitsoftware Out-Of-Bounds Read vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2020-17434 Foxitsoftware Out-Of-Bounds Read vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2020-17433 Foxitsoftware Out-Of-Bounds Read vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2020-17432 Foxitsoftware Out-Of-Bounds Read vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2020-17431 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2020-17430 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2020-17427 Foxitsoftware Out-Of-Bounds Read vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2020-17426 Foxitsoftware Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2020-17425 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2020-17424 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2020-17423 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2020-17421 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2020-17419 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2020-17418 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.922.

6.8
2021-02-09 CVE-2021-22663 Siemens Out-Of-Bounds Read vulnerability in Siemens Cscape 9.90

Cscape (All versions prior to 9.90 SP3.5) lacks proper validation of user-supplied data when parsing project files.

6.8
2021-02-09 CVE-2021-21148 Google, Fedoraproject, Debian Out-Of-Bounds Write vulnerability in multiple products

Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-02-09 CVE-2021-21146 Google, Fedoraproject Use After Free vulnerability in multiple products

Use after free in Navigation in Google Chrome prior to 88.0.4324.146 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

6.8
2021-02-09 CVE-2021-21145 Google, Fedoraproject Use After Free vulnerability in multiple products

Use after free in Fonts in Google Chrome prior to 88.0.4324.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-02-09 CVE-2021-21144 Google, Fedoraproject Out-Of-Bounds Write vulnerability in multiple products

Heap buffer overflow in Tab Groups in Google Chrome prior to 88.0.4324.146 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.

6.8
2021-02-09 CVE-2021-21143 Google, Fedoraproject Out-Of-Bounds Write vulnerability in multiple products

Heap buffer overflow in Extensions in Google Chrome prior to 88.0.4324.146 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.

6.8
2021-02-09 CVE-2021-21142 Google, Fedoraproject Use After Free vulnerability in multiple products

Use after free in Payments in Google Chrome on Mac prior to 88.0.4324.146 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

6.8
2021-02-09 CVE-2020-27261 Omron Out-Of-Bounds Write vulnerability in Omron products

The Omron CX-One Version 4.60 and prior is vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute arbitrary code.

6.8
2021-02-09 CVE-2020-27259 Omron Unspecified vulnerability in Omron products

The Omron CX-One Version 4.60 and prior may allow an attacker to supply a pointer to arbitrary memory locations, which may allow an attacker to remotely execute arbitrary code.

6.8
2021-02-09 CVE-2020-27257 Omron Type Confusion vulnerability in Omron products

This vulnerability allows local attackers to execute arbitrary code due to the lack of proper validation of user-supplied data, which can result in a type-confusion condition in the Omron CX-One Version 4.60 and prior devices.

6.8
2021-02-09 CVE-2021-21138 Google Use After Free vulnerability in Google Chrome

Use after free in DevTools in Google Chrome prior to 88.0.4324.96 allowed a local attacker to potentially perform a sandbox escape via a crafted file.

6.8
2021-02-09 CVE-2021-21132 Google Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Chrome

Inappropriate implementation in DevTools in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted Chrome Extension.

6.8
2021-02-09 CVE-2021-21128 Google Out-Of-Bounds Write vulnerability in Google Chrome

Heap buffer overflow in Blink in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-02-09 CVE-2021-21127 Google Improper Authentication vulnerability in Google Chrome

Insufficient policy enforcement in extensions in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass content security policy via a crafted Chrome Extension.

6.8
2021-02-09 CVE-2021-21124 Google Use After Free vulnerability in Google Chrome

Potential use after free in Speech Recognizer in Google Chrome on Android prior to 88.0.4324.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

6.8
2021-02-09 CVE-2021-21122 Google Use After Free vulnerability in Google Chrome

Use after free in Blink in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-02-09 CVE-2021-21121 Google Use After Free vulnerability in Google Chrome

Use after free in Omnibox in Google Chrome on Linux prior to 88.0.4324.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

6.8
2021-02-09 CVE-2021-21120 Google Use After Free vulnerability in Google Chrome

Use after free in WebSQL in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-02-09 CVE-2021-21119 Google Use After Free vulnerability in Google Chrome

Use after free in Media in Google Chrome prior to 88.0.4324.96 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-02-09 CVE-2021-21118 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Chrome

Insufficient data validation in V8 in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.

6.8
2021-02-09 CVE-2020-16044 Google Use After Free vulnerability in Google Chrome

Use after free in WebRTC in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted SCTP packet.

6.8
2021-02-09 CVE-2020-13460 Tufin Cross-Site Request Forgery (CSRF) vulnerability in Tufin Securetrack 18.1

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were present in Tufin SecureTrack, affecting all versions prior to R20-2 GA.

6.8
2021-02-08 CVE-2020-36152 Symonics Classic Buffer Overflow vulnerability in Symonics Libmysofa

Buffer overflow in readDataVar in hdf/dataobject.c in Symonics libmysofa 0.5 - 1.1 allows attackers to execute arbitrary code via a crafted SOFA.

6.8
2021-02-08 CVE-2021-26826 Godotengine Out-Of-Bounds Write vulnerability in Godotengine Godot Engine

A stack overflow issue exists in Godot Engine up to v3.2 and is caused by improper boundary checks when loading .TGA image files.

6.8
2021-02-08 CVE-2021-26825 Godotengine Integer Overflow or Wraparound vulnerability in Godotengine Godot Engine

An integer overflow issue exists in Godot Engine up to v3.2 that can be triggered when loading specially crafted .TGA image files.

6.8
2021-02-12 CVE-2021-26753 Nedi Code Injection vulnerability in Nedi 1.9C

NeDi 1.9C allows an authenticated user to inject PHP code in the System Files function on the endpoint /System-Files.php via the txt HTTP POST parameter.

6.5
2021-02-12 CVE-2021-26752 Nedi OS Command Injection vulnerability in Nedi 1.9C

NeDi 1.9C allows an authenticated user to execute operating system commands in the Nodes Traffic function on the endpoint /Nodes-Traffic.php via the md or ag HTTP GET parameter.

6.5
2021-02-12 CVE-2021-22982 F5 Classic Buffer Overflow vulnerability in F5 products

On BIG-IP DNS and GTM version 13.1.x before 13.1.0.4, and all versions of 12.1.x and 11.6.x, big3d does not securely handle and parse certain payloads resulting in a buffer overflow.

6.5
2021-02-11 CVE-2021-21976 Vmware Command Injection vulnerability in VMWare Vsphere Replication

vSphere Replication 8.3.x prior to 8.3.1.2, 8.2.x prior to 8.2.1.1, 8.1.x prior to 8.1.2.3 and 6.5.x prior to 6.5.1.5 contain a post-authentication command injection vulnerability which may allow an authenticated admin user to perform a remote code execution.

6.5
2021-02-11 CVE-2021-21014 Magento Unrestricted Upload of File With Dangerous Type vulnerability in Magento

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass.

6.5
2021-02-11 CVE-2021-21025 Magento XML Injection (aka Blind XPath Injection) vulnerability in Magento

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the product layout updates.

6.5
2021-02-11 CVE-2021-21024 Magento SQL Injection vulnerability in Magento

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a blind SQL injection vulnerability in the Search module.

6.5
2021-02-11 CVE-2021-21019 Magento XML Injection (aka Blind XPath Injection) vulnerability in Magento

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the Widgets module.

6.5
2021-02-10 CVE-2021-25251 Trendmicro Code Injection vulnerability in Trendmicro products

The Trend Micro Security 2020 and 2021 families of consumer products are vulnerable to a code injection vulnerability which could allow an attacker to disable the program's password protection and disable protection.

6.5
2021-02-09 CVE-2021-26958 XCB Project Unchecked Return Value vulnerability in XCB Project XCB 20201210/20210204

An issue was discovered in the xcb crate through 2021-02-04 for Rust.

6.5
2021-02-09 CVE-2021-21472 SAP Unspecified vulnerability in SAP Software Provisioning Manager 1.0

SAP Software Provisioning Manager 1.0 (SAP NetWeaver Master Data Management Server 7.1) does not have an option to set a password during its installation; this allows an authenticated attacker to perform various security attacks such as Directory Traversal, Password Brute Force Attack, SMB Relay Attack, and Security Downgrade.

6.5
2021-02-09 CVE-2020-18215 Phpshe SQL Injection vulnerability in PHPshe 1.7

Multiple SQL Injection vulnerabilities in PHPSHE 1.7 in phpshe/admin.php via the (1) ad_id, (2) menu_id, and (3) cashout_id parameters, which could let a remote malicious user execute arbitrary code.

6.5
2021-02-09 CVE-2021-3394 Millewin Incorrect Default Permissions vulnerability in Millewin 13.39.028/13.39.146.1/13.39.28.3342

Millennium Millewin (also known as "Cartella clinica") 13.39.028, 13.39.28.3342, and 13.39.146.1 has insecure folder permissions that allow a malicious user to perform a local privilege escalation.

6.5
2021-02-08 CVE-2020-35700 Librenms SQL Injection vulnerability in Librenms

A second-order SQL injection issue in Widgets/TopDevicesController.php (aka the Top Devices dashboard widget) of LibreNMS before 21.1.0 allows remote authenticated attackers to execute arbitrary SQL commands via the sort_order parameter against the /ajax/form/widget-settings endpoint.

6.5
2021-02-12 CVE-2021-20651 Elecom Path Traversal vulnerability in Elecom File Manager

Directory traversal vulnerability in ELECOM File Manager all versions allows remote attackers to create an arbitrary file or overwrite an existing file in a directory which can be accessed with the application privileges via unspecified vectors.

6.4
2021-02-11 CVE-2021-21311 Adminer Server-Side Request Forgery (SSRF) vulnerability in Adminer

Adminer is an open-source database management in a single PHP file.

6.4
2021-02-10 CVE-2021-20353 IBM XXE vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.

6.4
2021-02-09 CVE-2021-21479 SAP Injection vulnerability in SAP Scimono

In SCIMono before 0.0.19, it is possible for an attacker to inject and execute a Java expression, compromising the availability and integrity of the system.

6.4
2021-02-09 CVE-2020-4795 IBM Information Exposure vulnerability in IBM Security Identity Governance and Intelligence 5.2.6

IBM Security Identity Governance and Intelligence 5.2.6 could disclose sensitive information to an unauthorized user using a specially crafted HTTP request.

6.4
2021-02-08 CVE-2021-26530 Cesanta Out-Of-Bounds Write vulnerability in Cesanta Mongoose 7.0

The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB write attack via connection request after exhausting memory pool.

6.4
2021-02-08 CVE-2021-26529 Cesanta Out-Of-Bounds Write vulnerability in Cesanta Mongoose

The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable to remote OOB write attack via connection request after exhausting memory pool.

6.4
2021-02-08 CVE-2021-26528 Cesanta Out-Of-Bounds Write vulnerability in Cesanta Mongoose 7.0

The mg_http_serve_file function in Cesanta Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via connection request after exhausting memory pool.

6.4
2021-02-11 CVE-2020-9307 Belden Infinite Loop vulnerability in Belden Hirschmann Hios

Hirschmann OS2, RSP, and RSPE devices before HiOS 08.3.00 allow a denial of service.

6.1
2021-02-12 CVE-2021-22974 F5 Race Condition vulnerability in F5 products

On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6 and all versions of BIG-IQ 7.x and 6.x, an authenticated attacker with access to iControl REST over the control plane may be able to take advantage of a race condition to execute commands with an elevated privilege level.

6.0
2021-02-09 CVE-2021-26551 Smartfoxserver Code Injection vulnerability in Smartfoxserver 2.17.0

An issue was discovered in SmartFoxServer 2.17.0.

6.0
2021-02-12 CVE-2021-22984 F5 Open Redirect vulnerability in F5 products

On BIG-IP Advanced WAF and ASM version 15.1.x before 15.1.0.2, 15.0.x before 15.0.1.4, 14.1.x before 14.1.2.5, 13.1.x before 13.1.3.4, 12.1.x before 12.1.5.2, and 11.6.x before 11.6.5.2, when receiving an unauthenticated client request with a maliciously crafted URI, a BIG-IP Advanced WAF or ASM virtual server configured with a DoS profile with Proactive Bot Defense (versions prior to 14.1.0), or a Bot Defense profile (versions 14.1.0 and later), may subject clients and web servers to Open Redirection attacks.

5.8
2021-02-12 CVE-2021-22981 F5 Unspecified vulnerability in F5 products

On all versions of BIG-IP 12.1.x and 11.6.x, the original TLS protocol includes a weakness in the master secret negotiation that is mitigated by the Extended Master Secret (EMS) extension defined in RFC 7627.

5.8
2021-02-12 CVE-2021-20649 Elecom Improper Certificate Validation vulnerability in Elecom Wrc-300Febk-S Firmware

ELECOM WRC-300FEBK-S contains an improper certificate validation vulnerability.

5.8
2021-02-12 CVE-2020-27862 Dlink Command Injection vulnerability in Dlink Dsl-2888A Firmware and Dva-2800 Firmware

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DVA-2800 and DSL-2888A firmware version 2.3 routers.

5.8
2021-02-11 CVE-2021-22881 Rubyonrails Open Redirect vulnerability in Rubyonrails Rails

The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability.

5.8
2021-02-10 CVE-2020-13565 Open EMR, Phpgacl Project Open Redirect vulnerability in multiple products

An open redirect vulnerability exists in the return_page redirection functionality of phpGACL 3.3.7, OpenEMR 5.0.2 and OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce).

5.8
2021-02-09 CVE-2021-21478 SAP Open Redirect vulnerability in SAP web Dynpro Abap

SAP Web Dynpro ABAP allows an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.

5.8
2021-02-09 CVE-2021-21476 SAP Open Redirect vulnerability in SAP UI

SAP UI5, versions - 1.38.49, 1.52.49, 1.60.34, 1.71.31, 1.78.18, 1.84.5, 1.85.4, 1.86.1, allows an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.

5.8
2021-02-09 CVE-2021-21444 SAP Improper Restriction of Rendered UI Layers or Frames vulnerability in SAP Businessobjects Business Intelligence 410/420/430

SAP Business Objects BI Platform, versions - 410, 420, 430, allows multiple X-Frame-Options headers entries in the response headers, which may not be predictably treated by all user agents.

5.8
2021-02-09 CVE-2021-26675 Intel, Debian, Opensuse Out-Of-Bounds Write vulnerability in multiple products

A stack-based buffer overflow in dnsproxy in ConnMan before 1.39 could be used by network adjacent attackers to execute code.

5.8
2021-02-09 CVE-2021-21125 Google Improper Authentication vulnerability in Google Chrome

Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.

5.8
2021-02-09 CVE-2020-22840 B2Evolution Open Redirect vulnerability in B2Evolution

Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.

5.8
2021-02-08 CVE-2021-26222 Ezxml Project Out-Of-Bounds Write vulnerability in Ezxml Project Ezxml

The ezxml_new function in ezXML 0.8.6 and earlier is vulnerable to OOB write when opening XML file after exhausting the memory pool.

5.8
2021-02-08 CVE-2021-26221 Ezxml Project Out-Of-Bounds Write vulnerability in Ezxml Project Ezxml

The ezxml_new function in ezXML 0.8.6 and earlier is vulnerable to OOB write when opening XML file after exhausting the memory pool.

5.8
2021-02-08 CVE-2021-26220 Ezxml Project Out-Of-Bounds Write vulnerability in Ezxml Project Ezxml

The ezxml_toxml function in ezxml 0.8.6 and earlier is vulnerable to OOB write when opening XML file after exhausting the memory pool.

5.8
2021-02-10 CVE-2020-26299 FTP SRV Project Path Traversal vulnerability in Ftp-Srv Project Ftp-Srv

ftp-srv is an open-source FTP server designed to be simple yet configurable.

5.5
2021-02-09 CVE-2021-21474 SAP Improper Verification of Cryptographic Signature vulnerability in SAP Hana Database 1.00/2.00

SAP HANA Database, versions - 1.0, 2.0, accepts SAML tokens with MD5 digest. An attacker who manages to obtain an MD5-digest signed SAML Assertion issued for an SAP HANA instance might be able to tamper with it and alter it in a way that the digest continues to be the same and without invalidating the digital signature; this allows them to impersonate a user in the HANA database and read the contents of the database.

5.5
2021-02-09 CVE-2020-25237 Siemens Path Traversal vulnerability in Siemens Sinec Network Management System and Sinema Server

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP1 Update 1), SINEMA Server (All versions < V14.0 SP2 Update 2).

5.5
2021-02-09 CVE-2021-26719 Gradle Path Traversal vulnerability in Gradle products

A directory traversal issue was discovered in Gradle gradle-enterprise-test-distribution-agent before 1.3.2, test-distribution-gradle-plugin before 1.3.2, and gradle-enterprise-maven-extension before 1.8.2.

5.5
2021-02-12 CVE-2021-22978 F5 Cross-Site Scripting vulnerability in F5 products

On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x and 11.6.x versions, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of BIG-IP if the victim user is granted the admin role.

5.1
2021-02-14 CVE-2021-27212 Openldap, Debian Reachable Assertion vulnerability in multiple products

In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp.

5.0
2021-02-12 CVE-2021-22977 F5 Unspecified vulnerability in F5 products

On BIG-IP version 16.0.0-16.0.1 and 14.1.2.4-14.1.3, cooperation between malicious HTTP client code and a malicious server may cause TMM to restart and generate a core file.

5.0
2021-02-12 CVE-2020-13949 Apache Resource Exhaustion vulnerability in Apache Thrift

In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

5.0
2021-02-12 CVE-2013-20001 Openzfs Unspecified vulnerability in Openzfs

An issue was discovered in OpenZFS through 2.0.3.

5.0
2021-02-12 CVE-2021-22976 F5 Resource Exhaustion vulnerability in F5 products

On BIG-IP Advanced WAF and ASM version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, and all 12.1.x versions, when the BIG-IP ASM system processes WebSocket requests with JSON payloads, an unusually large number of parameters can cause excessive CPU usage in the BIG-IP ASM bd process.

5.0
2021-02-12 CVE-2021-22973 F5 Out-Of-Bounds Write vulnerability in F5 products

On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x versions, JSON parser function does not protect against out-of-bounds memory accesses or writes.

5.0
2021-02-12 CVE-2021-20412 IBM Use of Hard-Coded Credentials vulnerability in IBM Security Verify Information Queue 1.0.6/1.0.7

IBM Security Verify Information Queue 1.0.6 and 1.0.7 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

5.0
2021-02-12 CVE-2021-20409 IBM Information Exposure vulnerability in IBM Security Verify Information Queue 1.0.6/1.0.7

IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security.

5.0
2021-02-12 CVE-2021-20407 IBM Cleartext Storage of Sensitive Information vulnerability in IBM Security Verify Information Queue 1.0.6/1.0.7

IBM Security Verify Information Queue 1.0.6 and 1.0.7 discloses sensitive information in source code that could be used in further attacks against the system.

5.0
2021-02-12 CVE-2021-27188 XN B1Agzlht Improper Restriction of Excessive Authentication Attempts vulnerability in Xn--B1Agzlht FX Aggregator Terminal Client 1.0

The Sovremennye Delovye Tekhnologii FX Aggregator terminal client 1 allows attackers to cause a denial of service (access suspended for five hours) by making five invalid login attempts to a victim's account.

5.0
2021-02-12 CVE-2021-27187 XN B1Agzlht Insufficiently Protected Credentials vulnerability in Xn--B1Agzlht FX Aggregator Terminal Client 1.0

The Sovremennye Delovye Tekhnologii FX Aggregator terminal client 1 stores authentication credentials in cleartext in login.sav when the Save Password box is checked.

5.0
2021-02-12 CVE-2021-20643 Elecom Incorrect Permission Assignment for Critical Resource vulnerability in Elecom Ld-Ps/U1 Firmware

Improper access control vulnerability in ELECOM LD-PS/U1 allows remote attackers to change the administrative password of the affected device by processing a specially crafted request.

5.0
2021-02-11 CVE-2021-27191 GET IP Range Project Unspecified vulnerability in Get-Ip-Range Project Get-Ip-Range

The get-ip-range package before 4.0.0 for Node.js is vulnerable to denial of service (DoS) if the range is untrusted input.

5.0
2021-02-11 CVE-2021-27184 Pelco XXE vulnerability in Pelco Digital Sentry Server 7.18.72.11464

Pelco Digital Sentry Server 7.18.72.11464 has an XML External Entity vulnerability (exploitable via the DTD parameter entities technique), resulting in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack.

5.0
2021-02-11 CVE-2021-25690 Teradici Null Pointer Dereference vulnerability in Teradici Pcoip Soft Client 20.07.2

A null pointer dereference in Teradici PCoIP Soft Client versions prior to 20.07.3 could allow an attacker to crash the software.

5.0
2021-02-11 CVE-2021-22880 Rubyonrails Resource Exhaustion vulnerability in Rubyonrails Rails

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability.

5.0
2021-02-11 CVE-2021-22656 Advantech Path Traversal vulnerability in Advantech Iview 5.6

Advantech iView versions prior to v5.7.03.6112 are vulnerable to directory traversal, which may allow an attacker to read sensitive files.

5.0
2021-02-11 CVE-2021-22654 Advantech SQL Injection vulnerability in Advantech Iview 5.6

Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may allow an unauthorized attacker to disclose information.

5.0
2021-02-11 CVE-2020-25493 Oclean Use of a Broken or Risky Cryptographic Algorithm vulnerability in Oclean 2.1.2

Oclean Mobile Application 2.1.2 communicates with an external website using HTTP so it is possible to eavesdrop on the network traffic.

5.0
2021-02-11 CVE-2021-20405 IBM Improper Encoding or Escaping of Output vulnerability in IBM Security Verify Information Queue 1.0.6/1.0.7

IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a user to perform unauthorized activities due to improper encoding of output.

5.0
2021-02-11 CVE-2021-20404 IBM Unspecified vulnerability in IBM Security Verify Information Queue 1.0.6/1.0.7

IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a user on the network to cause a denial of service due to an invalid cookie value that could prevent future logins.

5.0
2021-02-11 CVE-2021-23335 IS User Valid Project Injection vulnerability in Is-User-Valid Project Is-User-Valid

All versions of package is-user-valid are vulnerable to LDAP Injection which can lead to either authentication bypass or information exposure.

5.0
2021-02-10 CVE-2021-27186 Treasuredata Null Pointer Dereference vulnerability in Treasuredata Fluent BIT 1.6.10

Fluent Bit 1.6.10 has a NULL pointer dereference when an flb_malloc return value is not validated by flb_avro.c or http_server/api/v1/metrics.c.

5.0
2021-02-10 CVE-2020-13583 Micrium Unspecified vulnerability in Micrium Uc-Http 3.01.00

A denial-of-service vulnerability exists in the HTTP Server functionality of Micrium uC-HTTP 3.01.00.

5.0
2021-02-10 CVE-2020-13578 Genivia Null Pointer Dereference vulnerability in Genivia Gsoap 2.8.107

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107.

5.0
2021-02-10 CVE-2020-13577 Genivia Null Pointer Dereference vulnerability in Genivia Gsoap 2.8.107

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107.

5.0
2021-02-10 CVE-2020-13575 Genivia Null Pointer Dereference vulnerability in Genivia Gsoap 2.8.107

A denial-of-service vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107.

5.0
2021-02-10 CVE-2020-13574 Genivia Null Pointer Dereference vulnerability in Genivia Gsoap 2.8.107

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107.

5.0
2021-02-10 CVE-2021-27179 Fiberhome Improper Input Validation vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-27178 Fiberhome Cleartext Storage of Sensitive Information vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-27176 Fiberhome Cleartext Storage of Sensitive Information vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-27175 Fiberhome Cleartext Storage of Sensitive Information vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-27174 Fiberhome Cleartext Storage of Sensitive Information vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-27173 Fiberhome Improper Authentication vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-27172 Fiberhome Use of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-27170 Fiberhome Insecure Storage of Sensitive Information vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-27169 Fiberhome Use of Hard-Coded Credentials vulnerability in Fiberhome An5506-04-Fa Firmware Rp2631

An issue was discovered on FiberHome AN5506-04-FA devices with firmware RP2631.

5.0
2021-02-10 CVE-2021-27168 Fiberhome Use of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-27167 Fiberhome Use of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-27166 Fiberhome Use of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-27165 Fiberhome Use of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-27144 Fiberhome Use of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-27143 Fiberhome Use of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-27142 Fiberhome Use of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-27141 Fiberhome Use of Hard-Coded Credentials vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-27140 Fiberhome Cleartext Storage of Sensitive Information vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-27139 Fiberhome Unspecified vulnerability in Fiberhome Hg6245D Firmware

An issue was discovered on FiberHome HG6245D devices through RP2613.

5.0
2021-02-10 CVE-2021-26939 Henriquedornas Information Exposure vulnerability in Henriquedornas 5.2.17

** DISPUTED ** An information disclosure issue exists in henriquedornas 5.2.17 because an attacker can dump phpMyAdmin SQL content.

5.0
2021-02-10 CVE-2021-0341 Google Improper Certificate Validation vulnerability in Google Android

In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto.

5.0
2021-02-10 CVE-2020-5023 IBM Resource Exhaustion vulnerability in IBM Spectrum Protect Plus

IBM Spectrum Protect Plus 10.1.0 through 10.1.7 could allow a remote user to inject arbitrary data which could cause the service to crash due to excess resource consumption.

5.0
2021-02-10 CVE-2020-24838 Issuer Project Integer Overflow or Wraparound vulnerability in Issuer Project Issuer

An integer overflow has been found in the latest version of Issuer.

5.0
2021-02-10 CVE-2020-24837 Zcfees Project Integer Underflow (Wrap or Wraparound) vulnerability in Zcfees Project Zcfees

An integer underflow has been found in the latest version of ZCFees.

5.0
2021-02-09 CVE-2021-26954 Qwutils Project Double Free vulnerability in Qwutils Project Qwutils

An issue was discovered in the qwutils crate before 0.3.1 for Rust.

5.0
2021-02-09 CVE-2021-26953 Postscript Project Use of Uninitialized Resource vulnerability in Postscript Project Postscript

An issue was discovered in the postscript crate before 0.14.0 for Rust.

5.0
2021-02-09 CVE-2021-26952 Ms3D Project Use of Uninitialized Resource vulnerability in Ms3D Project Ms3D

An issue was discovered in the ms3d crate before 0.1.3 for Rust.

5.0
2021-02-09 CVE-2020-26195 Dell Improper Handling of Exceptional Conditions vulnerability in Dell EMC Powerscale Onefs

Dell EMC PowerScale OneFS versions 8.1.2 – 9.1.0 contain an issue where the OneFS SMB directory auto-create may erroneously create a directory for a user.

5.0
2021-02-09 CVE-2021-21475 SAP Path Traversal vulnerability in SAP Netweaver Master Data Management Server 710/710.750

Under specific circumstances SAP Master Data Management, versions - 710, 710.750, allows an unauthorized attacker to exploit insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file APIs.

5.0
2021-02-09 CVE-2020-28645 Owncloud Improper Input Validation vulnerability in Owncloud

Deleting users with certain names caused system files to be deleted.

5.0
2021-02-09 CVE-2020-28388 Siemens Unspecified vulnerability in Siemens Nucleus NET and Nucleus Readystart

A vulnerability has been identified in Nucleus NET (All versions < V5.2), Nucleus ReadyStart for ARM, MIPS, and PPC (All versions < V2012.12).

5.0
2021-02-09 CVE-2021-26921 Linuxfoundation Insufficient Session Expiration vulnerability in Linuxfoundation Argo Continuous Delivery

In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled.

5.0
2021-02-09 CVE-2020-4995 IBM Insufficient Session Expiration vulnerability in IBM Security Identity Governance and Intelligence 5.2.6

IBM Security Identity Governance and Intelligence 5.2.6 does not invalidate session after logout which could allow a user to obtain sensitive information from another user's session.

5.0
2021-02-09 CVE-2020-13462 Tufin Unspecified vulnerability in Tufin Securetrack 18.1

Insecure Direct Object Reference (IDOR) exists in Tufin SecureChange, affecting all versions prior to R20-2 GA.

5.0
2021-02-09 CVE-2020-24685 ABB Allocation of Resources Without Limits or Throttling vulnerability in ABB Ac500 CPU Firmware

An unauthenticated specially crafted packet sent by an attacker over the network will cause a denial-of-service (DoS) vulnerability.

5.0
2021-02-08 CVE-2021-21306 Marked Project Resource Exhaustion vulnerability in Marked Project Marked

Marked is an open-source markdown parser and compiler (npm package "marked").

5.0
2021-02-08 CVE-2020-24944 Privateoctopus Infinite Loop vulnerability in Privateoctopus Picoquic

picoquic (before 3rd of July 2020) allows attackers to cause a denial of service (infinite loop) via a crafted QUIC frame, related to the picoquic_decode_frames and picoquic_decode_stream_frame functions and epoch==3.

5.0
2021-02-08 CVE-2021-21240 Httplib2 Project Resource Exhaustion vulnerability in Httplib2 Project Httplib2

httplib2 is a comprehensive HTTP client library for Python.

5.0
2021-02-08 CVE-2021-25837 Chainsafe Unspecified vulnerability in Chainsafe Ethermint

Cosmos Network Ethermint <= v0.4.0 is affected by cache lifecycle inconsistency in the EVM module.

5.0
2021-02-08 CVE-2021-25836 Chainsafe Unspecified vulnerability in Chainsafe Ethermint

Cosmos Network Ethermint <= v0.4.0 is affected by cache lifecycle inconsistency in the EVM module.

5.0
2021-02-08 CVE-2021-25835 Chainsafe Authentication Bypass by Capture-Replay vulnerability in Chainsafe Ethermint

Cosmos Network Ethermint <= v0.4.0 is affected by a cross-chain transaction replay vulnerability in the EVM module.

5.0
2021-02-08 CVE-2021-25834 Chainsafe Authentication Bypass by Capture-Replay vulnerability in Chainsafe Ethermint

Cosmos Network Ethermint <= v0.4.0 is affected by a transaction replay vulnerability in the EVM module.

5.0
2021-02-08 CVE-2021-26540 Apostrophecms Unspecified vulnerability in Apostrophecms Sanitize-Html

Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass the hostname whitelist for the iframe element, related to using an src value that starts with "/\\example.com".

5.0
2021-02-08 CVE-2021-26539 Apostrophecms Unspecified vulnerability in Apostrophecms Sanitize-Html

Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain names (IDN), which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.

5.0
2021-02-08 CVE-2021-3293 Emlog Path Traversal vulnerability in Emlog 5.3.1

emlog v5.3.1 has a full path disclosure vulnerability in t/index.php, which allows an attacker to see the path to the webroot/file.

5.0
2021-02-10 CVE-2021-0338 Google Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Google Android 10.0/11.0

In SystemSettingsValidators, there is a possible permanent denial of service due to missing bounds checks on UI settings.

4.9
2021-02-10 CVE-2021-23883 Mcafee Null Pointer Dereference vulnerability in Mcafee Endpoint Security

A Null Pointer Dereference vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update allows a local administrator to cause Windows to crash via a specific system call which is not handled correctly.

4.9
2021-02-09 CVE-2021-25141 Arubanetworks, HPE

A security vulnerability has been identified in certain HPE and Aruba L2/L3 switch firmware.

4.9
2021-02-12 CVE-2021-20411 IBM Incorrect Resource Transfer Between Spheres vulnerability in IBM Security Verify Information Queue 1.0.6/1.0.7

IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a user to impersonate another user on the system due to incorrectly updating the session identifier.

4.8
2021-02-11 CVE-2020-8027 Opensuse Insecure Temporary File vulnerability in Opensuse Openldap2 2.4.260.74.13/2.4.4118.71.2/2.4.469.31.1

An Insecure Temporary File vulnerability in openldap2 of SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15; openSUSE Leap 15.1, openSUSE Leap 15.2 allows local attackers to overwrite arbitrary files and gain access to the openldap2 configuration. This issue affects: SUSE Linux Enterprise Server 15-LTSS openldap2 versions prior to 2.4.46-9.37.1.

4.6
2021-02-10 CVE-2021-23874 Mcafee Improper Privilege Management vulnerability in Mcafee Total Protection

Arbitrary Process Execution vulnerability in McAfee Total Protection (MTP) prior to 16.0.30 allows a local user to gain elevated privileges and execute arbitrary code bypassing MTP self-defense.

4.6
2021-02-09 CVE-2020-26194 Dell Incorrect Permission Assignment for Critical Resource vulnerability in Dell EMC Powerscale Onefs 8.1.2/8.2.2

Dell EMC PowerScale OneFS versions 8.1.2 and 8.2.2 contain an Incorrect Permission Assignment for a Critical Resource vulnerability.

4.6
2021-02-09 CVE-2020-26192 Dell Missing Authentication for Critical Function vulnerability in Dell EMC Powerscale Onefs

Dell EMC PowerScale OneFS versions 8.2.0 - 9.1.0 contain a privilege escalation vulnerability.

4.6
2021-02-09 CVE-2020-26191 Dell Improper Privilege Management vulnerability in Dell EMC Powerscale Onefs

Dell EMC PowerScale OneFS versions 8.1.0 - 9.1.0 contain a privilege escalation vulnerability.

4.6
2021-02-09 CVE-2020-28392 Siemens Incorrect Default Permissions vulnerability in Siemens Simaris Configuration

A vulnerability has been identified in SIMARIS configuration (All versions).

4.6
2021-02-09 CVE-2020-27006 Siemens Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Teamcenter Visualization (All versions < V13.1.0.1).

4.6
2021-02-09 CVE-2020-27005 Siemens Out-Of-Bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Teamcenter Visualization (All versions < V13.1.0.1).

4.6
2021-02-09 CVE-2020-27003 Siemens Untrusted Pointer Dereference vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Teamcenter Visualization (All versions < V13.1.0.1).

4.6
2021-02-09 CVE-2020-27001 Siemens Stack-Based Buffer Overflow vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Teamcenter Visualization (All versions < V13.1.0.1).

4.6
2021-02-09 CVE-2020-27000 Siemens Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Teamcenter Visualization (All versions < V13.1.0.1).

4.6
2021-02-09 CVE-2021-21140 Google, Microsoft Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in multiple products

Uninitialized use in USB in Google Chrome prior to 88.0.4324.96 allowed a local attacker to potentially perform out of bounds memory access via a USB device.

4.6
2021-02-08 CVE-2020-11915 Svakom Improper Authentication vulnerability in Svakom Siime EYE Firmware 14.1.00000001.3.330.0.0.3.14

An issue was discovered in Svakom Siime Eye 14.1.00000001.3.330.0.0.3.14.

4.6
2021-02-14 CVE-2021-26929 Horde, Debian Cross-Site Scripting vulnerability in multiple products

An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used).

4.3
2021-02-12 CVE-2021-22979 F5 Cross-Site Scripting vulnerability in F5 products

On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.2.8, 13.1.x before 13.1.3.5, and all 12.1.x versions, a reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility when Fraud Protection Service is provisioned and allows an attacker to execute JavaScript in the context of the current logged-in user.

4.3
2021-02-12 CVE-2021-22975 F5 Unspecified vulnerability in F5 products

On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, and 14.1.x before 14.1.3.1, under some circumstances, Traffic Management Microkernel (TMM) may restart on the BIG-IP system while passing large bursts of traffic.

4.3
2021-02-12 CVE-2021-20650 Elecom Cross-Site Request Forgery (CSRF) vulnerability in Elecom Ncc-Ewf100Rmwh2 Firmware

Cross-site request forgery (CSRF) vulnerability in ELECOM NCC-EWF100RMWH2 allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via unspecified vector.

4.3
2021-02-12 CVE-2021-20647 Elecom Cross-Site Request Forgery (CSRF) vulnerability in Elecom Wrc-300Febk-S Firmware

Cross-site request forgery (CSRF) vulnerability in ELECOM WRC-300FEBK-S allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via unspecified vector.

4.3
2021-02-12 CVE-2021-20646 Elecom Cross-Site Request Forgery (CSRF) vulnerability in Elecom Wrc-300Febk-A Firmware

Cross-site request forgery (CSRF) vulnerability in ELECOM WRC-300FEBK-A allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via unspecified vector.

4.3
2021-02-12 CVE-2021-20645 Elecom Cross-Site Scripting vulnerability in Elecom Wrc-300Febk-A Firmware

Cross-site scripting vulnerability in ELECOM WRC-300FEBK-A allows remote authenticated attackers to inject arbitrary script via unspecified vectors.

4.3
2021-02-12 CVE-2021-20644 Elecom Injection vulnerability in Elecom Wrc-1467Ghbk-A Firmware

ELECOM WRC-1467GHBK-A allows arbitrary scripts to be executed on the user's web browser by displaying a specially crafted SSID on the web setup page.

4.3
2021-02-12 CVE-2021-20642 Logitec Improper Handling of Exceptional Conditions vulnerability in Logitec Lan-W300N/Rs Firmware

Improper check or handling of exceptional conditions in LOGITEC LAN-W300N/RS allows a remote attacker to cause a denial-of-service (DoS) condition by sending a specially crafted URL.

4.3
2021-02-12 CVE-2021-20641 Logitec Cross-Site Request Forgery (CSRF) vulnerability in Logitec Lan-W300N/Rs Firmware

Cross-site request forgery (CSRF) vulnerability in LOGITEC LAN-W300N/RS allows remote attackers to hijack the authentication of administrators via a specially crafted URL.

4.3
2021-02-12 CVE-2021-20637 Logitec Improper Handling of Exceptional Conditions vulnerability in Logitec Lan-W300N/Pr5B Firmware

Improper check or handling of exceptional conditions in LOGITEC LAN-W300N/PR5B allows a remote attacker to cause a denial-of-service (DoS) condition by sending a specially crafted URL.

4.3
2021-02-12 CVE-2021-20636 Logitec Cross-Site Request Forgery (CSRF) vulnerability in Logitec Lan-W300N/Pr5B Firmware

Cross-site request forgery (CSRF) vulnerability in LOGITEC LAN-W300N/PR5B allows remote attackers to hijack the authentication of administrators via a specially crafted URL.

4.3
2021-02-11 CVE-2021-21310 Nextauth JS Authentication Bypass by Spoofing vulnerability in Nextauth.Js Next-Auth

NextAuth.js (next-auth) is an open source authentication solution for Next.js applications.

4.3
2021-02-11 CVE-2021-21061 Adobe Use After Free vulnerability in Adobe products

Acrobat Pro DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a Use-after-free vulnerability when parsing a specially crafted PDF file.

4.3
2021-02-11 CVE-2021-21060 Adobe Improper Input Validation vulnerability in Adobe products

Adobe Acrobat Pro DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an improper input validation vulnerability.

4.3
2021-02-11 CVE-2021-21057 Adobe Null Pointer Dereference vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a null pointer dereference vulnerability when parsing a specially crafted PDF file.

4.3
2021-02-11 CVE-2021-21046 Adobe Access of Memory Location After END of Buffer vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a memory corruption vulnerability.

4.3
2021-02-11 CVE-2021-21042 Adobe Out-Of-Bounds Read vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an Out-of-bounds Read vulnerability.

4.3
2021-02-11 CVE-2021-21034 Adobe Out-Of-Bounds Read vulnerability in Adobe products

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an Out-of-bounds Read vulnerability.

4.3
2021-02-11 CVE-2021-21030 Magento Cross-Site Scripting vulnerability in Magento

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature.

4.3
2021-02-11 CVE-2021-21027 Magento Cross-Site Request Forgery (CSRF) vulnerability in Magento

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API.

4.3
2021-02-11 CVE-2021-21022 Magento Improper Authorization vulnerability in Magento

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module.

4.3
2021-02-11 CVE-2021-21020 Magento Improper Access Control vulnerability in Magento

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an access control bypass vulnerability in the Login as Customer module.

4.3
2021-02-11 CVE-2021-21301 Wire Information Exposure vulnerability in Wire

Wire is an open-source collaboration platform.

4.3
2021-02-11 CVE-2020-13185 Teradici Improper Authentication vulnerability in Teradici Cloud Access Connector

Certain web application pages in the authenticated section of the Teradici Cloud Access Connector prior to v18 were accessible without the need to specify authentication tokens, which allowed an attacker to execute sensitive functions without credentials.

4.3
2021-02-10 CVE-2020-24842 Sdgc Cross-Site Scripting vulnerability in Sdgc Pnpscada 2.200816204020

PNPSCADA 2.200816204020 allows cross-site scripting (XSS), which can execute arbitrary JavaScript in the victim's browser.

4.3
2021-02-10 CVE-2021-0335 Google USE After Free vulnerability in Google Android 11.0

In process of C2SoftHevcDec.cpp, there is a possible out of bounds write due to a use after free.

4.3
2021-02-10 CVE-2020-29171 Tipsandtricks HQ Cross-Site Scripting vulnerability in Tipsandtricks-Hq WP Security & Firewall

Cross-site scripting (XSS) vulnerability in admin/wp-security-blacklist-menu.php in the Tips and Tricks HQ All In One WP Security & Firewall (all-in-one-wp-security-and-firewall) plugin before 4.4.6 for WordPress.

4.3
2021-02-10 CVE-2021-23878 Mcafee Cleartext Storage of Sensitive Information vulnerability in Mcafee Endpoint Security

Clear text storage of sensitive Information in memory vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update allows a local user to view ENS settings and credentials via accessing process memory after the ENS administrator has performed specific actions.

4.3
2021-02-09 CVE-2020-22839 B2Evolution Cross-Site Scripting vulnerability in B2Evolution CMS 6.11.6

Reflected cross-site scripting vulnerability (XSS) in the evoadm.php file in b2evolution cms version 6.11.6-stable allows remote attackers to inject arbitrary web script or HTML code via the tab3 parameter.

4.3
2021-02-09 CVE-2021-22267 HPE Authentication Bypass BY Capture-Replay vulnerability in HPE web Viewpoint

Idelji Web ViewPoint Suite, as used in conjunction with HPE NonStop, allows a remote replay attack for T0320L01^ABP through T0320L01^ABZ, T0952L01^AAH through T0952L01^AAR, T0986L01 through T0986L01^AAF, T0665L01^AAP, and T0662L01^AAP (L) and T0320H01^ABO through T0320H01^ABY, T0952H01^AAG through T0952H01^AAQ, T0986H01 through T0986H01^AAE, T0665H01^AAO, and T0662H01^AAO (J and H).

4.3
2021-02-09 CVE-2020-28644 Owncloud Cross-Site Request Forgery (CSRF) vulnerability in Owncloud

The CSRF (Cross Site Request Forgery) token check was improperly implemented on cookie authenticated requests against some ocs API endpoints.

4.3
2021-02-09 CVE-2020-35943 Imagely Cross-Site Request Forgery (CSRF) vulnerability in Imagely Nextgen Gallery

A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload.

4.3
2021-02-09 CVE-2020-35572 Adminer Cross-Site Scripting vulnerability in Adminer

Adminer through 4.7.8 allows XSS via the history parameter to the default URI.

4.3
2021-02-09 CVE-2020-17429 Foxitsoftware Out-Of-Bounds Read vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922.

4.3
2021-02-09 CVE-2020-17428 Foxitsoftware Out-Of-Bounds Read vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922.

4.3
2021-02-09 CVE-2020-17422 Foxitsoftware Out-Of-Bounds Read vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922.

4.3
2021-02-09 CVE-2020-17420 Foxitsoftware Out-Of-Bounds Read vulnerability in Foxitsoftware Foxit Studio Photo 3.6.6.922

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922.

4.3
2021-02-09 CVE-2021-21147 Google, Fedoraproject

Inappropriate implementation in Skia in Google Chrome prior to 88.0.4324.146 allowed a local attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

4.3
2021-02-09 CVE-2021-21141 Google, Microsoft Improper Authentication vulnerability in multiple products

Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass file extension policy via a crafted HTML page.

4.3
2021-02-09 CVE-2021-21139 Google Improper Restriction of Rendered UI Layers OR Frames vulnerability in Google Chrome

Inappropriate implementation in iframe sandbox in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

4.3
2021-02-09 CVE-2021-21137 Google Information Exposure vulnerability in Google Chrome

Inappropriate implementation in DevTools in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to obtain potentially sensitive information from disk via a crafted HTML page.

4.3
2021-02-09 CVE-2021-21136 Google Origin Validation Error vulnerability in Google Chrome

Insufficient policy enforcement in WebView in Google Chrome on Android prior to 88.0.4324.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

4.3
2021-02-09 CVE-2021-21135 Google Origin Validation Error vulnerability in Google Chrome

Inappropriate implementation in Performance API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

4.3
2021-02-09 CVE-2021-21134 Google Authentication Bypass BY Spoofing vulnerability in Google Chrome

Incorrect security UI in Page Info in Google Chrome on iOS prior to 88.0.4324.96 allowed a remote attacker to spoof security UI via a crafted HTML page.

4.3
2021-02-09 CVE-2021-21133 Google Improper Authentication vulnerability in Google Chrome

Insufficient policy enforcement in Downloads in Google Chrome prior to 88.0.4324.96 allowed an attacker who convinced a user to download files to bypass navigation restrictions via a crafted HTML page.

4.3
2021-02-09 CVE-2021-21131 Google Improper Authentication vulnerability in Google Chrome

Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.

4.3
2021-02-09 CVE-2021-21130 Google Improper Authentication vulnerability in Google Chrome

Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.

4.3
2021-02-09 CVE-2021-21129 Google Improper Authentication vulnerability in Google Chrome

Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.

4.3
2021-02-09 CVE-2021-21126 Google Improper Authentication vulnerability in Google Chrome

Insufficient policy enforcement in extensions in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension.

4.3
2021-02-09 CVE-2021-21123 Google Improper Input Validation vulnerability in Google Chrome

Insufficient data validation in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.

4.3
2021-02-09 CVE-2021-23327 Fusioncharts Cross-Site Scripting vulnerability in Fusioncharts Apexcharts

The package apexcharts before 3.24.0 is vulnerable to Cross-site Scripting (XSS) via lack of sanitization of graph legend fields.

4.3
2021-02-09 CVE-2020-13409 Tufin Cross-Site Scripting vulnerability in Tufin Securetrack 18.1

Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (as in, the value is reflected back to the user, but is also stored within the DB and can be later triggered again by the same victim, or also later by different users).

4.3
2021-02-09 CVE-2020-13408 Tufin Cross-Site Scripting vulnerability in Tufin Securetrack 18.1

Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (as in, the value is reflected back to the user, but is also stored within the DB and can be later triggered again by the same victim, or also later by different users).

4.3
2021-02-09 CVE-2020-13407 Tufin Cross-Site Scripting vulnerability in Tufin Securetrack 18.1

Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (as in, the value is reflected back to the user, but is also stored within the DB and can be later triggered again by the same victim, or also later by different users).

4.3
2021-02-08 CVE-2021-26916 Nopcommerce Cross-Site Scripting vulnerability in Nopcommerce 4.30

In nopCommerce 4.30, a Reflected XSS issue in the Discount Coupon component allows remote attackers to inject arbitrary web script or HTML through the Filters/CheckDiscountCouponAttribute.cs discountcode parameter.

4.3
2021-02-08 CVE-2020-13947 Apache Cross-Site Scripting vulnerability in Apache Activemq

An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ versions 5.15.12 through 5.16.0.

4.3
2021-02-08 CVE-2020-36151 Symonics Out-Of-Bounds Write vulnerability in Symonics Libmysofa

Incorrect handling of input data in mysofa_resampler_reset_mem function in the libmysofa library 0.5 - 1.1 will lead to heap buffer overflow and overwriting large memory block.

4.3
2021-02-08 CVE-2020-36150 Symonics Out-Of-Bounds Write vulnerability in Symonics Libmysofa

Incorrect handling of input data in loudness function in the libmysofa library 0.5 - 1.1 will lead to heap buffer overflow and access to unallocated memory block.

4.3
2021-02-08 CVE-2020-36149 Symonics Null Pointer Dereference vulnerability in Symonics Libmysofa

Incorrect handling of input data in changeAttribute function in the libmysofa library 0.5 - 1.1 will lead to NULL pointer dereference and segmentation fault error in case of restrictive memory protection or near NULL pointer overwrite in case of no memory restrictions (e.g.

4.3
2021-02-08 CVE-2020-36148 Symonics Null Pointer Dereference vulnerability in Symonics Libmysofa

Incorrect handling of input data in verifyAttribute function in the libmysofa library 0.5 - 1.1 will lead to NULL pointer dereference and segmentation fault error in case of restrictive memory protection or near NULL pointer overwrite in case of no memory restrictions (e.g.

4.3
2021-02-08 CVE-2021-22122 Fortinet Cross-Site Scripting vulnerability in Fortinet Fortiweb

An improper neutralization of input during web page generation in FortiWeb GUI interface 6.3.0 through 6.3.7 and version before 6.2.4 may allow an unauthenticated, remote attacker to perform a reflected cross site scripting attack (XSS) by injecting malicious payload in different vulnerable API end-points.

4.3
2021-02-08 CVE-2021-21435 Otrs Information Exposure vulnerability in Otrs

Article Bcc fields and agent personal information are shown when customer prints the ticket (PDF) via external interface.

4.3
2021-02-11 CVE-2021-20335 Mongodb Cleartext Transmission of Sensitive Information vulnerability in Mongodb OPS Manager

For MongoDB Ops Manager 4.2.X with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager 4.4.X triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster.

4.1
2021-02-13 CVE-2021-27210 TP Link Cleartext Storage of Sensitive Information vulnerability in Tp-Link Archer C5V Firmware 1.7181221

TP-Link Archer C5v 1.7_181221 devices allow remote attackers to retrieve cleartext credentials via [USER_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,0 to the /cgi?1&5 URI.

4.0
2021-02-12 CVE-2021-26751 Nedi SQL Injection vulnerability in Nedi 1.9C

NeDi 1.9C allows an authenticated user to perform a SQL Injection in the Monitoring History function on the endpoint /Monitoring-History.php via the det HTTP GET parameter.

4.0
2021-02-12 CVE-2021-20406 IBM USE of A Broken OR Risky Cryptographic Algorithm vulnerability in IBM Security Verify Information Queue 1.0.6/1.0.7

IBM Security Verify Information Queue 1.0.6 and 1.0.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

4.0
2021-02-11 CVE-2021-21026 Magento Improper Authorization vulnerability in Magento

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by an improper authorization vulnerability in the integrations module.

4.0
2021-02-11 CVE-2020-1717 Redhat Information Exposure Through AN Error Message vulnerability in Redhat products

A flaw was found in Keycloak 7.0.1.

4.0
2021-02-11 CVE-2021-20402 IBM Information Exposure Through AN Error Message vulnerability in IBM Security Verify Information Queue 1.0.6/1.0.7

IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

4.0
2021-02-10 CVE-2020-27870 Solarwinds Path Traversal vulnerability in Solarwinds Orion Platform 2020.2.1

This vulnerability allows remote attackers to disclose sensitive information on affected installations of SolarWinds Orion Platform 2020.2.1.

4.0
2021-02-10 CVE-2020-8355 Lenovo Cleartext Transmission of Sensitive Information vulnerability in Lenovo Xclarity Administrator

An internal product security audit of Lenovo XClarity Administrator (LXCA) prior to version 3.1.0 discovered the Windows OS credentials provided by the LXCA user to perform driver updates of managed systems may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated while managed endpoints are updating.

4.0
2021-02-10 CVE-2021-21296 Fleetdm Resource Exhaustion vulnerability in Fleetdm Fleet

Fleet is an open source osquery manager.

4.0
2021-02-10 CVE-2020-7021 Elastic Information Exposure Through LOG Files vulnerability in Elastic Elasticsearch

Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option are enabled.

4.0
2021-02-08 CVE-2021-26905 1Password Insufficiently Protected Credentials vulnerability in 1Password Scim Bridge

1Password SCIM Bridge before 1.6.2 mishandles validation of authenticated requests for log files, leading to disclosure of a TLS private key.

4.0
2021-02-08 CVE-2021-21288 Carrierwave Project Server-Side Request Forgery (SSRF) vulnerability in Carrierwave Project Carrierwave

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications.

4.0
2021-02-08 CVE-2021-20359 IBM Information Exposure Through LOG Files vulnerability in IBM Cloud PAK for Automation 20.0.2/20.0.3

IBM Cloud Pak for Automation 20.0.3, 20.0.2-IF002 - Business Automation Application Designer Component stores potentially sensitive information in log files that could be obtained by an unauthorized user.

4.0
2021-02-08 CVE-2021-20358 IBM Cleartext Storage of Sensitive Information vulnerability in IBM Cloud PAK for Automation 20.0.2/20.0.3

IBM Cloud Pak for Automation 20.0.3, 20.0.2-IF002 stores potentially sensitive information in clear text in API connection log files.

4.0
2021-02-08 CVE-2021-21436 Otrs Incorrect Default Permissions vulnerability in Otrs CIS in Customer Frontend 7.0.0/7.0.14

Agents are able to see and link Config Items without permissions, which are defined in General Catalog.

4.0
2021-02-08 CVE-2020-1779 Otrs Information Exposure vulnerability in Otrs Ticket Forms

When dynamic templates are used (OTRSTicketForms), admin can use OTRS tags which are not masked properly and can reveal sensitive information.

4.0

57 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-02-13 CVE-2021-27209 TP Link Cleartext Transmission of Sensitive Information vulnerability in Tp-Link Archer C5V Firmware 1.7181221

In the management interface on TP-Link Archer C5v 1.7_181221 devices, credentials are sent in a base64 format over cleartext HTTP.

3.6
2021-02-11 CVE-2020-8030 Suse Insecure Temporary File vulnerability in Suse Caas Platform 4.5

An Insecure Temporary File vulnerability in skuba of SUSE CaaS Platform 4.5 allows local attackers to leak the bootstrapToken or modify the configuration file before it is processed, leading to arbitrary modifications of the machine/cluster.

3.6
2021-02-10 CVE-2021-23873 Mcafee Improper Privilege Management vulnerability in Mcafee Total Protection

Privilege Escalation vulnerability in McAfee Total Protection (MTP) prior to 16.0.30 allows a local user to gain elevated privileges and perform arbitrary file deletion as the SYSTEM user potentially causing Denial of Service via manipulating Junction link, after enumerating certain files, at a specific time.

3.6
2021-02-09 CVE-2020-27008 Siemens Out-Of-Bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Teamcenter Visualization (All versions < V13.1.0.1).

3.6
2021-02-09 CVE-2020-27007 Siemens Out-Of-Bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Teamcenter Visualization (All versions < V13.1.0.1).

3.6
2021-02-09 CVE-2020-27004 Siemens Out-Of-Bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Teamcenter Visualization (All versions < V13.1.0.1).

3.6
2021-02-09 CVE-2020-27002 Siemens Out-Of-Bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Teamcenter Visualization (All versions < V13.1.0.1).

3.6
2021-02-12 CVE-2021-22983 F5 Cross-Site Scripting vulnerability in F5 Big-Ip Advanced Firewall Manager

On BIG-IP AFM version 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.5, authenticated users accessing the Configuration utility for AFM are vulnerable to a cross-site scripting attack if they attempt to access a maliciously-crafted URL.

3.5
2021-02-12 CVE-2021-20410 IBM Cleartext Storage of Sensitive Information vulnerability in IBM Security Verify Information Queue 1.0.6/1.0.7

IBM Security Verify Information Queue 1.0.6 and 1.0.7 sends user credentials in plain clear text which can be read by an authenticated user using man in the middle techniques.

3.5
2021-02-12 CVE-2021-27190 Peel Cross-Site Scripting vulnerability in Peel Shopping 9.3.0

A Stored Cross Site Scripting (XSS) Vulnerability was discovered in PEEL SHOPPING 9.3.0 which is publicly available.

3.5
2021-02-11 CVE-2021-21029 Magento Cross-Site Scripting vulnerability in Magento

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a Reflected Cross-site Scripting vulnerability via 'file' parameter.

3.5
2021-02-11 CVE-2021-21023 Magento Cross-Site Scripting vulnerability in Magento

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting vulnerability in the admin console.

3.5
2021-02-11 CVE-2020-4768 IBM Cross-Site Scripting vulnerability in IBM Business Automation Workflow and Case Manager

IBM Case Manager 5.2 and 5.3 and IBM Business Automation Workflow 18.0, 19.0, and 20.0 are vulnerable to cross-site scripting.

3.5
2021-02-11 CVE-2020-8031 Opensuse Cross-Site Scripting vulnerability in Opensuse Open Build Service

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Open Build Service allows remote attackers to store JS code in markdown that is not properly escaped, impacting confidentiality and integrity.

3.5
2021-02-10 CVE-2021-26938 Henriquedornas Cross-Site Scripting vulnerability in Henriquedornas 5.2.17

** DISPUTED ** A stored XSS issue exists in henriquedornas 5.2.17 via online live chat.

3.5
2021-02-10 CVE-2021-23881 Mcafee Cross-Site Scripting vulnerability in Mcafee Endpoint Security

A stored cross site scripting vulnerability in ePO extension of McAfee Endpoint Security (ENS) prior to 10.7.0 February 2021 Update allows an ENS ePO administrator to add a script to a policy event which will trigger the script to be run through a browser block page when a local non-administrator user triggers the policy.

3.5
2021-02-10 CVE-2021-20654 Wekan Project Cross-Site Scripting vulnerability in Wekan Project Wekan

Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scripting.

3.5
2021-02-09 CVE-2021-26549 Smartfoxserver Cross-Site Scripting vulnerability in Smartfoxserver 2.17.0

An XSS issue was discovered in SmartFoxServer 2.17.0.

3.5
2021-02-09 CVE-2020-16144 Owncloud Incorrect Default Permissions vulnerability in Owncloud Files Antivirus

When using an object storage like S3 as the file store, when a user creates a public link to a folder where anonymous users can upload files, and another user uploads a virus, the files antivirus app would detect the virus but fail to delete it due to permission issues.

3.5
2021-02-09 CVE-2020-22841 B2Evolution Cross-Site Scripting vulnerability in B2Evolution

Stored XSS in b2evolution CMS version 6.11.6 and prior allows an attacker to perform malicious JavaScript code execution via the plugin name input field in the plugin module.

3.5
2021-02-09 CVE-2021-26925 Roundcube, Fedoraproject Cross-Site Scripting vulnerability in multiple products

Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.

3.5
2021-02-09 CVE-2021-3294 Casap Automated Enrollment System Project Cross-Site Scripting vulnerability in Casap Automated Enrollment System Project Casap Automated Enrollment System 1.0

CASAP Automated Enrollment System 1.0 is affected by cross-site scripting (XSS) in users.php.

3.5
2021-02-08 CVE-2020-29021 Secomea Cross-Site Scripting vulnerability in Secomea products

A vulnerability in a web UI input field of GateManager allows an authenticated attacker to enter script tags that could cause XSS.

3.5
2021-02-08 CVE-2020-26052 Online Marriage Registration System Project Cross-Site Scripting vulnerability in Online Marriage Registration System Project Online Marriage Registration System 1.0

Online Marriage Registration System 1.0 is affected by stored cross-site scripting (XSS) vulnerabilities in multiple parameters.

3.5
2021-02-08 CVE-2021-21434 Otrs Cross-Site Scripting vulnerability in Otrs Survey

Survey administrator can craft a survey in such way that malicious code can be executed in the agent interface (i.e.

3.5
2021-02-12 CVE-2021-20635 Logitec Improper Restriction of Excessive Authentication Attempts vulnerability in Logitec Lan-Wh450N/Gr Firmware

Improper restriction of excessive authentication attempts in LOGITEC LAN-WH450N/GR allows an attacker in the wireless range of the device to recover the PIN and access the network.

3.3
2021-02-12 CVE-2020-27863 Dlink Improper Authentication vulnerability in Dlink Dsl-2888A Firmware and Dva-2800 Firmware

This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DVA-2800 and DSL-2888A firmware version 2.3 routers.

3.3
2021-02-09 CVE-2021-25666 Siemens Allocation of Resources Without Limits OR Throttling vulnerability in Siemens Scalance W740 Firmware and Scalance W780 Firmware

A vulnerability has been identified in SCALANCE W780 and W740 (IEEE 802.11n) family (All versions < V6.3).

3.3
2021-02-09 CVE-2021-26676 Intel, Debian, Opensuse

gdhcp in ConnMan before 1.39 could be used by network-adjacent attackers to leak sensitive stack information, allowing further exploitation of bugs in gdhcp.

3.3
2021-02-09 CVE-2020-4790 IBM Improper Input Validation vulnerability in IBM Security Identity Governance and Intelligence 5.2.6

IBM Security Identity Governance and Intelligence 5.2.6 could allow a user to cause a denial of service due to improperly validating a supplied URL, rendering the application unusable.

3.3
2021-02-09 CVE-2020-13461 Tufin Unspecified vulnerability in Tufin Securetrack

Username enumeration is present in Tufin SecureTrack.

3.3
2021-02-10 CVE-2021-22133 Elastic Information Exposure Through LOG Files vulnerability in Elastic APM Agent

The Elastic APM agent for Go versions before 1.11.0 can leak sensitive HTTP header information when logging the details during an application panic.

2.7
2021-02-11 CVE-2020-13186 Teradici Cross-Site Request Forgery (CSRF) vulnerability in Teradici Cloud Access Connector

An Anti CSRF mechanism was discovered missing in the Teradici Cloud Access Connector v31 and earlier in a specific web form, which allowed an attacker with knowledge of both a machineID and user GUID to modify data if a user clicked a malicious link.

2.6
2021-02-12 CVE-2021-20408 IBM Cleartext Storage of Sensitive Information vulnerability in IBM Security Verify Information Queue 1.0.6/1.0.7

IBM Security Verify Information Queue 1.0.6 and 1.0.7 could disclose highly sensitive information to a local user due to improper storage of a plaintext cryptographic key.

2.1
2021-02-12 CVE-2021-27205 Telegram Cleartext Storage of Sensitive Information vulnerability in Telegram

Telegram before 7.4 (212543) Stable on macOS stores the local copy of self-destructed messages in a sandbox path, leading to sensitive information disclosure.

2.1
2021-02-12 CVE-2021-27204 Telegram Cleartext Storage of Sensitive Information vulnerability in Telegram

Telegram before 7.4 (212543) Stable on macOS stores the local passcode in cleartext, leading to information disclosure.

2.1
2021-02-11 CVE-2021-21055 Adobe Untrusted Search Path vulnerability in Adobe Dreamweaver

Adobe Dreamweaver versions 21.0 (and earlier) and 20.2 (and earlier) are affected by an untrusted search path vulnerability that could result in information disclosure.

2.1
2021-02-11 CVE-2021-25688 Teradici Information Exposure Through LOG Files vulnerability in Teradici Pcoip Graphics Agent and Pcoip Standard Agent

Under certain conditions, Teradici PCoIP Agents for Windows prior to version 20.10.0 and Teradici PCoIP Agents for Linux prior to version 21.01.0 may log parts of a user's password in the application logs.

2.1
2021-02-11 CVE-2020-10734 Redhat Cross-Site Request Forgery (CSRF) vulnerability in Redhat products

A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection.

2.1
2021-02-11 CVE-2020-8029 Suse Incorrect Permission Assignment for Critical Resource vulnerability in Suse Caas Platform 4.5

An Incorrect Permission Assignment for Critical Resource vulnerability in skuba of SUSE CaaS Platform 4.5 allows local attackers to gain access to the kubelet key.

2.1
2021-02-10 CVE-2020-16120 Linux, Canonical Improper Privilege Management vulnerability in multiple products

Overlayfs did not properly perform permission checking when copying up files in an overlayfs and could be exploited from within a user namespace, if, for example, unprivileged user namespaces were allowed.

2.1
2021-02-10 CVE-2021-23880 Mcafee Improper Privilege Management vulnerability in Mcafee Endpoint Security

Improper Access Control in attribute in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update allows authenticated local administrator user to perform an uninstallation of the anti-malware engine via the running of a specific command with the correct parameters.

2.1
2021-02-09 CVE-2020-26196 Dell Incorrect Permission Assignment for Critical Resource vulnerability in Dell EMC Powerscale Onefs

Dell EMC PowerScale OneFS versions 8.1.0-9.1.0 contain a Backup/Restore Privilege implementation issue.

2.1
2021-02-09 CVE-2021-26550 Smartfoxserver Cleartext Storage of Sensitive Information vulnerability in Smartfoxserver 2.17.0

An issue was discovered in SmartFoxServer 2.17.0.

2.1
2021-02-09 CVE-2020-28394 Siemens Out-Of-Bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Teamcenter Visualization (All versions < V13.1.0.1).

2.1
2021-02-09 CVE-2020-26999 Siemens Out-Of-Bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Teamcenter Visualization (All versions < V13.1.0.1).

2.1
2021-02-09 CVE-2020-26998 Siemens Out-Of-Bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Teamcenter Visualization (All versions < V13.1.0.1).

2.1
2021-02-09 CVE-2020-10048 Siemens Improper Authentication vulnerability in Siemens Simatic PCS 7 and Simatic Wincc

A vulnerability has been identified in SIMATIC PCS 7 (All versions), SIMATIC WinCC (All versions < V7.5 SP2).

2.1
2021-02-09 CVE-2020-4996 IBM Unspecified vulnerability in IBM Security Identity Governance and Intelligence 5.2.6

IBM Security Identity Governance and Intelligence 5.2.6 could allow a local user to obtain sensitive information via the capturing of screenshots of authentication credentials.

2.1
2021-02-08 CVE-2021-26917 Bitmessage Unspecified vulnerability in Bitmessage Pybitmessage

** DISPUTED ** PyBitmessage through 0.6.3.2 allows attackers to write screen captures to Potentially Unwanted Directories via a crafted apinotifypath value.

2.1
2021-02-08 CVE-2020-14391 Gnome Insufficiently Protected Credentials vulnerability in Gnome Control Center

A flaw was found in the GNOME Control Center in Red Hat Enterprise Linux 8 versions prior to 8.2, where it improperly uses Red Hat Customer Portal credentials when a user registers a system through the GNOME Settings User Interface.

2.1
2021-02-08 CVE-2020-8590 Netapp Unspecified vulnerability in Netapp Clustered Data Ontap

Clustered Data ONTAP versions prior to 9.1P18 and 9.3P12 are susceptible to a vulnerability which could allow an attacker to discover node names via AutoSupport bundles even when the -remove-private-data parameter is set to true.

2.1
2021-02-08 CVE-2020-8587 Netapp Unspecified vulnerability in Netapp Oncommand System Manager 9.3/9.4

OnCommand System Manager 9.x versions prior to 9.3P20 and 9.4 prior to 9.4P3 are susceptible to a vulnerability that could allow HTTP clients to cache sensitive responses making them accessible to an attacker who has access to the system where the client runs.

2.1
2021-02-08 CVE-2020-8578 Netapp Unspecified vulnerability in Netapp Clustered Data Ontap

Clustered Data ONTAP versions prior to 9.3P20 are susceptible to a vulnerability which could allow an attacker to discover node names via AutoSupport bundles even when the -remove-private-data parameter is set to true.

2.1
2021-02-10 CVE-2021-23882 Mcafee Improper Privilege Management vulnerability in Mcafee Endpoint Security

Improper Access Control vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update allows local administrators to prevent the installation of some ENS files by placing carefully crafted files where ENS will be installed.

1.9
2021-02-08 CVE-2021-21290 Netty, Debian Creation of Temporary File in Directory With Incorrect Permissions vulnerability in multiple products

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

1.9
2021-02-09 CVE-2020-4791 IBM Information Exposure vulnerability in IBM Security Identity Governance and Intelligence 5.2.6

IBM Security Identity Governance and Intelligence 5.2.6 could allow an attacker to obtain sensitive information using man-in-the-middle attacks due to improper certificate validation.

1.8