Weekly Vulnerabilities Reports > February 15 to 21, 2021

Overview

290 new vulnerabilities reported during this period, including 13 critical vulnerabilities and 43 high severity vulnerabilities. This weekly summary report vulnerabilities in 318 products from 137 vendors including Intel, Mbconnectline, Fedoraproject, Debian, and Oracle. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Improper Privilege Management", "Out-of-bounds Write", and "Incorrect Authorization".

  • 192 reported vulnerabilities are remotely exploitables.
  • 8 reported vulnerabilities have public exploit available.
  • 95 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 216 reported vulnerabilities are exploitable by an anonymous user.
  • Intel has the most reported vulnerabilities, with 58 reported vulnerabilities.
  • Nagios has the most reported critical vulnerabilities, with 3 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

13 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-02-19 CVE-2019-25024 Alleghenycreative OS Command Injection vulnerability in Alleghenycreative Openrepeater

OpenRepeater (ORP) before 2.2 allows unauthenticated command injection via shell metacharacters in the functions/ajax_system.php post_service parameter.

10.0
2021-02-18 CVE-2021-26747 Netis Systems OS Command Injection vulnerability in Netis-Systems Wf2411 Firmware and Wf2780 Firmware

Netis WF2780 2.3.40404 and WF2411 1.1.29629 devices allow Shell Metacharacter Injection into the ping command, leading to remote code execution.

10.0
2021-02-18 CVE-2021-27329 Frendi Server-Side Request Forgery (SSRF) vulnerability in Frendi Frendica 2021.01

Friendica 2021.01 allows SSRF via parse_url?binurl= for DNS lookups or HTTP requests to arbitrary domain names.

10.0
2021-02-16 CVE-2021-27104 Accellion OS Command Injection vulnerability in Accellion FTA 912370

Accellion FTA 9_12_370 and earlier is affected by OS command execution via a crafted POST request to various admin endpoints.

10.0
2021-02-19 CVE-2021-3210 Bloodhound Project Cross-site Scripting vulnerability in Bloodhound Project Bloodhound

components/Modals/HelpTexts/GenericAll/GenericAll.jsx in Bloodhound <= 4.0.1 allows remote attackers to execute arbitrary system commands when the victim imports a malicious data file containing JavaScript in the objectId parameter.

9.3
2021-02-19 CVE-2020-12873 Atlassian Injection vulnerability in Atlassian Alfresco Enterprise Content Management

An issue was discovered in Alfresco Enterprise Content Management (ECM) before 6.2.1.

9.0
2021-02-17 CVE-2021-23885 Mcafee Improper Privilege Management vulnerability in Mcafee web Gateway

Privilege escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.8 allows an authenticated user to gain elevated privileges through the User Interface and execute commands on the appliance via incorrect improper neutralization of user input in the troubleshooting page.

9.0
2021-02-17 CVE-2021-20655 Soliton OS Command Injection vulnerability in Soliton Filezen

FileZen (V3.0.0 to V4.2.7 and V5.0.0 to V5.0.2) allows a remote attacker with administrator rights to execute arbitrary OS commands via unspecified vectors.

9.0
2021-02-16 CVE-2021-20074 Racom OS Command Injection vulnerability in Racom M!Dge Firmware 4.4.40.105

Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows users to escape the provided command line interface and execute arbitrary OS commands.

9.0
2021-02-16 CVE-2021-20987 Hilscher
Pepperl Fuchs
Out-of-bounds Write vulnerability in multiple products

A denial of service and memory corruption vulnerability was found in Hilscher EtherNet/IP Core V2 prior to V2.13.0.21that may lead to code injection through network or make devices crash without recovery.

9.0
2021-02-15 CVE-2021-25298 Nagios OS Command Injection vulnerability in Nagios XI 5.7.5

Nagios XI version xi-5.7.5 is affected by OS command injection.

9.0
2021-02-15 CVE-2021-25297 Nagios OS Command Injection vulnerability in Nagios XI 5.7.5

Nagios XI version xi-5.7.5 is affected by OS command injection.

9.0
2021-02-15 CVE-2021-25296 Nagios OS Command Injection vulnerability in Nagios XI 5.7.5

Nagios XI version xi-5.7.5 is affected by OS command injection.

9.0

43 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-02-16 CVE-2021-20072 Racom Improper Privilege Management vulnerability in Racom M!Dge Firmware 4.4.40.105

Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to arbitrarily access and delete files via an authenticated directory traveral.

8.7
2021-02-18 CVE-2021-20354 IBM Path Traversal vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories.

7.8
2021-02-17 CVE-2020-7848 Iptime Command Injection vulnerability in Iptime C200 Firmware 1.0.12

The EFM ipTIME C200 IP Camera is affected by a Command Injection vulnerability in /login.cgi?logout=1 script.

7.7
2021-02-19 CVE-2021-20588 Mitsubishielectric Improper Handling of Exceptional Conditions vulnerability in Mitsubishielectric products

Improper handling of length parameter inconsistency vulnerability in Mitsubishi Electric FA Engineering Software(C Controller module setting and monitoring tool all versions, CPU Module Logging Configuration Tool versions 1.112R and prior, CW Configurator versions 1.011M and prior, Data Transfer versions 3.44W and prior, EZSocket all versions, FR Configurator all versions, FR Configurator SW3 all versions, FR Configurator2 versions 1.24A and prior, GT Designer3 Version1(GOT1000) versions 1.250L and prior, GT Designer3 Version1(GOT2000) versions 1.250L and prior, GT SoftGOT1000 Version3 versions 3.245F and prior, GT SoftGOT2000 Version1 versions 1.250L and prior, GX Configurator-DP versions 7.14Q and prior, GX Configurator-QP all versions, GX Developer versions 8.506C and prior, GX Explorer all versions, GX IEC Developer all versions, GX LogViewer versions 1.115U and prior, GX RemoteService-I all versions, GX Works2 versions 1.597X and prior, GX Works3 versions 1.070Y and prior, iQ Monozukuri ANDON (Data Transfer) all versions, iQ Monozukuri Process Remote Monitoring (Data Transfer) all versions, M_CommDTM-HART all versions, M_CommDTM-IO-Link all versions, MELFA-Works versions 4.4 and prior, MELSEC WinCPU Setting Utility all versions, MELSOFT EM Software Development Kit (EM Configurator) all versions, MELSOFT Navigator versions 2.74C and prior, MH11 SettingTool Version2 versions 2.004E and prior, MI Configurator all versions, MT Works2 all versions, MX Component all versions, Network Interface Board CC IE Control utility all versions, Network Interface Board CC IE Field Utility all versions, Network Interface Board CC-Link Ver.2 Utility all versions, Network Interface Board MNETH utility all versions, PX Developer versions 1.53F and prior, RT ToolBox2 versions 3.73B and prior, RT ToolBox3 versions 1.82L and prior, Setting/monitoring tools for the C Controller module all versions, SLMP Data Collector all versions) allows a remote unauthenticated attacker to cause a DoS condition of the software products, and possibly to execute a malicious program on the personal computer running the software products although it has not been reproduced, by spoofing MELSEC, GOT or FREQROL and returning crafted reply packets.

7.5
2021-02-19 CVE-2021-20587 Mitsubishielectric Out-of-bounds Write vulnerability in Mitsubishielectric products

Heap-based buffer overflow vulnerability in Mitsubishi Electric FA Engineering Software (C Controller module setting and monitoring tool all versions, CPU Module Logging Configuration Tool versions 1.112R and prior, CW Configurator versions 1.011M and prior, Data Transfer versions 3.44W and prior, EZSocket all versions, FR Configurator all versions, FR Configurator SW3 all versions, FR Configurator2 versions 1.24A and prior, GT Designer3 Version1(GOT1000) versions 1.250L and prior, GT Designer3 Version1(GOT2000) versions 1.250L and prior, GT SoftGOT1000 Version3 versions 3.245F and prior, GT SoftGOT2000 Version1 versions 1.250L and prior, GX Configurator-DP versions 7.14Q and prior, GX Configurator-QP all versions, GX Developer versions 8.506C and prior, GX Explorer all versions, GX IEC Developer all versions, GX LogViewer versions 1.115U and prior, GX RemoteService-I all versions, GX Works2 versions 1.597X and prior, GX Works3 versions 1.070Y and prior, iQ Monozukuri ANDON (Data Transfer) all versions, iQ Monozukuri Process Remote Monitoring (Data Transfer) all versions, M_CommDTM-HART all versions, M_CommDTM-IO-Link all versions, MELFA-Works versions 4.4 and prior, MELSEC WinCPU Setting Utility all versions, MELSOFT EM Software Development Kit (EM Configurator) all versions, MELSOFT Navigator versions 2.74C and prior, MH11 SettingTool Version2 versions 2.004E and prior, MI Configurator all versions, MT Works2 all versions, MX Component all versions, Network Interface Board CC IE Control utility all versions, Network Interface Board CC IE Field Utility all versions, Network Interface Board CC-Link Ver.2 Utility all versions, Network Interface Board MNETH utility all versions, PX Developer versions 1.53F and prior, RT ToolBox2 3.73B and prior, RT ToolBox3 versions 1.82L and prior, Setting/monitoring tools for the C Controller module all versions, SLMP Data Collector all versions) allows a remote unauthenticated attacker to cause a DoS condition of the software products, and possibly to execute a malicious program on the personal computer running the software products although it has not been reproduced, by spoofing MELSEC, GOT or FREQROL and returning crafted reply packets.

7.5
2021-02-18 CVE-2021-27335 Kollectapp Deserialization of Untrusted Data vulnerability in Kollectapp Kollect 4.8.16

KollectApps before 4.8.16c is affected by insecure Java deserialization, leading to Remote Code Execution via a ysoserial.payloads.CommonsCollections parameter.

7.5
2021-02-18 CVE-2020-28499 Merge Project Unspecified vulnerability in Merge Project Merge

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .

7.5
2021-02-18 CVE-2020-28490 Async GIT Project Argument Injection or Modification vulnerability in Async-Git Project Async-Git

The package async-git before 1.13.2 are vulnerable to Command Injection via shell meta-characters (back-ticks).

7.5
2021-02-18 CVE-2021-27378 Rand Core Project Use of Insufficiently Random Values vulnerability in Rand Core Project Rand Core 0.6.0/0.6.1

An issue was discovered in the rand_core crate before 0.6.2 for Rust.

7.5
2021-02-18 CVE-2021-27377 Yottadb Use After Free vulnerability in Yottadb

An issue was discovered in the yottadb crate before 1.2.0 for Rust.

7.5
2021-02-18 CVE-2021-27376 NB Connect Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nb-Connect Project Nb-Connect 1.0.0/1.0.1/1.0.2

An issue was discovered in the nb-connect crate before 1.0.3 for Rust.

7.5
2021-02-17 CVE-2021-27362 Irfanview Out-of-bounds Read vulnerability in Irfanview WPG

The WPG plugin before 3.1.0.0 for IrfanView 4.57 has a Read Access Violation on Control Flow starting at WPG!ReadWPG_W+0x0000000000000133, which might allow remote attackers to execute arbitrary code.

7.5
2021-02-17 CVE-2021-26809 CAR Rental Portal Project Unrestricted Upload of File with Dangerous Type vulnerability in CAR Rental Portal Project CAR Rental Portal 2.0

PHPGurukul Car Rental Project version 2.0 suffers from a remote shell upload vulnerability in changeimage1.php.

7.5
2021-02-17 CVE-2021-25779 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 is vulnerable to SQL injection via the 'id' parameter on the contentsectionpage.php page.

7.5
2021-02-17 CVE-2020-35339 74Cms Incorrect Permission Assignment for Critical Resource vulnerability in 74Cms 5.0.1

In 74cms version 5.0.1, there is a remote code execution vulnerability in /Application/Admin/Controller/ConfigController.class.php and /ThinkPHP/Common/functions.php where attackers can obtain server permissions and control the server.

7.5
2021-02-17 CVE-2021-22855 HR Portal Project Deserialization of Untrusted Data vulnerability in HR Portal Project HR Portal 7.3.2020.1013

The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized.

7.5
2021-02-17 CVE-2020-2501 Qnap Out-of-bounds Write vulnerability in Qnap Surveillance Station

A stack-based buffer overflow vulnerability has been reported to affect QNAP NAS devices running Surveillance Station.

7.5
2021-02-16 CVE-2021-27103 Accellion Server-Side Request Forgery (SSRF) vulnerability in Accellion FTA 912370/912380/912411

Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html.

7.5
2021-02-16 CVE-2021-27101 Accellion SQL Injection vulnerability in Accellion FTA 912370

Accellion FTA 9_12_370 and earlier is affected by SQL injection via a crafted Host header in a request to document_root.html.

7.5
2021-02-16 CVE-2021-25648 Testes Codigo Incorrect Authorization vulnerability in Testes-Codigo Testes DE Codigo

Mobile application "Testes de Codigo" 11.4 and prior allows an attacker to gain access to the administrative interface and premium features by tampering the boolean value of parameters "isAdmin" and "isPremium" located on device storage.

7.5
2021-02-16 CVE-2020-24841 SDG SQL Injection vulnerability in SDG Pnpscada 2.200816204020

PNPSCADA 2.200816204020 allows SQL injection via parameter 'interf' in /browse.jsp.

7.5
2021-02-16 CVE-2021-27236 Mutare Code Injection vulnerability in Mutare Voice 3.0.0/3.2.6/3.3.7

An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8.

7.5
2021-02-16 CVE-2021-27234 Mutare SQL Injection vulnerability in Mutare Voice 3.0.0/3.2.6/3.3.7

An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8.

7.5
2021-02-15 CVE-2021-3239 E Learning System Project SQL Injection vulnerability in E-Learning System Project E-Learning System 1.0

E-Learning System 1.0 suffers from an unauthenticated SQL injection vulnerability, which allows remote attackers to execute arbitrary code on the hosting web server and gain a reverse shell.

7.5
2021-02-15 CVE-2021-26822 Teachers Record Management System Project SQL Injection vulnerability in Teachers Record Management System Project Teachers Record Management System 1.0

Teachers Record Management System 1.0 is affected by a SQL injection vulnerability in 'searchteacher' POST parameter in search-teacher.php.

7.5
2021-02-15 CVE-2021-26201 Casap Automated Enrollment System Project SQL Injection vulnerability in Casap Automated Enrollment System Project Casap Automated Enrollment System 1.0

The Login Panel of CASAP Automated Enrollment System 1.0 is vulnerable to SQL injection authentication bypass.

7.5
2021-02-15 CVE-2021-26200 Library System Project SQL Injection vulnerability in Library System Project Library System 1.0

The user area for Library System 1.0 is vulnerable to SQL injection where a user can bypass the authentication and login as the admin user.

7.5
2021-02-15 CVE-2021-3375 Atomisystems Out-of-bounds Write vulnerability in Atomisystems Activepresenter 6.1.6

ActivePresenter 6.1.6 is affected by a memory corruption vulnerability that may result in a denial of service (DoS) or arbitrary code execution.

7.5
2021-02-15 CVE-2020-35775 Citsmart Injection vulnerability in Citsmart

CITSmart before 9.1.2.23 allows LDAP Injection.

7.5
2021-02-19 CVE-2020-35499 Linux NULL Pointer Dereference vulnerability in Linux Kernel

A NULL pointer dereference flaw in Linux kernel versions prior to 5.11 may be seen if sco_sock_getsockopt function in net/bluetooth/sco.c do not have a sanity check for a socket connection, when using BT_SNDMTU/BT_RCVMTU for SCO sockets.

7.2
2021-02-19 CVE-2020-13549 Sytech Improper Privilege Management vulnerability in Sytech Xlreporter 14.0.1

An exploitable local privilege elevation vulnerability exists in the file system permissions of Sytech XL Reporter v14.0.1 install directory.

7.2
2021-02-19 CVE-2020-24908 Tribe29 Unspecified vulnerability in Tribe29 Checkmk

Checkmk before 1.6.0p17 allows local users to obtain SYSTEM privileges via a Trojan horse shell script in the %PROGRAMDATA%\checkmk\agent\local directory.

7.2
2021-02-19 CVE-2020-36246 Amaze File Manager Project Improper Privilege Management vulnerability in Amaze File Manager Project Amaze File Manager

Amaze File Manager before 3.5.1 allows attackers to obtain root privileges via shell metacharacters in a symbolic link.

7.2
2021-02-18 CVE-2020-29664 DJI Command Injection vulnerability in DJI Mavic 2 Firmware

A command injection issue in dji_sys in DJI Mavic 2 Remote Controller before firmware version 01.00.0510 allows for code execution via a malicious firmware upgrade packet.

7.2
2021-02-18 CVE-2020-12878 Digi Link Following vulnerability in Digi Connectport X2E Firmware

Digi ConnectPort X2e before 3.2.30.6 allows an attacker to escalate privileges from the python user to root via a symlink attack that uses chown, related to /etc/init.d/S50dropbear.sh and the /WEB/python/.ssh directory.

7.2
2021-02-17 CVE-2020-13555 Advantech Improper Privilege Management vulnerability in Advantech Webaccess/Scada 9.0.1

An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation.

7.2
2021-02-17 CVE-2020-13553 Advantech Improper Privilege Management vulnerability in Advantech Webaccess/Scada 9.0.1

An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation.

7.2
2021-02-17 CVE-2020-13552 Advantech Improper Privilege Management vulnerability in Advantech Webaccess/Scada 9.0.1

An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation.

7.2
2021-02-17 CVE-2020-13551 Advantech Improper Privilege Management vulnerability in Advantech Webaccess/Scada 9.0.1

An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation.

7.2
2021-02-16 CVE-2021-27102 Accellion OS Command Injection vulnerability in Accellion FTA 912370/912380/912411

Accellion FTA 9_12_411 and earlier is affected by OS command execution via a local web service call.

7.2
2021-02-16 CVE-2021-20075 Racom Improper Privilege Management vulnerability in Racom M!Dge Firmware 4.4.40.105

Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows for privilege escalation via configd.

7.2
2021-02-16 CVE-2020-11635 Zscaler Improper Privilege Management vulnerability in Zscaler Client Connector

The Zscaler Client Connector prior to 3.1.0 did not sufficiently validate RPC clients, which allows a local adversary to execute code with system privileges or perform limited actions for which they did not have privileges.

7.2
2021-02-15 CVE-2020-35512 D BUS Project Use After Free vulnerability in D-Bus Project D-Bus 1.12.20

A use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.12.x stable branch <= 1.12.18, and dbus-1.10.x and older branches <= 1.10.30 when a system has multiple usernames sharing the same UID.

7.2

176 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-02-17 CVE-2021-1366 Cisco Improper Verification of Cryptographic Signature vulnerability in Cisco Anyconnect Secure Mobility Client

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device if the VPN Posture (HostScan) Module is installed on the AnyConnect client.

6.9
2021-02-20 CVE-2020-28248 PNG IMG Project Integer Overflow or Wraparound vulnerability in Png-Img Project Png-Img

An integer overflow in the PngImg::InitStorage_() function of png-img before 3.1.0 leads to an under-allocation of heap memory and subsequently an exploitable heap-based buffer overflow when loading a crafted PNG file.

6.8
2021-02-19 CVE-2020-27997 Smartstore Improper Privilege Management vulnerability in Smartstore Smartstorenet

An issue was discovered in SmartStoreNET before 4.1.0.

6.8
2021-02-19 CVE-2020-12668 Hubspot Information Exposure vulnerability in Hubspot Jinjava

Jinjava before 2.5.4 allow access to arbitrary classes by calling Java methods on objects passed into a Jinjava context.

6.8
2021-02-19 CVE-2020-25171 Fujielectric Out-of-bounds Write vulnerability in Fujielectric V-Server

The affected Fuji Electric V-Server Lite versions prior to 3.3.24.0 are vulnerable to an out-of-bounds write, which may allow an attacker to remotely execute arbitrary code.

6.8
2021-02-19 CVE-2020-36247 OSC Cross-Site Request Forgery (CSRF) vulnerability in OSC Open Ondemand

Open OnDemand before 1.5.7 and 1.6.x before 1.6.22 allows CSRF.

6.8
2021-02-17 CVE-2021-27138 Denx Unspecified vulnerability in Denx U-Boot

The boot loader in Das U-Boot before 2021.04-rc2 mishandles use of unit addresses in a FIT.

6.8
2021-02-17 CVE-2021-27097 Denx Unspecified vulnerability in Denx U-Boot

The boot loader in Das U-Boot before 2021.04-rc2 mishandles a modified FIT.

6.8
2021-02-17 CVE-2020-8625 ISC
Debian
Fedoraproject
Classic Buffer Overflow vulnerability in multiple products

BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features.

6.8
2021-02-17 CVE-2020-7849 Uprism Improper Input Validation vulnerability in Uprism Curix 1.3.6

A vulnerability of uPrism.io CURIX(Video conferecing solution) could allow an unauthenticated attacker to execute arbitrary code.

6.8
2021-02-16 CVE-2021-20073 Racom Cross-Site Request Forgery (CSRF) vulnerability in Racom M!Dge Firmware 4.4.40.105

Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows for cross-site request forgeries.

6.8
2021-02-16 CVE-2021-20066 Jsdom Project Unspecified vulnerability in Jsdom Project Jsdom

JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.

6.8
2021-02-16 CVE-2021-21316 Less Openui5 Project Injection vulnerability in Less-Openui5 Project Less-Openui5

less-openui5 is an npm package which enables building OpenUI5 themes with Less.js.

6.8
2021-02-16 CVE-2021-27232 Pelco Out-of-bounds Write vulnerability in Pelco Digital Sentry Server 7.18.72.11464

The RTSPLive555.dll ActiveX control in Pelco Digital Sentry Server 7.18.72.11464 has a SetCameraConnectionParameter stack-based buffer overflow.

6.8
2021-02-16 CVE-2021-27229 Mumble
Debian
Link Following vulnerability in multiple products

Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.

6.8
2021-02-19 CVE-2020-10252 Owncloud Server-Side Request Forgery (SSRF) vulnerability in Owncloud

An issue was discovered in ownCloud before 10.4.

6.5
2021-02-18 CVE-2021-20443 IBM Inclusion of Functionality from Untrusted Control Sphere vulnerability in IBM Maximo for Civil Infrastructure 7.6.2

IBM Maximo for Civil Infrastructure 7.6.2 includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

6.5
2021-02-17 CVE-2021-3396 Opennms Incorrect Authorization vulnerability in Opennms Horizon and Meridian

OpenNMS Meridian 2016, 2017, 2018 before 2018.1.25, 2019 before 2019.1.16, and 2020 before 2020.1.5, Horizon 1.2 through 27.0.4, and Newts <1.5.3 has Incorrect Access Control, which allows local and remote code execution using JEXL expressions.

6.5
2021-02-17 CVE-2021-25780 Baby Care System Project Unrestricted Upload of File with Dangerous Type vulnerability in Baby Care System Project Baby Care System 1.0

An arbitrary file upload vulnerability has been identified in posts.php in Baby Care System 1.0.

6.5
2021-02-17 CVE-2020-12339 Intel Unspecified vulnerability in Intel Collaboration Suite

Insufficient control flow management in the API for the Intel(R) Collaboration Suite for WebRTC before version 4.3.1 may allow an authenticated user to potentially enable escalation of privilege via network access.

6.5
2021-02-17 CVE-2021-22858 Changjia Property Management System Project Improper Authentication vulnerability in Changjia Property Management System Project Changjia Property Management System 1.00

Attackers can access the CGE account management function without privilege for permission elevation and execute arbitrary commands or files after obtaining user permissions.

6.5
2021-02-15 CVE-2020-35734 Batflat Injection vulnerability in Batflat 1.3.6

** UNSUPPORTED WHEN ASSIGNED ** Sruu.pl in Batflat 1.3.6 allows an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Users tab.

6.5
2021-02-15 CVE-2020-29143 Open EMR SQL Injection vulnerability in Open-Emr Openemr

A SQL injection vulnerability in interface/reports/non_reported.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter.

6.5
2021-02-15 CVE-2020-29140 Open EMR SQL Injection vulnerability in Open-Emr Openemr

A SQL injection vulnerability in interface/reports/immunization_report.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter.

6.5
2021-02-15 CVE-2020-29139 Open EMR SQL Injection vulnerability in Open-Emr Openemr

A SQL injection vulnerability in interface/main/finder/patient_select.php from library/patient.inc in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the searchFields parameter.

6.5
2021-02-15 CVE-2020-29142 Open EMR SQL Injection vulnerability in Open-Emr Openemr

A SQL injection vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the schedule_facility parameter when restrict_user_facility=on is in global settings.

6.5
2021-02-15 CVE-2020-28337 Microweber Path Traversal vulnerability in Microweber

A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature.

6.5
2021-02-15 CVE-2021-27201 Endian Argument Injection or Modification vulnerability in Endian Firewall Community 3.3.2

Endian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in a backup comment.

6.5
2021-02-15 CVE-2020-24899 Nagios Command Injection vulnerability in Nagios XI 5.7.2

Nagios XI 5.7.2 is affected by a remote code execution (RCE) vulnerability.

6.5
2021-02-15 CVE-2020-22427 Nagios Code Injection vulnerability in Nagios XI 5.6.11

** DISPUTED ** NagiosXI 5.6.11 is affected by a remote code execution (RCE) vulnerability.

6.5
2021-02-15 CVE-2020-22425 Centreon SQL Injection vulnerability in Centreon 19.10

Centreon 19.10-3.el7 is affected by a SQL injection vulnerability, where an authorized user is able to inject additional SQL queries to perform remote command execution.

6.5
2021-02-15 CVE-2021-23338 Microsoft Deserialization of Untrusted Data vulnerability in Microsoft Qlib

This affects all versions of package qlib.

6.5
2021-02-15 CVE-2021-23337 Lodash
Oracle
Netapp
Command Injection vulnerability in multiple products

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

6.5
2021-02-17 CVE-2021-23339 Lightbend HTTP Request Smuggling vulnerability in Lightbend Akka-Http

This affects all versions before 10.1.14 and from 10.2.0 to 10.2.4 of package com.typesafe.akka:akka-http-core.

6.4
2021-02-19 CVE-2020-24617 Mailtrain SQL Injection vulnerability in Mailtrain

Mailtrain through 1.24.1 allows SQL Injection in statsClickedSubscribersByColumn in lib/models/campaigns.js via /campaigns/clicked/ajax because variable column names are not properly escaped.

6.0
2021-02-18 CVE-2021-27379 XEN Improper Privilege Management vulnerability in XEN

An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM guest OS users to achieve unintended read/write DMA access, and possibly cause a denial of service (host OS crash) or gain privileges.

5.9
2021-02-19 CVE-2021-3189 Google Open Redirect vulnerability in Google Slashify 1.0.0

The slashify package 1.0.0 for Node.js allows open-redirect attacks, as demonstrated by a localhost:3000///example.com/ substring.

5.8
2021-02-19 CVE-2021-27404 Asus Open Redirect vulnerability in Asus Askey Rtf8115Vw Firmware Brsvg11.11Rtftef001V6.54V014

Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow injection of a Host HTTP header.

5.8
2021-02-18 CVE-2020-35591 PI Hole Session Fixation vulnerability in Pi-Hole 5.0/5.1/5.1.1

Pi-hole 5.0, 5.1, and 5.1.1 allows Session Fixation.

5.8
2021-02-18 CVE-2020-9306 Tesla Use of Hard-coded Credentials vulnerability in Tesla Solarcity Solar Monitoring Gateway

Tesla SolarCity Solar Monitoring Gateway through 5.46.43 has a "Use of Hard-coded Credentials" issue because Digi ConnectPort X2e uses a .pyc file to store the cleartext password for the python user account.

5.8
2021-02-17 CVE-2020-36245 Gramaddict Code Injection vulnerability in Gramaddict

GramAddict through 1.2.3 allows remote attackers to execute arbitrary code because of use of UIAutomator2 and ATX-Agent.

5.8
2021-02-17 CVE-2021-26911 Canarymail
Libmailcore
Improper Certificate Validation vulnerability in multiple products

core/imap/MCIMAPSession.cpp in Canary Mail before 3.22 has Missing SSL Certificate Validation for IMAP in STARTTLS mode.

5.8
2021-02-16 CVE-2020-35560 Mbconnectline Open Redirect vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2.

5.8
2021-02-18 CVE-2021-21318 Apereo Incorrect Authorization vulnerability in Apereo Opencast

Opencast is a free, open-source platform to support the management of educational audio and video content.

5.5
2021-02-18 CVE-2021-23340 Pimcore Path Traversal vulnerability in Pimcore

This affects the package pimcore/pimcore before 6.8.8.

5.5
2021-02-17 CVE-2021-22853 HR Portal Project Improper Privilege Management vulnerability in HR Portal Project HR Portal 7.3.2020.1013

The HR Portal of Soar Cloud System fails to manage access control.

5.5
2021-02-16 CVE-2021-27231 Hestiacp Unspecified vulnerability in Hestiacp Control Panel

Hestia Control Panel 1.3.5 and below, in a shared-hosting environment, sometimes allows remote authenticated users to create a subdomain for a different customer's domain name, leading to spoofing of services or email messages.

5.5
2021-02-15 CVE-2021-21511 Dell Incorrect Authorization vulnerability in Dell products

Dell EMC Avamar Server, versions 19.3 and 19.4 contain an Improper Authorization vulnerability in the web UI.

5.5
2021-02-15 CVE-2020-29031 Secomea Improper Privilege Management vulnerability in Secomea products

An Insecure Direct Object Reference vulnerability exists in the web UI of the GateManager which allows an authenticated attacker to reset the password of any user in its domain or any sub-domain, via escalation of privileges.

5.5
2021-02-15 CVE-2020-29026 Secomea Path Traversal vulnerability in Secomea products

A directory traversal vulnerability exists in the file upload function of the GateManager that allows an authenticated attacker with administrative permissions to read and write arbitrary files in the Linux file system.

5.5
2021-02-15 CVE-2020-4955 IBM Unrestricted Upload of File with Dangerous Type vulnerability in IBM Spectrum Protect Operations Center

IBM Spectrum Protect Operations Center 7.1 and 8.1could allow a remote attacker to execute arbitrary code on the system, caused by improper parameter validation.

5.2
2021-02-19 CVE-2021-26296 Apache
Netapp
Cross-Site Request Forgery (CSRF) vulnerability in multiple products

In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens.

5.1
2021-02-19 CVE-2021-27509 Visualware Incorrect Authorization vulnerability in Visualware Myconnection Server

In Visualware MyConnection Server before 11.0b build 5382, each published report is not associated with its own access code.

5.0
2021-02-19 CVE-2021-27351 Telegram Insufficient Session Expiration vulnerability in Telegram

The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session.

5.0
2021-02-19 CVE-2020-9050 Johnsoncontrols Path Traversal vulnerability in Johnsoncontrols Metasys Reporting Engine 2.0/2.1

Path Traversal vulnerability exists in Metasys Reporting Engine (MRE) Web Services which could allow a remote unauthenticated attacker to access and download arbitrary files from the system.

5.0
2021-02-19 CVE-2021-22703 SE Cleartext Transmission of Sensitive Information vulnerability in SE products

A CWE-319: Cleartext transmission of sensitive information vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause disclosure of user credentials when a malicious actor intercepts HTTP network traffic between a user and the device.

5.0
2021-02-19 CVE-2021-22702 SE Cleartext Transmission of Sensitive Information vulnerability in SE products

A CWE-319: Cleartext transmission of sensitive information vulnerability exists in PowerLogic ION7400, ION7650, ION7700/73xx, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause disclosure of user credentials when a malicious actor intercepts Telnet network traffic between a user and the device.

5.0
2021-02-19 CVE-2020-36249 Owncloud Unspecified vulnerability in Owncloud File Firewall

The File Firewall before 2.8.0 for ownCloud Server does not properly enforce file-type restrictions for public shares.

5.0
2021-02-19 CVE-2021-27405 Scrapbox Parser Project Resource Exhaustion vulnerability in Scrapbox-Parser Project Scrapbox-Parser

A ReDoS (regular expression denial of service) flaw was found in the @progfay/scrapbox-parser package before 6.0.3 for Node.js.

5.0
2021-02-18 CVE-2021-26712 Digium Unspecified vulnerability in Digium Asterisk

Incorrect access controls in res_srtp.c in Sangoma Asterisk 13.38.1, 16.16.0, 17.9.1, and 18.2.0 and Certified Asterisk 16.8-cert5 allow a remote unauthenticated attacker to prematurely terminate secure calls by replaying SRTP packets.

5.0
2021-02-18 CVE-2021-26717 Digium Unspecified vulnerability in Digium Asterisk and Certified Asterisk

An issue was discovered in Sangoma Asterisk 16.x before 16.16.1, 17.x before 17.9.2, and 18.x before 18.2.1 and Certified Asterisk before 16.8-cert6.

5.0
2021-02-18 CVE-2021-23341 Prismjs Unspecified vulnerability in Prismjs Prism

The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

5.0
2021-02-18 CVE-2020-28491 Fasterxml Resource Exhaustion vulnerability in Fasterxml Jackson-Dataformats-Binary

This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1.

5.0
2021-02-18 CVE-2020-28496 Three Project Resource Exhaustion vulnerability in Three Project Three

This affects the package three before 0.125.0.

5.0
2021-02-18 CVE-2021-27375 Containous Exposure of Resource to Wrong Sphere vulnerability in Containous Traefik 1.0

Traefik before 2.4.5 allows the loading of IFRAME elements from other domains.

5.0
2021-02-17 CVE-2021-27374 Vertigis Unspecified vulnerability in Vertigis Weboffice 10.7/10.8

VertiGIS WebOffice 10.7 SP1 before patch20210202 and 10.8 SP1 before patch20210207 allows attackers to achieve "Zugriff auf Inhalte der WebOffice Applikation."

5.0
2021-02-17 CVE-2021-27367 Boltcms Path Traversal vulnerability in Boltcms Bolt

Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal.

5.0
2021-02-17 CVE-2021-1378 Cisco Resource Exhaustion vulnerability in Cisco Staros

A vulnerability in the SSH service of the Cisco StarOS operating system could allow an unauthenticated, remote attacker to cause an affected device to stop processing traffic, resulting in a denial of service (DoS) condition.

5.0
2021-02-17 CVE-2021-27224 Irfanview Out-of-bounds Write vulnerability in Irfanview WPG

The WPG plugin before 3.1.0.0 for IrfanView 4.57 has a user-mode write access violation starting at WPG+0x0000000000012ec6, which might allow remote attackers to execute arbitrary code.

5.0
2021-02-17 CVE-2021-26697 Apache Improper Authentication vulnerability in Apache Airflow 2.0.0

The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0.

5.0
2021-02-17 CVE-2021-22174 Wireshark
Fedoraproject
Oracle
Resource Exhaustion vulnerability in multiple products

Crash in USB HID dissector in Wireshark 3.4.0 to 3.4.2 allows denial of service via packet injection or crafted capture file

5.0
2021-02-17 CVE-2021-22173 Wireshark
Fedoraproject
Oracle
Memory Leak vulnerability in multiple products

Memory leak in USB HID dissector in Wireshark 3.4.0 to 3.4.2 allows denial of service via packet injection or crafted capture file

5.0
2021-02-17 CVE-2020-36003 Online Book Store Project SQL Injection vulnerability in Online Book Store Project Online Book Store 1.0

The id parameter in detail.php of Online Book Store v1.0 is vulnerable to union-based blind SQL injection, which leads to the ability to retrieve all databases.

5.0
2021-02-17 CVE-2020-36002 Seat Reservation System Project SQL Injection vulnerability in Seat-Reservation-System Project Seat-Reservation-System 1.0

Seat-Reservation-System 1.0 has a SQL injection vulnerability in index.php in the id parameter where attackers can obtain sensitive database information.

5.0
2021-02-17 CVE-2021-22854 HR Portal Project SQL Injection vulnerability in HR Portal Project HR Portal 7.3.2020.1013

The HR Portal of Soar Cloud System fails to filter specific parameters.

5.0
2021-02-17 CVE-2020-24482 Intel Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Intel XMM 7360 Firmware

Improper buffer restrictions in firmware for Intel(R) 7360 Cell Modem before UDE version 9.4.370 may allow unauthenticated user to potentially enable denial of service via network access.

5.0
2021-02-17 CVE-2021-22553 Google Resource Exhaustion vulnerability in Google Gerrit

Any git operation is passed through Jetty and a session is created.

5.0
2021-02-17 CVE-2021-22857 Changjia Property Management System Project Path Traversal vulnerability in Changjia Property Management System Project Changjia Property Management System 1.00

The CGE page with download function contains a Directory Traversal vulnerability.

5.0
2021-02-17 CVE-2021-22856 Changjia Property Management System Project SQL Injection vulnerability in Changjia Property Management System Project Changjia Property Management System 1.00

The CGE property management system contains SQL Injection vulnerabilities.

5.0
2021-02-17 CVE-2021-20653 NEC Incorrect Default Permissions vulnerability in NEC products

Calsos CSDJ (CSDJ-B 01.08.00 and earlier, CSDJ-H 01.08.00 and earlier, CSDJ-D 01.08.00 and earlier, and CSDJ-A 03.08.00 and earlier) allows remote attackers to bypass access restriction and to obtain unauthorized historical data without access privileges via unspecified vectors.

5.0
2021-02-16 CVE-2021-20067 Racom Information Exposure vulnerability in Racom M!Dge Firmware 4.4.40.105

Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to view sensitive syslog events without authentication.

5.0
2021-02-16 CVE-2020-28918 Deepnetsecurity Unspecified vulnerability in Deepnetsecurity Dualshield 5.9.8.0821

DualShield 5.9.8.0821 allows username enumeration on its login form.

5.0
2021-02-16 CVE-2021-21317 UAP Core Project Resource Exhaustion vulnerability in Uap-Core Project Uap-Core

uap-core in an open-source npm package which contains the core of BrowserScope's original user agent string parser.

5.0
2021-02-16 CVE-2021-23840 Openssl
Debian
Tenable
Oracle
Mcafee
Integer Overflow or Wraparound vulnerability in multiple products

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform.

5.0
2021-02-16 CVE-2021-20986 Hilscher
Pepperl Fuchs
Out-of-bounds Write vulnerability in multiple products

A Denial of Service vulnerability was found in Hilscher PROFINET IO Device V3 in versions prior to V3.14.0.7.

5.0
2021-02-16 CVE-2020-35570 Mbconnectline Forced Browsing vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2.

5.0
2021-02-16 CVE-2020-35566 Mbconnectline Use of Incorrectly-Resolved Name or Reference vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2.

5.0
2021-02-16 CVE-2020-35565 Mbconnectline Improper Restriction of Excessive Authentication Attempts vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2.

5.0
2021-02-16 CVE-2020-35564 Mbconnectline Injection vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2.

5.0
2021-02-16 CVE-2020-35561 Mbconnectline Server-Side Request Forgery (SSRF) vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2.

5.0
2021-02-16 CVE-2020-35558 Mbconnectline Server-Side Request Forgery (SSRF) vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2.

5.0
2021-02-16 CVE-2020-29024 Secomea Missing Encryption of Sensitive Data vulnerability in Secomea products

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in (GTA) GoToAppliance of Secomea GateManager could allow an attacker to gain access to sensitive cookies.

5.0
2021-02-16 CVE-2020-29022 Secomea Unspecified vulnerability in Secomea products

Failure to Sanitize host header value on output in the GateManager Web server could allow an attacker to conduct web cache poisoning attacks.

5.0
2021-02-15 CVE-2021-27211 Steghide Project Use of a Broken or Risky Cryptographic Algorithm vulnerability in Steghide Project Steghide 0.5.1

steghide 0.5.1 relies on a certain 32-bit seed value, which makes it easier for attackers to detect hidden data.

5.0
2021-02-15 CVE-2021-27219 Gnome
Fedoraproject
Incorrect Conversion between Numeric Types vulnerability in multiple products

An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3.

5.0
2021-02-15 CVE-2021-27218 Gnome
Fedoraproject
Incorrect Conversion between Numeric Types vulnerability in multiple products

An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4.

5.0
2021-02-15 CVE-2020-28500 Lodash
Oracle
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
5.0
2021-02-15 CVE-2021-21702 PHP
Debian
Netapp
Oracle
NULL Pointer Dereference vulnerability in multiple products

In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash.

5.0
2021-02-15 CVE-2020-7071 PHP
Debian
Netapp
Improper Input Validation vulnerability in multiple products

In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL.

5.0
2021-02-15 CVE-2020-36237 Atlassian Information Exposure vulnerability in Atlassian Data Center and Jira

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint.

5.0
2021-02-15 CVE-2020-36235 Atlassian Information Exposure vulnerability in Atlassian Jira

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view.

5.0
2021-02-16 CVE-2021-27203 Dekart NULL Pointer Dereference vulnerability in Dekart Private Disk 2.15

In Dekart Private Disk 2.15, invalid use of the Type3 user buffer for IOCTL codes using METHOD_NEITHER results in arbitrary memory dereferencing.

4.9
2021-02-16 CVE-2020-29023 Secomea Improper Encoding or Escaping of Output vulnerability in Secomea products

Improper Encoding or Escaping of Output from CSV Report Generator of Secomea GateManager allows an authenticated administrator to generate a CSV file that may run arbitrary commands on a victim's computer when opened in a spreadsheet program (like Excel).

4.9
2021-02-15 CVE-2020-4954 IBM Session Fixation vulnerability in IBM Spectrum Protect Operations Center

IBM Spectrum Protect Operations Center 7.1 and 8.1 could allow a remote attacker to bypass authentication restrictions, caused by improper session validation .

4.8
2021-02-19 CVE-2020-12374 Intel Classic Buffer Overflow vulnerability in Intel BMC Firmware 1.06.06

Buffer overflow in the BMC firmware for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.47 may allow a privileged user to potentially enable escalation of privilege via local access.

4.6
2021-02-19 CVE-2020-19513 Aida64 Improper Neutralization of Formula Elements in a CSV File vulnerability in Aida64 6.00.5100

Buffer overflow in FinalWire Ltd AIDA64 Engineer 6.00.5100 allows attackers to execute arbitrary code by creating a crafted input that will overwrite the SEH handler.

4.6
2021-02-18 CVE-2020-36233 Atlassian Incorrect Default Permissions vulnerability in Atlassian Bitbucket

The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.

4.6
2021-02-17 CVE-2021-26720 Avahi
Debian
Link Following vulnerability in multiple products

avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon.

4.6
2021-02-17 CVE-2021-0109 Intel Unspecified vulnerability in Intel Compute Stick Stk1A32Sc Firmware

Insecure inherited permissions for the Intel(R) SOC driver package for STK1A32SC before version 604 may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-8765 Intel Incorrect Default Permissions vulnerability in Intel Realsense Depth Camera Manager

Incorrect default permissions in the installer for the Intel(R) RealSense(TM) DCM may allow a privileged user to potentially enable escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-8701 Intel Incorrect Default Permissions vulnerability in Intel Solid-State Drive Toolbox 3.3.6

Incorrect default permissions in installer for the Intel(R) SSD Toolbox versions before 2/9/2021 may allow a privileged user to potentially enable escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-8678 Intel Unspecified vulnerability in Intel Graphics Drivers

Improper access control for Intel(R) Graphics Drivers before version 15.45.33.5164 and 27.20.100.8280 may allow an authenticated user to potentially enable an escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-24481 Intel Unspecified vulnerability in Intel Quartus

Insecure inherited permissions for the Intel(R) Quartus Prime Pro and Standard edition software may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-24462 Intel Out-of-bounds Write vulnerability in Intel Graphics Drivers

Out of bounds write in the Intel(R) Graphics Driver before version 15.33.53.5161, 15.36.40.5162, 15.40.47.5166, 15.45.33.5164 and 27.20.100.8336 may allow an authenticated user to potentially enable an escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-24453 Intel Improper Input Validation vulnerability in Intel Epid Software Development KIT

Improper input validation in the Intel(R) EPID SDK before version 8, may allow an authenticated user to potentially enable an escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-24450 Intel Improper Check for Unusual or Exceptional Conditions vulnerability in Intel Graphics Drivers

Improper conditions check in some Intel(R) Graphics Drivers before versions 26.20.100.8141, 15.45.32.5145 and 15.40.46.5144 may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-12385 Intel Improper Input Validation vulnerability in Intel Graphics Drivers

Improper input validation in some Intel(R) Graphics Drivers before version 26.20.100.8141 may allow a privileged user to potentially enable escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-12384 Intel Unspecified vulnerability in Intel Graphics Drivers

Improper access control in some Intel(R) Graphics Drivers before version 26.20.100.8476 may allow an authenticated user to potentially enable an escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-12380 Intel Out-of-bounds Read vulnerability in Intel BMC Firmware 1.06.06

Out of bounds read in the BMC firmware for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.47 may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-12377 Intel Improper Input Validation vulnerability in Intel BMC Firmware 1.06.06

Insufficient input validation in the BMC firmware for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.47 may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-12375 Intel Out-of-bounds Write vulnerability in Intel BMC Firmware 1.06.06

Heap overflow in the BMC firmware for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.47 may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-12373 Intel Classic Buffer Overflow vulnerability in Intel BMC Firmware 1.06.06

Expired pointer dereference in some Intel(R) Graphics Drivers before version 26.20.100.8141 may allow a privileged user to potentially enable a denial of service via local access.

4.6
2021-02-17 CVE-2020-12369 Intel Out-of-bounds Write vulnerability in Intel Graphics Drivers

Out of bound write in some Intel(R) Graphics Drivers before version 26.20.100.8336 may allow a privileged user to potentially enable escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-12368 Intel Integer Overflow or Wraparound vulnerability in Intel Graphics Drivers

Integer overflow in some Intel(R) Graphics Drivers before version 26.20.100.8141 may allow a privileged user to potentially enable an escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-12367 Intel Integer Overflow or Wraparound vulnerability in Intel Graphics Drivers

Integer overflow in some Intel(R) Graphics Drivers before version 26.20.100.8476 may allow a privileged user to potentially enable an escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-12366 Intel Improper Input Validation vulnerability in Intel Graphics Drivers

Insufficient input validation in some Intel(R) Graphics Drivers before version 27.20.100.8587 may allow a privileged user to potentially enable an escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-12362 Intel Integer Overflow or Wraparound vulnerability in Intel Graphics Drivers

Integer overflow in the firmware for some Intel(R) Graphics Drivers for Windows * before version 26.20.100.7212 and before Linux kernel version 5.5 may allow a privileged user to potentially enable an escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-0544 Intel Unspecified vulnerability in Intel Graphics Drivers

Insufficient control flow management in the kernel mode driver for some Intel(R) Graphics Drivers before version 15.36.39.5145 may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2021-02-17 CVE-2020-0521 Intel Unspecified vulnerability in Intel Graphics Drivers

Insufficient control flow management in some Intel(R) Graphics Drivers before version 15.45.32.5145 may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2021-02-17 CVE-2021-26934 Linux
Fedoraproject
An issue was discovered in the Linux kernel 4.18 through 5.10.16, as used by Xen.
4.6
2021-02-17 CVE-2021-26930 Linux
Fedoraproject
Debian
An issue was discovered in the Linux kernel 3.11 through 5.10.16, as used by Xen.
4.6
2021-02-16 CVE-2021-21315 Systeminformation
Apache
OS Command Injection vulnerability in multiple products

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information.

4.6
2021-02-16 CVE-2020-35567 Mbconnectline Use of Hard-coded Credentials vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2.

4.6
2021-02-17 CVE-2020-24485 Intel Uncontrolled Search Path Element vulnerability in Intel Trace Analyzer and Collector

Improper conditions check in the Intel(R) FPGA OPAE Driver for Linux before kernel version 4.17 may allow an authenticated user to potentially enable escalation of privilege via local access.

4.4
2021-02-17 CVE-2020-24451 Intel Uncontrolled Search Path Element vulnerability in Intel Optane DC Persistent Memory Module Management

Uncontrolled search path in the Intel(R) Optane(TM) DC Persistent Memory installer for Windows* before version 1.00.00.3506 may allow an authenticated user to potentially enable escalation of privilege via local access.

4.4
2021-02-21 CVE-2021-26716 Openenergymonitor Cross-site Scripting vulnerability in Openenergymonitor Emoncms

Modules/input/Views/schedule.php in Emoncms through 10.2.7 allows XSS via the node parameter.

4.3
2021-02-19 CVE-2020-24393 Tweetstream Project Improper Certificate Validation vulnerability in Tweetstream Project Tweetstream 2.6.1

TweetStream 2.6.1 uses the library eventmachine in an insecure way that does not have TLS hostname validation.

4.3
2021-02-19 CVE-2020-24392 Twitter Stream Project Improper Certificate Validation vulnerability in Twitter-Stream Project Twitter-Stream 0.1.10

In voloko twitter-stream 0.1.10, missing TLS hostname validation allows an attacker to perform a man-in-the-middle attack against users of the library (because eventmachine is misused).

4.3
2021-02-19 CVE-2021-27214 Zohocorp Cross-site Scripting vulnerability in Zohocorp Manageengine Adselfservice Plus 6.0

A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905.

4.3
2021-02-19 CVE-2021-23342 Docsifyjs Cross-site Scripting vulnerability in Docsifyjs Docsify

This affects the package docsify before 4.12.0.

4.3
2021-02-19 CVE-2020-10254 Owncloud Improper Authentication vulnerability in Owncloud

An issue was discovered in ownCloud before 10.4.

4.3
2021-02-19 CVE-2021-26746 Chamilo Cross-site Scripting vulnerability in Chamilo 1.11.14

Chamilo 1.11.14 allows XSS via a main/calendar/agenda_list.php?type= URI.

4.3
2021-02-19 CVE-2021-27403 Asus Cross-site Scripting vulnerability in Asus Askey Rtf8115Vw Firmware Brsvg11.11Rtftef001V6.54V014

Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow cgi-bin/te_acceso_router.cgi curWebPage XSS.

4.3
2021-02-18 CVE-2021-26906 Digium Improper Resource Shutdown or Release vulnerability in Digium Asterisk

An issue was discovered in res_pjsip_session.c in Digium Asterisk through 13.38.1; 14.x, 15.x, and 16.x through 16.16.0; 17.x through 17.9.1; and 18.x through 18.2.0, and Certified Asterisk through 16.8-cert5.

4.3
2021-02-18 CVE-2020-35776 Digium Classic Buffer Overflow vulnerability in Digium Asterisk

A buffer overflow in res_pjsip_diversion.c in Sangoma Asterisk versions 13.38.1, 16.15.1, 17.9.1, and 18.1.1 allows remote attacker to crash Asterisk by deliberately misusing SIP 181 responses.

4.3
2021-02-18 CVE-2021-20444 IBM Cross-site Scripting vulnerability in IBM Maximo for Civil Infrastructure 7.6.2

IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site scripting.

4.3
2021-02-17 CVE-2020-25605 Agora Cleartext Transmission of Sensitive Information vulnerability in Agora Video Software Development KIT

Cleartext transmission of sensitive information in Agora Video SDK prior to 3.1 allows a remote attacker to obtain access to audio and video of any ongoing Agora video call through observation of cleartext network traffic.

4.3
2021-02-17 CVE-2021-1351 Cisco Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Cisco Webex Meetings 41.1.0

A vulnerability in the web-based interface of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of the affected service.

4.3
2021-02-17 CVE-2020-2502 Qnap Cross-site Scripting vulnerability in Qnap Photo Station

This cross-site scripting vulnerability in Photo Station allows remote attackers to inject malicious code.

4.3
2021-02-16 CVE-2021-23841 Openssl
Debian
Tenable
Apple
Netapp
Oracle
Integer Overflow or Wraparound vulnerability in multiple products

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate.

4.3
2021-02-16 CVE-2021-23839 Openssl
Oracle
Inadequate Encryption Strength vulnerability in multiple products

OpenSSL 1.0.2 supports SSLv2.

4.3
2021-02-16 CVE-2020-35569 Mbconnectline Cross-site Scripting vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2.

4.3
2021-02-16 CVE-2020-29025 Secomea Cross-site Scripting vulnerability in Secomea Sitemanager Embedded

A vulnerability in SiteManager-Embedded (SM-E) Web server which may allow attacker to construct a URL that if visited by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

4.3
2021-02-15 CVE-2021-25299 Nagios Cross-site Scripting vulnerability in Nagios XI 5.7.5

Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS).

4.3
2021-02-15 CVE-2020-36236 Atlassian Cross-site Scripting vulnerability in Atlassian Jira

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints.

4.3
2021-02-17 CVE-2020-24458 Intel Incomplete Cleanup vulnerability in Intel Killer and Proset/Wireless Wifi

Incomplete cleanup in some Intel(R) PROSet/Wireless WiFi and Killer (TM) drivers before version 22.0 may allow a privileged user to potentially enable information disclosure and denial of service<b>&nbsp;</b>via adjacent access.

4.1
2021-02-19 CVE-2021-26713 Digium Out-of-bounds Write vulnerability in Digium Asterisk and Certified Asterisk

A stack-based buffer overflow in res_rtp_asterisk.c in Sangoma Asterisk before 16.16.1, 17.x before 17.9.2, and 18.x before 18.2.1 and Certified Asterisk before 16.8-cert6 allows an authenticated WebRTC client to cause an Asterisk crash by sending multiple hold/unhold requests in quick succession.

4.0
2021-02-19 CVE-2021-27328 Yeastar Path Traversal vulnerability in Yeastar Neogate Tg400 Firmware 91.3.0.3

Yeastar NeoGate TG400 91.3.0.3 devices are affected by Directory Traversal.

4.0
2021-02-19 CVE-2021-3204 Webware Server-Side Request Forgery (SSRF) vulnerability in Webware Webdesktop 5.1.15

SSRF in the document conversion component of Webware Webdesktop 5.1.15 allows an attacker to read all files from the server.

4.0
2021-02-19 CVE-2021-3339 Microsoft Improper Authentication vulnerability in Microsoft Modernflow

ModernFlow before 1.3.00.208 does not constrain web-page access to members of a security group, as demonstrated by the Search Screen and the Profile Screen.

4.0
2021-02-19 CVE-2020-36251 Owncloud Improper Privilege Management vulnerability in Owncloud

ownCloud Server before 10.3.0 allows an attacker, who has received non-administrative access to a group share, to remove everyone else's access to that share.

4.0
2021-02-18 CVE-2020-28463 Reportlab
Fedoraproject
Server-Side Request Forgery (SSRF) vulnerability in multiple products

All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags.

4.0
2021-02-18 CVE-2021-20445 IBM Insufficiently Protected Credentials vulnerability in IBM Maximo for Civil Infrastructure 7.6.2

IBM Maximo for Civil Infrastructure 7.6.2 could allow a user to obtain sensitive information due to insecure storeage of authentication credentials.

4.0
2021-02-18 CVE-2020-35577 Endalia Unspecified vulnerability in Endalia Selection Portal 4.205.0

In Endalia Selection Portal before 4.205.0, an Insecure Direct Object Reference (IDOR) allows any authenticated user to download every file uploaded to the platform by changing the value of the file identifier (aka CommonDownload identification number).

4.0
2021-02-18 CVE-2021-27124 Doctor Appointment System Project SQL Injection vulnerability in Doctor Appointment System Project Doctor Appointment System 1.0

SQL injection in the expertise parameter in search_result.php in Doctor Appointment System v1.0 allows an authenticated patient user to dump the database credentials via a SQL injection attack.

4.0
2021-02-17 CVE-2020-13550 Advantech Path Traversal vulnerability in Advantech Webaccess/Scada 9.0.1

A local file inclusion vulnerability exists in the installation functionality of Advantech WebAccess/SCADA 9.0.1.

4.0
2021-02-17 CVE-2021-1416 Cisco Incorrect Privilege Assignment vulnerability in Cisco Identity Services Engine

Multiple vulnerabilities in the Admin portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain sensitive information.

4.0
2021-02-17 CVE-2021-1412 Cisco Incorrect Privilege Assignment vulnerability in Cisco Identity Services Engine

Multiple vulnerabilities in the Admin portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain sensitive information.

4.0
2021-02-17 CVE-2021-26559 Apache Improper Privilege Management vulnerability in Apache Airflow 2.0.0

Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`.

4.0
2021-02-16 CVE-2020-35568 Mbconnectline Information Exposure vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2.

4.0
2021-02-16 CVE-2020-35559 Mbconnectline Resource Exhaustion vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2.

4.0
2021-02-16 CVE-2020-35557 Mbconnectline Information Exposure vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.6.2.

4.0
2021-02-16 CVE-2021-27235 Mutare Unspecified vulnerability in Mutare Voice 3.2.6/3.3.7

An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8.

4.0
2021-02-16 CVE-2021-27233 Mutare Cleartext Storage of Sensitive Information vulnerability in Mutare Voice 3.0.0/3.2.6/3.3.7

An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8.

4.0
2021-02-15 CVE-2021-23336 Python
Fedoraproject
Debian
Netapp
Djangoproject
Oracle
HTTP Request Smuggling vulnerability in multiple products

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking.

4.0
2021-02-15 CVE-2020-29451 Atlassian Information Exposure vulnerability in Atlassian Data Center and Jira

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate Jira projects via an Information Disclosure vulnerability in the Jira Projects plugin report page.

4.0

58 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-02-19 CVE-2021-21512 Dell Information Exposure vulnerability in Dell EMC Powerprotect Cyber Recovery 19.7.0.1

Dell EMC PowerProtect Cyber Recovery, version 19.7.0.1, contains an Information Disclosure vulnerability.

3.6
2021-02-20 CVE-2021-26544 Apache Cross-site Scripting vulnerability in Apache Livy 0.7.0Incubating

Livy server version 0.7.0-incubating (only) is vulnerable to a cross site scripting issue in the session name.

3.5
2021-02-19 CVE-2021-22701 SE Cross-Site Request Forgery (CSRF) vulnerability in SE products

A CWE-352: Cross-Site Request Forgery vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause a user to perform an unintended action on the target device when using the HTTP web interface.

3.5
2021-02-18 CVE-2020-35592 PI Hole Cross-site Scripting vulnerability in Pi-Hole 5.0/5.1/5.1.1

Pi-hole 5.0, 5.1, and 5.1.1 allows XSS via the Options header to the admin/ URI.

3.5
2021-02-18 CVE-2021-3271 Pressbooks Cross-site Scripting vulnerability in Pressbooks

PressBooks 5.17.3 contains a cross-site scripting (XSS).

3.5
2021-02-18 CVE-2021-20446 IBM Cross-site Scripting vulnerability in IBM Maximo for Civil Infrastructure 7.6.2

IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site scripting.

3.5
2021-02-18 CVE-2020-4933 IBM Cross-site Scripting vulnerability in IBM Jazz Reporting Service

IBM Jazz Reporting Service 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting.

3.5
2021-02-16 CVE-2021-20071 Racom Cross-site Scripting vulnerability in Racom M!Dge Firmware 4.4.40.105

Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to conduct cross-site scriptings attacks via the sms.php dialogs.

3.5
2021-02-16 CVE-2021-20070 Racom Cross-site Scripting vulnerability in Racom M!Dge Firmware 4.4.40.105

Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to conduct cross-site scriptings attacks via the virtualization.php dialogs.

3.5
2021-02-16 CVE-2021-20069 Racom Cross-site Scripting vulnerability in Racom M!Dge Firmware 4.4.40.105

Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to conduct cross-site scripting attacks via the regionalSettings.php dialogs.

3.5
2021-02-16 CVE-2021-20068 Racom Cross-site Scripting vulnerability in Racom M!Dge Firmware 4.4.40.105

Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to conduct cross-site scripting attacks via the error handling functionality of web pages.

3.5
2021-02-16 CVE-2021-27237 Blackcat CMS Cross-site Scripting vulnerability in Blackcat-Cms Blackcat CMS 1.3.6

The admin panel in BlackCat CMS 1.3.6 allows stored XSS (by an admin) via the Display Name field to backend/preferences/ajax_save.php.

3.5
2021-02-16 CVE-2020-35563 Mbconnectline Cross-site Scripting vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2.

3.5
2021-02-16 CVE-2020-29027 Secomea Cross-site Scripting vulnerability in Secomea products

Cross-site Scripting (XSS) vulnerability in GUI of Secomea SiteManager could allow an attacker to cause an XSS Attack.

3.5
2021-02-15 CVE-2020-36234 Atlassian Cross-site Scripting vulnerability in Atlassian Data Center and Jira

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view.

3.5
2021-02-17 CVE-2020-24501 Intel Classic Buffer Overflow vulnerability in Intel Ethernet Network Adapter E810 Firmware

Buffer overflow in the firmware for Intel(R) E810 Ethernet Controllers before version 1.4.1.13 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

3.3
2021-02-19 CVE-2020-36252 Owncloud Exposure of Resource to Wrong Sphere vulnerability in Owncloud

ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number.

2.7
2021-02-15 CVE-2020-4956 IBM Resource Exhaustion vulnerability in IBM Spectrum Protect Operations Center

IBM Spectrum Protect Operations Center 7.1 and 8.1 is vulnerable to a denial of service, caused by a RPC that allows certain cache values to be set and dumped to a file.

2.3
2021-02-19 CVE-2020-36248 Owncloud Cleartext Storage of Sensitive Information vulnerability in Owncloud

The ownCloud application before 2.15 for Android allows attackers to use adb to include a PIN preferences value in a backup archive, and consequently bypass the PIN lock feature by restoring from this archive.

2.1
2021-02-19 CVE-2020-36250 Owncloud Inadequate Encryption Strength vulnerability in Owncloud

In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past.

2.1
2021-02-18 CVE-2019-18243 GE Incorrect Permission Assignment for Critical Resource vulnerability in GE Ifix

HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated user to modify system-wide iFIX configurations through the registry.

2.1
2021-02-18 CVE-2019-18255 GE Incorrect Permission Assignment for Critical Resource vulnerability in GE Ifix

HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated user to modify system-wide iFIX configurations through section objects.

2.1
2021-02-17 CVE-2021-1372 Cisco Exposure of Sensitive Data Through Data Queries vulnerability in Cisco Webex Meetings and Webex Meetings Server

A vulnerability in Cisco Webex Meetings Desktop App and Webex Productivity Tools for Windows could allow an authenticated, local attacker to gain access to sensitive information on an affected system.

2.1
2021-02-17 CVE-2020-12365 Intel NULL Pointer Dereference vulnerability in Intel Graphics Drivers

Untrusted pointer dereference in some Intel(R) Graphics Drivers before versions 15.33.51.5146, 15.45.32.5145, 15.36.39.5144 and 15.40.46.5143 may allow an authenticated user to potentially denial of service via local access.

2.1
2021-02-17 CVE-2020-24505 Intel Improper Input Validation vulnerability in Intel Ethernet Network Adapter 700 Firmware

Insufficient input validation in the firmware for the Intel(R) 700-series of Ethernet Controllers before version 7.3 may allow a privileged user to potentially enable denial of service via local access.

2.1
2021-02-17 CVE-2020-24504 Intel Resource Exhaustion vulnerability in Intel Ethernet Network Adapter E810 Firmware

Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 may allow an authenticated user to potentially enable denial of service via local access.

2.1
2021-02-17 CVE-2020-24503 Intel Incorrect Authorization vulnerability in Intel Ethernet Network Adapter E810 Firmware

Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 may allow an authenticated user to potentially enable information disclosure via local access.

2.1
2021-02-17 CVE-2020-24502 Intel Improper Input Validation vulnerability in Intel Ethernet Network Adapter E810 Firmware

Improper input validation in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 and before version 1.4.29.0 for Windows*, may allow an authenticated user to potentially enable a denial of service via local access.

2.1
2021-02-17 CVE-2020-24500 Intel Classic Buffer Overflow vulnerability in Intel Ethernet Network Adapter E810 Firmware

Buffer overflow in the firmware for Intel(R) E810 Ethernet Controllers before version 1.4.1.13 may allow a privileged user to potentially enable a denial of service via local access.

2.1
2021-02-17 CVE-2020-24498 Intel Classic Buffer Overflow vulnerability in Intel Ethernet Network Adapter E810 Firmware

Buffer overflow in the firmware for Intel(R) E810 Ethernet Controllers before version 1.4.1.13 may allow a privileged user to potentially enable denial of service via local access.

2.1
2021-02-17 CVE-2020-24497 Intel Incorrect Authorization vulnerability in Intel Ethernet Network Adapter E810 Firmware 1.0.4

Insufficient Access Control in the firmware for Intel(R) E810 Ethernet Controllers before version 1.4.1.13 may allow a privileged user to potentially enable denial of service via local access.

2.1
2021-02-17 CVE-2020-24496 Intel Improper Input Validation vulnerability in Intel products

Insufficient input validation in the firmware for Intel(R) 722 Ethernet Controllers before version 1.4.3 may allow a privileged user to potentially enable denial of service via local access.

2.1
2021-02-17 CVE-2020-24495 Intel Incorrect Authorization vulnerability in Intel Ethernet Network Adapter 700 Firmware

Insufficient access control in the firmware for the Intel(R) 700-series of Ethernet Controllers before version 7.3 may allow a privileged user to potentially enable denial of service via local access.

2.1
2021-02-17 CVE-2020-24494 Intel Incorrect Authorization vulnerability in Intel products

Insufficient access control in the firmware for the Intel(R) 722 Ethernet Controllers before version 1.4.3 may allow a privileged user to potentially enable denial of service via local access.

2.1
2021-02-17 CVE-2020-24493 Intel Incorrect Authorization vulnerability in Intel Ethernet Network Adapter 700 Firmware 7.3

Insufficient access control in the firmware for the Intel(R) 700-series of Ethernet Controllers before version 8.0 may allow a privileged user to potentially enable denial of service via local access.

2.1
2021-02-17 CVE-2020-24492 Intel Incorrect Authorization vulnerability in Intel products

Insufficient access control in the firmware for the Intel(R) 722 Ethernet Controllers before version 1.5 may allow a privileged user to potentially enable a denial of service via local access.

2.1
2021-02-17 CVE-2020-24480 Intel Out-of-bounds Write vulnerability in Intel Extreme Tuning Utility 6.4.1.21/6.5.1.360

Out-of-bounds write in the Intel(R) XTU before version 6.5.3.25 may allow a privileged user to potentially enable denial of service via local access.

2.1
2021-02-17 CVE-2020-24452 Intel Improper Input Validation vulnerability in Intel SGX Platform

Improper input validation in the Intel(R) SGX Platform Software for Windows* may allow an authenticated user to potentially enable a denial of service via local access.

2.1
2021-02-17 CVE-2020-24448 Intel Unspecified vulnerability in Intel Graphics Drivers

Uncaught exception in some Intel(R) Graphics Drivers before version 15.33.51.5146 may allow an authenticated user to potentially enable denial of service via local access.

2.1
2021-02-17 CVE-2020-12386 Intel Out-of-bounds Write vulnerability in Intel Graphics Drivers

Out-of-bounds write in some Intel(R) Graphics Drivers before version 15.36.39.5143 may allow an authenticated user to potentially enable denial of service via local access.

2.1
2021-02-17 CVE-2020-12376 Intel Use of Hard-coded Credentials vulnerability in Intel BMC Firmware 1.06.06

Use of hard-coded key in the BMC firmware for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.47 may allow authenticated user to potentially enable information disclosure via local access.

2.1
2021-02-17 CVE-2020-12372 Intel Unchecked Return Value vulnerability in Intel Graphics Drivers

Unchecked return value in some Intel(R) Graphics Drivers before version 26.20.100.8141 may allow a privileged user to potentially enable a denial of service via local access.

2.1
2021-02-17 CVE-2020-12371 Intel Divide By Zero vulnerability in Intel Graphics Drivers

Divide by zero in some Intel(R) Graphics Drivers before version 26.20.100.8141 may allow a privileged user to potentially enable a denial of service via local access.

2.1
2021-02-17 CVE-2020-12370 Intel NULL Pointer Dereference vulnerability in Intel Graphics Drivers

Untrusted pointer dereference in some Intel(R) Graphics Drivers before version 26.20.100.8141 may allow a privileged user to potentially enable a denial of service via local access.

2.1
2021-02-17 CVE-2020-12364 Intel NULL Pointer Dereference vulnerability in Intel Graphics Drivers

Null pointer reference in some Intel(R) Graphics Drivers for Windows* before version 26.20.100.7212 and before version Linux kernel version 5.5 may allow a privileged user to potentially enable a denial of service via local access.

2.1
2021-02-17 CVE-2020-12363 Intel Improper Input Validation vulnerability in Intel Graphics Drivers

Improper input validation in some Intel(R) Graphics Drivers for Windows* before version 26.20.100.7212 and before Linux kernel version 5.5 may allow a privileged user to potentially enable a denial of service via local access.

2.1
2021-02-17 CVE-2020-12361 Intel Use After Free vulnerability in Intel Graphics Drivers

Use after free in some Intel(R) Graphics Drivers before version 15.33.51.5146 may allow an authenticated user to potentially enable denial of service via local access.

2.1
2021-02-17 CVE-2020-0525 Intel Incorrect Authorization vulnerability in Intel Ethernet Controller I210 Firmware

Improper access control in firmware for the Intel(R) Ethernet I210 Controller series of network adapters before version 3.30 may allow a privileged user to potentially enable denial of service via local access.

2.1
2021-02-17 CVE-2020-0524 Intel Incorrect Default Permissions vulnerability in Intel Ethernet Controller I210 Firmware

Improper default permissions in the firmware for the Intel(R) Ethernet I210 Controller series of network adapters before version 3.30 may allow an authenticated user to potentially enable denial of service via local access.

2.1
2021-02-17 CVE-2020-0523 Intel Incorrect Authorization vulnerability in Intel Ethernet Controller I210 Firmware

Improper access control in the firmware for the Intel(R) Ethernet I210 Controller series of network adapters before version 3.30 may potentially allow a privileged user to enable a denial of service via local access.

2.1
2021-02-17 CVE-2020-0522 Intel Improper Initialization vulnerability in Intel Ethernet Controller I210 Firmware

Improper initialization in the firmware for the Intel(R) Ethernet I210 Controller series of network adapters before version 3.30 may allow a privileged user to potentially enable denial of service via local access.

2.1
2021-02-17 CVE-2020-0518 Intel Unspecified vulnerability in Intel Graphics Drivers

Improper access control in the Intel(R) HD Graphics Control Panel before version 15.40.46.5144 and 15.36.39.5143 may allow an authenticated user to potentially enable denial of service via local access.

2.1
2021-02-17 CVE-2021-26933 XEN
Fedoraproject
An issue was discovered in Xen 4.9 through 4.14.x.
2.1
2021-02-16 CVE-2020-29457 Opcfoundation Improper Certificate Validation vulnerability in Opcfoundation Ua-.Netstandard

A Privilege Elevation vulnerability in OPC UA .NET Standard Stack 1.4.363.107 could allow a rogue application to establish a secure connection.

2.1
2021-02-16 CVE-2020-25340 Nfstream Allocation of Resources Without Limits or Throttling vulnerability in Nfstream 5.2.0

An issue was discovered in NFStream 5.2.0.

2.1
2021-02-17 CVE-2020-24491 Intel Cleartext Storage of Sensitive Information vulnerability in Intel Core I3, Core I5 and Core I7

Debug message containing addresses of memory transactions in some Intel(R) 10th Generation Core Processors supporting SGX may allow a privileged user to potentially enable information disclosure via local access.

1.9
2021-02-17 CVE-2021-26932 Linux
Fedoraproject
Debian
An issue was discovered in the Linux kernel 3.2 through 5.10.16, as used by Xen.
1.9
2021-02-17 CVE-2021-26931 Linux
Fedoraproject
Debian
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

An issue was discovered in the Linux kernel 2.6.39 through 5.10.16, as used in Xen.

1.9