Weekly Vulnerabilities Reports > February 22 to 28, 2021
Overview
338 new vulnerabilities reported during this period, including 42 critical vulnerabilities and 99 high severity vulnerabilities. This weekly summary report vulnerabilities in 1468 products from 121 vendors including Microsoft, Fedoraproject, Qualcomm, Debian, and Mozilla. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Information Exposure", "Improper Privilege Management", and "Use After Free".
- 239 reported vulnerabilities are remotely exploitables.
- 5 reported vulnerabilities have public exploit available.
- 82 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 238 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 58 reported vulnerabilities.
- Fedoraproject has the most reported critical vulnerabilities, with 11 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
42 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-02-26 | CVE-2021-27198 | Visualware | Unrestricted Upload of File with Dangerous Type vulnerability in Visualware Myconnection Server An issue was discovered in Visualware MyConnection Server before v11.1a. | 10.0 |
2021-02-26 | CVE-2019-11684 | Bosch | Incorrect Authorization vulnerability in Bosch products Improper Access Control in the RCP+ server of the Bosch Video Recording Manager (VRM) component allows arbitrary and unauthenticated access to a limited subset of certificates, stored in the underlying Microsoft Windows operating system. | 10.0 |
2021-02-24 | CVE-2021-1388 | Cisco | Unspecified vulnerability in Cisco products A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device. | 10.0 |
2021-02-24 | CVE-2021-22667 | Advantech | Use of Hard-coded Credentials vulnerability in Advantech Bb-Eswgp506-2Sfp-T Firmware BB-ESWGP506-2SFP-T versions 1.01.09 and prior is vulnerable due to the use of hard-coded credentials, which may allow an attacker to gain unauthorized access and permit the execution of arbitrary code on the BB-ESWGP506-2SFP-T (versions 1.01.01 and prior). | 10.0 |
2021-02-24 | CVE-2021-20658 | Contec | OS Command Injection vulnerability in Contec Sv-Cpt-Mc310 Firmware SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an attacker to execute arbitrary OS commands with the web server privilege via unspecified vectors. | 10.0 |
2021-02-22 | CVE-2020-21224 | Inspur | Argument Injection or Modification vulnerability in Inspur Clusterengine 4.0 A Remote Code Execution vulnerability has been found in Inspur ClusterEngine V4.0. | 10.0 |
2021-02-22 | CVE-2020-11272 | Qualcomm | Use After Free vulnerability in Qualcomm products Before enqueuing a frame to the PE queue for further processing, an entry in a hash table can be deleted and using a stale version later can lead to use after free condition in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 10.0 |
2021-02-22 | CVE-2020-11170 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Out of bound memory access while playing music playbacks with crafted vorbis content due to improper checks in header extraction in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 10.0 |
2021-02-22 | CVE-2020-11163 | Qualcomm | Improper Validation of Array Index vulnerability in Qualcomm products Possible buffer overflow while updating ikev2 parameters due to lack of check of input validation for certain parameters received from the ePDG server in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | 10.0 |
2021-02-27 | CVE-2021-3197 | Saltstack Fedoraproject Debian | Injection vulnerability in multiple products An issue was discovered in SaltStack Salt before 3002.5. | 9.8 |
2021-02-27 | CVE-2021-3148 | Saltstack Fedoraproject Debian | Command Injection vulnerability in multiple products An issue was discovered in SaltStack Salt before 3002.5. | 9.8 |
2021-02-27 | CVE-2021-25283 | Saltstack Fedoraproject Debian | Code Injection vulnerability in multiple products An issue was discovered in through SaltStack Salt before 3002.5. | 9.8 |
2021-02-27 | CVE-2021-25281 | Saltstack Fedoraproject Debian | Improper Authentication vulnerability in multiple products An issue was discovered in through SaltStack Salt before 3002.5. | 9.8 |
2021-02-25 | CVE-2021-24094 | Microsoft | Unspecified vulnerability in Microsoft products Windows TCP/IP Remote Code Execution Vulnerability | 9.8 |
2021-02-25 | CVE-2021-24078 | Microsoft | Unspecified vulnerability in Microsoft products Windows DNS Server Remote Code Execution Vulnerability | 9.8 |
2021-02-25 | CVE-2021-24077 | Microsoft | Unspecified vulnerability in Microsoft products Windows Fax Service Remote Code Execution Vulnerability | 9.8 |
2021-02-25 | CVE-2021-24074 | Microsoft | Unspecified vulnerability in Microsoft products Windows TCP/IP Remote Code Execution Vulnerability | 9.8 |
2021-02-25 | CVE-2021-3406 | Keylime Fedoraproject | Improper Certificate Validation vulnerability in multiple products A flaw was found in keylime 5.8.1 and older. | 9.8 |
2021-02-24 | CVE-2021-1393 | Cisco | Missing Authentication for Critical Function vulnerability in Cisco products Multiple vulnerabilities in Cisco Application Services Engine could allow an unauthenticated, remote attacker to gain privileged access to host-level operations or to learn device-specific information, create diagnostic files, and make limited configuration changes. | 9.8 |
2021-02-24 | CVE-2021-21972 | Vmware | Path Traversal vulnerability in VMWare Cloud Foundation and Vcenter Server The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. | 9.8 |
2021-02-22 | CVE-2021-3120 | Yithemes | Unrestricted Upload of File with Dangerous Type vulnerability in Yithemes Yith Woocommerce Gift Cards An arbitrary file upload vulnerability in the YITH WooCommerce Gift Cards Premium plugin before 3.3.1 for WordPress allows remote attackers to achieve remote code execution on the operating system in the security context of the web server. | 9.8 |
2021-02-22 | CVE-2021-26120 | Smarty Debian | Code Injection vulnerability in multiple products Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring. | 9.8 |
2021-02-22 | CVE-2021-21155 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in Tab Strip in Google Chrome on Windows prior to 88.0.4324.182 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-02-22 | CVE-2021-21154 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in Tab Strip in Google Chrome prior to 88.0.4324.182 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-02-22 | CVE-2021-21151 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in Payments in Google Chrome prior to 88.0.4324.182 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-02-22 | CVE-2021-21150 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in Downloads in Google Chrome on Windows prior to 88.0.4324.182 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2021-02-22 | CVE-2020-11276 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Possible buffer over read while processing P2P IE and NOA attribute of beacon and probe response frames due to improper validation of P2P IE and NOA attribute lengths in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 9.4 |
2021-02-22 | CVE-2020-11275 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Possible buffer over-read while parsing quiet IE in Rx beacon frame due to improper check of IE length in received beacon in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 9.4 |
2021-02-24 | CVE-2020-27224 | Eclipse | Cross-site Scripting vulnerability in Eclipse Theia In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited to execute arbitrary code. | 9.3 |
2021-02-27 | CVE-2021-3144 | Saltstack Fedoraproject Debian | Insufficient Session Expiration vulnerability in multiple products In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. | 9.1 |
2021-02-27 | CVE-2021-25282 | Saltstack Fedoraproject Debian | Path Traversal vulnerability in multiple products An issue was discovered in through SaltStack Salt before 3002.5. | 9.1 |
2021-02-24 | CVE-2021-1361 | Cisco | Files or Directories Accessible to External Parties vulnerability in Cisco Nx-Os 9.3(5)/9.3(6) A vulnerability in the implementation of an internal file management service for Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode that are running Cisco NX-OS Software could allow an unauthenticated, remote attacker to create, delete, or overwrite arbitrary files with root privileges on the device. | 9.1 |
2021-02-23 | CVE-2021-27582 | Mitreid | Unspecified vulnerability in Mitreid Connect org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. | 9.1 |
2021-02-26 | CVE-2021-26566 | Synology | Information Exposure vulnerability in Synology products Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic. | 9.0 |
2021-02-25 | CVE-2021-3273 | Nagios | Code Injection vulnerability in Nagios XI Nagios XI below 5.7 is affected by code injection in the /nagiosxi/admin/graphtemplates.php component. | 9.0 |
2021-02-23 | CVE-2021-26680 | Arubanetworks | Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. | 9.0 |
2021-02-23 | CVE-2021-26679 | Arubanetworks | Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. | 9.0 |
2021-02-23 | CVE-2021-26684 | Arubanetworks | Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. | 9.0 |
2021-02-23 | CVE-2021-26683 | Arubanetworks | Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. | 9.0 |
2021-02-23 | CVE-2021-26681 | Arubanetworks | Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote authenticated command Injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. | 9.0 |
2021-02-22 | CVE-2021-26068 | Atlassian | Injection vulnerability in Atlassian Jira Server for Slack An endpoint in Atlassian Jira Server for Slack plugin from version 0.0.3 before version 2.0.15 allows remote attackers to execute arbitrary code via a template injection vulnerability. | 9.0 |
2021-02-22 | CVE-2021-3149 | Netshieldcorp | OS Command Injection vulnerability in Netshieldcorp Nano 25 Firmware 10.2.18 On Netshield NANO 25 10.2.18 devices, /usr/local/webmin/System/manual_ping.cgi allows OS command injection (after authentication by the attacker) because the system C library function is used unsafely. | 9.0 |
99 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-02-26 | CVE-2021-21309 | Redislabs | Integer Overflow or Wraparound vulnerability in Redislabs Redis Redis is an open-source, in-memory database that persists on disk. | 8.8 |
2021-02-25 | CVE-2021-24093 | Microsoft | Unspecified vulnerability in Microsoft products Windows Graphics Component Remote Code Execution Vulnerability | 8.8 |
2021-02-25 | CVE-2021-24088 | Microsoft | Unspecified vulnerability in Microsoft products Windows Local Spooler Remote Code Execution Vulnerability | 8.8 |
2021-02-25 | CVE-2021-24072 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft SharePoint Server Remote Code Execution Vulnerability | 8.8 |
2021-02-25 | CVE-2021-24066 | Microsoft | Deserialization of Untrusted Data vulnerability in Microsoft products Microsoft SharePoint Remote Code Execution Vulnerability | 8.8 |
2021-02-25 | CVE-2021-1728 | Microsoft | Improper Privilege Management vulnerability in Microsoft System Center Operations Manager 2019 System Center Operations Manager Elevation of Privilege Vulnerability | 8.8 |
2021-02-25 | CVE-2020-17162 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Windows Security Feature Bypass Vulnerability | 8.8 |
2021-02-24 | CVE-2021-1368 | Cisco | Out-of-bounds Write vulnerability in Cisco Nx-Os and Unified Computing System A vulnerability in the Unidirectional Link Detection (UDLD) feature of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code with administrative privileges or cause a denial of service (DoS) condition on an affected device. | 8.8 |
2021-02-24 | CVE-2021-21617 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Configuration Slicing A cross-site request forgery (CSRF) vulnerability in Jenkins Configuration Slicing Plugin 1.51 and earlier allows attackers to apply different slice configurations. | 8.8 |
2021-02-23 | CVE-2021-26594 | Rangerstudio | Improper Privilege Management vulnerability in Rangerstudio Directus In Directus 8.x through 8.8.1, an attacker can switch to the administrator role (via the PATCH method) without any control by the back end. | 8.8 |
2021-02-23 | CVE-2021-22112 | Vmware Pivotal Software Oracle | Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). | 8.8 |
2021-02-22 | CVE-2021-21157 | Microsoft Fedoraproject | Use After Free vulnerability in multiple products Use after free in Web Sockets in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-02-22 | CVE-2021-21156 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.182 allowed a remote attacker to potentially exploit heap corruption via a crafted script. | 8.8 |
2021-02-22 | CVE-2021-21153 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products Stack buffer overflow in GPU Process in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | 8.8 |
2021-02-22 | CVE-2021-21152 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in Media in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-02-22 | CVE-2021-21149 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products Stack buffer overflow in Data Transfer in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. | 8.8 |
2021-02-24 | CVE-2021-1387 | Cisco | Memory Leak vulnerability in Cisco Nx-Os and Unified Computing System A vulnerability in the network stack of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 8.6 |
2021-02-25 | CVE-2021-24105 | Microsoft | Unspecified vulnerability in Microsoft Package Manager Configurations <p>Depending on configuration of various package managers it is possible for an attacker to insert a malicious package into a package manager's repository which can be retrieved and used during development, build, and release processes. | 8.4 |
2021-02-22 | CVE-2020-11269 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products Possible memory corruption while processing EAPOL frames due to lack of validation of key length before using it in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 8.3 |
2021-02-24 | CVE-2020-11988 | Apache Fedoraproject | Server-Side Request Forgery (SSRF) vulnerability in multiple products Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. | 8.2 |
2021-02-24 | CVE-2020-11987 | Apache Fedoraproject Oracle Debian | Server-Side Request Forgery (SSRF) vulnerability in multiple products Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. | 8.2 |
2021-02-25 | CVE-2021-26701 | Microsoft Fedoraproject | .NET Core Remote Code Execution Vulnerability | 8.1 |
2021-02-25 | CVE-2021-24112 | Microsoft | Unspecified vulnerability in Microsoft products .NET Core Remote Code Execution Vulnerability | 8.1 |
2021-02-25 | CVE-2021-1722 | Microsoft | Unspecified vulnerability in Microsoft products Windows Fax Service Remote Code Execution Vulnerability | 8.1 |
2021-02-26 | CVE-2019-18945 | Microfocus | Unspecified vulnerability in Microfocus Solutions Business Manager Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to privilege escalation vulnerability. | 8.0 |
2021-02-26 | CVE-2019-18943 | Microfocus | XXE vulnerability in Microfocus Solutions Business Manager Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to XML External Entity Processing (XXE) on certain operations. | 8.0 |
2021-02-25 | CVE-2021-1726 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft SharePoint Server Spoofing Vulnerability | 8.0 |
2021-02-27 | CVE-2020-28243 | Saltstack Fedoraproject Debian | Command Injection vulnerability in multiple products An issue was discovered in SaltStack Salt before 3002.5. | 7.8 |
2021-02-26 | CVE-2021-26567 | Synology Faad2 Project | Out-of-bounds Write vulnerability in multiple products Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options. | 7.8 |
2021-02-25 | CVE-2021-26700 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio Code Npm-Script Extension Visual Studio Code npm-script Extension Remote Code Execution Vulnerability | 7.8 |
2021-02-25 | CVE-2021-25195 | Microsoft | Unspecified vulnerability in Microsoft products Windows PKU2U Elevation of Privilege Vulnerability | 7.8 |
2021-02-25 | CVE-2021-24103 | Microsoft | Unspecified vulnerability in Microsoft products Windows Event Tracing Elevation of Privilege Vulnerability | 7.8 |
2021-02-25 | CVE-2021-24102 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Event Tracing Elevation of Privilege Vulnerability | 7.8 |
2021-02-25 | CVE-2021-24096 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Kernel Elevation of Privilege Vulnerability | 7.8 |
2021-02-25 | CVE-2021-24092 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Microsoft Defender Elevation of Privilege Vulnerability | 7.8 |
2021-02-25 | CVE-2021-24091 | Microsoft | Out-of-bounds Write vulnerability in Microsoft products Windows Camera Codec Pack Remote Code Execution Vulnerability | 7.8 |
2021-02-25 | CVE-2021-24083 | Microsoft | Out-of-bounds Write vulnerability in Microsoft products Windows Address Book Remote Code Execution Vulnerability | 7.8 |
2021-02-25 | CVE-2021-24081 | Microsoft | Out-of-bounds Write vulnerability in Microsoft products Microsoft Windows Codecs Library Remote Code Execution Vulnerability | 7.8 |
2021-02-25 | CVE-2021-24070 | Microsoft | Use After Free vulnerability in Microsoft products Microsoft Excel Remote Code Execution Vulnerability | 7.8 |
2021-02-25 | CVE-2021-24069 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Excel Remote Code Execution Vulnerability | 7.8 |
2021-02-25 | CVE-2021-24068 | Microsoft | Unspecified vulnerability in Microsoft Excel and Office web Apps Microsoft Excel Remote Code Execution Vulnerability | 7.8 |
2021-02-25 | CVE-2021-24067 | Microsoft | Use After Free vulnerability in Microsoft products Microsoft Excel Remote Code Execution Vulnerability | 7.8 |
2021-02-25 | CVE-2021-1733 | Microsoft | Improper Privilege Management vulnerability in Microsoft Psexec Sysinternals PsExec Elevation of Privilege Vulnerability | 7.8 |
2021-02-25 | CVE-2021-1732 | Microsoft | Out-of-bounds Write vulnerability in Microsoft products Windows Win32k Elevation of Privilege Vulnerability | 7.8 |
2021-02-25 | CVE-2021-1727 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Installer Elevation of Privilege Vulnerability | 7.8 |
2021-02-25 | CVE-2021-1698 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Win32k Elevation of Privilege Vulnerability | 7.8 |
2021-02-25 | CVE-2021-21066 | Adobe | Out-of-bounds Write vulnerability in Adobe Bridge Adobe Bridge version 11.0 (and earlier) is affected by an out-of-bounds write vulnerability when parsing TTF files that could result in arbitrary code execution in the context of the current user. | 7.8 |
2021-02-24 | CVE-2020-28599 | Openscad Fedoraproject | Out-of-bounds Write vulnerability in multiple products A stack-based buffer overflow vulnerability exists in the import_stl.cc:import_stl() functionality of Openscad openscad-2020.12-RC2. | 7.8 |
2021-02-23 | CVE-2021-3410 | Libcaca Project Debian Fedoraproject | Integer Overflow or Wraparound vulnerability in multiple products A flaw was found in libcaca v0.99.beta19. | 7.8 |
2021-02-23 | CVE-2021-20194 | Linux Redhat | Improper Input Validation vulnerability in multiple products There is a vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y , CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). | 7.8 |
2021-02-23 | CVE-2020-28587 | Softmaker | Out-of-bounds Write vulnerability in Softmaker Planmaker 2021 1014 A specially crafted document can cause the document parser to copy data from a particular record type into a static-sized buffer within an object that is smaller than the size used for the copy, which will cause a heap-based buffer overflow. | 7.8 |
2021-02-23 | CVE-2020-27782 | Redhat | Resource Exhaustion vulnerability in Redhat products A flaw was found in the Undertow AJP connector. | 7.8 |
2021-02-23 | CVE-2021-20226 | Linux Netapp | Use After Free vulnerability in multiple products A use-after-free flaw was found in the io_uring in Linux kernel, where a local attacker with a user privilege could cause a denial of service problem on the system The issue results from the lack of validating the existence of an object prior to performing operations on the object by not incrementing the file reference counter while in use. | 7.8 |
2021-02-23 | CVE-2021-22649 | Luxion Siemens | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Luxion KeyShot versions prior to 10.1, Luxion KeyShot Viewer versions prior to 10.1, Luxion KeyShot Network Rendering versions prior to 10.1, and Luxion KeyVR versions prior to 10.1 have multiple NULL pointer dereference issues while processing project files, which may allow an attacker to execute arbitrary code. | 7.8 |
2021-02-22 | CVE-2020-11297 | Qualcomm | Unspecified vulnerability in Qualcomm products Denial of service in WLAN module due to improper check of subtypes in logic where excessive frames are dropped in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music | 7.8 |
2021-02-22 | CVE-2020-11280 | Qualcomm | Reachable Assertion vulnerability in Qualcomm products Denial of service while processing fine timing measurement request (FTMR) frame with reserved bits set in the FTM parameter IE due to improper error handling in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.8 |
2021-02-22 | CVE-2020-11278 | Qualcomm | Reachable Assertion vulnerability in Qualcomm products Possible denial of service while handling host WMI command due to improper validation in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.8 |
2021-02-22 | CVE-2020-11270 | Qualcomm | Resource Exhaustion vulnerability in Qualcomm products Possible denial of service due to RTT responder consistently rejects all FTMR by transmitting FTM1 with failure status in the FTM parameter IE in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.8 |
2021-02-27 | CVE-2021-27132 | Sercomm | Injection vulnerability in Sercomm Agcombo Vd625 Firmware Agsot2.1.0 SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header. | 7.5 |
2021-02-27 | CVE-2019-25022 | Scytl | Code Injection vulnerability in Scytl Secure Vote 2.1 An issue was discovered in Scytl sVote 2.1. | 7.5 |
2021-02-26 | CVE-2021-27803 | W1 FI Fedoraproject Debian | A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. | 7.5 |
2021-02-26 | CVE-2021-26904 | Isida | SQL Injection vulnerability in Isida Retriever 5.2 LMA ISIDA Retriever 5.2 allows SQL Injection. | 7.5 |
2021-02-25 | CVE-2021-24111 | Microsoft | Unspecified vulnerability in Microsoft .Net Framework .NET Framework Denial of Service Vulnerability | 7.5 |
2021-02-25 | CVE-2021-24086 | Microsoft | Unspecified vulnerability in Microsoft products Windows TCP/IP Denial of Service Vulnerability | 7.5 |
2021-02-25 | CVE-2021-1734 | Microsoft | Unspecified vulnerability in Microsoft products Windows Remote Procedure Call Information Disclosure Vulnerability | 7.5 |
2021-02-25 | CVE-2020-23534 | Masterlab | Server-Side Request Forgery (SSRF) vulnerability in Masterlab 2.1.5 A server-side request forgery (SSRF) vulnerability in Upgrade.php of gopeak masterlab 2.1.5, via the 'source' parameter. | 7.5 |
2021-02-25 | CVE-2021-27670 | Appspace | Server-Side Request Forgery (SSRF) vulnerability in Appspace 6.2.4 Appspace 6.2.4 allows SSRF via the api/v1/core/proxy/jsonprequest url parameter. | 7.5 |
2021-02-24 | CVE-2021-1230 | Cisco | Unspecified vulnerability in Cisco Nx-Os A vulnerability with the Border Gateway Protocol (BGP) for Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, remote attacker to cause a routing process to crash, which could lead to a denial of service (DoS) condition. | 7.5 |
2021-02-23 | CVE-2021-26593 | Rangerstudio | Information Exposure vulnerability in Rangerstudio Directus In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/{id}. | 7.5 |
2021-02-23 | CVE-2020-28429 | Geojson2Kml Project | Command Injection vulnerability in Geojson2Kml Project Geojson2Kml All versions of package geojson2kml are vulnerable to Command Injection via the index.js file. | 7.5 |
2021-02-23 | CVE-2020-14359 | Redhat | Authentication Bypass by Primary Weakness vulnerability in Redhat Louketo Proxy A vulnerability was found in all versions of Keycloak Gatekeeper, where on using lower case HTTP headers (via cURL) an attacker can bypass our Gatekeeper. | 7.5 |
2021-02-22 | CVE-2021-27228 | Shinobi | Use of Hard-coded Credentials vulnerability in Shinobi PRO An issue was discovered in Shinobi through ocean version 1. | 7.5 |
2021-02-22 | CVE-2020-11296 | Qualcomm | Reachable Assertion vulnerability in Qualcomm products Arithmetic overflow can happen while processing NOA IE due to improper error handling in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.5 |
2021-02-22 | CVE-2020-11283 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products A buffer overflow can occur when playing an MKV clip due to lack of input validation in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 7.5 |
2021-02-22 | CVE-2021-26119 | Smarty Debian | Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode. | 7.5 |
2021-02-22 | CVE-2021-24115 | Botan Project | Unspecified vulnerability in Botan Project Botan In Botan before 2.17.3, constant-time computations are not used for certain decoding and encoding operations (base32, base58, base64, and hex). | 7.5 |
2021-02-22 | CVE-2021-27516 | URI JS Project | Unspecified vulnerability in Uri.Js Project Uri.Js URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path. | 7.5 |
2021-02-22 | CVE-2021-27514 | Eyesofnetwork | Improper Restriction of Excessive Authentication Attempts vulnerability in Eyesofnetwork 5.310 EyesOfNetwork 5.3-10 uses an integer of between 8 and 10 digits for the session ID, which might be leveraged for brute-force authentication bypass (such as in CVE-2021-27513 exploitation). | 7.5 |
2021-02-27 | CVE-2020-35662 | Saltstack Fedoraproject Debian | Improper Certificate Validation vulnerability in multiple products In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated. | 7.4 |
2021-02-23 | CVE-2021-20247 | Mbsync Project Debian Fedoraproject | Path Traversal vulnerability in multiple products A flaw was found in mbsync before v1.3.5 and v1.4.1. | 7.4 |
2021-02-26 | CVE-2020-36079 | Zenphoto | Unrestricted Upload of File with Dangerous Type vulnerability in Zenphoto Zenphoto through 1.5.7 is affected by authenticated arbitrary file upload, leading to remote code execution. | 7.2 |
2021-02-26 | CVE-2021-0406 | Out-of-bounds Write vulnerability in Google Android 10.0/11.0 In cameraisp, there is a possible out of bounds write due to a missing bounds check. | 7.2 | |
2021-02-26 | CVE-2021-0405 | Out-of-bounds Write vulnerability in Google Android 10.0/11.0 In performance driver, there is a possible out of bounds write due to a missing bounds check. | 7.2 | |
2021-02-26 | CVE-2021-0402 | Out-of-bounds Write vulnerability in Google Android 11.0 In jpeg, there is a possible out of bounds write due to improper input validation. | 7.2 | |
2021-02-23 | CVE-2021-26677 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A local authenticated escalation of privilege vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. | 7.2 |
2021-02-23 | CVE-2021-25630 | Collaboraoffice | Improper Privilege Management vulnerability in Collaboraoffice Online "loolforkit" is a privileged program that is supposed to be run by a special, non-privileged "lool" user. | 7.2 |
2021-02-22 | CVE-2021-26724 | Nozominetworks | OS Command Injection vulnerability in Nozominetworks Central Management Control and Guardian OS Command Injection vulnerability when changing date settings or hostname using web GUI of Nozomi Networks Guardian and CMC allows authenticated administrators to perform remote code execution. | 7.2 |
2021-02-22 | CVE-2020-11271 | Qualcomm | Improper Validation of Array Index vulnerability in Qualcomm products Possible out of bounds while accessing global control elements due to race condition in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 7.2 |
2021-02-22 | CVE-2020-11253 | Qualcomm | Improper Input Validation vulnerability in Qualcomm products Arbitrary memory write issue in video driver while setting the internal buffers in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | 7.2 |
2021-02-22 | CVE-2020-11223 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Out of bound in camera driver due to lack of check of validation of array index before copying into array in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | 7.2 |
2021-02-22 | CVE-2020-11204 | Qualcomm | Improper Input Validation vulnerability in Qualcomm products Possible memory corruption and information leakage in sub-system due to lack of check for validity and boundary compliance for parameters that are read from shared MSG RAM in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 7.2 |
2021-02-22 | CVE-2020-11198 | Qualcomm | Information Exposure vulnerability in Qualcomm products Key material used for TZ diag buffer encryption and other data related to log buffer is not wiped securely due to improper usage of memset in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.2 |
2021-02-22 | CVE-2020-11195 | Qualcomm | Improper Input Validation vulnerability in Qualcomm products Out of bound write and read in TA while processing command from NS side due to improper length check on command and response buffers in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music | 7.2 |
2021-02-22 | CVE-2020-11194 | Qualcomm | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Qualcomm products Possible out of bound access in TA while processing a command from NS side due to improper length check of response buffer in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking | 7.2 |
2021-02-22 | CVE-2020-11187 | Qualcomm | Improper Validation of Array Index vulnerability in Qualcomm products Possible memory corruption in BSI module due to improper validation of parameter count in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Mobile | 7.2 |
2021-02-22 | CVE-2020-11177 | Qualcomm | Unspecified vulnerability in Qualcomm products User can overwrite Security Code NV item without knowing current SPC due to improper validation of SPC code setting and device lock in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 7.2 |
2021-02-23 | CVE-2021-26926 | Jasper Project Fedoraproject | Out-of-bounds Read vulnerability in multiple products A flaw was found in jasper before 2.0.25. | 7.1 |
2021-02-25 | CVE-2021-24087 | Azure IOT CLI Extension | Improper Privilege Management vulnerability in Azure-Iot-Cli-Extension - Azure IoT CLI extension Elevation of Privilege Vulnerability | 7.0 |
2021-02-25 | CVE-2021-1639 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio 2017 and Visual Studio Code Visual Studio Code Remote Code Execution Vulnerability | 7.0 |
173 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-02-26 | CVE-2021-0401 | Race Condition vulnerability in Google Android 10.0/11.0 In vow, there is a possible memory corruption due to a race condition. | 6.9 | |
2021-02-26 | CVE-2021-0367 | Race Condition vulnerability in Google Android 10.0/11.0 In vpu, there is a possible memory corruption due to a race condition. | 6.9 | |
2021-02-26 | CVE-2021-0366 | Race Condition vulnerability in Google Android 10.0/11.0 In vpu, there is a possible memory corruption due to a race condition. | 6.9 | |
2021-02-25 | CVE-2020-8032 | Opensuse | Insecure Temporary File vulnerability in Opensuse Cyrus-Sasl A Insecure Temporary File vulnerability in the packaging of cyrus-sasl of openSUSE Factory allows local attackers to escalate to root. | 6.9 |
2021-02-22 | CVE-2020-11277 | Qualcomm | Use After Free vulnerability in Qualcomm products Possible race condition during async fastrpc session after sending RPC message due to the fastrpc ctx gets free during async session in Snapdragon Compute, Snapdragon Industrial IOT, Snapdragon Mobile | 6.9 |
2021-02-26 | CVE-2021-26562 | Synology | Out-of-bounds Write vulnerability in Synology products Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header. | 6.8 |
2021-02-26 | CVE-2021-26561 | Synology | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Synology products Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header. | 6.8 |
2021-02-26 | CVE-2021-23979 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox Mozilla developers reported memory safety bugs present in Firefox 85. | 6.8 |
2021-02-26 | CVE-2021-23978 | Mozilla Debian | Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. | 6.8 |
2021-02-26 | CVE-2021-23965 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox Mozilla developers reported memory safety bugs present in Firefox 84. | 6.8 |
2021-02-26 | CVE-2021-23964 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox Mozilla developers reported memory safety bugs present in Firefox 84 and Firefox ESR 78.6. | 6.8 |
2021-02-26 | CVE-2021-23962 | Mozilla | Unspecified vulnerability in Mozilla Firefox Incorrect use of the '<RowCountChanged>' method could have led to a user-after-poison and a potentially exploitable crash. | 6.8 |
2021-02-26 | CVE-2021-23960 | Mozilla | Unspecified vulnerability in Mozilla Firefox Performing garbage collection on re-declared JavaScript variables resulted in a user-after-poison, and a potentially exploitable crash. | 6.8 |
2021-02-26 | CVE-2021-23954 | Mozilla | Type Confusion vulnerability in Mozilla Firefox Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a memory corruption and a potentially exploitable crash. | 6.8 |
2021-02-26 | CVE-2021-23972 | Mozilla | Unspecified vulnerability in Mozilla Firefox One phishing tactic on the web is to provide a link with HTTP Auth. | 6.8 |
2021-02-25 | CVE-2021-24109 | Microsoft | Unspecified vulnerability in Microsoft Azure Kubernetes Service Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | 6.8 |
2021-02-25 | CVE-2021-24075 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016 Microsoft Windows VMSwitch Denial of Service Vulnerability | 6.8 |
2021-02-25 | CVE-2021-20328 | Mongodb Quarkus | Improper Certificate Validation vulnerability in multiple products Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. | 6.8 |
2021-02-25 | CVE-2021-20327 | Mongodb | Improper Certificate Validation vulnerability in Mongodb Libmongocrypt 1.2.0 A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. | 6.8 |
2021-02-25 | CVE-2020-36254 | Dropbear SSH Project | Unspecified vulnerability in Dropbear SSH Project Dropbear SSH scp.c in Dropbear before 2020.79 mishandles the filename of . | 6.8 |
2021-02-24 | CVE-2020-7836 | Voiceye Wsactivebridgees Project | Out-of-bounds Write vulnerability in Voiceye Wsactivebridgees Project Voiceye Wsactivebridges VOICEYE WSActiveBridgeES versions prior to 2.1.0.3 contains a stack-based buffer overflow vulnerability caused by improper bound checking parameter given by attack. | 6.8 |
2021-02-24 | CVE-2020-7846 | Cnesty | Use of Hard-coded Credentials vulnerability in Cnesty Helpcom Helpcom before v10.0 contains a file download and execution vulnerability caused by storing hardcoded cryptographic key. | 6.8 |
2021-02-23 | CVE-2021-20252 | Redhat | Improper Input Validation vulnerability in Redhat 3Scale API Management 2.0 A flaw was found in Red Hat 3scale API Management Platform 2. | 6.8 |
2021-02-23 | CVE-2021-22651 | Luxion Siemens | Path Traversal vulnerability in multiple products When loading a specially crafted file, Luxion KeyShot versions prior to 10.1, Luxion KeyShot Viewer versions prior to 10.1, Luxion KeyShot Network Rendering versions prior to 10.1, and Luxion KeyVR versions prior to 10.1 are, while processing the extraction of temporary files, suffering from a directory traversal vulnerability, which allows an attacker to store arbitrary scripts into automatic startup folders. | 6.8 |
2021-02-23 | CVE-2021-20198 | Redhat | Missing Authentication for Critical Function vulnerability in Redhat Openshift Installer A flaw was found in the OpenShift Installer before version v0.9.0-master.0.20210125200451-95101da940b0. | 6.8 |
2021-02-23 | CVE-2020-16243 | WE CON | Out-of-bounds Write vulnerability in We-Con Levistudiou Multiple buffer overflow vulnerabilities exist when LeviStudioU (Version 2019-09-21 and prior) processes project files. | 6.8 |
2021-02-23 | CVE-2021-22647 | Luxion Siemens | Out-of-bounds Write vulnerability in multiple products Luxion KeyShot versions prior to 10.1, Luxion KeyShot Viewer versions prior to 10.1, Luxion KeyShot Network Rendering versions prior to 10.1, and Luxion KeyVR versions prior to 10.1 are vulnerable to multiple out-of-bounds write issues while processing project files, which may allow an attacker to execute arbitrary code. | 6.8 |
2021-02-23 | CVE-2021-22645 | Luxion Siemens | Luxion KeyShot versions prior to 10.1, Luxion KeyShot Viewer versions prior to 10.1, Luxion KeyShot Network Rendering versions prior to 10.1, and Luxion KeyVR versions prior to 10.1 are vulnerable to an attack because the .bip documents display a “load” command, which can be pointed to a .dll from a remote network share. | 6.8 |
2021-02-23 | CVE-2021-22643 | Luxion Siemens | Out-of-bounds Read vulnerability in multiple products Luxion KeyShot versions prior to 10.1, Luxion KeyShot Viewer versions prior to 10.1, Luxion KeyShot Network Rendering versions prior to 10.1, and Luxion KeyVR versions prior to 10.1 are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code. | 6.8 |
2021-02-23 | CVE-2020-25690 | Fontforge | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Fontforge An out-of-bounds write flaw was found in FontForge in versions before 20200314 while parsing SFD files containing certain LayerCount tokens. | 6.8 |
2021-02-22 | CVE-2020-24175 | YZ1 | Out-of-bounds Write vulnerability in YZ1 0.30/0.32 Buffer overflow in Yz1 0.30 and 0.32, as used in IZArc 4.4, ZipGenius 6.3.2.3116, and Explzh (extension) 8.14, allows attackers to execute arbitrary code via a crafted archive file, related to filename handling. | 6.8 |
2021-02-26 | CVE-2020-24455 | Tpm2 Software Stack Project Fedoraproject | Missing Initialization of Resource vulnerability in multiple products Missing initialization of a variable in the TPM2 source may allow a privileged user to potentially enable an escalation of privilege via local access. | 6.7 |
2021-02-26 | CVE-2021-21302 | Prestashop | Improper Neutralization of Formula Elements in a CSV File vulnerability in Prestashop PrestaShop is a fully scalable open source e-commerce solution. | 6.5 |
2021-02-26 | CVE-2021-21274 | Matrix Fedoraproject | Allocation of Resources Without Limits or Throttling vulnerability in multiple products Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). | 6.5 |
2021-02-26 | CVE-2021-21298 | Nodered | Path Traversal vulnerability in Nodered Node-Red Node-Red is a low-code programming for event-driven applications built using nodejs. | 6.5 |
2021-02-26 | CVE-2021-21297 | Nodered | Unspecified vulnerability in Nodered Node-Red Node-Red is a low-code programming for event-driven applications built using nodejs. | 6.5 |
2021-02-25 | CVE-2021-24101 | Microsoft | Unspecified vulnerability in Microsoft Dynamics 365 8.2/9.0 Microsoft Dataverse Information Disclosure Vulnerability | 6.5 |
2021-02-25 | CVE-2021-24099 | Microsoft | Unspecified vulnerability in Microsoft Lync Server and Skype for Business Server Skype for Business and Lync Denial of Service Vulnerability | 6.5 |
2021-02-25 | CVE-2021-24085 | Microsoft | Unspecified vulnerability in Microsoft Exchange Server 2016/2019 Microsoft Exchange Server Spoofing Vulnerability | 6.5 |
2021-02-25 | CVE-2021-24080 | Microsoft | Unspecified vulnerability in Microsoft products Windows Trust Verification API Denial of Service Vulnerability | 6.5 |
2021-02-25 | CVE-2021-24073 | Microsoft | Unspecified vulnerability in Microsoft Lync Server and Skype for Business Server Skype for Business and Lync Spoofing Vulnerability | 6.5 |
2021-02-25 | CVE-2021-1721 | Microsoft | Unspecified vulnerability in Microsoft products .NET Core and Visual Studio Denial of Service Vulnerability | 6.5 |
2021-02-24 | CVE-2021-1396 | Cisco | Missing Authentication for Critical Function vulnerability in Cisco products Multiple vulnerabilities in Cisco Application Services Engine could allow an unauthenticated, remote attacker to gain privileged access to host-level operations or to learn device-specific information, create diagnostic files, and make limited configuration changes. | 6.5 |
2021-02-24 | CVE-2021-1228 | Cisco | Unspecified vulnerability in Cisco Nx-Os A vulnerability in the fabric infrastructure VLAN connection establishment of Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) Mode could allow an unauthenticated, adjacent attacker to bypass security validations and connect an unauthorized server to the infrastructure VLAN. | 6.5 |
2021-02-24 | CVE-2021-20659 | Contec | Unrestricted Upload of File with Dangerous Type vulnerability in Contec Sv-Cpt-Mc310 Firmware SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an authenticated attacker to upload arbitrary files via unspecified vectors. | 6.5 |
2021-02-23 | CVE-2021-20182 | Redhat | Files or Directories Accessible to External Parties vulnerability in Redhat Openshift Container Platform A privilege escalation flaw was found in openshift4/ose-docker-builder. | 6.5 |
2021-02-23 | CVE-2021-3405 | Matroska Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products A flaw was found in libebml before 1.4.2. | 6.5 |
2021-02-23 | CVE-2020-25161 | Advantech | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Advantech Webaccess/Scada The WADashboard component of WebAccess/SCADA Versions 9.0 and prior may allow an attacker to control or influence a path used in an operation on the filesystem and remotely execute code as an administrator. | 6.5 |
2021-02-22 | CVE-2021-27513 | Eyesofnetwork | Unrestricted Upload of File with Dangerous Type vulnerability in Eyesofnetwork 5.310 The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote authenticated users to upload arbitrary .xml.php files because it relies on "le filtre userside." | 6.5 |
2021-02-27 | CVE-2019-25023 | Scytl | Authentication Bypass by Spoofing vulnerability in Scytl Secure Vote 2.1 An issue was discovered in Scytl sVote 2.1. | 6.4 |
2021-02-26 | CVE-2021-21308 | Prestashop | Improper Authentication vulnerability in Prestashop PrestaShop is a fully scalable open source e-commerce solution. | 6.4 |
2021-02-26 | CVE-2020-28199 | Bestit | Information Exposure vulnerability in Bestit Amazon PAY best it Amazon Pay Plugin before 9.4.2 for Shopware exposes Sensitive Information to an Unauthorized Actor. | 6.4 |
2021-02-26 | CVE-2021-21273 | Matrix Fedoraproject | Open Redirect vulnerability in multiple products Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). | 6.1 |
2021-02-26 | CVE-2021-21330 | Aiohttp Debian Fedoraproject | Open Redirect vulnerability in multiple products aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. | 6.1 |
2021-02-25 | CVE-2021-1724 | Microsoft | Cross-site Scripting vulnerability in Microsoft Dynamics 365 Business Central and Dynamics NAV Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | 6.1 |
2021-02-27 | CVE-2020-28972 | Saltstack Fedoraproject Debian | Improper Certificate Validation vulnerability in multiple products In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS certificate. | 5.9 |
2021-02-23 | CVE-2021-27568 | Json Smart Project Oracle | Improper Check for Unusual or Exceptional Conditions vulnerability in multiple products An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. | 5.9 |
2021-02-26 | CVE-2021-26564 | Synology | Cleartext Transmission of Sensitive Information vulnerability in Synology products Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session. | 5.8 |
2021-02-26 | CVE-2021-26560 | Synology | Cleartext Transmission of Sensitive Information vulnerability in Synology products Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session. | 5.8 |
2021-02-26 | CVE-2021-23976 | Mozilla | Improper Restriction of Rendered UI Layers or Frames vulnerability in Mozilla Firefox When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. | 5.8 |
2021-02-24 | CVE-2021-1227 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Nx-Os A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. | 5.8 |
2021-02-24 | CVE-2021-21974 | Vmware | Out-of-bounds Write vulnerability in VMWare Cloud Foundation and Esxi OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. | 5.8 |
2021-02-23 | CVE-2021-20220 | Redhat Netapp | HTTP Request Smuggling vulnerability in multiple products A flaw was found in Undertow. | 5.8 |
2021-02-22 | CVE-2020-35681 | Djangoproject | Information Exposure vulnerability in Djangoproject Channels 3.0.0/3.0.1/3.0.2 Django Channels 3.x before 3.0.3 allows remote attackers to obtain sensitive information from a different request scope. | 5.8 |
2021-02-25 | CVE-2021-24114 | Microsoft | Unspecified vulnerability in Microsoft Teams Microsoft Teams iOS Information Disclosure Vulnerability | 5.7 |
2021-02-26 | CVE-2020-27618 | GNU Netapp Oracle Debian | Infinite Loop vulnerability in multiple products The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228. | 5.5 |
2021-02-25 | CVE-2021-24106 | Microsoft | Unspecified vulnerability in Microsoft products Windows DirectX Information Disclosure Vulnerability | 5.5 |
2021-02-25 | CVE-2021-24098 | Microsoft | Unspecified vulnerability in Microsoft products Windows Console Driver Denial of Service Vulnerability | 5.5 |
2021-02-25 | CVE-2021-24084 | Microsoft | Link Following vulnerability in Microsoft products Windows Mobile Device Management Information Disclosure Vulnerability | 5.5 |
2021-02-25 | CVE-2021-24079 | Microsoft | Unspecified vulnerability in Microsoft products Windows Backup Engine Information Disclosure Vulnerability | 5.5 |
2021-02-25 | CVE-2021-24076 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Windows VMSwitch Information Disclosure Vulnerability | 5.5 |
2021-02-25 | CVE-2021-1731 | Microsoft | Insufficiently Protected Credentials vulnerability in Microsoft products PFX Encryption Security Feature Bypass Vulnerability | 5.5 |
2021-02-24 | CVE-2021-1450 | Cisco | Improper Input Validation vulnerability in Cisco Anyconnect Secure Mobility Client 4.9(5086) A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client could allow an authenticated, local attacker to cause a denial of service (DoS) condition on an affected device. | 5.5 |
2021-02-24 | CVE-2021-20661 | Contec | Path Traversal vulnerability in Contec Sv-Cpt-Mc310 Firmware Directory traversal vulnerability in SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows authenticated attackers to delete arbitrary files and/or directories on the server via unspecified vectors. | 5.5 |
2021-02-24 | CVE-2021-20657 | Contec | Unspecified vulnerability in Contec Sv-Cpt-Mc310 Firmware Improper access control vulnerability in SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an authenticated attacker to obtain and/or alter the setting information without the access privilege via unspecified vectors. | 5.5 |
2021-02-23 | CVE-2021-3407 | Artifex Fedoraproject Debian | Double Free vulnerability in multiple products A flaw was found in mupdf 1.18.0. | 5.5 |
2021-02-23 | CVE-2021-26927 | Jasper Project Fedoraproject | NULL Pointer Dereference vulnerability in multiple products A flaw was found in jasper before 2.0.25. | 5.5 |
2021-02-23 | CVE-2021-26686 | Arubanetworks | SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote authenticated SQL Injection vulnerabilitiy was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. | 5.5 |
2021-02-23 | CVE-2021-26685 | Arubanetworks | SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager A remote authenticated SQL Injection vulnerabilitiy was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. | 5.5 |
2021-02-25 | CVE-2021-24113 | Microsoft | Unspecified vulnerability in Microsoft Edge Chromium Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | 5.4 |
2021-02-25 | CVE-2021-1730 | Microsoft | Unspecified vulnerability in Microsoft Exchange Server 2016/2019 <p>A spoofing vulnerability exists in Microsoft Exchange Server which could result in an attack that would allow a malicious actor to impersonate the user.</p> <p>This update addresses this vulnerability.</p> <p>To prevent these types of attacks, Microsoft recommends customers to download inline images from different DNSdomains than the rest of OWA. | 5.4 |
2021-02-24 | CVE-2021-21622 | Jenkins | Cross-site Scripting vulnerability in Jenkins Artifact Repository Parameter 1.0.0 Jenkins Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | 5.4 |
2021-02-24 | CVE-2021-21619 | Jenkins | Cross-site Scripting vulnerability in Jenkins Claim Jenkins Claim Plugin 2.18.1 and earlier does not escape the user display name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins. | 5.4 |
2021-02-24 | CVE-2021-21618 | Jenkins | Cross-site Scripting vulnerability in Jenkins Repository Connector Jenkins Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2021-02-26 | CVE-2020-27223 | Eclipse Apache Netapp Debian Oracle | Resource Exhaustion vulnerability in multiple products In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. | 5.3 |
2021-02-25 | CVE-2021-24071 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft SharePoint Information Disclosure Vulnerability | 5.3 |
2021-02-24 | CVE-2021-1229 | Cisco | Memory Leak vulnerability in Cisco Nx-Os 15.1(2.31)/5.2(1)Sv5(1.3A)/8.4(3.53) A vulnerability in ICMP Version 6 (ICMPv6) processing in Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a slow system memory leak, which over time could lead to a denial of service (DoS) condition. | 5.3 |
2021-02-24 | CVE-2021-21973 | Vmware | Server-Side Request Forgery (SSRF) vulnerability in VMWare Cloud Foundation and Vcenter Server The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. | 5.3 |
2021-02-24 | CVE-2021-21621 | Jenkins | Information Exposure vulnerability in Jenkins Support Core Jenkins Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information, which can include the session ID of the user creating the support bundle in some configurations. | 5.3 |
2021-02-23 | CVE-2021-20256 | Redhat | Information Exposure vulnerability in Redhat Satellite 6.0 A flaw was found in Red Hat Satellite. | 5.3 |
2021-02-23 | CVE-2021-27583 | Rangerstudio | Information Exposure Through Discrepancy vulnerability in Rangerstudio Directus In Directus 8.x through 8.8.1, an attacker can discover whether a user is present in the database through the password reset feature. | 5.3 |
2021-02-23 | CVE-2021-26595 | Rangerstudio | Cleartext Storage of Sensitive Information vulnerability in Rangerstudio Directus In Directus 8.x through 8.8.1, an attacker can learn sensitive information such as the version of the CMS, the PHP version used by the site, and the name of the DBMS, simply by view the result of the api-aa, called automatically upon a connection. | 5.3 |
2021-02-22 | CVE-2021-27549 | Genymobile | Cleartext Storage of Sensitive Information vulnerability in Genymobile Genymotion Desktop Genymotion Desktop through 3.2.0 leaks the host's clipboard data to the Android application by default. | 5.3 |
2021-02-22 | CVE-2021-27515 | URL Parse Project | Unspecified vulnerability in Url-Parse Project Url-Parse url-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path. | 5.3 |
2021-02-23 | CVE-2020-7847 | Iptime | Unrestricted Upload of File with Dangerous Type vulnerability in Iptime products The ipTIME NAS product allows an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. | 5.2 |
2021-02-27 | CVE-2019-25021 | Scytl | Use of Hard-coded Credentials vulnerability in Scytl Secure Vote 2.1 An issue was discovered in Scytl sVote 2.1. | 5.0 |
2021-02-27 | CVE-2019-25020 | Scytl | Missing Authentication for Critical Function vulnerability in Scytl Secure Vote 2.1 An issue was discovered in Scytl sVote 2.1. | 5.0 |
2021-02-26 | CVE-2021-27799 | Zint | Out-of-bounds Write vulnerability in Zint Barcode Generator 2.9.1 ean_leading_zeroes in backend/upcean.c in Zint Barcode Generator 2.9.1 has a stack-based buffer overflow that is reachable from the C API through an application that includes the Zint Barcode Generator library code. | 5.0 |
2021-02-26 | CVE-2021-23345 | Thecodingmachine | Server-Side Request Forgery (SSRF) vulnerability in Thecodingmachine Gotenberg All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as <iframe src='file:///etc/passwd'>. | 5.0 |
2021-02-26 | CVE-2020-24686 | ABB | Resource Exhaustion vulnerability in ABB products The vulnerabilities can be exploited to cause the web visualization component of the PLC to stop and not respond, leading to genuine users losing remote visibility of the PLC state. | 5.0 |
2021-02-26 | CVE-2021-22661 | Prosoft Technology | Unspecified vulnerability in Prosoft-Technology Icx35-Hwc-A Firmware and Icx35-Hwc-E Firmware Changing the password on the module webpage does not require the user to type in the current password first. | 5.0 |
2021-02-26 | CVE-2021-21328 | Vapor Project | Resource Exhaustion vulnerability in Vapor Project Vapor 4.29.4 Vapor is a web framework for Swift. | 5.0 |
2021-02-25 | CVE-2021-24100 | Microsoft | Unspecified vulnerability in Microsoft Edge Microsoft Edge for Android Information Disclosure Vulnerability | 5.0 |
2021-02-25 | CVE-2020-27543 | Restify Paginate Project | Improper Handling of Exceptional Conditions vulnerability in Restify-Paginate Project Restify-Paginate 0.0.5 The restify-paginate package 0.0.5 for Node.js allows remote attackers to cause a Denial-of-Service by omitting the HTTP Host header. | 5.0 |
2021-02-24 | CVE-2021-20662 | Contec | Missing Authentication for Critical Function vulnerability in Contec Sv-Cpt-Mc310 Firmware Missing authentication for critical function in SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an attacker to alter the setting information without the access privileges via unspecified vectors. | 5.0 |
2021-02-23 | CVE-2021-22882 | UI | Unspecified vulnerability in UI Unifi Protect Controller UniFi Protect before v1.17.1 allows an attacker to use spoofed cameras to perform a denial-of-service attack that may cause the UniFi Protect controller to crash. | 5.0 |
2021-02-23 | CVE-2021-20230 | Stunnel | Improper Certificate Validation vulnerability in Stunnel A flaw was found in stunnel before 5.57, where it improperly validates client certificates when it is configured to use both redirect and verifyChain options. | 5.0 |
2021-02-23 | CVE-2021-3252 | Kaco Newenergy | Insufficiently Protected Credentials vulnerability in Kaco-Newenergy Xp100U Firmware Xpjava2.0 KACO New Energy XP100U Up to XP-JAVA 2.0 is affected by incorrect access control. | 5.0 |
2021-02-22 | CVE-2020-29453 | Atlassian | Path Traversal vulnerability in Atlassian Data Center, Jira Data Center and Jira Server The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center before version 8.5.11, from 8.6.0 before 8.13.3, and from 8.14.0 before 8.15.0 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. | 5.0 |
2021-02-22 | CVE-2020-29448 | Atlassian | Unspecified vulnerability in Atlassian Confluence Data Center and Confluence Server The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center before version 6.13.18, from 6.14.0 before 7.4.6, and from 7.5.0 before 7.8.3 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. | 5.0 |
2021-02-22 | CVE-2020-11287 | Qualcomm | Unspecified vulnerability in Qualcomm products Allowing RTT frames to be linked with non randomized MAC address by comparing the sequence numbers can lead to information disclosure. | 5.0 |
2021-02-22 | CVE-2020-11281 | Qualcomm | Information Exposure vulnerability in Qualcomm products Allowing RTT frames to be linked with non randomized MAC address by comparing the sequence numbers can lead to information disclosure. | 5.0 |
2021-02-22 | CVE-2020-35556 | Acronis | Origin Validation Error vulnerability in Acronis Cyber Protect 15 An issue was discovered in Acronis Cyber Protect before 15 Update 1 build 26172. | 5.0 |
2021-02-22 | CVE-2021-26725 | Nozominetworks | Path Traversal vulnerability in Nozominetworks Central Management Control and Guardian Path Traversal vulnerability when changing timezone using web GUI of Nozomi Networks Guardian, CMC allows an authenticated administrator to read-protected system files. | 4.9 |
2021-02-26 | CVE-2019-18946 | Microfocus | Session Fixation vulnerability in Microfocus Solutions Business Manager Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to session fixation. | 4.8 |
2021-02-26 | CVE-2019-18944 | Microfocus | Cross-site Scripting vulnerability in Microfocus Solutions Business Manager Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to reflected XSS. | 4.8 |
2021-02-26 | CVE-2019-18942 | Microfocus | Cross-site Scripting vulnerability in Microfocus Solutions Business Manager Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to stored XSS. | 4.8 |
2021-02-24 | CVE-2021-1231 | Cisco | Origin Validation Error vulnerability in Cisco Nx-Os A vulnerability in the Link Layer Discovery Protocol (LLDP) for Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, adjacent attacker to disable switching on a small form-factor pluggable (SFP) interface. | 4.7 |
2021-02-26 | CVE-2021-26563 | Synology | Incorrect Authorization vulnerability in Synology products Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors. | 4.6 |
2021-02-26 | CVE-2020-26200 | Kaspersky | Incorrect Authorization vulnerability in Kaspersky Endpoint Security and Rescue Disk A component of Kaspersky custom boot loader allowed loading of untrusted UEFI modules due to insufficient check of their authenticity. | 4.6 |
2021-02-24 | CVE-2021-21616 | Jenkins | Cross-site Scripting vulnerability in Jenkins Active Choices Jenkins Active Choices Plugin 2.5.2 and earlier does not escape reference parameter values, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | 4.6 |
2021-02-23 | CVE-2020-7120 | Arubanetworks | Classic Buffer Overflow vulnerability in Arubanetworks Clearpass Policy Manager A local authenticated buffer overflow vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. | 4.6 |
2021-02-22 | CVE-2020-22475 | Tasks | Incorrect Default Permissions vulnerability in Tasks "Tasks" application version before 9.7.3 is affected by insecure permissions. | 4.6 |
2021-02-22 | CVE-2020-11286 | Qualcomm | NULL Pointer Dereference vulnerability in Qualcomm products An Untrusted Pointer Dereference can occur while doing USB control transfers, if multiple requests of different standard request categories like device, interface & endpoint are made together. | 4.6 |
2021-02-22 | CVE-2020-11282 | Qualcomm | Incorrect Authorization vulnerability in Qualcomm products Improper access control when using mmap with the kgsl driver with a special offset value that can be provided to map the memstore of the GPU to user space in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 4.6 |
2021-02-22 | CVE-2020-11147 | Qualcomm | Use After Free vulnerability in Qualcomm products Use after free issue in audio modules while removing and freeing objects during list iteration due to incorrect usage of macro in Snapdragon Compute, Snapdragon Industrial IOT, Snapdragon Mobile | 4.6 |
2021-02-27 | CVE-2021-25284 | Saltstack Fedoraproject Debian | Insufficiently Protected Credentials vulnerability in multiple products An issue was discovered in through SaltStack Salt before 3002.5. | 4.4 |
2021-02-26 | CVE-2020-28646 | Owncloud | Uncontrolled Search Path Element vulnerability in Owncloud Desktop Client ownCloud owncloud/client before 2.7 allows DLL Injection. | 4.4 |
2021-02-23 | CVE-2021-27579 | Snowsoftware | Unspecified vulnerability in Snowsoftware Snow Inventory Agent Snow Inventory Agent through 6.7.0 on Windows uses CPUID to report on processor types and versions that may be deployed and in use across an IT environment. | 4.4 |
2021-02-26 | CVE-2021-26565 | Synology | Cleartext Transmission of Sensitive Information vulnerability in Synology products Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session. | 4.3 |
2021-02-26 | CVE-2021-26903 | Isida | Cross-site Scripting vulnerability in Isida Retriever 5.2 LMA ISIDA Retriever 5.2 is vulnerable to XSS via query['text']. | 4.3 |
2021-02-26 | CVE-2021-23963 | Mozilla | Improper Preservation of Permissions vulnerability in Mozilla Firefox When sharing geolocation during an active WebRTC share, Firefox could have reset the webRTC sharing state in the user interface, leading to loss of control over the currently granted permission. | 4.3 |
2021-02-26 | CVE-2021-23961 | Mozilla Debian | Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. | 4.3 |
2021-02-26 | CVE-2021-23959 | Mozilla | Cross-site Scripting vulnerability in Mozilla Firefox 80.0/83.0/84.0 An XSS bug in internal error pages could have led to various spoofing attacks, including other error pages and the address bar. | 4.3 |
2021-02-26 | CVE-2021-23958 | Mozilla | Exposure of Resource to Wrong Sphere vulnerability in Mozilla Firefox The browser could have been confused into transferring a screen sharing state into another tab, which would leak unintended information. | 4.3 |
2021-02-26 | CVE-2021-23957 | Mozilla | Unspecified vulnerability in Mozilla Firefox 80.0/83.0/84.0 Navigations through the Android-specific `intent` URL scheme could have been misused to escape iframe sandbox. | 4.3 |
2021-02-26 | CVE-2021-23956 | Mozilla | Unspecified vulnerability in Mozilla Firefox An ambiguous file picker design could have confused users who intended to select and upload a single file into uploading a whole directory. | 4.3 |
2021-02-26 | CVE-2021-23955 | Mozilla | Improper Restriction of Rendered UI Layers or Frames vulnerability in Mozilla Firefox The browser could have been confused into transferring a pointer lock state into another tab, which could have lead to clickjacking attacks. | 4.3 |
2021-02-26 | CVE-2021-23953 | Mozilla | Unspecified vulnerability in Mozilla Firefox If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. | 4.3 |
2021-02-26 | CVE-2021-23975 | Mozilla | Missing Authorization vulnerability in Mozilla Firefox The developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes. | 4.3 |
2021-02-26 | CVE-2021-23974 | Mozilla | Unspecified vulnerability in Mozilla Firefox The DOMParser API did not properly process '<noscript>' elements for escaping. | 4.3 |
2021-02-26 | CVE-2021-23973 | Mozilla Debian | Information Exposure Through an Error Message vulnerability in multiple products When trying to load a cross-origin resource in an audio/video context a decoding error may have resulted, and the content of that error may have revealed information about the resource. | 4.3 |
2021-02-26 | CVE-2021-23971 | Mozilla | Unspecified vulnerability in Mozilla Firefox When processing a redirect with a conflicting Referrer-Policy, Firefox would have adopted the redirect's Referrer-Policy. | 4.3 |
2021-02-26 | CVE-2021-23970 | Mozilla | Reachable Assertion vulnerability in Mozilla Firefox Context-specific code was included in a shared jump table; resulting in assertions being triggered in multithreaded wasm code. | 4.3 |
2021-02-26 | CVE-2021-23969 | Mozilla Debian | As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. | 4.3 |
2021-02-26 | CVE-2021-23968 | Mozilla Debian | Information Exposure Through an Error Message vulnerability in multiple products If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. | 4.3 |
2021-02-25 | CVE-2021-24082 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability | 4.3 |
2021-02-25 | CVE-2021-27330 | Triconsole | Cross-site Scripting vulnerability in Triconsole Datepicker Calendar Triconsole Datepicker Calendar <3.77 is affected by cross-site scripting (XSS) in calendar_form.php. | 4.3 |
2021-02-25 | CVE-2021-27671 | Comrak Project | Cross-site Scripting vulnerability in Comrak Project Comrak An issue was discovered in the comrak crate before 0.9.1 for Rust. | 4.3 |
2021-02-24 | CVE-2021-1367 | Cisco | Improper Input Validation vulnerability in Cisco Nx-Os 9.3(5) A vulnerability in the Protocol Independent Multicast (PIM) feature of Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. | 4.3 |
2021-02-24 | CVE-2021-21620 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Claim A cross-site request forgery (CSRF) vulnerability in Jenkins Claim Plugin 2.18.1 and earlier allows attackers to change claims. | 4.3 |
2021-02-24 | CVE-2021-20660 | Contec | Cross-site Scripting vulnerability in Contec Sv-Cpt-Mc310 Firmware Cross-site scripting vulnerability in SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an attacker to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-02-23 | CVE-2021-21323 | Brave | Information Exposure vulnerability in Brave Brave is an open source web browser with a focus on privacy and security. | 4.3 |
2021-02-23 | CVE-2021-26682 | Arubanetworks | Cross-site Scripting vulnerability in Arubanetworks Clearpass Policy Manager A remote reflected cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. | 4.3 |
2021-02-23 | CVE-2021-26678 | Arubanetworks | Cross-site Scripting vulnerability in Arubanetworks Clearpass Policy Manager A remote unauthenticated stored cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. | 4.3 |
2021-02-23 | CVE-2021-22113 | Vmware | Incorrect Authorization vulnerability in VMWare Spring Cloud Netflix Zuul Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. | 4.3 |
2021-02-23 | CVE-2021-27550 | Polarisoffice | Divide By Zero vulnerability in Polarisoffice Polaris Office 9.102.66 Polaris Office v9.102.66 is affected by a divide-by-zero error in PolarisOffice.exe and EngineDLL.dll that may cause a local denial of service. | 4.3 |
2021-02-23 | CVE-2020-8902 | Server-Side Request Forgery (SSRF) vulnerability in Google Rendertron Rendertron versions prior to 3.0.0 are are susceptible to a Server-Side Request Forgery (SSRF) attack. | 4.3 | |
2021-02-23 | CVE-2020-13697 | Nanohttpd | Cross-site Scripting vulnerability in Nanohttpd An issue was discovered in RouterNanoHTTPD.java in NanoHTTPD through 2.3.1. | 4.3 |
2021-02-23 | CVE-2020-29075 | Adobe | Information Exposure vulnerability in Adobe products Acrobat Reader DC versions 2020.013.20066 (and earlier), 2020.001.30010 (and earlier) and 2017.011.30180 (and earlier) are affected by an information exposure vulnerability, that could enable an attacker to get a DNS interaction and track if the user has opened or closed a PDF file when loaded from the filesystem without a prompt. | 4.3 |
2021-02-23 | CVE-2020-27819 | Libxls Project | NULL Pointer Dereference vulnerability in Libxls Project Libxls An issue was discovered in libxls before and including 1.6.1 when reading Microsoft Excel files. | 4.3 |
2021-02-23 | CVE-2020-35852 | Getgist | Cross-site Scripting vulnerability in Getgist Chatbox 1.0 Chatbox is affected by cross-site scripting (XSS). | 4.3 |
2021-02-23 | CVE-2021-27189 | Cira | Improper Certificate Validation vulnerability in Cira Canadian Shield The CIRA Canadian Shield app before 4.0.13 for iOS lacks SSL Certificate Validation. | 4.3 |
2021-02-22 | CVE-2020-19762 | Carrier | Cross-site Scripting vulnerability in Carrier Webctrl System Automated Logic Corporation (ALC) WebCTRL System 6.5 and prior allows remote attackers to execute any JavaScript code via a XSS payload for the first parameter in a GET request. | 4.3 |
2021-02-22 | CVE-2020-35664 | Acronis | Cross-site Scripting vulnerability in Acronis Cyber Protect 15 An issue was discovered in Acronis Cyber Protect before 15 Update 1 build 26172. | 4.3 |
2021-02-22 | CVE-2020-35571 | Mantisbt | Cross-site Scripting vulnerability in Mantisbt An issue was discovered in MantisBT through 2.24.3. | 4.3 |
2021-02-24 | CVE-2020-4931 | IBM | Unspecified vulnerability in IBM MQ 9.1.0/9.1.0.0/9.2.0.0 IBM MQ 9.1 LTS, 9.2 LTS, and 9.1 CD AMQP Channels could allow an authenticated user to cause a denial of service due to an issue processing messages. | 4.0 |
2021-02-24 | CVE-2021-20656 | Contec | Information Exposure vulnerability in Contec Sv-Cpt-Mc310 Firmware Exposure of information through directory listing in SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an authenticated attacker to obtain the information inside the system, such as directories and/or file configurations via unspecified vectors. | 4.0 |
2021-02-23 | CVE-2020-8297 | Nextcloud | Authorization Bypass Through User-Controlled Key vulnerability in Nextcloud Deck Nextcloud Deck before 1.0.2 suffers from an insecure direct object reference (IDOR) vulnerability that permits users with a duplicate user identifier to access deck data of a previous deleted user. | 4.0 |
2021-02-23 | CVE-2021-20229 | Postgresql Redhat Fedoraproject | Incorrect Authorization vulnerability in multiple products A flaw was found in PostgreSQL in versions before 13.2. | 4.0 |
2021-02-23 | CVE-2020-4953 | IBM | Information Exposure vulnerability in IBM Planning Analytics 2.0 IBM Planning Analytics 2.0 could allow a remote authenticated attacker to obtain information about an organization's internal structure by exposing sensitive information in HTTP repsonses. | 4.0 |
2021-02-22 | CVE-2020-36232 | Atlassian | Server-Side Request Forgery (SSRF) vulnerability in Atlassian Atlassian-Gadgets The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services as it incorrectly obtained application base url information from the executing http request which could be attacker controlled. | 4.0 |
2021-02-22 | CVE-2020-22474 | Weberp | Incorrect Permission Assignment for Critical Resource vulnerability in Weberp 4.15 In webERP 4.15, the ManualContents.php file allows users to specify the "Language" parameter, which can lead to local file inclusion. | 4.0 |
24 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-02-22 | CVE-2020-3664 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Out of bound read access in hypervisor due to an invalid read access attempt by passing invalid addresses in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 3.6 |
2021-02-22 | CVE-2020-11203 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Stack overflow may occur if GSM/WCDMA broadcast config size received from user is larger than variable length array in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | 3.6 |
2021-02-27 | CVE-2021-3151 | I Doit | Cross-site Scripting vulnerability in I-Doit i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__MONITORING__CONFIG__ADDRESS, or SM2__C__MONITORING__CONFIG__ADDRESS. | 3.5 |
2021-02-26 | CVE-2021-3010 | Opentext | Cross-site Scripting vulnerability in Opentext Content Server 20.3 There are multiple persistent cross-site scripting (XSS) vulnerabilities in the web interface of OpenText Content Server Version 20.3. | 3.5 |
2021-02-26 | CVE-2019-18947 | Microfocus | Information Exposure Through an Error Message vulnerability in Microfocus Solutions Business Manager Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to information disclosure. | 3.5 |
2021-02-25 | CVE-2021-3124 | Newtarget | Cross-site Scripting vulnerability in Newtarget Custom Global Variables 1.0.5 Stored cross-site scripting (XSS) in form field in robust.systems product Custom Global Variables v 1.0.5 allows a remote attacker to inject arbitrary code via the vars[0][name] field. | 3.5 |
2021-02-24 | CVE-2021-3355 | Lightcms Project | Cross-site Scripting vulnerability in Lightcms Project Lightcms 1.3.4 A stored-self XSS exists in LightCMS v1.3.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/SensitiveWords. | 3.5 |
2021-02-23 | CVE-2020-26609 | Fastadmin | Cross-site Scripting vulnerability in Fastadmin 1.0.0.20200506 fastadmin V1.0.0.20200506_beta contains a cross-site scripting (XSS) vulnerability which may allow an attacker to obtain administrator credentials to log in to the background. | 3.5 |
2021-02-22 | CVE-2021-27279 | Mybb | Cross-site Scripting vulnerability in Mybb MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode). | 3.5 |
2021-02-22 | CVE-2021-27564 | Appspace | Cross-site Scripting vulnerability in Appspace 6.2.4 A stored XSS issue exists in Appspace 6.2.4. | 3.5 |
2021-02-22 | CVE-2021-27559 | Monicahq | Cross-site Scripting vulnerability in Monicahq Monica 2.19.1 The Contact page in Monica 2.19.1 allows stored XSS via the Nickname field. | 3.5 |
2021-02-22 | CVE-2021-27371 | Monicahq | Cross-site Scripting vulnerability in Monicahq Monica 2.19.1 The Contact page in Monica 2.19.1 allows stored XSS via the Description field. | 3.5 |
2021-02-22 | CVE-2021-27370 | Monicahq | Cross-site Scripting vulnerability in Monicahq Monica 2.19.1 The Contact page in Monica 2.19.1 allows stored XSS via the Last Name field. | 3.5 |
2021-02-22 | CVE-2021-27369 | Monicahq | Cross-site Scripting vulnerability in Monicahq Monica 2.19.1 The Contact page in Monica 2.19.1 allows stored XSS via the Middle Name field. | 3.5 |
2021-02-22 | CVE-2021-27368 | Monicahq | Cross-site Scripting vulnerability in Monicahq Monica 2.19.1 The Contact page in Monica 2.19.1 allows stored XSS via the First Name field. | 3.5 |
2021-02-23 | CVE-2020-27768 | Imagemagick Debian | Integer Overflow or Wraparound vulnerability in multiple products In ImageMagick, there is an outside the range of representable values of type 'unsigned int' at MagickCore/quantum-private.h. | 3.3 |
2021-02-25 | CVE-2021-20203 | Qemu Fedoraproject Debian | Integer Overflow or Wraparound vulnerability in multiple products An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. | 3.2 |
2021-02-26 | CVE-2021-23977 | Mozilla | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Mozilla Firefox Firefox for Android suffered from a time-of-check-time-of-use vulnerability that allowed a malicious application to read sensitive data from application directories. | 2.6 |
2021-02-24 | CVE-2021-27645 | GNU Fedoraproject Debian | Double Free vulnerability in multiple products The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. | 2.5 |
2021-02-26 | CVE-2021-0404 | Improper Input Validation vulnerability in Google Android 11.0 In mobile_log_d, there is a possible information disclosure due to improper input validation. | 2.1 | |
2021-02-26 | CVE-2021-0403 | Missing Authorization vulnerability in Google Android 11.0 In netdiag, there is a possible information disclosure due to a missing permission check. | 2.1 | |
2021-02-26 | CVE-2021-21724 | ZTE | Memory Leak vulnerability in ZTE Zxr10 8900E Firmware A ZTE product has a memory leak vulnerability. | 2.1 |
2021-02-24 | CVE-2020-12702 | Coolkit | Inadequate Encryption Strength vulnerability in Coolkit Ewelink Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process. | 2.1 |
2021-02-23 | CVE-2021-23827 | Keybase | Cleartext Storage of Sensitive Information vulnerability in Keybase Keybase Desktop Client before 5.6.0 on Windows and macOS, and before 5.6.1 on Linux, allows an attacker to obtain potentially sensitive media (such as private pictures) in the Cache and uploadtemps directories. | 2.1 |