Weekly Vulnerabilities Reports > March 1 to 7, 2021

Overview

261 new vulnerabilities were reported during this period, including 4 critical vulnerabilities and 58 high severity vulnerabilities. This weekly summary reports vulnerabilities in 236 products from 119 vendors including Fedoraproject, IBM, Google, Arubanetworks, and Redhat. Vulnerabilities are notably categorized as "Cross-site Scripting", "Incorrect Authorization", "Out-of-bounds Write", "Path Traversal", and "Improper Authentication".

  • 213 reported vulnerabilities are remotely exploitable.
  • 6 reported vulnerabilities have a public exploit available.
  • 95 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 192 reported vulnerabilities are exploitable by an anonymous user.
  • Fedoraproject has the most reported vulnerabilities, with 22 reported vulnerabilities.
  • Arubanetworks has the most reported critical vulnerabilities, with 2 reported vulnerabilities.


Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:

4 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-03-04 CVE-2020-8298 FS Path Project Command Injection vulnerability in Fs-Path Project Fs-Path

fs-path node module before 0.0.25 is vulnerable to command injection by way of user-supplied inputs via the `copy`, `copySync`, `remove`, and `removeSync` methods.

10.0
2021-03-05 CVE-2021-26963 Arubanetworks Unspecified vulnerability in Arubanetworks Airwave

A remote authenticated arbitrary command execution vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0.

9.0
2021-03-05 CVE-2021-26962 Arubanetworks Command Injection vulnerability in Arubanetworks Airwave

A remote authenticated arbitrary command execution vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0.

9.0
2021-03-01 CVE-2021-27878 Veritas Improper Authentication vulnerability in Veritas Backup Exec

An issue was discovered in Veritas Backup Exec before 21.2.

9.0

58 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-03-05 CVE-2021-28042 Deutschepost Path Traversal vulnerability in Deutschepost Mailoptimizer 4.3

Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component.

8.3
2021-03-05 CVE-2021-27256 Netgear OS Command Injection vulnerability in Netgear products

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76.

8.3
2021-03-05 CVE-2021-27255 Netgear Missing Authentication for Critical Function vulnerability in Netgear products

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76.

8.3
2021-03-05 CVE-2021-27254 Netgear USE of Hard-Coded Password vulnerability in Netgear products

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7800.

8.3
2021-03-05 CVE-2020-29134 Totvs Path Traversal vulnerability in Totvs Fluig 1.6.4/1.6.5/1.7.0

The TOTVS Fluig platform allows path traversal through the parameter "file = ..

7.8
2021-03-03 CVE-2021-22883 Nodejs, Fedoraproject, Netapp, Oracle Resource Exhaustion vulnerability in multiple products

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established.

7.8
2021-03-02 CVE-2021-25306 Gigaset Classic Buffer Overflow vulnerability in Gigaset Dx600A Firmware V41.00175

A buffer overflow vulnerability in the AT command interface of Gigaset DX600A v41.00-175 devices allows remote attackers to force a device reboot by sending relatively long AT commands.

7.8
2021-03-01 CVE-2021-25829 Onlyoffice Unspecified vulnerability in Onlyoffice Document Server

An improper binary stream data handling issue was found in the [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3.

7.8
2021-03-05 CVE-2021-27581 Kentico SQL Injection vulnerability in Kentico CMS 5.5

The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.

7.5
2021-03-05 CVE-2021-3420 Newlib Project, Fedoraproject Integer Overflow OR Wraparound vulnerability in multiple products

A flaw was found in newlib in versions prior to 4.0.0.

7.5
2021-03-05 CVE-2021-28037 Internment Project Unspecified vulnerability in Internment Project Internment

An issue was discovered in the internment crate before 0.4.2 for Rust.

7.5
2021-03-05 CVE-2021-28035 Stack DST Project Unspecified vulnerability in Stack DST Project Stack DST

An issue was discovered in the stack_dst crate before 0.6.1 for Rust.

7.5
2021-03-05 CVE-2021-28034 Stack DST Project Double Free vulnerability in Stack DST Project Stack DST

An issue was discovered in the stack_dst crate before 0.6.1 for Rust.

7.5
2021-03-05 CVE-2021-28033 Byte Struct Project Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Byte Struct Project Byte Struct

An issue was discovered in the byte_struct crate before 0.6.1 for Rust.

7.5
2021-03-05 CVE-2021-28032 Nano Arena Project Unspecified vulnerability in Nano Arena Project Nano Arena

An issue was discovered in the nano_arena crate before 0.5.2 for Rust.

7.5
2021-03-05 CVE-2021-28031 Scratchpad Project Double Free vulnerability in Scratchpad Project Scratchpad

An issue was discovered in the scratchpad crate before 1.3.1 for Rust.

7.5
2021-03-05 CVE-2021-28028 Toodee Project Double Free vulnerability in Toodee Project Toodee

An issue was discovered in the toodee crate before 0.3.0 for Rust.

7.5
2021-03-05 CVE-2021-28027 BAM Project Integer Underflow (Wrap OR Wraparound) vulnerability in BAM Project BAM

An issue was discovered in the bam crate before 0.1.3 for Rust.

7.5
2021-03-05 CVE-2020-29658 Zohocorp Inadequate Encryption Strength vulnerability in Zohocorp Manageengine Applications Control Plus

Zoho ManageEngine Application Control Plus before 100523 has an insecure SSL configuration setting for Nginx, leading to Privilege Escalation.

7.5
2021-03-05 CVE-2021-27965 MSI Classic Buffer Overflow vulnerability in MSI Dragon Center

The MsIo64.sys driver before 1.1.19.1016 in MSI Dragon Center before 2.0.98.0 has a buffer overflow that allows privilege escalation via a crafted 0x80102040, 0x80102044, 0x80102050, or 0x80102054 IOCTL request.

7.5
2021-03-05 CVE-2021-27964 Sfcyazilim Unrestricted Upload of File With Dangerous Type vulnerability in Sfcyazilim Sonlogger

SonLogger before 6.4.1 is affected by Unauthenticated Arbitrary File Upload.

7.5
2021-03-05 CVE-2021-27314 Doctor Appointment System Project SQL Injection vulnerability in Doctor Appointment System Project Doctor Appointment System 1.0

SQL injection in admin.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via username parameter at login page.

7.5
2021-03-04 CVE-2021-25346 Google Out-Of-Bounds Write vulnerability in Google Android

A possible arbitrary memory overwrite vulnerability in the quram library in versions prior to SMR Jan-2021 Release 1 allows arbitrary code execution.

7.5
2021-03-04 CVE-2020-35636 Cgal, Fedoraproject Out-Of-Bounds Read vulnerability in multiple products

A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

7.5
2021-03-04 CVE-2020-35628 Cgal, Fedoraproject Out-Of-Bounds Read vulnerability in multiple products

A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

7.5
2021-03-04 CVE-2020-28636 Cgal, Fedoraproject Out-Of-Bounds Read vulnerability in multiple products

A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

7.5
2021-03-04 CVE-2020-28601 Cgal, Fedoraproject Out-Of-Bounds Read vulnerability in multiple products

A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

7.5
2021-03-04 CVE-2021-23344 Totaljs Code Injection vulnerability in Totaljs Total.Js

The package total.js before 3.4.8 is vulnerable to Remote Code Execution (RCE) via set.

7.5
2021-03-04 CVE-2020-24914 Qcubed Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Qcubed

A PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable "strProfileData" and allows an unauthenticated attacker to execute code via a crafted POST request.

7.5
2021-03-04 CVE-2020-24913 Qcubed SQL Injection vulnerability in Qcubed

A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.

7.5
2021-03-03 CVE-2021-22681 Rockwellautomation Insufficiently Protected Credentials vulnerability in Rockwellautomation Rslogix 500 and Studio 5000 Logix Designer

Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800.

7.5
2021-03-03 CVE-2021-21978 Vmware Unrestricted Upload of File With Dangerous Type vulnerability in VMWare View Planner 4.6

VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability.

7.5
2021-03-03 CVE-2020-29047 Thimpress Deserialization of Untrusted Data vulnerability in Thimpress WP Hotel Booking

The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php.

7.5
2021-03-03 CVE-2021-21979 Bitnami Incorrect Authorization vulnerability in Bitnami Containers

In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the file /tmp/app/.env is generated at the time that the docker image bitnami/laravel was built, and the value of APP_KEY is fixed under certain conditions.

7.5
2021-03-03 CVE-2021-27215 Genua Improper Authentication vulnerability in Genua Genuagate 10.1/9.0/9.6.0

An issue was discovered in genua genugate before 9.0 Z p19, 9.1.x through 9.6.x before 9.6 p7, and 10.x before 10.1 p4.

7.5
2021-03-03 CVE-2021-26855 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.

7.5
2021-03-02 CVE-2020-28657 Bittacora SQL Injection vulnerability in Bittacora Bpanel 2.0

In bPanel 2.0, the administrative ajax endpoints (aka ajax/aj_*.php) are accessible without authentication and allow SQL injections, which could lead to platform compromise.

7.5
2021-03-02 CVE-2021-21513 Dell Improper Authentication vulnerability in Dell Openmanage Server Administrator

Dell EMC OpenManage Server Administrator (OMSA) version 9.5 Microsoft Windows installations with Distributed Web Server (DWS) enabled configuration contains an authentication bypass vulnerability.

7.5
2021-03-02 CVE-2021-21322 Fastify Http Proxy Project Improper Input Validation vulnerability in Fastify-Http-Proxy Project Fastify-Http-Proxy

fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks.

7.5
2021-03-02 CVE-2021-21321 Fastify Reply From Project Improper Input Validation vulnerability in Fastify-Reply-From Project Fastify-Reply-From

fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server.

7.5
2021-03-02 CVE-2021-27730 Accellion Injection vulnerability in Accellion FTA

Accellion FTA 9_12_432 and earlier is affected by argument injection via a crafted POST request to an admin endpoint.

7.5
2021-03-02 CVE-2021-27804 Libjxl Project Out-Of-Bounds Write vulnerability in Libjxl Project Libjxl

JPEG XL (aka jpeg-xl) through 0.3.2 allows writable memory corruption.

7.5
2021-03-02 CVE-2021-27886 Docker Dashboard Project Command Injection vulnerability in Docker Dashboard Project Docker Dashboard

rakibtg Docker Dashboard before 2021-02-28 allows command injection in backend/utilities/terminal.js via shell metacharacters in the command parameter of an API request.

7.5
2021-03-01 CVE-2021-27877 Veritas Improper Authentication vulnerability in Veritas Backup Exec

An issue was discovered in Veritas Backup Exec before 21.2.

7.5
2021-03-01 CVE-2021-27876 Veritas Improper Authentication vulnerability in Veritas Backup Exec

An issue was discovered in Veritas Backup Exec before 21.2.

7.5
2021-03-01 CVE-2021-26703 Eprints XXE vulnerability in Eprints 3.4.2

EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted JSON/XML input to a cgi/ajax/phrase URI.

7.5
2021-03-01 CVE-2021-26476 Eprints OS Command Injection vulnerability in Eprints 3.4.2

EPrints 3.4.2 allows remote attackers to execute OS commands via crafted LaTeX input to a cgi/cal?year= URI.

7.5
2021-03-01 CVE-2021-25914 Fireblink Unspecified vulnerability in Fireblink Object-Collider

Prototype pollution vulnerability in 'object-collider' versions 1.0.0 through 1.0.3 allows an attacker to cause a denial of service and may lead to remote code execution.

7.5
2021-03-01 CVE-2021-25833 Onlyoffice Path Traversal vulnerability in Onlyoffice Document Server

A file extension handling issue was found in [server] module of ONLYOFFICE DocumentServer v4.2.0.71-v5.6.0.21.

7.5
2021-03-01 CVE-2021-25832 Onlyoffice Out-Of-Bounds Write vulnerability in Onlyoffice Document Server

A heap buffer overflow vulnerability inside of BMP image processing was found at [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v6.0.0.

7.5
2021-03-01 CVE-2021-25831 Onlyoffice Unspecified vulnerability in Onlyoffice Document Server

A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3.

7.5
2021-03-01 CVE-2021-25830 Onlyoffice Unspecified vulnerability in Onlyoffice Document Server

A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13.

7.5
2021-03-03 CVE-2021-20233 GNU, Redhat, Fedoraproject Out-Of-Bounds Write vulnerability in multiple products

A flaw was found in grub2 in versions prior to 2.06.

7.2
2021-03-03 CVE-2021-20225 GNU, Redhat, Fedoraproject Out-Of-Bounds Write vulnerability in multiple products

A flaw was found in grub2 in versions prior to 2.06.

7.2
2021-03-03 CVE-2020-27749 GNU, Redhat, Fedoraproject Stack-Based Buffer Overflow vulnerability in multiple products

A flaw was found in grub2 in versions prior to 2.06.

7.2
2021-03-03 CVE-2020-25647 GNU, Redhat, Fedoraproject Out-Of-Bounds Write vulnerability in multiple products

A flaw was found in grub2 in versions prior to 2.06.

7.2
2021-03-03 CVE-2020-25632 GNU, Redhat, Fedoraproject USE After Free vulnerability in multiple products

A flaw was found in grub2 in versions prior to 2.06.

7.2
2021-03-03 CVE-2020-13554 Advantech Improper Privilege Management vulnerability in Advantech Webaccess/Scada 9.0.1

An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation.

7.2

151 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-03-03 CVE-2020-27779 GNU, Redhat, Fedoraproject Improper Authorization vulnerability in multiple products

A flaw was found in grub2 in versions prior to 2.06.

6.9
2021-03-05 CVE-2020-29030 Secomea Cross-Site Request Forgery (CSRF) vulnerability in Secomea Gatemanager Firmware

Cross-Site Request Forgery (CSRF) vulnerability in web GUI of Secomea GateManager allows an attacker to execute malicious code.

6.8
2021-03-05 CVE-2020-28502 Xmlhttprequest Project Code Injection vulnerability in Xmlhttprequest Project Xmlhttprequest

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl.

6.8
2021-03-05 CVE-2021-26961 Arubanetworks Cross-Site Request Forgery (CSRF) vulnerability in Arubanetworks Airwave

A remote unauthenticated cross-site request forgery (csrf) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0.

6.8
2021-03-05 CVE-2021-26960 Arubanetworks Cross-Site Request Forgery (CSRF) vulnerability in Arubanetworks Airwave

A remote unauthenticated cross-site request forgery (csrf) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0.

6.8
2021-03-05 CVE-2021-28026 Jpeg Out-Of-Bounds Write vulnerability in Jpeg Jpeg-Xl 0.3.2

jpeg-xl v0.3.2 is affected by a heap buffer overflow in /lib/jxl/coeff_order.cc ReadPermutation.

6.8
2021-03-04 CVE-2021-3404 Ytnef Project, Redhat, Fedoraproject Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

In ytnef 1.9.3, the SwapWord function in lib/ytnef.c allows remote attackers to cause a denial-of-service (and potentially code execution) due to a heap buffer overflow which can be triggered via a crafted file.

6.8
2021-03-04 CVE-2021-3403 Ytnef Project, Redhat, Fedoraproject USE After Free vulnerability in multiple products

In ytnef 1.9.3, the TNEFSubjectHandler function in lib/ytnef.c allows remote attackers to cause a denial-of-service (and potentially code execution) due to a double free which can be triggered via a crafted file.

6.8
2021-03-04 CVE-2021-26293 Afterlogic Path Traversal vulnerability in Afterlogic Aurora and Webmail PRO

An issue was discovered in AfterLogic Aurora through 8.5.3 and WebMail Pro through 8.5.3, when DAV is enabled.

6.8
2021-03-04 CVE-2019-18629 Xerox Unspecified vulnerability in Xerox products

Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200 allow an attacker to execute an unwanted binary during an exploited clone install.

6.8
2021-03-03 CVE-2020-13558 Webkitgtk USE After Free vulnerability in Webkitgtk 2.30.1

A code execution vulnerability exists in the AudioSourceProviderGStreamer functionality of Webkit WebKitGTK 2.30.1.

6.8
2021-03-03 CVE-2021-27927 Zabbix Cross-Site Request Forgery (CSRF) vulnerability in Zabbix

In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism.

6.8
2021-03-03 CVE-2021-22683 Fatek Out-Of-Bounds Write vulnerability in Fatek Fvdesigner

Fatek FvDesigner Version 1.5.76 and prior is vulnerable to an out-of-bounds write while processing project files, allowing an attacker to craft a special project file that may permit arbitrary code execution.

6.8
2021-03-03 CVE-2021-22670 Fatek Access of Uninitialized Pointer vulnerability in Fatek Fvdesigner

An uninitialized pointer may be exploited in Fatek FvDesigner Version 1.5.76 and prior while the application is processing project files, allowing an attacker to craft a special project file that may permit arbitrary code execution.

6.8
2021-03-03 CVE-2021-22666 Fatek Out-Of-Bounds Write vulnerability in Fatek Fvdesigner

Fatek FvDesigner Version 1.5.76 and prior is vulnerable to a stack-based buffer overflow while project files are being processed, allowing an attacker to craft a special project file that may permit arbitrary code execution.

6.8
2021-03-03 CVE-2021-22662 Fatek USE After Free vulnerability in Fatek Fvdesigner

A use after free issue has been identified in Fatek FvDesigner Version 1.5.76 and prior in the way the application processes project files, allowing an attacker to craft a special project file that may permit arbitrary code execution.

6.8
2021-03-03 CVE-2021-22638 Fatek Out-Of-Bounds Read vulnerability in Fatek Fvdesigner

Fatek FvDesigner Version 1.5.76 and prior is vulnerable to an out-of-bounds read while processing project files, allowing an attacker to craft a special project file that may permit arbitrary code execution.

6.8
2021-03-03 CVE-2021-21353 Pugjs Injection vulnerability in Pugjs PUG

Pug is an npm package which is a high-performance template engine.

6.8
2021-03-03 CVE-2021-27065 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27078.

6.8
2021-03-03 CVE-2021-26858 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-27065, CVE-2021-27078.

6.8
2021-03-03 CVE-2021-26857 Microsoft Unspecified vulnerability in Microsoft Exchange Server

Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.

6.8
2021-03-02 CVE-2021-27885 E107 Inadequate Encryption Strength vulnerability in E107

usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism.

6.8
2021-03-01 CVE-2021-3342 Eprints OS Command Injection vulnerability in Eprints 3.4.2

EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted LaTeX input to a cgi/latex2png?latex= URI.

6.8
2021-03-06 CVE-2021-26814 Wazuh Improper Input Validation vulnerability in Wazuh

Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI.

6.5
2021-03-05 CVE-2020-29020 Secomea Incorrect Authorization vulnerability in Secomea Sitemanager Firmware

Improper Access Control vulnerability in the web service of Secomea SiteManager allows a remote attacker to access the web UI from the internet using the configured credentials.

6.5
2021-03-05 CVE-2021-26971 Arubanetworks Unspecified vulnerability in Arubanetworks Airwave

A remote authenticated arbitrary command execution vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0.

6.5
2021-03-05 CVE-2021-26970 Arubanetworks Command Injection vulnerability in Arubanetworks Airwave

A remote authenticated arbitrary command execution vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0.

6.5
2021-03-05 CVE-2020-29032 Secomea Unrestricted Upload of File With Dangerous Type vulnerability in Secomea Gatemanager 8250 Firmware 9.2C

Upload of Code Without Integrity Check vulnerability in the firmware archive of Secomea GateManager allows an authenticated attacker to execute malicious code on the server.

6.5
2021-03-04 CVE-2021-22189 Gitlab Improper Certificate Validation vulnerability in Gitlab

Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues.

6.5
2021-03-04 CVE-2020-24036 Fork CMS Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Fork-Cms Fork CMS

PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code.

6.5
2021-03-03 CVE-2021-20076 Tenable Deserialization of Untrusted Data vulnerability in Tenable Tenable.Sc 5.14.0/5.14.1/5.17.0

Tenable.sc and Tenable.sc Core versions 5.13.0 through 5.17.0 were found to contain a vulnerability that could allow an authenticated, unprivileged user to perform Remote Code Execution (RCE) on the Tenable.sc server via Hypertext Preprocessor unserialization.

6.5
2021-03-03 CVE-2020-10519 Github Command Injection vulnerability in Github

A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site.

6.5
2021-03-03 CVE-2021-27078 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065.

6.5
2021-03-03 CVE-2021-26854 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-26412, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.

6.5
2021-03-03 CVE-2021-26412 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.

6.5
2021-03-01 CVE-2021-26704 Eprints OS Command Injection vulnerability in Eprints 3.4.2

EPrints 3.4.2 allows remote attackers to execute arbitrary commands via crafted input to the verb parameter in a cgi/toolbox/toolbox URI.

6.5
2021-03-05 CVE-2021-26705 Squarebox Missing Authentication for Critical Function vulnerability in Squarebox Catdv

An issue was discovered in SquareBox CatDV Server through 9.2.

6.4
2021-03-05 CVE-2020-28050 Zohocorp Incorrect Authorization vulnerability in Zohocorp Manageengine Desktop Central

Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server.

6.4
2021-03-05 CVE-2020-5148 Sonicwall Improper Authentication vulnerability in Sonicwall Directory Services Connector

The SonicWall SSO-agent default configuration uses NetAPI to probe the associated IPs in the network; this client probing method allows a potential attacker to capture the password hash of the privileged user and potentially force the SSO Agent to authenticate, allowing an attacker to bypass firewall access controls.

6.4
2021-03-05 CVE-2021-27963 Sfcyazilim Incorrect Permission Assignment for Critical Resource vulnerability in Sfcyazilim Sonlogger

SonLogger before 6.4.1 is affected by user creation with any user permissions profile (e.g., SuperAdmin).

6.4
2021-03-04 CVE-2021-23128 Joomla Unspecified vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.2.0 through 3.9.24.

6.4
2021-03-04 CVE-2021-23127 Joomla Unspecified vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.2.0 through 3.9.24.

6.4
2021-03-03 CVE-2021-27931 Lumis XXE vulnerability in Lumis Experience Platform

LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp.

6.4
2021-03-01 CVE-2021-21517 Dell XXE vulnerability in Dell EMC SRS Policy Manager 6.6/6.8.3/6.9.0

SRS Policy Manager 6.X is affected by an XML External Entity Injection (XXE) vulnerability due to a misconfigured XML parser that processes user-supplied DTD input without sufficient validation.

6.4
2021-03-03 CVE-2020-14372 GNU, Redhat, Fedoraproject Incomplete Blacklist vulnerability in multiple products

A flaw was found in grub2 in versions prior to 2.06, where it incorrectly enables the usage of the ACPI command when Secure Boot is enabled.

6.2
2021-03-04 CVE-2021-25337 Google Incorrect Authorization vulnerability in Google Android 10.0/11.0/9.0

Improper access control in clipboard service in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows untrusted applications to read or write certain local files.

5.8
2021-03-03 CVE-2021-27839 Bigprof Improper Neutralization of Formula Elements in A CSV File vulnerability in Bigprof Online Invoicing System

A CSV injection vulnerability found in Online Invoicing System (OIS) 4.3 and below can be exploited by users to perform malicious actions such as redirecting admins to unknown or harmful websites, or disclosing other clients' details that the user did not have access to.

5.8
2021-03-07 CVE-2009-20001 Mantisbt Insufficient Session Expiration vulnerability in Mantisbt

An issue was discovered in MantisBT before 2.24.5.

5.5
2021-03-05 CVE-2021-27098 Cncf Improper Certificate Validation vulnerability in Cncf Spire

In SPIRE 0.8.1 through 0.8.4 and before versions 0.9.4, 0.10.2, 0.11.3 and 0.12.1, specially crafted requests to the FetchX509SVID RPC of SPIRE Server’s Legacy Node API can result in the possible issuance of an X.509 certificate with a URI SAN for a SPIFFE ID that the agent is not authorized to distribute.

5.5
2021-03-05 CVE-2021-26969 Arubanetworks XXE vulnerability in Arubanetworks Airwave

A remote authenticated xml external entity (xxe) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0.

5.5
2021-03-05 CVE-2021-26966 Arubanetworks SQL Injection vulnerability in Arubanetworks Airwave

A remote authenticated sql injection vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0.

5.5
2021-03-05 CVE-2021-26965 Arubanetworks SQL Injection vulnerability in Arubanetworks Airwave

A remote authenticated sql injection vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0.

5.5
2021-03-05 CVE-2021-26964 Arubanetworks Incorrect Authorization vulnerability in Arubanetworks Airwave

A remote authentication restriction bypass vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0.

5.5
2021-03-03 CVE-2021-22877 Nextcloud Improper Privilege Management vulnerability in Nextcloud

A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials in other users' external storage configuration when not already configured.

5.5
2021-03-03 CVE-2021-22863 Github Incorrect Authorization vulnerability in Github

An improper access control vulnerability was identified in the GitHub Enterprise Server GraphQL API that allowed authenticated users of the instance to modify the maintainer collaboration permission of a pull request without proper authorization.

5.5
2021-03-01 CVE-2021-27225 Dataiku Incorrect Authorization vulnerability in Dataiku Data Science Studio

In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not authorized to access.

5.5
2021-03-03 CVE-2021-22884 Nodejs, Fedoraproject, Netapp, Oracle

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”.

5.1
2021-03-07 CVE-2020-28466 Nats Unspecified vulnerability in Nats Server 2.0.0/2.0.2

This affects all versions of package github.com/nats-io/nats-server/server.

5.0
2021-03-07 CVE-2021-26294 Afterlogic Path Traversal vulnerability in Afterlogic Aurora and Webmail PRO

An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail Pro through 7.7.9.

5.0
2021-03-05 CVE-2021-28040 Ossec Uncontrolled Recursion vulnerability in Ossec 3.6.0

An issue was discovered in OSSEC 3.6.0.

5.0
2021-03-05 CVE-2021-28036 Quinn Project Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Quinn Project Quinn

An issue was discovered in the quinn crate before 0.7.0 for Rust.

5.0
2021-03-05 CVE-2021-28030 Truetype Project USE of Uninitialized Resource vulnerability in Truetype Project Truetype

An issue was discovered in the truetype crate before 0.30.1 for Rust.

5.0
2021-03-05 CVE-2021-28029 Toodee Project Unspecified vulnerability in Toodee Project Toodee

An issue was discovered in the toodee crate before 0.3.0 for Rust.

5.0
2021-03-05 CVE-2019-25025 Rubyonrails Unspecified vulnerability in Rubyonrails Active Record Session Store

The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid.

5.0
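The timing leak described for CVE-2019-25025 and one way to close it, as an added example that is not part of this report or of activerecord-session_store's own code. `naive_compare` makes the leak visible without a stopwatch by counting how many characters an early-exit comparison examines before giving up; `SessionStore` is a constructed in-memory stand-in for the session table that stores and looks up sessions by the SHA-256 digest of the ID, so the real ID is never the operand of any comparison; `same_secret` shows `hmac.compare_digest` for the places that must compare raw secrets directly.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def naive_compare(a: str, b: str) -> tuple[bool, int]:
    """Early-exit comparison: returns (equal, characters examined).

    The second value is the timing side channel made explicit: a guess that
    shares a longer prefix with the real ID keeps the loop running longer,
    so an attacker can confirm the ID one character at a time.
    """
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


class SessionStore:
    """Session store that never compares the raw session ID.

    Assumption: an in-memory dict stands in for the database table. Sessions
    are keyed by the SHA-256 digest of the ID, so a guess that differs from a
    real ID in a single character yields an unrelated key and whatever
    comparison the backing store performs leaks nothing about the real ID.
    """

    def __init__(self) -> None:
        self._by_digest: dict[str, dict] = {}

    @staticmethod
    def _digest(session_id: str) -> str:
        return hashlib.sha256(session_id.encode()).hexdigest()

    def create(self, data: dict) -> str:
        session_id = secrets.token_hex(32)  # 256 bits from the OS CSPRNG
        self._by_digest[self._digest(session_id)] = data
        return session_id

    def find(self, session_id: str) -> dict | None:
        """Hash the presented ID and look the digest up; no raw-ID compare."""
        return self._by_digest.get(self._digest(session_id))

    def stored_keys(self) -> list[str]:
        """Only digests are persisted, so a table dump yields no usable IDs."""
        return list(self._by_digest)


def same_secret(presented: str, expected: str) -> bool:
    """Constant-time compare for any code path that must compare raw secrets:
    the comparison does not stop at the first mismatching character."""
    return hmac.compare_digest(presented.encode(), expected.encode())
```

The digest indirection is the important half: once the lookup key is a hash of the ID, a byte-by-byte database index comparison can no longer be steered by the attacker's guess.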
2021-03-05 CVE-2020-36255 Identitymodel Project Unspecified vulnerability in Identitymodel Project Identitymodel

An issue was discovered in IdentityModel (aka ScottBrady.IdentityModel) before 1.3.0.

5.0
2021-03-04 CVE-2019-18630 Xerox Inadequate Encryption Strength vulnerability in Xerox products

On Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200, portions of the drive containing executable code were not encrypted thus leaving it open to potential cryptographic information disclosure.

5.0
2021-03-04 CVE-2021-26029 Joomla Improper Input Validation vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 1.6.0 through 3.9.24.

5.0
2021-03-04 CVE-2021-26027 Joomla Exposure of Resource TO Wrong Sphere vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.0.0 through 3.9.24.

5.0
2021-03-04 CVE-2021-23132 Joomla Unspecified vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.0.0 through 3.9.24.

5.0
2021-03-04 CVE-2021-23131 Joomla Improper Input Validation vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.2.0 through 3.9.24.

5.0
2021-03-04 CVE-2021-23126 Joomla Inadequate Encryption Strength vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.2.0 through 3.9.24.

5.0
2021-03-04 CVE-2021-23346 Html Parse Stringify Project Unspecified vulnerability in Html-Parse-Stringify Project Html-Parse-Stringify

This affects the package html-parse-stringify before 2.0.1; all versions of package html-parse-stringify2.

5.0
2021-03-03 CVE-2021-27935 Adguard Improper Restriction of Excessive Authentication Attempts vulnerability in Adguard Home

An issue was discovered in AdGuard before 0.105.2.

5.0
2021-03-03 CVE-2021-22188 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting with 13.0.

5.0
2021-03-03 CVE-2020-28597 Epignosishq Incorrect Usage of Seeds in Pseudo-Random Number Generator (Prng) vulnerability in Epignosishq Efront 5.2.17/5.2.21

A predictable seed vulnerability exists in the password reset functionality of Epignosis EfrontPro 5.2.21.

5.0
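What a predictable seed in a password-reset flow (CVE-2020-28597) buys an attacker, as an added example that is constructed for this report and is not eFront's code. The vulnerable path seeds a general-purpose PRNG with the whole-second clock; the attacker, who triggered the reset and therefore knows roughly when it happened, regenerates every token the server could have produced in a small window and tries each one. The token alphabet, length and timestamps are assumptions.

```python
from __future__ import annotations

import random
import secrets
import time

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
TOKEN_LEN = 20


def weak_reset_token(seed: int) -> str:
    """Vulnerable pattern (constructed, not eFront's code): the reset token is
    the output of a general-purpose PRNG seeded from a low-entropy value, here
    the whole-second clock. Anyone who reproduces the seed reproduces the token."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


def issue_weak_token(now: float | None = None) -> str:
    """What a vulnerable server hands out for a reset requested at `now`."""
    return weak_reset_token(int(time.time() if now is None else now))


def candidate_tokens(approx_time: float, window: int) -> list[str]:
    """Attacker side: the reset request time is known to within a few seconds
    (the attacker triggered it), so every token the server could have issued
    within +/- `window` seconds is regenerated and tried against the endpoint."""
    centre = int(approx_time)
    return [weak_reset_token(s) for s in range(centre - window, centre + window + 1)]


def strong_reset_token() -> str:
    """Hardened form: 256 bits from the OS CSPRNG; there is no seed to recover."""
    return secrets.token_urlsafe(32)
```

A window of a few seconds yields a handful of candidates, which is well within what a reset endpoint without rate limiting will accept; the hardened token has no seed to enumerate.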
2021-03-03 CVE-2021-20442 IBM USE of Hard-Coded Credentials vulnerability in IBM Security Verify Bridge

IBM Security Verify Bridge contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

5.0
2021-03-03 CVE-2021-26813 Markdown2 Project Unspecified vulnerability in Markdown2 Project Markdown2

markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability.

5.0
2021-03-03 CVE-2020-35296 Ctolog USE of Hard-Coded Credentials vulnerability in Ctolog Thinkadmin 6.0

ThinkAdmin v6 has default administrator credentials, which allows attackers to gain unrestricted administrator dashboard access.

5.0
2021-03-03 CVE-2021-27923 Python
Fedoraproject
Resource Exhaustion vulnerability in multiple products

Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.

5.0
2021-03-03 CVE-2021-27922 Python
Fedoraproject
Resource Exhaustion vulnerability in multiple products

Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.

5.0
2021-03-03 CVE-2021-27921 Python
Fedoraproject
Resource Exhaustion vulnerability in multiple products

Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.

5.0
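The allocation check that the three Pillow entries above (CVE-2021-27921, CVE-2021-27922, CVE-2021-27923) describe as missing, worked through for the ICO container as an added example; this is not Pillow's code and the pixel budget, the helper names and the sample bytes are constructed for the illustration. The point it shows is where the check must sit: the ICO directory's own width and height are 8-bit fields that can never exceed 256, so a budget applied to them never fires, while the BMP or PNG header inside the entry can declare any 32-bit dimension and is what the decoder actually allocates for.

```python
from __future__ import annotations

import struct

# Assumption: a pixel budget chosen for this illustration; size it to the
# memory a single decode may legitimately use in your service.
MAX_PIXELS = 89_478_485
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


class UnsafeImage(ValueError):
    """Raised before any pixel buffer is allocated."""


def contained_image_size(blob: bytes) -> tuple[int, int]:
    """Width and height the contained image declares in its own header.

    An ICO entry holds either a PNG (IHDR width/height at offset 16, big-endian)
    or a DIB whose BITMAPINFOHEADER height counts both the XOR and AND masks,
    so it is halved; a negative DIB height only flips row order.
    """
    if blob.startswith(PNG_MAGIC):
        if len(blob) < 24:
            raise UnsafeImage("truncated PNG IHDR")
        width, height = struct.unpack_from(">II", blob, 16)
        return width, height
    if len(blob) < 12:
        raise UnsafeImage("truncated DIB header")
    _header_size, width, height = struct.unpack_from("<Iii", blob, 0)
    return abs(width), abs(height) // 2


def ico_entries(data: bytes):
    """Yield (dir_width, dir_height, offset, size) from ICONDIR/ICONDIRENTRY records."""
    if len(data) < 6:
        raise UnsafeImage("truncated ICONDIR")
    reserved, kind, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or kind != 1:
        raise UnsafeImage("not an ICO container")
    for i in range(count):
        off = 6 + 16 * i
        if off + 16 > len(data):
            raise UnsafeImage("directory runs past end of file")
        w, h, _colors, _rsv, _planes, _bpp, size, img_off = struct.unpack_from(
            "<BBBBHHII", data, off)
        if img_off + size > len(data):
            raise UnsafeImage("entry data runs past end of file")
        yield (w or 256, h or 256, img_off, size)  # 0 in the 8-bit field means 256


def safe_ico_sizes(data: bytes, max_pixels: int = MAX_PIXELS) -> list[tuple[int, int]]:
    """Return the size each entry would really be decoded at, or raise.

    The budget is enforced on the inner header, not on the directory fields,
    and a directory that disagrees with the inner header is rejected outright.
    """
    sizes = []
    for dir_w, dir_h, off, size in ico_entries(data):
        w, h = contained_image_size(data[off:off + size])
        if w * h > max_pixels:
            raise UnsafeImage(f"entry declares {w}x{h} = {w * h} pixels, limit {max_pixels}")
        if (w, h) != (dir_w, dir_h):
            raise UnsafeImage(f"directory says {dir_w}x{dir_h}, inner header says {w}x{h}")
        sizes.append((w, h))
    return sizes


def is_rejected(data: bytes) -> bool:
    """True when the container fails the pre-allocation checks."""
    try:
        safe_ico_sizes(data)
    except UnsafeImage:
        return True
    return False


def build_ico(inner: bytes, dir_w: int = 16, dir_h: int = 16) -> bytes:
    """Constructed one-entry ICO wrapped around `inner`, for exercising the checks."""
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", dir_w, dir_h, 0, 0, 1, 32, len(inner), 6 + 16)
    return header + entry + inner


def dib_header(width: int, height: int) -> bytes:
    """Constructed 40-byte BITMAPINFOHEADER with the doubled ICO height."""
    return struct.pack("<IiiHHIIiiII", 40, width, height * 2, 1, 32, 0, 0, 0, 0, 0, 0)


def png_header(width: int, height: int) -> bytes:
    """Constructed PNG signature plus the start of IHDR (enough for the size check)."""
    return PNG_MAGIC + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", width, height)
```

The same shape applies to the ICNS and BLP cases: read the declared dimensions of the image the container points at, multiply, and compare against a budget before any decoder is handed the bytes.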
2021-03-03 CVE-2021-21352 Anuko USE of Insufficiently Random Values vulnerability in Anuko Time Tracker 1.19.23.5311/1.19.23.5324/1.19.23.5325

Anuko Time Tracker is an open source, web-based time tracking application written in PHP.

5.0
2021-03-02 CVE-2020-12529 Mbconnectline Server-Side Request Forgery (SSRF) vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. There is an SSRF in the LDAP access check, allowing an attacker to scan for open ports.

5.0
2021-03-02 CVE-2021-3384 Stormshield Unspecified vulnerability in Stormshield Network Security

A vulnerability in Stormshield Network Security could allow an attacker to trigger a protection related to ARP/NDP tables management, which would temporarily prevent the system from contacting new hosts via IPv4 or IPv6.

5.0
2021-03-02 CVE-2021-25330 Google Unspecified vulnerability in Google Android 10.0

Calling of non-existent provider in MobileWips application prior to SMR Feb-2021 Release 1 allows unauthorized actions including denial of service attack by hijacking the provider.

5.0
2021-03-02 CVE-2021-25309 Gigaset Improper Privilege Management vulnerability in Gigaset Dx600A Firmware V41.00175

The telnet administrator service running on port 650 on Gigaset DX600A v41.00-175 devices does not implement any lockout or throttling functionality.

5.0
2021-03-01 CVE-2021-3332 Wpserveur Incorrect Authorization vulnerability in Wpserveur WPS Hide Login 1.6.1

WPS Hide Login 1.6.1 allows remote attackers to bypass a protection mechanism via post_password.

5.0
2021-03-01 CVE-2021-22114 Vmware Path Traversal vulnerability in VMWare Spring Integration ZIP

Addresses partial fix in CVE-2018-1263.

5.0
2021-03-01 CVE-2020-36240 Atlassian Information Exposure vulnerability in Atlassian Crowd

The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.

5.0
2021-03-01 CVE-2021-25122 Apache
Debian
Information Exposure vulnerability in multiple products

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

5.0
2021-03-05 CVE-2021-28038 Linux
XEN
Debian
Allocation of Resources Without Limits OR Throttling vulnerability in multiple products

An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV.

4.9
2021-03-05 CVE-2021-27099 Cncf Incorrect Authorization vulnerability in Cncf Spire

In SPIRE before versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1, the "aws_iid" Node Attestor improperly normalizes the path provided through the agent ID templating feature, which may allow the issuance of an arbitrary SPIFFE ID within the same trust domain, if the attacker controls the value of an EC2 tag prior to attestation, and the attestor is configured for agent ID templating where the tag value is the last element in the path.

4.9
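The path-normalization problem behind CVE-2021-27099, as an added example constructed for this report; it is not SPIRE's code, and the trust domain, the attestor prefix and the Python-format template standing in for the plugin's templating syntax are assumptions. The naive renderer substitutes the attacker-controlled tag value and then normalizes the whole path, so `..` segments in the tag walk the agent ID out of the attestor's namespace into an arbitrary SPIFFE ID in the same trust domain. The hardened renderer requires every substituted value to be exactly one path segment and rejects any rendered path that normalization would change or that leaves the attestor prefix.

```python
from __future__ import annotations

import posixpath
import re

# Assumptions for this illustration: the trust domain, the attestor's fixed
# prefix and a Python-format template standing in for the plugin's syntax.
TRUST_DOMAIN = "example.org"
AGENT_PREFIX = "/spire/agent/aws_iid"
TEMPLATE = AGENT_PREFIX + "/{account}/{role}"

# Exactly one path element: no slash, non-empty, and not "." or "..".
SAFE_SEGMENT = re.compile(r"^(?!\.\.?$)[A-Za-z0-9._-]+$")


def render_agent_id_naive(template: str, tags: dict[str, str]) -> str:
    """Vulnerable pattern (constructed, not SPIRE's code): substitute the
    attacker-influenced tag values, then normalize the whole path, which
    resolves whatever '..' segments the tag smuggled in."""
    path = posixpath.normpath(template.format(**tags))
    return f"spiffe://{TRUST_DOMAIN}{path}"


def render_agent_id_safe(template: str, tags: dict[str, str]) -> str | None:
    """Hardened form: each substituted value must be a single path segment, and
    the rendered path must be unchanged by normalization and still sit under the
    attestor prefix. Returns None when attestation should fail."""
    for value in tags.values():
        if not SAFE_SEGMENT.match(value):
            return None
    path = template.format(**tags)
    if posixpath.normpath(path) != path or not path.startswith(AGENT_PREFIX + "/"):
        return None
    return f"spiffe://{TRUST_DOMAIN}{path}"
```

Checking the segments before substitution is what matters; normalizing afterwards and then checking the prefix is not enough on its own, because the normalized path of a traversal can still begin with the prefix when the tag is not the last element.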
2021-03-04 CVE-2021-25345 Google Unspecified vulnerability in Google Android 10.0/11.0

Graphic format mismatch while converting video format in hwcomposer prior to SMR Mar-2021 Release 1 results in kernel panic due to unsupported format.

4.9
2021-03-04 CVE-2020-25639 Linux
Fedoraproject
Redhat
Null Pointer Dereference vulnerability in multiple products

A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC.

4.9
2021-03-03 CVE-2021-25252 Trendmicro Resource Exhaustion vulnerability in Trendmicro products

Trend Micro's Virus Scan API (VSAPI) and Advanced Threat Scan Engine (ATSE) are vulnerable to a memory exhaustion vulnerability that may lead to denial-of-service or system freeze if exploited by an attacker using a specially crafted file.

4.9
2021-03-02 CVE-2021-22296 Huawei Unspecified vulnerability in Huawei Harmonyos 2.0

A component of HarmonyOS 2.0 has a DoS vulnerability.

4.9
2021-03-04 CVE-2021-25334 Google Improper Input Validation vulnerability in Google Android 10.0/11.0/9.0

Improper input check in wallpaper service in Samsung mobile devices prior to SMR Feb-2021 Release 1 allows untrusted application to cause permanent denial of service.

4.7
2021-03-07 CVE-2021-27365 Linux
Debian
Out-Of-Bounds Write vulnerability in multiple products

An issue was discovered in the Linux kernel through 5.11.3.

4.6
2021-03-05 CVE-2021-28041 Openbsd
Fedoraproject
Netapp
Double Free vulnerability in multiple products

ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.

4.6
2021-03-04 CVE-2021-25347 Google Unspecified vulnerability in Google Android 10.0/11.0/9.0

Hijacking vulnerability in Samsung Email application version prior to SMR Feb-2021 Release 1 allows attackers to intercept when the provider is executed.

4.6
2021-03-03 CVE-2020-8296 Nextcloud Weak Password Requirements vulnerability in Nextcloud Server

Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured.

4.6
2021-03-03 CVE-2021-25315 Suse Incorrect Implementation of Authentication Algorithm vulnerability in SUSE Linux Enterprise Server 15 SP 3 and openSUSE Tumbleweed

An Incorrect Implementation of Authentication Algorithm vulnerability in SUSE Linux Enterprise Server 15 SP 3 and openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials.

4.6
2021-03-02 CVE-2021-27901 Google Unspecified vulnerability in Google Android 11.0

An issue was discovered on LG mobile devices with Android OS 11 software.

4.6
2021-03-01 CVE-2021-25329 Apache
Debian
The fix for CVE-2020-9484 was incomplete.
4.4
2021-03-05 CVE-2021-3377 Ansi UP Project Cross-Site Scripting vulnerability in Ansi UP Project Ansi UP

The npm package ansi_up converts ANSI escape codes into HTML.

4.3
2021-03-05 CVE-2020-29029 Secomea Cross-Site Scripting vulnerability in Secomea Gatemanager Firmware

Improper Input Validation, Cross-site Scripting (XSS) vulnerability in Web GUI of Secomea GateManager allows an attacker to execute arbitrary javascript code.

4.3
2021-03-05 CVE-2020-29028 Secomea Cross-Site Scripting vulnerability in Secomea Gatemanager Firmware

Cross-site Scripting (XSS) vulnerability in web GUI of Secomea GateManager allows an attacker to inject arbitrary javascript code.

4.3
2021-03-05 CVE-2021-26967 Arubanetworks Cross-Site Scripting vulnerability in Arubanetworks Airwave

A remote reflected cross-site scripting (XSS) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0.

4.3
2021-03-05 CVE-2020-35594 Zohocorp Cross-Site Scripting vulnerability in Zohocorp Manageengine Admanager Plus

Zoho ManageEngine ADManager Plus before 7066 allows XSS.

4.3
2021-03-05 CVE-2021-20665 Movabletype Cross-Site Scripting vulnerability in Movabletype products

Cross-site scripting vulnerability in the Add asset screen of the Contents field of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.

4.3
2021-03-05 CVE-2021-20664 Movabletype Cross-Site Scripting vulnerability in Movabletype products

Cross-site scripting vulnerability in the Asset registration screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.

4.3
2021-03-05 CVE-2021-20663 Movabletype Cross-Site Scripting vulnerability in Movabletype products

Cross-site scripting vulnerability in the Role authority setting screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.

4.3
2021-03-05 CVE-2021-25313 Rancher Cross-Site Scripting vulnerability in Rancher

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rancher allows remote attackers to execute JavaScript via malicious links.

4.3
2021-03-04 CVE-2021-25336 Google Incorrect Authorization vulnerability in Google Android 10.0/9.0

Improper access control in NotificationManagerService in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows untrusted applications to acquire notification access via sending a crafted malicious intent.

4.3
2021-03-04 CVE-2021-26028 Joomla Path Traversal vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.0.0 through 3.9.24.

4.3
2021-03-04 CVE-2021-23130 Joomla Cross-Site Scripting vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 2.5.0 through 3.9.24.

4.3
2021-03-04 CVE-2021-23129 Joomla Cross-Site Scripting vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 2.5.0 through 3.9.24.

4.3
2021-03-04 CVE-2020-15938 Fortinet Unspecified vulnerability in Fortinet Fortios

When traffic other than HTTP/S (e.g. SSH traffic) traverses the FortiGate in versions below 6.2.5 and below 6.4.2 on port 80/443, it is not redirected to the transparent proxy policy for processing, as it does not have a valid HTTP header.

4.3
2021-03-04 CVE-2020-24912 Qcubed Cross-Site Scripting vulnerability in Qcubed

A reflected cross-site scripting (XSS) vulnerability in qcubed (all versions including 3.1.1) in profile.php via the stQuery-parameter allows unauthenticated attackers to steal sessions of authenticated users.

4.3
2021-03-03 CVE-2021-21331 Datadoghq Unspecified vulnerability in Datadoghq Datadog-Api-Client-Java 1.0.0

The Java client for the Datadog API before version 1.0.0-beta.9 has a local information disclosure of sensitive information downloaded via the API using the API Client.

4.3
2021-03-03 CVE-2021-27940 Openark Cross-Site Scripting vulnerability in Openark Orchestrator

resources/public/js/orchestrator.js in openark orchestrator before 3.2.4 allows XSS via the orchestrator-msg parameter.

4.3
2021-03-03 CVE-2020-28591 Slic3R
Fedoraproject
Out-Of-Bounds Read vulnerability in multiple products

An out-of-bounds read vulnerability exists in the AMF File AMFParserContext::endElement() functionality of Slic3r libslic3r 1.3.0 and Master Commit 92abbc42.

4.3
2021-03-03 CVE-2021-20441 IBM USE of A Broken OR Risky Cryptographic Algorithm vulnerability in IBM Security Verify Bridge

IBM Security Verify Bridge uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

4.3
2021-03-03 CVE-2020-15937 Fortinet Cross-Site Scripting vulnerability in Fortinet Fortios

An improper neutralization of input vulnerability in FortiGate version 6.2.x below 6.2.5 and 6.4.x below 6.4.1 may allow a remote attacker to perform a stored cross site scripting attack (XSS) via the IPS and WAF logs dashboard.

4.3
2021-03-02 CVE-2020-12530 Mbconnectline Cross-Site Scripting vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2.

4.3
2021-03-02 CVE-2020-25902 Blackboard Cross-Site Scripting vulnerability in Blackboard Collaborate Ultra 20.02

** DISPUTED ** Blackboard Collaborate Ultra 20.02 is affected by a cross-site scripting (XSS) vulnerability.

4.3
2021-03-02 CVE-2020-1936 Apache Cross-Site Scripting vulnerability in Apache Ambari

A cross-site scripting issue was found in Apache Ambari Views.

4.3
2021-03-02 CVE-2021-21320 Matrix React SDK Project Insufficient Verification of Data Authenticity vulnerability in Matrix-React-Sdk Project Matrix-React-Sdk

matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript.

4.3
2021-03-02 CVE-2021-27888 Zend Cross-Site Scripting vulnerability in Zend Zendto

ZendTo before 6.06-4 Beta allows XSS during the display of a drop-off in which a filename has unexpected characters.

4.3
2021-03-02 CVE-2021-27731 Accellion Cross-Site Scripting vulnerability in Accellion FTA

Accellion FTA 9_12_432 and earlier is affected by stored XSS via a crafted POST request to a user endpoint.

4.3
2021-03-01 CVE-2021-26702 Eprints Cross-Site Scripting vulnerability in Eprints 3.4.2

EPrints 3.4.2 exposes a reflected XSS opportunity in the dataset parameter to the cgi/dataset_dictionary URI.

4.3
2021-03-01 CVE-2021-26475 Eprints Cross-Site Scripting vulnerability in Eprints 3.4.2

EPrints 3.4.2 exposes a reflected XSS opportunity via the cgi/cal URI.

4.3
2021-03-01 CVE-2021-27318 Doctor Appointment System Project Cross-Site Scripting vulnerability in Doctor Appointment System Project Doctor Appointment System 1.0

Cross Site Scripting (XSS) vulnerability in contactus.php in Doctor Appointment System 1.0 allows remote attackers to inject arbitrary web script or HTML via the lastname parameter.

4.3
2021-03-01 CVE-2021-27317 Doctor Appointment System Project Cross-Site Scripting vulnerability in Doctor Appointment System Project Doctor Appointment System 1.0

Cross Site Scripting (XSS) vulnerability in contactus.php in Doctor Appointment System 1.0 allows remote attackers to inject arbitrary web script or HTML via the comment parameter.

4.3
2021-03-01 CVE-2020-9479 Apache Path Traversal vulnerability in Apache Asterixdb

When loading a UDF, a specially crafted zip file could allow files to be placed outside of the UDF deployment directory.

4.3
2021-03-03 CVE-2021-2138 Oracle Unspecified vulnerability in Oracle Cloud Infrastructure Data Science

Vulnerability in the Oracle Cloud Infrastructure Data Science Notebook Sessions.

4.1
2021-03-05 CVE-2019-18351 Digium Incorrect Permission Assignment for Critical Resource vulnerability in Digium Asterisk

An issue was discovered in channels/chan_sip.c in Sangoma Asterisk through 13.29.1, through 16.6.1, and through 17.0.0; and Certified Asterisk through 13.21-cert4.

4.0
2021-03-04 CVE-2021-22128 Fortinet Incorrect Authorization vulnerability in Fortinet Fortiproxy

An improper access control vulnerability in FortiProxy SSL VPN portal versions 2.0.0, 1.2.9 and below may allow an authenticated, remote attacker to access internal services such as the ZebOS Shell on the FortiProxy appliance through the Quick Connection functionality.

4.0
2021-03-04 CVE-2020-35329 Courier Management System Project SQL Injection vulnerability in Courier Management System Project Courier Management System 1.0

Courier Management System 1.0 is affected by SQL Injection via the multipart 'street' parameter.

4.0
2021-03-04 CVE-2020-35327 Courier Management System Project SQL Injection vulnerability in Courier Management System Project Courier Management System 1.0

SQL injection vulnerability was discovered in Courier Management System 1.0, which can be exploited via the ref_no (POST) parameter to admin_class.php

4.0
2021-03-04 CVE-2019-18628 Xerox Unspecified vulnerability in Xerox products

Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200 allow a user with administrative privileges to turn off data encryption on the device, thus leaving it open to potential cryptographic information disclosure.

4.0
2021-03-03 CVE-2021-21313 Glpi Project Injection vulnerability in Glpi-Project Glpi

GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package.

4.0
2021-03-03 CVE-2021-22862 Github Incorrect Authorization vulnerability in Github 3.0.0

An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork.

4.0
2021-03-03 CVE-2021-22861 Github Incorrect Authorization vulnerability in Github

An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to gain write access to unauthorized repositories via specifically crafted pull requests and REST API requests.

4.0
2021-03-02 CVE-2020-12528 Mbconnectline Improper Privilege Management vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2.

4.0
2021-03-02 CVE-2020-12527 Mbconnectline Improper Privilege Management vulnerability in Mbconnectline Mbconnect24 and Mymbconnect24

An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2.

4.0
2021-03-02 CVE-2021-22187 Gitlab Resource Exhaustion vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions of Gitlab EE/CE before 13.6.7.

4.0
2021-03-02 CVE-2020-4719 IBM USE of Incorrectly-Resolved Name OR Reference vulnerability in IBM Cloud Application Performance Management 8.1.4

The IBM Cloud APM 8.1.4 server will issue a DNS request to resolve any hostname specified in the Cloud Event Management Webhook URL configuration definition.

4.0
2021-03-02 CVE-2021-21514 Dell Path Traversal vulnerability in Dell Openmanage Server Administrator

Dell EMC OpenManage Server Administrator (OMSA) versions 9.5 and prior contain a path traversal vulnerability.

4.0
2021-03-01 CVE-2018-25004 Mongodb Improper Input Validation vulnerability in Mongodb

A user authorized to perform a specific type of query may trigger a denial of service by issuing a generic explain command on a find query.

4.0
2021-03-01 CVE-2020-7929 Mongodb Unspecified vulnerability in Mongodb

A user authorized to perform database queries may trigger a denial of service by issuing a specially crafted query containing a type of regex.

4.0

48 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-03-07 CVE-2021-27364 Linux
Debian
Out-Of-Bounds Read vulnerability in multiple products

An issue was discovered in the Linux kernel through 5.11.3.

3.6
2021-03-07 CVE-2021-27363 Linux
Debian
An issue was discovered in the Linux kernel through 5.11.3.
3.6
2021-03-04 CVE-2021-25338 Google Incorrect Authorization vulnerability in Google Android 10.0/11.0

Improper memory access control in RKP in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows an attacker, given a compromised kernel, to write certain part of RKP EL2 memory region.

3.6
2021-03-01 CVE-2021-27884 Ymfe USE of Insufficiently Random Values vulnerability in Ymfe Yapi 1.3.22

Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens.

3.6
2021-03-05 CVE-2021-26968 Arubanetworks Cross-Site Scripting vulnerability in Arubanetworks Airwave

A remote authenticated stored cross-site scripting (XSS) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0.

3.5
2021-03-05 CVE-2021-27907 Apache Cross-Site Scripting vulnerability in Apache Superset

Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information.

3.5
2021-03-04 CVE-2021-26989 Netapp Unspecified vulnerability in Netapp Data Ontap

Clustered Data ONTAP versions prior to 9.3P21, 9.5P16, 9.6P12, 9.7P9 and 9.8 are susceptible to a vulnerability which could allow a remote authenticated attacker to cause a Denial of Service (DoS) on clustered Data ONTAP configured for SMB access.

3.5
2021-03-04 CVE-2021-20351 IBM Cross-Site Scripting vulnerability in IBM products

IBM Engineering products are vulnerable to cross-site scripting.

3.5
2021-03-04 CVE-2021-20350 IBM Cross-Site Scripting vulnerability in IBM products

IBM Engineering products are vulnerable to cross-site scripting.

3.5
2021-03-04 CVE-2021-20340 IBM Cross-Site Scripting vulnerability in IBM products

IBM Engineering products are vulnerable to cross-site scripting.

3.5
2021-03-04 CVE-2020-4975 IBM Cross-Site Scripting vulnerability in IBM products

IBM Engineering products are vulnerable to cross-site scripting.

3.5
2021-03-04 CVE-2020-4866 IBM Cross-Site Scripting vulnerability in IBM products

IBM Engineering products are vulnerable to cross-site scripting.

3.5
2021-03-04 CVE-2020-4863 IBM Cross-Site Scripting vulnerability in IBM products

IBM Engineering products are vulnerable to stored cross-site scripting.

3.5
2021-03-04 CVE-2020-4857 IBM Cross-Site Scripting vulnerability in IBM products

IBM Engineering products are vulnerable to stored cross-site scripting.

3.5
2021-03-04 CVE-2020-4856 IBM Cross-Site Scripting vulnerability in IBM products

IBM Engineering products are vulnerable to stored cross-site scripting.

3.5
2021-03-04 CVE-2021-27217 Yubico Out-Of-Bounds Read vulnerability in Yubico Yubihsm-Shell

An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3.

3.5
2021-03-04 CVE-2020-35328 Courier Management System Project Cross-Site Scripting vulnerability in Courier Management System Project Courier Management System 1.0

Courier Management System 1.0 is affected by stored XSS via the 'First Name' field.

3.5
2021-03-04 CVE-2021-22183 Gitlab Cross-Site Scripting vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting with 11.8.

3.5
2021-03-03 CVE-2021-21314 Glpi Project Cross-Site Scripting vulnerability in Glpi-Project Glpi

GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package.

3.5
2021-03-03 CVE-2021-21312 Glpi Project Cross-Site Scripting vulnerability in Glpi-Project Glpi

GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package.

3.5
2021-03-03 CVE-2021-22878 Nextcloud Cross-Site Scripting vulnerability in Nextcloud Server

Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`.

3.5
2021-03-03 CVE-2021-22182 Gitlab Cross-Site Scripting vulnerability in Gitlab 13.7.0/13.7.2

An issue has been discovered in GitLab affecting all versions starting with 13.7.

3.5
2021-03-03 CVE-2021-23347 Linuxfoundation Cross-Site Scripting vulnerability in Linuxfoundation Argo Continuous Delivery

The package github.com/argoproj/argo-cd/cmd before 1.7.13, and from 1.8.0 before 1.8.6, is vulnerable to Cross-site Scripting (XSS): the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user.

3.5
2021-03-02 CVE-2021-21258 Glpi Project Cross-Site Scripting vulnerability in Glpi-Project Glpi

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing.

3.5
2021-03-02 CVE-2021-21255 Glpi Project Missing Authorization vulnerability in Glpi-Project Glpi 9.5.3

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing.

3.5
2021-03-02 CVE-2020-4725 IBM Unspecified vulnerability in IBM Cloud Application Performance Management 8.1.4

IBM Monitoring (IBM Cloud APM 8.1.4 ) could allow an authenticated user to modify HTML content by sending a specially crafted HTTP request to the APM UI, which could mislead another user.

3.5
2021-03-02 CVE-2020-23518 Ultimatekode Cross-Site Scripting vulnerability in Ultimatekode NEO Billing

Cross Site Scripting (XSS) vulnerability in UltimateKode Neo Billing - Accounting, Invoicing And CRM Software up to version 3.5 which allows remote attackers to inject arbitrary web script or HTML.

3.5
2021-03-01 CVE-2021-21515 Dell Cross-Site Scripting vulnerability in Dell EMC Sourceone 7.2

Dell EMC SourceOne, versions 7.2SP10 and prior, contain a Stored Cross-Site Scripting vulnerability.

3.5
2021-03-05 CVE-2021-27257 Netgear Improper Certificate Validation vulnerability in Netgear products

This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R7800 firmware version 1.0.2.76.

3.3
2021-03-05 CVE-2021-21725 ZTE Incorrect Authorization vulnerability in ZTE Zxhn H196Q Firmware 9.1.0C2

A ZTE product has an information leak vulnerability.

2.7
2021-03-04 CVE-2021-26988 Netapp Missing Authorization vulnerability in Netapp Data Ontap

Clustered Data ONTAP versions prior to 9.3P21, 9.5P16, 9.6P12, 9.7P8 and 9.8 are susceptible to a vulnerability which could allow unauthorized tenant users to discover information related to converting a 7-Mode directory to Cluster-mode such as Storage Virtual Machine (SVM) names, volume names, directory paths and Job IDs.

2.7
2021-03-05 CVE-2021-28039 Linux
XEN
Resource Exhaustion vulnerability in multiple products

An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used with Xen.

2.1
2021-03-04 CVE-2021-25348 Samsung Unspecified vulnerability in Samsung Internet

Improper permission grant check in Samsung Internet prior to version 13.0.1.60 allows access to files in internal storage without authorized STORAGE permission.

2.1
2021-03-04 CVE-2021-25344 Google Incorrect Default Permissions vulnerability in Google Android 10.0/11.0

Missing permission check in knox_custom service prior to SMR Mar-2021 Release 1 allows attackers to gain access to device's serial number without permission.

2.1
2021-03-04 CVE-2021-25343 Samsung Improper Authentication vulnerability in Samsung Members

Calling of non-existent provider in Samsung Members prior to version 2.4.81.13 (in Android O(8.1) and below) and 3.8.00.13 (in Android P(9.0) and above) allows unauthorized actions including denial of service attack by hijacking the provider.

2.1
2021-03-04 CVE-2021-25342 Samsung Improper Authentication vulnerability in Samsung Members

Calling of non-existent provider in SMP sdk prior to version 3.0.9 allows unauthorized actions including denial of service attack by hijacking the provider.

2.1
2021-03-04 CVE-2021-25341 Samsung Improper Authentication vulnerability in Samsung S Assistant

Calling of non-existent provider in S Assistant prior to version 6.5.01.22 allows unauthorized actions including denial of service attack by hijacking the provider.

2.1
2021-03-04 CVE-2021-25340 Google Incorrect Authorization vulnerability in Google Android 10.0

Improper access control vulnerability in Samsung keyboard version prior to SMR Feb-2021 Release 1 allows physically proximate attackers to change arbitrary settings during Initialization State.

2.1
2021-03-04 CVE-2021-25339 Google Improper Input Validation vulnerability in Google Android 10.0/11.0

Improper address validation in HArx in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows an attacker, given a compromised kernel, to corrupt EL2 memory.

2.1
2021-03-04 CVE-2021-24031 Facebook Incorrect Default Permissions vulnerability in Facebook Zstandard

In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions.

2.1
2021-03-02 CVE-2021-22294 Huawei Unspecified vulnerability in Huawei Harmonyos 2.0

A component API of the HarmonyOS 2.0 has a permission bypass vulnerability.

2.1
2021-03-02 CVE-2020-4726 IBM Insecure Storage of Sensitive Information vulnerability in IBM Cloud Application Performance Management 8.1.4

The IBM Application Performance Monitoring UI (IBM Cloud APM 8.1.4) allows web pages to be stored locally which can be read by another user on the system.

2.1
2021-03-02 CVE-2021-27904 Misp Unspecified vulnerability in Misp

An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139.

2.1
2021-03-04 CVE-2021-25335 Samsung, Google

Improper lockscreen status check in cocktailbar service in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows unauthenticated users to access hidden notification contents over the lockscreen under specific conditions.

1.9
2021-03-04 CVE-2021-25333 Samsung Information Exposure vulnerability in Samsung PAY Mini

Improper access control in Samsung Pay mini application prior to v4.0.14 allows unauthorized access to balance information over the lockscreen via scanning specific QR code.

1.9
2021-03-04 CVE-2021-25332 Samsung Information Exposure vulnerability in Samsung PAY Mini

Improper access control in Samsung Pay mini application prior to v4.0.14 allows unauthorized access to contacts information over the lockscreen in specific condition.

1.9
2021-03-04 CVE-2021-25331 Samsung Information Exposure vulnerability in Samsung PAY Mini

Improper access control in Samsung Pay mini application prior to v4.0.14 allows unauthorized access to balance information over the lockscreen in specific condition.

1.9
2021-03-04 CVE-2021-24032 Facebook Incorrect Default Permissions vulnerability in Facebook Zstandard 1.4.1/1.4.2

Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards.

1.9