Weekly Vulnerabilities Reports > March 8 to 14, 2021
Overview
377 new vulnerabilities reported during this period, including 23 critical vulnerabilities and 133 high severity vulnerabilities. This weekly summary report vulnerabilities in 224 products from 103 vendors including Microsoft, Google, Debian, Fedoraproject, and SAP. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Read", "Out-of-bounds Write", "Use After Free", and "Incorrect Authorization".
- 221 reported vulnerabilities are remotely exploitables.
- 4 reported vulnerabilities have public exploit available.
- 55 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 277 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 81 reported vulnerabilities.
- Microsoft has the most reported critical vulnerabilities, with 7 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
23 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-03-11 | CVE-2021-26867 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016 Windows Hyper-V Remote Code Execution Vulnerability | 9.9 |
2021-03-12 | CVE-2021-20232 | GNU Redhat Fedoraproject | Use After Free vulnerability in multiple products A flaw was found in gnutls. | 9.8 |
2021-03-12 | CVE-2021-20231 | GNU Redhat Fedoraproject Netapp | Use After Free vulnerability in multiple products A flaw was found in gnutls. | 9.8 |
2021-03-12 | CVE-2020-36282 | Rabbitmq | Deserialization of Untrusted Data vulnerability in Rabbitmq JMS Client JMS Client for RabbitMQ 1.x before 1.15.2 and 2.x before 2.2.0 is vulnerable to unsafe deserialization that can result in code execution via crafted StreamMessage data. | 9.8 |
2021-03-11 | CVE-2016-20009 | Windriver Siemens | Out-of-bounds Write vulnerability in multiple products A DNS client stack-based buffer overflow in ipdnsc_decode_name() affects Wind River VxWorks 6.5 through 7. | 9.8 |
2021-03-11 | CVE-2021-28141 | Telerik | Missing Authorization vulnerability in Telerik UI for Asp.Net Ajax 2021.1.224 An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224. | 9.8 |
2021-03-11 | CVE-2021-26897 | Microsoft | Unspecified vulnerability in Microsoft products Windows DNS Server Remote Code Execution Vulnerability | 9.8 |
2021-03-11 | CVE-2021-26895 | Microsoft | Unspecified vulnerability in Microsoft products Windows DNS Server Remote Code Execution Vulnerability | 9.8 |
2021-03-11 | CVE-2021-26894 | Microsoft | Unspecified vulnerability in Microsoft products Windows DNS Server Remote Code Execution Vulnerability | 9.8 |
2021-03-11 | CVE-2021-26893 | Microsoft | Unspecified vulnerability in Microsoft products Windows DNS Server Remote Code Execution Vulnerability | 9.8 |
2021-03-11 | CVE-2021-26877 | Microsoft | Unspecified vulnerability in Microsoft products Windows DNS Server Remote Code Execution Vulnerability | 9.8 |
2021-03-12 | CVE-2021-21067 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop 2020 21.0/21.1 Adobe Photoshop versions 21.2.5 (and earlier) and 22.2 (and earlier) are affected by an Out-of-bounds Write vulnerability in the CoolType library. | 9.3 |
2021-03-11 | CVE-2021-22712 | Schneider Electric | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Interactive Graphical Scada System A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in arbitrary read or write conditions when malicious CGF (Configuration Group File) file is imported to IGSS Definition due to an unchecked pointer address. | 9.3 |
2021-03-11 | CVE-2021-22711 | Schneider Electric | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Interactive Graphical Scada System A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in arbitrary read or write conditions when malicious CGF (Configuration Group File) file is imported to IGSS Definition due to missing validation of input data. | 9.3 |
2021-03-11 | CVE-2021-22710 | Schneider Electric | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Interactive Graphical Scada System A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could cause remote code execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition. | 9.3 |
2021-03-11 | CVE-2021-22709 | Schneider Electric | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Interactive Graphical Scada System A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in loss of data or remote code execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition. | 9.3 |
2021-03-11 | CVE-2021-27080 | Microsoft | Unspecified vulnerability in Microsoft Azure Sphere Azure Sphere Unsigned Code Execution Vulnerability | 9.3 |
2021-03-11 | CVE-2021-28154 | Camunda | Missing Authorization vulnerability in Camunda Modeler Camunda Modeler (aka camunda-modeler) through 4.6.0 allows arbitrary file access. | 9.1 |
2021-03-13 | CVE-2021-20017 | Sonicwall | OS Command Injection vulnerability in Sonicwall Sma100 Firmware 10.2.0.220Sv A post-authenticated command injection vulnerability in SonicWall SMA100 allows an authenticated attacker to execute OS commands as a 'nobody' user. | 9.0 |
2021-03-11 | CVE-2020-14987 | Bloomreach | Incorrect Permission Assignment for Critical Resource vulnerability in Bloomreach Experience Manager An issue was discovered in Bloomreach Experience Manager (brXM) 4.1.0 through 14.2.2. | 9.0 |
2021-03-11 | CVE-2021-28144 | Dlink | Command Injection vulnerability in Dlink Dir-3060 Firmware prog.cgi on D-Link DIR-3060 devices before 1.11b04 HF2 allows remote authenticated users to inject arbitrary commands in an admin or root context because SetVirtualServerSettings calls CheckArpTables, which calls popen unsafely. | 9.0 |
2021-03-10 | CVE-2020-19417 | Emerson | Unspecified vulnerability in Emerson Wireless 1420 Gateway Firmware 4.6.59 Emerson Smart Wireless Gateway 1420 4.6.59 allows non-privileged users (such as the default account 'maint') to perform administrative tasks by sending specially crafted HTTP requests to the application. | 9.0 |
2021-03-09 | CVE-2021-21480 | SAP | Code Injection vulnerability in SAP Manufacturing Integration and Intelligence SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment). | 9.0 |
133 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-03-12 | CVE-2021-21368 | Msgpack5 Project | Unspecified vulnerability in Msgpack5 Project Msgpack5 msgpack5 is a msgpack v5 implementation for node.js and the browser. | 8.8 |
2021-03-11 | CVE-2021-27085 | Microsoft | Unspecified vulnerability in Microsoft Internet Explorer 11 Internet Explorer Remote Code Execution Vulnerability | 8.8 |
2021-03-11 | CVE-2021-27076 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft SharePoint Server Remote Code Execution Vulnerability | 8.8 |
2021-03-11 | CVE-2021-26876 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016 OpenType Font Parsing Remote Code Execution Vulnerability | 8.8 |
2021-03-11 | CVE-2021-26865 | Microsoft | Unspecified vulnerability in Microsoft products Windows Container Execution Agent Elevation of Privilege Vulnerability | 8.8 |
2021-03-11 | CVE-2021-26411 | Microsoft | Use After Free vulnerability in Microsoft Edge and Internet Explorer Internet Explorer Memory Corruption Vulnerability | 8.8 |
2021-03-10 | CVE-2020-13936 | Apache Debian Oracle | An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. | 8.8 |
2021-03-09 | CVE-2021-21190 | Google Fedoraproject Debian | Use of Uninitialized Resource vulnerability in multiple products Uninitialized data in PDFium in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file. | 8.8 |
2021-03-09 | CVE-2021-21188 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in Blink in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-03-09 | CVE-2021-21180 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in tab search in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-03-09 | CVE-2021-21179 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in Network Internals in Google Chrome on Linux prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-03-09 | CVE-2021-21174 | Google Fedoraproject Debian | Inappropriate implementation in Referrer in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | 8.8 |
2021-03-09 | CVE-2021-21169 | Google Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products Out of bounds memory access in V8 in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | 8.8 |
2021-03-09 | CVE-2021-21167 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in bookmarks in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-03-09 | CVE-2021-21166 | Google Fedoraproject Debian | Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-03-09 | CVE-2021-21165 | Google Fedoraproject Debian | Race Condition vulnerability in multiple products Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-03-09 | CVE-2021-21162 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in WebRTC in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-03-09 | CVE-2021-21161 | Google Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-03-09 | CVE-2021-21160 | Google Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in WebAudio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-03-09 | CVE-2021-21159 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-03-11 | CVE-2021-26864 | Microsoft | Unspecified vulnerability in Microsoft products Windows Virtual Registry Provider Elevation of Privilege Vulnerability | 8.4 |
2021-03-10 | CVE-2020-35231 | Netgear | Improper Authentication vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware The NSDP protocol implementation on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices was affected by an authentication issue that allows an attacker to bypass access controls and obtain full control of the device. | 8.3 |
2021-03-09 | CVE-2021-21481 | SAP | Incorrect Authorization vulnerability in SAP Netweaver The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check. | 8.3 |
2021-03-11 | CVE-2021-21381 | Flatpak Debian Fedoraproject | Injection vulnerability in multiple products Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. | 8.2 |
2021-03-11 | CVE-2021-21378 | Envoyproxy | Improper Authentication vulnerability in Envoyproxy Envoy 1.17.0 Envoy is a cloud-native high-performance edge/middle/service proxy. | 8.2 |
2021-03-12 | CVE-2021-21367 | Elementary Fedoraproject | Incorrect Authorization vulnerability in multiple products Switchboard Bluetooth Plug for elementary OS from version 2.3.0 and before version version 2.3.5 has an incorrect authorization vulnerability. | 8.1 |
2021-03-10 | CVE-2021-21772 | 3MF Fedoraproject Debian | Use After Free vulnerability in multiple products A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 2.0.0. | 8.1 |
2021-03-09 | CVE-2021-21172 | Google Fedoraproject Debian | Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 89.0.4389.72 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | 8.1 |
2021-03-12 | CVE-2021-21082 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop Adobe Photoshop versions 21.2.5 (and earlier) and 22.2 (and earlier) are affected by a Memory Corruption vulnerability when parsing a specially crafted file. | 7.8 |
2021-03-11 | CVE-2021-22713 | Schneider Electric | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric products A CWE-119:Improper restriction of operations within the bounds of a memory buffer vulnerability exists in PowerLogic ION8650, ION8800, ION7650, ION7700/73xx, and ION83xx/84xx/85xx/8600 (see security notifcation for affected versions), which could cause the meter to reboot. | 7.8 |
2021-03-11 | CVE-2021-27084 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio Code Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-27083 | Microsoft | Unspecified vulnerability in Microsoft Remote Development Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-27082 | Microsoft | Unspecified vulnerability in Microsoft Quantum Development KIT Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-27081 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio Code Eslint Extension Visual Studio Code ESLint Extension Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-27077 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Win32k Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-27062 | Microsoft | Unspecified vulnerability in Microsoft High Efficiency Video Coding HEVC Video Extensions Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-27061 | Microsoft | Unspecified vulnerability in Microsoft High Efficiency Video Coding HEVC Video Extensions Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-27060 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio Code Visual Studio Code Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-27058 | Microsoft | Unspecified vulnerability in Microsoft 365 Apps Microsoft Office ClickToRun Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-27057 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Office Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-27056 | Microsoft | Unspecified vulnerability in Microsoft 365 Apps, Office and Powerpoint Microsoft PowerPoint Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-27054 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Excel Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-27053 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Excel Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-27051 | Microsoft | Unspecified vulnerability in Microsoft High Efficiency Video Coding HEVC Video Extensions Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-27050 | Microsoft | Unspecified vulnerability in Microsoft High Efficiency Video Coding HEVC Video Extensions Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-27049 | Microsoft | Unspecified vulnerability in Microsoft High Efficiency Video Coding HEVC Video Extensions Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-27048 | Microsoft | Unspecified vulnerability in Microsoft High Efficiency Video Coding HEVC Video Extensions Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-27047 | Microsoft | Unspecified vulnerability in Microsoft High Efficiency Video Coding HEVC Video Extensions Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26902 | Microsoft | Unspecified vulnerability in Microsoft High Efficiency Video Coding HEVC Video Extensions Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26901 | Microsoft | Unspecified vulnerability in Microsoft products Windows Event Tracing Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26900 | Microsoft | Use After Free vulnerability in Microsoft Windows 10 and Windows Server 2016 Windows Win32k Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26899 | Microsoft | Unspecified vulnerability in Microsoft products Windows UPnP Device Host Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26898 | Microsoft | Unspecified vulnerability in Microsoft products Windows Event Tracing Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26891 | Microsoft | Unspecified vulnerability in Microsoft products Windows Container Execution Agent Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26890 | Microsoft | Unspecified vulnerability in Microsoft products Application Virtualization Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26889 | Microsoft | Link Following vulnerability in Microsoft products Windows Update Stack Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26887 | Microsoft | Link Following vulnerability in Microsoft products <p>An elevation of privilege vulnerability exists in Microsoft Windows when Folder redirection has been enabled via Group Policy. | 7.8 |
2021-03-11 | CVE-2021-26885 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 Windows WalletService Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26882 | Microsoft | Unspecified vulnerability in Microsoft products Remote Access API Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26880 | Microsoft | Unspecified vulnerability in Microsoft products Storage Spaces Controller Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26878 | Microsoft | Unspecified vulnerability in Microsoft products Windows Print Spooler Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26875 | Microsoft | Unspecified vulnerability in Microsoft products Windows Win32k Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26874 | Microsoft | Unspecified vulnerability in Microsoft products Windows Overlay Filter Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26872 | Microsoft | Unspecified vulnerability in Microsoft products Windows Event Tracing Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26871 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 Windows WalletService Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26870 | Microsoft | Unspecified vulnerability in Microsoft products Windows Projected File System Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26868 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft products Windows Graphics Component Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26861 | Microsoft | Unspecified vulnerability in Microsoft products Windows Graphics Component Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-26860 | Microsoft | Unspecified vulnerability in Microsoft products Windows App-V Overlay Filter Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-24110 | Microsoft | Unspecified vulnerability in Microsoft High Efficiency Video Coding HEVC Video Extensions Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-24108 | Microsoft | Unspecified vulnerability in Microsoft 365 Apps and Office Microsoft Office Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-24090 | Microsoft | Improper Privilege Management vulnerability in Microsoft Windows 10 and Windows Server 2016 Windows Error Reporting Elevation of Privilege Vulnerability | 7.8 |
2021-03-11 | CVE-2021-24089 | Microsoft | Unspecified vulnerability in Microsoft High Efficiency Video Coding HEVC Video Extensions Remote Code Execution Vulnerability | 7.8 |
2021-03-11 | CVE-2021-1640 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Print Spooler Elevation of Privilege Vulnerability | 7.8 |
2021-03-10 | CVE-2021-0386 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android 11.0 In onCreate of UsbConfirmActivity, there is a possible tapjacking vector due to an insecure default value. | 7.8 | |
2021-03-10 | CVE-2021-0391 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android In onCreate() of ChooseTypeAndAccountActivity.java, there is a possible way to learn the existence of an account, without permissions, due to a tapjacking/overlay attack. | 7.8 | |
2021-03-10 | CVE-2021-0369 | Unspecified vulnerability in Google Android 11.0 In CrossProfileAppsServiceImpl.java, there is the possibility of an application's INTERACT_ACROSS_PROFILES grant state not displaying properly in the setting UI due to a logic error in the code. | 7.8 | |
2021-03-09 | CVE-2020-35524 | Libtiff Debian Fedoraproject Netapp Redhat | Out-of-bounds Write vulnerability in multiple products A heap-based buffer overflow flaw was found in libtiff in the handling of TIFF images in libtiff's TIFF2PDF tool. | 7.8 |
2021-03-09 | CVE-2020-35523 | Libtiff Debian Netapp Redhat | Integer Overflow or Wraparound vulnerability in multiple products An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. | 7.8 |
2021-03-09 | CVE-2021-20268 | Linux | Integer Overflow or Wraparound vulnerability in Linux Kernel An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier in the way a user running the eBPF script calls dev_map_init_map or sock_map_alloc. | 7.8 |
2021-03-11 | CVE-2021-28143 | Dlink | Command Injection vulnerability in Dlink Dir-841 Firmware 3.03/3.04 /jsonrpc on D-Link DIR-841 3.03 and 3.04 devices allows authenticated command injection via ping, ping6, or traceroute (under System Tools). | 7.7 |
2021-03-11 | CVE-2021-26859 | Microsoft | Unspecified vulnerability in Microsoft Power BI Report Server 15.0.1103.234/15.0.1104.300 Microsoft Power BI Information Disclosure Vulnerability | 7.7 |
2021-03-11 | CVE-2021-27059 | Microsoft | Unspecified vulnerability in Microsoft Office 2010/2013/2016 Microsoft Office Remote Code Execution Vulnerability | 7.6 |
2021-03-12 | CVE-2021-28092 | IS SVG Project | Unspecified vulnerability in Is-Svg Project Is-Svg The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). | 7.5 |
2021-03-12 | CVE-2021-23354 | Adaltas | Unspecified vulnerability in Adaltas Printf The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. | 7.5 |
2021-03-12 | CVE-2021-28305 | Diesel | Use After Free vulnerability in Diesel An issue was discovered in the diesel crate before 1.4.6 for Rust. | 7.5 |
2021-03-12 | CVE-2021-27647 | Synology | Out-of-bounds Read vulnerability in Synology Diskstation Manager Out-of-bounds Read vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests. | 7.5 |
2021-03-12 | CVE-2021-27646 | Synology | Use After Free vulnerability in Synology Diskstation Manager Use After Free vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests. | 7.5 |
2021-03-12 | CVE-2020-36281 | Leptonica Debian Fedoraproject | Out-of-bounds Read vulnerability in multiple products Leptonica before 1.80.0 allows a heap-based buffer over-read in pixFewColorsOctcubeQuantMixed in colorquant1.c. | 7.5 |
2021-03-12 | CVE-2020-36280 | Leptonica Fedoraproject | Out-of-bounds Read vulnerability in multiple products Leptonica before 1.80.0 allows a heap-based buffer over-read in pixReadFromTiffStream, related to tiffio.c. | 7.5 |
2021-03-12 | CVE-2020-36279 | Leptonica Fedoraproject Debian | Out-of-bounds Read vulnerability in multiple products Leptonica before 1.80.0 allows a heap-based buffer over-read in rasteropGeneralLow, related to adaptmap_reg.c and adaptmap.c. | 7.5 |
2021-03-12 | CVE-2020-36278 | Leptonica Fedoraproject Debian | Out-of-bounds Read vulnerability in multiple products Leptonica before 1.80.0 allows a heap-based buffer over-read in findNextBorderPixel in ccbord.c. | 7.5 |
2021-03-11 | CVE-2021-22714 | Schneider Electric | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric products A CWE-119:Improper restriction of operations within the bounds of a memory buffer vulnerability exists in PowerLogic ION7400, PM8000 and ION9000 (All versions prior to V3.0.0), which could cause the meter to reboot or allow for remote code execution. | 7.5 |
2021-03-11 | CVE-2020-36277 | Leptonica Fedoraproject Debian | Always-Incorrect Control Flow Implementation vulnerability in multiple products Leptonica before 1.80.0 allows a denial of service (application crash) via an incorrect left shift in pixConvert2To8 in pixconv.c. | 7.5 |
2021-03-11 | CVE-2020-29045 | Fivestarplugins | Deserialization of Untrusted Data vulnerability in Fivestarplugins Five Star Restaurant Menu The food-and-drink-menu plugin through 2.2.0 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the fdm_cart cookie in load_cart_from_cookie in includes/class-cart-manager.php. | 7.5 |
2021-03-11 | CVE-2021-27063 | Microsoft | Unspecified vulnerability in Microsoft products Windows DNS Server Denial of Service Vulnerability | 7.5 |
2021-03-11 | CVE-2021-26896 | Microsoft | Unspecified vulnerability in Microsoft products Windows DNS Server Denial of Service Vulnerability | 7.5 |
2021-03-11 | CVE-2021-26881 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Windows Media Foundation Remote Code Execution Vulnerability | 7.5 |
2021-03-11 | CVE-2021-26879 | Microsoft | Unspecified vulnerability in Microsoft products Windows Network Address Translation (NAT) Denial of Service Vulnerability | 7.5 |
2021-03-11 | CVE-2021-28132 | Lucysecurity | OS Command Injection vulnerability in Lucysecurity Security Awareness LUCY Security Awareness Software through 4.7.x allows unauthenticated remote code execution because the Migration Tool (in the Support section) allows upload of .php files within a system.tar.gz file. | 7.5 |
2021-03-11 | CVE-2020-1900 | Use After Free vulnerability in Facebook Hhvm When unserializing an object with dynamic properties HHVM needs to pre-reserve the full size of the dynamic property array before inserting anything into it. | 7.5 | |
2021-03-11 | CVE-2021-28134 | Clipper Project | Unspecified vulnerability in Clipper Project Clipper Clipper before 1.0.5 allows remote command execution. | 7.5 |
2021-03-11 | CVE-2021-27918 | Golang | Infinite Loop vulnerability in Golang GO encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. | 7.5 |
2021-03-10 | CVE-2020-27632 | Siemens | Unspecified vulnerability in Siemens Simatic Mv420 Firmware and Simatic Mv440 Firmware In SIMATIC MV400 family versions prior to v7.0.6, the ISN generator is initialized with a constant value and has constant increments. | 7.5 |
2021-03-10 | CVE-2020-19419 | Emerson | Missing Authentication for Critical Function vulnerability in Emerson Smart Wireless Gateway 1420 Firmware 4.6.59 Incorrect Access Control in Emerson Smart Wireless Gateway 1420 4.6.59 allows remote attackers to obtain sensitive device information from the administrator console without authentication. | 7.5 |
2021-03-10 | CVE-2021-24030 | Argument Injection or Modification vulnerability in Facebook Gameroom The fbgames protocol handler registered as part of Facebook Gameroom does not properly quote arguments passed to the executable. | 7.5 | |
2021-03-10 | CVE-2021-24025 | Integer Overflow or Wraparound vulnerability in Facebook Hhvm Due to incorrect string size calculations inside the preg_quote function, a large input string passed to the function can trigger an integer overflow leading to a heap overflow. | 7.5 | |
2021-03-10 | CVE-2021-0397 | Double Free vulnerability in Google Android In sdp_copy_raw_data of sdp_discovery.cc, there is a possible system compromise due to a double free. | 7.5 | |
2021-03-10 | CVE-2021-0396 | Out-of-bounds Write vulnerability in Google Android In Builtins::Generate_ArgumentsAdaptorTrampoline of builtins-arm.cc and related files, there is a possible out of bounds write due to an incorrect bounds check. | 7.5 | |
2021-03-10 | CVE-2020-1917 | Out-of-bounds Write vulnerability in Facebook Hhvm xbuf_format_converter, used as part of exif_read_data, was appending a terminating null character to the generated string, but was not using its standard append char function. | 7.5 | |
2021-03-10 | CVE-2020-1916 | Out-of-bounds Write vulnerability in Facebook Hhvm An incorrect size calculation in ldap_escape may lead to an integer overflow when overly long input is passed in, resulting in an out-of-bounds write. | 7.5 | |
2021-03-10 | CVE-2021-28122 | Open5Gs | Missing Authentication for Critical Function vulnerability in Open5Gs A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. | 7.5 |
2021-03-10 | CVE-2020-24791 | Thedaylightstudio | SQL Injection vulnerability in Thedaylightstudio Fuel CMS 1.4.8 FUEL CMS 1.4.8 allows SQL injection via the 'fuel_replace_id' parameter in pages/replace/1. | 7.5 |
2021-03-09 | CVE-2021-28119 | Twinkletray | Unspecified vulnerability in Twinkletray Twinkle Tray Twinkle Tray (aka twinkle-tray) through 1.13.3 allows remote command execution. | 7.5 |
2021-03-09 | CVE-2021-21300 | GIT SCM Fedoraproject Apple Debian | Link Following vulnerability in multiple products Git is an open-source distributed revision control system. | 7.5 |
2021-03-09 | CVE-2021-23352 | Madge Project | SQL Injection vulnerability in Madge Project Madge This affects the package madge before 4.0.1. | 7.5 |
2021-03-09 | CVE-2021-25915 | Changeset Project | Unspecified vulnerability in Changeset Project Changeset Prototype pollution vulnerability in 'changeset' versions 0.0.1 through 0.2.5 allows an attacker to cause a denial of service and may lead to remote code execution. | 7.5 |
2021-03-08 | CVE-2021-21335 | Spnego Http Authentication Module Project | Improper Authentication vulnerability in Spnego Http Authentication Module Project Spnego Http Authentication Module In the SPNEGO HTTP Authentication Module for nginx (spnego-http-auth-nginx-module) before version 1.1.1 basic Authentication can be bypassed using a malformed username. | 7.5 |
2021-03-08 | CVE-2021-21327 | Glpi Project | Unsafe Reflection vulnerability in Glpi-Project Glpi GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. | 7.5 |
2021-03-11 | CVE-2021-27070 | Microsoft | Incorrect Permission Assignment for Critical Resource vulnerability in Microsoft Windows 10 and Windows Server 2016 Windows 10 Update Assistant Elevation of Privilege Vulnerability | 7.3 |
2021-03-12 | CVE-2021-21518 | Dell | Uncontrolled Search Path Element vulnerability in Dell products Dell SupportAssist Client for Consumer PCs versions 3.7.x, 3.6.x, 3.4.x, 3.3.x, Dell SupportAssist Client for Business PCs versions 2.0.x, 2.1.x, 2.2.x, and Dell SupportAssist Client ProManage 1.x contain a DLL injection vulnerability in the Costura Fody plugin. | 7.2 |
2021-03-11 | CVE-2020-5025 | IBM Netapp | Classic Buffer Overflow vulnerability in multiple products IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 db2fm is vulnerable to a buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code on the system with root privileges. | 7.2 |
2021-03-10 | CVE-2021-0455 | Out-of-bounds Write vulnerability in Google Android In the Citadel chip firmware, there is a possible out of bounds write due to a missing bounds check. | 7.2 | |
2021-03-10 | CVE-2021-0454 | Out-of-bounds Write vulnerability in Google Android In the Citadel chip firmware, there is a possible out of bounds write due to a missing bounds check. | 7.2 | |
2021-03-08 | CVE-2020-23967 | Drweb | Improper Verification of Cryptographic Signature vulnerability in Drweb Security Space 11.0/12.0 Dr.Web Security Space versions 11 and 12 allow elevation of privilege for local users without administrative privileges to NT AUTHORITY\SYSTEM due to insufficient control during autoupdate. | 7.2 |
2021-03-12 | CVE-2021-21072 | Adobe | Out-of-bounds Read vulnerability in Adobe Animate Adobe Animate version 21.0.3 (and earlier) is affected by an Out-of-bounds Read vulnerability. | 7.1 |
2021-03-11 | CVE-2021-26866 | Microsoft | Link Following vulnerability in Microsoft products Windows Update Service Elevation of Privilege Vulnerability | 7.1 |
2021-03-11 | CVE-2021-1729 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Update Stack Setup Elevation of Privilege Vulnerability | 7.1 |
2021-03-11 | CVE-2021-27055 | Microsoft | Unspecified vulnerability in Microsoft 365 Apps, Office and Visio Microsoft Visio Security Feature Bypass Vulnerability | 7.0 |
2021-03-11 | CVE-2021-26873 | Microsoft | Link Following vulnerability in Microsoft products Windows User Profile Service Elevation of Privilege Vulnerability | 7.0 |
2021-03-11 | CVE-2021-26863 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Windows Win32k Elevation of Privilege Vulnerability | 7.0 |
2021-03-11 | CVE-2021-26862 | Microsoft | Link Following vulnerability in Microsoft products Windows Installer Elevation of Privilege Vulnerability | 7.0 |
2021-03-11 | CVE-2021-24095 | Microsoft | Improper Privilege Management vulnerability in Microsoft products DirectX Elevation of Privilege Vulnerability | 7.0 |
178 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-03-10 | CVE-2021-0387 | Race Condition vulnerability in Google Android 11.0 In FindQuotaDeviceForUuid of QuotaUtils.cpp, there is a possible use-after-free due to a race condition. | 6.9 | |
2021-03-12 | CVE-2021-21085 | Adobe | Improper Input Validation vulnerability in Adobe Connect Adobe Connect version 11.0.7 (and earlier) is affected by an Input Validation vulnerability in the export feature. | 6.8 |
2021-03-12 | CVE-2021-26569 | Synology | Race Condition vulnerability in Synology Diskstation Manager Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests. | 6.8 |
2021-03-12 | CVE-2021-20674 | NTT TX | Uncontrolled Search Path Element vulnerability in Ntt-Tx Magicconnect Untrusted search path vulnerability in Installer of MagicConnect Client program distributed before 2021 March 1 allows an attacker to gain privileges and via a Trojan horse DLL in an unspecified directory and to execute arbitrary code with the privilege of the user invoking the installer when a terminal is connected remotely using Remote desktop. | 6.8 |
2021-03-11 | CVE-2020-24984 | Quadbase | Cross-Site Request Forgery (CSRF) vulnerability in Quadbase Espressreports ES 7 An issue was discovered in Quadbase EspressReports ES 7 Update 9. | 6.8 |
2021-03-11 | CVE-2020-24983 | Quadbase | Cross-Site Request Forgery (CSRF) vulnerability in Quadbase Espressreports ES 7 An issue was discovered in Quadbase EspressReports ES 7 Update 9. | 6.8 |
2021-03-11 | CVE-2021-27075 | Microsoft | Unspecified vulnerability in Microsoft products Azure Virtual Machine Information Disclosure Vulnerability | 6.8 |
2021-03-10 | CVE-2020-35223 | Netgear | Cross-Site Request Forgery (CSRF) vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware The CSRF protection mechanism implemented in the web administration panel on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices could be bypassed by omitting the CSRF token parameter in HTTP requests. | 6.8 |
2021-03-10 | CVE-2021-0393 | Integer Overflow or Wraparound vulnerability in Google Android In Scanner::LiteralBuffer::NewCapacity of scanner.cc, there is a possible out of bounds write due to an integer overflow. | 6.8 | |
2021-03-09 | CVE-2021-27592 | SAP | Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens manipulated Universal 3D (.U3D) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application. | 6.8 |
2021-03-09 | CVE-2021-27591 | SAP | Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens manipulated Portable Document Format (.PDF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | 6.8 |
2021-03-09 | CVE-2021-27590 | SAP | Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens manipulated Tag Image File Format (.TIFF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | 6.8 |
2021-03-09 | CVE-2021-27589 | SAP | Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens manipulated Scalable Vector Graphics (.SVG) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | 6.8 |
2021-03-09 | CVE-2021-27588 | SAP | Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens manipulated HPGL format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | 6.8 |
2021-03-09 | CVE-2021-27587 | SAP | Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens manipulated Jupiter Tessellation (.JT) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | 6.8 |
2021-03-09 | CVE-2021-27586 | SAP | Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens manipulated Interchange File Format (.IFF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | 6.8 |
2021-03-09 | CVE-2021-27585 | SAP | Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens manipulated Computer Graphics Metafile (.CGM) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | 6.8 |
2021-03-09 | CVE-2021-21484 | SAP | Incorrect Authorization vulnerability in SAP Hana 2.0 LDAP authentication in SAP HANA Database version 2.0 can be bypassed if the attached LDAP directory server is configured to enable unauthenticated bind. | 6.8 |
2021-03-09 | CVE-2021-24033 | OS Command Injection vulnerability in Facebook React-Dev-Utils react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. | 6.8 | |
2021-03-08 | CVE-2020-27574 | Maxum | Cross-Site Request Forgery (CSRF) vulnerability in Maxum Rumpus 8.2.13/8.2.14 Maxum Rumpus 8.2.13 and 8.2.14 is affected by cross-site request forgery (CSRF). | 6.8 |
2021-03-08 | CVE-2021-21329 | Ratcf | Improper Authentication vulnerability in Ratcf RATCF is an open-source framework for hosting Cyber-Security Capture the Flag events. | 6.8 |
2021-03-10 | CVE-2020-35230 | Netgear | Integer Overflow or Wraparound vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware Multiple integer overflow parameters were found in the web administration panel on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices. | 6.7 |
2021-03-13 | CVE-2020-35682 | Zohocorp | Incorrect Authorization vulnerability in Zohocorp Manageengine Servicedesk Plus 8.2/9.0 Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login). | 6.5 |
2021-03-12 | CVE-2021-21078 | Adobe | Untrusted Search Path vulnerability in Adobe Creative Cloud Desktop Application Adobe Creative Cloud Desktop Application version 5.3 (and earlier) is affected by an Unquoted Service Path vulnerability in CCXProcess that could allow an attacker to achieve arbitrary code execution in the process of the current user. | 6.5 |
2021-03-10 | CVE-2021-21375 | Teluu Debian | Improper Check for Unusual or Exceptional Conditions vulnerability in multiple products PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. | 6.5 |
2021-03-10 | CVE-2020-35227 | Netgear | Classic Buffer Overflow vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware A buffer overflow vulnerability in the access control section on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices (in the administration web panel) allows an attacker to inject IP addresses into the whitelist via the checkedList parameter to the delete command. | 6.5 |
2021-03-10 | CVE-2021-20205 | Libjpeg Turbo Fedoraproject | Divide By Zero vulnerability in multiple products Libjpeg-turbo versions 2.0.91 and 2.0.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted GIF image. | 6.5 |
2021-03-10 | CVE-2020-23722 | Thedaylightstudio | Improper Privilege Management vulnerability in Thedaylightstudio Fuel CMS 1.4.7 An issue was discovered in FUEL CMS 1.4.7. | 6.5 |
2021-03-10 | CVE-2021-20671 | Weseek | Improper Input Validation vulnerability in Weseek Growi 4.2.2 Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative privilege to overwrite the files on the server, which may lead to arbitrary code execution. | 6.5 |
2021-03-10 | CVE-2021-20669 | Weseek | Path Traversal vulnerability in Weseek Growi Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read and/or delete an arbitrary path via a specially crafted URL. | 6.5 |
2021-03-09 | CVE-2021-21182 | Google Fedoraproject Debian | Incorrect Authorization vulnerability in multiple products Insufficient policy enforcement in navigations in Google Chrome prior to 89.0.4389.72 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. | 6.5 |
2021-03-09 | CVE-2021-21181 | Google Fedoraproject Debian | Information Exposure Through Discrepancy vulnerability in multiple products Side-channel information leakage in autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | 6.5 |
2021-03-09 | CVE-2021-21178 | Google Fedoraproject Debian | Inappropriate implementation in Compositing in Google Chrome on Linux and Windows prior to 89.0.4389.72 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 6.5 |
2021-03-09 | CVE-2021-21177 | Google Fedoraproject Debian | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products Insufficient policy enforcement in Autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | 6.5 |
2021-03-09 | CVE-2021-21176 | Google Fedoraproject Debian | Inappropriate implementation in full screen mode in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 6.5 |
2021-03-09 | CVE-2021-21175 | Google Fedoraproject Debian | Origin Validation Error vulnerability in multiple products Inappropriate implementation in Site isolation in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 6.5 |
2021-03-09 | CVE-2021-21173 | Google Fedoraproject Debian | Information Exposure Through Discrepancy vulnerability in multiple products Side-channel information leakage in Network Internals in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 6.5 |
2021-03-09 | CVE-2021-21171 | Google Fedoraproject Debian | Incorrect security UI in TabStrip and Navigation in Google Chrome on Android prior to 89.0.4389.72 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 6.5 |
2021-03-09 | CVE-2021-21170 | Google Fedoraproject Debian | Incorrect security UI in Loader in Google Chrome prior to 89.0.4389.72 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 6.5 |
2021-03-09 | CVE-2021-21168 | Google Fedoraproject Debian | Insufficient policy enforcement in appcache in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | 6.5 |
2021-03-09 | CVE-2021-21164 | Google Fedoraproject Debian | Origin Validation Error vulnerability in multiple products Insufficient data validation in Chrome on iOS in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 6.5 |
2021-03-09 | CVE-2021-21163 | Google Fedoraproject Debian | Origin Validation Error vulnerability in multiple products Insufficient data validation in Reader Mode in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page and a malicious server. | 6.5 |
2021-03-09 | CVE-2021-21487 | SAP | Missing Authorization vulnerability in SAP Payment Engine 500 SAP Payment Engine version 500, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | 6.5 |
2021-03-09 | CVE-2021-21486 | SAP | Missing Authorization vulnerability in SAP Enterprise Financial Services SAP Enterprise Financial Services versions, 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | 6.5 |
2021-03-08 | CVE-2021-21506 | Dell | Improper Input Validation vulnerability in Dell EMC Powerscale Onefs 8.1.2/8.2.2/9.1.0 PowerScale OneFS 8.1.2,8.2.2 and 9.1.0 contains an improper input sanitization issue in its API handler. | 6.5 |
2021-03-08 | CVE-2020-27575 | Maxum | Command Injection vulnerability in Maxum Rumpus 8.2.13/8.2.14 Maxum Rumpus 8.2.13 and 8.2.14 is affected by a command injection vulnerability. | 6.5 |
2021-03-08 | CVE-2021-21362 | Minio | Incorrect Authorization vulnerability in Minio MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. | 6.5 |
2021-03-12 | CVE-2021-28308 | Fltk Project | Out-of-bounds Read vulnerability in Fltk Project Fltk An issue was discovered in the fltk crate before 0.15.3 for Rust. | 6.4 |
2021-03-08 | CVE-2020-4903 | IBM | Unspecified vulnerability in IBM API Connect IBM API Connect V10 and V2018 could allow an attacker who has intercepted a registration invitation link to impersonate the registered user or obtain sensitive information. | 6.4 |
2021-03-10 | CVE-2021-21334 | Linuxfoundation Fedoraproject | Exposure of Resource to Wrong Sphere vulnerability in multiple products In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. | 6.3 |
2021-03-11 | CVE-2021-27074 | Microsoft | Unspecified vulnerability in Microsoft Azure Sphere Azure Sphere Unsigned Code Execution Vulnerability | 6.2 |
2021-03-11 | CVE-2021-26892 | Microsoft | Unspecified vulnerability in Microsoft products Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | 6.2 |
2021-03-12 | CVE-2021-21080 | Adobe | Cross-site Scripting vulnerability in Adobe Connect Adobe Connect version 11.0.7 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. | 6.1 |
2021-03-12 | CVE-2021-21079 | Adobe | Cross-site Scripting vulnerability in Adobe Connect Adobe Connect version 11.0.7 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. | 6.1 |
2021-03-12 | CVE-2021-21068 | Adobe | Creation of Temporary File in Directory with Incorrect Permissions vulnerability in Adobe Creative Cloud Desktop Application Adobe Creative Cloud Desktop Application version 5.3 (and earlier) is affected by a file handling vulnerability that could allow an attacker to cause arbitrary file overwriting. | 6.1 |
2021-03-11 | CVE-2021-26886 | Microsoft | Unspecified vulnerability in Microsoft products User Profile Service Denial of Service Vulnerability | 6.1 |
2021-03-10 | CVE-2020-35233 | Netgear | Resource Exhaustion vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware The TFTP server fails to handle multiple connections on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices, and allows external attackers to force device reboots by sending concurrent connections, aka a denial of service attack. | 6.1 |
2021-03-10 | CVE-2020-35224 | Netgear | Classic Buffer Overflow vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware A buffer overflow vulnerability in the NSDP protocol authentication method on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices allows remote unauthenticated attackers to force a device reboot. | 6.1 |
2021-03-10 | CVE-2020-13959 | Apache Debian | Cross-site Scripting vulnerability in multiple products The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. | 6.1 |
2021-03-08 | CVE-2021-21510 | Dell | Injection vulnerability in Dell Idrac8 Firmware Dell iDRAC8 versions prior to 2.75.100.75 contain a host header injection vulnerability. | 6.1 |
2021-03-09 | CVE-2021-21295 | Netty Netapp Debian Quarkus Apache Oracle | HTTP Request Smuggling vulnerability in multiple products Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. | 5.9 |
2021-03-10 | CVE-2020-35229 | Netgear | Session Fixation vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware The authentication token required to execute NSDP write requests on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices is not properly invalidated and can be reused until a new token is generated, which allows attackers (with access to network traffic) to effectively gain administrative privileges. | 5.8 |
2021-03-10 | CVE-2021-21491 | SAP | Open Redirect vulnerability in SAP Netweaver Application Server Java SAP Netweaver Application Server Java (Applications based on WebDynpro Java) versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. | 5.8 |
2021-03-09 | CVE-2020-28150 | Inetsoftware | Open Redirect vulnerability in Inetsoftware I-Net Clear Reports 20.10.136 I-Net Software Clear Reports 20.10.136 web application accepts a user-controlled input that specifies a link to an external site, and uses the user supplied data in a Redirect. | 5.8 |
2021-03-08 | CVE-2021-21337 | Zope | Open Redirect vulnerability in Zope Products.Pluggableauthservice Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. | 5.8 |
2021-03-08 | CVE-2021-21354 | Mozilla | Open Redirect vulnerability in Mozilla Pollbot Pollbot is open source software which "frees its human masters from the toilsome task of polling for the state of things during the Firefox release process." In Pollbot before version 1.4.4 there is an open redirection vulnerability in the path of "https://pollbot.services.mozilla.com/". | 5.8 |
2021-03-11 | CVE-2021-26884 | Microsoft | Unspecified vulnerability in Microsoft products Windows Media Photo Codec Information Disclosure Vulnerability | 5.5 |
2021-03-11 | CVE-2021-26869 | Microsoft | Unspecified vulnerability in Microsoft products Windows ActiveX Installer Service Information Disclosure Vulnerability | 5.5 |
2021-03-11 | CVE-2021-24107 | Microsoft | Unspecified vulnerability in Microsoft products Windows Event Tracing Information Disclosure Vulnerability | 5.5 |
2021-03-11 | CVE-2021-21364 | Smartbear | Incorrect Permission Assignment for Critical Resource vulnerability in Smartbear Swagger-Codegen swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. | 5.5 |
2021-03-11 | CVE-2021-27919 | Golang Fedoraproject | archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename. | 5.5 |
2021-03-09 | CVE-2020-35522 | Libtiff Netapp Fedoraproject Redhat | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. | 5.5 |
2021-03-09 | CVE-2020-35521 | Libtiff Redhat Fedoraproject Netapp | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A flaw was found in libtiff. | 5.5 |
2021-03-09 | CVE-2021-20246 | Imagemagick Redhat Fedoraproject Debian | A flaw was found in ImageMagick in MagickCore/resample.c. | 5.5 |
2021-03-09 | CVE-2021-20245 | Imagemagick Redhat Fedoraproject Debian | A flaw was found in ImageMagick in coders/webp.c. | 5.5 |
2021-03-09 | CVE-2021-20244 | Imagemagick Redhat Fedoraproject Debian | A flaw was found in ImageMagick in MagickCore/visual-effects.c. | 5.5 |
2021-03-09 | CVE-2021-20243 | Imagemagick Debian | A flaw was found in ImageMagick in MagickCore/resize.c. | 5.5 |
2021-03-09 | CVE-2021-20241 | Imagemagick Debian | A flaw was found in ImageMagick in coders/jp2.c. | 5.5 |
2021-03-09 | CVE-2021-23273 | Tibco | Cross-site Scripting vulnerability in Tibco products The Spotfire client component of TIBCO Software Inc.'s TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Desktop, and TIBCO Spotfire Server contains a vulnerability that theoretically allows a low privileged attacker with network access to execute a stored Cross Site Scripting (XSS) attack on the affected system. | 5.4 |
2021-03-11 | CVE-2021-28153 | Gnome Debian Fedoraproject Broadcom | Link Following vulnerability in multiple products An issue was discovered in GNOME GLib before 2.66.8. | 5.3 |
2021-03-11 | CVE-2021-27052 | Microsoft | Unspecified vulnerability in Microsoft Sharepoint Enterprise Server and Sharepoint Server Microsoft SharePoint Server Information Disclosure Vulnerability | 5.3 |
2021-03-09 | CVE-2021-28116 | Squid Cache Fedoraproject Debian | Out-of-bounds Read vulnerability in multiple products Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. | 5.3 |
2021-03-10 | CVE-2020-35225 | Netgear | Classic Buffer Overflow vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware The NSDP protocol implementation on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices was not properly validating the length of string parameters sent in write requests, potentially allowing denial of service attacks. | 5.2 |
2021-03-13 | CVE-2021-28373 | TT RSS | Incorrect Authorization vulnerability in Tt-Rss Tiny RSS 17.4/20200916 The auth_internal plugin in Tiny Tiny RSS (aka tt-rss) before 2021-03-12 allows an attacker to log in via the OTP code without a valid password. | 5.0 |
2021-03-13 | CVE-2021-28361 | Spdk | NULL Pointer Dereference vulnerability in Spdk Storage Performance Development KIT An issue was discovered in Storage Performance Development Kit (SPDK) before 20.01.01. | 5.0 |
2021-03-12 | CVE-2020-4831 | IBM | Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Datapower Gateway 10.0.0.0/10.0.0.1/10.0.1.0 IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.0 |
2021-03-12 | CVE-2021-28302 | Pupnp Project | Allocation of Resources Without Limits or Throttling vulnerability in Pupnp Project Pupnp A stack overflow in pupnp before version 1.14.5 can cause the denial of service through the Parser_parseDocument() function. | 5.0 |
2021-03-12 | CVE-2021-28307 | Fltk Project | NULL Pointer Dereference vulnerability in Fltk Project Fltk An issue was discovered in the fltk crate before 0.15.3 for Rust. | 5.0 |
2021-03-12 | CVE-2021-28306 | Fltk Project | NULL Pointer Dereference vulnerability in Fltk Project Fltk An issue was discovered in the fltk crate before 0.15.3 for Rust. | 5.0 |
2021-03-11 | CVE-2020-5024 | IBM Netapp | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow an unauthenticated attacker to cause a denial of service due a hang in the SSL handshake response. | 5.0 |
2021-03-11 | CVE-2020-1899 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Facebook Hhvm The unserialize() function supported a type code, "S", which was meant to be supported only for APC serialization. | 5.0 | |
2021-03-11 | CVE-2020-1898 | Uncontrolled Recursion vulnerability in Facebook Hhvm The fb_unserialize function did not impose a depth limit for nested deserialization. | 5.0 | |
2021-03-10 | CVE-2020-1921 | Out-of-bounds Write vulnerability in Facebook Hhvm In the crypt function, we attempt to null terminate a buffer using the size of the input salt without validating that the offset is within the buffer. | 5.0 | |
2021-03-10 | CVE-2020-1919 | Out-of-bounds Read vulnerability in Facebook Hhvm Incorrect bounds calculations in substr_compare could lead to an out-of-bounds read when the second string argument passed in is longer than the first. | 5.0 | |
2021-03-10 | CVE-2020-1918 | Out-of-bounds Read vulnerability in Facebook Hhvm In-memory file operations (ie: using fopen on a data URI) did not properly restrict negative seeking, allowing for the reading of memory prior to the in-memory buffer. | 5.0 | |
2021-03-10 | CVE-2021-20670 | Weseek | Incorrect Authorization vulnerability in Weseek Growi Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to read the user's personal information and/or server's internal information via unspecified vectors. | 5.0 |
2021-03-10 | CVE-2020-29238 | Expressvpn | Integer Overflow or Wraparound vulnerability in Expressvpn 1.0 An integer buffer overflow in the Nginx webserver of ExpressVPN Router version 1 allows remote attackers to obtain sensitive information when the server running as reverse proxy via specially crafted request. | 5.0 |
2021-03-09 | CVE-2020-28952 | Homey | Use of Hard-coded Credentials vulnerability in Homey Firmware and Homey PRO Firmware An issue was discovered on Athom Homey and Homey Pro devices before 5.0.0. | 5.0 |
2021-03-09 | CVE-2021-23353 | Parall | Unspecified vulnerability in Parall Jspdf This affects the package jspdf before 2.3.1. | 5.0 |
2021-03-09 | CVE-2021-20341 | IBM | Unspecified vulnerability in IBM Cloud PAK for Multicloud Management Monitoring IBM Cloud Pak for Multicloud Management Monitoring 2.2 returns potentially sensitive information in headers which could lead to further attacks against the system. | 5.0 |
2021-03-09 | CVE-2021-20276 | Privoxy Debian | A flaw was found in privoxy before 3.0.32. | 5.0 |
2021-03-09 | CVE-2021-20275 | Privoxy Debian | Out-of-bounds Read vulnerability in multiple products A flaw was found in privoxy before 3.0.32. | 5.0 |
2021-03-09 | CVE-2021-20274 | Privoxy | NULL Pointer Dereference vulnerability in Privoxy A flaw was found in privoxy before 3.0.32. | 5.0 |
2021-03-09 | CVE-2021-20273 | Privoxy Debian | Improper Input Validation vulnerability in multiple products A flaw was found in privoxy before 3.0.32. | 5.0 |
2021-03-09 | CVE-2021-20272 | Privoxy Debian | Reachable Assertion vulnerability in multiple products A flaw was found in privoxy before 3.0.32. | 5.0 |
2021-03-09 | CVE-2021-21360 | Zope | Information Exposure vulnerability in Zope Products.Genericsetup Products.GenericSetup is a mini-framework for expressing the configured state of a Zope Site as a set of filesystem artifacts. | 5.0 |
2021-03-08 | CVE-2020-4695 | IBM | Missing Encryption of Sensitive Data vulnerability in IBM API Connect 10.0.0.0/10.0.1.0 IBM API Connect V10 is impacted by insecure communications during database replication. | 5.0 |
2021-03-08 | CVE-2021-26788 | Oryx Embedded | Improper Input Validation vulnerability in Oryx-Embedded Cyclonetcp Oryx Embedded CycloneTCP 1.7.6 to 2.0.0, fixed in 2.0.2, is affected by incorrect input validation, which may cause a denial of service (DoS). | 5.0 |
2021-03-10 | CVE-2021-20265 | Linux Oracle | Memory Leak vulnerability in multiple products A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. | 4.9 |
2021-03-08 | CVE-2021-23351 | GO Proxyproto Project Fedoraproject | The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable to Denial of Service (DoS) via the parseVersion1() function. | 4.9 |
2021-03-10 | CVE-2020-35226 | Netgear | Injection vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices allow unauthenticated users to modify the switch DHCP configuration by sending the corresponding write request command. | 4.8 |
2021-03-09 | CVE-2020-35451 | Apache | Race Condition vulnerability in Apache Oozie There is a race condition in OozieSharelibCLI in Apache Oozie before version 5.2.1 which allows a malicious attacker to replace the files in Oozie's sharelib during it's creation. | 4.7 |
2021-03-11 | CVE-2021-24104 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft SharePoint Server Spoofing Vulnerability | 4.6 |
2021-03-10 | CVE-2021-21371 | Tenable | Deserialization of Untrusted Data vulnerability in Tenable Jira Cloud Tenable for Jira Cloud is an open source project designed to pull Tenable.io vulnerability data, then generate Jira Tasks and sub-tasks based on the vulnerabilities' current state. | 4.6 |
2021-03-10 | CVE-2021-0465 | Out-of-bounds Write vulnerability in Google Android In GenerateFaceMask of face.cc, there is a possible out of bounds write due to an incorrect bounds check. | 4.6 | |
2021-03-10 | CVE-2021-0464 | Out-of-bounds Write vulnerability in Google Android In sound_trigger_event_alloc of platform.h, there is a possible out of bounds write due to a heap buffer overflow. | 4.6 | |
2021-03-10 | CVE-2021-0462 | Unspecified vulnerability in Google Android In the NXP NFC firmware, there is a possible insecure firmware update due to a logic error. | 4.6 | |
2021-03-10 | CVE-2021-0461 | Out-of-bounds Write vulnerability in Google Android In iaxxx_core_sensor_change_state of iaxxx-module.c, there is a possible out of bounds write due to a missing bounds check. | 4.6 | |
2021-03-10 | CVE-2021-0457 | Out-of-bounds Write vulnerability in Google Android In the FingerTipS touch screen driver, there is a possible out of bounds write due to a heap buffer overflow. | 4.6 | |
2021-03-10 | CVE-2021-0456 | Out-of-bounds Write vulnerability in Google Android In the Citadel chip firmware, there is a possible out of bounds write due to a missing bounds check. | 4.6 | |
2021-03-10 | CVE-2021-0389 | Missing Authorization vulnerability in Google Android 11.0 In setNightModeActivated of UiModeManagerService.java, there is a missing permission check. | 4.6 | |
2021-03-10 | CVE-2021-0388 | Missing Authorization vulnerability in Google Android 11.0 In onReceive of ImsPhoneCallTracker.java, there is a possible misattribution of data usage due to an incorrect broadcast handler. | 4.6 | |
2021-03-10 | CVE-2021-0385 | Missing Authorization vulnerability in Google Android 11.0 In createConnectToAvailableNetworkNotification of ConnectToNetworkNotificationBuilder.java, there is a possible connection to untrusted WiFi networks due to notification interaction above the lockscreen. | 4.6 | |
2021-03-10 | CVE-2021-0383 | Unspecified vulnerability in Google Android 11.0 In done of CaptivePortalLoginActivity.java, there is a confused deputy. | 4.6 | |
2021-03-10 | CVE-2021-0380 | Missing Authorization vulnerability in Google Android 11.0 In onReceive of DcTracker.java, there is a possible way to trigger a provisioning URL and modify other telephony settings due to a missing permission check. | 4.6 | |
2021-03-10 | CVE-2021-0399 | Use After Free vulnerability in Google Android In qtaguid_untag of xt_qtaguid.c, there is a possible memory corruption due to a use after free. | 4.6 | |
2021-03-10 | CVE-2021-0398 | Unspecified vulnerability in Google Android 11.0 In bindServiceLocked of ActiveServices.java, there is a possible foreground service launch due to a confused deputy. | 4.6 | |
2021-03-10 | CVE-2021-0395 | Use After Free vulnerability in Google Android 11.0 In StopServicesAndLogViolations of reboot.cpp, there is possible memory corruption due to a use after free. | 4.6 | |
2021-03-10 | CVE-2021-0392 | Double Free vulnerability in Google Android In main of main.cpp, there is a possible memory corruption due to a double free. | 4.6 | |
2021-03-10 | CVE-2021-0390 | Missing Authorization vulnerability in Google Android In various methods of WifiNetworkSuggestionsManager.java, there is a possible modification of suggested networks due to a missing permission check. | 4.6 | |
2021-03-10 | CVE-2021-0376 | Incorrect Authorization vulnerability in Google Android 11.0 In checkUriPermission and related functions of MediaProvider.java, there is a possible way to access external files due to a permissions bypass. | 4.6 | |
2021-03-10 | CVE-2021-0372 | Incorrect Permission Assignment for Critical Resource vulnerability in Google Android 11.0 In getMediaOutputSliceAction of RemoteMediaSlice.java, there is a possible permission bypass due to an unsafe PendingIntent. | 4.6 | |
2021-03-10 | CVE-2021-0371 | Out-of-bounds Read vulnerability in Google Android 11.0 In nci_proc_rf_management_ntf of nci_hrcv.cc, there is a possible out of bounds read due to a missing bounds check. | 4.6 | |
2021-03-10 | CVE-2021-0370 | Out-of-bounds Write vulnerability in Google Android 11.0 In Write of NxpMfcReader.cc, there is a possible out of bounds write due to a missing bounds check. | 4.6 | |
2021-03-10 | CVE-2020-0025 | Incorrect Permission Assignment for Critical Resource vulnerability in Google Android 11.0 In deletePackageVersionedInternal of PackageManagerService.java, there is a possible way to exit Screen Pinning due to a permissions bypass. | 4.6 | |
2021-03-10 | CVE-2021-3310 | Westerndigital | Link Following vulnerability in Westerndigital MY Cloud OS Western Digital My Cloud OS 5 devices before 5.10.122 mishandle Symbolic Link Following on SMB and AFP shares. | 4.6 |
2021-03-09 | CVE-2021-3411 | Linux Redhat | Code Injection vulnerability in multiple products A flaw was found in the Linux kernel in versions prior to 5.10. | 4.6 |
2021-03-09 | CVE-2020-27225 | Eclipse | Missing Authentication for Critical Function vulnerability in Eclipse Platform In versions 4.18 and earlier of the Eclipse Platform, the Help Subsystem does not authenticate active help requests to the local help web server, allowing an unauthenticated local attacker to issue active help commands to the associated Eclipse Platform process or Eclipse Rich Client Platform process. | 4.6 |
2021-03-09 | CVE-2021-20262 | Redhat | Missing Authentication for Critical Function vulnerability in Redhat Keycloak and Single Sign-On A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. | 4.6 |
2021-03-08 | CVE-2021-21503 | Dell | OS Command Injection vulnerability in Dell EMC Powerscale Onefs 8.1.2/8.2.2/9.1.0 PowerScale OneFS 8.1.2,8.2.2 and 9.1.0 contains an improper input sanitization issue in a command. | 4.6 |
2021-03-08 | CVE-2020-5014 | IBM | Server-Side Request Forgery (SSRF) vulnerability in IBM Datapower Gateway IBM DataPower Gateway V10 and V2018 could allow a local attacker with administrative privileges to execute arbitrary code on the system using a server-side requesr forgery attack. | 4.6 |
2021-03-11 | CVE-2021-20261 | Linux Redhat | Race Condition vulnerability in multiple products A race condition was found in the Linux kernels implementation of the floppy disk drive controller driver software. | 4.4 |
2021-03-11 | CVE-2021-21363 | Smartbear | Creation of Temporary File in Directory with Incorrect Permissions vulnerability in Smartbear Swagger-Codegen swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. | 4.4 |
2021-03-12 | CVE-2021-28162 | Eclipse | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Eclipse Theia In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run. | 4.3 |
2021-03-12 | CVE-2021-28161 | Eclipse | Cross-site Scripting vulnerability in Eclipse Theia In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected. | 4.3 |
2021-03-12 | CVE-2021-27290 | Ssri Project Oracle Siemens | ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. | 4.3 |
2021-03-12 | CVE-2021-21366 | Xmldom Project Debian | Misinterpretation of Input vulnerability in multiple products xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. | 4.3 |
2021-03-11 | CVE-2020-14989 | Bloomreach | Cross-Site Request Forgery (CSRF) vulnerability in Bloomreach Experience Manager An issue was discovered in Bloomreach Experience Manager (brXM) 4.1.0 through 14.2.2. | 4.3 |
2021-03-11 | CVE-2021-27066 | Microsoft | Unspecified vulnerability in Microsoft Windows Admin Center Windows Admin Center Security Feature Bypass Vulnerability | 4.3 |
2021-03-10 | CVE-2020-15260 | Teluu | Improper Validation of Certificate with Host Mismatch vulnerability in Teluu Pjsip PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. | 4.3 |
2021-03-10 | CVE-2021-21265 | Octobercms | Improper Neutralization of HTTP Headers for Scripting Syntax vulnerability in Octobercms October October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. | 4.3 |
2021-03-10 | CVE-2021-0379 | Out-of-bounds Read vulnerability in Google Android 11.0 In getUpTo17bits of pvmp3_getbits.cpp, there is a possible out of bounds read due to a heap buffer overflow. | 4.3 | |
2021-03-10 | CVE-2021-0378 | Out-of-bounds Read vulnerability in Google Android 11.0 In getNbits of pvmp3_getbits.cpp, there is a possible out of bounds read due to a heap buffer overflow. | 4.3 | |
2021-03-10 | CVE-2021-0368 | Out-of-bounds Read vulnerability in Google Android 11.0 In oggpack_look of bitwise.c, there is a possible out of bounds read due to a missing bounds check. | 4.3 | |
2021-03-10 | CVE-2020-28705 | Thedaylightstudio | Cross-Site Request Forgery (CSRF) vulnerability in Thedaylightstudio Fuel CMS 1.4.13 FUEL CMS 1.4.13 contains a cross-site request forgery (CSRF) vulnerability that can delete a page via a post ID to /pages/delete/3. | 4.3 |
2021-03-10 | CVE-2021-28007 | WEB Based Quiz System Project | Cross-site Scripting vulnerability in web Based Quiz System Project web Based Quiz System 1.0 Web Based Quiz System 1.0 is affected by cross-site scripting (XSS) in register.php through the name parameter. | 4.3 |
2021-03-10 | CVE-2021-20672 | Weseek | Cross-site Scripting vulnerability in Weseek Growi Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters in GROWI (v4.2 Series) versions from v4.2.0 to v4.2.7 allows remote attackers to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-03-09 | CVE-2021-28115 | Ougc Feedback Project | Cross-site Scripting vulnerability in Ougc Feedback Project Ougc Feedback The OUGC Feedback plugin before 1.8.23 for MyBB allows XSS via the comment field of feedback during an edit operation. | 4.3 |
2021-03-09 | CVE-2021-21189 | Google Fedoraproject Debian | Insufficient policy enforcement in payments in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | 4.3 |
2021-03-09 | CVE-2021-21187 | Google Fedoraproject Debian | Insufficient data validation in URL formatting in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | 4.3 |
2021-03-09 | CVE-2021-21186 | Google Fedoraproject Debian | Incorrect Authorization vulnerability in multiple products Insufficient policy enforcement in QR scanning in Google Chrome on iOS prior to 89.0.4389.72 allowed an attacker who convinced the user to scan a QR code to bypass navigation restrictions via a crafted QR code. | 4.3 |
2021-03-09 | CVE-2021-21185 | Google Fedoraproject Debian | Insufficient policy enforcement in extensions in Google Chrome prior to 89.0.4389.72 allowed an attacker who convinced a user to install a malicious extension to obtain sensitive information via a crafted Chrome Extension. | 4.3 |
2021-03-09 | CVE-2021-21184 | Google Fedoraproject Debian | Origin Validation Error vulnerability in multiple products Inappropriate implementation in performance APIs in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 4.3 |
2021-03-09 | CVE-2021-21183 | Google Fedoraproject Debian | Origin Validation Error vulnerability in multiple products Inappropriate implementation in performance APIs in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 4.3 |
2021-03-09 | CVE-2021-27584 | SAP | Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens manipulated PhotoShop Document (.PSD) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | 4.3 |
2021-03-09 | CVE-2021-21493 | SAP | Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens manipulated Graphics Interchange Format (.GIF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application. | 4.3 |
2021-03-09 | CVE-2021-28006 | WEB Based Quiz System Project | Cross-site Scripting vulnerability in web Based Quiz System Project web Based Quiz System 1.0 Web Based Quiz System 1.0 is affected by cross-site scripting (XSS) in admin.php through the options parameter. | 4.3 |
2021-03-08 | CVE-2020-27838 | Redhat | Improper Authentication vulnerability in Redhat Keycloak A flaw was found in keycloak in versions prior to 13.0.0. | 4.3 |
2021-03-08 | CVE-2021-22134 | Elastic Oracle | Incorrect Authorization vulnerability in multiple products A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. | 4.3 |
2021-03-13 | CVE-2021-20018 | Sonicwall | Improper Authentication vulnerability in Sonicwall Sma100 Firmware 10.2.0.220Sv A post-authenticated vulnerability in SonicWall SMA100 allows an attacker to export the configuration file to the specified email address. | 4.0 |
2021-03-10 | CVE-2021-20668 | Weseek | Path Traversal vulnerability in Weseek Growi Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read an arbitrary path via a specially crafted URL. | 4.0 |
2021-03-09 | CVE-2021-21369 | Linuxfoundation | Resource Exhaustion vulnerability in Linuxfoundation Besu Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. | 4.0 |
2021-03-09 | CVE-2021-3417 | Lenovo | Cleartext Transmission of Sensitive Information vulnerability in Lenovo Xclarity Orchestrator An internal product security audit of LXCO, prior to version 1.2.2, discovered that credentials for Lenovo XClarity Administrator (LXCA), if added as a Resource Manager, are encoded then written to an internal LXCO log file each time a session is established with LXCA. | 4.0 |
2021-03-09 | CVE-2020-8356 | Lenovo | Cleartext Transmission of Sensitive Information vulnerability in Lenovo Xclarity Orchestrator An internal product security audit of LXCO, prior to version 1.2.2, discovered that optional passwords, if specified, for the Syslog and SMTP forwarders are written to an internal LXCO log file in clear text. | 4.0 |
2021-03-09 | CVE-2021-21488 | SAP | Deserialization of Untrusted Data vulnerability in SAP Netweaver Knowledge Management Knowledge Management versions 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 allows a remote attacker with basic privileges to deserialize user-controlled data without verification, leading to insecure deserialization which triggers the attacker’s code, therefore impacting Availability. | 4.0 |
2021-03-08 | CVE-2021-21336 | Zope Plone | Information Exposure vulnerability in multiple products Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. | 4.0 |
2021-03-08 | CVE-2021-21326 | Glpi Project | Missing Authorization vulnerability in Glpi-Project Glpi GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. | 4.0 |
2021-03-08 | CVE-2021-21324 | Glpi Project | Authorization Bypass Through User-Controlled Key vulnerability in Glpi-Project Glpi GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. | 4.0 |
43 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-03-11 | CVE-2020-4976 | IBM Netapp | Incorrect Default Permissions vulnerability in multiple products IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to read and write specific files due to weak file permissions. | 3.6 |
2021-03-10 | CVE-2021-3034 | Paloaltonetworks | Information Exposure Through Log Files vulnerability in Paloaltonetworks Cortex Xsoar An information exposure through log file vulnerability exists in Cortex XSOAR software where the secrets configured for the SAML single sign-on (SSO) integration can be logged to the '/var/log/demisto/' server logs when testing the integration during setup. | 3.6 |
2021-03-12 | CVE-2021-21379 | Xwiki | Improper Preservation of Permissions vulnerability in Xwiki XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. | 3.5 |
2021-03-11 | CVE-2020-14988 | Bloomreach | Cross-site Scripting vulnerability in Bloomreach Experience Manager An issue was discovered in Bloomreach Experience Manager (brXM) 4.1.0 through 14.2.2. | 3.5 |
2021-03-11 | CVE-2021-28088 | Impresscms | Cross-site Scripting vulnerability in Impresscms 1.4.2 Cross-site scripting (XSS) in modules/content/admin/content.php in ImpressCMS profile 1.4.2 allows remote attackers to inject arbitrary web script or HTML parameters through the "Display Name" field. | 3.5 |
2021-03-11 | CVE-2021-27679 | Batflat | Cross-site Scripting vulnerability in Batflat 1.3.6 Cross-site scripting (XSS) vulnerability in Navigation in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name. | 3.5 |
2021-03-11 | CVE-2021-27678 | Batflat | Cross-site Scripting vulnerability in Batflat 1.3.6 Cross-site scripting (XSS) vulnerability in Snippets in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name. | 3.5 |
2021-03-11 | CVE-2021-27677 | Batflat | Cross-site Scripting vulnerability in Batflat 1.3.6 Cross-site scripting (XSS) vulnerability in Galleries in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name. | 3.5 |
2021-03-11 | CVE-2021-26776 | Cszcms | Cross-site Scripting vulnerability in Cszcms CSZ CMS 1.2.9 CSZ CMS 1.2.9 is affected by a cross-site scripting (XSS) vulnerability in multiple pages through the field name. | 3.5 |
2021-03-11 | CVE-2021-20336 | IBM | Cross-site Scripting vulnerability in IBM Tivoli Netcool/Omnibus Webgui 8.1.0 IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting. | 3.5 |
2021-03-10 | CVE-2020-35228 | Netgear | Cross-site Scripting vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware A cross-site scripting (XSS) vulnerability in the administration web panel on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices allows remote attackers to inject arbitrary web script or HTML via the language parameter. | 3.5 |
2021-03-10 | CVE-2020-5016 | IBM | Path Traversal vulnerability in IBM Websphere Application Server IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. | 3.5 |
2021-03-10 | CVE-2020-35752 | Baby Care System Project | Cross-site Scripting vulnerability in Baby Care System Project Baby Care System 1.0 Baby Care System 1.0 is affected by a cross-site scripting (XSS) vulnerability in the Edit Page tab through the Post title parameter. | 3.5 |
2021-03-10 | CVE-2021-3224 | Cszcms | Cross-site Scripting vulnerability in Cszcms CSZ CMS 1.2.9 A stored cross-site scripting (XSS) vulnerability in cszcms 1.2.9 exists in /admin/pages/new via the content parameter. | 3.5 |
2021-03-10 | CVE-2020-23721 | Thedaylightstudio | Cross-site Scripting vulnerability in Thedaylightstudio Fuel CMS 1.4.7 An issue was discovered in FUEL CMS V1.4.7. | 3.5 |
2021-03-10 | CVE-2021-20673 | Weseek | Cross-site Scripting vulnerability in Weseek Growi Stored cross-site scripting vulnerability in Admin Page of GROWI (v4.2 Series) versions from v4.2.0 to v4.2.7 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors. | 3.5 |
2021-03-10 | CVE-2021-20667 | Weseek | Cross-site Scripting vulnerability in Weseek Growi Stored cross-site scripting vulnerability due to inadequate CSP (Content Security Policy) configuration in GROWI versions v4.2.2 and earlier allows remote authenticated attackers to inject an arbitrary script via a specially crafted content. | 3.5 |
2021-03-09 | CVE-2021-20253 | Redhat | Files or Directories Accessible to External Parties vulnerability in Redhat Ansible Tower A flaw was found in ansible-tower. | 3.5 |
2021-03-08 | CVE-2020-27576 | Maxum | Cross-site Scripting vulnerability in Maxum Rumpus 8.2.13/8.2.14 Maxum Rumpus 8.2.13 and 8.2.14 is affected by cross-site scripting (XSS). | 3.5 |
2021-03-08 | CVE-2021-21325 | Glpi Project | Cross-site Scripting vulnerability in Glpi-Project Glpi GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. | 3.5 |
2021-03-08 | CVE-2021-27222 | Obss | Cross-site Scripting vulnerability in Status In the "Time in Status" app before 4.13.0 for Jira, remote authenticated attackers can cause Stored XSS. | 3.5 |
2021-03-10 | CVE-2020-35221 | Netgear | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware The hashing algorithm implemented for NSDP password authentication on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices was found to be insecure, allowing attackers (with access to a network capture) to quickly generate multiple collisions to generate valid passwords, or infer some parts of the original. | 3.3 |
2021-03-09 | CVE-2021-20263 | Qemu | Improper Preservation of Permissions vulnerability in Qemu A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. | 3.3 |
2021-03-09 | CVE-2021-21361 | Vagrant Project | Information Exposure Through Log Files vulnerability in Vagrant Project Vagrant The `com.bmuschko:gradle-vagrant-plugin` Gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables. | 3.3 |
2021-03-12 | CVE-2021-21726 | ZTE | Improper Input Validation vulnerability in ZTE products Some ZTE products have an input verification vulnerability in the diagnostic function interface. | 2.1 |
2021-03-10 | CVE-2021-0460 | Out-of-bounds Read vulnerability in Google Android In the FingerTipS touch screen driver, there is a possible out of bounds read due to an integer overflow. | 2.1 | |
2021-03-10 | CVE-2021-0459 | Out-of-bounds Read vulnerability in Google Android In fts_driver_test_write of fts_proc.c, there is a possible out of bounds read due to a missing bounds check. | 2.1 | |
2021-03-10 | CVE-2021-0458 | Integer Overflow or Wraparound vulnerability in Google Android In the FingerTipS touch screen driver, there is a possible out of bounds read due to an integer overflow. | 2.1 | |
2021-03-10 | CVE-2021-0453 | Improper Initialization vulnerability in Google Android In the Titan-M chip firmware, there is a possible disclosure of stack memory due to uninitialized data. | 2.1 | |
2021-03-10 | CVE-2021-0452 | Improper Initialization vulnerability in Google Android In the Titan M chip firmware, there is a possible disclosure of stack memory due to uninitialized data. | 2.1 | |
2021-03-10 | CVE-2021-0451 | Improper Initialization vulnerability in Google Android In the Titan M chip firmware, there is a possible disclosure of stack memory due to uninitialized data. | 2.1 | |
2021-03-10 | CVE-2021-0450 | Improper Initialization vulnerability in Google Android In the Titan M chip firmware, there is a possible disclosure of stack memory due to uninitialized data. | 2.1 | |
2021-03-10 | CVE-2021-0449 | Improper Initialization vulnerability in Google Android In the Titan M chip firmware, there is a possible disclosure of stack memory due to uninitialized data. | 2.1 | |
2021-03-10 | CVE-2021-0382 | Incorrect Authorization vulnerability in Google Android 11.0 In checkSlicePermission of SliceManagerService.java, there is a possible resource exposure due to an incorrect permission check. | 2.1 | |
2021-03-10 | CVE-2021-0381 | Incorrect Default Permissions vulnerability in Google Android 11.0 In updateNotifications of DeviceStorageMonitorService.java, there is a possible permission bypass due to an unsafe PendingIntent. | 2.1 | |
2021-03-10 | CVE-2021-0394 | Out-of-bounds Read vulnerability in Google Android In android_os_Parcel_readString8 of android_os_Parcel.cpp, there is a possible out of bounds read due to a missing bounds check. | 2.1 | |
2021-03-10 | CVE-2021-0377 | Improper Input Validation vulnerability in Google Android 11.0 In DeltaPerformer::Write of delta_performer.cc, there is a possible use of untrusted input due to improper input validation. | 2.1 | |
2021-03-10 | CVE-2021-0375 | Use of Insufficiently Random Values vulnerability in Google Android 11.0 In onPackageModified of VoiceInteractionManagerService.java, there is a possible change of default applications due to an insecure default value. | 2.1 | |
2021-03-10 | CVE-2021-0374 | Out-of-bounds Read vulnerability in Google Android 11.0 In BnAudioPolicyService::onTransact of IAudioPolicyService.cpp, there is a possible out of bounds read due to a missing bounds check. | 2.1 | |
2021-03-10 | CVE-2020-4717 | IBM | Link Following vulnerability in IBM Spss Modeler A vulnerability exists in IBM SPSS Modeler Subscription Installer that allows a user with create symbolic link permission to write arbitrary file in another protected path during product installation. | 2.1 |
2021-03-09 | CVE-2021-20255 | Qemu Debian | Uncontrolled Recursion vulnerability in multiple products A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. | 2.1 |
2021-03-09 | CVE-2020-8357 | Lenovo | Incorrect Default Permissions vulnerability in Lenovo Pcmanager 3.0.50.9162 A denial of service vulnerability was reported in Lenovo PCManager, prior to version 3.0.200.2042, that could allow configuration files to be written to non-standard locations. | 2.1 |
2021-03-10 | CVE-2021-0463 | Out-of-bounds Read vulnerability in Google Android In convertToHidl of convert.cpp, there is a possible out of bounds read due to uninitialized data from ReturnFrameworkMessage. | 1.9 |