Weekly Vulnerabilities Reports > March 8 to 14, 2021

Overview

377 new vulnerabilities reported during this period, including 23 critical vulnerabilities and 133 high severity vulnerabilities. This weekly summary report vulnerabilities in 224 products from 103 vendors including Microsoft, Google, Debian, Fedoraproject, and SAP. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Read", "Out-of-bounds Write", "Use After Free", and "Incorrect Authorization".

  • 221 reported vulnerabilities are remotely exploitables.
  • 4 reported vulnerabilities have public exploit available.
  • 55 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 277 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 81 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 7 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

23 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-03-11 CVE-2021-26867 Microsoft Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016

Windows Hyper-V Remote Code Execution Vulnerability

9.9
2021-03-12 CVE-2021-20232 GNU
Redhat
Fedoraproject
Use After Free vulnerability in multiple products

A flaw was found in gnutls.

9.8
2021-03-12 CVE-2021-20231 GNU
Redhat
Fedoraproject
Netapp
Use After Free vulnerability in multiple products

A flaw was found in gnutls.

9.8
2021-03-12 CVE-2020-36282 Rabbitmq Deserialization of Untrusted Data vulnerability in Rabbitmq JMS Client

JMS Client for RabbitMQ 1.x before 1.15.2 and 2.x before 2.2.0 is vulnerable to unsafe deserialization that can result in code execution via crafted StreamMessage data.

9.8
2021-03-11 CVE-2016-20009 Windriver
Siemens
Out-of-bounds Write vulnerability in multiple products

A DNS client stack-based buffer overflow in ipdnsc_decode_name() affects Wind River VxWorks 6.5 through 7.

9.8
2021-03-11 CVE-2021-28141 Telerik Missing Authorization vulnerability in Telerik UI for Asp.Net Ajax 2021.1.224

An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224.

9.8
2021-03-11 CVE-2021-26897 Microsoft Unspecified vulnerability in Microsoft products

Windows DNS Server Remote Code Execution Vulnerability

9.8
2021-03-11 CVE-2021-26895 Microsoft Unspecified vulnerability in Microsoft products

Windows DNS Server Remote Code Execution Vulnerability

9.8
2021-03-11 CVE-2021-26894 Microsoft Unspecified vulnerability in Microsoft products

Windows DNS Server Remote Code Execution Vulnerability

9.8
2021-03-11 CVE-2021-26893 Microsoft Unspecified vulnerability in Microsoft products

Windows DNS Server Remote Code Execution Vulnerability

9.8
2021-03-11 CVE-2021-26877 Microsoft Unspecified vulnerability in Microsoft products

Windows DNS Server Remote Code Execution Vulnerability

9.8
2021-03-12 CVE-2021-21067 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop 2020 21.0/21.1

Adobe Photoshop versions 21.2.5 (and earlier) and 22.2 (and earlier) are affected by an Out-of-bounds Write vulnerability in the CoolType library.

9.3
2021-03-11 CVE-2021-22712 Schneider Electric Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Interactive Graphical Scada System

A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in arbitrary read or write conditions when malicious CGF (Configuration Group File) file is imported to IGSS Definition due to an unchecked pointer address.

9.3
2021-03-11 CVE-2021-22711 Schneider Electric Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Interactive Graphical Scada System

A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in arbitrary read or write conditions when malicious CGF (Configuration Group File) file is imported to IGSS Definition due to missing validation of input data.

9.3
2021-03-11 CVE-2021-22710 Schneider Electric Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Interactive Graphical Scada System

A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could cause remote code execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.

9.3
2021-03-11 CVE-2021-22709 Schneider Electric Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Interactive Graphical Scada System

A CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Interactive Graphical SCADA System (IGSS) Definition (Def.exe) V15.0.0.21041 and prior, which could result in loss of data or remote code execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.

9.3
2021-03-11 CVE-2021-27080 Microsoft Unspecified vulnerability in Microsoft Azure Sphere

Azure Sphere Unsigned Code Execution Vulnerability

9.3
2021-03-11 CVE-2021-28154 Camunda Missing Authorization vulnerability in Camunda Modeler

Camunda Modeler (aka camunda-modeler) through 4.6.0 allows arbitrary file access.

9.1
2021-03-13 CVE-2021-20017 Sonicwall OS Command Injection vulnerability in Sonicwall Sma100 Firmware 10.2.0.220Sv

A post-authenticated command injection vulnerability in SonicWall SMA100 allows an authenticated attacker to execute OS commands as a 'nobody' user.

9.0
2021-03-11 CVE-2020-14987 Bloomreach Incorrect Permission Assignment for Critical Resource vulnerability in Bloomreach Experience Manager

An issue was discovered in Bloomreach Experience Manager (brXM) 4.1.0 through 14.2.2.

9.0
2021-03-11 CVE-2021-28144 Dlink Command Injection vulnerability in Dlink Dir-3060 Firmware

prog.cgi on D-Link DIR-3060 devices before 1.11b04 HF2 allows remote authenticated users to inject arbitrary commands in an admin or root context because SetVirtualServerSettings calls CheckArpTables, which calls popen unsafely.

9.0
2021-03-10 CVE-2020-19417 Emerson Unspecified vulnerability in Emerson Wireless 1420 Gateway Firmware 4.6.59

Emerson Smart Wireless Gateway 1420 4.6.59 allows non-privileged users (such as the default account 'maint') to perform administrative tasks by sending specially crafted HTTP requests to the application.

9.0
2021-03-09 CVE-2021-21480 SAP Code Injection vulnerability in SAP Manufacturing Integration and Intelligence

SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment).

9.0

133 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-03-12 CVE-2021-21368 Msgpack5 Project Unspecified vulnerability in Msgpack5 Project Msgpack5

msgpack5 is a msgpack v5 implementation for node.js and the browser.

8.8
2021-03-11 CVE-2021-27085 Microsoft Unspecified vulnerability in Microsoft Internet Explorer 11

Internet Explorer Remote Code Execution Vulnerability

8.8
2021-03-11 CVE-2021-27076 Microsoft Unspecified vulnerability in Microsoft products

Microsoft SharePoint Server Remote Code Execution Vulnerability

8.8
2021-03-11 CVE-2021-26876 Microsoft Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016

OpenType Font Parsing Remote Code Execution Vulnerability

8.8
2021-03-11 CVE-2021-26865 Microsoft Unspecified vulnerability in Microsoft products

Windows Container Execution Agent Elevation of Privilege Vulnerability

8.8
2021-03-11 CVE-2021-26411 Microsoft Use After Free vulnerability in Microsoft Edge and Internet Explorer

Internet Explorer Memory Corruption Vulnerability

8.8
2021-03-10 CVE-2020-13936 Apache
Debian
Oracle
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container.
8.8
2021-03-09 CVE-2021-21190 Google
Fedoraproject
Debian
Use of Uninitialized Resource vulnerability in multiple products

Uninitialized data in PDFium in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file.

8.8
2021-03-09 CVE-2021-21188 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Use after free in Blink in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2021-03-09 CVE-2021-21180 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Use after free in tab search in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2021-03-09 CVE-2021-21179 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Use after free in Network Internals in Google Chrome on Linux prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2021-03-09 CVE-2021-21174 Google
Fedoraproject
Debian
Inappropriate implementation in Referrer in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
8.8
2021-03-09 CVE-2021-21169 Google
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

Out of bounds memory access in V8 in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.

8.8
2021-03-09 CVE-2021-21167 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Use after free in bookmarks in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2021-03-09 CVE-2021-21166 Google
Fedoraproject
Debian
Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
8.8
2021-03-09 CVE-2021-21165 Google
Fedoraproject
Debian
Race Condition vulnerability in multiple products

Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2021-03-09 CVE-2021-21162 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Use after free in WebRTC in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2021-03-09 CVE-2021-21161 Google
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2021-03-09 CVE-2021-21160 Google
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in WebAudio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2021-03-09 CVE-2021-21159 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2021-03-11 CVE-2021-26864 Microsoft Unspecified vulnerability in Microsoft products

Windows Virtual Registry Provider Elevation of Privilege Vulnerability

8.4
2021-03-10 CVE-2020-35231 Netgear Improper Authentication vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware

The NSDP protocol implementation on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices was affected by an authentication issue that allows an attacker to bypass access controls and obtain full control of the device.

8.3
2021-03-09 CVE-2021-21481 SAP Incorrect Authorization vulnerability in SAP Netweaver

The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check.

8.3
2021-03-11 CVE-2021-21381 Flatpak
Debian
Fedoraproject
Injection vulnerability in multiple products

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.

8.2
2021-03-11 CVE-2021-21378 Envoyproxy Improper Authentication vulnerability in Envoyproxy Envoy 1.17.0

Envoy is a cloud-native high-performance edge/middle/service proxy.

8.2
2021-03-12 CVE-2021-21367 Elementary
Fedoraproject
Incorrect Authorization vulnerability in multiple products

Switchboard Bluetooth Plug for elementary OS from version 2.3.0 and before version version 2.3.5 has an incorrect authorization vulnerability.

8.1
2021-03-10 CVE-2021-21772 3MF
Fedoraproject
Debian
Use After Free vulnerability in multiple products

A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 2.0.0.

8.1
2021-03-09 CVE-2021-21172 Google
Fedoraproject
Debian
Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 89.0.4389.72 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.
8.1
2021-03-12 CVE-2021-21082 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop

Adobe Photoshop versions 21.2.5 (and earlier) and 22.2 (and earlier) are affected by a Memory Corruption vulnerability when parsing a specially crafted file.

7.8
2021-03-11 CVE-2021-22713 Schneider Electric Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric products

A CWE-119:Improper restriction of operations within the bounds of a memory buffer vulnerability exists in PowerLogic ION8650, ION8800, ION7650, ION7700/73xx, and ION83xx/84xx/85xx/8600 (see security notifcation for affected versions), which could cause the meter to reboot.

7.8
2021-03-11 CVE-2021-27084 Microsoft Unspecified vulnerability in Microsoft Visual Studio Code

Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-27083 Microsoft Unspecified vulnerability in Microsoft Remote Development

Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-27082 Microsoft Unspecified vulnerability in Microsoft Quantum Development KIT

Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-27081 Microsoft Unspecified vulnerability in Microsoft Visual Studio Code Eslint Extension

Visual Studio Code ESLint Extension Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-27077 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Win32k Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-27062 Microsoft Unspecified vulnerability in Microsoft High Efficiency Video Coding

HEVC Video Extensions Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-27061 Microsoft Unspecified vulnerability in Microsoft High Efficiency Video Coding

HEVC Video Extensions Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-27060 Microsoft Unspecified vulnerability in Microsoft Visual Studio Code

Visual Studio Code Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-27058 Microsoft Unspecified vulnerability in Microsoft 365 Apps

Microsoft Office ClickToRun Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-27057 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Office Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-27056 Microsoft Unspecified vulnerability in Microsoft 365 Apps, Office and Powerpoint

Microsoft PowerPoint Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-27054 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Excel Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-27053 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Excel Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-27051 Microsoft Unspecified vulnerability in Microsoft High Efficiency Video Coding

HEVC Video Extensions Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-27050 Microsoft Unspecified vulnerability in Microsoft High Efficiency Video Coding

HEVC Video Extensions Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-27049 Microsoft Unspecified vulnerability in Microsoft High Efficiency Video Coding

HEVC Video Extensions Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-27048 Microsoft Unspecified vulnerability in Microsoft High Efficiency Video Coding

HEVC Video Extensions Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-27047 Microsoft Unspecified vulnerability in Microsoft High Efficiency Video Coding

HEVC Video Extensions Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-26902 Microsoft Unspecified vulnerability in Microsoft High Efficiency Video Coding

HEVC Video Extensions Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-26901 Microsoft Unspecified vulnerability in Microsoft products

Windows Event Tracing Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-26900 Microsoft Use After Free vulnerability in Microsoft Windows 10 and Windows Server 2016

Windows Win32k Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-26899 Microsoft Unspecified vulnerability in Microsoft products

Windows UPnP Device Host Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-26898 Microsoft Unspecified vulnerability in Microsoft products

Windows Event Tracing Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-26891 Microsoft Unspecified vulnerability in Microsoft products

Windows Container Execution Agent Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-26890 Microsoft Unspecified vulnerability in Microsoft products

Application Virtualization Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-26889 Microsoft Link Following vulnerability in Microsoft products

Windows Update Stack Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-26887 Microsoft Link Following vulnerability in Microsoft products

<p>An elevation of privilege vulnerability exists in Microsoft Windows when Folder redirection has been enabled via Group Policy.

7.8
2021-03-11 CVE-2021-26885 Microsoft Unspecified vulnerability in Microsoft Windows 10

Windows WalletService Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-26882 Microsoft Unspecified vulnerability in Microsoft products

Remote Access API Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-26880 Microsoft Unspecified vulnerability in Microsoft products

Storage Spaces Controller Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-26878 Microsoft Unspecified vulnerability in Microsoft products

Windows Print Spooler Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-26875 Microsoft Unspecified vulnerability in Microsoft products

Windows Win32k Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-26874 Microsoft Unspecified vulnerability in Microsoft products

Windows Overlay Filter Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-26872 Microsoft Unspecified vulnerability in Microsoft products

Windows Event Tracing Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-26871 Microsoft Unspecified vulnerability in Microsoft Windows 10

Windows WalletService Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-26870 Microsoft Unspecified vulnerability in Microsoft products

Windows Projected File System Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-26868 Microsoft Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft products

Windows Graphics Component Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-26861 Microsoft Unspecified vulnerability in Microsoft products

Windows Graphics Component Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-26860 Microsoft Unspecified vulnerability in Microsoft products

Windows App-V Overlay Filter Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-24110 Microsoft Unspecified vulnerability in Microsoft High Efficiency Video Coding

HEVC Video Extensions Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-24108 Microsoft Unspecified vulnerability in Microsoft 365 Apps and Office

Microsoft Office Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-24090 Microsoft Improper Privilege Management vulnerability in Microsoft Windows 10 and Windows Server 2016

Windows Error Reporting Elevation of Privilege Vulnerability

7.8
2021-03-11 CVE-2021-24089 Microsoft Unspecified vulnerability in Microsoft High Efficiency Video Coding

HEVC Video Extensions Remote Code Execution Vulnerability

7.8
2021-03-11 CVE-2021-1640 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Print Spooler Elevation of Privilege Vulnerability

7.8
2021-03-10 CVE-2021-0386 Google Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android 11.0

In onCreate of UsbConfirmActivity, there is a possible tapjacking vector due to an insecure default value.

7.8
2021-03-10 CVE-2021-0391 Google Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android

In onCreate() of ChooseTypeAndAccountActivity.java, there is a possible way to learn the existence of an account, without permissions, due to a tapjacking/overlay attack.

7.8
2021-03-10 CVE-2021-0369 Google Unspecified vulnerability in Google Android 11.0

In CrossProfileAppsServiceImpl.java, there is the possibility of an application's INTERACT_ACROSS_PROFILES grant state not displaying properly in the setting UI due to a logic error in the code.

7.8
2021-03-09 CVE-2020-35524 Libtiff
Debian
Fedoraproject
Netapp
Redhat
Out-of-bounds Write vulnerability in multiple products

A heap-based buffer overflow flaw was found in libtiff in the handling of TIFF images in libtiff's TIFF2PDF tool.

7.8
2021-03-09 CVE-2020-35523 Libtiff
Debian
Netapp
Redhat
Integer Overflow or Wraparound vulnerability in multiple products

An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file.

7.8
2021-03-09 CVE-2021-20268 Linux Integer Overflow or Wraparound vulnerability in Linux Kernel

An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier in the way a user running the eBPF script calls dev_map_init_map or sock_map_alloc.

7.8
2021-03-11 CVE-2021-28143 Dlink Command Injection vulnerability in Dlink Dir-841 Firmware 3.03/3.04

/jsonrpc on D-Link DIR-841 3.03 and 3.04 devices allows authenticated command injection via ping, ping6, or traceroute (under System Tools).

7.7
2021-03-11 CVE-2021-26859 Microsoft Unspecified vulnerability in Microsoft Power BI Report Server 15.0.1103.234/15.0.1104.300

Microsoft Power BI Information Disclosure Vulnerability

7.7
2021-03-11 CVE-2021-27059 Microsoft Unspecified vulnerability in Microsoft Office 2010/2013/2016

Microsoft Office Remote Code Execution Vulnerability

7.6
2021-03-12 CVE-2021-28092 IS SVG Project Unspecified vulnerability in Is-Svg Project Is-Svg

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS).

7.5
2021-03-12 CVE-2021-23354 Adaltas Unspecified vulnerability in Adaltas Printf

The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js.

7.5
2021-03-12 CVE-2021-28305 Diesel Use After Free vulnerability in Diesel

An issue was discovered in the diesel crate before 1.4.6 for Rust.

7.5
2021-03-12 CVE-2021-27647 Synology Out-of-bounds Read vulnerability in Synology Diskstation Manager

Out-of-bounds Read vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.

7.5
2021-03-12 CVE-2021-27646 Synology Use After Free vulnerability in Synology Diskstation Manager

Use After Free vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.

7.5
2021-03-12 CVE-2020-36281 Leptonica
Debian
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

Leptonica before 1.80.0 allows a heap-based buffer over-read in pixFewColorsOctcubeQuantMixed in colorquant1.c.

7.5
2021-03-12 CVE-2020-36280 Leptonica
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

Leptonica before 1.80.0 allows a heap-based buffer over-read in pixReadFromTiffStream, related to tiffio.c.

7.5
2021-03-12 CVE-2020-36279 Leptonica
Fedoraproject
Debian
Out-of-bounds Read vulnerability in multiple products

Leptonica before 1.80.0 allows a heap-based buffer over-read in rasteropGeneralLow, related to adaptmap_reg.c and adaptmap.c.

7.5
2021-03-12 CVE-2020-36278 Leptonica
Fedoraproject
Debian
Out-of-bounds Read vulnerability in multiple products

Leptonica before 1.80.0 allows a heap-based buffer over-read in findNextBorderPixel in ccbord.c.

7.5
2021-03-11 CVE-2021-22714 Schneider Electric Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric products

A CWE-119:Improper restriction of operations within the bounds of a memory buffer vulnerability exists in PowerLogic ION7400, PM8000 and ION9000 (All versions prior to V3.0.0), which could cause the meter to reboot or allow for remote code execution.

7.5
2021-03-11 CVE-2020-36277 Leptonica
Fedoraproject
Debian
Always-Incorrect Control Flow Implementation vulnerability in multiple products

Leptonica before 1.80.0 allows a denial of service (application crash) via an incorrect left shift in pixConvert2To8 in pixconv.c.

7.5
2021-03-11 CVE-2020-29045 Fivestarplugins Deserialization of Untrusted Data vulnerability in Fivestarplugins Five Star Restaurant Menu

The food-and-drink-menu plugin through 2.2.0 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the fdm_cart cookie in load_cart_from_cookie in includes/class-cart-manager.php.

7.5
2021-03-11 CVE-2021-27063 Microsoft Unspecified vulnerability in Microsoft products

Windows DNS Server Denial of Service Vulnerability

7.5
2021-03-11 CVE-2021-26896 Microsoft Unspecified vulnerability in Microsoft products

Windows DNS Server Denial of Service Vulnerability

7.5
2021-03-11 CVE-2021-26881 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

7.5
2021-03-11 CVE-2021-26879 Microsoft Unspecified vulnerability in Microsoft products

Windows Network Address Translation (NAT) Denial of Service Vulnerability

7.5
2021-03-11 CVE-2021-28132 Lucysecurity OS Command Injection vulnerability in Lucysecurity Security Awareness

LUCY Security Awareness Software through 4.7.x allows unauthenticated remote code execution because the Migration Tool (in the Support section) allows upload of .php files within a system.tar.gz file.

7.5
2021-03-11 CVE-2020-1900 Facebook Use After Free vulnerability in Facebook Hhvm

When unserializing an object with dynamic properties HHVM needs to pre-reserve the full size of the dynamic property array before inserting anything into it.

7.5
2021-03-11 CVE-2021-28134 Clipper Project Unspecified vulnerability in Clipper Project Clipper

Clipper before 1.0.5 allows remote command execution.

7.5
2021-03-11 CVE-2021-27918 Golang Infinite Loop vulnerability in Golang GO

encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element.

7.5
2021-03-10 CVE-2020-27632 Siemens Unspecified vulnerability in Siemens Simatic Mv420 Firmware and Simatic Mv440 Firmware

In SIMATIC MV400 family versions prior to v7.0.6, the ISN generator is initialized with a constant value and has constant increments.

7.5
2021-03-10 CVE-2020-19419 Emerson Missing Authentication for Critical Function vulnerability in Emerson Smart Wireless Gateway 1420 Firmware 4.6.59

Incorrect Access Control in Emerson Smart Wireless Gateway 1420 4.6.59 allows remote attackers to obtain sensitive device information from the administrator console without authentication.

7.5
2021-03-10 CVE-2021-24030 Facebook Argument Injection or Modification vulnerability in Facebook Gameroom

The fbgames protocol handler registered as part of Facebook Gameroom does not properly quote arguments passed to the executable.

7.5
2021-03-10 CVE-2021-24025 Facebook Integer Overflow or Wraparound vulnerability in Facebook Hhvm

Due to incorrect string size calculations inside the preg_quote function, a large input string passed to the function can trigger an integer overflow leading to a heap overflow.

7.5
2021-03-10 CVE-2021-0397 Google Double Free vulnerability in Google Android

In sdp_copy_raw_data of sdp_discovery.cc, there is a possible system compromise due to a double free.

7.5
2021-03-10 CVE-2021-0396 Google Out-of-bounds Write vulnerability in Google Android

In Builtins::Generate_ArgumentsAdaptorTrampoline of builtins-arm.cc and related files, there is a possible out of bounds write due to an incorrect bounds check.

7.5
2021-03-10 CVE-2020-1917 Facebook Out-of-bounds Write vulnerability in Facebook Hhvm

xbuf_format_converter, used as part of exif_read_data, was appending a terminating null character to the generated string, but was not using its standard append char function.

7.5
2021-03-10 CVE-2020-1916 Facebook Out-of-bounds Write vulnerability in Facebook Hhvm

An incorrect size calculation in ldap_escape may lead to an integer overflow when overly long input is passed in, resulting in an out-of-bounds write.

7.5
2021-03-10 CVE-2021-28122 Open5Gs Missing Authentication for Critical Function vulnerability in Open5Gs

A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1.

7.5
2021-03-10 CVE-2020-24791 Thedaylightstudio SQL Injection vulnerability in Thedaylightstudio Fuel CMS 1.4.8

FUEL CMS 1.4.8 allows SQL injection via the 'fuel_replace_id' parameter in pages/replace/1.

7.5
2021-03-09 CVE-2021-28119 Twinkletray Unspecified vulnerability in Twinkletray Twinkle Tray

Twinkle Tray (aka twinkle-tray) through 1.13.3 allows remote command execution.

7.5
2021-03-09 CVE-2021-21300 GIT SCM
Fedoraproject
Apple
Debian
Link Following vulnerability in multiple products

Git is an open-source distributed revision control system.

7.5
2021-03-09 CVE-2021-23352 Madge Project SQL Injection vulnerability in Madge Project Madge

This affects the package madge before 4.0.1.

7.5
2021-03-09 CVE-2021-25915 Changeset Project Unspecified vulnerability in Changeset Project Changeset

Prototype pollution vulnerability in 'changeset' versions 0.0.1 through 0.2.5 allows an attacker to cause a denial of service and may lead to remote code execution.

7.5
2021-03-08 CVE-2021-21335 Spnego Http Authentication Module Project Improper Authentication vulnerability in Spnego Http Authentication Module Project Spnego Http Authentication Module

In the SPNEGO HTTP Authentication Module for nginx (spnego-http-auth-nginx-module) before version 1.1.1 basic Authentication can be bypassed using a malformed username.

7.5
2021-03-08 CVE-2021-21327 Glpi Project Unsafe Reflection vulnerability in Glpi-Project Glpi

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing.

7.5
2021-03-11 CVE-2021-27070 Microsoft Incorrect Permission Assignment for Critical Resource vulnerability in Microsoft Windows 10 and Windows Server 2016

Windows 10 Update Assistant Elevation of Privilege Vulnerability

7.3
2021-03-12 CVE-2021-21518 Dell Uncontrolled Search Path Element vulnerability in Dell products

Dell SupportAssist Client for Consumer PCs versions 3.7.x, 3.6.x, 3.4.x, 3.3.x, Dell SupportAssist Client for Business PCs versions 2.0.x, 2.1.x, 2.2.x, and Dell SupportAssist Client ProManage 1.x contain a DLL injection vulnerability in the Costura Fody plugin.

7.2
2021-03-11 CVE-2020-5025 IBM
Netapp
Classic Buffer Overflow vulnerability in multiple products

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 db2fm is vulnerable to a buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code on the system with root privileges.

7.2
2021-03-10 CVE-2021-0455 Google Out-of-bounds Write vulnerability in Google Android

In the Citadel chip firmware, there is a possible out of bounds write due to a missing bounds check.

7.2
2021-03-10 CVE-2021-0454 Google Out-of-bounds Write vulnerability in Google Android

In the Citadel chip firmware, there is a possible out of bounds write due to a missing bounds check.

7.2
2021-03-08 CVE-2020-23967 Drweb Improper Verification of Cryptographic Signature vulnerability in Drweb Security Space 11.0/12.0

Dr.Web Security Space versions 11 and 12 allow elevation of privilege for local users without administrative privileges to NT AUTHORITY\SYSTEM due to insufficient control during autoupdate.

7.2
2021-03-12 CVE-2021-21072 Adobe Out-of-bounds Read vulnerability in Adobe Animate

Adobe Animate version 21.0.3 (and earlier) is affected by an Out-of-bounds Read vulnerability.

7.1
2021-03-11 CVE-2021-26866 Microsoft Link Following vulnerability in Microsoft products

Windows Update Service Elevation of Privilege Vulnerability

7.1
2021-03-11 CVE-2021-1729 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Update Stack Setup Elevation of Privilege Vulnerability

7.1
2021-03-11 CVE-2021-27055 Microsoft Unspecified vulnerability in Microsoft 365 Apps, Office and Visio

Microsoft Visio Security Feature Bypass Vulnerability

7.0
2021-03-11 CVE-2021-26873 Microsoft Link Following vulnerability in Microsoft products

Windows User Profile Service Elevation of Privilege Vulnerability

7.0
2021-03-11 CVE-2021-26863 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Win32k Elevation of Privilege Vulnerability

7.0
2021-03-11 CVE-2021-26862 Microsoft Link Following vulnerability in Microsoft products

Windows Installer Elevation of Privilege Vulnerability

7.0
2021-03-11 CVE-2021-24095 Microsoft Improper Privilege Management vulnerability in Microsoft products

DirectX Elevation of Privilege Vulnerability

7.0

178 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-03-10 CVE-2021-0387 Google Race Condition vulnerability in Google Android 11.0

In FindQuotaDeviceForUuid of QuotaUtils.cpp, there is a possible use-after-free due to a race condition.

6.9
2021-03-12 CVE-2021-21085 Adobe Improper Input Validation vulnerability in Adobe Connect

Adobe Connect version 11.0.7 (and earlier) is affected by an Input Validation vulnerability in the export feature.

6.8
2021-03-12 CVE-2021-26569 Synology Race Condition vulnerability in Synology Diskstation Manager

Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.

6.8
2021-03-12 CVE-2021-20674 NTT TX Uncontrolled Search Path Element vulnerability in Ntt-Tx Magicconnect

Untrusted search path vulnerability in Installer of MagicConnect Client program distributed before 2021 March 1 allows an attacker to gain privileges and via a Trojan horse DLL in an unspecified directory and to execute arbitrary code with the privilege of the user invoking the installer when a terminal is connected remotely using Remote desktop.

6.8
2021-03-11 CVE-2020-24984 Quadbase Cross-Site Request Forgery (CSRF) vulnerability in Quadbase Espressreports ES 7

An issue was discovered in Quadbase EspressReports ES 7 Update 9.

6.8
2021-03-11 CVE-2020-24983 Quadbase Cross-Site Request Forgery (CSRF) vulnerability in Quadbase Espressreports ES 7

An issue was discovered in Quadbase EspressReports ES 7 Update 9.

6.8
2021-03-11 CVE-2021-27075 Microsoft Unspecified vulnerability in Microsoft products

Azure Virtual Machine Information Disclosure Vulnerability

6.8
2021-03-10 CVE-2020-35223 Netgear Cross-Site Request Forgery (CSRF) vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware

The CSRF protection mechanism implemented in the web administration panel on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices could be bypassed by omitting the CSRF token parameter in HTTP requests.

6.8
2021-03-10 CVE-2021-0393 Google Integer Overflow or Wraparound vulnerability in Google Android

In Scanner::LiteralBuffer::NewCapacity of scanner.cc, there is a possible out of bounds write due to an integer overflow.

6.8
2021-03-09 CVE-2021-27592 SAP Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9

When a user opens manipulated Universal 3D (.U3D) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application.

6.8
2021-03-09 CVE-2021-27591 SAP Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9

When a user opens manipulated Portable Document Format (.PDF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.

6.8
2021-03-09 CVE-2021-27590 SAP Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9

When a user opens manipulated Tag Image File Format (.TIFF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.

6.8
2021-03-09 CVE-2021-27589 SAP Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9

When a user opens manipulated Scalable Vector Graphics (.SVG) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.

6.8
2021-03-09 CVE-2021-27588 SAP Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9

When a user opens manipulated HPGL format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.

6.8
2021-03-09 CVE-2021-27587 SAP Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9

When a user opens manipulated Jupiter Tessellation (.JT) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.

6.8
2021-03-09 CVE-2021-27586 SAP Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9

When a user opens manipulated Interchange File Format (.IFF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.

6.8
2021-03-09 CVE-2021-27585 SAP Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9

When a user opens manipulated Computer Graphics Metafile (.CGM) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.

6.8
2021-03-09 CVE-2021-21484 SAP Incorrect Authorization vulnerability in SAP Hana 2.0

LDAP authentication in SAP HANA Database version 2.0 can be bypassed if the attached LDAP directory server is configured to enable unauthenticated bind.

6.8
2021-03-09 CVE-2021-24033 Facebook OS Command Injection vulnerability in Facebook React-Dev-Utils

react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed.

6.8
2021-03-08 CVE-2020-27574 Maxum Cross-Site Request Forgery (CSRF) vulnerability in Maxum Rumpus 8.2.13/8.2.14

Maxum Rumpus 8.2.13 and 8.2.14 is affected by cross-site request forgery (CSRF).

6.8
2021-03-08 CVE-2021-21329 Ratcf Improper Authentication vulnerability in Ratcf

RATCF is an open-source framework for hosting Cyber-Security Capture the Flag events.

6.8
2021-03-10 CVE-2020-35230 Netgear Integer Overflow or Wraparound vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware

Multiple integer overflow parameters were found in the web administration panel on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices.

6.7
2021-03-13 CVE-2020-35682 Zohocorp Incorrect Authorization vulnerability in Zohocorp Manageengine Servicedesk Plus 8.2/9.0

Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).

6.5
2021-03-12 CVE-2021-21078 Adobe Untrusted Search Path vulnerability in Adobe Creative Cloud Desktop Application

Adobe Creative Cloud Desktop Application version 5.3 (and earlier) is affected by an Unquoted Service Path vulnerability in CCXProcess that could allow an attacker to achieve arbitrary code execution in the process of the current user.

6.5
2021-03-10 CVE-2021-21375 Teluu
Debian
Improper Check for Unusual or Exceptional Conditions vulnerability in multiple products

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE.

6.5
2021-03-10 CVE-2020-35227 Netgear Classic Buffer Overflow vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware

A buffer overflow vulnerability in the access control section on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices (in the administration web panel) allows an attacker to inject IP addresses into the whitelist via the checkedList parameter to the delete command.

6.5
2021-03-10 CVE-2021-20205 Libjpeg Turbo
Fedoraproject
Divide By Zero vulnerability in multiple products

Libjpeg-turbo versions 2.0.91 and 2.0.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted GIF image.

6.5
2021-03-10 CVE-2020-23722 Thedaylightstudio Improper Privilege Management vulnerability in Thedaylightstudio Fuel CMS 1.4.7

An issue was discovered in FUEL CMS 1.4.7.

6.5
2021-03-10 CVE-2021-20671 Weseek Improper Input Validation vulnerability in Weseek Growi 4.2.2

Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative privilege to overwrite the files on the server, which may lead to arbitrary code execution.

6.5
2021-03-10 CVE-2021-20669 Weseek Path Traversal vulnerability in Weseek Growi

Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read and/or delete an arbitrary path via a specially crafted URL.

6.5
2021-03-09 CVE-2021-21182 Google
Fedoraproject
Debian
Incorrect Authorization vulnerability in multiple products

Insufficient policy enforcement in navigations in Google Chrome prior to 89.0.4389.72 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page.

6.5
2021-03-09 CVE-2021-21181 Google
Fedoraproject
Debian
Information Exposure Through Discrepancy vulnerability in multiple products

Side-channel information leakage in autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

6.5
2021-03-09 CVE-2021-21178 Google
Fedoraproject
Debian
Inappropriate implementation in Compositing in Google Chrome on Linux and Windows prior to 89.0.4389.72 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
6.5
2021-03-09 CVE-2021-21177 Google
Fedoraproject
Debian
Incorrect Permission Assignment for Critical Resource vulnerability in multiple products

Insufficient policy enforcement in Autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

6.5
2021-03-09 CVE-2021-21176 Google
Fedoraproject
Debian
Inappropriate implementation in full screen mode in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
6.5
2021-03-09 CVE-2021-21175 Google
Fedoraproject
Debian
Origin Validation Error vulnerability in multiple products

Inappropriate implementation in Site isolation in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

6.5
2021-03-09 CVE-2021-21173 Google
Fedoraproject
Debian
Information Exposure Through Discrepancy vulnerability in multiple products

Side-channel information leakage in Network Internals in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

6.5
2021-03-09 CVE-2021-21171 Google
Fedoraproject
Debian
Incorrect security UI in TabStrip and Navigation in Google Chrome on Android prior to 89.0.4389.72 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
6.5
2021-03-09 CVE-2021-21170 Google
Fedoraproject
Debian
Incorrect security UI in Loader in Google Chrome prior to 89.0.4389.72 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
6.5
2021-03-09 CVE-2021-21168 Google
Fedoraproject
Debian
Insufficient policy enforcement in appcache in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
6.5
2021-03-09 CVE-2021-21164 Google
Fedoraproject
Debian
Origin Validation Error vulnerability in multiple products

Insufficient data validation in Chrome on iOS in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

6.5
2021-03-09 CVE-2021-21163 Google
Fedoraproject
Debian
Origin Validation Error vulnerability in multiple products

Insufficient data validation in Reader Mode in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page and a malicious server.

6.5
2021-03-09 CVE-2021-21487 SAP Missing Authorization vulnerability in SAP Payment Engine 500

SAP Payment Engine version 500, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

6.5
2021-03-09 CVE-2021-21486 SAP Missing Authorization vulnerability in SAP Enterprise Financial Services

SAP Enterprise Financial Services versions, 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

6.5
2021-03-08 CVE-2021-21506 Dell Improper Input Validation vulnerability in Dell EMC Powerscale Onefs 8.1.2/8.2.2/9.1.0

PowerScale OneFS 8.1.2,8.2.2 and 9.1.0 contains an improper input sanitization issue in its API handler.

6.5
2021-03-08 CVE-2020-27575 Maxum Command Injection vulnerability in Maxum Rumpus 8.2.13/8.2.14

Maxum Rumpus 8.2.13 and 8.2.14 is affected by a command injection vulnerability.

6.5
2021-03-08 CVE-2021-21362 Minio Incorrect Authorization vulnerability in Minio

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service.

6.5
2021-03-12 CVE-2021-28308 Fltk Project Out-of-bounds Read vulnerability in Fltk Project Fltk

An issue was discovered in the fltk crate before 0.15.3 for Rust.

6.4
2021-03-08 CVE-2020-4903 IBM Unspecified vulnerability in IBM API Connect

IBM API Connect V10 and V2018 could allow an attacker who has intercepted a registration invitation link to impersonate the registered user or obtain sensitive information.

6.4
2021-03-10 CVE-2021-21334 Linuxfoundation
Fedoraproject
Exposure of Resource to Wrong Sphere vulnerability in multiple products

In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers.

6.3
2021-03-11 CVE-2021-27074 Microsoft Unspecified vulnerability in Microsoft Azure Sphere

Azure Sphere Unsigned Code Execution Vulnerability

6.2
2021-03-11 CVE-2021-26892 Microsoft Unspecified vulnerability in Microsoft products

Windows Extensible Firmware Interface Security Feature Bypass Vulnerability

6.2
2021-03-12 CVE-2021-21080 Adobe Cross-site Scripting vulnerability in Adobe Connect

Adobe Connect version 11.0.7 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability.

6.1
2021-03-12 CVE-2021-21079 Adobe Cross-site Scripting vulnerability in Adobe Connect

Adobe Connect version 11.0.7 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability.

6.1
2021-03-12 CVE-2021-21068 Adobe Creation of Temporary File in Directory with Incorrect Permissions vulnerability in Adobe Creative Cloud Desktop Application

Adobe Creative Cloud Desktop Application version 5.3 (and earlier) is affected by a file handling vulnerability that could allow an attacker to cause arbitrary file overwriting.

6.1
2021-03-11 CVE-2021-26886 Microsoft Unspecified vulnerability in Microsoft products

User Profile Service Denial of Service Vulnerability

6.1
2021-03-10 CVE-2020-35233 Netgear Resource Exhaustion vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware

The TFTP server fails to handle multiple connections on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices, and allows external attackers to force device reboots by sending concurrent connections, aka a denial of service attack.

6.1
2021-03-10 CVE-2020-35224 Netgear Classic Buffer Overflow vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware

A buffer overflow vulnerability in the NSDP protocol authentication method on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices allows remote unauthenticated attackers to force a device reboot.

6.1
2021-03-10 CVE-2020-13959 Apache
Debian
Cross-site Scripting vulnerability in multiple products

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL.

6.1
2021-03-08 CVE-2021-21510 Dell Injection vulnerability in Dell Idrac8 Firmware

Dell iDRAC8 versions prior to 2.75.100.75 contain a host header injection vulnerability.

6.1
2021-03-09 CVE-2021-21295 Netty
Netapp
Debian
Quarkus
Apache
Oracle
HTTP Request Smuggling vulnerability in multiple products

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

5.9
2021-03-10 CVE-2020-35229 Netgear Session Fixation vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware

The authentication token required to execute NSDP write requests on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices is not properly invalidated and can be reused until a new token is generated, which allows attackers (with access to network traffic) to effectively gain administrative privileges.

5.8
2021-03-10 CVE-2021-21491 SAP Open Redirect vulnerability in SAP Netweaver Application Server Java

SAP Netweaver Application Server Java (Applications based on WebDynpro Java) versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.

5.8
2021-03-09 CVE-2020-28150 Inetsoftware Open Redirect vulnerability in Inetsoftware I-Net Clear Reports 20.10.136

I-Net Software Clear Reports 20.10.136 web application accepts a user-controlled input that specifies a link to an external site, and uses the user supplied data in a Redirect.

5.8
2021-03-08 CVE-2021-21337 Zope Open Redirect vulnerability in Zope Products.Pluggableauthservice

Products.PluggableAuthService is a pluggable Zope authentication and authorization framework.

5.8
2021-03-08 CVE-2021-21354 Mozilla Open Redirect vulnerability in Mozilla Pollbot

Pollbot is open source software which "frees its human masters from the toilsome task of polling for the state of things during the Firefox release process." In Pollbot before version 1.4.4 there is an open redirection vulnerability in the path of "https://pollbot.services.mozilla.com/".

5.8
2021-03-11 CVE-2021-26884 Microsoft Unspecified vulnerability in Microsoft products

Windows Media Photo Codec Information Disclosure Vulnerability

5.5
2021-03-11 CVE-2021-26869 Microsoft Unspecified vulnerability in Microsoft products

Windows ActiveX Installer Service Information Disclosure Vulnerability

5.5
2021-03-11 CVE-2021-24107 Microsoft Unspecified vulnerability in Microsoft products

Windows Event Tracing Information Disclosure Vulnerability

5.5
2021-03-11 CVE-2021-21364 Smartbear Incorrect Permission Assignment for Critical Resource vulnerability in Smartbear Swagger-Codegen

swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition.

5.5
2021-03-11 CVE-2021-27919 Golang
Fedoraproject
archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
5.5
2021-03-09 CVE-2020-35522 Libtiff
Netapp
Fedoraproject
Redhat
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

In LibTIFF, there is a memory malloc failure in tif_pixarlog.c.

5.5
2021-03-09 CVE-2020-35521 Libtiff
Redhat
Fedoraproject
Netapp
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

A flaw was found in libtiff.

5.5
2021-03-09 CVE-2021-20246 Imagemagick
Redhat
Fedoraproject
Debian
A flaw was found in ImageMagick in MagickCore/resample.c.
5.5
2021-03-09 CVE-2021-20245 Imagemagick
Redhat
Fedoraproject
Debian
A flaw was found in ImageMagick in coders/webp.c.
5.5
2021-03-09 CVE-2021-20244 Imagemagick
Redhat
Fedoraproject
Debian
A flaw was found in ImageMagick in MagickCore/visual-effects.c.
5.5
2021-03-09 CVE-2021-20243 Imagemagick
Debian
A flaw was found in ImageMagick in MagickCore/resize.c.
5.5
2021-03-09 CVE-2021-20241 Imagemagick
Debian
A flaw was found in ImageMagick in coders/jp2.c.
5.5
2021-03-09 CVE-2021-23273 Tibco Cross-site Scripting vulnerability in Tibco products

The Spotfire client component of TIBCO Software Inc.'s TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Desktop, and TIBCO Spotfire Server contains a vulnerability that theoretically allows a low privileged attacker with network access to execute a stored Cross Site Scripting (XSS) attack on the affected system.

5.4
2021-03-11 CVE-2021-28153 Gnome
Debian
Fedoraproject
Broadcom
Link Following vulnerability in multiple products

An issue was discovered in GNOME GLib before 2.66.8.

5.3
2021-03-11 CVE-2021-27052 Microsoft Unspecified vulnerability in Microsoft Sharepoint Enterprise Server and Sharepoint Server

Microsoft SharePoint Server Information Disclosure Vulnerability

5.3
2021-03-09 CVE-2021-28116 Squid Cache
Fedoraproject
Debian
Out-of-bounds Read vulnerability in multiple products

Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data.

5.3
2021-03-10 CVE-2020-35225 Netgear Classic Buffer Overflow vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware

The NSDP protocol implementation on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices was not properly validating the length of string parameters sent in write requests, potentially allowing denial of service attacks.

5.2
2021-03-13 CVE-2021-28373 TT RSS Incorrect Authorization vulnerability in Tt-Rss Tiny RSS 17.4/20200916

The auth_internal plugin in Tiny Tiny RSS (aka tt-rss) before 2021-03-12 allows an attacker to log in via the OTP code without a valid password.

5.0
2021-03-13 CVE-2021-28361 Spdk NULL Pointer Dereference vulnerability in Spdk Storage Performance Development KIT

An issue was discovered in Storage Performance Development Kit (SPDK) before 20.01.01.

5.0
2021-03-12 CVE-2020-4831 IBM Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Datapower Gateway 10.0.0.0/10.0.0.1/10.0.1.0

IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

5.0
2021-03-12 CVE-2021-28302 Pupnp Project Allocation of Resources Without Limits or Throttling vulnerability in Pupnp Project Pupnp

A stack overflow in pupnp before version 1.14.5 can cause the denial of service through the Parser_parseDocument() function.

5.0
2021-03-12 CVE-2021-28307 Fltk Project NULL Pointer Dereference vulnerability in Fltk Project Fltk

An issue was discovered in the fltk crate before 0.15.3 for Rust.

5.0
2021-03-12 CVE-2021-28306 Fltk Project NULL Pointer Dereference vulnerability in Fltk Project Fltk

An issue was discovered in the fltk crate before 0.15.3 for Rust.

5.0
2021-03-11 CVE-2020-5024 IBM
Netapp
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow an unauthenticated attacker to cause a denial of service due a hang in the SSL handshake response.
5.0
2021-03-11 CVE-2020-1899 Facebook Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Facebook Hhvm

The unserialize() function supported a type code, "S", which was meant to be supported only for APC serialization.

5.0
2021-03-11 CVE-2020-1898 Facebook Uncontrolled Recursion vulnerability in Facebook Hhvm

The fb_unserialize function did not impose a depth limit for nested deserialization.

5.0
2021-03-10 CVE-2020-1921 Facebook Out-of-bounds Write vulnerability in Facebook Hhvm

In the crypt function, we attempt to null terminate a buffer using the size of the input salt without validating that the offset is within the buffer.

5.0
2021-03-10 CVE-2020-1919 Facebook Out-of-bounds Read vulnerability in Facebook Hhvm

Incorrect bounds calculations in substr_compare could lead to an out-of-bounds read when the second string argument passed in is longer than the first.

5.0
2021-03-10 CVE-2020-1918 Facebook Out-of-bounds Read vulnerability in Facebook Hhvm

In-memory file operations (ie: using fopen on a data URI) did not properly restrict negative seeking, allowing for the reading of memory prior to the in-memory buffer.

5.0
2021-03-10 CVE-2021-20670 Weseek Incorrect Authorization vulnerability in Weseek Growi

Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to read the user's personal information and/or server's internal information via unspecified vectors.

5.0
2021-03-10 CVE-2020-29238 Expressvpn Integer Overflow or Wraparound vulnerability in Expressvpn 1.0

An integer buffer overflow in the Nginx webserver of ExpressVPN Router version 1 allows remote attackers to obtain sensitive information when the server running as reverse proxy via specially crafted request.

5.0
2021-03-09 CVE-2020-28952 Homey Use of Hard-coded Credentials vulnerability in Homey Firmware and Homey PRO Firmware

An issue was discovered on Athom Homey and Homey Pro devices before 5.0.0.

5.0
2021-03-09 CVE-2021-23353 Parall Unspecified vulnerability in Parall Jspdf

This affects the package jspdf before 2.3.1.

5.0
2021-03-09 CVE-2021-20341 IBM Unspecified vulnerability in IBM Cloud PAK for Multicloud Management Monitoring

IBM Cloud Pak for Multicloud Management Monitoring 2.2 returns potentially sensitive information in headers which could lead to further attacks against the system.

5.0
2021-03-09 CVE-2021-20276 Privoxy
Debian
A flaw was found in privoxy before 3.0.32.
5.0
2021-03-09 CVE-2021-20275 Privoxy
Debian
Out-of-bounds Read vulnerability in multiple products

A flaw was found in privoxy before 3.0.32.

5.0
2021-03-09 CVE-2021-20274 Privoxy NULL Pointer Dereference vulnerability in Privoxy

A flaw was found in privoxy before 3.0.32.

5.0
2021-03-09 CVE-2021-20273 Privoxy
Debian
Improper Input Validation vulnerability in multiple products

A flaw was found in privoxy before 3.0.32.

5.0
2021-03-09 CVE-2021-20272 Privoxy
Debian
Reachable Assertion vulnerability in multiple products

A flaw was found in privoxy before 3.0.32.

5.0
2021-03-09 CVE-2021-21360 Zope Information Exposure vulnerability in Zope Products.Genericsetup

Products.GenericSetup is a mini-framework for expressing the configured state of a Zope Site as a set of filesystem artifacts.

5.0
2021-03-08 CVE-2020-4695 IBM Missing Encryption of Sensitive Data vulnerability in IBM API Connect 10.0.0.0/10.0.1.0

IBM API Connect V10 is impacted by insecure communications during database replication.

5.0
2021-03-08 CVE-2021-26788 Oryx Embedded Improper Input Validation vulnerability in Oryx-Embedded Cyclonetcp

Oryx Embedded CycloneTCP 1.7.6 to 2.0.0, fixed in 2.0.2, is affected by incorrect input validation, which may cause a denial of service (DoS).

5.0
2021-03-10 CVE-2021-20265 Linux
Oracle
Memory Leak vulnerability in multiple products

A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending.

4.9
2021-03-08 CVE-2021-23351 GO Proxyproto Project
Fedoraproject
The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable to Denial of Service (DoS) via the parseVersion1() function.
4.9
2021-03-10 CVE-2020-35226 Netgear Injection vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware

NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices allow unauthenticated users to modify the switch DHCP configuration by sending the corresponding write request command.

4.8
2021-03-09 CVE-2020-35451 Apache Race Condition vulnerability in Apache Oozie

There is a race condition in OozieSharelibCLI in Apache Oozie before version 5.2.1 which allows a malicious attacker to replace the files in Oozie's sharelib during it's creation.

4.7
2021-03-11 CVE-2021-24104 Microsoft Unspecified vulnerability in Microsoft products

Microsoft SharePoint Server Spoofing Vulnerability

4.6
2021-03-10 CVE-2021-21371 Tenable Deserialization of Untrusted Data vulnerability in Tenable Jira Cloud

Tenable for Jira Cloud is an open source project designed to pull Tenable.io vulnerability data, then generate Jira Tasks and sub-tasks based on the vulnerabilities' current state.

4.6
2021-03-10 CVE-2021-0465 Google Out-of-bounds Write vulnerability in Google Android

In GenerateFaceMask of face.cc, there is a possible out of bounds write due to an incorrect bounds check.

4.6
2021-03-10 CVE-2021-0464 Google Out-of-bounds Write vulnerability in Google Android

In sound_trigger_event_alloc of platform.h, there is a possible out of bounds write due to a heap buffer overflow.

4.6
2021-03-10 CVE-2021-0462 Google Unspecified vulnerability in Google Android

In the NXP NFC firmware, there is a possible insecure firmware update due to a logic error.

4.6
2021-03-10 CVE-2021-0461 Google Out-of-bounds Write vulnerability in Google Android

In iaxxx_core_sensor_change_state of iaxxx-module.c, there is a possible out of bounds write due to a missing bounds check.

4.6
2021-03-10 CVE-2021-0457 Google Out-of-bounds Write vulnerability in Google Android

In the FingerTipS touch screen driver, there is a possible out of bounds write due to a heap buffer overflow.

4.6
2021-03-10 CVE-2021-0456 Google Out-of-bounds Write vulnerability in Google Android

In the Citadel chip firmware, there is a possible out of bounds write due to a missing bounds check.

4.6
2021-03-10 CVE-2021-0389 Google Missing Authorization vulnerability in Google Android 11.0

In setNightModeActivated of UiModeManagerService.java, there is a missing permission check.

4.6
2021-03-10 CVE-2021-0388 Google Missing Authorization vulnerability in Google Android 11.0

In onReceive of ImsPhoneCallTracker.java, there is a possible misattribution of data usage due to an incorrect broadcast handler.

4.6
2021-03-10 CVE-2021-0385 Google Missing Authorization vulnerability in Google Android 11.0

In createConnectToAvailableNetworkNotification of ConnectToNetworkNotificationBuilder.java, there is a possible connection to untrusted WiFi networks due to notification interaction above the lockscreen.

4.6
2021-03-10 CVE-2021-0383 Google Unspecified vulnerability in Google Android 11.0

In done of CaptivePortalLoginActivity.java, there is a confused deputy.

4.6
2021-03-10 CVE-2021-0380 Google Missing Authorization vulnerability in Google Android 11.0

In onReceive of DcTracker.java, there is a possible way to trigger a provisioning URL and modify other telephony settings due to a missing permission check.

4.6
2021-03-10 CVE-2021-0399 Google Use After Free vulnerability in Google Android

In qtaguid_untag of xt_qtaguid.c, there is a possible memory corruption due to a use after free.

4.6
2021-03-10 CVE-2021-0398 Google Unspecified vulnerability in Google Android 11.0

In bindServiceLocked of ActiveServices.java, there is a possible foreground service launch due to a confused deputy.

4.6
2021-03-10 CVE-2021-0395 Google Use After Free vulnerability in Google Android 11.0

In StopServicesAndLogViolations of reboot.cpp, there is possible memory corruption due to a use after free.

4.6
2021-03-10 CVE-2021-0392 Google Double Free vulnerability in Google Android

In main of main.cpp, there is a possible memory corruption due to a double free.

4.6
2021-03-10 CVE-2021-0390 Google Missing Authorization vulnerability in Google Android

In various methods of WifiNetworkSuggestionsManager.java, there is a possible modification of suggested networks due to a missing permission check.

4.6
2021-03-10 CVE-2021-0376 Google Incorrect Authorization vulnerability in Google Android 11.0

In checkUriPermission and related functions of MediaProvider.java, there is a possible way to access external files due to a permissions bypass.

4.6
2021-03-10 CVE-2021-0372 Google Incorrect Permission Assignment for Critical Resource vulnerability in Google Android 11.0

In getMediaOutputSliceAction of RemoteMediaSlice.java, there is a possible permission bypass due to an unsafe PendingIntent.

4.6
2021-03-10 CVE-2021-0371 Google Out-of-bounds Read vulnerability in Google Android 11.0

In nci_proc_rf_management_ntf of nci_hrcv.cc, there is a possible out of bounds read due to a missing bounds check.

4.6
2021-03-10 CVE-2021-0370 Google Out-of-bounds Write vulnerability in Google Android 11.0

In Write of NxpMfcReader.cc, there is a possible out of bounds write due to a missing bounds check.

4.6
2021-03-10 CVE-2020-0025 Google Incorrect Permission Assignment for Critical Resource vulnerability in Google Android 11.0

In deletePackageVersionedInternal of PackageManagerService.java, there is a possible way to exit Screen Pinning due to a permissions bypass.

4.6
2021-03-10 CVE-2021-3310 Westerndigital Link Following vulnerability in Westerndigital MY Cloud OS

Western Digital My Cloud OS 5 devices before 5.10.122 mishandle Symbolic Link Following on SMB and AFP shares.

4.6
2021-03-09 CVE-2021-3411 Linux
Redhat
Code Injection vulnerability in multiple products

A flaw was found in the Linux kernel in versions prior to 5.10.

4.6
2021-03-09 CVE-2020-27225 Eclipse Missing Authentication for Critical Function vulnerability in Eclipse Platform

In versions 4.18 and earlier of the Eclipse Platform, the Help Subsystem does not authenticate active help requests to the local help web server, allowing an unauthenticated local attacker to issue active help commands to the associated Eclipse Platform process or Eclipse Rich Client Platform process.

4.6
2021-03-09 CVE-2021-20262 Redhat Missing Authentication for Critical Function vulnerability in Redhat Keycloak and Single Sign-On

A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password.

4.6
2021-03-08 CVE-2021-21503 Dell OS Command Injection vulnerability in Dell EMC Powerscale Onefs 8.1.2/8.2.2/9.1.0

PowerScale OneFS 8.1.2,8.2.2 and 9.1.0 contains an improper input sanitization issue in a command.

4.6
2021-03-08 CVE-2020-5014 IBM Server-Side Request Forgery (SSRF) vulnerability in IBM Datapower Gateway

IBM DataPower Gateway V10 and V2018 could allow a local attacker with administrative privileges to execute arbitrary code on the system using a server-side requesr forgery attack.

4.6
2021-03-11 CVE-2021-20261 Linux
Redhat
Race Condition vulnerability in multiple products

A race condition was found in the Linux kernels implementation of the floppy disk drive controller driver software.

4.4
2021-03-11 CVE-2021-21363 Smartbear Creation of Temporary File in Directory with Incorrect Permissions vulnerability in Smartbear Swagger-Codegen

swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition.

4.4
2021-03-12 CVE-2021-28162 Eclipse Inclusion of Functionality from Untrusted Control Sphere vulnerability in Eclipse Theia

In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run.

4.3
2021-03-12 CVE-2021-28161 Eclipse Cross-site Scripting vulnerability in Eclipse Theia

In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected.

4.3
2021-03-12 CVE-2021-27290 Ssri Project
Oracle
Siemens
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service.
4.3
2021-03-12 CVE-2021-21366 Xmldom Project
Debian
Misinterpretation of Input vulnerability in multiple products

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

4.3
2021-03-11 CVE-2020-14989 Bloomreach Cross-Site Request Forgery (CSRF) vulnerability in Bloomreach Experience Manager

An issue was discovered in Bloomreach Experience Manager (brXM) 4.1.0 through 14.2.2.

4.3
2021-03-11 CVE-2021-27066 Microsoft Unspecified vulnerability in Microsoft Windows Admin Center

Windows Admin Center Security Feature Bypass Vulnerability

4.3
2021-03-10 CVE-2020-15260 Teluu Improper Validation of Certificate with Host Mismatch vulnerability in Teluu Pjsip

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE.

4.3
2021-03-10 CVE-2021-21265 Octobercms Improper Neutralization of HTTP Headers for Scripting Syntax vulnerability in Octobercms October

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework.

4.3
2021-03-10 CVE-2021-0379 Google Out-of-bounds Read vulnerability in Google Android 11.0

In getUpTo17bits of pvmp3_getbits.cpp, there is a possible out of bounds read due to a heap buffer overflow.

4.3
2021-03-10 CVE-2021-0378 Google Out-of-bounds Read vulnerability in Google Android 11.0

In getNbits of pvmp3_getbits.cpp, there is a possible out of bounds read due to a heap buffer overflow.

4.3
2021-03-10 CVE-2021-0368 Google Out-of-bounds Read vulnerability in Google Android 11.0

In oggpack_look of bitwise.c, there is a possible out of bounds read due to a missing bounds check.

4.3
2021-03-10 CVE-2020-28705 Thedaylightstudio Cross-Site Request Forgery (CSRF) vulnerability in Thedaylightstudio Fuel CMS 1.4.13

FUEL CMS 1.4.13 contains a cross-site request forgery (CSRF) vulnerability that can delete a page via a post ID to /pages/delete/3.

4.3
2021-03-10 CVE-2021-28007 WEB Based Quiz System Project Cross-site Scripting vulnerability in web Based Quiz System Project web Based Quiz System 1.0

Web Based Quiz System 1.0 is affected by cross-site scripting (XSS) in register.php through the name parameter.

4.3
2021-03-10 CVE-2021-20672 Weseek Cross-site Scripting vulnerability in Weseek Growi

Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters in GROWI (v4.2 Series) versions from v4.2.0 to v4.2.7 allows remote attackers to inject an arbitrary script via unspecified vectors.

4.3
2021-03-09 CVE-2021-28115 Ougc Feedback Project Cross-site Scripting vulnerability in Ougc Feedback Project Ougc Feedback

The OUGC Feedback plugin before 1.8.23 for MyBB allows XSS via the comment field of feedback during an edit operation.

4.3
2021-03-09 CVE-2021-21189 Google
Fedoraproject
Debian
Insufficient policy enforcement in payments in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
4.3
2021-03-09 CVE-2021-21187 Google
Fedoraproject
Debian
Insufficient data validation in URL formatting in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
4.3
2021-03-09 CVE-2021-21186 Google
Fedoraproject
Debian
Incorrect Authorization vulnerability in multiple products

Insufficient policy enforcement in QR scanning in Google Chrome on iOS prior to 89.0.4389.72 allowed an attacker who convinced the user to scan a QR code to bypass navigation restrictions via a crafted QR code.

4.3
2021-03-09 CVE-2021-21185 Google
Fedoraproject
Debian
Insufficient policy enforcement in extensions in Google Chrome prior to 89.0.4389.72 allowed an attacker who convinced a user to install a malicious extension to obtain sensitive information via a crafted Chrome Extension.
4.3
2021-03-09 CVE-2021-21184 Google
Fedoraproject
Debian
Origin Validation Error vulnerability in multiple products

Inappropriate implementation in performance APIs in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

4.3
2021-03-09 CVE-2021-21183 Google
Fedoraproject
Debian
Origin Validation Error vulnerability in multiple products

Inappropriate implementation in performance APIs in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

4.3
2021-03-09 CVE-2021-27584 SAP Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9

When a user opens manipulated PhotoShop Document (.PSD) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.

4.3
2021-03-09 CVE-2021-21493 SAP Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9

When a user opens manipulated Graphics Interchange Format (.GIF) format files received from untrusted sources in SAP 3D Visual Enterprise Viewer version 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.

4.3
2021-03-09 CVE-2021-28006 WEB Based Quiz System Project Cross-site Scripting vulnerability in web Based Quiz System Project web Based Quiz System 1.0

Web Based Quiz System 1.0 is affected by cross-site scripting (XSS) in admin.php through the options parameter.

4.3
2021-03-08 CVE-2020-27838 Redhat Improper Authentication vulnerability in Redhat Keycloak

A flaw was found in keycloak in versions prior to 13.0.0.

4.3
2021-03-08 CVE-2021-22134 Elastic
Oracle
Incorrect Authorization vulnerability in multiple products

A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used.

4.3
2021-03-13 CVE-2021-20018 Sonicwall Improper Authentication vulnerability in Sonicwall Sma100 Firmware 10.2.0.220Sv

A post-authenticated vulnerability in SonicWall SMA100 allows an attacker to export the configuration file to the specified email address.

4.0
2021-03-10 CVE-2021-20668 Weseek Path Traversal vulnerability in Weseek Growi

Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read an arbitrary path via a specially crafted URL.

4.0
2021-03-09 CVE-2021-21369 Linuxfoundation Resource Exhaustion vulnerability in Linuxfoundation Besu

Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java.

4.0
2021-03-09 CVE-2021-3417 Lenovo Cleartext Transmission of Sensitive Information vulnerability in Lenovo Xclarity Orchestrator

An internal product security audit of LXCO, prior to version 1.2.2, discovered that credentials for Lenovo XClarity Administrator (LXCA), if added as a Resource Manager, are encoded then written to an internal LXCO log file each time a session is established with LXCA.

4.0
2021-03-09 CVE-2020-8356 Lenovo Cleartext Transmission of Sensitive Information vulnerability in Lenovo Xclarity Orchestrator

An internal product security audit of LXCO, prior to version 1.2.2, discovered that optional passwords, if specified, for the Syslog and SMTP forwarders are written to an internal LXCO log file in clear text.

4.0
2021-03-09 CVE-2021-21488 SAP Deserialization of Untrusted Data vulnerability in SAP Netweaver Knowledge Management

Knowledge Management versions 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 allows a remote attacker with basic privileges to deserialize user-controlled data without verification, leading to insecure deserialization which triggers the attacker’s code, therefore impacting Availability.

4.0
2021-03-08 CVE-2021-21336 Zope
Plone
Information Exposure vulnerability in multiple products

Products.PluggableAuthService is a pluggable Zope authentication and authorization framework.

4.0
2021-03-08 CVE-2021-21326 Glpi Project Missing Authorization vulnerability in Glpi-Project Glpi

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing.

4.0
2021-03-08 CVE-2021-21324 Glpi Project Authorization Bypass Through User-Controlled Key vulnerability in Glpi-Project Glpi

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing.

4.0

43 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-03-11 CVE-2020-4976 IBM
Netapp
Incorrect Default Permissions vulnerability in multiple products

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to read and write specific files due to weak file permissions.

3.6
2021-03-10 CVE-2021-3034 Paloaltonetworks Information Exposure Through Log Files vulnerability in Paloaltonetworks Cortex Xsoar

An information exposure through log file vulnerability exists in Cortex XSOAR software where the secrets configured for the SAML single sign-on (SSO) integration can be logged to the '/var/log/demisto/' server logs when testing the integration during setup.

3.6
2021-03-12 CVE-2021-21379 Xwiki Improper Preservation of Permissions vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

3.5
2021-03-11 CVE-2020-14988 Bloomreach Cross-site Scripting vulnerability in Bloomreach Experience Manager

An issue was discovered in Bloomreach Experience Manager (brXM) 4.1.0 through 14.2.2.

3.5
2021-03-11 CVE-2021-28088 Impresscms Cross-site Scripting vulnerability in Impresscms 1.4.2

Cross-site scripting (XSS) in modules/content/admin/content.php in ImpressCMS profile 1.4.2 allows remote attackers to inject arbitrary web script or HTML parameters through the "Display Name" field.

3.5
2021-03-11 CVE-2021-27679 Batflat Cross-site Scripting vulnerability in Batflat 1.3.6

Cross-site scripting (XSS) vulnerability in Navigation in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name.

3.5
2021-03-11 CVE-2021-27678 Batflat Cross-site Scripting vulnerability in Batflat 1.3.6

Cross-site scripting (XSS) vulnerability in Snippets in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name.

3.5
2021-03-11 CVE-2021-27677 Batflat Cross-site Scripting vulnerability in Batflat 1.3.6

Cross-site scripting (XSS) vulnerability in Galleries in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name.

3.5
2021-03-11 CVE-2021-26776 Cszcms Cross-site Scripting vulnerability in Cszcms CSZ CMS 1.2.9

CSZ CMS 1.2.9 is affected by a cross-site scripting (XSS) vulnerability in multiple pages through the field name.

3.5
2021-03-11 CVE-2021-20336 IBM Cross-site Scripting vulnerability in IBM Tivoli Netcool/Omnibus Webgui 8.1.0

IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting.

3.5
2021-03-10 CVE-2020-35228 Netgear Cross-site Scripting vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware

A cross-site scripting (XSS) vulnerability in the administration web panel on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices allows remote attackers to inject arbitrary web script or HTML via the language parameter.

3.5
2021-03-10 CVE-2020-5016 IBM Path Traversal vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system.

3.5
2021-03-10 CVE-2020-35752 Baby Care System Project Cross-site Scripting vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System 1.0 is affected by a cross-site scripting (XSS) vulnerability in the Edit Page tab through the Post title parameter.

3.5
2021-03-10 CVE-2021-3224 Cszcms Cross-site Scripting vulnerability in Cszcms CSZ CMS 1.2.9

A stored cross-site scripting (XSS) vulnerability in cszcms 1.2.9 exists in /admin/pages/new via the content parameter.

3.5
2021-03-10 CVE-2020-23721 Thedaylightstudio Cross-site Scripting vulnerability in Thedaylightstudio Fuel CMS 1.4.7

An issue was discovered in FUEL CMS V1.4.7.

3.5
2021-03-10 CVE-2021-20673 Weseek Cross-site Scripting vulnerability in Weseek Growi

Stored cross-site scripting vulnerability in Admin Page of GROWI (v4.2 Series) versions from v4.2.0 to v4.2.7 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors.

3.5
2021-03-10 CVE-2021-20667 Weseek Cross-site Scripting vulnerability in Weseek Growi

Stored cross-site scripting vulnerability due to inadequate CSP (Content Security Policy) configuration in GROWI versions v4.2.2 and earlier allows remote authenticated attackers to inject an arbitrary script via a specially crafted content.

3.5
2021-03-09 CVE-2021-20253 Redhat Files or Directories Accessible to External Parties vulnerability in Redhat Ansible Tower

A flaw was found in ansible-tower.

3.5
2021-03-08 CVE-2020-27576 Maxum Cross-site Scripting vulnerability in Maxum Rumpus 8.2.13/8.2.14

Maxum Rumpus 8.2.13 and 8.2.14 is affected by cross-site scripting (XSS).

3.5
2021-03-08 CVE-2021-21325 Glpi Project Cross-site Scripting vulnerability in Glpi-Project Glpi

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing.

3.5
2021-03-08 CVE-2021-27222 Obss Cross-site Scripting vulnerability in Status

In the "Time in Status" app before 4.13.0 for Jira, remote authenticated attackers can cause Stored XSS.

3.5
2021-03-10 CVE-2020-35221 Netgear Use of a Broken or Risky Cryptographic Algorithm vulnerability in Netgear Gs116E Firmware and Jgs516Pe Firmware

The hashing algorithm implemented for NSDP password authentication on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices was found to be insecure, allowing attackers (with access to a network capture) to quickly generate multiple collisions to generate valid passwords, or infer some parts of the original.

3.3
2021-03-09 CVE-2021-20263 Qemu Improper Preservation of Permissions vulnerability in Qemu

A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU.

3.3
2021-03-09 CVE-2021-21361 Vagrant Project Information Exposure Through Log Files vulnerability in Vagrant Project Vagrant

The `com.bmuschko:gradle-vagrant-plugin` Gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables.

3.3
2021-03-12 CVE-2021-21726 ZTE Improper Input Validation vulnerability in ZTE products

Some ZTE products have an input verification vulnerability in the diagnostic function interface.

2.1
2021-03-10 CVE-2021-0460 Google Out-of-bounds Read vulnerability in Google Android

In the FingerTipS touch screen driver, there is a possible out of bounds read due to an integer overflow.

2.1
2021-03-10 CVE-2021-0459 Google Out-of-bounds Read vulnerability in Google Android

In fts_driver_test_write of fts_proc.c, there is a possible out of bounds read due to a missing bounds check.

2.1
2021-03-10 CVE-2021-0458 Google Integer Overflow or Wraparound vulnerability in Google Android

In the FingerTipS touch screen driver, there is a possible out of bounds read due to an integer overflow.

2.1
2021-03-10 CVE-2021-0453 Google Improper Initialization vulnerability in Google Android

In the Titan-M chip firmware, there is a possible disclosure of stack memory due to uninitialized data.

2.1
2021-03-10 CVE-2021-0452 Google Improper Initialization vulnerability in Google Android

In the Titan M chip firmware, there is a possible disclosure of stack memory due to uninitialized data.

2.1
2021-03-10 CVE-2021-0451 Google Improper Initialization vulnerability in Google Android

In the Titan M chip firmware, there is a possible disclosure of stack memory due to uninitialized data.

2.1
2021-03-10 CVE-2021-0450 Google Improper Initialization vulnerability in Google Android

In the Titan M chip firmware, there is a possible disclosure of stack memory due to uninitialized data.

2.1
2021-03-10 CVE-2021-0449 Google Improper Initialization vulnerability in Google Android

In the Titan M chip firmware, there is a possible disclosure of stack memory due to uninitialized data.

2.1
2021-03-10 CVE-2021-0382 Google Incorrect Authorization vulnerability in Google Android 11.0

In checkSlicePermission of SliceManagerService.java, there is a possible resource exposure due to an incorrect permission check.

2.1
2021-03-10 CVE-2021-0381 Google Incorrect Default Permissions vulnerability in Google Android 11.0

In updateNotifications of DeviceStorageMonitorService.java, there is a possible permission bypass due to an unsafe PendingIntent.

2.1
2021-03-10 CVE-2021-0394 Google Out-of-bounds Read vulnerability in Google Android

In android_os_Parcel_readString8 of android_os_Parcel.cpp, there is a possible out of bounds read due to a missing bounds check.

2.1
2021-03-10 CVE-2021-0377 Google Improper Input Validation vulnerability in Google Android 11.0

In DeltaPerformer::Write of delta_performer.cc, there is a possible use of untrusted input due to improper input validation.

2.1
2021-03-10 CVE-2021-0375 Google Use of Insufficiently Random Values vulnerability in Google Android 11.0

In onPackageModified of VoiceInteractionManagerService.java, there is a possible change of default applications due to an insecure default value.

2.1
2021-03-10 CVE-2021-0374 Google Out-of-bounds Read vulnerability in Google Android 11.0

In BnAudioPolicyService::onTransact of IAudioPolicyService.cpp, there is a possible out of bounds read due to a missing bounds check.

2.1
2021-03-10 CVE-2020-4717 IBM Link Following vulnerability in IBM Spss Modeler

A vulnerability exists in IBM SPSS Modeler Subscription Installer that allows a user with create symbolic link permission to write arbitrary file in another protected path during product installation.

2.1
2021-03-09 CVE-2021-20255 Qemu
Debian
Uncontrolled Recursion vulnerability in multiple products

A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU.

2.1
2021-03-09 CVE-2020-8357 Lenovo Incorrect Default Permissions vulnerability in Lenovo Pcmanager 3.0.50.9162

A denial of service vulnerability was reported in Lenovo PCManager, prior to version 3.0.200.2042, that could allow configuration files to be written to non-standard locations.

2.1
2021-03-10 CVE-2021-0463 Google Out-of-bounds Read vulnerability in Google Android

In convertToHidl of convert.cpp, there is a possible out of bounds read due to uninitialized data from ReturnFrameworkMessage.

1.9