Weekly Vulnerabilities Reports > March 15 to 21, 2021
Overview
275 new vulnerabilities reported during this period, including 12 critical vulnerabilities and 51 high severity vulnerabilities. This weekly summary report vulnerabilities in 797 products from 156 vendors including Fedoraproject, Qualcomm, Debian, Siemens, and Redhat. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Incorrect Authorization", and "Out-of-bounds Read".
- 218 reported vulnerabilities are remotely exploitables.
- 5 reported vulnerabilities have public exploit available.
- 103 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 186 reported vulnerabilities are exploitable by an anonymous user.
- Fedoraproject has the most reported vulnerabilities, with 32 reported vulnerabilities.
- Redhat has the most reported critical vulnerabilities, with 2 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
12 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-03-18 | CVE-2021-24148 | Inspireui | Improper Authentication vulnerability in Inspireui Mstore API A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email address. | 10.0 |
2021-03-17 | CVE-2020-11299 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Buffer overflow can occur in video while playing the non-standard clip in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 10.0 |
2021-03-17 | CVE-2020-11192 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Out of bound write while parsing SDP string due to missing check on null termination in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 10.0 |
2021-03-16 | CVE-2020-24264 | Portainer | Incorrect Authorization vulnerability in Portainer Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. | 10.0 |
2021-03-21 | CVE-2020-13963 | Soplanning | Use of Hard-coded Credentials vulnerability in Soplanning 1.45/1.46.01 SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related authentication algorithm, is public. | 9.8 |
2021-03-19 | CVE-2021-28834 | Kramdown Project Fedoraproject Debian | Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated. | 9.8 |
2021-03-19 | CVE-2021-26275 | Eslint Fixer Project | Command Injection vulnerability in Eslint-Fixer Project Eslint-Fixer The eslint-fixer package through 0.1.5 for Node.js allows command injection via shell metacharacters to the fix function. | 9.8 |
2021-03-16 | CVE-2021-25916 | Patchmerge Project | Unspecified vulnerability in Patchmerge Project Patchmerge 1.0.0/1.0.1 Prototype pollution vulnerability in 'patchmerge' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. | 9.8 |
2021-03-19 | CVE-2021-26990 | Netapp | Missing Authorization vulnerability in Netapp Cloud Manager Cloud Manager versions prior to 3.9.4 are susceptible to a vulnerability that could allow a remote attacker to overwrite arbitrary system files. | 9.4 |
2021-03-19 | CVE-2019-10200 | Redhat | Improper Access Control vulnerability in Redhat Openshift Container Platform 4.0 A flaw was discovered in OpenShift Container Platform 4 where, by default, users with access to create pods also have the ability to schedule workloads on master nodes. | 9.0 |
2021-03-19 | CVE-2019-10196 | Http Proxy Agent Project Fedoraproject Redhat | Improper Initialization vulnerability in multiple products A flaw was found in http-proxy-agent, prior to version 2.1.0. | 9.0 |
2021-03-19 | CVE-2021-27928 | Mariadb Percona Galeracluster Debian | Code Injection vulnerability in multiple products A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. | 9.0 |
51 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-03-21 | CVE-2021-28961 | Openwrt | OS Command Injection vulnerability in Openwrt 19.07.0 applications/luci-app-ddns/luasrc/model/cbi/ddns/detail.lua in the DDNS package for OpenWrt 19.07 allows remote authenticated users to inject arbitrary commands via POST requests. | 8.8 |
2021-03-18 | CVE-2021-21627 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Libvirt Agents A cross-site request forgery (CSRF) vulnerability in Jenkins Libvirt Agents Plugin 1.9.0 and earlier allows attackers to stop hypervisor domains. | 8.8 |
2021-03-18 | CVE-2021-20678 | Strangerstudios | SQL Injection vulnerability in Strangerstudios Paid Memberships PRO SQL injection vulnerability in the Paid Memberships Pro versions prior to 2.5.6 allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. | 8.8 |
2021-03-17 | CVE-2021-28660 | Linux Fedoraproject Debian Netapp | Out-of-bounds Write vulnerability in multiple products rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6 allows writing beyond the end of the ->ssid[] array. | 8.8 |
2021-03-16 | CVE-2021-21193 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-03-16 | CVE-2021-21192 | Google Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in tab groups in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-03-16 | CVE-2021-21191 | Google Fedoraproject Debian | Use After Free vulnerability in multiple products Use after free in WebRTC in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-03-15 | CVE-2021-25667 | Siemens | Stack-based Buffer Overflow vulnerability in Siemens products A vulnerability has been identified in RUGGEDCOM RM1224 (All versions >= V4.3 and < V6.4), SCALANCE M-800 (All versions >= V4.3 and < V6.4), SCALANCE S615 (All versions >= V4.3 and < V6.4), SCALANCE SC-600 Family (All versions >= V2.0 and < V2.1.3), SCALANCE XB-200 (All versions < V4.1), SCALANCE XC-200 (All versions < V4.1), SCALANCE XF-200BA (All versions < V4.1), SCALANCE XM400 (All versions < V6.2), SCALANCE XP-200 (All versions < V4.1), SCALANCE XR-300WG (All versions < V4.1), SCALANCE XR500 (All versions < V6.2). | 8.8 |
2021-03-19 | CVE-2020-25097 | Squid Cache Debian Fedoraproject Netapp | HTTP Request Smuggling vulnerability in multiple products An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. | 8.6 |
2021-03-19 | CVE-2021-27221 | Mikrotik | Unspecified vulnerability in Mikrotik Routeros 6.47.9 MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /export command. | 8.1 |
2021-03-15 | CVE-2021-20179 | Dogtagpki Redhat Fedoraproject | Incorrect Authorization vulnerability in multiple products A flaw was found in pki-core. | 8.1 |
2021-03-21 | CVE-2021-28953 | C C Advanced Lint Project | Uncontrolled Search Path Element vulnerability in C/C++ Advanced Lint Project C/C++ Advanced Lint The unofficial C/C++ Advanced Lint extension before 1.9.0 for Visual Studio Code allows attackers to execute arbitrary binaries if the user opens a crafted repository. | 7.8 |
2021-03-20 | CVE-2021-28952 | Linux Fedoraproject Netapp | Classic Buffer Overflow vulnerability in multiple products An issue was discovered in the Linux kernel through 5.11.8. | 7.8 |
2021-03-18 | CVE-2020-35492 | Cairographics | Out-of-bounds Write vulnerability in Cairographics Cairo A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. | 7.8 |
2021-03-18 | CVE-2021-24144 | Ciphercoin | Improper Neutralization of Formula Elements in a CSV File vulnerability in Ciphercoin Contact Form 7 Database Addon Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. | 7.8 |
2021-03-15 | CVE-2021-28375 | Linux Fedoraproject Netapp | Missing Authorization vulnerability in multiple products An issue was discovered in the Linux kernel through 5.11.6. | 7.8 |
2021-03-20 | CVE-2021-28117 | KDE | Unspecified vulnerability in KDE Discover libdiscover/backends/KNSBackend/KNSResource.cpp in KDE Discover before 5.21.3 automatically creates links to potentially dangerous URLs (that are neither https:// nor http://) based on the content of the store.kde.org web site. | 7.5 |
2021-03-19 | CVE-2021-28831 | Busybox Fedoraproject Debian | Improper Handling of Exceptional Conditions vulnerability in multiple products decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data. | 7.5 |
2021-03-19 | CVE-2021-28089 | Torproject Fedoraproject | Resource Exhaustion vulnerability in multiple products Tor before 0.4.5.7 allows a remote participant in the Tor directory protocol to exhaust CPU resources on a target, aka TROVE-2021-001. | 7.5 |
2021-03-19 | CVE-2021-25289 | Python | Out-of-bounds Write vulnerability in Python Pillow An issue was discovered in Pillow before 8.1.1. | 7.5 |
2021-03-19 | CVE-2020-6577 | IT Recht Kanzlei | SQL Injection vulnerability in It-Recht-Kanzlei 1.5.6C The IT-Recht Kanzlei plugin in Zen Cart 1.5.6c (German edition) allows itrk-api.php rechtstext_language SQL Injection. | 7.5 |
2021-03-18 | CVE-2020-26797 | Mediaarea Fedoraproject | Out-of-bounds Write vulnerability in multiple products Mediainfo before version 20.08 has a heap buffer overflow vulnerability via MediaInfoLib::File_Gxf::ChooseParser_ChannelGrouping. | 7.5 |
2021-03-18 | CVE-2020-14516 | Rockwellautomation | Use of Password Hash With Insufficient Computational Effort vulnerability in Rockwellautomation Factorytalk Services Platform 6.10.00/6.11.00 In Rockwell Automation FactoryTalk Services Platform Versions 6.10.00 and 6.11.00, there is an issue with the implementation of the SHA-256 hashing algorithm with FactoryTalk Services Platform that prevents the user password from being hashed properly. | 7.5 |
2021-03-18 | CVE-2020-27827 | Lldpd Project Openvswitch Redhat Fedoraproject Siemens | Resource Exhaustion vulnerability in multiple products A flaw was found in multiple versions of OpenvSwitch. | 7.5 |
2021-03-18 | CVE-2021-28794 | Shellcheck Project | Unspecified vulnerability in Shellcheck Project Shellcheck The unofficial ShellCheck extension before 0.13.4 for Visual Studio Code mishandles shellcheck.executablePath. | 7.5 |
2021-03-18 | CVE-2021-27306 | Konghq | Use of Incorrectly-Resolved Name or Reference vulnerability in Konghq Kong Gateway An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users access to authenticated routes without a valid token JWT. | 7.5 |
2021-03-18 | CVE-2021-24139 | 10Web | SQL Injection vulnerability in 10Web Photo Gallery Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the frontend/models/model.php bwg_search_x parameter. | 7.5 |
2021-03-18 | CVE-2021-22848 | Hgiga | SQL Injection vulnerability in Hgiga products HGiga MailSherlock contains a SQL Injection. | 7.5 |
2021-03-17 | CVE-2019-18235 | Advantech | Improper Restriction of Excessive Authentication Attempts vulnerability in Advantech Spectre RT Ert351 Firmware Advantech Spectre RT ERT351 Versions 5.1.3 and prior has insufficient login authentication parameters required for the web application may allow an attacker to gain full access using a brute-force password attack. | 7.5 |
2021-03-17 | CVE-2021-27291 | Pygments Debian Fedoraproject | In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. | 7.5 |
2021-03-17 | CVE-2020-28873 | Fluxbb | Use of Password Hash With Insufficient Computational Effort vulnerability in Fluxbb 1.5.11 Fluxbb 1.5.11 is affected by a denial of service (DoS) vulnerability by sending an extremely long password via the user login form. | 7.5 |
2021-03-17 | CVE-2021-22860 | EIC | Improper Authentication vulnerability in EIC E-Document System 2.9/3.0.2 EIC e-document system does not perform completed identity verification for sorting and filtering personnel data. | 7.5 |
2021-03-17 | CVE-2021-22859 | EIC | SQL Injection vulnerability in EIC E-Document System 3.0.2 The users’ data querying function of EIC e-document system does not filter the special characters which resulted in remote attackers can inject SQL syntax and execute arbitrary commands without privilege. | 7.5 |
2021-03-17 | CVE-2020-11227 | Qualcomm | Improper Validation of Array Index vulnerability in Qualcomm products Out of bound write while parsing RTT/TTY packet parsing due to lack of check of buffer size before copying into buffer in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 7.5 |
2021-03-16 | CVE-2021-28381 | VHS Project | SQL Injection vulnerability in VHS Project VHS The vhs (aka VHS: Fluid ViewHelpers) extension before 5.1.1 for TYPO3 allows SQL injection via isLanguageViewHelper. | 7.5 |
2021-03-16 | CVE-2021-28294 | Online Ordering System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Online Ordering System Project Online Ordering System 1.0 Online Ordering System 1.0 is vulnerable to arbitrary file upload through /onlineordering/GPST/store/initiateorder.php, which may lead to remote code execution (RCE). | 7.5 |
2021-03-16 | CVE-2021-28543 | Varnish Cache Fedoraproject | Reachable Assertion vulnerability in multiple products Varnish varnish-modules before 0.17.1 allows remote attackers to cause a denial of service (daemon restart) in some configurations. | 7.5 |
2021-03-15 | CVE-2021-26987 | Vmware Netapp | Element Plug-in for vCenter Server incorporates SpringBoot Framework. | 7.5 |
2021-03-15 | CVE-2021-27817 | Shopxo | Unrestricted Upload of File with Dangerous Type vulnerability in Shopxo 1.9.3 A remote command execution vulnerability in shopxo 1.9.3 allows an attacker to upload malicious code generated by phar where the suffix is JPG, which is uploaded after modifying the phar suffix. | 7.5 |
2021-03-15 | CVE-2021-23356 | Kill Process BY Name Project | Command Injection vulnerability in Kill-Process-By-Name Project Kill-Process-By-Name This affects all versions of package kill-process-by-name. | 7.5 |
2021-03-15 | CVE-2021-23355 | PS Kill Project | Command Injection vulnerability in Ps-Kill Project Ps-Kill This affects all versions of package ps-kill. | 7.5 |
2021-03-15 | CVE-2020-24877 | Zzzcms | SQL Injection vulnerability in Zzzcms Zzzphp 1.8.0 A SQL injection vulnerability in zzzphp v1.8.0 through /form/index.php?module=getjson may lead to a possible access restriction bypass. | 7.5 |
2021-03-15 | CVE-2020-4184 | IBM | Improper Privilege Management vulnerability in IBM Security Guardium 11.2 IBM Security Guardium 11.2 performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. | 7.5 |
2021-03-15 | CVE-2021-26923 | Argoproj | Information Exposure vulnerability in Argoproj Argo CD An issue was discovered in Argo CD before 1.8.4. | 7.5 |
2021-03-15 | CVE-2020-35358 | Domainmod | Insufficient Session Expiration vulnerability in Domainmod 4.15.0 DomainMOD domainmod-v4.15.0 is affected by an insufficient session expiration vulnerability. | 7.5 |
2021-03-18 | CVE-2021-1287 | Cisco | Stack-based Buffer Overflow vulnerability in Cisco Rv132W Firmware and Rv134W Firmware A vulnerability in the web-based management interface of Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the device to restart unexpectedly. | 7.2 |
2021-03-18 | CVE-2021-22665 | Rockwellautomation | Uncontrolled Search Path Element vulnerability in Rockwellautomation Drivetools Add-On Profiles and Drivetools SP Rockwell Automation DriveTools SP v5.13 and below and Drives AOP v4.12 and below both contain a vulnerability that a local attacker with limited privileges may be able to exploit resulting in privilege escalation and complete control of the system. | 7.2 |
2021-03-18 | CVE-2021-24142 | Webfactoryltd | SQL Injection vulnerability in Webfactoryltd 301 Redirects Unvaludated input in the 301 Redirects - Easy Redirect Manager WordPress plugin, versions before 2.51, did not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections. | 7.2 |
2021-03-17 | CVE-2020-11309 | Qualcomm | Use After Free vulnerability in Qualcomm products Use after free in GPU driver while mapping the user memory to GPU memory due to improper check of referenced memory in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 7.2 |
2021-03-17 | CVE-2020-11308 | Qualcomm | Improper Validation of Array Index vulnerability in Qualcomm products Buffer overflow occurs when trying to convert ASCII string to Unicode string if the actual size is more than required in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music | 7.2 |
2021-03-18 | CVE-2021-28667 | Stackstorm | Infinite Loop vulnerability in Stackstorm StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. | 7.1 |
177 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-03-18 | CVE-2020-9367 | Zohocorp | Uncontrolled Search Path Element vulnerability in Zohocorp Manageengine Desktop Central 10.0.486 The MPS Agent in Zoho ManageEngine Desktop Central MSP build MSP build 10.0.486 is vulnerable to DLL Hijacking: dcinventory.exe and dcconfig.exe try to load CSUNSAPI.dll without supplying the complete path. | 6.9 |
2021-03-18 | CVE-2020-26886 | Softaculous | Improper Initialization vulnerability in Softaculous Softaculous before 5.5.7 is affected by a code execution vulnerability because of External Initialization of Trusted Variables or Data Stores. | 6.9 |
2021-03-17 | CVE-2020-11290 | Qualcomm | Use After Free vulnerability in Qualcomm products Use after free condition in msm ioctl events due to race between the ioctl register and deregister events in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | 6.9 |
2021-03-21 | CVE-2021-28954 | BIT Project | Unspecified vulnerability in BIT Project BIT In Chris Walz bit before 1.0.5 on Windows, attackers can run arbitrary code via a .exe file in a crafted repository. | 6.8 |
2021-03-18 | CVE-2021-28792 | Swift Development Environment Project | Unspecified vulnerability in Swift Development Environment Project Swift Development Environment The unofficial Swift Development Environment extension before 2.12.1 for Visual Studio Code allows remote attackers to execute arbitrary code by constructing a malicious workspace with a crafted sourcekit-lsp.serverPath, swift.languageServerPath, swift.path.sourcekite, swift.path.sourcekiteDockerMode, swift.path.swift_driver_bin, or swift.path.shell configuration value that triggers execution upon opening the workspace. | 6.8 |
2021-03-18 | CVE-2021-28791 | Swiftformat Project | Unspecified vulnerability in Swiftformat Project Swiftformat The unofficial SwiftFormat extension before 1.3.7 for Visual Studio Code allows remote attackers to execute arbitrary code by constructing a malicious workspace with a crafted swiftformat.path configuration value that triggers execution upon opening the workspace. | 6.8 |
2021-03-18 | CVE-2021-28790 | Swiftlint Project | Unspecified vulnerability in Swiftlint Project Swiftlint The unofficial SwiftLint extension before 1.4.5 for Visual Studio Code allows remote attackers to execute arbitrary code by constructing a malicious workspace with a crafted swiftlint.path configuration value that triggers execution upon opening the workspace. | 6.8 |
2021-03-18 | CVE-2021-28789 | Apple Swift Format Project | Unspecified vulnerability in Apple-Swift-Format Project Apple-Swift-Format The unofficial apple/swift-format extension before 1.1.2 for Visual Studio Code allows remote attackers to execute arbitrary code by constructing a malicious workspace with a crafted apple-swift-format.path configuration value that triggers execution upon opening the workspace. | 6.8 |
2021-03-18 | CVE-2021-26237 | Faststone | Out-of-bounds Write vulnerability in Faststone Image Viewer FastStone Image Viewer <= 7.5 is affected by a user mode write access violation at 0x00402d7d, triggered when a user opens or views a malformed CUR file that is mishandled by FSViewer.exe. | 6.8 |
2021-03-18 | CVE-2021-26235 | Faststone | NULL Pointer Dereference vulnerability in Faststone Image Viewer FastStone Image Viewer <= 7.5 is affected by a user mode write access violation near NULL at 0x005bdfc9, triggered when a user opens or views a malformed CUR file that is mishandled by FSViewer.exe. | 6.8 |
2021-03-18 | CVE-2021-26234 | Faststone | Out-of-bounds Write vulnerability in Faststone Image Viewer FastStone Image Viewer <= 7.5 is affected by a user mode write access violation at 0x00402d8a, triggered when a user opens or views a malformed CUR file that is mishandled by FSViewer.exe. | 6.8 |
2021-03-18 | CVE-2021-26233 | Faststone | Out-of-bounds Write vulnerability in Faststone Image Viewer FastStone Image Viewer <= 7.5 is affected by a user mode write access violation near NULL at 0x005bdfcb, triggered when a user opens or views a malformed CUR file that is mishandled by FSViewer.exe. | 6.8 |
2021-03-18 | CVE-2021-26236 | Faststone | Out-of-bounds Write vulnerability in Faststone Image Viewer FastStone Image Viewer v.<= 7.5 is affected by a Stack-based Buffer Overflow at 0x005BDF49, affecting the CUR file parsing functionality (BITMAPINFOHEADER Structure, 'BitCount' file format field), that will end up corrupting the Structure Exception Handler (SEH). | 6.8 |
2021-03-18 | CVE-2021-20675 | M System | Unspecified vulnerability in M-System products M-System DL8 series (type A (DL8-A) versions prior to Ver3.0, type B (DL8-B) versions prior to Ver3.0, type C (DL8-C) versions prior to Ver3.0, type D (DL8-D) versions prior to Ver3.0, and type E (DL8-E) versions prior to Ver3.0) allows remote authenticated attackers to cause a denial of service (DoS) condition via unspecified vectors. | 6.8 |
2021-03-15 | CVE-2021-27890 | Mybb | SQL Injection vulnerability in Mybb SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files. | 6.8 |
2021-03-15 | CVE-2021-22191 | Wireshark Oracle Debian | Injection vulnerability in multiple products Improper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 could allow remote code execution via via packet injection or crafted capture file. | 6.8 |
2021-03-15 | CVE-2020-28149 | Mydbr | Cross-site Scripting vulnerability in Mydbr 5.8.3/4262 myDBR 5.8.3/4262 is affected by: Cross Site Scripting (XSS). | 6.8 |
2021-03-15 | CVE-2021-27381 | Siemens | Out-of-bounds Read vulnerability in Siemens Solid Edge Se2021 A vulnerability has been identified in Solid Edge SE2020 (All Versions < SE2020MP13), Solid Edge SE2021 (All Versions < SE2021MP3). | 6.8 |
2021-03-15 | CVE-2021-27380 | Siemens | Out-of-bounds Write vulnerability in Siemens Solid Edge Se2020/Se2021 A vulnerability has been identified in Solid Edge SE2020 (All versions < SE2020MP13), Solid Edge SE2021 (All Versions < SE2021MP4). | 6.8 |
2021-03-15 | CVE-2020-28385 | Siemens | Out-of-bounds Write vulnerability in Siemens Solid Edge Se2020/Se2021 A vulnerability has been identified in Solid Edge SE2020 (All versions < SE2020MP13), Solid Edge SE2021 (All Versions < SE2021MP4). | 6.8 |
2021-03-15 | CVE-2021-28379 | Myvestacp Vestacp | Unrestricted Upload of File with Dangerous Type vulnerability in multiple products web/upload/UploadHandler.php in Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39 allows uploads from a different origin. | 6.8 |
2021-03-19 | CVE-2021-20077 | Tenable | Unspecified vulnerability in Tenable Nessus Agent Nessus Agent versions 7.2.0 through 8.2.2 were found to inadvertently capture the IAM role security token on the local host during initial linking of the Nessus Agent when installed on an Amazon EC2 instance. | 6.7 |
2021-03-15 | CVE-2021-23879 | Mcafee | Unquoted Search Path or Element vulnerability in Mcafee Endpoint Product Removal Tool Unquoted service path vulnerability in McAfee Endpoint Product Removal (EPR) Tool prior to 21.2 allows local administrators to execute arbitrary code, with higher-level privileges, via execution from a compromised folder. | 6.7 |
2021-03-21 | CVE-2021-23360 | Killport Project | Command Injection vulnerability in Killport Project Killport 1.0.0/1.0.1 This affects the package killport before 1.0.2. | 6.5 |
2021-03-19 | CVE-2019-10225 | Redhat | Insufficiently Protected Credentials vulnerability in Redhat Openshift and Openshift Container Platform A flaw was found in atomic-openshift of openshift-4.2 where the basic-user RABC role in OpenShift Container Platform doesn't sufficiently protect the GlusterFS StorageClass against leaking of the restuserkey. | 6.5 |
2021-03-19 | CVE-2021-25292 | Python | Unspecified vulnerability in Python Pillow An issue was discovered in Pillow before 8.1.1. | 6.5 |
2021-03-18 | CVE-2021-24149 | Webnus | SQL Injection vulnerability in Webnus Modern Events Calendar Lite Unvalidated input in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue. | 6.5 |
2021-03-18 | CVE-2021-24145 | Webnus | Unrestricted Upload of File with Dangerous Type vulnerability in Webnus Modern Events Calendar Lite Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request. | 6.5 |
2021-03-18 | CVE-2021-24143 | Accesspressthemes | SQL Injection vulnerability in Accesspressthemes Accesspress Social Icons Unvalidated input in the AccessPress Social Icons plugin, versions before 1.8.1, did not sanitise its widget attribute, allowing accounts with post permission, such as author, to perform SQL injections. | 6.5 |
2021-03-18 | CVE-2021-24141 | Sigmaplugin | SQL Injection vulnerability in Sigmaplugin Advanced Database Cleaner Unvaludated input in the Advanced Database Cleaner plugin, versions before 3.0.2, lead to SQL injection allowing high privilege users (admin+) to perform SQL attacks. | 6.5 |
2021-03-18 | CVE-2021-24140 | Connekthq | SQL Injection vulnerability in Connekthq Ajax Load More Unvalidated input in the Ajax Load More WordPress plugin, versions before 5.3.2, lead to SQL Injection in POST /wp-admin/admin-ajax.php with param repeater=' or sleep(5)#&type=test. | 6.5 |
2021-03-18 | CVE-2021-24137 | Adenion | SQL Injection vulnerability in Adenion Blog2Social Unvalidated input in the Blog2Social WordPress plugin, versions before 6.3.1, lead to SQL Injection in the Re-Share Posts feature, allowing authenticated users to inject arbitrary SQL commands. | 6.5 |
2021-03-18 | CVE-2021-24132 | 10Web | SQL Injection vulnerability in 10Web Slider The Slider by 10Web WordPress plugin, versions before 1.2.36, in the bulk_action, export_full and save_slider_db functionalities of the plugin were vulnerable, allowing a high privileged user (Admin), or medium one such as Contributor+ (if "Role Options" is turn on for other users) to perform a SQL Injection attacks. | 6.5 |
2021-03-18 | CVE-2021-24131 | Cleantalk | SQL Injection vulnerability in Cleantalk Anti-Spam Unvalidated input in the Anti-Spam by CleanTalk WordPress plugin, versions before 5.149, lead to multiple authenticated SQL injection vulnerabilities, however, it requires high privilege user (admin+). | 6.5 |
2021-03-18 | CVE-2021-24130 | Flippercode | SQL Injection vulnerability in Flippercode WP Google MAP Unvalidated input in the WP Google Map Plugin WordPress plugin, versions before 4.1.5, in the Manage Locations page within the plugin settings was vulnerable to SQL Injection through a high privileged user (admin+). | 6.5 |
2021-03-18 | CVE-2021-24125 | Contact Form Submissions Project | SQL Injection vulnerability in Contact Form Submissions Project Contact Form Submissions Unvalidated input in the Contact Form Submissions WordPress plugin before 1.7.1, could lead to SQL injection in the wpcf7_contact_form GET parameter when submitting a filter request as a high privilege user (admin+) | 6.5 |
2021-03-18 | CVE-2021-24123 | Blubrry | Unrestricted Upload of File with Dangerous Type vulnerability in Blubrry Powerpress Arbitrary file upload in the PowerPress WordPress plugin, versions before 8.3.8, did not verify some of the uploaded feed images (such as the ones from Podcast Artwork section), allowing high privilege accounts (admin+) being able to upload arbitrary files, such as php, leading to RCE. | 6.5 |
2021-03-18 | CVE-2021-21623 | Jenkins | Incorrect Authorization vulnerability in Jenkins Matrix Authorization Strategy An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders. | 6.5 |
2021-03-18 | CVE-2021-23359 | Port Killer Project | OS Command Injection vulnerability in Port-Killer Project Port-Killer This affects all versions of package port-killer. | 6.5 |
2021-03-18 | CVE-2021-28419 | Seopanel | SQL Injection vulnerability in Seopanel SEO Panel 4.8.0 The "order_col" parameter in archive.php of SEO Panel 4.8.0 is vulnerable to time-based blind SQL injection, which leads to the ability to retrieve all databases. | 6.5 |
2021-03-16 | CVE-2021-3344 | Redhat | Insufficiently Protected Credentials vulnerability in Redhat Openshift Builder and Openshift Container Platform A privilege escalation flaw was found in OpenShift builder. | 6.5 |
2021-03-16 | CVE-2020-24263 | Portainer | Incorrect Permission Assignment for Critical Resource vulnerability in Portainer Portainer 1.24.1 and earlier is affected by an insecure permissions vulnerability that may lead to remote arbitrary code execution. | 6.5 |
2021-03-15 | CVE-2021-27230 | Expressionengine | Code Injection vulnerability in Expressionengine ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory. | 6.5 |
2021-03-15 | CVE-2021-28363 | Python Fedoraproject Oracle | Improper Certificate Validation vulnerability in multiple products The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. | 6.5 |
2021-03-15 | CVE-2021-27948 | Mybb | SQL Injection vulnerability in Mybb SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. | 6.5 |
2021-03-15 | CVE-2021-27947 | Mybb | SQL Injection vulnerability in Mybb SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management. | 6.5 |
2021-03-15 | CVE-2021-27946 | Mybb | SQL Injection vulnerability in Mybb SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. | 6.5 |
2021-03-15 | CVE-2021-25672 | Mendix | Unspecified vulnerability in Mendix Forgot Password 3.1.0/3.2.0 A vulnerability has been identified in Mendix Forgot Password Appstore module (All Versions < V3.2.1). | 6.5 |
2021-03-15 | CVE-2020-25240 | Siemens | Incorrect Authorization vulnerability in Siemens Sinema Remote Connect Server 1.1/2.0 A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0). | 6.5 |
2021-03-15 | CVE-2020-25239 | Siemens | Incorrect Authorization vulnerability in Siemens Sinema Remote Connect Server 1.1/2.0 A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0). | 6.5 |
2021-03-15 | CVE-2021-27891 | SSH | Unspecified vulnerability in SSH Tectia Client SSH Tectia Client and Server before 6.4.19 on Windows have weak key generation. | 6.5 |
2021-03-17 | CVE-2020-11222 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Buffer over read while processing MT SMS with maximum length due to improper length check in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile | 6.4 |
2021-03-17 | CVE-2020-11190 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Buffer over-read can happen while parsing received SDP values due to lack of NULL termination check on SDP in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 6.4 |
2021-03-17 | CVE-2020-11189 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Buffer over-read can happen while parsing received SDP values due to lack of NULL termination check on SDP in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 6.4 |
2021-03-17 | CVE-2020-11188 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Buffer over-read can happen while parsing received SDP values due to lack of NULL termination check on SDP in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 6.4 |
2021-03-17 | CVE-2020-11171 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Buffer over-read can happen while parsing received SDP values due to lack of NULL termination check on SDP in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 6.4 |
2021-03-17 | CVE-2020-11166 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Potential out of bound read exception when UE receives unusually large number of padding octets in the beginning of ROHC header in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 6.4 |
2021-03-16 | CVE-2020-28899 | Zyxel | Missing Authentication for Critical Function vulnerability in Zyxel products The Web CGI Script on ZyXEL LTE4506-M606 V1.00(ABDO.2)C0 devices does not require authentication, which allows remote unauthenticated attackers (via crafted JSON action data to /cgi-bin/gui.cgi) to use all features provided by the router. | 6.4 |
2021-03-21 | CVE-2021-28957 | Lxml Debian Fedoraproject Netapp Oracle | Cross-site Scripting vulnerability in multiple products An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. | 6.1 |
2021-03-19 | CVE-2019-14831 | Moodle | Open Redirect vulnerability in Moodle A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where forum subscribe link contained an open redirect if forced subscription mode was enabled. | 6.1 |
2021-03-19 | CVE-2019-14830 | Moodle | Open Redirect vulnerability in Moodle A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. | 6.1 |
2021-03-15 | CVE-2021-26924 | Argoproj | Cross-site Scripting vulnerability in Argoproj Argo CD An issue was discovered in Argo CD before 1.8.4. | 6.1 |
2021-03-20 | CVE-2020-27171 | Linux Fedoraproject Debian Canonical | Off-by-one Error vulnerability in multiple products An issue was discovered in the Linux kernel before 5.11.8. | 6.0 |
2021-03-18 | CVE-2021-3416 | Qemu Fedoraproject Redhat Debian | Infinite Loop vulnerability in multiple products A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. | 6.0 |
2021-03-16 | CVE-2021-20218 | Redhat | Path Traversal vulnerability in Redhat products A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. | 5.8 |
2021-03-20 | CVE-2021-28951 | Linux Fedoraproject Netapp | Improper Locking vulnerability in multiple products An issue was discovered in fs/io_uring.c in the Linux kernel through 5.11.8. | 5.5 |
2021-03-20 | CVE-2021-28950 | Linux Fedoraproject Debian | Excessive Iteration vulnerability in multiple products An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. | 5.5 |
2021-03-19 | CVE-2021-27906 | Apache Fedoraproject Oracle | A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. | 5.5 |
2021-03-19 | CVE-2021-27807 | Apache Fedoraproject Oracle | Excessive Iteration vulnerability in multiple products A carefully crafted PDF file can trigger an infinite loop while loading the file. | 5.5 |
2021-03-19 | CVE-2021-27506 | Netasq Project Stormshield Clamav | The ClamAV Engine (version 0.103.1 and below) component embedded in Storsmshield Network Security (SNS) is subject to DoS in case of parsing of malformed png files. | 5.5 |
2021-03-18 | CVE-2021-24138 | Ajdg | SQL Injection vulnerability in Ajdg Adrotate Unvalidated input in the AdRotate WordPress plugin, versions before 5.8.4, leads to Authenticated SQL injection via param "id". | 5.5 |
2021-03-17 | CVE-2021-28650 | Gnome Fedoraproject | Link Following vulnerability in multiple products autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. | 5.5 |
2021-03-15 | CVE-2020-29555 | Getgrav | Path Traversal vulnerability in Getgrav Grav CMS The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. | 5.5 |
2021-03-15 | CVE-2020-24985 | Quadbase | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Quadbase Espressdashboard 7.0 An issue was discovered in Quadbase EspressReports ES 7 Update 9. | 5.5 |
2021-03-15 | CVE-2020-25236 | Siemens | Improper Handling of Exceptional Conditions vulnerability in Siemens Logo! 8 BM Firmware A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA1) (All versions), LOGO! 12/24RCEo (6ED1052-2MD08-0BA1) (All versions), LOGO! 230RCE (6ED1052-1FB08-0BA1) (All versions), LOGO! 230RCEo (6ED1052-2FB08-0BA1) (All versions), LOGO! 24CE (6ED1052-1CC08-0BA1) (All versions), LOGO! 24CEo (6ED1052-2CC08-0BA1) (All versions), LOGO! 24RCE (6ED1052-1HB08-0BA1) (All versions), LOGO! 24RCEo (6ED1052-2HB08-0BA1) (All versions), SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA1) (All versions), SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA1) (All versions), SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA1) (All versions), SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA1) (All versions), SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA1) (All versions), SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA1) (All versions), SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA1) (All versions), SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA1) (All versions). | 5.5 |
2021-03-15 | CVE-2021-20280 | Moodle Fedoraproject | Cross-site Scripting vulnerability in multiple products Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | 5.4 |
2021-03-15 | CVE-2021-20279 | Moodle Fedoraproject | Cross-site Scripting vulnerability in multiple products The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | 5.4 |
2021-03-19 | CVE-2021-28090 | Torproject Fedoraproject | Reachable Assertion vulnerability in multiple products Tor before 0.4.5.7 allows a remote attacker to cause Tor directory authorities to exit with an assertion failure, aka TROVE-2021-002. | 5.3 |
2021-03-15 | CVE-2021-20282 | Moodle Fedoraproject | Incorrect Authorization vulnerability in multiple products When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | 5.3 |
2021-03-15 | CVE-2021-20281 | Moodle Fedoraproject | Incorrect Authorization vulnerability in multiple products It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | 5.3 |
2021-03-15 | CVE-2020-29553 | Getgrav | Cross-Site Request Forgery (CSRF) vulnerability in Getgrav Grav CMS The Scheduler in Grav CMS through 1.7.0-rc.17 allows an attacker to execute a system command by tricking an admin into visiting a malicious website (CSRF). | 5.1 |
2021-03-19 | CVE-2021-21267 | Schema Inspector Project Netapp | Resource Exhaustion vulnerability in multiple products Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). | 5.0 |
2021-03-19 | CVE-2021-26992 | Netapp | Unspecified vulnerability in Netapp Cloud Manager Cloud Manager versions prior to 3.9.4 are susceptible to a vulnerability which could allow a remote attacker to cause a Denial of Service (DoS). | 5.0 |
2021-03-19 | CVE-2021-26991 | Netapp | Unspecified vulnerability in Netapp Cloud Manager Cloud Manager versions prior to 3.9.4 contain an insecure Cross-Origin Resource Sharing (CORS) policy which could allow a remote attacker to interact with Cloud Manager. | 5.0 |
2021-03-19 | CVE-2021-21387 | Wrongthink | Cleartext Transmission of Sensitive Information vulnerability in Wrongthink Wrongthink peer-to-peer, end-to-end encrypted messenger with PeerJS and Axolotl ratchet. | 5.0 |
2021-03-19 | CVE-2020-4635 | IBM | Unspecified vulnerability in IBM Soar 40.0 IBM Resilient SOAR 40 and earlier could disclose sensitive information by allowing a user to enumerate usernames. | 5.0 |
2021-03-19 | CVE-2021-28110 | Compassplus | XXE vulnerability in Compassplus Tranzware E-Commerce Payment Gateway /exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in its XML parser. | 5.0 |
2021-03-19 | CVE-2021-25293 | Python | Out-of-bounds Read vulnerability in Python Pillow An issue was discovered in Pillow before 8.1.1. | 5.0 |
2021-03-19 | CVE-2021-25291 | Python | Out-of-bounds Read vulnerability in Python Pillow An issue was discovered in Pillow before 8.1.1. | 5.0 |
2021-03-19 | CVE-2021-25290 | Python Debian | Out-of-bounds Write vulnerability in multiple products An issue was discovered in Pillow before 8.1.1. | 5.0 |
2021-03-18 | CVE-2021-27358 | Grafana Netapp | The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set. | 5.0 |
2021-03-18 | CVE-2021-25764 | Jetbrains | Unspecified vulnerability in Jetbrains PHPstorm In JetBrains PhpStorm before 2020.3, source code could be added to debug logs. | 5.0 |
2021-03-18 | CVE-2019-14852 | Redhat | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Redhat 3Scale API Management 2.0 A flaw was found in 3scale’s APIcast gateway that enabled the TLS 1.0 protocol. | 5.0 |
2021-03-18 | CVE-2021-27656 | Johnsoncontrols | Missing Authorization vulnerability in Johnsoncontrols Exacqvision web Service A vulnerability in exacqVision Web Service 20.12.2.0 and prior could allow an unauthenticated attacker to view system-level information about the exacqVision Web Service and the operating system. | 5.0 |
2021-03-18 | CVE-2021-26935 | Wowonder | SQL Injection vulnerability in Wowonder In WoWonder < 3.1, remote attackers can gain access to the database by exploiting a requests.php?f=search-my-followers SQL Injection vulnerability via the event_id parameter. | 5.0 |
2021-03-18 | CVE-2021-24146 | Webnus | Missing Authorization vulnerability in Webnus Modern Events Calendar Lite Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example. | 5.0 |
2021-03-18 | CVE-2021-28681 | Webrtc Project | Incorrect Authorization vulnerability in Webrtc Project Webrtc Pion WebRTC before 3.0.15 didn't properly tear down the DTLS Connection when certificate verification failed. | 5.0 |
2021-03-17 | CVE-2019-18231 | Advantech | Cleartext Transmission of Sensitive Information vulnerability in Advantech Spectre RT Ert351 Firmware Advantech Spectre RT ERT351 Versions 5.1.3 and prior logins and passwords are transmitted in clear text form, which may allow an attacker to intercept the request. | 5.0 |
2021-03-17 | CVE-2021-27292 | UA Parser JS Project | Unspecified vulnerability in Ua-Parser-Js Project Ua-Parser-Js ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. | 5.0 |
2021-03-17 | CVE-2020-13924 | Apache | Path Traversal vulnerability in Apache Ambari In Apache Ambari versions 2.6.2.2 and earlier, malicious users can construct file names for directory traversal and traverse to other directories to download files. | 5.0 |
2021-03-17 | CVE-2020-11226 | Qualcomm | Improper Validation of Array Index vulnerability in Qualcomm products Out of bound memory read in Data modem while unpacking data due to lack of offset length check in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 5.0 |
2021-03-17 | CVE-2020-11218 | Qualcomm | Reachable Assertion vulnerability in Qualcomm products Denial of service in baseband when NW configures LTE betaOffset-RI-Index due to lack of data validation in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | 5.0 |
2021-03-16 | CVE-2019-3897 | Redhat | Files or Directories Accessible to External Parties vulnerability in Redhat Certification It has been discovered in redhat-certification that any unauthorized user may download any file under /var/www/rhcert, provided they know its name. | 5.0 |
2021-03-16 | CVE-2021-3127 | Nats | Improper Handling of Exceptional Conditions vulnerability in Nats JWT Library and Nats Server NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled. | 5.0 |
2021-03-16 | CVE-2021-28295 | Online Ordering System Project | SQL Injection vulnerability in Online Ordering System Project Online Ordering System 1.0 Online Ordering System 1.0 is vulnerable to unauthenticated SQL injection through /onlineordering/GPST/admin/design.php, which may lead to database information disclosure. | 5.0 |
2021-03-15 | CVE-2021-24029 | Reachable Assertion vulnerability in Facebook Mvfst and Proxygen A packet of death scenario is possible in mvfst via a specially crafted message during a QUIC session, which causes a crash via a failed assertion. | 5.0 | |
2021-03-15 | CVE-2021-25676 | Siemens | Improper Restriction of Excessive Authentication Attempts vulnerability in Siemens products A vulnerability has been identified in RUGGEDCOM RM1224 (V6.3), SCALANCE M-800 (V6.3), SCALANCE S615 (V6.3), SCALANCE SC-600 (All Versions >= V2.1 and < V2.1.3). | 5.0 |
2021-03-15 | CVE-2020-25241 | Siemens | Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Siemens products A vulnerability has been identified in SIMATIC MV400 family (All Versions < V7.0.6). | 5.0 |
2021-03-15 | CVE-2021-27576 | Apache | Unspecified vulnerability in Apache Openmeetings If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. | 5.0 |
2021-03-15 | CVE-2021-28374 | Debian | Cleartext Storage of Sensitive Information vulnerability in Debian Courier-Authlib and Debian Linux The Debian courier-authlib package before 0.71.1-2 for Courier Authentication Library creates a /run/courier/authdaemon directory with weak permissions, allowing an attacker to read user information. | 5.0 |
2021-03-15 | CVE-2021-25673 | Siemens | Infinite Loop vulnerability in Siemens Simatic S7-Plcsim A vulnerability has been identified in SIMATIC S7-PLCSIM V5.4 (All versions). | 4.9 |
2021-03-20 | CVE-2020-27170 | Linux Fedoraproject Canonical Debian | Information Exposure Through Discrepancy vulnerability in multiple products An issue was discovered in the Linux kernel before 5.11.8. | 4.7 |
2021-03-17 | CVE-2020-11305 | Qualcomm | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Qualcomm products Integer overflow in boot due to improper length check on arguments received in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music | 4.6 |
2021-03-17 | CVE-2020-11228 | Qualcomm | Improper Privilege Management vulnerability in Qualcomm products Part of RPM region was not protected from xblSec itself due to improper policy and leads to unprivileged access in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking | 4.6 |
2021-03-17 | CVE-2017-20002 | Debian | Improper Privilege Management vulnerability in Debian Linux and Shadow The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty. | 4.6 |
2021-03-15 | CVE-2021-23357 | TYK | Path Traversal vulnerability in TYK All versions of package github.com/tyktechnologies/tyk/gateway are vulnerable to Directory Traversal via the handleAddOrUpdateApi function. | 4.6 |
2021-03-15 | CVE-2021-27892 | SSH | Unspecified vulnerability in SSH Tectia Server SSH Tectia Client and Server before 6.4.19 on Windows allow local privilege escalation. | 4.6 |
2021-03-15 | CVE-2021-27208 | Xilinx | Classic Buffer Overflow vulnerability in Xilinx Zynq-7000 Firmware and Zynq-7000S Firmware When booting a Zync-7000 SOC device from nand flash memory, the nand driver in the ROM does not validate the inputs when reading in any parameters in the nand’s parameter page. | 4.6 |
2021-03-19 | CVE-2021-21384 | Shescape Project | Argument Injection or Modification vulnerability in Shescape Project Shescape shescape is a simple shell escape package for JavaScript. | 4.4 |
2021-03-18 | CVE-2019-3867 | Redhat | Insufficient Session Expiration vulnerability in Redhat Quay 2.0.0/3.0.0 A vulnerability was found in the Quay web application. | 4.4 |
2021-03-18 | CVE-2020-26155 | Utimaco | Incorrect Permission Assignment for Critical Resource vulnerability in Utimaco products Multiple files and folders in Utimaco SecurityServer 4.20.0.4 and 4.31.1.0. | 4.4 |
2021-03-17 | CVE-2020-11230 | Qualcomm | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Qualcomm products Potential arbitrary memory corruption when the qseecom driver updates ion physical addresses in the buffer as it exposes a physical address to user land in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile | 4.4 |
2021-03-17 | CVE-2020-11220 | Qualcomm | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Qualcomm products While processing storage SCM commands there is a time of check or time of use window where a pointer used could be invalid at a specific time while executing the storage SCM call in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking | 4.4 |
2021-03-15 | CVE-2021-3418 | GNU | Improper Preservation of Permissions vulnerability in GNU Grub2 If certificates that signed grub are installed into db, grub can be booted directly. | 4.4 |
2021-03-15 | CVE-2021-27893 | SSH | Unspecified vulnerability in SSH Tectia Server SSH Tectia Client and Server before 6.4.19 on Windows allow local privilege escalation in nonstandard conditions. | 4.4 |
2021-03-19 | CVE-2019-14829 | Moodle | Improper Following of Specification by Caller vulnerability in Moodle A vulnerability was found in Moodle affection 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions where activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode. | 4.3 |
2021-03-19 | CVE-2021-27520 | Fudforum | Cross-site Scripting vulnerability in Fudforum 3.1.0 A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "author" parameter. | 4.3 |
2021-03-19 | CVE-2021-27519 | Fudforum | Cross-site Scripting vulnerability in Fudforum 3.1.0 A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "srch" parameter. | 4.3 |
2021-03-19 | CVE-2019-10127 | Postgresql | Improper Access Control vulnerability in Postgresql A vulnerability was found in postgresql versions 11.x prior to 11.3. | 4.3 |
2021-03-19 | CVE-2021-25277 | Ftapi | Cross-site Scripting vulnerability in Ftapi FTAPI 4.0 - 4.10 allows XSS via a crafted filename to the alternative text hover box in the file submission component. | 4.3 |
2021-03-19 | CVE-2021-21390 | Minio | Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Minio MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. | 4.3 |
2021-03-19 | CVE-2021-28126 | Compassplus | Cross-site Scripting vulnerability in Compassplus Tranzware E-Commerce Payment Gateway index.jsp in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a Stored cross-site scripting (XSS) vulnerability | 4.3 |
2021-03-19 | CVE-2020-6578 | ZEN Cart | Cross-site Scripting vulnerability in Zen-Cart ZEN Cart 1.5.6D Zen Cart 1.5.6d allows reflected XSS via the main_page parameter to includes/templates/template_default/common/tpl_main_page.php or includes/templates/responsive_classic/common/tpl_main_page.php. | 4.3 |
2021-03-19 | CVE-2021-28109 | Compassplus | Cross-site Scripting vulnerability in Compassplus Tranzware Fimi TranzWare (POI) FIMI before 4.2.20.4.2 allows login_tw.php reflected Cross-Site Scripting (XSS). | 4.3 |
2021-03-18 | CVE-2021-27436 | Advantech | Cross-site Scripting vulnerability in Advantech Webaccess/Scada WebAccess/SCADA Versions 9.0 and prior is vulnerable to cross-site scripting, which may allow an attacker to send malicious JavaScript code to an unsuspecting user, which could result in hijacking of the user’s cookie/session tokens, redirecting the user to a malicious webpage and performing unintended browser actions. | 4.3 |
2021-03-18 | CVE-2020-36144 | Redash | Injection vulnerability in Redash 8.0.0 Redash 8.0.0 is affected by LDAP Injection. | 4.3 |
2021-03-18 | CVE-2021-28160 | Acexy Wireless N Wifi Repeater Project | Cross-site Scripting vulnerability in Acexy Wireless-N Wifi Repeater Project Acexy Wireless-N Wifi Repeater Firmware 28.08.06.1 Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) suffers from a reflected XSS vulnerability due to unsanitized SSID value when the latter is displayed in the /repeater.html page ("Repeater Wizard" homepage section). | 4.3 |
2021-03-18 | CVE-2021-28796 | Increments | Cross-site Scripting vulnerability in Increments Qiita::Markdown Increments Qiita::Markdown before 0.33.0 allows XSS in transformers. | 4.3 |
2021-03-18 | CVE-2021-26216 | Seeddms | Cross-Site Request Forgery (CSRF) vulnerability in Seeddms SeedDMS 5.1.x is affected by cross-site request forgery (CSRF) in out.EditFolder.php. | 4.3 |
2021-03-18 | CVE-2021-26215 | Seeddms | Cross-Site Request Forgery (CSRF) vulnerability in Seeddms SeedDMS 5.1.x is affected by cross-site request forgery (CSRF) in out.EditDocument.php. | 4.3 |
2021-03-18 | CVE-2021-24135 | Gowebsolutions | Cross-site Scripting vulnerability in Gowebsolutions WP Customer Reviews Unvalidated input and lack of output encoding in the WP Customer Reviews WordPress plugin, versions before 3.4.3, lead to multiple Stored Cross-Site Scripting vulnerabilities allowing remote attackers to inject arbitrary JavaScript code or HTML. | 4.3 |
2021-03-18 | CVE-2021-24133 | Activecampaign | Cross-Site Request Forgery (CSRF) vulnerability in Activecampaign Lack of CSRF checks in the ActiveCampaign WordPress plugin, versions before 8.0.2, on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to attacker's account. | 4.3 |
2021-03-18 | CVE-2021-24124 | Terryl | Cross-site Scripting vulnerability in Terryl WP Shieldon Unvalidated input and lack of output encoding in the WP Shieldon WordPress plugin, version 1.6.3 and below, leads to Unauthenticated Reflected Cross-Site Scripting (XSS) when the CAPTCHA page is shown could lead to privileged escalation. | 4.3 |
2021-03-18 | CVE-2021-28133 | Zoom | Information Exposure vulnerability in Zoom Zoom through 5.5.4 sometimes allows attackers to read private information on a participant's screen, even though the participant never attempted to share the private part of their screen. | 4.3 |
2021-03-18 | CVE-2021-21626 | Jenkins | Missing Authorization vulnerability in Jenkins Warnings Next Generation Jenkins Warnings Next Generation Plugin 8.4.4 and earlier does not perform a permission check in methods implementing form validation, allowing attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. | 4.3 |
2021-03-18 | CVE-2021-21625 | Jenkins | Missing Authorization vulnerability in Jenkins Cloudbees AWS Credentials Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins in some circumstances. | 4.3 |
2021-03-18 | CVE-2021-21624 | Jenkins | Incorrect Authorization vulnerability in Jenkins Role-Based Authorization Strategy An incorrect permission check in Jenkins Role-based Authorization Strategy Plugin 3.1 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders. | 4.3 |
2021-03-18 | CVE-2021-20629 | Cybozu | Cross-site Scripting vulnerability in Cybozu Office Cross-site scripting vulnerability in E-mail of Cybozu Office 10.0.0 to 10.8.4 allows remote attackers to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-03-18 | CVE-2021-20628 | Cybozu | Cross-site Scripting vulnerability in Cybozu Office Cross-site scripting vulnerability in Address Book of Cybozu Office 10.0.0 to 10.8.4 allows remote attackers to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-03-18 | CVE-2021-20627 | Cybozu | Cross-site Scripting vulnerability in Cybozu Office Cross-site scripting vulnerability in Address Book of Cybozu Office 10.0.0 to 10.8.4 allows remote attackers to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-03-17 | CVE-2019-18233 | Advantech | Cross-site Scripting vulnerability in Advantech Spectre RT Ert351 Firmware In Advantech Spectre RT Industrial Routers ERT351 5.1.3 and prior, the affected product does not neutralize special characters in the error response, allowing attackers to use a reflected XSS attack. | 4.3 |
2021-03-17 | CVE-2020-35456 | Taidii | Cleartext Transmission of Sensitive Information vulnerability in Taidii Diibear 2.4.0 The Taidii Diibear Android application 2.4.0 and all its derivatives allow attackers to view private chat messages and media files via logcat because of excessive logging. | 4.3 |
2021-03-17 | CVE-2020-17525 | Apache Debian | NULL Pointer Dereference vulnerability in multiple products Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL. | 4.3 |
2021-03-16 | CVE-2021-27938 | Symbiote | Cross-site Scripting vulnerability in Symbiote Silverstripe Queued Jobs A vulnerability has been identified in the Silverstripe CMS 3 and 4 version of the symbiote/silverstripe-queuedjobs module. | 4.3 |
2021-03-16 | CVE-2020-1926 | Apache | Information Exposure Through Discrepancy vulnerability in Apache Hive Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. | 4.3 |
2021-03-15 | CVE-2021-20283 | Moodle Fedoraproject | Missing Authorization vulnerability in multiple products The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | 4.3 |
2021-03-15 | CVE-2021-3150 | Cryptshare | Cross-site Scripting vulnerability in Cryptshare Server A cross-site scripting (XSS) vulnerability on the Delete Personal Data page in Cryptshare Server before 4.8.0 allows an attacker to inject arbitrary web script or HTML via the user name. | 4.3 |
2021-03-15 | CVE-2021-27949 | Mybb | Cross-site Scripting vulnerability in Mybb Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator tools. | 4.3 |
2021-03-15 | CVE-2020-24982 | Quadbase | Cross-Site Request Forgery (CSRF) vulnerability in Quadbase Espressdashboard 7.0 An issue was discovered in Quadbase ExpressDashboard (EDAB) 7 Update 9. | 4.3 |
2021-03-15 | CVE-2021-27889 | Mybb | Cross-site Scripting vulnerability in Mybb Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages. | 4.3 |
2021-03-15 | CVE-2021-27695 | Openmaint | Cross-site Scripting vulnerability in Openmaint 2.13.3B Multiple stored cross-site scripting (XSS) vulnerabilities in openMAINT 2.1-3.3-b allow remote attackers to inject arbitrary web script or HTML via any "Add" sections, such as Add Card Building & Floor, or others in the Name and Code Parameters. | 4.3 |
2021-03-15 | CVE-2020-28387 | Siemens | XXE vulnerability in Siemens Solid Edge Se2021 A vulnerability has been identified in Solid Edge SE2020 (All Versions < SE2020MP13), Solid Edge SE2021 (All Versions < SE2021MP3). | 4.3 |
2021-03-19 | CVE-2019-10128 | Postgresql | Improper Access Control vulnerability in Postgresql A vulnerability was found in postgresql versions 11.x prior to 11.3. | 4.1 |
2021-03-19 | CVE-2019-14828 | Moodle | Improper Authorization vulnerability in Moodle A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role. | 4.0 |
2021-03-19 | CVE-2021-28653 | Westerndigital | Insecure Storage of Sensitive Information vulnerability in Westerndigital Armorlock The iOS and macOS apps before 1.4.1 for the Western Digital G-Technology ArmorLock NVMe SSD store keys insecurely. | 4.0 |
2021-03-18 | CVE-2021-20676 | M System | Incorrect Authorization vulnerability in M-System products M-System DL8 series (type A (DL8-A) versions prior to Ver3.0, type B (DL8-B) versions prior to Ver3.0, type C (DL8-C) versions prior to Ver3.0, type D (DL8-D) versions prior to Ver3.0, and type E (DL8-E) versions prior to Ver3.0) allows remote authenticated attackers to bypass access restriction and conduct prohibited operations via unspecified vectors. | 4.0 |
2021-03-18 | CVE-2021-20634 | Cybozu | Improper Authentication vulnerability in Cybozu Office Improper access control vulnerability in Custom App of Cybozu Office 10.0.0 to 10.8.4 allows authenticated attackers to bypass access restriction and obtain the date of Custom App via unspecified vectors. | 4.0 |
2021-03-18 | CVE-2021-20633 | Cybozu | Unspecified vulnerability in Cybozu Office Improper access control vulnerability in Cabinet of Cybozu Office 10.0.0 to 10.8.4 allows authenticated attackers to bypass access restriction and obtain the date of Cabinet via unspecified vectors. | 4.0 |
2021-03-18 | CVE-2021-20632 | Cybozu | Improper Authentication vulnerability in Cybozu Office Improper access control vulnerability in Bulletin Board of Cybozu Office 10.0.0 to 10.8.4 allows authenticated attackers to bypass access restriction and obtain the data of Bulletin Board via unspecified vectors. | 4.0 |
2021-03-18 | CVE-2021-20631 | Cybozu | Improper Input Validation vulnerability in Cybozu Office Improper input validation vulnerability in Custom App of Cybozu Office 10.0.0 to 10.8.4 allows authenticated attacker to alter the data of Custom App via unspecified vectors. | 4.0 |
2021-03-18 | CVE-2021-20630 | Cybozu | Improper Authentication vulnerability in Cybozu Office Improper access control vulnerability in Phone Messages of Cybozu Office 10.0.0 to 10.8.4 allows authenticated attackers to bypass access restriction and obtain the data of Phone Messages via unspecified vectors. | 4.0 |
2021-03-18 | CVE-2021-20626 | Cybozu | Unspecified vulnerability in Cybozu Office Improper access control vulnerability in Workflow of Cybozu Office 10.0.0 to 10.8.4 allows authenticated attackers to bypass access restriction and alter the data of Workflow via unspecified vectors. | 4.0 |
2021-03-18 | CVE-2021-20625 | Cybozu | Unspecified vulnerability in Cybozu Office Improper access control vulnerability in Bulletin Board of Cybozu Office 10.0.0 to 10.8.4 allows an authenticated attacker to bypass access restriction and alter the data of Bulletin Board via unspecified vectors. | 4.0 |
2021-03-18 | CVE-2021-20624 | Cybozu | Unspecified vulnerability in Cybozu Office Improper access control vulnerability in Scheduler of Cybozu Office 10.0.0 to 10.8.4 allows an authenticated attacker to bypass access restriction and alter the data of Scheduler via unspecified vectors. | 4.0 |
2021-03-15 | CVE-2021-20286 | Redhat | Reachable Assertion vulnerability in Redhat Libnbd A flaw was found in libnbd 1.7.3. | 4.0 |
2021-03-15 | CVE-2021-3167 | Cloudera | Information Exposure vulnerability in Cloudera Data Engineering 1.3.0 In Cloudera Data Engineering (CDE) 1.3.0, JWT authentication tokens are exposed to administrators in virtual cluster server logs. | 4.0 |
2021-03-15 | CVE-2021-20440 | IBM | Unspecified vulnerability in IBM API Connect IBM API Connect 10.0.0.0, and 2018.4.1.0 through 2018.4.1.13 does not restrict member registration to the intended recepient. | 4.0 |
35 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-03-15 | CVE-2020-27278 | Hamilton Medical | Use of Hard-coded Credentials vulnerability in Hamilton-Medical Hamilton-T1 Firmware In Hamilton Medical AG,T1-Ventillator versions 2.2.3 and prior, hard-coded credentials in the ventilator allow attackers with physical access to obtain admin privileges for the device’s configuration interface. | 3.6 |
2021-03-19 | CVE-2021-25278 | Ftapi | Cross-site Scripting vulnerability in Ftapi FTAPI 4.0 through 4.10 allows XSS via an SVG document to the Background Image upload feature in the Submit Box Template Editor. | 3.5 |
2021-03-19 | CVE-2021-3327 | Ovation | Cross-site Scripting vulnerability in Ovation Dynamic Content 1.10.1 Ovation Dynamic Content 1.10.1 for Elementor allows XSS via the post_title parameter. | 3.5 |
2021-03-18 | CVE-2019-14851 | Nbdkit Project | Reachable Assertion vulnerability in Nbdkit Project Nbdkit A denial of service vulnerability was discovered in nbdkit. | 3.5 |
2021-03-18 | CVE-2021-21383 | Requarks | Cross-site Scripting vulnerability in Requarks Wiki.Js Wiki.js an open-source wiki app built on Node.js. | 3.5 |
2021-03-18 | CVE-2021-28145 | Concretecms | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) before 8.5.5 allows remote authenticated users to conduct XSS attacks via a crafted survey block. | 3.5 |
2021-03-18 | CVE-2021-24147 | Webnus | Cross-site Scripting vulnerability in Webnus Modern Events Calendar Lite Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event. | 3.5 |
2021-03-18 | CVE-2021-24136 | Axelerant | Cross-site Scripting vulnerability in Axelerant Testimonials Widget Unvalidated input and lack of output encoding in the Testimonials Widget WordPress plugin, versions before 4.0.0, lead to multiple Cross-Site Scripting vulnerabilities, allowing remote attackers to inject arbitrary JavaScript code or HTML via the below parameters: - Author - Job Title - Location - Company - Email - URL | 3.5 |
2021-03-18 | CVE-2021-24134 | Constantcontact | Cross-site Scripting vulnerability in Constantcontact Constant Contact Forms Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user (Editor+) to inject arbitrary JavaScript code or HTML in posts where the malicious form is embed. | 3.5 |
2021-03-18 | CVE-2021-24129 | Themify | Cross-site Scripting vulnerability in Themify Portfolio Post Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Panel is embedded, which could lead to privilege escalation. | 3.5 |
2021-03-18 | CVE-2021-24128 | Wpdarko | Cross-site Scripting vulnerability in Wpdarko Team Members Unvalidated input and lack of output encoding in the Team Members WordPress plugin, versions before 5.0.4, lead to Cross-site scripting vulnerabilities allowing medium-privileged authenticated attacker (contributor+) to inject arbitrary web script or HTML via the 'Description/biography' of a member. | 3.5 |
2021-03-18 | CVE-2021-24127 | Caseproof | Cross-site Scripting vulnerability in Caseproof Thirstyaffiliates Affiliate Link Manager Unvalidated input and lack of output encoding in the ThirstyAffiliates Affiliate Link Manager WordPress plugin, versions before 3.9.3, was vulnerable to authenticated Stored Cross-Site Scripting (XSS), which could lead to privilege escalation. | 3.5 |
2021-03-18 | CVE-2021-24126 | Enviragallery | Cross-site Scripting vulnerability in Enviragallery Envira Gallery Unvalidated input and lack of output encoding in the Envira Gallery Lite WordPress plugin, versions before 1.8.3.3, did not properly sanitise the images metadata (namely title) before outputting them in the generated gallery, which could lead to privilege escalation. | 3.5 |
2021-03-18 | CVE-2021-28420 | Seopanel | Cross-site Scripting vulnerability in Seopanel SEO Panel 4.8.0 A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via alerts.php and the "from_time" parameter. | 3.5 |
2021-03-18 | CVE-2021-28418 | Seopanel | Cross-site Scripting vulnerability in Seopanel SEO Panel 4.8.0 A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via settings.php and the "category" parameter. | 3.5 |
2021-03-18 | CVE-2021-28417 | Seopanel | Cross-site Scripting vulnerability in Seopanel SEO Panel 4.8.0 A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php and the "search_name" parameter. | 3.5 |
2021-03-17 | CVE-2020-17457 | Fujitsu | Cross-site Scripting vulnerability in Fujitsu Serverview Remote Management Fujitsu ServerView Suite iRMC before 9.62F allows XSS. | 3.5 |
2021-03-16 | CVE-2021-28380 | Aimeos Project | Cross-site Scripting vulnerability in Aimeos Project Aimeos The aimeos (aka Aimeos shop and e-commerce framework) extension before 19.10.12 and 20.x before 20.10.5 for TYPO3 allows XSS via a backend user account. | 3.5 |
2021-03-15 | CVE-2021-28378 | Gitea | Cross-site Scripting vulnerability in Gitea Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations. | 3.5 |
2021-03-18 | CVE-2019-14850 | Nbdkit Project Redhat | Insufficient Control of Network Message Volume (Network Amplification) vulnerability in multiple products A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.14.1 and 1.15.1. | 2.6 |
2021-03-18 | CVE-2021-3141 | Unisys | Insufficiently Protected Credentials vulnerability in Unisys Stealth In Unisys Stealth (core) before 6.0.025.0, the Keycloak password is stored in a recoverable format that might be accessible by a local attacker, who could gain access to the Management Server and change the Stealth configuration. | 2.1 |
2021-03-17 | CVE-2020-35455 | Taidii | Cleartext Storage of Sensitive Information vulnerability in Taidii Diibear 2.4.0 The Taidii Diibear Android application 2.4.0 and all its derivatives allow attackers to obtain user credentials from Shared Preferences and the SQLite database because of insecure data storage. | 2.1 |
2021-03-17 | CVE-2020-35454 | Taidii | Cleartext Storage of Sensitive Information vulnerability in Taidii Diibear 2.4.0 The Taidii Diibear Android application 2.4.0 and all its derivatives allow attackers to obtain user credentials from an Android backup because of insecure application configuration. | 2.1 |
2021-03-17 | CVE-2020-11221 | Qualcomm | Information Exposure vulnerability in Qualcomm products Usage of syscall by non-secure entity can allow extraction of secure QTEE diagnostic information in clear text form due to insufficient checks in the syscall handler and leads to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 2.1 |
2021-03-17 | CVE-2020-11199 | Qualcomm | Information Exposure vulnerability in Qualcomm products HLOS to access EL3 stack canary by just mapping imem region due to Improper access control and can lead to information exposure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 2.1 |
2021-03-17 | CVE-2020-11186 | Qualcomm | Infinite Loop vulnerability in Qualcomm products Modem will enter into busy mode in an infinite loop while parsing histogram dimension due to improper validation of input received in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile | 2.1 |
2021-03-16 | CVE-2021-22887 | Pulsesecure Supermicro | A vulnerability in the BIOS of Pulse Secure (PSA-Series Hardware) models PSA5000 and PSA7000 could allow an attacker to compromise BIOS firmware. | 2.1 |
2021-03-16 | CVE-2020-4891 | IBM | Improper Restriction of Excessive Authentication Attempts vulnerability in IBM Spectrum Scale IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 uses an inadequate account lockout setting that could allow a local user er to brute force Rest API account credentials. | 2.1 |
2021-03-16 | CVE-2020-4890 | IBM | Unspecified vulnerability in IBM Spectrum Scale IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 could allow a local user with a valid role to the REST API to cause a denial of service due to weak or absense of rate limiting. | 2.1 |
2021-03-16 | CVE-2020-4851 | IBM | Injection vulnerability in IBM Spectrum Scale IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 could allow a local user to poison log files which could impact support and development efforts. | 2.1 |
2021-03-15 | CVE-2020-27290 | Hamilton Medical | Information Exposure vulnerability in Hamilton-Medical Hamilton-T1 Firmware In Hamilton Medical AG,T1-Ventillator versions 2.2.3 and prior, an information disclosure vulnerability in the ventilator allows attackers with physical access to the configuration interface's logs to get valid checksums for tampered configuration files. | 2.1 |
2021-03-15 | CVE-2020-27282 | Hamilton Medical | Missing XML Validation vulnerability in Hamilton-Medical Hamilton-T1 Firmware In Hamilton Medical AG,T1-Ventillator versions 2.2.3 and prior, an XML validation vulnerability in the ventilator allows privileged attackers with physical access to render the device persistently unusable by uploading specially crafted configuration files. | 2.1 |
2021-03-15 | CVE-2020-29556 | Getgrav | Path Traversal vulnerability in Getgrav Grav CMS The Backup functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to read arbitrary local files on the underlying server by exploiting a path-traversal technique. | 2.1 |
2021-03-15 | CVE-2021-25675 | Siemens | Divide By Zero vulnerability in Siemens Simatic S7-Plcsim 5.4 A vulnerability has been identified in SIMATIC S7-PLCSIM V5.4 (All versions). | 2.1 |
2021-03-15 | CVE-2021-25674 | Siemens | NULL Pointer Dereference vulnerability in Siemens Simatic S7-Plcsim 5.4 A vulnerability has been identified in SIMATIC S7-PLCSIM V5.4 (All versions). | 2.1 |