Weekly Vulnerabilities Reports > March 22 to 28, 2021

Overview

348 new vulnerabilities reported during this period, including 13 critical vulnerabilities and 65 high severity vulnerabilities. This weekly summary report vulnerabilities in 401 products from 119 vendors including Cisco, Redhat, Fedoraproject, Netgear, and Debian. Vulnerabilities are notably categorized as "Cross-site Scripting", "Incorrect Authorization", "Improper Privilege Management", "Command Injection", and "Improper Input Validation".

  • 239 reported vulnerabilities are remotely exploitables.
  • 2 reported vulnerabilities have public exploit available.
  • 119 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 243 reported vulnerabilities are exploitable by an anonymous user.
  • Cisco has the most reported vulnerabilities, with 44 reported vulnerabilities.
  • Cisco has the most reported critical vulnerabilities, with 4 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

13 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-03-25 CVE-2021-27372 Realtek Insufficiently Protected Credentials vulnerability in Realtek Xpon Rtl9601D Software Development KIT 1.9

Realtek xPON RTL9601D SDK 1.9 stores passwords in plaintext which may allow attackers to possibly gain access to the device with root permissions via the build-in network monitoring tool and execute arbitrary commands.

10.0
2021-03-25 CVE-2021-27452 GE Use of Hard-coded Credentials vulnerability in GE Mu320E Firmware

The software contains a hard-coded password that could allow an attacker to take control of the merging unit using these hard-coded credentials on the MU320E (all firmware versions prior to v04A00.1).

10.0
2021-03-25 CVE-2021-3466 GNU
Redhat
Fedoraproject
Classic Buffer Overflow vulnerability in multiple products

A flaw was found in libmicrohttpd in versions before 0.9.71.

10.0
2021-03-25 CVE-2020-1946 Apache OS Command Injection vulnerability in Apache Spamassassin

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors.

10.0
2021-03-24 CVE-2021-21386 Apkleaks Project Argument Injection or Modification vulnerability in Apkleaks Project Apkleaks

APKLeaks is an open-source project for scanning APK file for URIs, endpoints & secrets.

10.0
2021-03-24 CVE-2021-1451 Cisco Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco IOS XE

A vulnerability in the Easy Virtual Switching System (VSS) feature of Cisco IOS XE Software for Cisco Catalyst 4500 Series Switches and Cisco Catalyst 4500-X Series Switches could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying Linux operating system of an affected device.

9.3
2021-03-24 CVE-2021-1433 Cisco Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco IOS XE

A vulnerability in the vDaemon process in Cisco IOS XE SD-WAN Software could allow an unauthenticated, remote attacker to cause a buffer overflow on an affected device.

9.3
2021-03-26 CVE-2021-21389 Buddypress Incorrect Authorization vulnerability in Buddypress

BuddyPress is an open source WordPress plugin to build a community site.

9.0
2021-03-26 CVE-2020-7468 Freebsd Improper Handling of Exceptional Conditions vulnerability in Freebsd

In FreeBSD 12.2-STABLE before r365772, 11.4-STABLE before r365773, 12.1-RELEASE before p10, 11.4-RELEASE before p4 and 11.3-RELEASE before p14 a ftpd(8) bug in the implementation of the file system sandbox, combined with capabilities available to an authenticated FTP user, can be used to escape the file system restriction configured in ftpchroot(5).

9.0
2021-03-26 CVE-2021-20682 Basercms OS Command Injection vulnerability in Basercms

baserCMS versions prior to 4.4.5 allows a remote attacker with an administrative privilege to execute arbitrary OS commands via unspecified vectors.

9.0
2021-03-25 CVE-2020-10583 Invigo OS Command Injection vulnerability in Invigo Automatic Device Management

The /admin/admapi.php script of Invigo Automatic Device Management (ADM) through 5.0 allows remote authenticated attackers to execute arbitrary OS commands on the server as the user running the application.

9.0
2021-03-24 CVE-2021-1411 Cisco Improper Null Termination vulnerability in Cisco Jabber

Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition.

9.0
2021-03-24 CVE-2021-1435 Cisco Path Traversal vulnerability in Cisco IOS XE

A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to inject arbitrary commands that can be executed as the root user.

9.0

65 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-03-26 CVE-2020-25582 Freebsd Improper Privilege Management vulnerability in Freebsd 11.4/12.2

In FreeBSD 12.2-STABLE before r369334, 11.4-STABLE before r369335, 12.2-RELEASE before p4 and 11.4-RELEASE before p8 when a process, such as jexec(8) or killall(1), calls jail_attach(2) to enter a jail, the jailed root can attach to it using ptrace(2) before the current working directory is changed.

8.5
2021-03-26 CVE-2020-25581 Freebsd Race Condition vulnerability in Freebsd 11.4/12.2

In FreeBSD 12.2-STABLE before r369312, 11.4-STABLE before r369313, 12.2-RELEASE before p4 and 11.4-RELEASE before p8 due to a race condition in the jail_remove(2) implementation, it may fail to kill some of the processes.

8.5
2021-03-24 CVE-2021-1443 Cisco Command Injection vulnerability in Cisco IOS XE

A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary code with root privileges on the underlying operating system of an affected device.

8.5
2021-03-24 CVE-2021-1384 Cisco Command Injection vulnerability in Cisco IOS XE

A vulnerability in Cisco IOx application hosting environment of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands into the underlying operating system as the root user.

8.5
2021-03-26 CVE-2020-28695 Askey Code Injection vulnerability in Askey Rtf3505Vw-N1 BR SV G000 R3505Vwn1001 S32 7 Firmware

Askey Fiber Router RTF3505VW-N1 BR_SV_g000_R3505VWN1001_s32_7 devices allow Remote Code Execution and retrieval of admin credentials to log into the Dashboard or login via SSH, leading to code execution as root.

8.3
2021-03-26 CVE-2021-20285 UPX Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in UPX Project UPX 3.96

A flaw was found in upx canPack in p_lx_elf.cpp in UPX 3.96.

8.3
2021-03-23 CVE-2021-29067 Netgear Improper Authentication vulnerability in Netgear products

Certain NETGEAR devices are affected by authentication bypass.

8.3
2021-03-23 CVE-2021-29066 Netgear Improper Authentication vulnerability in Netgear products

Certain NETGEAR devices are affected by authentication bypass.

8.3
2021-03-23 CVE-2021-29065 Netgear Improper Authentication vulnerability in Netgear Rbr850 Firmware

NETGEAR RBR850 devices before 3.2.10.11 are affected by authentication bypass.

8.3
2021-03-25 CVE-2021-20217 Privoxy
Fedoraproject
Reachable Assertion vulnerability in multiple products

A flaw was found in Privoxy in versions before 3.0.31.

7.8
2021-03-25 CVE-2021-20216 Privoxy
Fedoraproject
Resource Exhaustion vulnerability in multiple products

A flaw was found in Privoxy in versions before 3.0.31.

7.8
2021-03-25 CVE-2021-20215 Privoxy
Redhat
Fedoraproject
Memory Leak vulnerability in multiple products

A flaw was found in Privoxy in versions before 3.0.29.

7.8
2021-03-25 CVE-2021-20214 Privoxy
Redhat
Fedoraproject
Memory Leak vulnerability in multiple products

A flaw was found in Privoxy in versions before 3.0.29.

7.8
2021-03-25 CVE-2021-20212 Privoxy
Redhat
Fedoraproject
Memory Leak vulnerability in multiple products

A flaw was found in Privoxy in versions before 3.0.29.

7.8
2021-03-25 CVE-2021-20211 Privoxy
Redhat
Fedoraproject
Memory Leak vulnerability in multiple products

A flaw was found in Privoxy in versions before 3.0.29.

7.8
2021-03-25 CVE-2021-20210 Privoxy
Redhat
Fedoraproject
Memory Leak vulnerability in multiple products

A flaw was found in Privoxy in versions before 3.0.29.

7.8
2021-03-25 CVE-2020-35502 Privoxy
Redhat
Fedoraproject
Memory Leak vulnerability in multiple products

A flaw was found in Privoxy in versions before 3.0.29.

7.8
2021-03-25 CVE-2021-20679 Fujixerox Unspecified vulnerability in Fujixerox products

Fuji Xerox multifunction devices and printers (DocuCentre-VII C7773/C6673/C5573/C4473/C3373/C3372/C2273, DocuCentre-VII C7788/C6688/C5588, ApeosPort-VII C7773/C6673/C5573/C4473/C3373/C3372 C2273, ApeosPort-VII C7788/C6688/C5588, ApeosPort C7070/C6570/C5570/C4570/C3570/C3070/C7070G/C6570G/C5570G/C4570G/C3570G/C3070G, ApeosPort-VII C4421/C3321, ApeosPort C3060/C2560/C2060/C3060G/C2560G/C2060G, ApeosPort-VII CP4421, ApeosPort Print C5570, ApeosPort 5570/4570/5570G/4570G, ApeosPort 3560/3060/2560/3560G/3060G/2560G, ApeosPort-VII 5021/ 4021, ApeosPort-VII P5021, DocuPrint CP 555 d/505 d, DocuPrint P505 d, PrimeLink C9065/C9070, DocuPrint CP475AP, and DocuPrint P475AP) allow an attacker to cause a denial of service (DoS) condition and abnormal end (ABEND) of the affected products via sending a specially crafted command.

7.8
2021-03-24 CVE-2021-1373 Cisco Buffer Over-read vulnerability in Cisco IOS XE

A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Wireless Controller Software for the Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition of an affected device.

7.8
2021-03-24 CVE-2021-1431 Cisco Improper Input Validation vulnerability in Cisco IOS XE

A vulnerability in the vDaemon process of Cisco IOS XE SD-WAN Software could allow an unauthenticated, remote attacker to cause a device to reload, resulting a denial of service (DoS) condition.

7.8
2021-03-23 CVE-2021-21348 Xstream Project
Debian
Deserialization of Untrusted Data vulnerability in multiple products

XStream is a Java library to serialize objects to XML and back again.

7.8
2021-03-26 CVE-2020-7461 Freebsd
Siemens
Out-of-bounds Write vulnerability in multiple products

In FreeBSD 12.1-STABLE before r365010, 11.4-STABLE before r365011, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, dhclient(8) fails to handle certain malformed input related to handling of DHCP option 119 resulting a heap overflow.

7.5
2021-03-26 CVE-2021-21403 Kongchuanhujiao Project Authentication Bypass by Primary Weakness vulnerability in Kongchuanhujiao Project Kongchuanhujiao

In github.com/kongchuanhujiao/server before version 1.3.21 there is an authentication Bypass by Primary Weakness vulnerability.

7.5
2021-03-26 CVE-2021-1628 Salesforce XXE vulnerability in Salesforce Mule

MuleSoft is aware of a XML External Entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers.

7.5
2021-03-26 CVE-2021-1627 Salesforce Server-Side Request Forgery (SSRF) vulnerability in Salesforce Mule

MuleSoft is aware of a Server Side Request Forgery vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers.

7.5
2021-03-26 CVE-2021-1626 Salesforce Unspecified vulnerability in Salesforce Mule

MuleSoft is aware of a Remote Code Execution vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers.

7.5
2021-03-26 CVE-2020-19625 Gridx Project Unspecified vulnerability in Gridx Project Gridx 1.3

Remote Code Execution Vulnerability in tests/support/stores/test_grid_filter.php in oria gridx 1.3, allows remote attackers to execute arbitrary code, via crafted value to the $query parameter.

7.5
2021-03-25 CVE-2021-27440 GE Use of Hard-coded Credentials vulnerability in GE Reason Dr60 Firmware

The software contains a hard-coded password it uses for its own inbound authentication or for outbound communication to external components on the Reason DR60 (all firmware versions prior to 02A04.1).

7.5
2021-03-25 CVE-2020-10582 Invigo SQL Injection vulnerability in Invigo Automatic Device Management

A SQL injection on the /admin/display_errors.php script of Invigo Automatic Device Management (ADM) through 5.0 allows remote attackers to execute arbitrary SQL requests (including data reading and modification) on the database.

7.5
2021-03-25 CVE-2021-27193 Netop Incorrect Default Permissions vulnerability in Netop Vision PRO

Incorrect default permissions vulnerability in the API of Netop Vision Pro up to and including 9.7.1 allows a remote unauthenticated attacker to read and write files on the remote machine with system privileges resulting in a privilege escalation.

7.5
2021-03-25 CVE-2021-21783 Genivia Integer Overflow or Wraparound vulnerability in Genivia Gsoap 2.8.107

A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107.

7.5
2021-03-25 CVE-2021-22659 Rockwellautomation Classic Buffer Overflow vulnerability in Rockwellautomation Micrologix 1400 Firmware

Rockwell Automation MicroLogix 1400 Version 21.6 and below may allow a remote unauthenticated attacker to send a specially crafted Modbus packet allowing the attacker to retrieve or modify random values in the register.

7.5
2021-03-24 CVE-2020-7853 Tobesoft Out-of-bounds Read vulnerability in Tobesoft Xplatform

An outbound read/write vulnerability exists in XPLATFORM that does not check offset input ranges, allowing out-of-range data to be read.

7.5
2021-03-24 CVE-2020-7839 Markany Improper Input Validation vulnerability in Markany Maepsbroker

In MaEPSBroker 2.5.0.31 and prior, a command injection vulnerability caused by improper input validation checks when parsing brokerCommand parameter.

7.5
2021-03-24 CVE-2020-35337 Thinksaas SQL Injection vulnerability in Thinksaas 2.6/2.91

ThinkSAAS before 3.38 contains a SQL injection vulnerability through app/topic/action/admin/topic.php via the title parameter, which allows remote attackers to execute arbitrary SQL commands.

7.5
2021-03-24 CVE-2021-28967 Microsoft Unspecified vulnerability in Microsoft Visual Studio Code

The unofficial MATLAB extension before 2.0.1 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace because of lint configuration settings.

7.5
2021-03-23 CVE-2021-23274 Tibco Improper Restriction of Rendered UI Layers or Frames vulnerability in Tibco products

The Config UI component of TIBCO Software Inc.'s TIBCO API Exchange Gateway and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric contains a vulnerability that theoretically allows an unauthenticated attacker with network access to execute a clickjacking attack on the affected system.

7.5
2021-03-23 CVE-2020-28503 Gulpjs Unspecified vulnerability in Gulpjs Copy-Props

The package copy-props before 2.0.5 are vulnerable to Prototype Pollution via the main functionality.

7.5
2021-03-23 CVE-2021-21355 Typo3 Files or Directories Accessible to External Parties vulnerability in Typo3

TYPO3 is an open source PHP based web content management system.

7.5
2021-03-23 CVE-2021-21350 Xstream Project
Debian
Unrestricted Upload of File with Dangerous Type vulnerability in multiple products

XStream is a Java library to serialize objects to XML and back again.

7.5
2021-03-23 CVE-2021-21347 Xstream Project
Debian
Unrestricted Upload of File with Dangerous Type vulnerability in multiple products

XStream is a Java library to serialize objects to XML and back again.

7.5
2021-03-23 CVE-2021-21346 Xstream Project
Debian
Unrestricted Upload of File with Dangerous Type vulnerability in multiple products

XStream is a Java library to serialize objects to XML and back again.

7.5
2021-03-23 CVE-2021-21344 Xstream Project
Debian
Unrestricted Upload of File with Dangerous Type vulnerability in multiple products

XStream is a Java library to serialize objects to XML and back again.

7.5
2021-03-22 CVE-2021-26295 Apache Deserialization of Untrusted Data vulnerability in Apache Ofbiz

Apache OFBiz has unsafe deserialization prior to 17.12.06.

7.5
2021-03-22 CVE-2021-28955 GIT BUG Project Uncontrolled Search Path Element vulnerability in Git-Bug Project Git-Bug

git-bug before 0.7.2 has an Uncontrolled Search Path Element.

7.5
2021-03-26 CVE-2021-29266 Linux Use After Free vulnerability in Linux Kernel

An issue was discovered in the Linux kernel before 5.11.9.

7.2
2021-03-26 CVE-2020-7467 Freebsd Improper Privilege Management vulnerability in Freebsd

In FreeBSD 12.2-STABLE before r365767, 11.4-STABLE before r365769, 12.1-RELEASE before p10, 11.4-RELEASE before p4 and 11.3-RELEASE before p14 a number of AMD virtualization instructions operate on host physical addresses, are not subject to nested page table translation, and guest use of these instructions was not trapped.

7.2
2021-03-26 CVE-2021-25372 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0

An improper boundary check in DSP driver prior to SMR Mar-2021 Release 1 allows out of bounds memory access.

7.2
2021-03-26 CVE-2021-25371 Google Unspecified vulnerability in Google Android 10.0/11.0

A vulnerability in DSP driver prior to SMR Mar-2021 Release 1 allows attackers load arbitrary ELF libraries inside DSP.

7.2
2021-03-26 CVE-2021-28249 CA Improper Privilege Management vulnerability in CA Ehealth Performance Manager

** UNSUPPORTED WHEN ASSIGNED ** CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a Dynamically Linked Shared Object Library.

7.2
2021-03-24 CVE-2021-1376 Cisco Improper Verification of Cryptographic Signature vulnerability in Cisco IOS XE

Multiple vulnerabilities in the fast reload feature of Cisco IOS XE Software running on Cisco Catalyst 3850, Cisco Catalyst 9300, and Cisco Catalyst 9300L Series Switches could allow an authenticated, local attacker to either execute arbitrary code on the underlying operating system, install and boot a malicious software image, or execute unsigned binaries on an affected device.

7.2
2021-03-24 CVE-2021-1375 Cisco Improper Verification of Cryptographic Signature vulnerability in Cisco IOS XE

Multiple vulnerabilities in the fast reload feature of Cisco IOS XE Software running on Cisco Catalyst 3850, Cisco Catalyst 9300, and Cisco Catalyst 9300L Series Switches could allow an authenticated, local attacker to either execute arbitrary code on the underlying operating system, install and boot a malicious software image, or execute unsigned binaries on an affected device.

7.2
2021-03-24 CVE-2021-1371 Cisco Improper Privilege Management vulnerability in Cisco IOS XE Sd-Wan 17.2.0

A vulnerability in the role-based access control of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker with read-only privileges to obtain administrative privileges by using the console port when the device is in the default SD-WAN configuration.

7.2
2021-03-24 CVE-2021-1454 Cisco Argument Injection or Modification vulnerability in Cisco IOS XE and IOS XE Sd-Wan

Multiple vulnerabilities in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to access the underlying operating system with root privileges.

7.2
2021-03-24 CVE-2021-1453 Cisco Improper Verification of Cryptographic Signature vulnerability in Cisco IOS XE

A vulnerability in the software image verification functionality of Cisco IOS XE Software for the Cisco Catalyst 9000 Family of switches could allow an unauthenticated, physical attacker to execute unsigned code at system boot time.

7.2
2021-03-24 CVE-2021-1452 Cisco OS Command Injection vulnerability in Cisco IOS XE ROM Monitor

A vulnerability in the ROM Monitor (ROMMON) of Cisco IOS XE Software for Cisco Catalyst IE3200, IE3300, and IE3400 Rugged Series Switches, Cisco Catalyst IE3400 Heavy Duty Series Switches, and Cisco Embedded Services 3300 Series Switches could allow an unauthenticated, physical attacker to execute unsigned code at system boot time.

7.2
2021-03-24 CVE-2021-1441 Oracle OS Command Injection vulnerability in Oracle Cisco IOS XE Software

A vulnerability in the hardware initialization routines of Cisco IOS XE Software for Cisco 1100 Series Industrial Integrated Services Routers and Cisco ESR6300 Embedded Series Routers could allow an authenticated, local attacker to execute unsigned code at system boot time.

7.2
2021-03-24 CVE-2021-1391 Cisco Leftover Debug Code vulnerability in Cisco IOS and IOS XE

A vulnerability in the dragonite debugger of Cisco IOS XE Software could allow an authenticated, local attacker to escalate from privilege level 15 to root privilege.

7.2
2021-03-24 CVE-2021-1390 Cisco Write-what-where Condition vulnerability in Cisco IOS XE

A vulnerability in one of the diagnostic test CLI commands of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary code on an affected device.

7.2
2021-03-24 CVE-2021-1383 Cisco Improper Input Validation vulnerability in Cisco IOS XE

Multiple vulnerabilities in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to access the underlying operating system with root privileges.

7.2
2021-03-24 CVE-2021-1382 Cisco Command Injection vulnerability in Cisco IOS XE

A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands to be executed with root privileges on the underlying operating system.

7.2
2021-03-23 CVE-2021-28819 Tibco Incorrect Authorization vulnerability in Tibco FTL

The Windows Installation component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software.

7.2
2021-03-22 CVE-2021-28972 Linux
Fedoraproject
Classic Buffer Overflow vulnerability in multiple products

In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly.

7.2
2021-03-24 CVE-2021-1446 Cisco Improper Check for Unusual or Exceptional Conditions vulnerability in Cisco IOS XE

A vulnerability in the DNS application layer gateway (ALG) functionality used by Network Address Translation (NAT) in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

7.1
2021-03-24 CVE-2021-1403 Cisco Insufficient Verification of Data Authenticity vulnerability in Cisco IOS XE

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site WebSocket hijacking (CSWSH) attack and cause a denial of service (DoS) condition on an affected device.

7.1

199 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-03-25 CVE-2020-6790 Bosch Uncontrolled Search Path Element vulnerability in Bosch Video Streaming Gateway

Calling an executable through an Uncontrolled Search Path Element in the Bosch Video Streaming Gateway installer up to and including version 6.45.10 potentially allows an attacker to execute arbitrary code on a victim's system.

6.9
2021-03-25 CVE-2020-6789 Bosch Uncontrolled Search Path Element vulnerability in Bosch Monitor Wall 10.00.0164

Loading a DLL through an Uncontrolled Search Path Element in the Bosch Monitor Wall installer up to and including version 10.00.0164 potentially allows an attacker to execute arbitrary code on a victim's system.

6.9
2021-03-25 CVE-2020-6788 Bosch Uncontrolled Search Path Element vulnerability in Bosch Configuration Manager

Loading a DLL through an Uncontrolled Search Path Element in the Bosch Configuration Manager installer up to and including version 7.21.0078 potentially allows an attacker to execute arbitrary code on a victim's system.

6.9
2021-03-25 CVE-2020-6787 Bosch Uncontrolled Search Path Element vulnerability in Bosch Video Client 1.7.6.079

Loading a DLL through an Uncontrolled Search Path Element in the Bosch Video Client installer up to and including version 1.7.6.079 potentially allows an attacker to execute arbitrary code on a victim's system.

6.9
2021-03-25 CVE-2020-6786 Bosch Uncontrolled Search Path Element vulnerability in Bosch Video Recording Manager

Loading a DLL through an Uncontrolled Search Path Element in the Bosch Video Recording Manager installer up to and including version 3.82.0055 for 3.82, up to and including version 3.81.0064 for 3.81 and 3.71 and older potentially allows an attacker to execute arbitrary code on a victim's system.

6.9
2021-03-25 CVE-2020-6785 Bosch Uncontrolled Search Path Element vulnerability in Bosch products

Loading a DLL through an Uncontrolled Search Path Element in Bosch BVMS and BVMS Viewer in versions 10.1.0, 10.0.1, 10.0.0 and 9.0.0 and older potentially allows an attacker to execute arbitrary code on a victim's system.

6.9
2021-03-25 CVE-2020-6771 Bosch Uncontrolled Search Path Element vulnerability in Bosch IP Helper 1.00.0008

Loading a DLL through an Uncontrolled Search Path Element in Bosch IP Helper up to and including version 1.00.0008 potentially allows an attacker to execute arbitrary code on a victim's system.

6.9
2021-03-24 CVE-2021-1281 Cisco Improper Privilege Management vulnerability in Cisco IOS XE

A vulnerability in CLI management in Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to access the underlying operating system as the root user.

6.9
2021-03-24 CVE-2021-1442 Cisco Information Exposure Through Log Files vulnerability in Cisco IOS XE

A vulnerability in a diagnostic command for the Plug-and-Play (PnP) subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to the level of an Administrator user (level 15) on an affected device.

6.9
2021-03-24 CVE-2021-1432 Cisco Injection vulnerability in Cisco IOS XE and IOS XE Sd-Wan

A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system as the root user.

6.9
2021-03-24 CVE-2021-1398 Cisco Leftover Debug Code vulnerability in Cisco IOS XE

A vulnerability in the boot logic of Cisco IOS XE Software could allow an authenticated, local attacker with level 15 privileges or an unauthenticated attacker with physical access to execute arbitrary code on the underlying Linux operating system of an affected device.

6.9
2021-03-24 CVE-2019-19353 Redhat Incorrect Privilege Assignment vulnerability in Redhat Openshift Container Platform 4.0

An insecure modification vulnerability in the /etc/passwd file was found in the operator-framework/hive as shipped in Red Hat Openshift 4.

6.9
2021-03-26 CVE-2021-21374 NIM Lang Improper Certificate Validation vulnerability in Nim-Lang NIM

Nimble is a package manager for the Nim programming language.

6.8
2021-03-26 CVE-2021-21372 NIM Lang Injection vulnerability in Nim-Lang NIM

Nimble is a package manager for the Nim programming language.

6.8
2021-03-25 CVE-2021-29098 Esri Access of Uninitialized Pointer vulnerability in Esri products

Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.

6.8
2021-03-25 CVE-2021-29097 Esri Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Esri products

Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.

6.8
2021-03-25 CVE-2021-29096 Esri Use After Free vulnerability in Esri products

A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.

6.8
2021-03-25 CVE-2021-25354 Samsung Improper Input Validation vulnerability in Samsung Internet

Improper input check in Samsung Internet prior to version 13.2.1.46 allows attackers to launch non-exported activity in Samsung Browser via malicious deeplink.

6.8
2021-03-24 CVE-2020-7852 Hmtalk Out-of-bounds Write vulnerability in Hmtalk Daviewindy 8.98.4/8.98.7/8.98.9

DaviewIndy has a Heap-based overflow vulnerability, triggered when the user opens a malformed ex.j2c format file that is mishandled by Daview.exe.

6.8
2021-03-24 CVE-2021-1471 Cisco Improper Certificate Validation vulnerability in Cisco Jabber

Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition.

6.8
2021-03-24 CVE-2020-36283 Hidglobal Cross-Site Request Forgery (CSRF) vulnerability in Hidglobal Omnikey 5127 Firmware and Omnikey 5427 Firmware

HID OMNIKEY 5427 and OMNIKEY 5127 readers are vulnerable to CSRF when using the EEM driver (Ethernet Emulation Mode).

6.8
2021-03-23 CVE-2020-24994 Libass Project Out-of-bounds Write vulnerability in Libass Project Libass 0.13.3

Stack overflow in the parse_tag function in libass/ass_parse.c in libass before 0.15.0 allows remote attackers to cause a denial of service or remote code execution via a crafted file.

6.8
2021-03-22 CVE-2021-25265 Sophos Unspecified vulnerability in Sophos Connect

A malicious website could execute code remotely in Sophos Connect Client before version 2.1.

6.8
2021-03-22 CVE-2021-28956 Sass Lint Project Unspecified vulnerability in Sass Lint Project Sass Lint

** UNSUPPORTED WHEN ASSIGNED ** The unofficial vscode-sass-lint (aka Sass Lint) extension through 1.0.7 for Visual Studio Code allows attackers to execute arbitrary binaries if the user opens a crafted workspace.

6.8
2021-03-24 CVE-2021-1434 Cisco Files or Directories Accessible to External Parties vulnerability in Cisco IOS XE

A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to overwrite arbitrary files in the underlying file system.

6.6
2021-03-26 CVE-2021-20206 Linuxfoundation Improper Input Validation vulnerability in Linuxfoundation Container Network Interface

An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1.

6.5
2021-03-25 CVE-2021-27438 GE Code Injection vulnerability in GE Reason Dr60 Firmware

The software contains a hard-coded password it uses for its own inbound authentication or for outbound communication to external components on the Reason DR60 (all firmware versions prior to 02A04.1).

6.5
2021-03-25 CVE-2020-10580 Invigo Command Injection vulnerability in Invigo Automatic Device Management

A command injection on the /admin/broadcast.php script of Invigo Automatic Device Management (ADM) through 5.0 allows remote authenticated attackers to execute arbitrary PHP code on the server as the user running the application.

6.5
2021-03-24 CVE-2020-26283 Protocol Improper Encoding or Escaping of Output vulnerability in Protocol Go-Ipfs

go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem.

6.5
2021-03-24 CVE-2021-1469 Cisco Improper Input Validation vulnerability in Cisco Jabber

Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition.

6.5
2021-03-24 CVE-2021-22192 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorized authenticated users to execute arbitrary code on the server.

6.5
2021-03-23 CVE-2021-21380 Xwiki SQL Injection vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

6.5
2021-03-23 CVE-2021-22864 Github Command Injection vulnerability in Github Enterprise Server

A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site.

6.5
2021-03-23 CVE-2021-29068 Netgear Classic Buffer Overflow vulnerability in Netgear products

Certain NETGEAR devices are affected by a buffer overflow by an authenticated user.

6.5
2021-03-23 CVE-2021-21357 Typo3 Improper Input Validation vulnerability in Typo3

TYPO3 is an open source PHP based web content management system.

6.5
2021-03-23 CVE-2021-21351 Xstream Project
Debian
Unrestricted Upload of File with Dangerous Type vulnerability in multiple products

XStream is a Java library to serialize objects to XML and back again.

6.5
2021-03-23 CVE-2021-21345 Xstream Project
Debian
Oracle
Deserialization of Untrusted Data vulnerability in multiple products

XStream is a Java library to serialize objects to XML and back again.

6.5
2021-03-22 CVE-2021-22311 Huawei Incorrect Default Permissions vulnerability in Huawei Manageone 8.0.0/8.0.1

There is an improper permission assignment vulnerability in Huawei ManageOne product.

6.5
2021-03-25 CVE-2021-26715 Mitreid Server-Side Request Forgery (SSRF) vulnerability in Mitreid Connect

The OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Server Side Request Forgery (SSRF) vulnerability.

6.4
2021-03-23 CVE-2021-21342 Xstream Project
Debian
Deserialization of Untrusted Data vulnerability in multiple products

XStream is a Java library to serialize objects to XML and back again.

6.4
2021-03-22 CVE-2021-26070 Atlassian Improper Authentication vulnerability in Atlassian Data Center and Jira

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the `makeRequest` gadget resource.

6.4
2021-03-25 CVE-2021-29095 Esri Access of Uninitialized Pointer vulnerability in Esri Arcgis

Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account.

6.0
2021-03-25 CVE-2021-29094 Esri Classic Buffer Overflow vulnerability in Esri Arcgis

Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account.

6.0
2021-03-25 CVE-2021-29093 Esri Use After Free vulnerability in Esri Arcgis

A use-after-free vulnerability when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account.

6.0
2021-03-24 CVE-2021-1385 Cisco Path Traversal vulnerability in Cisco IOS and IOS XE

A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to conduct directory traversal attacks and read and write files on the underlying operating system or host system.

6.0
2021-03-26 CVE-2021-1629 Tableau Open Redirect vulnerability in Tableau Server

Tableau Server fails to validate certain URLs that are embedded in emails sent to Tableau Server users.

5.8
2021-03-26 CVE-2021-23890 Mcafee Information Exposure vulnerability in Mcafee Epolicy Orchestrator

Information leak vulnerability in the Agent Handler of McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 allows an unauthenticated user to download McAfee product packages (specifically McAfee Agent) available in ePO repository and install them on their own machines to have it managed and then in turn get policy details from the ePO server.

5.8
2021-03-25 CVE-2021-3450 Openssl
Freebsd
Netapp
Windriver
Fedoraproject
Tenable
Oracle
Mcafee
Improper Certificate Validation vulnerability in multiple products

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain.

5.8
2021-03-24 CVE-2021-21385 Mifos Improper Validation of Certificate with Host Mismatch vulnerability in Mifos Mifos-Mobile

Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform.

5.8
2021-03-23 CVE-2020-12483 Vivo Open Redirect vulnerability in Vivo Appstore

The appstore before 8.12.0.0 exposes some of its components, and the attacker can cause remote download and install apps through carefully constructed parameters.

5.8
2021-03-23 CVE-2021-29081 Netgear Out-of-bounds Write vulnerability in Netgear products

Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker.

5.8
2021-03-23 CVE-2021-29079 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

5.8
2021-03-23 CVE-2021-29078 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

5.8
2021-03-23 CVE-2021-29077 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

5.8
2021-03-23 CVE-2021-29076 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

5.8
2021-03-23 CVE-2021-21338 Typo3 Open Redirect vulnerability in Typo3

TYPO3 is an open source PHP based web content management system.

5.8
2021-03-22 CVE-2020-4882 IBM Server-Side Request Forgery (SSRF) vulnerability in IBM Planning Analytics 2.0

IBM Planning Analytics 2.0 could be vulnerable to a Server-Side Request Forgery (SSRF) attack by constucting URLs from user-controlled data .

5.8
2021-03-26 CVE-2021-21411 Oauth2 Proxy Project Incorrect Authorization vulnerability in Oauth2 Proxy Project Oauth2 Proxy 7.0.0

OAuth2-Proxy is an open source reverse proxy that provides authentication with Google, Github or other providers.

5.5
2021-03-25 CVE-2021-25367 Samsung Path Traversal vulnerability in Samsung Notes 2.0.02.31

Path Traversal vulnerability in Samsung Notes prior to version 4.2.00.22 allows attackers to access local files without permission.

5.5
2021-03-24 CVE-2020-26279 Protocol Path Traversal vulnerability in Protocol Go-Ipfs

go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem.

5.5
2021-03-24 CVE-2021-22179 Gitlab Server-Side Request Forgery (SSRF) vulnerability in Gitlab

A vulnerability was discovered in GitLab versions before 12.2.

5.5
2021-03-23 CVE-2021-21401 Nanopb Project Release of Invalid Pointer or Reference vulnerability in Nanopb Project Nanopb

Nanopb is a small code-size Protocol Buffers implementation in ansi C.

5.5
2021-03-22 CVE-2021-25920 Open EMR Incorrect Authorization vulnerability in Open-Emr Openemr

In OpenEMR, versions v2.7.2-rc1 to 6.0.0 are vulnerable to Improper Access Control when creating a new user, which leads to a malicious user able to read and send sensitive messages on behalf of the victim user.

5.5
2021-03-23 CVE-2021-29075 Netgear Out-of-bounds Write vulnerability in Netgear products

Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user.

5.2
2021-03-23 CVE-2021-29074 Netgear Out-of-bounds Write vulnerability in Netgear products

Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user.

5.2
2021-03-23 CVE-2021-29073 Netgear Out-of-bounds Write vulnerability in Netgear products

Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user.

5.2
2021-03-23 CVE-2021-29072 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-03-23 CVE-2021-29071 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-03-23 CVE-2021-29070 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-03-23 CVE-2021-29069 Netgear Command Injection vulnerability in Netgear Wnr2000V5 Firmware, Xr450 Firmware and Xr500 Firmware

Certain NETGEAR devices are affected by command injection by an authenticated user.

5.2
2021-03-26 CVE-2021-20271 RPM
Redhat
Fedoraproject
Insufficient Verification of Data Authenticity vulnerability in multiple products

A flaw was found in RPM's signature check functionality when reading a package file.

5.1
2021-03-23 CVE-2021-20222 Redhat Improper Input Validation vulnerability in Redhat Keycloak

A flaw was found in keycloak.

5.1
2021-03-26 CVE-2021-29249 Btcpayserver Unspecified vulnerability in Btcpayserver Btcpay Server

BTCPay Server before 1.0.6.0, when the payment button is used, has a privacy vulnerability.

5.0
2021-03-26 CVE-2020-7464 Freebsd Injection vulnerability in Freebsd

In FreeBSD 12.2-STABLE before r365730, 11.4-STABLE before r365738, 12.1-RELEASE before p10, 11.4-RELEASE before p4, and 11.3-RELEASE before p14, a programming error in the ure(4) device driver caused some Realtek USB Ethernet interfaces to incorrectly report packets with more than 2048 bytes in a single USB transfer as having a length of only 2048 bytes.

5.0
2021-03-26 CVE-2020-25580 Freebsd Incorrect Authorization vulnerability in Freebsd 11.4/12.2

In FreeBSD 12.2-STABLE before r369346, 11.4-STABLE before r369345, 12.2-RELEASE before p4 and 11.4-RELEASE before p8 a regression in the login.access(5) rule processor has the effect of causing rules to fail to match even when they should not.

5.0
2021-03-26 CVE-2020-25579 Freebsd Information Exposure vulnerability in Freebsd 11.4/12.1/12.2

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 msdosfs(5) was failing to zero-fill a pair of padding fields in the dirent structure, resulting in a leak of three uninitialized bytes.

5.0
2021-03-26 CVE-2020-25578 Freebsd Information Exposure vulnerability in Freebsd 11.4/12.1/12.2

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR.

5.0
2021-03-26 CVE-2021-20289 Redhat
Netapp
Quarkus
Information Exposure Through an Error Message vulnerability in multiple products

A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final.

5.0
2021-03-26 CVE-2020-35518 Redhat Information Exposure vulnerability in Redhat 389 Directory Server

When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not.

5.0
2021-03-26 CVE-2021-22506 Microfocus Information Exposure vulnerability in Microfocus Access Manager

Advance configuration exposing Information Leakage vulnerability in Micro Focus Access Manager product, affects all versions prior to version 5.0.

5.0
2021-03-26 CVE-2021-28248 CA Improper Restriction of Excessive Authentication Attempts vulnerability in CA Ehealth

** UNSUPPORTED WHEN ASSIGNED ** CA eHealth Performance Manager through 6.3.2.12 is affected by Improper Restriction of Excessive Authentication Attempts.

5.0
2021-03-26 CVE-2020-28346 Projectacrn NULL Pointer Dereference vulnerability in Projectacrn Acrn

ACRN through 2.2 has a devicemodel/hw/pci/virtio/virtio.c NULL Pointer Dereference.

5.0
2021-03-25 CVE-2021-3119 Zetetic SQL Injection vulnerability in Zetetic Sqlcipher 4.0/4.4.1/4.4.2

Zetetic SQLCipher 4.x before 4.4.3 has a NULL pointer dereferencing issue related to sqlcipher_export in crypto.c and sqlite3StrICmp in sqlite3.c.

5.0
2021-03-25 CVE-2020-10584 Invigo Path Traversal vulnerability in Invigo Automatic Device Management

A directory traversal on the /admin/search_by.php script of Invigo Automatic Device Management (ADM) through 5.0 allows remote attackers to read arbitrary server files accessible to the user running the application.

5.0
2021-03-25 CVE-2020-10581 Invigo Exposure of Resource to Wrong Sphere vulnerability in Invigo Automatic Device Management

Multiple session validity check issues in several administration functionalities of Invigo Automatic Device Management (ADM) through 5.0 allow remote attackers to read potentially sensitive data hosted by the application.

5.0
2021-03-25 CVE-2020-10579 Invigo Path Traversal vulnerability in Invigo Automatic Device Management

A directory traversal on the /admin/sysmon.php script of Invigo Automatic Device Management (ADM) through 5.0 allows remote attackers to list the content of arbitrary server directories accessible to the user running the application.

5.0
2021-03-25 CVE-2021-27195 Netop Authentication Bypass by Capture-replay vulnerability in Netop Vision PRO

Improper Authorization vulnerability in Netop Vision Pro up to and including to 9.7.1 allows an attacker to replay network traffic.

5.0
2021-03-25 CVE-2021-25368 Samsung Improper Authentication vulnerability in Samsung Cloud

Hijacking vulnerability in Samsung Cloud prior to version 4.7.0.3 allows attackers to intercept when the provider is executed.

5.0
2021-03-25 CVE-2021-22496 Microfocus Improper Authentication vulnerability in Microfocus Access Manager

Authentication Bypass Vulnerability in Micro Focus Access Manager Product, affects all version prior to version 4.5.3.3.

5.0
2021-03-25 CVE-2021-29156 Forgerock Injection vulnerability in Forgerock Openam

ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol.

5.0
2021-03-24 CVE-2021-1460 Cisco Resource Exhaustion vulnerability in Cisco products

A vulnerability in the Cisco IOx Application Framework of Cisco 809 Industrial Integrated Services Routers (Industrial ISRs), Cisco 829 Industrial ISRs, Cisco CGR 1000 Compute Module, and Cisco IC3000 Industrial Compute Gateway could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

5.0
2021-03-24 CVE-2021-1437 Cisco Permission Issues vulnerability in Cisco products

A vulnerability in the FlexConnect Upgrade feature of Cisco Aironet Series Access Points Software could allow an unauthenticated, remote attacker to obtain confidential information from an affected device.

5.0
2021-03-24 CVE-2021-1377 Cisco Resource Management Errors vulnerability in Cisco IOS

A vulnerability in Address Resolution Protocol (ARP) management of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to prevent an affected device from resolving ARP entries for legitimate hosts on the connected subnets.

5.0
2021-03-24 CVE-2020-5015 IBM Unspecified vulnerability in IBM Elastic Storage Server and Elastic Storage System

IBM Elastic Storage System 6.0.0 through 6.0.1.2 and IBM Elastic Storage Server 5.3.0 through 5.3.6.2 could allow a remote attacker to cause a denial of service by sending malformed UDP requests.

5.0
2021-03-24 CVE-2021-28362 Contiki OS Integer Underflow (Wrap or Wraparound) vulnerability in Contiki-Os Contiki

An issue was discovered in Contiki through 3.0.

5.0
2021-03-24 CVE-2021-27320 Doctor Appointment System Project SQL Injection vulnerability in Doctor Appointment System Project Doctor Appointment System 1.0

Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via firstname parameter.

5.0
2021-03-24 CVE-2021-27319 Doctor Appointment System Project SQL Injection vulnerability in Doctor Appointment System Project Doctor Appointment System 1.0

Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via email parameter.

5.0
2021-03-24 CVE-2021-27316 Doctor Appointment System Project SQL Injection vulnerability in Doctor Appointment System Project Doctor Appointment System 1.0

Blind SQL injection in contactus.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via lastname parameter.

5.0
2021-03-24 CVE-2021-27315 Doctor Appointment System Project SQL Injection vulnerability in Doctor Appointment System Project Doctor Appointment System 1.0

Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via the comment parameter.

5.0
2021-03-23 CVE-2019-19343 Redhat Resource Exhaustion vulnerability in Redhat products

A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2.4.

5.0
2021-03-23 CVE-2021-23362 Npmjs Unspecified vulnerability in Npmjs Hosted-Git-Info

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js.

5.0
2021-03-23 CVE-2021-20270 Pygments
Redhat
Fedoraproject
Infinite Loop vulnerability in multiple products

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

5.0
2021-03-23 CVE-2021-21376 Openmicroscopy Information Exposure vulnerability in Openmicroscopy Omero.Web 5.6.3

OMERO.web is open source Django-based software for managing microscopy imaging.

5.0
2021-03-23 CVE-2021-21359 Typo3 Uncontrolled Recursion vulnerability in Typo3

TYPO3 is an open source PHP based web content management system.

5.0
2021-03-23 CVE-2021-21339 Typo3 Cleartext Storage of Sensitive Information vulnerability in Typo3

TYPO3 is an open source PHP based web content management system.

5.0
2021-03-23 CVE-2021-21349 Xstream Project
Debian
Deserialization of Untrusted Data vulnerability in multiple products

XStream is a Java library to serialize objects to XML and back again.

5.0
2021-03-23 CVE-2021-21343 Xstream Project
Debian
External Control of File Name or Path vulnerability in multiple products

XStream is a Java library to serialize objects to XML and back again.

5.0
2021-03-23 CVE-2021-21341 Xstream Project
Debian
Deserialization of Untrusted Data vulnerability in multiple products

XStream is a Java library to serialize objects to XML and back again.

5.0
2021-03-22 CVE-2021-22321 Huawei Use After Free vulnerability in Huawei products

There is a use-after-free vulnerability in a Huawei product.

5.0
2021-03-22 CVE-2021-22320 Huawei Unspecified vulnerability in Huawei products

There is a denial of service vulnerability in Huawei products.

5.0
2021-03-22 CVE-2021-26578 HPE SQL Injection vulnerability in HPE Network Orchestrator

A potential security vulnerability has been identified in HPE Network Orchestrator (NetO) version(s): Prior to 2.5.

5.0
2021-03-22 CVE-2021-22309 Huawei Use of a Broken or Risky Cryptographic Algorithm vulnerability in Huawei products

There is insecure algorithm vulnerability in Huawei products.

5.0
2021-03-22 CVE-2020-9213 Huawei Improper Handling of Exceptional Conditions vulnerability in Huawei products

There is a denial of service vulnerability in some huawei products.

5.0
2021-03-22 CVE-2021-28148 Grafana Improper Authentication vulnerability in Grafana

One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication.

5.0
2021-03-22 CVE-2020-28501 Crawlerdetect Project Unspecified vulnerability in Crawlerdetect Project Crawlerdetect

This affects the package es6-crawler-detect before 3.1.3.

5.0
2021-03-22 CVE-2021-28963 Shibboleth
Debian
Injection vulnerability in multiple products

Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.

5.0
2021-03-22 CVE-2021-26069 Atlassian Injection vulnerability in Atlassian Data Center and Jira

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint.

5.0
2021-03-26 CVE-2020-7463 Freebsd
Apple
Use After Free vulnerability in multiple products

In FreeBSD 12.1-STABLE before r364644, 11.4-STABLE before r364651, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, improper handling in the kernel causes a use-after-free bug by sending large user messages from multiple threads on the same SCTP socket.

4.9
2021-03-26 CVE-2020-7462 Freebsd Use After Free vulnerability in Freebsd 11.3/11.4

In 11.4-PRERELEASE before r360733 and 11.3-RELEASE before p13, improper mbuf handling in the kernel causes a use-after-free bug by sending IPv6 Hop-by-Hop options over the loopback interface.

4.9
2021-03-26 CVE-2021-25370 Google Unspecified vulnerability in Google Android

An incorrect implementation handling file descriptor in dpu driver prior to SMR Mar-2021 Release 1 results in memory corruption leading to kernel panic.

4.9
2021-03-26 CVE-2021-3109 Solarwinds Unspecified vulnerability in Solarwinds Orion Platform

The custom menu item options page in SolarWinds Orion Platform before 2020.2.5 allows Reverse Tabnabbing in the context of an administrator account.

4.9
2021-03-26 CVE-2021-23888 Mcafee Open Redirect vulnerability in Mcafee Epolicy Orchestrator

Unvalidated client-side URL redirect vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 could cause an authenticated ePO user to load an untrusted site in an ePO iframe which could steal information from the authenticated user.

4.9
2021-03-23 CVE-2021-21377 Openmicroscopy Open Redirect vulnerability in Openmicroscopy Omero.Web 5.6.3

OMERO.web is open source Django-based software for managing microscopy imaging.

4.9
2021-03-22 CVE-2021-28971 Linux
Fedoraproject
Resource Exhaustion vulnerability in multiple products

In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6.

4.9
2021-03-22 CVE-2021-27962 Grafana Incorrect Permission Assignment for Critical Resource vulnerability in Grafana

Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.

4.9
2021-03-23 CVE-2021-29080 Netgear Weak Password Recovery Mechanism for Forgotten Password vulnerability in Netgear products

Certain NETGEAR devices are affected by password reset by an unauthenticated attacker.

4.8
2021-03-26 CVE-2021-29265 Linux Race Condition vulnerability in Linux Kernel

An issue was discovered in the Linux kernel before 5.11.7.

4.7
2021-03-26 CVE-2021-29264 Linux Unspecified vulnerability in Linux Kernel

An issue was discovered in the Linux kernel through 5.11.10.

4.7
2021-03-24 CVE-2021-1436 Cisco Path Traversal vulnerability in Cisco IOS XE

A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to conduct path traversal attacks and obtain read access to sensitive files on an affected system.

4.7
2021-03-26 CVE-2021-28250 CA Improper Privilege Management vulnerability in CA Ehealth Performance Manager

** UNSUPPORTED WHEN ASSIGNED ** CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a setuid (and/or setgid) file.

4.6
2021-03-25 CVE-2021-27454 GE Improper Privilege Management vulnerability in GE Reason Dr60 Firmware

The software performs an operation at a privilege level higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses on the Reason DR60 (all firmware versions prior to 02A04.1).

4.6
2021-03-25 CVE-2021-27450 GE Inadequate Encryption Strength vulnerability in GE Mu320E Firmware

SSH server configuration file does not implement some best practices.

4.6
2021-03-25 CVE-2021-27448 GE Improper Privilege Management vulnerability in GE Mu320E Firmware

A miscommunication in the file system allows adversaries with access to the MU320E to escalate privileges on the MU320E (all firmware versions prior to v04A00.1).

4.6
2021-03-25 CVE-2021-27192 Netop Improper Privilege Management vulnerability in Netop Vision PRO

Local privilege escalation vulnerability in Windows clients of Netop Vision Pro up to and including 9.7.1 allows a local user to gain administrator privileges whilst using the clients.

4.6
2021-03-25 CVE-2021-25355 Samsung Incorrect Default Permissions vulnerability in Samsung Notes 2.0.02.31

Using unsafe PendingIntent in Samsung Notes prior to version 4.2.00.22 allows local attackers unauthorized action without permission via hijacking the PendingIntent.

4.6
2021-03-25 CVE-2021-25352 Samsung Incorrect Authorization vulnerability in Samsung Bixby Voice

Using PendingIntent with implicit intent in Bixby Voice prior to version 3.0.52.14 allows attackers to execute privileged action by hijacking and modifying the intent.

4.6
2021-03-25 CVE-2021-25349 Samsung Incorrect Authorization vulnerability in Samsung Slow Motion Editor

Using unsafe PendingIntent in Slow Motion Editor prior to version 3.5.18.5 allows local attackers unauthorized action without permission via hijacking the PendingIntent.

4.6
2021-03-24 CVE-2021-1449 Cisco Improper Access Control vulnerability in Cisco products

A vulnerability in the boot logic of Cisco Access Points Software could allow an authenticated, local attacker to execute unsigned code at boot time.

4.6
2021-03-24 CVE-2019-19354 Redhat Improper Privilege Management vulnerability in Redhat Openshift Container Platform 4.4

An insecure modification vulnerability in the /etc/passwd file was found in the operator-framework/hadoop as shipped in Red Hat Openshift 4.

4.6
2021-03-24 CVE-2019-19350 Redhat Incorrect Privilege Assignment vulnerability in Redhat Openshift 3.11/4.0

An insecure modification vulnerability in the /etc/passwd file was found in the openshift/ansible-service-broker as shipped in Red Hat Openshift 4 and 3.11.

4.6
2021-03-23 CVE-2021-3409 Qemu
Redhat
Fedoraproject
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code.

4.6
2021-03-23 CVE-2021-28824 Tibco Incorrect Authorization vulnerability in Tibco Activespaces

The Windows Installation component of TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition, TIBCO ActiveSpaces - Developer Edition, and TIBCO ActiveSpaces - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software.

4.6
2021-03-23 CVE-2021-28823 Tibco Incorrect Authorization vulnerability in Tibco Eftl

The Windows Installation component of TIBCO Software Inc.'s TIBCO eFTL - Community Edition, TIBCO eFTL - Developer Edition, and TIBCO eFTL - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software.

4.6
2021-03-23 CVE-2021-28822 Tibco Uncontrolled Search Path Element vulnerability in Tibco Enterprise Message Service

The Enterprise Message Service Server (tibemsd), Enterprise Message Service Central Administration (tibemsca), Enterprise Message Service JSON configuration generator (tibemsconf2json), and Enterprise Message Service C API components of TIBCO Software Inc.'s TIBCO Enterprise Message Service, TIBCO Enterprise Message Service - Community Edition, and TIBCO Enterprise Message Service - Developer Edition contain a vulnerability that theoretically allows a low privileged attacker with local access on the Windows operating system to insert malicious software.

4.6
2021-03-23 CVE-2021-28821 Tibco Incorrect Authorization vulnerability in Tibco Enterprise Message Service

The Windows Installation component of TIBCO Software Inc.'s TIBCO Enterprise Message Service, TIBCO Enterprise Message Service - Community Edition, and TIBCO Enterprise Message Service - Developer Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software.

4.6
2021-03-23 CVE-2021-28820 Tibco Uncontrolled Search Path Element vulnerability in Tibco FTL

The FTL Server (tibftlserver), FTL C API, FTL Golang API, FTL Java API, and FTL .Net API components of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contain a vulnerability that theoretically allows a low privileged attacker with local access on the Windows operating system to insert malicious software.

4.6
2021-03-23 CVE-2021-28818 Tibco Improper Privilege Management vulnerability in Tibco Rendezvous

The Rendezvous Routing Daemon (rvrd), Rendezvous Secure Routing Daemon (rvrsd), Rendezvous Secure Daemon (rvsd), Rendezvous Cache (rvcache), Rendezvous Secure C API, Rendezvous Java API, and Rendezvous .Net API components of TIBCO Software Inc.'s TIBCO Rendezvous and TIBCO Rendezvous Developer Edition contain a vulnerability that theoretically allows a low privileged attacker with local access on the Windows operating system to insert malicious software.

4.6
2021-03-23 CVE-2021-28817 Tibco Improper Privilege Management vulnerability in Tibco Rendezvous

The Windows Installation component of TIBCO Software Inc.'s TIBCO Rendezvous and TIBCO Rendezvous Developer Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software.

4.6
2021-03-23 CVE-2021-3444 Linux Incorrect Conversion between Numeric Types vulnerability in Linux Kernel

The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0.

4.6
2021-03-23 CVE-2020-7346 Mcafee Improper Privilege Management vulnerability in Mcafee Data Loss Prevention

Privilege Escalation vulnerability in McAfee Data Loss Prevention (DLP) for Windows prior to 11.6.100 allows a local, low privileged, attacker through the use of junctions to cause the product to load DLLs of the attacker's choosing.

4.6
2021-03-22 CVE-2021-22314 Huawei Improper Privilege Management vulnerability in Huawei Manageone 6.5.1/6.5.1.1

There is a local privilege escalation vulnerability in some versions of ManageOne.

4.6
2021-03-22 CVE-2020-9206 Huawei Unspecified vulnerability in Huawei Eudc660 Firmware V100R005C00

The eUDC660 product has a resource management vulnerability.

4.6
2021-03-26 CVE-2020-35508 Linux
Redhat
Improper Initialization vulnerability in multiple products

A flaw possibility of race condition and incorrect initialization of the process id was found in the Linux kernel child/parent process identification handling while filtering signal handlers.

4.4
2021-03-26 CVE-2021-28246 CA Untrusted Search Path vulnerability in CA Ehealth

** UNSUPPORTED WHEN ASSIGNED ** CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a Dynamically Linked Shared Object Library.

4.4
2021-03-24 CVE-2019-19352 Redhat Incorrect Privilege Assignment vulnerability in Redhat Openshift Container Platform 4.0

An insecure modification vulnerability in the /etc/passwd file was found in the operator-framework/presto as shipped in Red Hat Openshift 4.

4.4
2021-03-24 CVE-2019-19349 Redhat Incorrect Privilege Assignment vulnerability in Redhat Openshift 4.0

An insecure modification vulnerability in the /etc/passwd file was found in the container operator-framework/operator-metering as shipped in Red Hat Openshift 4.

4.4
2021-03-27 CVE-2021-29272 Microco Cross-site Scripting vulnerability in Microco Bluemonday

bluemonday before 1.0.5 allows XSS because certain Go lowercasing converts an uppercase Cyrillic character, defeating a protection mechanism against the "script" string.

4.3
2021-03-27 CVE-2021-29271 Remark42 Cross-site Scripting vulnerability in Remark42

remark42 before 1.6.1 allows XSS, as demonstrated by "Locator: Locator{URL:" followed by an XSS payload.

4.3
2021-03-26 CVE-2021-21373 NIM Lang Improper Certificate Validation vulnerability in Nim-Lang NIM

Nimble is a package manager for the Nim programming language.

4.3
2021-03-26 CVE-2021-21332 Matrix Cross-site Scripting vulnerability in Matrix Synapse

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse).

4.3
2021-03-26 CVE-2021-22886 Rocket Chat Cross-site Scripting vulnerability in Rocket.Chat

Rocket.Chat before 3.11, 3.10.5, 3.9.7, 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags allowing a remote attacker to inject arbitrary JavaScript in a message.

4.3
2021-03-26 CVE-2021-20284 GNU Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in GNU Binutils 2.35.1

A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due to the number of symbols not calculated correctly.

4.3
2021-03-26 CVE-2021-20193 GNU Memory Leak vulnerability in GNU TAR

A flaw was found in the src/list.c of tar 1.33 and earlier.

4.3
2021-03-26 CVE-2020-27829 Imagemagick Heap-based Buffer Overflow vulnerability in Imagemagick

A heap based buffer overflow in coders/tiff.c may result in program crash and denial of service in ImageMagick before 7.0.10-45.

4.3
2021-03-26 CVE-2020-25840 Microfocus Cross-site Scripting vulnerability in Microfocus Access Manager

Cross-Site scripting vulnerability in Micro Focus Access Manager product, affects all version prior to version 5.0.

4.3
2021-03-26 CVE-2021-3275 TP Link Cross-site Scripting vulnerability in Tp-Link products

Unauthenticated stored cross-site scripting (XSS) exists in multiple TP-Link products including WIFI Routers (Wireless AC routers), Access Points, ADSL + DSL Gateways and Routers, which affects TD-W9977v1, TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5, and Archer C3150v2 devices through the improper validation of the hostname.

4.3
2021-03-26 CVE-2020-23517 Aryanic Cross-site Scripting vulnerability in Aryanic High CMS

Cross Site Scripting (XSS) vulnerability in Aryanic HighMail (High CMS) versions 2020 and before allows remote attackers to inject arbitrary web script or HTML, via 'user' to LoginForm.

4.3
2021-03-25 CVE-2021-22889 Revive Adserver Cross-site Scripting vulnerability in Revive-Adserver Revive Adserver

Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the `statsBreakdown` parameter of stats.php (and possibly other scripts) due to single quotes not being escaped.

4.3
2021-03-25 CVE-2021-22888 Revive Adserver Cross-site Scripting vulnerability in Revive-Adserver Revive Adserver

Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the `status` parameter of campaign-zone-zones.php.

4.3
2021-03-25 CVE-2021-3467 Jasper Project
Fedoraproject
NULL Pointer Dereference vulnerability in multiple products

A NULL pointer dereference flaw was found in the way Jasper versions before 2.0.26 handled component references in CDEF box in the JP2 image format decoder.

4.3
2021-03-25 CVE-2021-3443 Jasper Project
Redhat
Fedoraproject
NULL Pointer Dereference vulnerability in multiple products

A NULL pointer dereference flaw was found in the way Jasper versions before 2.0.27 handled component references in the JP2 image format decoder.

4.3
2021-03-25 CVE-2021-20213 Privoxy
Redhat
Fedoraproject
NULL Pointer Dereference vulnerability in multiple products

A flaw was found in Privoxy in versions before 3.0.29.

4.3
2021-03-25 CVE-2021-3449 Openssl
Debian
Freebsd
Netapp
Tenable
Fedoraproject
Mcafee
Checkpoint
Oracle
Sonicwall
Siemens
NULL Pointer Dereference vulnerability in multiple products

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client.

4.3
2021-03-24 CVE-2021-1394 Cisco Resource Management Errors vulnerability in Cisco IOS XE

A vulnerability in the ingress traffic manager of Cisco IOS XE Software for Cisco Network Convergence System (NCS) 520 Routers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition in the web management interface of an affected device.

4.3
2021-03-23 CVE-2021-27310 Csphere Cross-site Scripting vulnerability in Csphere Clansphere 2011.4

Clansphere CMS 2011.4 allows unauthenticated reflected XSS via "language" parameter.

4.3
2021-03-23 CVE-2021-27309 Csphere Cross-site Scripting vulnerability in Csphere Clansphere 2011.4

Clansphere CMS 2011.4 allows unauthenticated reflected XSS via "module" parameter.

4.3
2021-03-22 CVE-2021-25922 Open EMR Cross-site Scripting vulnerability in Open-Emr Openemr

In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly.

4.3
2021-03-22 CVE-2021-27596 SAP Improper Input Validation vulnerability in SAP 3D Visual Enterprise Viewer 9

When a user opens manipulated Autodesk 3D Studio for MS-DOS (.3DS) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application.

4.3
2021-03-22 CVE-2021-27595 SAP Improper Input Validation vulnerability in SAP 3D Visual Enterprise Viewer 9

When a user opens manipulated Portable Document Format (.PDF) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application.

4.3
2021-03-22 CVE-2021-27594 SAP Improper Input Validation vulnerability in SAP 3D Visual Enterprise Viewer 9

When a user opens manipulated Windows Bitmap (.BMP) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application.

4.3
2021-03-22 CVE-2021-27593 SAP Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9

When a user opens manipulated Graphics Interchange Format (.GIF) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until restart of the application.

4.3
2021-03-26 CVE-2021-21396 Wire Information Exposure vulnerability in Wire Server 20210216/20210225

wire-server is an open-source back end for Wire, a secure collaboration platform.

4.0
2021-03-26 CVE-2021-22180 Gitlab Incorrect Authorization vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 13.4.

4.0
2021-03-26 CVE-2021-22172 Gitlab Incorrect Authorization vulnerability in Gitlab

Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page

4.0
2021-03-26 CVE-2021-3153 Hashicorp Incorrect Authorization vulnerability in Hashicorp Terraform Enterprise 2020071

HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that required users within an organization to have two-factor authentication enabled.

4.0
2021-03-26 CVE-2021-3027 Librit Improper Input Validation vulnerability in Librit Passhport

app/views_mod/user/user.py in LibrIT PaSSHport through 2.5 is affected by LDAP Injection.

4.0
2021-03-25 CVE-2021-26597 Nokia Unrestricted Upload of File with Dangerous Type vulnerability in Nokia Netact 18A

An issue was discovered in Nokia NetAct 18A.

4.0
2021-03-24 CVE-2021-1418 Cisco Improper Null Termination vulnerability in Cisco Jabber

Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition.

4.0
2021-03-24 CVE-2021-1417 Cisco Information Exposure vulnerability in Cisco Jabber

Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition.

4.0
2021-03-24 CVE-2021-22169 Gitlab Information Exposure vulnerability in Gitlab

An issue was identified in GitLab EE 13.4 or later which leaked internal IP address via error messages.

4.0
2021-03-24 CVE-2021-22186 Gitlab Incorrect Authorization vulnerability in Gitlab

An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables which should be restricted to group owners

4.0
2021-03-24 CVE-2021-22178 Gitlab Server-Side Request Forgery (SSRF) vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 13.2.

4.0
2021-03-24 CVE-2021-22176 Gitlab Incorrect Authorization vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting with 3.0.1.

4.0
2021-03-24 CVE-2020-15809 Spinetix Path Traversal vulnerability in Spinetix products

spxmanage on certain SpinetiX devices allows requests that access unintended resources because of SSRF and Path Traversal.

4.0
2021-03-23 CVE-2021-21402 Jellyfin Path Traversal vulnerability in Jellyfin

Jellyfin is a Free Software Media System.

4.0
2021-03-22 CVE-2020-9212 Huawei Unspecified vulnerability in Huawei Usg9500 Firmware

There is a vulnerability in some version of USG9500 that the device improperly handles the information when a user logs in to device.

4.0
2021-03-22 CVE-2021-28146 Grafana Incorrect Authorization vulnerability in Grafana

The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue.

4.0
2021-03-22 CVE-2021-21438 Otrs Incorrect Default Permissions vulnerability in Otrs FAQ and Otrs

Agents are able to see linked FAQ articles without permissions (defined in FAQ Category).

4.0
2021-03-22 CVE-2021-21437 Otrs Missing Authorization vulnerability in Otrs products

Agents are able to see linked Config Items without permissions, which are defined in General Catalog.

4.0

71 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-03-25 CVE-2021-25366 Samsung Incorrect Authorization vulnerability in Samsung Internet

Improper access control in Samsung Internet prior to version 13.2.1.70 allows physically proximate attackers to bypass the secret mode's authentication.

3.6
2021-03-25 CVE-2021-25353 Samsung Unspecified vulnerability in Samsung Galaxy Themes

Using empty PendingIntent in Galaxy Themes prior to version 5.2.00.1215 allows local attackers to read/write private file directories of Galaxy Themes application without permission via hijacking the PendingIntent.

3.6
2021-03-25 CVE-2021-1492 DUO Windows Shortcut Following (.LNK) vulnerability in DUO Authentication Proxy

The Duo Authentication Proxy installer prior to 5.2.1 did not properly validate file installation paths.

3.6
2021-03-24 CVE-2021-1381 Cisco Leftover Debug Code vulnerability in Cisco IOS XE

A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker with high privileges or an unauthenticated attacker with physical access to the device to open a debugging console.

3.6
2021-03-23 CVE-2021-28099 Netflix Unspecified vulnerability in Netflix Hollow

In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions.

3.6
2021-03-26 CVE-2020-35856 Solarwinds Cross-site Scripting vulnerability in Solarwinds Orion Platform

SolarWinds Orion Platform before 2020.2.5 allows stored XSS attacks by an administrator on the Customize View page.

3.5
2021-03-26 CVE-2020-19626 Craftcms Cross-site Scripting vulnerability in Craftcms Craft CMS 3.1.31

Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.

3.5
2021-03-26 CVE-2021-23889 Mcafee Cross-site Scripting vulnerability in Mcafee Epolicy Orchestrator

Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 allows ePO administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized.

3.5
2021-03-26 CVE-2021-20683 Basercms Cross-site Scripting vulnerability in Basercms

Improper neutralization of JavaScript input in the blog article editing function of baserCMS versions prior to 4.4.5 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors.

3.5
2021-03-26 CVE-2021-20681 Basercms Cross-site Scripting vulnerability in Basercms

Improper neutralization of JavaScript input in the page editing function of baserCMS versions prior to 4.4.5 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors.

3.5
2021-03-26 CVE-2021-20677 Necplatforms Unspecified vulnerability in Necplatforms products

UNIVERGE Aspire series PBX (UNIVERGE Aspire WX from 1.00 to 3.51, UNIVERGE Aspire UX from 1.00 to 9.70, UNIVERGE SV9100 from 1.00 to 10.70, and SL2100 from 1.00 to 3.00) allows a remote authenticated attacker to cause system down and a denial of service (DoS) condition by sending a specially crafted command.

3.5
2021-03-26 CVE-2021-28247 CA Cross-site Scripting vulnerability in CA Ehealth Performance Manager

** UNSUPPORTED WHEN ASSIGNED ** CA eHealth Performance Manager through 6.3.2.12 is affected by Cross Site Scripting (XSS).

3.5
2021-03-25 CVE-2021-29010 Seopanel Cross-site Scripting vulnerability in Seopanel SEO Panel 4.8.0

A cross-site scripting (XSS) issue in SEO Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php in the "report_type" parameter.

3.5
2021-03-25 CVE-2021-29009 Seopanel Cross-site Scripting vulnerability in Seopanel SEO Panel 4.8.0

A cross-site scripting (XSS) issue in SEO Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php in the "type" parameter.

3.5
2021-03-25 CVE-2021-29008 Seopanel Cross-site Scripting vulnerability in Seopanel SEO Panel 4.8.0

A cross-site scripting (XSS) issue in SEO Panel 4.8.0 allows remote attackers to inject JavaScript via webmaster-tools.php in the "to_time" parameter.

3.5
2021-03-25 CVE-2021-26596 Nokia Cross-site Scripting vulnerability in Nokia Netact 18A

An issue was discovered in Nokia NetAct 18A.

3.5
2021-03-24 CVE-2021-1374 Cisco Cross-site Scripting vulnerability in Cisco IOS XE

A vulnerability in the web-based management interface of Cisco IOS XE Wireless Controller software for the Catalyst 9000 Family of switches could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against another user of the web-based management interface of an affected device.

3.5
2021-03-24 CVE-2021-1356 Cisco Improper Handling of Exceptional Conditions vulnerability in Cisco IOS XE

Multiple vulnerabilities in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker with read-only privileges to cause the web UI software to become unresponsive and consume vty line instances, resulting in a denial of service (DoS) condition.

3.5
2021-03-24 CVE-2021-1220 Cisco Improper Input Validation vulnerability in Cisco IOS XE

Multiple vulnerabilities in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker with read-only privileges to cause the web UI software to become unresponsive and consume vty line instances, resulting in a denial of service (DoS) condition.

3.5
2021-03-24 CVE-2021-22193 Gitlab Information Exposure Through an Error Message vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting with 7.1.

3.5
2021-03-24 CVE-2021-22185 Gitlab Cross-site Scripting vulnerability in Gitlab

Insufficient input sanitization in wikis in GitLab version 13.8 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted commit to a wiki

3.5
2021-03-24 CVE-2021-29002 Plone Cross-site Scripting vulnerability in Plone 5.2.3

A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists in site-controlpanel via the "form.widgets.site_title" parameter.

3.5
2021-03-24 CVE-2021-29033 Bitweaver Cross-site Scripting vulnerability in Bitweaver 3.1.0

A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/edit_group.php URI.

3.5
2021-03-24 CVE-2021-29032 Bitweaver Cross-site Scripting vulnerability in Bitweaver 3.1.0

A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/preferences.php URI.

3.5
2021-03-24 CVE-2021-29031 Bitweaver Cross-site Scripting vulnerability in Bitweaver 3.1.0

A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/users_import.php URI.

3.5
2021-03-24 CVE-2021-29030 Bitweaver Cross-site Scripting vulnerability in Bitweaver 3.1.0

A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/index.php URI.

3.5
2021-03-24 CVE-2021-29029 Bitweaver Cross-site Scripting vulnerability in Bitweaver 3.1.0

A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/edit_personal_page.php URI.

3.5
2021-03-24 CVE-2021-29028 Bitweaver Cross-site Scripting vulnerability in Bitweaver 3.1.0

A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/user_activity.php URI.

3.5
2021-03-24 CVE-2021-29027 Bitweaver Cross-site Scripting vulnerability in Bitweaver 3.1.0

A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/index.php URI.

3.5
2021-03-24 CVE-2021-29026 Bitweaver Cross-site Scripting vulnerability in Bitweaver 3.1.0

A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/permissions.php URI.

3.5
2021-03-24 CVE-2021-29025 Bitweaver Cross-site Scripting vulnerability in Bitweaver 3.1.0

A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/my_images.php URI.

3.5
2021-03-23 CVE-2021-27969 Boonex Cross-site Scripting vulnerability in Boonex Dolphin 7.4.2

Dolphin CMS 7.4.2 is vulnerable to stored XSS via the Page Builder "width" parameter.

3.5
2021-03-23 CVE-2021-27531 Dynpg Cross-site Scripting vulnerability in Dynpg 4.9.2

A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "query" parameter.

3.5
2021-03-23 CVE-2021-27530 Dynpg Cross-site Scripting vulnerability in Dynpg 4.9.2

A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allow remote attacker to inject javascript via URI in /index.php.

3.5
2021-03-23 CVE-2021-27529 Dynpg Cross-site Scripting vulnerability in Dynpg 4.9.2

A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "limit" parameter.

3.5
2021-03-23 CVE-2021-27528 Dynpg Cross-site Scripting vulnerability in Dynpg 4.9.2

A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "refID" parameter.

3.5
2021-03-23 CVE-2021-27527 Dynpg Cross-site Scripting vulnerability in Dynpg 4.9.2

A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "valueID" parameter.

3.5
2021-03-23 CVE-2021-27526 Dynpg Cross-site Scripting vulnerability in Dynpg 4.9.2

A cross-site scripting (XSS) vulnerability in DynPG version 4.9.2 allows remote attackers to inject JavaScript via the "page" parameter.

3.5
2021-03-23 CVE-2021-21370 Typo3 Cross-site Scripting vulnerability in Typo3

TYPO3 is an open source PHP based web content management system.

3.5
2021-03-23 CVE-2021-21358 Typo3 Cross-site Scripting vulnerability in Typo3

TYPO3 is an open source PHP based web content management system.

3.5
2021-03-23 CVE-2021-21340 Typo3 Cross-site Scripting vulnerability in Typo3

TYPO3 is an open source PHP based web content management system.

3.5
2021-03-22 CVE-2021-25921 Open EMR Cross-site Scripting vulnerability in Open-Emr Openemr

In OpenEMR, versions 2.7.3-rc1 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly in the `Allergies` section.

3.5
2021-03-22 CVE-2021-25919 Open EMR Cross-site Scripting vulnerability in Open-Emr Openemr 5.0.2/5.0.2.1/5.0.2.5

In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly.

3.5
2021-03-22 CVE-2021-25918 Open EMR Cross-site Scripting vulnerability in Open-Emr Openemr 5.0.2/5.0.2.1/5.0.2.5

In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the TOTP Authentication method page.

3.5
2021-03-22 CVE-2021-25917 Open EMR Cross-site Scripting vulnerability in Open-Emr Openemr 5.0.2/5.0.2.1/5.0.2.5

In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the U2F USB Device authentication method page.

3.5
2021-03-22 CVE-2021-28968 GNU Cross-site Scripting vulnerability in GNU Punbb

An issue was discovered in PunBB before 1.4.6.

3.5
2021-03-22 CVE-2021-28147 Grafana Unspecified vulnerability in Grafana

The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue.

3.5
2021-03-22 CVE-2021-27308 4Homepages Cross-site Scripting vulnerability in 4Homepages 4Images 1.8

A cross-site scripting (XSS) vulnerability in the admin login panel in 4images version 1.8 allows remote attackers to inject JavaScript via the "redirect" parameter.

3.5
2021-03-26 CVE-2021-20197 GNU
Redhat
Link Following vulnerability in multiple products

There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib.

3.3
2021-03-25 CVE-2021-27194 Netop Cleartext Transmission of Sensitive Information vulnerability in Netop Vision PRO

Cleartext transmission of sensitive information in Netop Vision Pro up to and including 9.7.1 allows a remote unauthenticated attacker to gather credentials including Windows login usernames and passwords.

3.3
2021-03-24 CVE-2021-1439 Cisco Classic Buffer Overflow vulnerability in Cisco products

A vulnerability in the multicast DNS (mDNS) gateway feature of Cisco Aironet Series Access Points Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device.

3.3
2021-03-23 CVE-2021-29082 Netgear Information Exposure vulnerability in Netgear products

Certain NETGEAR devices are affected by disclosure of sensitive information.

3.3
2021-03-26 CVE-2021-29255 Microseven Insufficiently Protected Credentials vulnerability in Microseven Mym71080I-B Firmware

MicroSeven MYM71080i-B 2.0.5 through 2.0.20 devices send admin credentials in cleartext to pnp.microseven.com TCP port 7007.

2.9
2021-03-24 CVE-2021-1352 Cisco Use of Out-of-range Pointer Offset vulnerability in Cisco IOS XE

A vulnerability in the DECnet Phase IV and DECnet/OSI protocol processing of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device.

2.9
2021-03-26 CVE-2021-21333 Matrix Injection vulnerability in Matrix Synapse

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse).

2.6
2021-03-26 CVE-2021-22194 Gitlab Cleartext Storage of Sensitive Information vulnerability in Gitlab

In all versions of GitLab, marshalled session keys were being stored in Redis.

2.1
2021-03-26 CVE-2021-22184 Gitlab Information Exposure vulnerability in Gitlab

An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted.

2.1
2021-03-26 CVE-2021-25369 Google Incorrect Authorization vulnerability in Google Android

An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace.

2.1
2021-03-25 CVE-2021-3446 Libtpms Project
Redhat
Fedoraproject
Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products

A flaw was found in libtpms in versions before 0.8.2.

2.1
2021-03-25 CVE-2021-25351 Samsung Incorrect Authorization vulnerability in Samsung Account

Improper Access Control in EmailValidationView in Samsung Account prior to version 10.7.0.7 and 12.1.1.3 allows physically proximate attackers to log out user account on device without user password.

2.1
2021-03-25 CVE-2021-25350 Samsung Information Exposure Through Log Files vulnerability in Samsung Account

Information Exposure vulnerability in Samsung Account prior to version 12.1.1.3 allows physically proximate attackers to access user information via log.

2.1
2021-03-24 CVE-2021-1423 Cisco Exposure of Resource to Wrong Sphere vulnerability in Cisco products

A vulnerability in the implementation of a CLI command in Cisco Aironet Access Points (AP) could allow an authenticated, local attacker to overwrite files in the flash memory of the device.

2.1
2021-03-24 CVE-2021-1392 Cisco Insufficiently Protected Credentials vulnerability in Cisco IOS

A vulnerability in the CLI command permissions of Cisco IOS and Cisco IOS XE Software could allow an authenticated, local attacker to retrieve the password for Common Industrial Protocol (CIP) and then remotely configure the device as an administrative user.

2.1
2021-03-24 CVE-2021-29133 Haserl Project Unspecified vulnerability in Haserl Project Haserl

Lack of verification in haserl, a component of Alpine Linux Configuration Framework, before 0.9.36 allows local users to read the contents of any file on the filesystem.

2.1
2021-03-23 CVE-2021-28100 Netflix Unspecified vulnerability in Netflix Priam

Priam uses File.createTempFile, which gives the permissions on that file -rw-r--r--.

2.1
2021-03-23 CVE-2021-3392 Qemu
Fedoraproject
Use After Free vulnerability in multiple products

A use-after-free flaw was found in the MegaRAID emulator of QEMU.

2.1
2021-03-23 CVE-2021-27908 Acquia Incorrect Permission Assignment for Critical Resource vulnerability in Acquia Mautic

In all versions prior to Mautic 3.3.2, secret parameters such as database credentials could be exposed publicly by an authorized admin user through leveraging Symfony parameter syntax in any of the free text fields in Mautic’s configuration that are used in publicly facing parts of the application.

2.1
2021-03-23 CVE-2021-20227 Sqlite
Oracle
Use After Free vulnerability in multiple products

A flaw was found in SQLite's SELECT query functionality (src/select.c).

2.1
2021-03-23 CVE-2021-20219 Linux Incorrect Comparison vulnerability in Linux Kernel

A denial of service vulnerability was found in n_tty_receive_char_special in drivers/tty/n_tty.c of the Linux kernel.

2.1
2021-03-22 CVE-2021-22310 Huawei Information Exposure Through Log Files vulnerability in Huawei products

There is an information leakage vulnerability in some huawei products.

2.1
2021-03-22 CVE-2021-28964 Linux
Fedoraproject
Race Condition vulnerability in multiple products

A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8.

1.9