Weekly Vulnerabilities Reports > March 29 to April 4, 2021

Overview

421 new vulnerabilities reported during this period, including 48 critical vulnerabilities and 73 high severity vulnerabilities. This weekly summary report vulnerabilities in 337 products from 138 vendors including Apple, F5, Siemens, Fedoraproject, and Debian. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Read", "Out-of-bounds Write", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Classic Buffer Overflow".

  • 355 reported vulnerabilities are remotely exploitables.
  • 2 reported vulnerabilities have public exploit available.
  • 93 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 322 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 130 reported vulnerabilities.
  • Apple has the most reported critical vulnerabilities, with 21 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

48 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-04-02 CVE-2020-27600 Dlink OS Command Injection vulnerability in Dlink Dir-846 Firmware A1100.26

HNAP1/control/SetMasterWLanSettings.php in D-Link D-Link Router DIR-846 DIR-846 A1_100.26 allows remote attackers to execute arbitrary commands via shell metacharacters in the ssid0 or ssid1 parameter.

10.0
2021-03-31 CVE-2021-22986 F5 Server-Side Request Forgery (SSRF) vulnerability in F5 products

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability.

10.0
2021-03-30 CVE-2021-26810 Dlink OS Command Injection vulnerability in Dlink Dir-816 Firmware 1.10B05

D-link DIR-816 A2 v1.10 is affected by a remote code injection vulnerability.

10.0
2021-03-29 CVE-2021-27274 Netgear Unrestricted Upload of File with Dangerous Type vulnerability in Netgear Prosafe Network Management System 1.6.0.26

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26.

10.0
2021-03-29 CVE-2020-25583 Freebsd Classic Buffer Overflow vulnerability in Freebsd

In FreeBSD 12.2-STABLE before r368250, 11.4-STABLE before r368253, 12.2-RELEASE before p1, 12.1-RELEASE before p11 and 11.4-RELEASE before p5 when processing a DNSSL option, rtsold(8) decodes domain name labels per an encoding specified in RFC 1035 in which the first octet of each label contains the label's length.

10.0
2021-03-29 CVE-2020-25577 Freebsd Classic Buffer Overflow vulnerability in Freebsd 11.4/12.1/12.2

In FreeBSD 12.2-STABLE before r368250, 11.4-STABLE before r368253, 12.2-RELEASE before p1, 12.1-RELEASE before p11 and 11.4-RELEASE before p5 rtsold(8) does not verify that the RDNSS option does not extend past the end of the received packet before processing its contents.

10.0
2021-03-29 CVE-2020-24636 Arubanetworks
Siemens
OS Command Injection vulnerability in multiple products

A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.5 and below; Aruba Instant 8.7.x: 8.7.0.0 and below.

10.0
2021-04-02 CVE-2021-28940 Magpierss Project Improper Encoding or Escaping of Output vulnerability in Magpierss Project Magpierss 0.72

Because of a incorrect escaped exec command in MagpieRSS in 0.72 in the /extlib/Snoopy.class.inc file, it is possible to add a extra command to the curl binary.

9.8
2021-04-02 CVE-2021-1871 Apple
Debian
Fedoraproject
A logic issue was addressed with improved restrictions.
9.8
2021-04-02 CVE-2021-1870 Apple
Webkitgtk
Fedoraproject
A logic issue was addressed with improved restrictions.
9.8
2021-03-31 CVE-2021-22991 F5 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in F5 products

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack.

9.8
2021-03-30 CVE-2019-5319 Arubanetworks
Siemens
Classic Buffer Overflow vulnerability in multiple products

A remote buffer overflow vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.16 and below; Aruba Instant 8.3.x: 8.3.0.12 and below; Aruba Instant 8.5.x: 8.5.0.6 and below; Aruba Instant 8.6.x: 8.6.0.2 and below.

9.8
2021-03-29 CVE-2020-35138 Mobileiron Use of Hard-coded Credentials vulnerability in Mobileiron Mobile@Work

The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron).

9.8
2021-03-29 CVE-2020-25218 Grandstream Missing Authentication for Critical Function vulnerability in Grandstream products

Grandstream GRP261x VoIP phone running firmware version 1.0.3.6 (Base) allow Authentication Bypass in its administrative web interface.

9.8
2021-04-01 CVE-2021-20078 Zohocorp Path Traversal vulnerability in Zohocorp Manageengine Opmanager

Manage Engine OpManager builds below 125346 are vulnerable to a remote denial of service vulnerability due to a path traversal issue in spark gateway component.

9.4
2021-04-02 CVE-2021-1805 Apple Out-of-bounds Write vulnerability in Apple mac OS X and Macos

An out-of-bounds write was addressed with improved input validation.

9.3
2021-04-02 CVE-2021-1779 Apple Unspecified vulnerability in Apple mac OS X and Macos

A logic error in kext loading was addressed with improved state handling.

9.3
2021-04-02 CVE-2021-1767 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

This issue was addressed with improved checks.

9.3
2021-04-02 CVE-2021-1763 Apple Classic Buffer Overflow vulnerability in Apple products

A buffer overflow was addressed with improved bounds checking.

9.3
2021-04-02 CVE-2021-1759 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved input validation.

9.3
2021-04-02 CVE-2021-1758 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved bounds checking.

9.3
2021-04-02 CVE-2021-1750 Apple Improper Privilege Management vulnerability in Apple products

Multiple issues were addressed with improved logic.

9.3
2021-04-02 CVE-2021-1745 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved input validation.

9.3
2021-04-02 CVE-2021-1744 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write was addressed with improved input validation.

9.3
2021-04-02 CVE-2020-9975 Apple Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

9.3
2021-04-02 CVE-2020-9967 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple memory corruption issues were addressed with improved input validation.

9.3
2021-04-02 CVE-2020-29612 Apple Out-of-bounds Write vulnerability in Apple mac OS X and Macos

An out-of-bounds write issue was addressed with improved bounds checking.

9.3
2021-04-02 CVE-2020-27947 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X and Macos

A memory corruption issue was addressed with improved input validation.

9.3
2021-04-02 CVE-2020-27941 Apple Unspecified vulnerability in Apple Macos 11.0/11.0.1

A validation issue was addressed with improved logic.

9.3
2021-04-02 CVE-2020-27921 Apple Race Condition vulnerability in Apple mac OS X

A race condition was addressed with improved state handling.

9.3
2021-04-02 CVE-2020-27915 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved input validation.

9.3
2021-04-02 CVE-2020-27914 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved input validation.

9.3
2021-04-02 CVE-2020-27907 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Macos

A memory corruption issue was addressed with improved memory handling.

9.3
2021-04-02 CVE-2020-10015 Apple Out-of-bounds Write vulnerability in Apple mac OS X and Macos

An out-of-bounds write issue was addressed with improved bounds checking.

9.3
2021-03-31 CVE-2021-22992 F5 Classic Buffer Overflow vulnerability in F5 products

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, a malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack.

9.3
2021-03-30 CVE-2021-25162 Arubanetworks
Siemens
Command Injection vulnerability in multiple products

A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba Instant 8.7.x: 8.7.1.1 and below.

9.3
2021-03-29 CVE-2021-27245 TP Link Protection Mechanism Failure vulnerability in Tp-Link Archer A7 Firmware 200721

This vulnerability allows a firewall bypass on affected installations of TP-Link Archer A7 prior to Archer C7(US)_V5_210125 and Archer A7(US)_V5_200220 AC1750 routers.

9.3
2021-04-01 CVE-2021-28918 Netmask Project Incorrect Type Conversion or Cast vulnerability in Netmask Project Netmask

Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages.

9.1
2021-04-01 CVE-2021-29083 Synology OS Command Injection vulnerability in Synology Diskstation Manager

Improper neutralization of special elements used in an OS command in SYNO.Core.Network.PPPoE in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote authenticated users to execute arbitrary code via realname parameter.

9.0
2021-03-31 CVE-2021-22990 F5 Unspecified vulnerability in F5 products

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, on systems with Advanced WAF or BIG-IP ASM provisioned, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.

9.0
2021-03-31 CVE-2021-22989 F5 Unspecified vulnerability in F5 products

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, when running in Appliance mode with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.

9.0
2021-03-31 CVE-2021-22987 F5 Unspecified vulnerability in F5 products

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3 when running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.

9.0
2021-03-31 CVE-2021-22988 F5 Unspecified vulnerability in F5 products

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.

9.0
2021-03-30 CVE-2021-25150 Arubanetworks
Siemens
Command Injection vulnerability in multiple products

A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.4 and below.

9.0
2021-03-30 CVE-2021-25146 Arubanetworks
Siemens
Command Injection vulnerability in multiple products

A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.5 and below; Aruba Instant 8.7.x: 8.7.0.0 and below.

9.0
2021-03-29 CVE-2021-27273 Netgear OS Command Injection vulnerability in Netgear Prosafe Network Management System 1.6.0.26

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26.

9.0
2021-03-29 CVE-2021-25144 Arubanetworks
Siemens
Classic Buffer Overflow vulnerability in multiple products

A remote buffer overflow vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.16 and below; Aruba Instant 8.3.x: 8.3.0.12 and below; Aruba Instant 8.5.x: 8.5.0.6 and below; Aruba Instant 8.6.x: 8.6.0.2 and below.

9.0
2021-03-29 CVE-2020-24635 Arubanetworks
Siemens
OS Command Injection vulnerability in multiple products

A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.5 and below; Aruba Instant 8.7.x: 8.7.0.0 and below.

9.0

73 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-04-02 CVE-2021-1844 Apple
Debian
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

A memory corruption issue was addressed with improved validation.

8.8
2021-04-02 CVE-2021-1789 Apple
Fedoraproject
Webkitgtk
Type Confusion vulnerability in multiple products

A type confusion issue was addressed with improved state handling.

8.8
2021-04-02 CVE-2021-1788 Apple
Debian
Fedoraproject
Use After Free vulnerability in multiple products

A use after free issue was addressed with improved memory management.

8.8
2021-04-02 CVE-2020-27920 Apple Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

8.8
2021-04-01 CVE-2021-25924 Thoughtworks Cross-Site Request Forgery (CSRF) vulnerability in Thoughtworks Gocd

In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the `/go/api/config/backup` endpoint.

8.8
2021-03-31 CVE-2021-21782 Accusoft Out-of-bounds Write vulnerability in Accusoft Imagegear 19.8

An out-of-bounds write vulnerability exists in the SGI format buffer size processing functionality of Accusoft ImageGear 19.8.

8.8
2021-03-30 CVE-2021-21412 THI NG EGF Project OS Command Injection vulnerability in @Thi.Ng/Egf Project @Thi.Ng/Egf

Potential for arbitrary code execution in npm package @thi.ng/egf `#gpg`-tagged property values (only if `decrypt: true` option is enabled).

8.8
2021-03-30 CVE-2021-21638 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Team Foundation Server

A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

8.8
2021-03-30 CVE-2021-21633 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Owasp Dependency-Track

A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

8.8
2021-03-30 CVE-2021-21629 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Build With Parameters

A cross-site request forgery (CSRF) vulnerability in Jenkins Build With Parameters Plugin 1.5 and earlier allows attackers to build a project with attacker-specified parameters.

8.8
2021-03-30 CVE-2021-26919 Apache Unspecified vulnerability in Apache Druid

Apache Druid allows users to read data from other database systems using JDBC.

8.8
2021-04-02 CVE-2021-28113 Okta OS Command Injection vulnerability in Okta Access Gateway

A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account.

8.7
2021-03-31 CVE-2021-21983 Vmware Unspecified vulnerability in VMWare products

Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983) prior to 8.4 may allow an authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system.

8.5
2021-03-30 CVE-2021-25159 Arubanetworks
Siemens
A remote arbitrary file modification vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba Instant 8.7.x: 8.7.1.1 and below.
8.5
2021-03-30 CVE-2021-25155 Arubanetworks
Siemens
A remote arbitrary file modification vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.6 and below; Aruba Instant 8.7.x: 8.7.1.0 and below.
8.5
2021-03-30 CVE-2021-25148 Arubanetworks
Siemens
A remote arbitrary file modification vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.4 and below.
8.5
2021-04-02 CVE-2020-11925 Luvion Insufficiently Protected Credentials vulnerability in Luvion Grand Elite 3 Connect Firmware

An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25.

8.3
2021-03-29 CVE-2021-27239 Netgear Stack-based Buffer Overflow vulnerability in Netgear products

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400 and R6700 firmware version 1.0.4.98 routers.

8.3
2021-04-01 CVE-2021-20235 Zeromq Out-of-bounds Write vulnerability in Zeromq Libzmq

There's a flaw in the zeromq server in versions before 4.3.3 in src/decoder_allocators.hpp.

8.1
2021-04-02 CVE-2020-27931 Apple Out-of-bounds Write vulnerability in Apple products

A memory corruption issue existed in the processing of font files.

7.8
2021-04-02 CVE-2020-27924 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved input validation.

7.8
2021-04-02 CVE-2020-27923 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write was addressed with improved input validation.

7.8
2021-04-02 CVE-2020-27922 Apple Unspecified vulnerability in Apple products

A logic issue was addressed with improved state management.

7.8
2021-04-02 CVE-2020-27908 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved input validation.

7.8
2021-04-02 CVE-2020-27899 Apple Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

7.8
2021-04-02 CVE-2019-20463 Sannce Unspecified vulnerability in Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 Firmware

An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices.

7.8
2021-03-31 CVE-2021-21773 Accusoft Improper Check for Unusual or Exceptional Conditions vulnerability in Accusoft Imagegear 19.8

An out-of-bounds write vulnerability exists in the TIFF header count-processing functionality of Accusoft ImageGear 19.8.

7.8
2021-03-30 CVE-2020-24995 Ffmpeg Classic Buffer Overflow vulnerability in Ffmpeg 3.1.2

Buffer overflow vulnerability in sniff_channel_order function in aacdec_template.c in ffmpeg 3.1.2, allows attackers to execute arbitrary code (local).

7.8
2021-03-29 CVE-2021-21727 ZTE Unspecified vulnerability in ZTE Zxhn F623 Firmware

A ZTE product has a DoS vulnerability.

7.8
2021-04-02 CVE-2021-1806 Apple Race Condition vulnerability in Apple mac OS X and Macos

A race condition was addressed with additional validation.

7.6
2021-04-03 CVE-2021-30127 Terra Master Unspecified vulnerability in Terra-Master F2-210 Firmware 20210403/4.0.19

TerraMaster F2-210 devices through 2021-04-03 use UPnP to make the admin web server accessible over the Internet on TCP port 8181, which is arguably inconsistent with the "It is only available on the local network" documentation.

7.5
2021-04-02 CVE-2021-30072 Dlink Out-of-bounds Write vulnerability in Dlink Dir-878 Firmware

An issue was discovered in prog.cgi on D-Link DIR-878 1.30B08 devices.

7.5
2021-04-02 CVE-2020-21585 Emlog Unrestricted Upload of File with Dangerous Type vulnerability in Emlog 6.0.0

Vulnerability in emlog v6.0.0 allows user to upload webshells via zip plugin module.

7.5
2021-04-02 CVE-2021-1818 Apple Unspecified vulnerability in Apple products

A logic issue was addressed with improved state management.

7.5
2021-04-02 CVE-2021-1796 Apple Out-of-bounds Write vulnerability in Apple Ipad OS and Iphone OS

An out-of-bounds write was addressed with improved input validation.

7.5
2021-04-02 CVE-2021-1795 Apple Out-of-bounds Write vulnerability in Apple Ipad OS and Iphone OS

An out-of-bounds write was addressed with improved input validation.

7.5
2021-04-02 CVE-2021-1794 Apple Out-of-bounds Read vulnerability in Apple Ipad OS and Iphone OS

An out-of-bounds read was addressed with improved input validation.

7.5
2021-04-02 CVE-2021-22203 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions starting from 13.9 before 13.9.5, and all versions starting from 13.10 before 13.10.1.

7.5
2021-04-02 CVE-2021-28123 Cohesity Insecure Default Initialization of Resource vulnerability in Cohesity Dataplatform

Undocumented Default Cryptographic Key Vulnerability in Cohesity DataPlatform version 6.3 prior 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through 6.5.1b.

7.5
2021-04-02 CVE-2021-29012 Dmasoftlab Improper Authentication vulnerability in Dmasoftlab DMA Radius Manager 4.4.0

DMA Softlab Radius Manager 4.4.0 assigns the same session cookie to every admin session.

7.5
2021-04-02 CVE-2021-22696 Apache
Oracle
Server-Side Request Forgery (SSRF) vulnerability in multiple products

CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)).

7.5
2021-04-02 CVE-2021-30000 Latrix Project SQL Injection vulnerability in Latrix Project Latrix 0.6.0

An issue was discovered in LATRIX 0.6.0.

7.5
2021-04-01 CVE-2021-29421 Pikepdf Project
Fedoraproject
XXE vulnerability in multiple products

models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries.

7.5
2021-04-01 CVE-2021-28165 Eclipse
Oracle
Jenkins
Netapp
Improper Handling of Exceptional Conditions vulnerability in multiple products

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

7.5
2021-04-01 CVE-2021-29942 Reorder Project Out-of-bounds Write vulnerability in Reorder Project Reorder

An issue was discovered in the reorder crate through 2021-02-24 for Rust.

7.5
2021-04-01 CVE-2021-29941 Reorder Project Out-of-bounds Write vulnerability in Reorder Project Reorder

An issue was discovered in the reorder crate through 2021-02-24 for Rust.

7.5
2021-04-01 CVE-2021-29940 Through Project Double Free vulnerability in Through Project Through

An issue was discovered in the through crate through 2021-02-18 for Rust.

7.5
2021-04-01 CVE-2021-29937 Telemetry Project Use of Uninitialized Resource vulnerability in Telemetry Project Telemetry

An issue was discovered in the telemetry crate through 2021-02-17 for Rust.

7.5
2021-04-01 CVE-2021-29936 Adtensor Project Use of Uninitialized Resource vulnerability in Adtensor Project Adtensor

An issue was discovered in the adtensor crate through 2021-01-11 for Rust.

7.5
2021-04-01 CVE-2021-29935 Rocket Use After Free vulnerability in Rocket

An issue was discovered in the rocket crate before 0.4.7 for Rust.

7.5
2021-04-01 CVE-2021-29934 UU OD Project Use of Uninitialized Resource vulnerability in UU OD Project UU OD 0.0.1/0.0.2/0.0.3

An issue was discovered in PartialReader in the uu_od crate before 0.0.4 for Rust.

7.5
2021-03-31 CVE-2020-35308 Conquest Dicom Server Project Unspecified vulnerability in Conquest Dicom Server Project Conquest Dicom Server

CONQUEST DICOM SERVER before 1.5.0 has a code execution vulnerability which can be exploited by attackers to execute malicious code.

7.5
2021-03-31 CVE-2021-29662 Data
Netapp
Incorrect Type Conversion or Cast vulnerability in multiple products

The Data::Validate::IP module through 0.29 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.

7.5
2021-03-31 CVE-2020-28172 Simple College Project SQL Injection vulnerability in Simple College Project Simple College 1.0

A SQL injection vulnerability in Simple College Website 1.0 allows remote unauthenticated attackers to bypass the admin authentication mechanism in college_website/admin/ajax.php?action=login, thus gaining access to the website administrative panel.

7.5
2021-03-30 CVE-2020-24391 Mongo Express Project Unspecified vulnerability in Mongo-Express Project Mongo-Express

mongo-express before 1.0.0 offers support for certain advanced syntax but implements this in an unsafe way.

7.5
2021-03-30 CVE-2021-25149 Arubanetworks
Siemens
Classic Buffer Overflow vulnerability in multiple products

A remote buffer overflow vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.16 and below; Aruba Instant 8.3.x: 8.3.0.12 and below; Aruba Instant 8.5.x: 8.5.0.6 and below; Aruba Instant 8.6.x: 8.6.0.2 and below.

7.5
2021-03-29 CVE-2021-28672 Xerox Classic Buffer Overflow vulnerability in Xerox products

Xerox Phaser 6510 before 64.65.51 and 64.59.11 (Bridge), WorkCentre 6515 before 65.65.51 and 65.59.11 (Bridge), VersaLink B400 before 37.65.51 and 37.59.01 (Bridge), B405 before 38.65.51 and 38.59.01 (Bridge), B600/B610 before 32.65.51 and 32.59.01 (Bridge), B605/B615 before 33.65.51 and 33.59.01 (Bridge), B7025/30/35 before 58.65.51 and 58.59.11 (Bridge), C400 before 67.65.51 and 67.59.01 (Bridge), C405 before 68.65.51 and 68.59.01 (Bridge), C500/C600 before 61.65.51 and 61.59.01 (Bridge), C505/C605 before 62.65.51 and 62.59.01 (Bridge), C7000 before 56.65.51 and 56.59.01 (Bridge), C7020/25/30 before 57.65.51 and 57.59.01 (Bridge), C8000/C9000 before 70.65.51 and 70.59.01 (Bridge), C8000W before 72.65.51 allows remote attackers to execute arbitrary code through a buffer overflow in Web page parameter handling.

7.5
2021-03-29 CVE-2021-28671 Xerox Unspecified vulnerability in Xerox products

Xerox Phaser 6510 before 64.65.51 and 64.59.11 (Bridge), WorkCentre 6515 before 65.65.51 and 65.59.11 (Bridge), VersaLink B400 before 37.65.51 and 37.59.01 (Bridge), B405 before 38.65.51 and 38.59.01 (Bridge), B600/B610 before 32.65.51 and 32.59.01 (Bridge), B605/B615 before 33.65.51 and 33.59.01 (Bridge), B7025/30/35 before 58.65.51 and 58.59.11 (Bridge), C400 before 67.65.51 and 67.59.01 (Bridge), C405 before 68.65.51 and 68.59.01 (Bridge), C500/C600 before 61.65.51 and 61.59.01 (Bridge), C505/C605 before 62.65.51 and 62.59.01 (Bridge), C7000 before 56.65.51 and 56.59.01 (Bridge), C7020/25/30 before 57.65.51 and 57.59.01 (Bridge), C8000/C9000 before 70.65.51 and 70.59.01 (Bridge), C8000W before 72.65.51 have a remote Command Execution vulnerability in the Web User Interface that allows remote attackers with "a weaponized clone file" to execute arbitrary commands.

7.5
2021-03-29 CVE-2021-27272 Netgear Path Traversal vulnerability in Netgear Prosafe Network Management System 1.6.0.26

This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26.

7.5
2021-03-29 CVE-2021-28673 Xerox Unspecified vulnerability in Xerox products

Xerox Phaser 6510 before 64.61.23 and 64.59.11 (Bridge), WorkCentre 6515 before 65.61.23 and 65.59.11 (Bridge), VersaLink B400 before 37.61.23 and 37.59.01 (Bridge), B405 before 38.61.23 and 38.59.01 (Bridge), B600/B610 before 32.61.23 and 32.59.01 (Bridge), B605/B615 before 33.61.23 and 33.59.01 (Bridge), B7025/30/35 before 58.61.23 and 58.59.11 (Bridge), C400 before 67.61.23 and 67.59.01 (Bridge), C405 before 68.61.23 and 68.59.01 (Bridge), C500/C600 before 61.61.23 and 61.59.01 (Bridge), C505/C605 before 62.61.23 and 62.59.11 (Bridge), C7000 before 56.61.23 and 56.59.01 (Bridge), C7020/25/30 before 57.61.23 and 57.59.01 (Bridge), C8000/C9000 before 70.61.23 and 70.59.01 (Bridge), allows remote attackers with "a weaponized clone file" to execute arbitrary commands in the Web User Interface.

7.5
2021-03-29 CVE-2021-28668 Xerox SQL Injection vulnerability in Xerox products

Xerox AltaLink B80xx before 103.008.020.23120, C8030/C8035 before 103.001.020.23120, C8045/C8055 before 103.002.020.23120 and C8070 before 103.003.020.23120 has several SQL injection vulnerabilities.

7.5
2021-03-29 CVE-2021-26714 Mitel Path Traversal vulnerability in Mitel Micontact Center Enterprise 9.3

The Enterprise License Manager portal in Mitel MiContact Center Enterprise before 9.4 could allow a user to access restricted files and folders due to insufficient access control.

7.5
2021-03-29 CVE-2020-35137 Mobileiron Use of Hard-coded Credentials vulnerability in Mobileiron Mobile@Work

The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron).

7.5
2021-03-29 CVE-2021-29417 Gitjacker Project Path Traversal vulnerability in Gitjacker Project Gitjacker 0.0.1/0.0.2/0.0.3

gitjacker before 0.1.0 allows remote attackers to execute arbitrary code via a crafted .git directory because of directory traversal.

7.5
2021-04-01 CVE-2021-29939 Stackvector Project Out-of-bounds Write vulnerability in Stackvector Project Stackvector

An issue was discovered in the stackvector crate through 2021-02-19 for Rust.

7.3
2021-04-02 CVE-2020-27897 Apple Out-of-bounds Write vulnerability in Apple mac OS X and Macos

An out-of-bounds write issue was addressed with improved bounds checking.

7.2
2021-04-02 CVE-2019-20466 Sannce Use of Password Hash With Insufficient Computational Effort vulnerability in Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 Firmware

An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices.

7.2
2021-03-31 CVE-2021-26943 Asus Unspecified vulnerability in Asus Ux360Ca Bios

The UX360CA BIOS through 303 on ASUS laptops allow an attacker (with the ring 0 privilege) to overwrite nearly arbitrary physical memory locations, including SMRAM, and execute arbitrary code in the SMM (issue 3 of 3).

7.2
2021-03-29 CVE-2021-27240 Solarwinds Deserialization of Untrusted Data vulnerability in Solarwinds Patch Manager 2020.2.1

This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds Patch Manager 2020.2.1.

7.2
2021-03-29 CVE-2020-25217 Grandstream Command Injection vulnerability in Grandstream products

Grandstream GRP261x VoIP phone running firmware version 1.0.3.6 (Base) allows Command Injection as root in its administrative web interface.

7.2
2021-03-29 CVE-2021-23358 Underscorejs
Debian
Tenable
Fedoraproject
Code Injection vulnerability in multiple products

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

7.2
2021-04-02 CVE-2021-1791 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read issue existed that led to the disclosure of kernel memory.

7.1
2021-04-02 CVE-2021-1782 Apple Improper Locking vulnerability in Apple products

A race condition was addressed with improved locking.

7.0

249 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-04-02 CVE-2021-29660 Softing Cross-Site Request Forgery (CSRF) vulnerability in Softing OPC Toolbox

A Cross-Site Request Forgery (CSRF) vulnerability in en/cfg_setpwd.html in Softing AG OPC Toolbox through 4.10.1.13035 allows attackers to reset the administrative password by inducing the Administrator user to browse a URL controlled by an attacker.

6.8
2021-04-02 CVE-2021-1793 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved checks.

6.8
2021-04-02 CVE-2021-1790 Apple Out-of-bounds Read vulnerability in Apple mac OS X and Macos

An out-of-bounds read was addressed with improved input validation.

6.8
2021-04-02 CVE-2021-1753 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved bounds checking.

6.8
2021-04-02 CVE-2021-1792 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved bounds checking.

6.8
2021-04-02 CVE-2021-1785 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved input validation.

6.8
2021-04-02 CVE-2021-1783 Apple Unspecified vulnerability in Apple products

An access issue was addressed with improved memory management.

6.8
2021-04-02 CVE-2021-1777 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved checks.

6.8
2021-04-02 CVE-2021-1776 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write issue was addressed with improved bounds checking.

6.8
2021-04-02 CVE-2021-1775 Apple Unspecified vulnerability in Apple mac OS X and Macos

This issue was addressed by removing the vulnerable code.

6.8
2021-04-02 CVE-2021-1774 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved checks.

6.8
2021-04-02 CVE-2021-1772 Apple Out-of-bounds Write vulnerability in Apple products

A stack overflow was addressed with improved input validation.

6.8
2021-04-02 CVE-2021-1768 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved bounds checking.

6.8
2021-04-02 CVE-2021-1754 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved checks.

6.8
2021-04-02 CVE-2021-1748 Apple Improper Input Validation vulnerability in Apple products

A validation issue was addressed with improved input sanitization.

6.8
2021-04-02 CVE-2021-1747 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write was addressed with improved input validation.

6.8
2021-04-02 CVE-2021-1746 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved checks.

6.8
2021-04-02 CVE-2021-1743 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved bounds checking.

6.8
2021-04-02 CVE-2021-1742 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved checks.

6.8
2021-04-02 CVE-2021-1741 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved bounds checking.

6.8
2021-04-02 CVE-2021-1738 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write was addressed with improved input validation.

6.8
2021-04-02 CVE-2021-1737 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write was addressed with improved input validation.

6.8
2021-04-02 CVE-2021-1736 Apple Out-of-bounds Read vulnerability in Apple mac OS X and Macos

An out-of-bounds read was addressed with improved input validation.

6.8
2021-04-02 CVE-2020-9971 Apple Unspecified vulnerability in Apple products

A logic issue was addressed with improved validation.

6.8
2021-04-02 CVE-2020-9962 Apple Classic Buffer Overflow vulnerability in Apple products

A buffer overflow was addressed with improved size validation.

6.8
2021-04-02 CVE-2020-9960 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved input validation.

6.8
2021-04-02 CVE-2020-9956 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved input validation.

6.8
2021-04-02 CVE-2020-9955 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write issue was addressed with improved bounds checking.

6.8
2021-04-02 CVE-2020-9926 Apple Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

6.8
2021-04-02 CVE-2020-29625 Apple Unspecified vulnerability in Apple mac OS X and Macos

This issue was addressed with improved checks.

6.8
2021-04-02 CVE-2020-29624 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue existed in the processing of font files.

6.8
2021-04-02 CVE-2020-29620 Apple Improper Privilege Management vulnerability in Apple mac OS X and Macos

This issue was addressed with improved entitlements.

6.8
2021-04-02 CVE-2020-29619 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved input validation.

6.8
2021-04-02 CVE-2020-29618 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved input validation.

6.8
2021-04-02 CVE-2020-29617 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved input validation.

6.8
2021-04-02 CVE-2020-29616 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple mac OS X and Macos

A memory corruption issue was addressed with improved input validation.

6.8
2021-04-02 CVE-2020-29614 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved checks.

6.8
2021-04-02 CVE-2020-29611 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write issue was addressed with improved bounds checking.

6.8
2021-04-02 CVE-2020-27952 Apple Out-of-bounds Write vulnerability in Apple mac OS X and Macos

An out-of-bounds write was addressed with improved input validation.

6.8
2021-04-02 CVE-2020-27951 Apple Unspecified vulnerability in Apple Ipados and Iphone OS

This issue was addressed with improved checks.

6.8
2021-04-02 CVE-2020-27948 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write issue was addressed with improved bounds checking.

6.8
2021-04-02 CVE-2020-27945 Apple Integer Overflow or Wraparound vulnerability in Apple mac OS X and Macos

An integer overflow was addressed with improved input validation.

6.8
2021-04-02 CVE-2020-27944 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue existed in the processing of font files.

6.8
2021-04-02 CVE-2020-27943 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue existed in the processing of font files.

6.8
2021-04-02 CVE-2020-27939 Apple Unspecified vulnerability in Apple Macos 11.0/11.0.1

This issue was addressed with improved checks.

6.8
2021-04-02 CVE-2020-27938 Apple Improper Privilege Management vulnerability in Apple mac OS X

A logic issue was addressed with improved state management.

6.8
2021-04-02 CVE-2020-27933 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved input validation.

6.8
2021-04-02 CVE-2020-27919 Apple Out-of-bounds Write vulnerability in Apple mac OS X

An out-of-bounds write was addressed with improved input validation.

6.8
2021-04-01 CVE-2021-21420 Stripe Unspecified vulnerability in Stripe

vscode-stripe is an extension for Visual Studio Code.

6.8
2021-04-01 CVE-2021-22195 Gitlab Uncontrolled Search Path Element vulnerability in Gitlab Gitlab-Vscode-Extension

Client side code execution in gitlab-vscode-extension v3.15.0 and earlier allows attacker to execute code on user system

6.8
2021-03-31 CVE-2021-22993 F5 Cross-site Scripting vulnerability in F5 products

On BIG-IP Advanced WAF and BIG-IP ASM versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, DOM-based XSS on DoS Profile properties page.

6.8
2021-03-31 CVE-2021-29658 Vscode Rufo Project Unspecified vulnerability in Vscode-Rufo Project Vscode-Rufo 0.0.1/0.0.2/0.0.3

The unofficial vscode-rufo extension before 0.0.4 for Visual Studio Code allows attackers to execute arbitrary binaries if the user opens a crafted workspace folder.

6.8
2021-03-31 CVE-2021-23988 Mozilla Out-of-bounds Write vulnerability in Mozilla Firefox

Mozilla developers reported memory safety bugs present in Firefox 86.

6.8
2021-03-31 CVE-2021-23987 Mozilla Out-of-bounds Write vulnerability in Mozilla Firefox

Mozilla developers and community members reported memory safety bugs present in Firefox 86 and Firefox ESR 78.8.

6.8
2021-03-31 CVE-2021-21776 Accusoft Incorrect Calculation of Buffer Size vulnerability in Accusoft Imagegear 19.8

An out-of-bounds write vulnerability exists in the SGI Format Buffer Size Processing functionality of Accusoft ImageGear 19.8.

6.8
2021-03-30 CVE-2021-27271 Foxitsoftware Out-of-bounds Read vulnerability in Foxitsoftware Foxit Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 10.1.0.37527.

6.8
2021-03-30 CVE-2021-27270 Foxitsoftware Out-of-bounds Read vulnerability in Foxitsoftware Foxit Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 10.1.0.37527.

6.8
2021-03-30 CVE-2021-27269 Foxitsoftware Out-of-bounds Write vulnerability in Foxitsoftware Foxit Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 10.1.0.37527.

6.8
2021-03-30 CVE-2021-27268 Foxitsoftware Use After Free vulnerability in Foxitsoftware Foxit Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 10.1.0.37527.

6.8
2021-03-30 CVE-2021-27267 Foxitsoftware Use After Free vulnerability in Foxitsoftware Foxit Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 10.1.0.37527.

6.8
2021-03-30 CVE-2021-27261 Foxitsoftware Out-of-bounds Read vulnerability in Foxitsoftware Foxit Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 10.1.0.37527.

6.8
2021-03-30 CVE-2020-19639 Insma Cross-Site Request Forgery (CSRF) vulnerability in Insma Wifi Mini SPY 1080P HD Security IP Camera Firmware 1.9.7B

Cross Site Request Forgery (CSRF) vulnerability in INSMA Wifi Mini Spy 1080P HD Security IP Camera 1.9.7 B, via all fields to WebUI.

6.8
2021-03-29 CVE-2020-7850 Douzone Argument Injection or Modification vulnerability in Douzone Nbbdownloader.Ocx

NBBDownloader.ocx ActiveX Control in Groupware contains a vulnerability that could allow remote files to be downloaded and executed by setting the arguments to the activex method.

6.8
2021-04-02 CVE-2020-9930 Apple Out-of-bounds Read vulnerability in Apple mac OS X

An out-of-bounds read was addressed with improved input validation.

6.6
2021-04-02 CVE-2020-27936 Apple Out-of-bounds Read vulnerability in Apple mac OS X

An out-of-bounds read issue existed that led to the disclosure of kernel memory.

6.6
2021-04-02 CVE-2021-27973 Piwigo SQL Injection vulnerability in Piwigo

SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages.

6.5
2021-04-02 CVE-2021-1801 Apple
Fedoraproject
Webkitgtk
This issue was addressed with improved iframe sandbox enforcement.
6.5
2021-04-02 CVE-2021-1799 Apple
Fedoraproject
Webkitgtk
A port redirection issue was addressed with additional port validation.
6.5
2021-04-02 CVE-2021-22865 Github Unspecified vulnerability in Github Enterprise Server

An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated from a GitHub App's web authentication flow to read private repository metadata via the REST API without having been granted the appropriate permissions.

6.5
2021-04-02 CVE-2021-1765 Apple
Fedoraproject
Webkitgtk
This issue was addressed with improved iframe sandbox enforcement.
6.5
2021-04-02 CVE-2020-29633 Apple Improper Authentication vulnerability in Apple mac OS X and Macos

An authentication issue was addressed with improved state management.

6.5
2021-04-01 CVE-2021-21421 Node Etsy Client Project Information Exposure Through an Error Message vulnerability in Node-Etsy-Client Project Node-Etsy-Client

node-etsy-client is a NodeJs Etsy ReST API Client.

6.5
2021-04-01 CVE-2021-20291 Storage Project
Redhat
Fedoraproject
Improper Locking vulnerability in multiple products

A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1.

6.5
2021-03-31 CVE-2021-22538 Google Incorrect Default Permissions vulnerability in Google Exposure Notifications Verification Server

A privilege escalation vulnerability impacting the Google Exposure Notification Verification Server (versions prior to 0.23.1), allows an attacker who (1) has UserWrite permissions and (2) is using a carefully crafted request or malicious proxy, to create another user with higher privileges than their own.

6.5
2021-03-31 CVE-2021-23348 Portprocesses Project Command Injection vulnerability in Portprocesses Project Portprocesses

This affects the package portprocesses before 1.0.5.

6.5
2021-03-31 CVE-2020-28173 Simple College Project Unrestricted Upload of File with Dangerous Type vulnerability in Simple College Project Simple College 1.0

Simple College Website 1.0 allows a user to conduct remote code execution via /alumni/admin/ajax.php?action=save_settings when uploading a malicious file using the image upload functionality, which is stored in /alumni/admin/assets/uploads/.

6.5
2021-03-30 CVE-2021-23363 Kill BY Port Project Command Injection vulnerability in Kill-By-Port Project Kill-By-Port 0.0.1

This affects the package kill-by-port before 0.0.2.

6.5
2021-03-30 CVE-2021-21637 Jenkins Missing Authorization vulnerability in Jenkins Team Foundation Server

A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

6.5
2021-03-30 CVE-2021-21634 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Jabber (Xmpp) Notifier and Control

Jenkins Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

6.5
2021-03-30 CVE-2021-21632 Jenkins Missing Authorization vulnerability in Jenkins Owasp Dependency-Track

A missing permission check in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

6.5
2021-03-30 CVE-2020-19641 Insma Unspecified vulnerability in Insma Wifi Mini SPY 1080P HD Security IP Camera Firmware 1.9.7B

An issue was discovered in INSMA Wifi Mini Spy 1080P HD Security IP Camera 1.9.7 B.

6.5
2021-03-29 CVE-2021-27275 Netgear Path Traversal vulnerability in Netgear Prosafe Network Management System 1.6.0.26

This vulnerability allows remote attackers to disclose sensitive information and delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26.

6.5
2021-04-02 CVE-2021-30126 Lightmeter Unspecified vulnerability in Lightmeter Controlcenter

Lightmeter ControlCenter 1.1.0 through 1.5.x before 1.5.1 allows anyone who knows the URL of a publicly available Lightmeter instance to access application settings, possibly including an SMTP password and a Slack access token, via a settings HTTP query.

6.4
2021-04-01 CVE-2021-23921 Devolutions Unspecified vulnerability in Devolutions Server

An issue was discovered in Devolutions Server before 2020.3.

6.4
2021-04-01 CVE-2021-21982 Vmware Improper Authentication vulnerability in VMWare Carbon Black Cloud Workload

VMware Carbon Black Cloud Workload appliance 1.0.0 and 1.01 has an authentication bypass vulnerability that may allow a malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance to obtain a valid authentication token.

6.4
2021-03-31 CVE-2021-23005 F5 Unspecified vulnerability in F5 Big-Iq Centralized Management

On all 7.x and 6.x versions (fixed in 8.0.0), when using a Quorum device for BIG-IQ high availability (HA) for automatic failover, BIG-IQ does not make use of Transport Layer Security (TLS) with the Corosync protocol.

6.4
2021-03-29 CVE-2021-28670 Xerox Unspecified vulnerability in Xerox products

Xerox AltaLink B8045/B8090 before 103.008.030.32000, C8030/C8035 before 103.001.030.32000, C8045/C8055 before 103.002.030.32000 and C8070 before 103.003.030.32000 allow unauthorized users, by leveraging the Scan To Mailbox feature, to delete arbitrary files from the disk.

6.4
2021-04-02 CVE-2021-21532 Dell Improper Input Validation vulnerability in Dell Wyse Thinos 8.6

Dell Wyse ThinOS 8.6 MR9 contains remediation for an improper management server validation vulnerability that could be potentially exploited to redirect a client to an attacker-controlled management server, thus allowing the attacker to change the device configuration or certificate file.

6.3
2021-04-02 CVE-2020-27935 Apple Unspecified vulnerability in Apple products

Multiple issues were addressed with improved logic.

6.3
2021-04-02 CVE-2021-1879 Apple Cross-site Scripting vulnerability in Apple Watchos

This issue was addressed by improved management of object lifetimes.

6.1
2021-03-30 CVE-2021-21409 Netty
Debian
Netapp
Oracle
Quarkus
HTTP Request Smuggling vulnerability in multiple products

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

5.9
2021-04-02 CVE-2020-9995 Apple Cross-site Scripting vulnerability in Apple Macos Server

An issue existed in the parsing of URLs.

5.8
2021-04-02 CVE-2021-29652 Pomerium Open Redirect vulnerability in Pomerium

Pomerium from version 0.10.0-0.13.3 has an Open Redirect in the user sign-in/out process

5.8
2021-04-02 CVE-2021-29651 Pomerium Open Redirect vulnerability in Pomerium

Pomerium before 0.13.4 has an Open Redirect (issue 1 of 2).

5.8
2021-04-01 CVE-2021-28545 Adobe Missing Support for Integrity Check vulnerability in Adobe products

Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are missing support for an integrity check.

5.8
2021-03-31 CVE-2020-24550 Episerver Open Redirect vulnerability in Episerver Find

An Open Redirect vulnerability in EpiServer Find before 13.2.7 allows an attacker to redirect users to untrusted websites via the _t_redirect parameter in a crafted URL, such as a /find_v2/_click URL.

5.8
2021-03-31 CVE-2021-23981 Mozilla Out-of-bounds Write vulnerability in Mozilla Firefox

A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash.

5.8
2021-03-30 CVE-2021-21413 Isolated VM Project Improper Control of Dynamically-Managed Code Resources vulnerability in Isolated-Vm Project Isolated-Vm

isolated-vm is a library for nodejs which gives you access to v8's Isolate interface.

5.8
2021-04-01 CVE-2021-3447 Redhat
Fedoraproject
Information Exposure Through Log Files vulnerability in multiple products

A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode.

5.5
2021-03-31 CVE-2021-3479 Openexr
Debian
Resource Exhaustion vulnerability in multiple products

There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta.

5.5
2021-03-31 CVE-2021-3478 Openexr
Debian
Resource Exhaustion vulnerability in multiple products

There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta.

5.5
2021-03-31 CVE-2021-3477 Openexr
Debian
Integer Overflow or Wraparound vulnerability in multiple products

There's a flaw in OpenEXR's deep tile sample size calculations in versions before 3.0.0-beta.

5.5
2021-03-31 CVE-2021-28657 Apache
Oracle
Infinite Loop vulnerability in multiple products

A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25.

5.5
2021-03-30 CVE-2021-29650 Linux
Fedoraproject
Debian
An issue was discovered in the Linux kernel before 5.11.11.
5.5
2021-03-30 CVE-2021-29649 Linux
Fedoraproject
Memory Leak vulnerability in multiple products

An issue was discovered in the Linux kernel before 5.11.11.

5.5
2021-03-30 CVE-2021-29648 Linux
Fedoraproject
Improper Restriction of Excessive Authentication Attempts vulnerability in multiple products

An issue was discovered in the Linux kernel before 5.11.11.

5.5
2021-03-30 CVE-2021-29647 Linux
Fedoraproject
Debian
Missing Initialization of Resource vulnerability in multiple products

An issue was discovered in the Linux kernel before 5.11.11.

5.5
2021-03-30 CVE-2021-29646 Linux
Fedoraproject
An issue was discovered in the Linux kernel before 5.11.11.
5.5
2021-03-30 CVE-2021-20502 IBM XXE vulnerability in IBM products

IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.

5.5
2021-03-30 CVE-2021-20482 IBM XXE vulnerability in IBM Cloud PAK for Automation 20.0.2/20.0.3

IBM Cloud Pak for Automation 20.0.2 and 20.0.3 IF002 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.

5.5
2021-03-30 CVE-2020-4848 IBM Unspecified vulnerability in IBM Urbancode Deploy 6.2.7.9/7.0.5.4/7.1.1.1

IBM UrbanCode Deploy (UCD) 6.2.7.9, 7.0.5.4, and 7.1.1.1 could allow an authenticated user to initiate a plugin or compare process resources that they should not have access to.

5.5
2021-03-30 CVE-2021-29343 Ovidentia SQL Injection vulnerability in Ovidentia

Ovidentia CMS 6.x contains a SQL injection vulnerability in the "id" parameter of index.php.

5.5
2021-03-29 CVE-2021-27276 Netgear Path Traversal vulnerability in Netgear Prosafe Network Management System 1.6.0.26

This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26.

5.5
2021-03-30 CVE-2021-21635 Jenkins Cross-site Scripting vulnerability in Jenkins Rest List Parameter

Jenkins REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

5.4
2021-03-30 CVE-2021-21630 Jenkins Cross-site Scripting vulnerability in Jenkins Extra Columns

Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

5.4
2021-03-30 CVE-2021-21628 Jenkins Cross-site Scripting vulnerability in Jenkins Build With Parameters

Jenkins Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

5.4
2021-04-02 CVE-2021-30004 W1 FI Improper Input Validation vulnerability in W1.Fi Hostapd and WPA Supplicant

In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c.

5.3
2021-04-01 CVE-2021-22876 Haxx
Fedoraproject
Netapp
Broadcom
Debian
Siemens
Oracle
Splunk
Information Exposure vulnerability in multiple products

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header.

5.3
2021-04-01 CVE-2021-28164 Eclipse
Netapp
Oracle
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory.
5.3
2021-04-01 CVE-2021-20296 Openexr
Debian
NULL Pointer Dereference vulnerability in multiple products

A flaw was found in OpenEXR in versions before 3.0.0-beta.

5.3
2021-03-30 CVE-2021-3476 Openexr
Debian
Integer Overflow or Wraparound vulnerability in multiple products

A flaw was found in OpenEXR's B44 uncompression functionality in versions before 3.0.0-beta.

5.3
2021-03-30 CVE-2021-3475 Openexr
Debian
Integer Overflow or Wraparound vulnerability in multiple products

There is a flaw in OpenEXR in versions before 3.0.0-beta.

5.3
2021-03-30 CVE-2021-3474 Openexr
Debian
Integer Overflow or Wraparound vulnerability in multiple products

There's a flaw in OpenEXR in versions before 3.0.0-beta.

5.3
2021-03-30 CVE-2018-1109 Braces Project Resource Exhaustion vulnerability in Braces Project Braces

A vulnerability was found in Braces versions prior to 2.3.1.

5.3
2021-04-02 CVE-2021-28941 Magpierss Project Server-Side Request Forgery (SSRF) vulnerability in Magpierss Project Magpierss 0.72

Because of no validation on a curl command in MagpieRSS 0.72 in the /extlib/Snoopy.class.inc file, when you send a request to the /scripts/magpie_debug.php or /scripts/magpie_simple.php page, it's possible to request any internal page if you use a https request.

5.0
2021-04-02 CVE-2021-3374 Rstudio Path Traversal vulnerability in Rstudio Shiny Server

Directory traversal in RStudio Shiny Server before 1.5.16 allows attackers to read the application source code, involving an encoded slash.

5.0
2021-04-02 CVE-2021-1761 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved checks.

5.0
2021-04-02 CVE-2021-1764 Apple Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

5.0
2021-04-02 CVE-2019-20465 Sannce Unspecified vulnerability in Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 Firmware

An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices.

5.0
2021-04-02 CVE-2019-20464 Sannce Improper Authentication vulnerability in Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 Firmware

An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices.

5.0
2021-04-01 CVE-2021-23924 Devolutions Information Exposure Through Log Files vulnerability in Devolutions Server

An issue was discovered in Devolutions Server before 2020.3.

5.0
2021-04-01 CVE-2020-19613 Flycms Project Server-Side Request Forgery (SSRF) vulnerability in Flycms Project Flycms 20190503

Server Side Request Forgery (SSRF) vulnerability in saveUrlAs function in ImagesService.java in sunkaifei FlyCMS version 20190503.

5.0
2021-04-01 CVE-2021-29938 Slice Deque Project Double Free vulnerability in Slice-Deque Project Slice-Deque

An issue was discovered in the slice-deque crate through 2021-02-19 for Rust.

5.0
2021-04-01 CVE-2021-29933 Insert Many Project Double Free vulnerability in Insert Many Project Insert Many

An issue was discovered in the insert_many crate through 2021-01-26 for Rust.

5.0
2021-04-01 CVE-2021-29932 Parse Duration Project Allocation of Resources Without Limits or Throttling vulnerability in Parse Duration Project Parse Duration

An issue was discovered in the parse_duration crate through 2021-03-18 for Rust.

5.0
2021-04-01 CVE-2021-29931 Arenavec Project Double Free vulnerability in Arenavec Project Arenavec

An issue was discovered in the arenavec crate through 2021-01-12 for Rust.

5.0
2021-04-01 CVE-2021-29930 Arenavec Project Out-of-bounds Write vulnerability in Arenavec Project Arenavec

An issue was discovered in the arenavec crate through 2021-01-12 for Rust.

5.0
2021-04-01 CVE-2021-29929 Endian Trait Project Double Free vulnerability in Endian Trait Project Endian Trait

An issue was discovered in the endian_trait crate through 2021-01-04 for Rust.

5.0
2021-04-01 CVE-2020-36286 Atlassian Unspecified vulnerability in Atlassian products

The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists & members of groups if they are assigned to publicly visible issue field.

5.0
2021-04-01 CVE-2020-36238 Atlassian Missing Authorization vulnerability in Atlassian products

The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check.

5.0
2021-03-31 CVE-2021-28994 Kopano
Zarafa
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

kopano-ical (formerly zarafa-ical) in Kopano Groupware Core through 8.7.16, 9.x through 9.1.0, 10.x through 10.0.7, and 11.x through 11.0.1 and Zarafa 6.30.x through 7.2.x allows memory exhaustion via long HTTP headers.

5.0
2021-03-31 CVE-2021-27220 Paessler Unspecified vulnerability in Paessler Prtg Network Monitor

An issue was discovered in PRTG Network Monitor before 21.1.66.1623.

5.0
2021-03-31 CVE-2021-23007 F5 Unspecified vulnerability in F5 products

On BIG-IP versions 14.1.4 and 16.0.1.1, when the Traffic Management Microkernel (TMM) process handles certain undisclosed traffic, it may start dropping all fragmented IP traffic.

5.0
2021-03-31 CVE-2021-23004 F5 Unspecified vulnerability in F5 products

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, Multipath TCP (MPTCP) forwarding flows may be created on standard virtual servers without MPTCP enabled in the applied TCP profile.

5.0
2021-03-31 CVE-2021-23003 F5 Unspecified vulnerability in F5 products

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, the Traffic Management Microkernel (TMM) process may produce a core file when undisclosed MPTCP traffic passes through a standard virtual server.

5.0
2021-03-31 CVE-2021-22999 F5 Unspecified vulnerability in F5 products

On versions 15.0.x before 15.1.0 and 14.1.x before 14.1.4, the BIG-IP system provides an option to connect HTTP/2 clients to HTTP/1.x servers.

5.0
2021-03-31 CVE-2021-22998 F5 Unspecified vulnerability in F5 products

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, SYN flood protection thresholds are not enforced in secure network address translation (SNAT) listeners.

5.0
2021-03-31 CVE-2021-22997 F5 Missing Authentication for Critical Function vulnerability in F5 Big-Iq Centralized Management

On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ HA ElasticSearch service does not implement any form of authentication for the clustering transport services, and all data used by ElasticSearch for transport is unencrypted.

5.0
2021-03-31 CVE-2021-22996 F5 Unspecified vulnerability in F5 Big-Iq Centralized Management 7.0.0/7.1.0/7.1.0.1

On all 7.x versions (fixed in 8.0.0), when set up for auto failover, a BIG-IQ Data Collection Device (DCD) cluster member that receives an undisclosed message may cause the corosync process to abort.

5.0
2021-03-31 CVE-2021-21975 Vmware Server-Side Request Forgery (SSRF) vulnerability in VMWare products

Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.

5.0
2021-03-31 CVE-2021-22995 F5 Missing Authentication for Critical Function vulnerability in F5 Big-Iq Centralized Management

On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ high availability (HA) when using a Quorum device for automatic failover does not implement any form of authentication with the Corosync daemon.

5.0
2021-03-31 CVE-2021-3470 Redislabs Out-of-bounds Write vulnerability in Redislabs Redis

A heap overflow issue was found in Redis in versions before 5.0.10, before 6.0.9 and before 6.2.0 when using a heap allocator other than jemalloc or glibc's malloc, leading to potential out of bound write or process crash.

5.0
2021-03-31 CVE-2021-28245 Pbootcms SQL Injection vulnerability in Pbootcms 3.0.4

PbootCMS 3.0.4 contains a SQL injection vulnerability through index.php via the search parameter that can reveal sensitive information through adding an admin account.

5.0
2021-03-30 CVE-2021-29642 Gistpad Project Incorrect Authorization vulnerability in Gistpad Project Gistpad

GistPad before 0.2.7 allows a crafted workspace folder to change the URL for the Gist API, which leads to leakage of GitHub access tokens.

5.0
2021-03-30 CVE-2021-29418 Netmask Project Improper Input Validation vulnerability in Netmask Project Netmask

The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9.

5.0
2021-03-30 CVE-2021-29376 Eterna
Debian
ircII before 20210314 allows remote attackers to cause a denial of service (segmentation fault and client crash, disconnecting the victim from an IRC server) via a crafted CTCP UTC message.
5.0
2021-03-30 CVE-2020-19640 Insma Unspecified vulnerability in Insma Wifi Mini SPY 1080P HD Security IP Camera Firmware 1.9.7B

An issue was discovered in INSMA Wifi Mini Spy 1080P HD Security IP Camera 1.9.7 B.

5.0
2021-03-30 CVE-2018-1110 NIC Improper Input Validation vulnerability in NIC Knot Resolver

A flaw was found in knot-resolver before version 2.3.0.

5.0
2021-03-30 CVE-2018-1107 IS MY Json Valid Project Resource Exhaustion vulnerability in Is-My-Json-Valid Project Is-My-Json-Valid

It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format.

5.0
2021-03-29 CVE-2021-3391 Mobileiron Unspecified vulnerability in Mobileiron Mobile@Work

MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message

5.0
2021-03-29 CVE-2021-28669 Xerox Missing Authorization vulnerability in Xerox products

Xerox AltaLink B80xx before 103.008.020.23120, C8030/C8035 before 103.001.020.23120, C8045/C8055 before 103.002.020.23120 and C8070 before 103.003.020.23120 provide the ability to set configuration attributes without administrative rights.

5.0
2021-03-29 CVE-2021-25143 Arubanetworks
Siemens
A remote denial of service (dos) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 8.3.x: 8.3.0.12 and below; Aruba Instant 8.5.x: 8.5.0.9 and below; Aruba Instant 8.6.x: 8.6.0.4 and below.
5.0
2021-03-29 CVE-2021-28937 Acexy Cleartext Storage of Sensitive Information vulnerability in Acexy Wireless-N Wifi Repeater Firmware 28.08.06.1

The /password.html page of the Web management interface of the Acexy Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) contains the administrator account password in plaintext.

5.0
2021-03-29 CVE-2021-28936 Acexy Incorrect Authorization vulnerability in Acexy Wireless-N Wifi Repeater Firmware 28.08.06.1

The Acexy Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) Web management administrator password can be changed by sending a specially crafted HTTP GET request.

5.0
2021-04-02 CVE-2021-21529 Dell Resource Exhaustion vulnerability in Dell System Update

Dell System Update (DSU) 1.9 and earlier versions contain a denial of service vulnerability.

4.9
2021-04-02 CVE-2021-1786 Apple Unspecified vulnerability in Apple products

A logic issue was addressed with improved state management.

4.9
2021-04-02 CVE-2021-1780 Apple Improper Initialization vulnerability in Apple Ipados and Iphone OS

A memory initialization issue was addressed with improved memory handling.

4.9
2021-04-01 CVE-2021-23923 Devolutions Improper Authentication vulnerability in Devolutions Server

An issue was discovered in Devolutions Server before 2020.3.

4.9
2021-03-29 CVE-2021-27352 Ilch Open Redirect vulnerability in Ilch CMS 2.1.42

An open redirect vulnerability in Ilch CMS version 2.1.42 allows attackers to redirect users to an attacker's site after a successful login.

4.9
2021-04-02 CVE-2021-1802 Apple Improper Privilege Management vulnerability in Apple mac OS X and Macos

A logic issue was addressed with improved state management.

4.6
2021-04-02 CVE-2021-1787 Apple Improper Privilege Management vulnerability in Apple products

Multiple issues were addressed with improved logic.

4.6
2021-04-02 CVE-2021-1757 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved bounds checking.

4.6
2021-04-02 CVE-2021-1751 Apple Unspecified vulnerability in Apple mac OS X and Macos

A logic issue was addressed with improved state management.

4.6
2021-03-30 CVE-2020-19642 Insma Unrestricted Upload of File with Dangerous Type vulnerability in Insma Wifi Mini SPY 1080P HD Security IP Camera Firmware 1.9.7B

An issue was discovered in INSMA Wifi Mini Spy 1080P HD Security IP Camera 1.9.7 B.

4.6
2021-03-29 CVE-2021-27243 Parallels Integer Overflow or Wraparound vulnerability in Parallels Desktop 16.0.1

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.0.1-48919.

4.6
2021-03-29 CVE-2021-27242 Parallels Out-of-bounds Write vulnerability in Parallels Desktop 16.0.1

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.0.1-48919.

4.6
2021-03-29 CVE-2019-5317 Arubanetworks
Siemens
Improper Authentication vulnerability in multiple products

A local authentication bypass vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x: 6.5.4.15 and below; Aruba Instant 8.3.x: 8.3.0.11 and below; Aruba Instant 8.4.x: 8.4.0.5 and below; Aruba Instant 8.5.x: 8.5.0.6 and below; Aruba Instant 8.6.x: 8.6.0.2 and below.

4.6
2021-04-01 CVE-2020-9147 Huawei Classic Buffer Overflow vulnerability in Huawei Emui and Magic UI

A memory buffer error vulnerability exists in a component interface of Huawei Smartphone.

4.4
2021-04-02 CVE-2021-30074 Docsifyjs Cross-site Scripting vulnerability in Docsifyjs Docsify 4.12.1

docsify 4.12.1 is affected by Cross Site Scripting (XSS) because the search component does not appropriately encode Code Blocks and mishandles the " character.

4.3
2021-04-02 CVE-2021-30125 Jamf Cross-site Scripting vulnerability in Jamf

Jamf Pro before 10.28.0 allows XSS related to inventory history, aka PI-009376.

4.3
2021-04-02 CVE-2021-1803 Apple Unspecified vulnerability in Apple Macos 11.0

The issue was addressed with improved permissions logic.

4.3
2021-04-02 CVE-2021-1800 Apple Unspecified vulnerability in Apple Xcode

A path handling issue was addressed with improved validation.

4.3
2021-04-02 CVE-2021-1781 Apple Unspecified vulnerability in Apple products

A privacy issue existed in the handling of Contact cards.

4.3
2021-04-02 CVE-2021-1778 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read issue existed in the curl.

4.3
2021-04-02 CVE-2021-1773 Apple Unspecified vulnerability in Apple products

A logic issue was addressed with improved state management.

4.3
2021-04-02 CVE-2021-1771 Apple Unspecified vulnerability in Apple mac OS X and Macos

This issue was addressed with improved checks.

4.3
2021-04-02 CVE-2021-1766 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved checks.

4.3
2021-04-02 CVE-2021-1760 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved state management.

4.3
2021-04-02 CVE-2020-29639 Apple Out-of-bounds Read vulnerability in Apple Ipados and Iphone OS

An out-of-bounds read was addressed with improved input validation.

4.3
2021-04-02 CVE-2020-29615 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved input validation.

4.3
2021-04-02 CVE-2020-29613 Apple Unspecified vulnerability in Apple Ipados and Iphone OS

A logic issue was addressed with improved state management.

4.3
2021-04-02 CVE-2020-29610 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved input validation.

4.3
2021-04-02 CVE-2020-29608 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved bounds checking.

4.3
2021-04-02 CVE-2020-27949 Apple Unspecified vulnerability in Apple mac OS X and Macos

This issue was addressed with improved checks to prevent unauthorized actions.

4.3
2021-04-02 CVE-2020-27946 Apple Information Exposure vulnerability in Apple products

An information disclosure issue was addressed with improved state management.

4.3
2021-04-02 CVE-2020-27937 Apple Unspecified vulnerability in Apple mac OS X

A logic issue was addressed with improved state management.

4.3
2021-04-02 CVE-2020-27901 Apple Incorrect Authorization vulnerability in Apple Macos 11.0/11.0.1

A logic issue was addressed with improved restrictions.

4.3
2021-04-02 CVE-2020-10008 Apple Unspecified vulnerability in Apple Macos 11.0

A logic issue was addressed with improved restrictions.

4.3
2021-04-02 CVE-2020-10001 Apple
Debian
Improper Input Validation vulnerability in multiple products

An input validation issue was addressed with improved memory handling.

4.3
2021-04-02 CVE-2021-22202 Gitlab Cross-Site Request Forgery (CSRF) vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all previous versions.

4.3
2021-04-02 CVE-2021-22200 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6.

4.3
2021-04-02 CVE-2020-11922 Wizconnected Information Exposure vulnerability in Wizconnected A60 Colors Firmware 1.14.0

An issue was discovered in WiZ Colors A60 1.14.0.

4.3
2021-04-02 CVE-2021-28124 Cohesity Missing Authentication for Critical Function vulnerability in Cohesity Dataplatform

A man-in-the-middle vulnerability in Cohesity DataPlatform support channel in version 6.3 up to 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through 6.5.1b.

4.3
2021-04-02 CVE-2021-21400 Wire Information Exposure vulnerability in Wire Wire-Webapp

wire-webapp is an open-source front end for Wire, a secure collaboration platform.

4.3
2021-04-02 CVE-2021-29011 Dmasoftlab Cross-site Scripting vulnerability in Dmasoftlab DMA Radius Manager 4.4.0

DMA Softlab Radius Manager 4.4.0 is affected by Cross Site Scripting (XSS) via the description, name, or address field (under admin.php).

4.3
2021-04-02 CVE-2021-25894 Magnolia CMS Cross-site Scripting vulnerability in Magnolia-Cms Magnolia CMS

Magnolia CMS from 6.1.3 to 6.2.3 contains a stored cross-site scripting (XSS) vulnerability in the /magnoliaPublic/travel/members/login.html mgnlUserId parameter.

4.3
2021-04-01 CVE-2021-23925 Devolutions Cross-site Scripting vulnerability in Devolutions Server

An issue was discovered in Devolutions Server before 2020.3.

4.3
2021-04-01 CVE-2021-26580 HPE Cross-site Scripting vulnerability in HPE Integrated Lights-Out Amplifier 1.80

A potential security vulnerability has been identified in HPE iLO Amplifier Pack.

4.3
2021-04-01 CVE-2021-28546 Adobe Missing Support for Integrity Check vulnerability in Adobe products

Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are missing support for an integrity check.

4.3
2021-04-01 CVE-2021-20234 Zeromq Memory Leak vulnerability in Zeromq Libzmq

An uncontrolled resource consumption (memory leak) flaw was found in the ZeroMQ client in versions before 4.3.3 in src/pipe.cpp.

4.3
2021-03-31 CVE-2021-29349 Mahara Cross-Site Request Forgery (CSRF) vulnerability in Mahara 20.10

Mahara 20.10 is affected by Cross Site Request Forgery (CSRF) that allows a remote attacker to remove inbox-mail on the server.

4.3
2021-03-31 CVE-2021-27349 Algolplus Cross-site Scripting vulnerability in Algolplus Advanced Order Export

Advanced Order Export before 3.1.8 for WooCommerce allows XSS, a different vulnerability than CVE-2020-11727.

4.3
2021-03-31 CVE-2021-23006 F5 Cross-site Scripting vulnerability in F5 Big-Iq Centralized Management

On all 7.x and 6.x versions (fixed in 8.0.0), undisclosed BIG-IQ pages have a reflected cross-site scripting vulnerability.

4.3
2021-03-31 CVE-2021-23000 F5 Unspecified vulnerability in F5 products

On BIG-IP versions 13.1.3.4-13.1.3.6 and 12.1.5.2, if the tmm.http.rfc.enforcement BigDB key is enabled in a BIG-IP system, or the Bad host header value is checked in the AFM HTTP security profile associated with a virtual server, in rare instances, a specific sequence of malicious requests may cause TMM to restart.

4.3
2021-03-31 CVE-2021-22994 F5 Cross-site Scripting vulnerability in F5 products

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role.

4.3
2021-03-31 CVE-2021-23986 Mozilla Origin Validation Error vulnerability in Mozilla Firefox

A malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL.

4.3
2021-03-31 CVE-2021-23985 Mozilla Unspecified vulnerability in Mozilla Firefox

If an attacker is able to alter specific about:config values (for example malware running on the user's computer), the Devtools remote debugging feature could have been enabled in a way that was unnoticable to the user.

4.3
2021-03-31 CVE-2021-23984 Mozilla Authentication Bypass by Spoofing vulnerability in Mozilla Firefox

A malicious extension could have opened a popup window lacking an address bar.

4.3
2021-03-31 CVE-2021-23983 Mozilla Out-of-bounds Write vulnerability in Mozilla Firefox

By causing a transition on a parent node by removing a CSS rule, an invalid property for a marker could have been applied, resulting in memory corruption and a potentially exploitable crash.

4.3
2021-03-31 CVE-2021-23982 Mozilla Inadequate Encryption Strength vulnerability in Mozilla Firefox

Using techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing WebRTC connections.

4.3
2021-03-30 CVE-2021-27266 Foxitsoftware Out-of-bounds Read vulnerability in Foxitsoftware Foxit Reader

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PhantomPDF 10.1.0.37527.

4.3
2021-03-30 CVE-2021-27265 Foxitsoftware Out-of-bounds Read vulnerability in Foxitsoftware Foxit Reader

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PhantomPDF 10.1.0.37527.

4.3
2021-03-30 CVE-2021-27264 Foxitsoftware Out-of-bounds Read vulnerability in Foxitsoftware Foxit Reader

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PhantomPDF 10.1.0.37527.

4.3
2021-03-30 CVE-2021-27263 Foxitsoftware Out-of-bounds Read vulnerability in Foxitsoftware Foxit Reader

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PhantomPDF 10.1.0.37527.

4.3
2021-03-30 CVE-2021-27262 Foxitsoftware Out-of-bounds Read vulnerability in Foxitsoftware Foxit Reader

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PhantomPDF 10.1.0.37527.

4.3
2021-03-30 CVE-2021-21636 Jenkins Missing Authorization vulnerability in Jenkins Team Foundation Server

A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.

4.3
2021-03-30 CVE-2021-21631 Jenkins Missing Authorization vulnerability in Jenkins Cloud Statistics

Jenkins Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages.

4.3
2021-03-30 CVE-2020-19643 Insma Cross-site Scripting vulnerability in Insma Wifi Mini SPY 1080P HD Security IP Camera Firmware 1.9.7B

Cross Site Scripting (XSS) vulnerability in INSMA Wifi Mini Spy 1080P HD Security IP Camera 1.9.7 B via all fields in the FTP settings page to the "goform/formSetFtpCfg" settings page.

4.3
2021-03-30 CVE-2021-25161 Arubanetworks
Siemens
Cross-site Scripting vulnerability in multiple products

A remote cross-site scripting (xss) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba Instant 8.7.x: 8.7.1.1 and below.

4.3
2021-03-30 CVE-2021-25158 Arubanetworks
Siemens
Race Condition vulnerability in multiple products

A remote arbitrary file read vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba Instant 8.7.x: 8.7.1.1 and below.

4.3
2021-03-29 CVE-2021-29416 Portswigger Unspecified vulnerability in Portswigger Burp Suite

An issue was discovered in PortSwigger Burp Suite before 2021.2.

4.3
2021-03-29 CVE-2021-29267 Sherlockim Cross-site Scripting vulnerability in Sherlockim

Sherlock SherlockIM through 2021-03-29 allows Cross Site Scripting (XSS) by leveraging the api/Files/Attachment URI to attack help-desk staff via the chatbot feature.

4.3
2021-03-29 CVE-2021-29274 Redmine Cross-site Scripting vulnerability in Redmine

Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip.

4.3
2021-04-02 CVE-2021-21533 Dell Improper Input Validation vulnerability in Dell Wyse Management Suite

Wyse Management Suite versions up to 3.2 contains a vulnerability wherein a malicious authenticated user can cause a denial of service in the job status retrieval page, also affecting other users that would have normally access to the same subset of job details

4.0
2021-04-02 CVE-2020-21590 Wuzhicms Path Traversal vulnerability in Wuzhicms 4.1.0

Directory traversal in coreframe/app/template/admin/index.php in WUZHI CMS 4.1.0 allows attackers to list files in arbitrary directories via the dir parameter.

4.0
2021-04-02 CVE-2020-27893 Apple Unspecified vulnerability in Apple Macos 11.0

An issue existed in screen sharing.

4.0
2021-04-02 CVE-2021-22201 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9.

4.0
2021-04-02 CVE-2021-22198 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above allowing an authenticated user to delete incident metric images of public projects.

4.0
2021-04-02 CVE-2021-22197 Gitlab Infinite Loop vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 where an infinite loop exist when an authenticated user with specific rights access a MR having source and target branch pointing to each other

4.0
2021-04-01 CVE-2021-28970 Fireeye SQL Injection vulnerability in Fireeye Email Malware Protection System 9.0.1.923211

eMPS 9.0.1.923211 on the Central Management of FireEye EX 3500 devices allows remote authenticated users to conduct SQL injection attacks via the job_id parameter to the email search feature.

4.0
2021-04-01 CVE-2021-28969 Fireeye SQL Injection vulnerability in Fireeye Email Malware Protection System 9.0.1.923211

eMPS 9.0.1.923211 on FireEye EX 3500 devices allows remote authenticated users to conduct SQL injection attacks via the sort_by parameter to the email search feature.

4.0
2021-04-01 CVE-2021-27653 Pega Unspecified vulnerability in Pega Infinity

Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure.

4.0
2021-04-01 CVE-2021-26581 HPE Unspecified vulnerability in HPE Superdome Flex Server Firmware 3.20.186/3.20.206/3.25.46

A potential security vulnerability has been identified in HPE Superdome Flex server.

4.0
2021-04-01 CVE-2021-26072 Atlassian Server-Side Request Forgery (SSRF) vulnerability in Atlassian Confluence Data Center and Confluence Server

The WidgetConnector plugin in Confluence Server and Confluence Data Center before version 5.8.6 allowed remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability.

4.0
2021-04-01 CVE-2021-22177 Gitlab Resource Exhaustion vulnerability in Gitlab

Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command.

4.0
2021-03-31 CVE-2021-23001 F5 Unrestricted Upload of File with Dangerous Type vulnerability in F5 products

On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, the upload functionality in BIG-IP Advanced WAF and BIG-IP ASM allows an authenticated user to upload files to the BIG-IP system using a call to an undisclosed iControl REST endpoint.

4.0
2021-03-30 CVE-2021-25160 Arubanetworks
Siemens
A remote arbitrary file modification vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba Instant 8.7.x: 8.7.1.1 and below.
4.0
2021-03-30 CVE-2021-25157 Arubanetworks
Siemens
A remote arbitrary file read vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.6 and below; Aruba Instant 8.7.x: 8.7.1.0 and below.
4.0
2021-03-30 CVE-2021-25156 Arubanetworks
Siemens
A remote arbitrary directory create vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.6 and below; Aruba Instant 8.7.x: 8.7.1.0 and below.
4.0

51 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-04-01 CVE-2021-22890 Haxx
Fedoraproject
Netapp
Broadcom
Debian
Siemens
Oracle
Splunk
Authentication Bypass by Spoofing vulnerability in multiple products

curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets.

3.7
2021-03-30 CVE-2020-15075 Openvpn Link Following vulnerability in Openvpn Connect

OpenVPN Connect installer for macOS version 3.2.6 and older may corrupt system critical files it should not have access via symlinks in /tmp.

3.6
2021-03-29 CVE-2021-27241 Avast Link Following vulnerability in Avast Premium Security 20.8.2429

This vulnerability allows local attackers to delete arbitrary directories on affected installations of Avast Premium Security 20.8.2429 (Build 20.8.5653.561).

3.6
2021-04-02 CVE-2021-29661 Softing Cross-site Scripting vulnerability in Softing OPC Toolbox

Softing AG OPC Toolbox through 4.10.1.13035 allows /en/diag_values.html Stored XSS via the ITEMLISTVALUES##ITEMID parameter, resulting in JavaScript payload injection into the trace file.

3.5
2021-04-02 CVE-2021-22196 Gitlab Cross-site Scripting vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4.

3.5
2021-04-02 CVE-2021-25893 Magnolia CMS Cross-site Scripting vulnerability in Magnolia-Cms Magnolia CMS

Magnolia CMS from 6.1.3 to 6.2.3 contains a stored cross-site scripting (XSS) vulnerability in the setText parameter of /magnoliaAuthor/.magnolia/.

3.5
2021-04-02 CVE-2021-30003 Nokia Cross-site Scripting vulnerability in Nokia G-120W-F Firmware 3Fe46606Agab91

An issue was discovered on Nokia G-120W-F 3FE46606AGAB91 devices.

3.5
2021-04-01 CVE-2021-23922 Devolutions Cross-site Scripting vulnerability in Devolutions Remote Desktop Manager

An issue was discovered in Devolutions Remote Desktop Manager before 2020.2.12.

3.5
2021-04-01 CVE-2021-21416 Django Registration Project Information Exposure Through an Error Message vulnerability in Django-Registration Project Django-Registration

django-registration is a user registration package for Django.

3.5
2021-04-01 CVE-2021-28047 Devolutions Cross-site Scripting vulnerability in Devolutions Remote Desktop Manager

Cross-Site Scripting (XSS) in Administrative Reports in Devolutions Remote Desktop Manager before 2021.1 allows remote authenticated users to inject arbitrary web script or HTML via multiple input fields.

3.5
2021-04-01 CVE-2020-19619 Mblog Project Cross-site Scripting vulnerability in Mblog Project Mblog 3.5.0

Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the signature field to /settings/profile.

3.5
2021-04-01 CVE-2020-19618 Mblog Project Cross-site Scripting vulnerability in Mblog Project Mblog 3.5.0

Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the post content field to /post/editing.

3.5
2021-04-01 CVE-2020-19617 Mblog Project Cross-site Scripting vulnerability in Mblog Project Mblog 3.5.0

Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the nickname field to /settings/profile.

3.5
2021-04-01 CVE-2020-19616 Mblog Project Cross-site Scripting vulnerability in Mblog Project Mblog 3.5.0

Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the post header field to /post/editing.

3.5
2021-04-01 CVE-2021-3393 Postgresql
Redhat
Information Exposure Through an Error Message vulnerability in multiple products

An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11.

3.5
2021-04-01 CVE-2021-29251 Btcpayserver Unspecified vulnerability in Btcpayserver Btcpay Server

BTCPay Server before 1.0.7.1 mishandles the policy setting in which users can register (in Server Settings > Policies).

3.5
2021-04-01 CVE-2021-26071 Atlassian Cross-Site Request Forgery (CSRF) vulnerability in Atlassian products

The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability.

3.5
2021-03-31 CVE-2021-29663 Course Registration Management System Project Cross-site Scripting vulnerability in Course Registration Management System Project Course Registration Management System 2.1

CourseMS (aka Course Registration Management System) 2.1 is affected by cross-site scripting (XSS).

3.5
2021-03-31 CVE-2021-21418 Prestashop Cross-site Scripting vulnerability in Prestashop PS Emailsubscription

ps_emailsubscription is a newsletter subscription module for the PrestaShop platform.

3.5
2021-03-30 CVE-2021-20520 IBM Cross-site Scripting vulnerability in IBM products

IBM Jazz Foundation Products are vulnerable to cross-site scripting.

3.5
2021-03-30 CVE-2021-20518 IBM Cross-site Scripting vulnerability in IBM products

IBM Jazz Foundation Products are vulnerable to cross-site scripting.

3.5
2021-03-30 CVE-2021-20506 IBM Cross-site Scripting vulnerability in IBM products

IBM Jazz Foundation Products are vulnerable to cross-site scripting.

3.5
2021-03-30 CVE-2021-20504 IBM Cross-site Scripting vulnerability in IBM products

IBM Jazz Foundation Products are vulnerable to cross-site scripting.

3.5
2021-03-30 CVE-2021-20503 IBM Cross-site Scripting vulnerability in IBM products

IBM Jazz Foundation Products are vulnerable to cross-site scripting.

3.5
2021-03-30 CVE-2021-20447 IBM Cross-site Scripting vulnerability in IBM products

IBM Jazz Foundation Products are vulnerable to cross-site scripting.

3.5
2021-03-30 CVE-2021-20352 IBM Cross-site Scripting vulnerability in IBM products

IBM Jazz Foundation Products are vulnerable to cross-site scripting.

3.5
2021-03-30 CVE-2021-21398 Prestashop Cross-site Scripting vulnerability in Prestashop 1.7.7.0

PrestaShop is a fully scalable open source e-commerce solution.

3.5
2021-03-30 CVE-2021-28935 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.15

CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > Title field.

3.5
2021-03-30 CVE-2020-20545 Seeyon Cross-site Scripting vulnerability in Seeyon G6 Government Collaborative System 6.1

Cross-Site Scripting (XSS) vulnerability in Zhiyuan G6 Government Collaboration System V6.1SP1, via the 'method' parameter to 'seeyon/hrSalary.do'.

3.5
2021-04-02 CVE-2020-29623 Apple
Fedoraproject
Webkitgtk
"Clear History and Website Data" did not clear the history.
3.3
2021-03-30 CVE-2021-25145 Arubanetworks
Siemens
A remote unauthorized disclosure of information vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.5 and below; Aruba Instant 8.7.x: 8.7.0.0 and below.
3.3
2021-04-02 CVE-2020-9978 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved setting propagation.

2.7
2021-04-01 CVE-2021-28163 Eclipse
Fedoraproject
Apache
Netapp
Oracle
Link Following vulnerability in multiple products

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

2.7
2021-03-31 CVE-2021-23002 F5 Unspecified vulnerability in F5 products

When using BIG-IP APM 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, or all 12.1.x and 11.6.x versions or Edge Client versions 7.2.1.x before 7.2.1.1, 7.1.9.x before 7.1.9.8, or 7.1.8.x before 7.1.8.5, the session ID is visible in the arguments of the f5vpn.exe command when VPN is launched from the browser on a Windows system.

2.7
2021-04-02 CVE-2020-21588 Coreftp Classic Buffer Overflow vulnerability in Coreftp Core FTP 2.2

Buffer overflow in Core FTP LE v2.2 allows local attackers to cause a denial or service (crash) via a long string in the Setup->Users->Username editbox.

2.1
2021-04-02 CVE-2021-1797 Apple Unspecified vulnerability in Apple products

The issue was addressed with improved permissions logic.

2.1
2021-04-02 CVE-2020-11924 Wizconnected Cleartext Storage of Sensitive Information vulnerability in Wizconnected Colors A60 Firmware 1.14.0

An issue was discovered in WiZ Colors A60 1.14.0.

2.1
2021-04-02 CVE-2020-11923 Wizconnected Cleartext Storage of Sensitive Information vulnerability in Wizconnected WIZ 1.14.0

An issue was discovered in WiZ Colors A60 1.14.0.

2.1
2021-04-02 CVE-2021-1769 Apple Unspecified vulnerability in Apple products

A logic issue was addressed with improved validation.

2.1
2021-04-02 CVE-2021-1756 Apple Unspecified vulnerability in Apple Ipados and Iphone OS

A lock screen issue allowed access to contacts on a locked device.

2.1
2021-04-02 CVE-2021-1755 Apple Missing Authorization vulnerability in Apple Macos 11.0

A lock screen issue allowed access to contacts on a locked device.

2.1
2021-04-02 CVE-2020-29621 Apple Missing Authorization vulnerability in Apple mac OS X and Macos

This issue was addressed with improved checks.

2.1
2021-04-02 CVE-2021-30002 Linux
Debian
An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists.
2.1
2021-04-01 CVE-2021-26718 Kaspersky Incorrect Authorization vulnerability in Kaspersky Internet Security

KIS for macOS in some use cases was vulnerable to AV bypass that potentially allowed an attacker to disable anti-virus protection.

2.1
2021-04-01 CVE-2020-9149 Huawei Unspecified vulnerability in Huawei Emui and Magic UI

An application error verification vulnerability exists in a component interface of Huawei Smartphone.

2.1
2021-04-01 CVE-2020-9148 Huawei Unspecified vulnerability in Huawei Emui and Magic UI

An application bypass mechanism vulnerability exists in a component interface of Huawei Smartphone.

2.1
2021-03-30 CVE-2021-26579 HPE Use of Hard-coded Credentials vulnerability in HPE Unified Data Management 1.2009.0/1.2101.0

A security vulnerability in HPE Unified Data Management (UDM) could allow the local disclosure of privileged information (CWE-321: Use of Hard-coded Cryptographic Key in a product).

2.1
2021-03-30 CVE-2020-4944 IBM Cleartext Storage of Sensitive Information vulnerability in IBM Urbancode Deploy

IBM UrbanCode Deploy (UCD) 7.0.3.0, 7.0.4.0, 7.0.5.3, 7.0.5.4, 7.1.0.0, 7.1.1.0, 7.1.1.1, and 7.1.1.2, stores keystore passwords in plain text after a manual edit, which can be read by a local user.

2.1
2021-03-30 CVE-2020-4884 IBM Cleartext Storage of Sensitive Information vulnerability in IBM Urbancode Deploy 6.2.7.9/7.0.5.4/7.1.1.1

IBM UrbanCode Deploy (UCD) 6.2.7.9, 7.0.5.4, and 7.1.1.1 stores user credentials in plain in clear text which can be read by a local user.

2.1
2021-03-29 CVE-2021-27244 Parallels Out-of-bounds Read vulnerability in Parallels Desktop 16.0.1

This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 16.0.1-48919.

2.1
2021-04-01 CVE-2020-9146 Huawei Missing Release of Resource after Effective Lifetime vulnerability in Huawei Emui and Magic UI

A memory buffer error vulnerability exists in a component interface of Huawei Smartphone.

1.9