Weekly Vulnerabilities Reports > April 5 to 11, 2021
Overview
339 new vulnerabilities reported during this period, including 19 critical vulnerabilities and 88 high severity vulnerabilities. This weekly summary report vulnerabilities in 809 products from 140 vendors including Asus, Cisco, Fedoraproject, Debian, and Google. Vulnerabilities are notably categorized as "Cross-site Scripting", "Classic Buffer Overflow", "Cross-Site Request Forgery (CSRF)", "SQL Injection", and "Path Traversal".
- 284 reported vulnerabilities are remotely exploitables.
- 1 reported vulnerabilities have public exploit available.
- 111 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 217 reported vulnerabilities are exploitable by an anonymous user.
- Asus has the most reported vulnerabilities, with 37 reported vulnerabilities.
- Cisco has the most reported critical vulnerabilities, with 4 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
19 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-04-10 | CVE-2021-20020 | Sonicwall | Improper Authentication vulnerability in Sonicwall Global Management System 9.3 A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root. | 10.0 |
2021-04-06 | CVE-2021-24026 | Out-of-bounds Write vulnerability in Whatsapp A missing bounds check within the audio decoding pipeline for WhatsApp calls in WhatsApp for Android prior to v2.21.3, WhatsApp Business for Android prior to v2.21.3, WhatsApp for iOS prior to v2.21.32, and WhatsApp Business for iOS prior to v2.21.32 could have allowed an out-of-bounds write. | 10.0 | |
2021-04-11 | CVE-2021-28879 | Rust Lang Fedoraproject | Integer Overflow or Wraparound vulnerability in multiple products In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer overflow. | 9.8 |
2021-04-08 | CVE-2021-22507 | Microfocus | Improper Authentication vulnerability in Microfocus Operations Bridge Manager Authentication bypass vulnerability in Micro Focus Operations Bridge Manager affects versions 2019.05, 2019.11, 2020.05 and 2020.10. | 9.8 |
2021-04-08 | CVE-2021-1479 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco Catalyst Sd-Wan Manager and Sd-Wan Vmanage Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or allow an authenticated, local attacker to gain escalated privileges on an affected system. | 9.8 |
2021-04-08 | CVE-2021-1473 | Cisco | OS Command Injection vulnerability in Cisco products Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. | 9.8 |
2021-04-08 | CVE-2021-1472 | Cisco | Improper Authentication vulnerability in Cisco products Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. | 9.8 |
2021-04-08 | CVE-2021-1459 | Cisco | Improper Input Validation vulnerability in Cisco products A vulnerability in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. | 9.8 |
2021-04-07 | CVE-2021-21425 | Getgrav | Unspecified vulnerability in Getgrav Grav-Plugin-Admin Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. | 9.8 |
2021-04-07 | CVE-2021-26709 | D Link | Out-of-bounds Write vulnerability in D-Link Dsl-320B-D1 D-Link DSL-320B-D1 devices through EU_1.25 are prone to multiple Stack-Based Buffer Overflows that allow unauthenticated remote attackers to take over a device via the login.xgi user and pass parameters. | 9.8 |
2021-04-05 | CVE-2021-20307 | Libpano13 Project Fedoraproject Debian | Use of Externally-Controlled Format String vulnerability in multiple products Format string vulnerability in panoFileOutputNamesCreate() in libpano13 2.9.20~rc2+dfsg-3 and earlier can lead to read and write arbitrary memory values. | 9.8 |
2021-04-05 | CVE-2021-24171 | Woocommerce | Unrestricted Upload of File with Dangerous Type vulnerability in Woocommerce Upload Files The WooCommerce Upload Files WordPress plugin before 59.4 ran a single sanitization pass to remove blocked extensions such as .php. | 9.8 |
2021-04-07 | CVE-2020-11251 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Out-of-bounds read vulnerability while accessing DTMF payload due to lack of check of buffer length before copying in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 9.4 |
2021-04-07 | CVE-2020-11247 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Out of bound memory read while unpacking data due to lack of offset length check in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 9.4 |
2021-04-07 | CVE-2020-11191 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Out of bound read occurs while processing crafted SDP due to lack of check of null string in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 9.4 |
2021-04-06 | CVE-2021-30045 | Serenityos | Classic Buffer Overflow vulnerability in Serenityos 20210327 SerenityOS 2021-03-27 contains a buffer overflow vulnerability in the EndOfCentralDirectory::read() function. | 9.1 |
2021-04-09 | CVE-2021-30480 | Zoom | Unspecified vulnerability in Zoom Chat 20210409 Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. | 9.0 |
2021-04-08 | CVE-2021-30462 | Vestacp | Missing Authentication for Critical Function vulnerability in Vestacp Vesta Control Panel VestaCP through 0.9.8-24 allows the admin user to escalate privileges to root because the Sudo configuration does not require a password to run /usr/local/vesta/bin scripts. | 9.0 |
2021-04-07 | CVE-2021-26758 | Litespeedtech | Improper Privilege Management vulnerability in Litespeedtech Openlitespeed 1.7.8 Privilege Escalation in LiteSpeed Technologies OpenLiteSpeed web server version 1.7.8 allows attackers to gain root terminal access and execute commands on the host system. | 9.0 |
88 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-04-09 | CVE-2021-21199 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in Aura in Google Chrome on Linux prior to 89.0.4389.114 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-04-09 | CVE-2021-21197 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-04-09 | CVE-2021-21196 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in TabStrip in Google Chrome on Windows prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-04-09 | CVE-2021-21195 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-04-09 | CVE-2021-21194 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2021-04-09 | CVE-2021-21433 | Demon1A | OS Command Injection vulnerability in Demon1A Discord-Recon 0.0.1 Discord Recon Server is a bot that allows you to do your reconnaissance process from your Discord. | 8.8 |
2021-04-09 | CVE-2020-13592 | Rukovoditel | SQL Injection vulnerability in Rukovoditel 2.7.2 An exploitable SQL injection vulnerability exists in "global_lists/choices" page of the Rukovoditel Project Management App 2.7.2. | 8.8 |
2021-04-09 | CVE-2020-13591 | Rukovoditel | SQL Injection vulnerability in Rukovoditel 2.7.2 An exploitable SQL injection vulnerability exists in the "access_rules/rules_form" page of the Rukovoditel Project Management App 2.7.2. | 8.8 |
2021-04-09 | CVE-2020-13587 | Rukovoditel | SQL Injection vulnerability in Rukovoditel 2.7.2 An exploitable SQL injection vulnerability exists in the "forms_fields_rules/rules" page of the Rukovoditel Project Management App 2.7.2. | 8.8 |
2021-04-09 | CVE-2020-21884 | Indionetworks | Cross-Site Request Forgery (CSRF) vulnerability in Indionetworks products Unibox SMB 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a cross-site request forgery (CSRF) vulnerability in /tools/network-trace, /list_users, /list_byod?usertype=raduser, /dhcp_leases, /go?rid=202 in which a specially crafted HTTP request may reconfigure the device. | 8.8 |
2021-04-09 | CVE-2020-21883 | Indionetworks | OS Command Injection vulnerability in Indionetworks products Unibox U-50 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a OS command injection vulnerability in /tools/ping, which can leads to complete device takeover. | 8.8 |
2021-04-08 | CVE-2021-1362 | Cisco | Code Injection vulnerability in Cisco products A vulnerability in the SOAP API endpoint of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, Cisco Unity Connection, and Cisco Prime License Manager could allow an authenticated, remote attacker to execute arbitrary code on an affected device. | 8.8 |
2021-04-08 | CVE-2021-1309 | Cisco | Memory Leak vulnerability in Cisco products Multiple vulnerabilities exist in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Small Business RV Series Routers. | 8.8 |
2021-04-07 | CVE-2021-30123 | Ffmpeg | Classic Buffer Overflow vulnerability in Ffmpeg 4.4 FFmpeg <=4.3 contains a buffer overflow vulnerability in libavcodec through a crafted file that may lead to remote code execution. | 8.8 |
2021-04-05 | CVE-2021-24163 | Ninjaforms | Missing Authorization vulnerability in Ninjaforms Ninja Forms The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 and retrieve the client_secret key needed to establish the SendWP connection while also installing the SendWP plugin. | 8.8 |
2021-04-05 | CVE-2021-24159 | Rocklobster | Cross-Site Request Forgery (CSRF) vulnerability in Rocklobster Contact Form 7 Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9. | 8.8 |
2021-04-08 | CVE-2021-1474 | Cisco | Improper Neutralization of Formula Elements in a CSV File vulnerability in Cisco Umbrella Multiple vulnerabilities in the Admin audit log export feature and Scheduled Reports feature of Cisco Umbrella could allow an authenticated, remote attacker to perform formula and link injection attacks on an affected device. | 8.6 |
2021-04-09 | CVE-2021-21431 | Mirahezebots | Unspecified vulnerability in Mirahezebots Channelmgnt sopel-channelmgnt is a channelmgnt plugin for sopel. | 8.1 |
2021-04-06 | CVE-2020-13422 | Openiam | Missing Authorization vulnerability in Openiam OpenIAM before 4.2.0.3 does not verify if a user has permissions to perform /webconsole/rest/api/* administrative actions. | 8.1 |
2021-04-05 | CVE-2021-20305 | Nettle Project Redhat Fedoraproject Netapp Debian | Out-of-bounds Write vulnerability in multiple products A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. | 8.1 |
2021-04-08 | CVE-2021-29154 | Linux Fedoraproject Debian Netapp | Command Injection vulnerability in multiple products BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. | 7.8 |
2021-04-08 | CVE-2020-23539 | Realtek | NULL Pointer Dereference vulnerability in Realtek Rtl8723De Firmware An issue was discovered in Realtek rtl8723de BLE Stack <= 4.1 that allows remote attackers to cause a Denial of Service via the interval field to the CONNECT_REQ message. | 7.8 |
2021-04-08 | CVE-2021-1252 | Clamav | Infinite Loop vulnerability in Clamav 0.103.0/0.103.1 A vulnerability in the Excel XLM macro parsing module in Clam AntiVirus (ClamAV) Software versions 0.103.0 and 0.103.1 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. | 7.8 |
2021-04-08 | CVE-2021-1485 | Cisco | Argument Injection or Modification vulnerability in Cisco IOS XR A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges on the underlying Linux operating system (OS) of an affected device. | 7.8 |
2021-04-08 | CVE-2021-1480 | Cisco | Improper Input Validation vulnerability in Cisco Catalyst Sd-Wan Manager and Sd-Wan Vmanage Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or allow an authenticated, local attacker to gain escalated privileges on an affected system. | 7.8 |
2021-04-08 | CVE-2021-1386 | Cisco | Uncontrolled Search Path Element vulnerability in Cisco products A vulnerability in the dynamic link library (DLL) loading mechanism in Cisco Advanced Malware Protection (AMP) for Endpoints Windows Connector, ClamAV for Windows, and Immunet could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected Windows system. | 7.8 |
2021-04-08 | CVE-2021-1137 | Cisco | Improper Input Validation vulnerability in Cisco Catalyst Sd-Wan Manager and Sd-Wan Vmanage Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or allow an authenticated, local attacker to gain escalated privileges on an affected system. | 7.8 |
2021-04-07 | CVE-2020-24136 | Wcms | Path Traversal vulnerability in Wcms 0.3.2 Directory traversal in Wcms 0.3.2 allows an attacker to read arbitrary files on the server that is running an application via the pagename parameter to wex/html.php. | 7.8 |
2021-04-07 | CVE-2021-30184 | GNU Fedoraproject | Classic Buffer Overflow vulnerability in multiple products GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted PGN (Portable Game Notation) data. | 7.8 |
2021-04-07 | CVE-2020-11255 | Qualcomm | Memory Leak vulnerability in Qualcomm products Denial of service while processing RTCP packets containing multiple SDES reports due to memory for last SDES packet is freed and rest of the memory is leaked in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Wearables | 7.8 |
2021-04-07 | CVE-2020-11243 | Qualcomm | Improper Handling of Exceptional Conditions vulnerability in Qualcomm products RRC sends a connection establishment success to NAS even though connection setup validation returns failure and leads to denial of service in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile | 7.8 |
2021-04-07 | CVE-2020-11236 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Memory corruption due to invalid value of total dimension in the non-histogram type KPI could lead to a denial of service in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile | 7.8 |
2021-04-06 | CVE-2021-28874 | Serenityos | Classic Buffer Overflow vulnerability in Serenityos 20191230 SerenityOS fixed as of c9f25bca048443e317f1994ba9b106f2386688c3 contains a buffer overflow vulnerability in LibTextCode through opening a crafted file. | 7.8 |
2021-04-11 | CVE-2021-28878 | Rust Lang Fedoraproject | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once for the same index (under certain conditions) when next_back() and next() are used together. | 7.5 |
2021-04-11 | CVE-2021-28877 | Rust Lang | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Rust-Lang Rust In the standard library in Rust before 1.51.0, the Zip implementation calls __iterator_get_unchecked() for the same index more than once when nested. | 7.5 |
2021-04-11 | CVE-2021-28875 | Rust Lang | Unchecked Return Value vulnerability in Rust-Lang Rust In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. | 7.5 |
2021-04-11 | CVE-2020-36318 | Rust Lang | Use After Free vulnerability in Rust-Lang Rust 1.48.0 In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. | 7.5 |
2021-04-09 | CVE-2021-25360 | Out-of-bounds Write vulnerability in Google Android 10.0 An improper input validation vulnerability in libswmfextractor library prior to SMR APR-2021 Release 1 allows attackers to execute arbitrary code on mediaextractor process. | 7.5 | |
2021-04-09 | CVE-2021-20021 | Sonicwall | Improper Privilege Management vulnerability in Sonicwall Email Security and Hosted Email Security A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host. | 7.5 |
2021-04-09 | CVE-2020-23763 | Online Book Store Project | SQL Injection vulnerability in Online Book Store Project Online Book Store 1.0 SQL injection in admin.php in Online Book Store 1.0 allows remote attackers to execute arbitrary SQL commands and bypass authentication. | 7.5 |
2021-04-08 | CVE-2020-23426 | Zzcms | Improper Privilege Management vulnerability in Zzcms 201910 zzcms 201910 contains an access control vulnerability through escalation of privileges in /user/adv.php, which allows an attacker to modify data for further attacks such as CSRF. | 7.5 |
2021-04-08 | CVE-2021-28925 | Nagios | SQL Injection vulnerability in Nagios Network Analyzer SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 via the o[col] parameter to api/checks/read/. | 7.5 |
2021-04-07 | CVE-2021-30457 | ID MAP Project | Double Free vulnerability in Id-Map Project Id-Map An issue was discovered in the id-map crate through 2021-02-26 for Rust. | 7.5 |
2021-04-07 | CVE-2021-30456 | ID MAP Project | Double Free vulnerability in Id-Map Project Id-Map An issue was discovered in the id-map crate through 2021-02-26 for Rust. | 7.5 |
2021-04-07 | CVE-2021-30455 | ID MAP Project | Double Free vulnerability in Id-Map Project Id-Map An issue was discovered in the id-map crate through 2021-02-26 for Rust. | 7.5 |
2021-04-07 | CVE-2021-30454 | Outer CGI Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Outer CGI Project Outer CGI An issue was discovered in the outer_cgi crate before 0.2.1 for Rust. | 7.5 |
2021-04-07 | CVE-2020-24140 | Wcms | Server-Side Request Forgery (SSRF) vulnerability in Wcms 0.3.2 Server-side request forgery in Wcms 0.3.2 let an attacker send crafted requests from the back-end server of a vulnerable web application via the pagename parameter to wex/html.php. | 7.5 |
2021-04-07 | CVE-2020-24139 | Wcms | Server-Side Request Forgery (SSRF) vulnerability in Wcms 0.3.2 Server-side request forgery in Wcms 0.3.2 lets an attacker send crafted requests from the back-end server of a vulnerable web application via the path parameter to wex/cssjs.php. | 7.5 |
2021-04-07 | CVE-2021-30177 | Phpnuke | SQL Injection vulnerability in PHPnuke PHP-Nuke 8.3.3 There is a SQL Injection vulnerability in PHP-Nuke 8.3.3 in the User Registration section, leading to remote code execution. | 7.5 |
2021-04-06 | CVE-2020-13421 | Openiam | Unspecified vulnerability in Openiam OpenIAM before 4.2.0.3 has Incorrect Access Control for the Create User, Modify User Permissions, and Password Reset actions. | 7.5 |
2021-04-06 | CVE-2020-13420 | Openiam | Unspecified vulnerability in Openiam OpenIAM before 4.2.0.3 allows remote attackers to execute arbitrary code via Groovy Script. | 7.5 |
2021-04-06 | CVE-2021-29424 | NET Fedoraproject | Incorrect Type Conversion or Cast vulnerability in multiple products The Net::Netmask module before 2.0000 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses. | 7.5 |
2021-04-06 | CVE-2020-23533 | Unionpayintl | Improper Verification of Cryptographic Signature vulnerability in Unionpayintl Union PAY Union Pay up to 1.2.0, for web based versions contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in merchants' websites and mobile apps, via a crafted authentication code (MAC) which is generated based on a secret key which is NULL. | 7.5 |
2021-04-06 | CVE-2021-30130 | Phpseclib Debian | Improper Verification of Cryptographic Signature vulnerability in multiple products phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification. | 7.5 |
2021-04-06 | CVE-2021-27698 | Riot OS | Classic Buffer Overflow vulnerability in Riot-Os Riot 2021.01 RIOT-OS 2021.01 contains a buffer overflow vulnerability in /sys/net/gnrc/routing/rpl/gnrc_rpl_control_messages.c through the _parse_options() function. | 7.5 |
2021-04-06 | CVE-2021-27697 | Riot OS | Classic Buffer Overflow vulnerability in Riot-Os Riot 2021.01 RIOT-OS 2021.01 contains a buffer overflow vulnerability in sys/net/gnrc/routing/rpl/gnrc_rpl_validation.c through the gnrc_rpl_validation_options() function. | 7.5 |
2021-04-06 | CVE-2021-27357 | Riot OS | Classic Buffer Overflow vulnerability in Riot-Os Riot 2021.01 RIOT-OS 2020.01 contains a buffer overflow vulnerability in /sys/net/gnrc/routing/rpl/gnrc_rpl_control_messages.c. | 7.5 |
2021-04-06 | CVE-2021-27343 | Serenityos | Classic Buffer Overflow vulnerability in Serenityos SerenityOS Unspecified is affected by: Buffer Overflow. | 7.5 |
2021-04-06 | CVE-2021-28173 | Deltaflow Project | Unrestricted Upload of File with Dangerous Type vulnerability in Deltaflow Project Deltaflow The file upload function of Vangene deltaFlow E-platform does not perform access controlled properly. | 7.5 |
2021-04-06 | CVE-2021-28171 | Deltaflow Project | Reliance on Cookies without Validation and Integrity Checking vulnerability in Deltaflow Project Deltaflow The Vangene deltaFlow E-platform does not take properly protective measures. | 7.5 |
2021-04-06 | CVE-2021-30164 | Redmine Debian | Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API. | 7.5 |
2021-04-06 | CVE-2021-30149 | Ocproducts | Unrestricted Upload of File with Dangerous Type vulnerability in Ocproducts Composr 10.0.36 Composr 10.0.36 allows upload and execution of PHP files. | 7.5 |
2021-04-05 | CVE-2021-30141 | Friendica | Memory Leak vulnerability in Friendica Module/Settings/UserExport.php in Friendica through 2021.01 allows settings/userexport to be used by anonymous users, as demonstrated by an attempted access to an array offset on a value of type null, and excessive memory consumption. | 7.5 |
2021-04-05 | CVE-2021-20308 | Htmldoc Project Debian | Integer Overflow or Wraparound vulnerability in multiple products Integer overflow in the htmldoc 1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service that is similar to CVE-2017-9181. | 7.5 |
2021-04-05 | CVE-2020-19596 | Coreftp | Classic Buffer Overflow vulnerability in Coreftp Core FTP 1.2 Buffer overflow vulnerability in Core FTP Server v1.2 Build 583, via a crafted username. | 7.5 |
2021-04-05 | CVE-2021-24212 | Woocommerce | Unrestricted Upload of File with Dangerous Type vulnerability in Woocommerce Help Scout The WooCommerce Help Scout WordPress plugin before 2.9.1 (https://woocommerce.com/products/woocommerce-help-scout/) allows unauthenticated users to upload any files to the site which by default will end up in wp-content/uploads/hstmp. | 7.5 |
2021-04-05 | CVE-2021-24175 | Posimyth | Improper Authentication vulnerability in Posimyth the Plus Addons for Elementor The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin. | 7.5 |
2021-04-05 | CVE-2021-24167 | WEB Stat | Information Exposure vulnerability in Web-Stat When visiting a site running Web-Stat < 1.4.0, the "wts_web_stat_load_init" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookup_WP_account. | 7.5 |
2021-04-05 | CVE-2021-24150 | Likebtn Like Button Project | Server-Side Request Forgery (SSRF) vulnerability in Likebtn-Like-Button Project Likebtn-Like-Button The LikeBtn WordPress Like Button Rating ? LikeBtn WordPress plugin before 2.6.32 was vulnerable to Unauthenticated Full-Read Server-Side Request Forgery (SSRF). | 7.5 |
2021-04-09 | CVE-2021-21198 | Google Fedoraproject | Out-of-bounds Read vulnerability in multiple products Out of bounds read in IPC in Google Chrome prior to 89.0.4389.114 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 7.4 |
2021-04-08 | CVE-2021-1308 | Cisco | Memory Leak vulnerability in Cisco products Multiple vulnerabilities exist in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Small Business RV Series Routers. | 7.4 |
2021-04-08 | CVE-2021-1251 | Cisco | Memory Leak vulnerability in Cisco products Multiple vulnerabilities exist in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Small Business RV Series Routers. | 7.4 |
2021-04-09 | CVE-2021-25380 | Samsung | Improper Handling of Exceptional Conditions vulnerability in Samsung Bixby Improper handling of exceptional conditions in Bixby prior to version 3.0.53.02 allows attacker to execute the actions registered by the user. | 7.3 |
2021-04-09 | CVE-2021-25365 | Improper Handling of Exceptional Conditions vulnerability in Google Android An improper exception control in softsimd prior to SMR APR-2021 Release 1 allows unprivileged applications to access the API in softsimd. | 7.2 | |
2021-04-09 | CVE-2021-25361 | Unspecified vulnerability in Google Android 10.0/11.0 An improper access control vulnerability in stickerCenter prior to SMR APR-2021 Release 1 allows local attackers to read or write arbitrary files of system process via untrusted applications. | 7.2 | |
2021-04-09 | CVE-2021-25356 | Incorrect Authorization vulnerability in Google Android An improper caller check vulnerability in Managed Provisioning prior to SMR APR-2021 Release 1 allows unprivileged application to install arbitrary application, grant device admin permission and then delete several installed application. | 7.2 | |
2021-04-09 | CVE-2020-13532 | Dreamreport | Incorrect Default Permissions vulnerability in Dreamreport Dream Report 5R202 A privilege escalation vulnerability exists in Dream Report 5 R20-2. | 7.2 |
2021-04-08 | CVE-2021-30463 | Vestacp | Link Following vulnerability in Vestacp Control Panel VestaCP through 0.9.8-24 allows attackers to gain privileges by creating symlinks to files for which they lack permissions. | 7.2 |
2021-04-08 | CVE-2021-28685 | Asus | Unspecified vulnerability in Asus Gputweak II AsIO2_64.sys and AsIO2_32.sys in ASUS GPUTweak II before 2.3.0.3 allow low-privileged users to interact directly with physical memory (by calling one of several driver routines that map physical memory into the virtual address space of the calling process) and to interact with MSR registers. | 7.2 |
2021-04-07 | CVE-2021-29627 | Freebsd | Use After Free vulnerability in Freebsd In FreeBSD 13.0-STABLE before n245050, 12.2-STABLE before r369525, 13.0-RC4 before p0, and 12.2-RELEASE before p6, listening socket accept filters implementing the accf_create callback incorrectly freed a process supplied argument string. | 7.2 |
2021-04-07 | CVE-2021-1892 | Qualcomm | Improper Input Validation vulnerability in Qualcomm products Memory corruption due to improper input validation while processing IO control which is nonstandard in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Wired Infrastructure and Networking | 7.2 |
2021-04-07 | CVE-2020-11246 | Qualcomm | Double Free vulnerability in Qualcomm products A double free condition can occur when the device moves to suspend mode during secure playback in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | 7.2 |
2021-04-07 | CVE-2020-11245 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products Unintended reads and writes by NS EL2 in access control driver due to lack of check of input validation in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking | 7.2 |
2021-04-07 | CVE-2020-11242 | Qualcomm | Unspecified vulnerability in Qualcomm products User could gain access to secure memory due to incorrect argument into address range validation api used in SDI to capture requested contents in Snapdragon Industrial IOT, Snapdragon Mobile | 7.2 |
2021-04-07 | CVE-2020-11237 | Qualcomm | Improper Input Validation vulnerability in Qualcomm products Memory crash when accessing histogram type KPI input received due to lack of check of histogram definition before accessing it in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile | 7.2 |
2021-04-07 | CVE-2020-11234 | Qualcomm | Use After Free vulnerability in Qualcomm products When sending a socket event message to a user application, invalid information will be passed if socket is freed by other thread resulting in a Use After Free condition in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 7.2 |
2021-04-07 | CVE-2020-11210 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Possible memory corruption in RPM region due to improper XPU configuration in Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking | 7.2 |
2021-04-05 | CVE-2021-24209 | Automattic | Code Injection vulnerability in Automattic WP Super Cache The WP Super Cache WordPress plugin before 1.7.2 was affected by an authenticated (admin+) RCE in the settings page due to input validation failure and weak $cache_path check in the WP Super Cache Settings -> Cache Location option. | 7.2 |
188 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-04-09 | CVE-2020-13534 | Dreamreport | Incorrect Default Permissions vulnerability in Dreamreport Dream Report 5R202 A privilege escalation vulnerability exists in Dream Report 5 R20-2. | 6.8 |
2021-04-08 | CVE-2020-14104 | MI | Race Condition vulnerability in MI Ax3600 Firmware A RACE CONDITION on XQBACKUP causes a decompression path error on Xiaomi router AX3600 with ROM version =1.0.50. | 6.8 |
2021-04-07 | CVE-2021-20687 | Daifukuya | Cross-Site Request Forgery (CSRF) vulnerability in Daifukuya Kagemai 0.8.8 Cross-site request forgery (CSRF) vulnerability in Kagemai 0.8.8 allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 6.8 |
2021-04-07 | CVE-2021-30147 | Dmasoftlab | Cross-Site Request Forgery (CSRF) vulnerability in Dmasoftlab Radius Manager 4.4.0 DMA Softlab Radius Manager 4.4.0 allows CSRF with impacts such as adding new manager accounts via admin.php. | 6.8 |
2021-04-06 | CVE-2021-28209 | Asus | Path Traversal vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (Delete video file function) does not filter the specific parameter. | 6.8 |
2021-04-06 | CVE-2021-28208 | Asus | Path Traversal vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (Get video file function) does not filter the specific parameter. | 6.8 |
2021-04-06 | CVE-2021-28207 | Asus | Path Traversal vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (Get Help file function) does not filter the specific parameter. | 6.8 |
2021-04-06 | CVE-2021-28206 | Asus | Path Traversal vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (Record video file function) does not filter the specific parameter. | 6.8 |
2021-04-06 | CVE-2021-28205 | Asus | Path Traversal vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (Delete SOL video file function) does not filter the specific parameter. | 6.8 |
2021-04-05 | CVE-2021-24162 | Expresstech | Cross-Site Request Forgery (CSRF) vulnerability in Expresstech Responsive Menu In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into importing all new settings. | 6.8 |
2021-04-05 | CVE-2021-24161 | Expresstech | Cross-Site Request Forgery (CSRF) vulnerability in Expresstech Responsive Menu In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into uploading a zip archive containing malicious PHP files. | 6.8 |
2021-04-05 | CVE-2021-29996 | Marktext | Cross-site Scripting vulnerability in Marktext Mark Text through 0.16.3 allows attackers arbitrary command execution. | 6.8 |
2021-04-05 | CVE-2021-29261 | Svelte | Unspecified vulnerability in Svelte The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration. | 6.8 |
2021-04-05 | CVE-2021-28832 | VIM Project | Unspecified vulnerability in VIM Project VIM VSCodeVim before 1.19.0 allows attackers to execute arbitrary code via a crafted workspace configuration. | 6.8 |
2021-04-09 | CVE-2021-20022 | Sonicwall | Unrestricted Upload of File with Dangerous Type vulnerability in Sonicwall Email Security and Hosted Email Security SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to upload an arbitrary file to the remote host. | 6.5 |
2021-04-09 | CVE-2021-25328 | Skyworthdigital | Classic Buffer Overflow vulnerability in Skyworthdigital Rn510 Firmware 3.1.0.4 Skyworth Digital Technology RN510 V.3.1.0.4 RN510 V.3.1.0.4 contains a buffer overflow vulnerability in /cgi-bin/app-staticIP.asp. | 6.5 |
2021-04-08 | CVE-2021-3482 | Exiv2 Redhat Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products A flaw was found in Exiv2 in versions before and including 0.27.4-RC1. | 6.5 |
2021-04-08 | CVE-2021-3413 | Theforeman Redhat | Information Exposure vulnerability in multiple products A flaw was found in Red Hat Satellite in tfm-rubygem-foreman_azure_rm in versions before 2.2.0. | 6.5 |
2021-04-08 | CVE-2021-22513 | Microfocus | Missing Authorization vulnerability in Microfocus Application Automation Tools Missing Authorization vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. | 6.5 |
2021-04-08 | CVE-2021-22512 | Microfocus | Cross-Site Request Forgery (CSRF) vulnerability in Microfocus Application Automation Tools Cross-Site Request Forgery (CSRF) vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. | 6.5 |
2021-04-08 | CVE-2021-22511 | Microfocus | Improper Certificate Validation vulnerability in Microfocus Application Automation Tools Improper Certificate Validation vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. | 6.5 |
2021-04-08 | CVE-2021-27522 | Learnsite Project | Improper Authentication vulnerability in Learnsite Project Learnsite 1.2.5.0 Learnsite 1.2.5.0 contains a remote privilege escalation vulnerability in /Manager/index.aspx through the JudgIsAdmin() function. | 6.5 |
2021-04-07 | CVE-2021-29641 | Rangerstudio | Unrestricted Upload of File with Dangerous Type vulnerability in Rangerstudio Directus Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. | 6.5 |
2021-04-06 | CVE-2021-22158 | Proofpoint | XXE vulnerability in Proofpoint Insider Threat Management The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is vulnerable to XML external entity (XXE) injection in the Web Console. | 6.5 |
2021-04-06 | CVE-2021-28142 | Citsmart | SQL Injection vulnerability in Citsmart CITSmart before 9.1.2.28 mishandles the "filtro de autocomplete." | 6.5 |
2021-04-06 | CVE-2021-28204 | Asus | OS Command Injection vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (Modify user’s information function) does not filter the specific parameter. | 6.5 |
2021-04-06 | CVE-2021-28203 | Asus | OS Command Injection vulnerability in Asus products The Web Set Media Image function in ASUS BMC’s firmware Web management page does not filter the specific parameter. | 6.5 |
2021-04-05 | CVE-2021-24184 | Themeum | Missing Authorization vulnerability in Themeum Tutor LMS Several AJAX endpoints in the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 were unprotected, allowing students to modify course information and elevate their privileges among many other actions. | 6.5 |
2021-04-05 | CVE-2021-24181 | Themeum | SQL Injection vulnerability in Themeum Tutor LMS The tutor_mark_answer_as_correct AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploited by students. | 6.5 |
2021-04-05 | CVE-2021-24160 | Expresstech | Unrestricted Upload of File with Dangerous Type vulnerability in Expresstech Responsive Menu In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, subscribers could upload zip archives containing malicious PHP files that would get extracted to the /rmp-menu/ directory. | 6.5 |
2021-04-05 | CVE-2021-24155 | Backup Guard | Unrestricted Upload of File with Dangerous Type vulnerability in Backup-Guard Backup Guard The WordPress Backup and Migrate Plugin – Backup Guard WordPress plugin before 1.6.0 did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE. | 6.5 |
2021-04-05 | CVE-2021-30055 | ENG | SQL Injection vulnerability in ENG Knowage A SQL injection vulnerability in Knowage Suite version 7.1 exists in the documentexecution/url analytics driver component via the 'par_year' parameter when running a report. | 6.5 |
2021-04-07 | CVE-2021-30246 | Jsrsasign Project | Improper Verification of Cryptographic Signature vulnerability in Jsrsasign Project Jsrsasign In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid. | 6.4 |
2021-04-08 | CVE-2021-1415 | Cisco | Deserialization of Untrusted Data vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code with elevated privileges equivalent to the web service process on an affected device. | 6.3 |
2021-04-08 | CVE-2021-1414 | Cisco | Deserialization of Untrusted Data vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code with elevated privileges equivalent to the web service process on an affected device. | 6.3 |
2021-04-08 | CVE-2021-1413 | Cisco | Deserialization of Untrusted Data vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code with elevated privileges equivalent to the web service process on an affected device. | 6.3 |
2021-04-07 | CVE-2020-25584 | Freebsd | Race Condition vulnerability in Freebsd In FreeBSD 13.0-STABLE before n245118, 12.2-STABLE before r369552, 11.4-STABLE before r369560, 13.0-RC5 before p1, 12.2-RELEASE before p6, and 11.4-RELEASE before p9, a superuser inside a FreeBSD jail configured with the non-default allow.mount permission could cause a race condition between the lookup of ".." and remounting a filesystem, allowing access to filesystem hierarchy outside of the jail. | 6.2 |
2021-04-08 | CVE-2021-22510 | Microfocus | Cross-site Scripting vulnerability in Microfocus Application Automation Tools Reflected XSS vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. | 6.1 |
2021-04-08 | CVE-2021-1463 | Cisco | Cross-site Scripting vulnerability in Cisco products A vulnerability in the web-based management interface of Cisco Unified Intelligence Center Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. | 6.1 |
2021-04-08 | CVE-2021-1409 | Cisco | Cross-site Scripting vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an interface user. | 6.1 |
2021-04-08 | CVE-2021-1408 | Cisco | Cross-site Scripting vulnerability in Cisco Unified Communications Manager Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an interface user. | 6.1 |
2021-04-08 | CVE-2021-1407 | Cisco | Cross-site Scripting vulnerability in Cisco Unified Communications Manager Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an interface user. | 6.1 |
2021-04-08 | CVE-2021-1380 | Cisco | Cross-site Scripting vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an interface user. | 6.1 |
2021-04-06 | CVE-2021-30157 | Mediawiki Debian Fedoraproject | Cross-site Scripting vulnerability in multiple products An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. | 6.1 |
2021-04-06 | CVE-2021-30154 | Mediawiki Debian Fedoraproject | Cross-site Scripting vulnerability in multiple products An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. | 6.1 |
2021-04-06 | CVE-2021-30151 | Contribsys Debian | Cross-site Scripting vulnerability in multiple products Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. | 6.1 |
2021-04-05 | CVE-2020-17453 | Wso2 | Cross-site Scripting vulnerability in Wso2 products WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter. | 6.1 |
2021-04-10 | CVE-2021-30481 | Valvesoftware | Classic Buffer Overflow vulnerability in Valvesoftware Steam Client Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click. | 6.0 |
2021-04-07 | CVE-2021-20692 | Eikisoft | Path Traversal vulnerability in Eikisoft Archive Collectively Operation Utility Directory traversal vulnerability in Archive collectively operation utility Ver.2.10.1.0 and earlier allows an attacker to create or overwrite files by leading a user to expand a malicious ZIP archives. | 5.8 |
2021-04-06 | CVE-2021-27899 | Proofpoint | Improper Certificate Validation vulnerability in Proofpoint Insider Threat Management The Proofpoint Insider Threat Management Agents (formerly ObserveIT Agent) for MacOS and Linux perform improper validation of the ITM Server's certificate, which enables a remote attacker to intercept and alter these communications using a man-in-the-middle attack. | 5.8 |
2021-04-05 | CVE-2021-24210 | Kiboit | Open Redirect vulnerability in Kiboit Phastpress There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page with the plugin and then redirect the victim to a malicious page. | 5.8 |
2021-04-05 | CVE-2021-24174 | Database Backups Project | Cross-Site Request Forgery (CSRF) vulnerability in Database-Backups Project Database-Backups 1.2.2.6 The Database Backups WordPress plugin through 1.2.2.6 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the database, change the plugin's settings and delete backups. | 5.8 |
2021-04-05 | CVE-2021-24166 | Ninjaforms | Cross-Site Request Forgery (CSRF) vulnerability in Ninjaforms Ninja Forms The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection. | 5.8 |
2021-04-05 | CVE-2021-24165 | Ninjaforms | Open Redirect vulnerability in Ninjaforms Ninja Forms In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place. | 5.8 |
2021-04-07 | CVE-2021-30178 | Linux Fedoraproject | NULL Pointer Dereference vulnerability in multiple products An issue was discovered in the Linux kernel through 5.11.11. | 5.5 |
2021-04-06 | CVE-2021-27900 | Proofpoint | Missing Authorization vulnerability in Proofpoint Insider Threat Management The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is missing an authorization check on several pages in the Web Console. | 5.5 |
2021-04-06 | CVE-2021-21423 | Projen Project | Exposure of CVS Repository to an Unauthorized Control Sphere vulnerability in Projen Project Projen `projen` is a project generation tool that synthesizes project configuration files such as `package.json`, `tsconfig.json`, `.gitignore`, GitHub Workflows, `eslint`, `jest`, and more, from a well-typed definition written in JavaScript. | 5.5 |
2021-04-09 | CVE-2021-25326 | Skyworthdigital | Cross-Site Request Forgery (CSRF) vulnerability in Skyworthdigital Rn510 Firmware 3.1.0.4 Skyworth Digital Technology RN510 V.3.1.0.4 is affected by an incorrect access control vulnerability in/cgi-bin/test_version.asp. | 5.4 |
2021-04-06 | CVE-2021-30140 | Liquidfiles | Cross-site Scripting vulnerability in Liquidfiles 3.4.15 LiquidFiles 3.4.15 has stored XSS through the "send email" functionality when sending a file via email to an administrator. | 5.4 |
2021-04-05 | CVE-2021-24201 | Elementor | Cross-site Scripting vulnerability in Elementor Website Builder In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘html_tag’ parameter. | 5.4 |
2021-04-05 | CVE-2021-24196 | CM WP | Cross-site Scripting vulnerability in Cm-Wp Social Slider Widget The Social Slider Widget WordPress plugin before 1.8.5 allowed Authenticated Reflected XSS in the plugin settings page as the ‘token_error’ parameter can be controlled by users and it is directly echoed without being sanitized | 5.4 |
2021-04-11 | CVE-2021-28876 | Rust Lang Fedoraproject | Improper Handling of Exceptional Conditions vulnerability in multiple products In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. | 5.3 |
2021-04-06 | CVE-2021-28658 | Djangoproject Debian Fedoraproject | Path Traversal vulnerability in multiple products In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. | 5.3 |
2021-04-06 | CVE-2021-30158 | Mediawiki Debian Fedoraproject | Improper Authentication vulnerability in multiple products An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. | 5.3 |
2021-04-11 | CVE-2020-36317 | Rust Lang | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Rust-Lang Rust In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. | 5.0 |
2021-04-09 | CVE-2021-25378 | Samsung | Unspecified vulnerability in Samsung Smartthings Improper access control of certain port in SmartThings prior to version 1.7.63.6 allows remote temporary denial of service. | 5.0 |
2021-04-09 | CVE-2021-25376 | Samsung | Improper Synchronization vulnerability in Samsung Email An improper synchronization logic in Samsung Email prior to version 6.1.41.0 can leak messages in certain mailbox in plain text when STARTTLS negotiation is failed. | 5.0 |
2021-04-09 | CVE-2021-25374 | Samsung | Unspecified vulnerability in Samsung Members 2.4.81.13/3.9.10.11/4.2.005 An improper authorization vulnerability in Samsung Members "samsungrewards" scheme for deeplink in versions 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above allows remote attackers to access a user data related with Samsung Account. | 5.0 |
2021-04-09 | CVE-2020-36287 | Atlassian | Missing Authorization vulnerability in Atlassian products The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check. | 5.0 |
2021-04-08 | CVE-2020-6590 | Forcepoint | XXE vulnerability in Forcepoint products Forcepoint Web Security Content Gateway versions prior to 8.5.4 improperly process XML input, leading to information disclosure. | 5.0 |
2021-04-08 | CVE-2021-3328 | Aprelium | Out-of-bounds Read vulnerability in Aprelium Abyss web Server X1 2.12.1/2.14 An issue was discovered in Aprelium Abyss Web Server X1 2.12.1 and 2.14. | 5.0 |
2021-04-08 | CVE-2020-14099 | MI | Use of Hard-coded Credentials vulnerability in MI Ax1800 Firmware and Rm1800 Firmware On Xiaomi router AX1800 rom version < 1.0.336 and RM1800 root version < 1.0.26, the encryption scheme for a user's backup files uses hard-coded keys, which can expose sensitive information such as a user's password. | 5.0 |
2021-04-08 | CVE-2021-1405 | Clamav Debian | Missing Initialization of Resource vulnerability in multiple products A vulnerability in the email parsing module in Clam AntiVirus (ClamAV) Software version 0.103.1 and all prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. | 5.0 |
2021-04-08 | CVE-2021-1404 | Clamav | Out-of-bounds Read vulnerability in Clamav 0.103.0/0.103.1 A vulnerability in the PDF parsing module in Clam AntiVirus (ClamAV) Software versions 0.103.0 and 0.103.1 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. | 5.0 |
2021-04-07 | CVE-2020-36315 | Relic Project | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Relic Project Relic In RELIC before 2020-08-01, RSA PKCS#1 v1.5 signature forgery can occur because certain checks of the padding (and of the first two bytes) are inadequate. | 5.0 |
2021-04-07 | CVE-2020-24137 | Wcms | Path Traversal vulnerability in Wcms 0.3.2 Directory traversal vulnerability in Wcms 0.3.2 allows an attacker to read arbitrary files on the server that is running an application via the path parameter to wex/cssjs.php. | 5.0 |
2021-04-07 | CVE-2021-30185 | Cern | Unspecified vulnerability in Cern Indico CERN Indico before 2.3.4 can use an attacker-supplied Host header in a password reset link. | 5.0 |
2021-04-06 | CVE-2020-13419 | Openiam | Path Traversal vulnerability in Openiam OpenIAM before 4.2.0.3 allows Directory Traversal in the Batch task. | 5.0 |
2021-04-06 | CVE-2021-21404 | Syncthing | Improper Input Validation vulnerability in Syncthing Syncthing is a continuous file synchronization program. | 5.0 |
2021-04-06 | CVE-2020-36309 | Openresty | Unspecified vulnerability in Openresty Lua-Nginx-Module ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe characters in an argument when using the API to mutate a URI, or a request or response header. | 5.0 |
2021-04-06 | CVE-2021-24027 | Unspecified vulnerability in Whatsapp and Whatsapp Business A cache configuration issue prior to WhatsApp for Android v2.21.4.18 and WhatsApp Business for Android v2.21.4.18 may have allowed a third party with access to the device’s external storage to read cached TLS material. | 5.0 | |
2021-04-06 | CVE-2020-36285 | Unionpayintl | Improper Verification of Cryptographic Signature vulnerability in Unionpayintl Union PAY Union Pay up to 3.3.12, for iOS mobile apps, contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in merchants' websites and mobile apps, via a crafted authentication code (MAC) which is generated based on a secret key which is NULL. | 5.0 |
2021-04-06 | CVE-2020-36284 | Unionpayintl | Improper Verification of Cryptographic Signature vulnerability in Unionpayintl Union PAY Union Pay up to 3.4.93.4.9, for android, contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in merchants' websites and mobile apps, via a crafted authentication code (MAC) which is generated based on a secret key which is NULL. | 5.0 |
2021-04-06 | CVE-2021-28075 | Ikuai8 | Unspecified vulnerability in Ikuai8 Ikuaios 3.4.8 iKuaiOS 3.4.8 Build 202012291059 has an arbitrary file download vulnerability, which can be exploited by attackers to obtain sensitive information. | 5.0 |
2021-04-06 | CVE-2021-28172 | Deltaflow Project | Path Traversal vulnerability in Deltaflow Project Deltaflow There is a Path Traversal vulnerability in the file download function of Vangene deltaFlow E-platform. | 5.0 |
2021-04-06 | CVE-2021-30163 | Redmine Debian | Information Exposure vulnerability in multiple products Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values. | 5.0 |
2021-04-06 | CVE-2020-36308 | Redmine Debian | Injection vulnerability in multiple products Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading time entries. | 5.0 |
2021-04-06 | CVE-2019-25026 | Redmine Debian | Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting. | 5.0 |
2021-04-05 | CVE-2020-19595 | Coreftp | Classic Buffer Overflow vulnerability in Coreftp Core FTP 2.0 Buffer overflow vulnerability in Core FTP Server v2 Build 697, via a crafted username. | 5.0 |
2021-04-05 | CVE-2021-24170 | Cozmoslabs | Information Exposure vulnerability in Cozmoslabs User Profile Picture The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. | 5.0 |
2021-04-08 | CVE-2021-1406 | Cisco | Information Exposure vulnerability in Cisco Unified Communications Manager A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to access sensitive information on an affected device. | 4.9 |
2021-04-08 | CVE-2021-1420 | Cisco | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Cisco Webex Meetings A vulnerability in certain web pages of Cisco Webex Meetings could allow an unauthenticated, remote attacker to modify a web page in the context of a user's browser. | 4.7 |
2021-04-07 | CVE-2020-11252 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Trustzone initialization code will disable xPU`s when memory dumps are enabled and lead to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 4.7 |
2021-04-09 | CVE-2021-25381 | Samsung | Incorrect Default Permissions vulnerability in Samsung Account 10.8.0.4/12.1.1.3 Using unsafe PendingIntent in Samsung Account in versions 10.8.0.4 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0) and above allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent. | 4.6 |
2021-04-09 | CVE-2021-25373 | Samsung | Unspecified vulnerability in Samsung Customization Service Using unsafe PendingIntent in Customization Service prior to version 2.2.02.1 in Android O(8.x), 2.4.03.0 in Android P(9.0), 2.7.02.1 in Android Q(10.0) and 2.9.01.1 in Android R(11.0) allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent. | 4.6 |
2021-04-08 | CVE-2021-3146 | Dolby | Untrusted Search Path vulnerability in Dolby Audio X2 The Dolby Audio X2 (DAX2) API service before 0.8.8.90 on Windows allows local users to gain privileges. | 4.6 |
2021-04-07 | CVE-2021-28927 | Libretro | Command Injection vulnerability in Libretro Retroarch 1.9.0/1.9.1 The text-to-speech engine in libretro RetroArch for Windows 1.9.0 passes unsanitized input to PowerShell through platform_win32.c via the accessibility_speak_windows function, which allows attackers who have write access on filesystems that are used by RetroArch to execute code via command injection using specially a crafted file and directory names. | 4.6 |
2021-04-07 | CVE-2020-11231 | Qualcomm | Double Free vulnerability in Qualcomm products Two threads call one or both functions concurrently leading to corruption of pointers and reference counters which in turn can lead to heap corruption in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | 4.6 |
2021-04-07 | CVE-2020-36313 | Linux | Use After Free vulnerability in Linux Kernel An issue was discovered in the Linux kernel before 5.7. | 4.6 |
2021-04-06 | CVE-2021-20334 | Mongodb | Improper Privilege Management vulnerability in Mongodb Compass A malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. | 4.6 |
2021-04-09 | CVE-2020-13533 | Dreamreport | Incorrect Default Permissions vulnerability in Dreamreport Dream Report 5R202 A privilege escalation vulnerability exists in Dream Report 5 R20-2. | 4.4 |
2021-04-11 | CVE-2021-30485 | Ezxml Project Debian | NULL Pointer Dereference vulnerability in multiple products An issue was discovered in libezxml.a in ezXML 0.8.6. | 4.3 |
2021-04-09 | CVE-2021-25375 | Samsung | Use of Insufficiently Random Values vulnerability in Samsung Email Using predictable index for attachments in Samsung Email prior to version 6.1.41.0 allows remote attackers to get attachments of another emails when users open the malicious attachment. | 4.3 |
2021-04-09 | CVE-2021-20080 | Zohocorp | Cross-site Scripting vulnerability in Zohocorp Manageengine Servicedesk Plus 8.1/8.2/9.0 Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file. | 4.3 |
2021-04-09 | CVE-2020-23761 | Intelliants | Cross-site Scripting vulnerability in Intelliants Subrion Cross Site Scripting (XSS) vulnerability in subrion CMS Version <= 4.2.1 allows remote attackers to execute arbitrary web script via the "payment gateway" column on transactions tab. | 4.3 |
2021-04-09 | CVE-2021-25327 | Skyworthdigital | Cross-site Scripting vulnerability in Skyworthdigital Rn510 Firmware 3.1.0.4 Skyworth Digital Technology RN510 V.3.1.0.4 contains a cross-site request forgery (CSRF) vulnerability in /cgi-bin/net-routeadd.asp and /cgi-bin/sec-urlfilter.asp. | 4.3 |
2021-04-09 | CVE-2021-30458 | Wikimedia | Cross-site Scripting vulnerability in Wikimedia Parsoid An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.12.2. | 4.3 |
2021-04-09 | CVE-2021-30159 | Mediawiki Debian Fedoraproject | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. | 4.3 |
2021-04-09 | CVE-2021-30156 | Mediawiki Fedoraproject | Information Exposure vulnerability in multiple products An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. | 4.3 |
2021-04-09 | CVE-2021-30155 | Mediawiki Debian Fedoraproject | Missing Authorization vulnerability in multiple products An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. | 4.3 |
2021-04-09 | CVE-2021-30152 | Mediawiki Debian Fedoraproject | Improper Privilege Management vulnerability in multiple products An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. | 4.3 |
2021-04-08 | CVE-2020-14106 | MI | Incorrect Authorization vulnerability in MI Miui The application in the mobile phone can unauthorized access to the list of running processes in the mobile phone, Xiaomi Mobile Phone MIUI < 2021.01.26. | 4.3 |
2021-04-08 | CVE-2020-14103 | MI | Unspecified vulnerability in MI Miui The application in the mobile phone can read the SNO information of the device, Xiaomi 10 MIUI < 2020.01.15. | 4.3 |
2021-04-08 | CVE-2021-27945 | Squirro | Cross-site Scripting vulnerability in Squirro The Squirro Insights Engine was affected by a Reflected Cross-Site Scripting (XSS) vulnerability affecting versions 2.0.0 up to and including 3.2.4. | 4.3 |
2021-04-08 | CVE-2021-28924 | Nagios | Cross-site Scripting vulnerability in Nagios Network Analyzer Self Authenticated XSS in Nagios Network Analyzer before 2.4.2 via the nagiosna/groups/queries page. | 4.3 |
2021-04-08 | CVE-2021-30114 | WEB School | Cross-Site Request Forgery (CSRF) vulnerability in Web-School Enterprise Resource Planning 5.0 Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a voucher payment request through module/accounting/voucher/create. | 4.3 |
2021-04-08 | CVE-2021-30113 | WEB School | Cross-site Scripting vulnerability in Web-School Enterprise Resource Planning 5.0 A blind XSS vulnerability exists in Web-School ERP V 5.0 via (Add Events) in event name and description fields. | 4.3 |
2021-04-08 | CVE-2021-30112 | WEB School | Cross-Site Request Forgery (CSRF) vulnerability in Web-School Enterprise Resource Planning 5.0 Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a student_leave_application request through module/core/studentleaveapplication/create. | 4.3 |
2021-04-08 | CVE-2021-1467 | Cisco | Unspecified vulnerability in Cisco Webex Meetings A vulnerability in Cisco Webex Meetings for Android could allow an authenticated, remote attacker to modify the avatar of another user. | 4.3 |
2021-04-08 | CVE-2021-1399 | Cisco | Authentication Bypass by Assumed-Immutable Data vulnerability in Cisco Unified Communications Manager A vulnerability in the Self Care Portal of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to modify data on an affected system without proper authorization. | 4.3 |
2021-04-07 | CVE-2020-36316 | Relic Project | Classic Buffer Overflow vulnerability in Relic Project Relic In RELIC before 2021-04-03, there is a buffer overflow in PKCS#1 v1.5 signature verification because garbage bytes can be present. | 4.3 |
2021-04-07 | CVE-2013-1054 | Canonical | Improper Resource Shutdown or Release vulnerability in Canonical Ubuntu Linux and Unity-Firefox-Extension The unity-firefox-extension package could be tricked into destroying the Unity webapps context, causing Firefox to crash. | 4.3 |
2021-04-07 | CVE-2020-24135 | Wcms | Cross-site Scripting vulnerability in Wcms 0.3.2 A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Wcms 0.3.2, which allows remote attackers to inject arbitrary web script and HTML via the type parameter to wex/cssjs.php. | 4.3 |
2021-04-07 | CVE-2020-24138 | Wcms | Cross-site Scripting vulnerability in Wcms 0.3.2 Cross Site Scripting (XSS) vulnerability in wcms 0.3.2 allows remote attackers to inject arbitrary web script and HTML via the pagename parameter to wex/html.php. | 4.3 |
2021-04-07 | CVE-2021-21641 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Promoted Builds A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin 3.9 and earlier allows attackers to to promote builds. | 4.3 |
2021-04-07 | CVE-2021-21640 | Jenkins | Unspecified vulnerability in Jenkins Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names. | 4.3 |
2021-04-07 | CVE-2021-21639 | Jenkins | Unspecified vulnerability in Jenkins Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type. | 4.3 |
2021-04-07 | CVE-2021-20691 | Yomi Search Project | Cross-site Scripting vulnerability in Yomi-Search Project Yomi-Search 4.22 Cross-site scripting vulnerability in Yomi-Search Ver4.22 allows remote attackers to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-04-07 | CVE-2021-20690 | Yomi Search Project | Cross-site Scripting vulnerability in Yomi-Search Project Yomi-Search 4.22 Cross-site scripting vulnerability in Yomi-Search Ver4.22 allows remote attackers to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-04-07 | CVE-2021-20689 | Yomi Search Project | Cross-site Scripting vulnerability in Yomi-Search Project Yomi-Search 4.22 Cross-site scripting vulnerability in Yomi-Search Ver4.22 allows remote attackers to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-04-07 | CVE-2021-20688 | Click Ranker | Cross-site Scripting vulnerability in Click-Ranker Click Ranker 3.5 Cross-site scripting vulnerability in Click Ranker Ver.3.5 allows remote attackers to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-04-07 | CVE-2021-20686 | Daifukuya | Cross-site Scripting vulnerability in Daifukuya Kagemai 0.8.8 Cross-site scripting vulnerability in Kagemai 0.8.8 allows remote attackers to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-04-07 | CVE-2021-20685 | Daifukuya | Cross-site Scripting vulnerability in Daifukuya Kagemai 0.8.8 Cross-site scripting vulnerability in Kagemai 0.8.8 allows remote attackers to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-04-07 | CVE-2021-20684 | Magazinegerz Project | Cross-site Scripting vulnerability in Magazinegerz Project Magazinegerz 1.01 Cross-site scripting vulnerability in MagazinegerZ v.1.01 allows remote attackers to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-04-06 | CVE-2021-22157 | Proofpoint | Cross-site Scripting vulnerability in Proofpoint Insider Threat Management Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.11.1 allows stored XSS. | 4.3 |
2021-04-06 | CVE-2020-13418 | Openiam | Cross-site Scripting vulnerability in Openiam OpenIAM before 4.2.0.3 allows XSS in the Add New User feature. | 4.3 |
2021-04-06 | CVE-2021-26833 | Timelybills | Cleartext Storage of Sensitive Information vulnerability in Timelybills 1.21.115/1.7.0 Cleartext Storage in a File or on Disk in TimelyBills <= 1.7.0 for iOS and versions <= 1.21.115 for Android allows attacker who can locally read user's files obtain JWT tokens for user's account due to insufficient cache clearing mechanisms. | 4.3 |
2021-04-06 | CVE-2021-30046 | Vigra Computer Vision Library Project | Improper Handling of Exceptional Conditions vulnerability in Vigra Computer Vision Library Project Vigra Computer Vision Library 1.11.1 VIGRA Computer Vision Library Version-1-11-1 contains a segmentation fault vulnerability in the impex.hxx read_image_band() function, in which a crafted file can cause a denial of service. | 4.3 |
2021-04-06 | CVE-2020-36307 | Redmine Debian | Cross-site Scripting vulnerability in multiple products Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via textile inline links. | 4.3 |
2021-04-06 | CVE-2020-36306 | Redmine Debian | Cross-site Scripting vulnerability in multiple products Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url field. | 4.3 |
2021-04-06 | CVE-2021-30150 | Ocproducts | Cross-site Scripting vulnerability in Ocproducts Composr 10.0.36 Composr 10.0.36 allows XSS in an XML script. | 4.3 |
2021-04-06 | CVE-2021-30144 | Glpi Project | Forced Browsing vulnerability in Glpi-Project Dashboard The Dashboard plugin through 1.0.2 for GLPI allows remote low-privileged users to bypass access control on viewing information about the last ten events, the connected users, and the users in the tech category. | 4.3 |
2021-04-05 | CVE-2021-24173 | VM Backups Project | Cross-Site Request Forgery (CSRF) vulnerability in VM Backups Project VM Backups The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as update the plugin's options, leading to a Stored Cross-Site Scripting issue. | 4.3 |
2021-04-05 | CVE-2021-24172 | VM Backups Project | Cross-Site Request Forgery (CSRF) vulnerability in VM Backups Project VM Backups The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the DB, plugins, and current . | 4.3 |
2021-04-05 | CVE-2021-24169 | Algolplus | Cross-site Scripting vulnerability in Algolplus Advanced Order Export This Advanced Order Export For WooCommerce WordPress plugin before 3.1.8 helps you to easily export WooCommerce order data. | 4.3 |
2021-04-05 | CVE-2021-24152 | Sygnoos | Cross-site Scripting vulnerability in Sygnoos Popup Builder The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting. | 4.3 |
2021-04-05 | CVE-2021-30109 | Froala | Cross-site Scripting vulnerability in Froala Editor 3.2.6 Froala Editor 3.2.6 is affected by Cross Site Scripting (XSS). | 4.3 |
2021-04-05 | CVE-2021-30058 | ENG | Cross-site Scripting vulnerability in ENG Knowage Knowage Suite before 7.4 is vulnerable to cross-site scripting (XSS). | 4.3 |
2021-04-08 | CVE-2021-1475 | Cisco | Improper Neutralization of Formula Elements in a CSV File vulnerability in Cisco Umbrella Multiple vulnerabilities in the Admin audit log export feature and Scheduled Reports feature of Cisco Umbrella could allow an authenticated, remote attacker to perform formula and link injection attacks on an affected device. | 4.1 |
2021-04-08 | CVE-2021-3448 | Thekelleys Redhat Fedoraproject Oracle | A flaw was found in dnsmasq in versions before 2.85. | 4.0 |
2021-04-08 | CVE-2021-22115 | Cloudfoundry | Insufficiently Protected Credentials vulnerability in Cloudfoundry Capi-Release Cloud Controller API versions prior to 1.106.0 logs service broker credentials if the default value of db logging config field is changed. | 4.0 |
2021-04-08 | CVE-2021-20480 | IBM | Server-Side Request Forgery (SSRF) vulnerability in IBM Websphere Application Server IBM WebSphere Application Server 7.0, 8.0, and 8.5 is vulnerable to server-side request forgery (SSRF). | 4.0 |
2021-04-07 | CVE-2021-28166 | Eclipse | NULL Pointer Dereference vulnerability in Eclipse Mosquitto In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL pointer dereference would occur. | 4.0 |
2021-04-06 | CVE-2021-28202 | Asus | Classic Buffer Overflow vulnerability in Asus products The Service configuration-2 function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28201 | Asus | Classic Buffer Overflow vulnerability in Asus products The Service configuration-1 function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28200 | Asus | Classic Buffer Overflow vulnerability in Asus products The CD media configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28199 | Asus | Classic Buffer Overflow vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (Modify user’s information function) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28198 | Asus | Classic Buffer Overflow vulnerability in Asus products The Firmware protocol configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28197 | Asus | Classic Buffer Overflow vulnerability in Asus products The Active Directory configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28196 | Asus | Classic Buffer Overflow vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (Generate SSL certificate function) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28195 | Asus | Classic Buffer Overflow vulnerability in Asus products The Radius configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28194 | Asus | Classic Buffer Overflow vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (Remote image configuration setting) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28193 | Asus | Classic Buffer Overflow vulnerability in Asus products The SMTP configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28192 | Asus | Classic Buffer Overflow vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (Remote video storage function) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28191 | Asus | Classic Buffer Overflow vulnerability in Asus products The Firmware update function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28190 | Asus | Classic Buffer Overflow vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (Generate new certificate function) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28189 | Asus | Classic Buffer Overflow vulnerability in Asus products The SMTP configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28188 | Asus | Classic Buffer Overflow vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (Modify user’s information function) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28187 | Asus | Classic Buffer Overflow vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (Generate new SSL certificate) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28186 | Asus | Classic Buffer Overflow vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (ActiveX configuration-2 acquisition) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28185 | Asus | Classic Buffer Overflow vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (ActiveX configuration-1 acquisition) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28184 | Asus | Classic Buffer Overflow vulnerability in Asus products The Active Directory configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28183 | Asus | Classic Buffer Overflow vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (Web License configuration setting) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28182 | Asus | Classic Buffer Overflow vulnerability in Asus products The Web Service configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28181 | Asus | Classic Buffer Overflow vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (Remote video configuration setting) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28180 | Asus | Classic Buffer Overflow vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (Audit log configuration setting) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28179 | Asus | Classic Buffer Overflow vulnerability in Asus products The specific function in ASUS BMC’s firmware Web management page (Media support configuration setting) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28178 | Asus | Classic Buffer Overflow vulnerability in Asus products The UEFI configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28177 | Asus | Classic Buffer Overflow vulnerability in Asus products The LDAP configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28176 | Asus | Classic Buffer Overflow vulnerability in Asus products The DNS configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-06 | CVE-2021-28175 | Asus | Classic Buffer Overflow vulnerability in Asus products The Radius configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. | 4.0 |
2021-04-05 | CVE-2021-24207 | Themeum | Improper Privilege Management vulnerability in Themeum WP Page Builder By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages. | 4.0 |
2021-04-05 | CVE-2021-24186 | Themeum | SQL Injection vulnerability in Themeum Tutor LMS The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students. | 4.0 |
2021-04-05 | CVE-2021-24185 | Themeum | SQL Injection vulnerability in Themeum Tutor LMS The tutor_place_rating AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploited by students. | 4.0 |
2021-04-05 | CVE-2021-24183 | Themeum | SQL Injection vulnerability in Themeum Tutor LMS The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students. | 4.0 |
2021-04-05 | CVE-2021-24182 | Themeum | SQL Injection vulnerability in Themeum Tutor LMS The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students. | 4.0 |
2021-04-05 | CVE-2021-24164 | Ninjaforms | Missing Authorization vulnerability in Ninjaforms Ninja Forms In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wp_ajax_nf_oauth, and retrieve the connection url needed to establish a connection. | 4.0 |
2021-04-05 | CVE-2021-24154 | Themeeditor | Files or Directories Accessible to External Parties vulnerability in Themeeditor Theme Editor The Theme Editor WordPress plugin before 2.6 did not validate the GET file parameter before passing it to the download_file() function, allowing administrators to download arbitrary files on the web server, such as /etc/passwd | 4.0 |
44 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-04-07 | CVE-2020-36314 | Gnome Fedoraproject | Link Following vulnerability in multiple products fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used by GNOME Shell and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. | 3.9 |
2021-04-09 | CVE-2021-25363 | Improper Privilege Management vulnerability in Google Android An improper access control in ActivityManagerService prior to SMR APR-2021 Release 1 allows untrusted applications to access running processesdelete some local files. | 3.6 | |
2021-04-09 | CVE-2021-25362 | Improper Privilege Management vulnerability in Google Android 10.0/8.1/9.0 An improper permission management in CertInstaller prior to SMR APR-2021 Release 1 allows untrusted applications to delete certain local files. | 3.6 | |
2021-04-06 | CVE-2021-30162 | Unspecified vulnerability in Google Android An issue was discovered on LG mobile devices with Android OS 4.4 through 11 software. | 3.6 | |
2021-04-09 | CVE-2021-21432 | GO Vela | Missing Authorization vulnerability in Go-Vela Vela Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. | 3.5 |
2021-04-09 | CVE-2020-23762 | Larsens Calendar Project | Cross-site Scripting vulnerability in Larsens Calendar Project Larsens Calendar Cross Site Scripting (XSS) vulnerability in the Larsens Calender plugin Version <= 1.2 for WordPress allows remote attackers to execute arbitrary web script via the "titel" column on the "Eintrage hinzufugen" tab. | 3.5 |
2021-04-08 | CVE-2021-30111 | WEB School | Cross-site Scripting vulnerability in Web-School Enterprise Resource Planning 5.0 A stored XSS vulnerability exists in Web-School ERP V 5.0 via (Add Events) in the event name and description fields. | 3.5 |
2021-04-08 | CVE-2021-3012 | Esri | Cross-site Scripting vulnerability in Esri Arcgis Enterprise 10.6.1 A cross-site scripting (XSS) vulnerability in the Document Link of documents in ESRI Enterprise before 10.9 allows remote authenticated users to inject arbitrary JavaScript code via a malicious HTML attribute such as onerror (in the URL field of the Parameters tab). | 3.5 |
2021-04-06 | CVE-2021-30146 | Seafile | Cross-site Scripting vulnerability in Seafile 7.0.5 Seafile 7.0.5 (2019) allows Persistent XSS via the "share of library functionality." | 3.5 |
2021-04-05 | CVE-2021-24211 | Wphive | Cross-site Scripting vulnerability in Wphive Wordpress Related Posts The WordPress Related Posts plugin through 3.6.4 contains an authenticated (admin+) stored XSS vulnerability in the title field on the settings page. | 3.5 |
2021-04-05 | CVE-2021-24208 | Themeum | Cross-site Scripting vulnerability in Themeum WP Page Builder The editor of the WP Page Builder WordPress plugin before 1.2.4 allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the “Raw HTML” widget and the “Custom HTML” widgets (though the custom HTML widget requires sending a crafted request - it appears that this widget uses some form of client side validation but not server side validation), all of which are added via the “page_builder_data” parameter when performing the “wppb_page_save” AJAX action. | 3.5 |
2021-04-05 | CVE-2021-24206 | Elementor | Cross-site Scripting vulnerability in Elementor Website Builder In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a ‘title_size’ parameter. | 3.5 |
2021-04-05 | CVE-2021-24205 | Elementor | Cross-site Scripting vulnerability in Elementor Website Builder In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a ‘title_size’ parameter. | 3.5 |
2021-04-05 | CVE-2021-24204 | Elementor | Cross-site Scripting vulnerability in Elementor Website Builder In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) accepts a ‘title_html_tag’ parameter. | 3.5 |
2021-04-05 | CVE-2021-24203 | Elementor | Cross-site Scripting vulnerability in Elementor Website Builder In the Elementor Website Builder WordPress plugin before 3.1.4, the divider widget (includes/widgets/divider.php) accepts an ‘html_tag’ parameter. | 3.5 |
2021-04-05 | CVE-2021-24202 | Elementor | Cross-site Scripting vulnerability in Elementor Website Builder In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a ‘header_size’ parameter. | 3.5 |
2021-04-05 | CVE-2021-24187 | Clogica | Cross-site Scripting vulnerability in Clogica SEO Redirection The setting page of the SEO Redirection Plugin - 301 Redirect Manager WordPress plugin before 6.4 is vulnerable to reflected Cross-Site Scripting (XSS) as user input is not properly sanitised before being output in an attribute. | 3.5 |
2021-04-05 | CVE-2021-24180 | Never5 | Cross-site Scripting vulnerability in Never5 Related Posts Unvalidated input and lack of output encoding within the Related Posts for WordPress plugin before 2.0.4 lead to a Reflected Cross-Site Scripting (XSS) vulnerability within the 'lang' GET parameter while editing a post, triggered when users with the capability of editing posts access a malicious URL. | 3.5 |
2021-04-05 | CVE-2021-24177 | Webdesi9 | Cross-site Scripting vulnerability in Webdesi9 File Manager In the default configuration of the File Manager WordPress plugin before 7.1, a Reflected XSS can occur on the endpoint /wp-admin/admin.php?page=wp_file_manager_properties when a payload is submitted on the User-Agent parameter. | 3.5 |
2021-04-05 | CVE-2021-24176 | JH 404 Logger Project | Cross-site Scripting vulnerability in JH 404 Logger Project JH 404 Logger 1.1 The JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard. | 3.5 |
2021-04-05 | CVE-2021-24168 | Easy Contact Form PRO Project | Cross-site Scripting vulnerability in Easy Contact Form PRO Project Easy Contact Form PRO The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not properly sanitise the text fields (such as Email Subject, Email Recipient, etc) when creating or editing a form, leading to an authenticated (author+) stored cross-site scripting issue. | 3.5 |
2021-04-05 | CVE-2021-24158 | Themeisle | Unspecified vulnerability in Themeisle Orbit FOX Orbit Fox by ThemeIsle has a feature to add a registration form to both the Elementor and Beaver Builder page builders functionality. | 3.5 |
2021-04-05 | CVE-2021-24157 | Themeisle | Cross-site Scripting vulnerability in Themeisle Orbit FOX Orbit Fox by ThemeIsle has a feature to add custom scripts to the header and footer of a page or post. | 3.5 |
2021-04-05 | CVE-2021-24156 | Testimonial Rotator Project | Cross-site Scripting vulnerability in Testimonial Rotator Project Testimonial Rotator 3.0.3 Stored Cross-Site Scripting vulnerabilities in Testimonial Rotator 3.0.3 allow low privileged users (Contributor) to inject arbitrary JavaScript code or HTML without approval. | 3.5 |
2021-04-05 | CVE-2021-24153 | Yoast | Cross-site Scripting vulnerability in Yoast SEO A Stored Cross-Site Scripting vulnerability was discovered in the Yoast SEO WordPress plugin before 3.4.1, which had built-in blacklist filters which were blacklisting Parenthesis as well as several functions such as alert but bypasses were found. | 3.5 |
2021-04-05 | CVE-2020-4997 | IBM | Cross-site Scripting vulnerability in IBM Infosphere Information Server 11.7 IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. | 3.5 |
2021-04-05 | CVE-2020-4792 | IBM | Cross-site Scripting vulnerability in IBM Edge Application Manager 4.2 IBM Edge 4.2 is vulnerable to cross-site scripting. | 3.5 |
2021-04-05 | CVE-2021-30057 | ENG | Injection vulnerability in ENG Knowage A stored HTML injection vulnerability exists in Knowage Suite version 7.1. | 3.5 |
2021-04-05 | CVE-2021-30056 | ENG | Cross-site Scripting vulnerability in ENG Knowage Knowage Suite before 7.4 is vulnerable to reflected cross-site scripting (XSS). | 3.5 |
2021-04-09 | CVE-2021-25364 | Exposure of Resource to Wrong Sphere vulnerability in Google Android 11.0 A pendingIntent hijacking vulnerability in Secure Folder prior to SMR APR-2021 Release 1 allows unprivileged applications to access contact information. | 3.3 | |
2021-04-09 | CVE-2021-25379 | Samsung | Unspecified vulnerability in Samsung Gallery Intent redirection vulnerability in Gallery prior to version 5.4.16.1 allows attacker to execute privileged action. | 2.1 |
2021-04-09 | CVE-2021-25359 | Incorrect Default Permissions vulnerability in Google Android 10.0/11.0 An improper SELinux policy prior to SMR APR-2021 Release 1 allows local attackers to access AP information without proper permissions via untrusted applications. | 2.1 | |
2021-04-09 | CVE-2021-25358 | Incorrect Default Permissions vulnerability in Google Android 10.0/9.0 A vulnerability that stores IMSI values in an improper path prior to SMR APR-2021 Release 1 allows local attackers to access IMSI values without any permission via untrusted applications. | 2.1 | |
2021-04-09 | CVE-2021-25357 | Exposure of Resource to Wrong Sphere vulnerability in Google Android 8.1/9.0 A pendingIntent hijacking vulnerability in Create Movie prior to SMR APR-2021 Release 1 in Android O(8.x) and P(9.0), 3.4.81.1 in Android Q(10,0), and 3.6.80.7 in Android R(11.0) allows unprivileged applications to access contact information. | 2.1 | |
2021-04-08 | CVE-2021-28686 | Asus | Out-of-bounds Write vulnerability in Asus Gputweak II AsIO2_64.sys and AsIO2_32.sys in ASUS GPUTweak II before 2.3.0.3 allow low-privileged users to trigger a stack-based buffer overflow. | 2.1 |
2021-04-07 | CVE-2021-29626 | Freebsd | Use After Free vulnerability in Freebsd In FreeBSD 13.0-STABLE before n245117, 12.2-STABLE before r369551, 11.4-STABLE before r369559, 13.0-RC5 before p1, 12.2-RELEASE before p6, and 11.4-RELEASE before p9, copy-on-write logic failed to invalidate shared memory page mappings between multiple processes allowing an unprivileged process to maintain a mapping after it is freed, allowing the process to read private data belonging to other processes or the kernel. | 2.1 |
2021-04-07 | CVE-2020-36312 | Linux | Memory Leak vulnerability in Linux Kernel An issue was discovered in the Linux kernel before 5.8.10. | 2.1 |
2021-04-07 | CVE-2020-36311 | Linux Debian | An issue was discovered in the Linux kernel before 5.9. | 2.1 |
2021-04-07 | CVE-2020-36310 | Linux Debian | Infinite Loop vulnerability in multiple products An issue was discovered in the Linux kernel before 5.8. | 2.1 |
2021-04-06 | CVE-2021-25692 | Teradici | Cleartext Storage of Sensitive Information vulnerability in Teradici Pcoip Connection Manager and Security Gateway Sensitive smart card data is logged in default INFO logs by Teradici's PCoIP Connection Manager and Security Gateway prior to version 21.01.3. | 2.1 |
2021-04-06 | CVE-2021-28688 | Linux Debian | Improper Initialization vulnerability in multiple products The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. | 2.1 |
2021-04-06 | CVE-2021-29136 | Linuxfoundation Sylabs | Improper Input Validation vulnerability in multiple products Open Container Initiative umoci before 0.4.7 allows attackers to overwrite arbitrary host paths via a crafted image that causes symlink traversal when "umoci unpack" or "umoci raw unpack" is used. | 2.1 |
2021-04-06 | CVE-2021-30161 | Unspecified vulnerability in Google Android 11.0 An issue was discovered on LG mobile devices with Android OS 11 software. | 2.1 | |
2021-04-09 | CVE-2021-29671 | IBM | Unspecified vulnerability in IBM Spectrum Scale 5.1.0.1 IBM Spectrum Scale 5.1.0.1 could allow a local attacker to bypass the filesystem audit logging mechanism when file audit logging is enabled. | 1.9 |