Weekly Vulnerabilities Reports > April 12 to 18, 2021

Overview

349 new vulnerabilities reported during this period, including 17 critical vulnerabilities and 146 high severity vulnerabilities. This weekly summary report vulnerabilities in 381 products from 122 vendors including Microsoft, Google, Fedoraproject, SAP, and Debian. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Improper Privilege Management", and "Command Injection".

  • 227 reported vulnerabilities are remotely exploitables.
  • 2 reported vulnerabilities have public exploit available.
  • 91 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 198 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 108 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 3 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

17 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-04-15 CVE-2021-27850 Apache Deserialization of Untrusted Data vulnerability in Apache Tapestry 5.4.0

A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry.

10.0
2021-04-13 CVE-2021-23277 Eaton Code Injection vulnerability in Eaton products

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability.

10.0
2021-04-13 CVE-2021-0430 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0

In rw_mfc_handle_read_op of rw_mfc.cc, there is a possible out of bounds write due to a missing bounds check.

10.0
2021-04-13 CVE-2020-27227 Openclinic GA Project OS Command Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3

An exploitable unatuhenticated command injection exists in the OpenClinic GA 5.173.3.

10.0
2021-04-17 CVE-2020-2509 Qnap Command Injection vulnerability in Qnap QTS

A command injection vulnerability has been reported to affect QTS and QuTS hero.

9.8
2021-04-16 CVE-2021-27692 Tendacn OS Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware

Command Injection in Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted "action/umountUSBPartition" request.

9.8
2021-04-16 CVE-2021-27691 Tendacn OS Command Injection vulnerability in Tendacn G0 Firmware, G1 Firmware and G3 Firmware

Command Injection in Tenda G0 routers with firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN , and Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted action/setDebugCfg request.

9.8
2021-04-14 CVE-2020-19778 Shopxo Unspecified vulnerability in Shopxo 1.4.0/1.5.0

Incorrect Access Control in Shopxo v1.4.0 and v1.5.0 allows remote attackers to gain privileges in "/index.php" by manipulating the parameter "user_id" in the HTML request.

9.8
2021-04-14 CVE-2021-31162 Rust Lang
Fedoraproject
Double Free vulnerability in multiple products

In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the element panics.

9.8
2021-04-13 CVE-2021-28481 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability

9.8
2021-04-13 CVE-2021-28480 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability

9.8
2021-04-13 CVE-2021-29998 Windriver
Siemens
Out-of-bounds Write vulnerability in multiple products

An issue was discovered in Wind River VxWorks before 6.5.

9.8
2021-04-13 CVE-2021-22505 Microfocus Unspecified vulnerability in Microfocus Operations Agent

Escalation of privileges vulnerability in Micro Focus Operations Agent, affects versions 12.0x, 12.10, 12.11, 12.12, 12.14 and 12.15.

9.8
2021-04-13 CVE-2021-27905 Apache Server-Side Request Forgery (SSRF) vulnerability in Apache Solr

The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core.

9.8
2021-04-12 CVE-2021-24215 Wpruby Forced Browsing vulnerability in Wpruby Controlled Admin Access

An Improper Access Control vulnerability was discovered in the Controlled Admin Access WordPress plugin before 1.5.2.

9.8
2021-04-12 CVE-2020-28872 Monitorr Incorrect Authorization vulnerability in Monitorr 1.7.6M

An authorization bypass vulnerability in Monitorr v1.7.6m in Monitorr/assets/config/_installation/_register.php allows an unauthorized person to create valid credentials.

9.8
2021-04-13 CVE-2021-28483 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability

9.0

146 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-04-15 CVE-2021-30245 Apache Externally Controlled Reference to a Resource in Another Sphere vulnerability in Apache Openoffice

The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks.

8.8
2021-04-14 CVE-2021-27249 Dlink OS Command Injection vulnerability in Dlink Dap-2020 Firmware 1.01

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-2020 v1.01rc001 Wi-Fi access points.

8.8
2021-04-14 CVE-2021-27248 Dlink Stack-based Buffer Overflow vulnerability in Dlink Dap-2020 Firmware 1.01

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-2020 v1.01rc001 Wi-Fi access points.

8.8
2021-04-14 CVE-2021-31152 Multilaser Cross-Site Request Forgery (CSRF) vulnerability in Multilaser Ac1200 Re018 Firmware V02.03.01.45Pt

Multilaser Router AC1200 V02.03.01.45_pt contains a cross-site request forgery (CSRF) vulnerability.

8.8
2021-04-14 CVE-2021-22879 Nextcloud
Fedoraproject
Injection vulnerability in multiple products

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands.

8.8
2021-04-13 CVE-2021-28482 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28434 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28358 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28357 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28356 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28355 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28354 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28353 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28352 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28346 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28345 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28344 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28343 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28342 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28341 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28340 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28339 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28338 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28337 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28336 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28335 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28334 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28333 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28332 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28331 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28330 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28329 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-13 CVE-2021-28327 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability

8.8
2021-04-12 CVE-2021-24221 Expresstech SQL Injection vulnerability in Expresstech Quiz and Survey Master

The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the result_id GET parameter on pages with the [qsm_result] shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection.

8.8
2021-04-12 CVE-2021-29379 Dlink OS Command Injection vulnerability in Dlink Dir-802 Firmware 1.00B05

An issue was discovered on D-Link DIR-802 A1 devices through 1.00b05.

8.8
2021-04-14 CVE-2021-27253 Netgear Out-of-bounds Write vulnerability in Netgear products

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Nighthawk R7800.

8.3
2021-04-14 CVE-2021-27252 Netgear OS Command Injection vulnerability in Netgear products

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76.

8.3
2021-04-14 CVE-2021-27251 Netgear Cleartext Transmission of Sensitive Information vulnerability in Netgear products

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Nighthawk R7800.

8.3
2021-04-14 CVE-2020-36323 Rust Lang
Fedoraproject
Use of Externally-Controlled Format String vulnerability in multiple products

In the standard library in Rust before 1.52.0, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.

8.2
2021-04-13 CVE-2021-28460 Microsoft Unspecified vulnerability in Microsoft Azure Sphere

Azure Sphere Unsigned Code Execution Vulnerability

8.1
2021-04-13 CVE-2021-28445 Microsoft Unspecified vulnerability in Microsoft products

Windows Network File System Remote Code Execution Vulnerability

8.1
2021-04-12 CVE-2021-29302 TP Link Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr802N Firmware

TP-Link TL-WR802N(US), Archer_C50v5_US v4_200 <= 2020.06 contains a buffer overflow vulnerability in the httpd process in the body message.

8.1
2021-04-17 CVE-2021-3493 Canonical Incorrect Authorization vulnerability in Canonical Ubuntu Linux

The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system.

7.8
2021-04-16 CVE-2020-9668 Adobe Unspecified vulnerability in Adobe Genuine Service

Adobe Genuine Service version 6.6 (and earlier) is affected by an Improper Access control vulnerability when handling symbolic links.

7.8
2021-04-16 CVE-2021-22539 Google Exposure of Resource to Wrong Sphere vulnerability in Google Bazel

An attacker can place a crafted JSON config file into the project folder pointing to a custom executable.

7.8
2021-04-15 CVE-2021-28549 Adobe Classic Buffer Overflow vulnerability in Adobe Photoshop

Adobe Photoshop versions 21.2.6 (and earlier) and 22.3 (and earlier) are affected by a Buffer Overflow vulnerability when parsing a specially crafted JSX file.

7.8
2021-04-15 CVE-2021-23887 Mcafee Unspecified vulnerability in Mcafee Data Loss Prevention Endpoint

Privilege Escalation vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.100 allows a local, low privileged, attacker to write to arbitrary controlled kernel addresses.

7.8
2021-04-14 CVE-2021-28826 Tibco Incorrect Authorization vulnerability in Tibco Messaging - Eclipse Mosquitto Distribution - Bridge 1.3.0

The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software.

7.8
2021-04-14 CVE-2021-28825 Tibco Incorrect Authorization vulnerability in Tibco Messaging - Eclipse Mosquitto Distribution - Core

The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software.

7.8
2021-04-14 CVE-2021-25314 Suse Creation of Temporary File With Insecure Permissions vulnerability in Suse Hawk2 2.6.3+Git.1614684118.Af555Ad9/2.6.3+Git.1614685906.812C31E9

A Creation of Temporary File With Insecure Permissions vulnerability in hawk2 of SUSE Linux Enterprise High Availability 12-SP3, SUSE Linux Enterprise High Availability 12-SP5, SUSE Linux Enterprise High Availability 15-SP2 allows local attackers to escalate to root.

7.8
2021-04-13 CVE-2021-3462 Lenovo Unspecified vulnerability in Lenovo Power Management Driver

A privilege escalation vulnerability in Lenovo Power Management Driver for Windows 10, prior to version 1.67.17.54, that could allow unauthorized access to the driver's device object.

7.8
2021-04-13 CVE-2021-28475 Microsoft Unspecified vulnerability in Microsoft Visual Studio Code

Visual Studio Code Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28473 Microsoft Unspecified vulnerability in Microsoft Visual Studio Code

Visual Studio Code Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28472 Microsoft Unspecified vulnerability in Microsoft Vscode-Maven

Visual Studio Code Maven for Java Extension Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28471 Microsoft Unspecified vulnerability in Microsoft Visual Studio Code

Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28470 Microsoft Unspecified vulnerability in Microsoft Visual Studio Code Github Pull Requests and Issues

Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28469 Microsoft Unspecified vulnerability in Microsoft Visual Studio Code

Visual Studio Code Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28468 Microsoft Type Confusion vulnerability in Microsoft RAW Image Extension

Raw Image Extension Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28466 Microsoft Unspecified vulnerability in Microsoft RAW Image Extension

Raw Image Extension Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28464 Microsoft Unspecified vulnerability in Microsoft VP9 Video Extensions

VP9 Video Extensions Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28458 Microsoft Unspecified vulnerability in Microsoft Ms-Rest-Nodeauth

Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability

7.8
2021-04-13 CVE-2021-28457 Microsoft Unspecified vulnerability in Microsoft Visual Studio Code

Visual Studio Code Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28454 Microsoft Use After Free vulnerability in Microsoft products

Microsoft Excel Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28453 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Word Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28451 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Excel Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28449 Microsoft Unspecified vulnerability in Microsoft 365 Apps, Excel and Office

Microsoft Office Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28448 Microsoft Unspecified vulnerability in Microsoft Visual Studio Code Kubernetes Tools

Visual Studio Code Kubernetes Tools Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28436 Microsoft Unspecified vulnerability in Microsoft products

Windows Speech Runtime Elevation of Privilege Vulnerability

7.8
2021-04-13 CVE-2021-28351 Microsoft Unspecified vulnerability in Microsoft products

Windows Speech Runtime Elevation of Privilege Vulnerability

7.8
2021-04-13 CVE-2021-28350 Microsoft Unspecified vulnerability in Microsoft products

Windows GDI+ Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28349 Microsoft Unspecified vulnerability in Microsoft products

Windows GDI+ Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28348 Microsoft Unspecified vulnerability in Microsoft products

Windows GDI+ Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28347 Microsoft Unspecified vulnerability in Microsoft products

Windows Speech Runtime Elevation of Privilege Vulnerability

7.8
2021-04-13 CVE-2021-28322 Microsoft Improper Privilege Management vulnerability in Microsoft products

Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability

7.8
2021-04-13 CVE-2021-28321 Microsoft Link Following vulnerability in Microsoft products

Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability

7.8
2021-04-13 CVE-2021-28320 Microsoft Unspecified vulnerability in Microsoft products

Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability

7.8
2021-04-13 CVE-2021-28315 Microsoft Unspecified vulnerability in Microsoft products

Windows Media Video Decoder Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-28314 Microsoft Unspecified vulnerability in Microsoft products

Windows Hyper-V Elevation of Privilege Vulnerability

7.8
2021-04-13 CVE-2021-28313 Microsoft Improper Privilege Management vulnerability in Microsoft products

Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability

7.8
2021-04-13 CVE-2021-28310 Microsoft Out-of-bounds Write vulnerability in Microsoft products

Win32k Elevation of Privilege Vulnerability

7.8
2021-04-13 CVE-2021-27096 Microsoft Unspecified vulnerability in Microsoft products

NTFS Elevation of Privilege Vulnerability

7.8
2021-04-13 CVE-2021-27095 Microsoft Unspecified vulnerability in Microsoft products

Windows Media Video Decoder Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-27091 Microsoft Unspecified vulnerability in Microsoft Windows 7, Windows Server 2008 and Windows Server 2012

RPC Endpoint Mapper Service Elevation of Privilege Vulnerability

7.8
2021-04-13 CVE-2021-27090 Microsoft Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016

Windows Secure Kernel Mode Elevation of Privilege Vulnerability

7.8
2021-04-13 CVE-2021-27089 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Internet Messaging API Remote Code Execution Vulnerability

7.8
2021-04-13 CVE-2021-27088 Microsoft Unspecified vulnerability in Microsoft products

Windows Event Tracing Elevation of Privilege Vulnerability

7.8
2021-04-13 CVE-2021-27086 Microsoft Incorrect Authorization vulnerability in Microsoft products

Windows Services and Controller App Elevation of Privilege Vulnerability

7.8
2021-04-13 CVE-2021-27064 Microsoft Unspecified vulnerability in Microsoft Visual Studio 2017 and Visual Studio 2019

Visual Studio Installer Elevation of Privilege Vulnerability

7.8
2021-04-13 CVE-2021-26415 Microsoft Improper Input Validation vulnerability in Microsoft products

Windows Installer Elevation of Privilege Vulnerability

7.8
2021-04-13 CVE-2021-22716 Schneider Electric Incorrect Permission Assignment for Critical Resource vulnerability in Schneider-Electric C-Bus Toolkit

A CWE-732: Incorrect Permission Assignment for Critical Resource vulnerability exists that could allow remote code execution when an unprivileged user modifies a file.

7.8
2021-04-13 CVE-2021-21784 Accusoft Out-of-bounds Write vulnerability in Accusoft Imagegear 19.8

An out-of-bounds write vulnerability exists in the JPG format SOF marker processing of Accusoft ImageGear 19.8.

7.8
2021-04-16 CVE-2021-26073 Atlassian Improper Authentication vulnerability in Atlassian Connect Express

Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps.

7.7
2021-04-13 CVE-2021-26416 Microsoft Unspecified vulnerability in Microsoft products

Windows Hyper-V Denial of Service Vulnerability

7.7
2021-04-18 CVE-2021-23381 Killing Project Command Injection vulnerability in Killing Project Killing

This affects all versions of package killing.

7.5
2021-04-18 CVE-2021-23380 Roar Pidusage Project Command Injection vulnerability in Roar-Pidusage Project Roar-Pidusage

This affects all versions of package roar-pidusage.

7.5
2021-04-18 CVE-2021-23379 Portkiller Project Command Injection vulnerability in Portkiller Project Portkiller

This affects all versions of package portkiller.

7.5
2021-04-18 CVE-2021-23378 Picotts Project Command Injection vulnerability in Picotts Project Picotts

This affects all versions of package picotts.

7.5
2021-04-18 CVE-2021-23377 Onion Oled JS Project Command Injection vulnerability in Onion-Oled-Js Project Onion-Oled-Js

This affects all versions of package onion-oled-js.

7.5
2021-04-18 CVE-2021-23376 Ffmpegdotjs Project Command Injection vulnerability in Ffmpegdotjs Project Ffmpegdotjs

This affects all versions of package ffmpegdotjs.

7.5
2021-04-18 CVE-2021-23375 Psnode Project Command Injection vulnerability in Psnode Project Psnode

This affects all versions of package psnode.

7.5
2021-04-18 CVE-2021-23374 PS Visitor Project Command Injection vulnerability in Ps-Visitor Project Ps-Visitor

This affects all versions of package ps-visitor.

7.5
2021-04-17 CVE-2020-36195 Qnap SQL Injection vulnerability in Qnap QTS

An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on.

7.5
2021-04-15 CVE-2021-31402 Flutterchina Injection vulnerability in Flutterchina DIO 4.0.0

The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669.

7.5
2021-04-15 CVE-2021-27112 Lightcms Project Unspecified vulnerability in Lightcms Project Lightcms 1.3.5

LightCMS v1.3.5 contains a remote code execution vulnerability in /app/Http/Controllers/Admin/NEditorController.php during the downloading of external images.

7.5
2021-04-15 CVE-2020-28592 Cosori Out-of-bounds Write vulnerability in Cosori Cs158-Af Firmware 1.1.0

A heap-based buffer overflow vulnerability exists in the configuration server functionality of the Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0.

7.5
2021-04-15 CVE-2020-27239 Openclinic GA Project SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3

An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3.

7.5
2021-04-15 CVE-2020-27238 Openclinic GA Project SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3

An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3.

7.5
2021-04-15 CVE-2020-27237 Openclinic GA Project SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3

An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3.

7.5
2021-04-14 CVE-2021-28484 Yubico
Fedoraproject
Infinite Loop vulnerability in multiple products

An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 (in YubiHSM SDK before 2021.04).

7.5
2021-04-14 CVE-2021-27258 Solarwinds Unspecified vulnerability in Solarwinds Orion Platform 2020.2

This vulnerability allows remote attackers to execute escalate privileges on affected installations of SolarWinds Orion Platform 2020.2.

7.5
2021-04-14 CVE-2021-27130 Online Reviewer System Project SQL Injection vulnerability in Online Reviewer System Project Online Reviewer System 1.0

Online Reviewer System 1.0 contains a SQL injection vulnerability through authentication bypass, which may lead to a reverse shell upload.

7.5
2021-04-13 CVE-2019-10881 Xerox Use of Hard-coded Credentials vulnerability in Xerox products

Xerox AltaLink B8045/B8055/B8065/B8075/B8090, AltaLink C8030/C8035/C8045/C8055/C8070 with software releases before 103.xxx.030.32000 includes two accounts with weak hard-coded passwords which can be exploited and allow unauthorized access which cannot be disabled.

7.5
2021-04-13 CVE-2021-28439 Microsoft Unspecified vulnerability in Microsoft products

Windows TCP/IP Driver Denial of Service Vulnerability

7.5
2021-04-13 CVE-2021-28324 Microsoft Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016

Windows SMB Information Disclosure Vulnerability

7.5
2021-04-13 CVE-2021-28319 Microsoft Unspecified vulnerability in Microsoft products

Windows TCP/IP Driver Denial of Service Vulnerability

7.5
2021-04-13 CVE-2021-21399 Ampache Improper Authentication vulnerability in Ampache

Ampache is a web based audio/video streaming application and file manager.

7.5
2021-04-13 CVE-2021-29999 Windriver Out-of-bounds Write vulnerability in Windriver Vxworks

An issue was discovered in Wind River VxWorks through 6.8.

7.5
2021-04-13 CVE-2020-27236 Openclinic GA Project SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3

An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the compnomenclature parameter.

7.5
2021-04-13 CVE-2020-27235 Openclinic GA Project SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3

An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the description parameter.

7.5
2021-04-13 CVE-2020-27234 Openclinic GA Project SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3

An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the serviceUID parameter.

7.5
2021-04-13 CVE-2020-27233 Openclinic GA Project SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3

An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the supplierUID parameter.

7.5
2021-04-13 CVE-2021-30176 Zerof SQL Injection vulnerability in Zerof Expert 2.0

The ZEROF Expert pro/2.0 application for mobile devices allows SQL Injection via the Authorization header to the /v2/devices/add endpoint.

7.5
2021-04-13 CVE-2021-30175 Zerof SQL Injection vulnerability in Zerof web Server 1.0

ZEROF Web Server 1.0 (April 2021) allows SQL Injection via the /HandleEvent endpoint for the login page.

7.5
2021-04-13 CVE-2021-29262 Apache Insufficiently Protected Credentials vulnerability in Apache Solr

When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable.

7.5
2021-04-13 CVE-2021-29003 Genexis OS Command Injection vulnerability in Genexis Platinum 4410 Firmware P4410V21.28

Genexis PLATINUM 4410 2.1 P4410-V2-1.28 devices allow remote attackers to execute arbitrary code via shell metacharacters to sys_config_valid.xgi, as demonstrated by the sys_config_valid.xgi?exeshell=%60telnetd%20%26%60 URI.

7.5
2021-04-13 CVE-2021-30503 Glsl Linting Project Unspecified vulnerability in Glsl Linting Project Glsl Linting

The unofficial GLSL Linting extension before 1.4.0 for Visual Studio Code allows remote code execution via a crafted glslangValidatorPath in the workspace configuration.

7.5
2021-04-12 CVE-2020-15390 Pega Improper Privilege Management vulnerability in Pega Platform 8.4.0.237

pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo.

7.5
2021-04-12 CVE-2021-24223 The N5 Upload Form WordPress plugin through 1.0 suffers from an arbitrary file upload issue in page where a Form from the plugin is embed, as any file can be uploaded.
7.5
2021-04-12 CVE-2021-24222 The WP-Curriculo Vitae Free WordPress plugin through 6.3 suffers from an arbitrary file upload issue in page where the [formCadastro] is embed.
7.5
2021-04-12 CVE-2021-23370 Swiperjs Unspecified vulnerability in Swiperjs Swiper

This affects the package swiper before 6.5.1.

7.5
2021-04-12 CVE-2021-23369 Handlebarsjs Unspecified vulnerability in Handlebarsjs Handlebars

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

7.5
2021-04-17 CVE-2021-3492 Canonical Memory Leak vulnerability in Canonical Ubuntu Linux

Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly.

7.2
2021-04-15 CVE-2021-20288 Linuxfoundation
Redhat
Fedoraproject
Debian
Improper Authentication vulnerability in multiple products

An authentication flaw was found in ceph in versions before 14.2.20.

7.2
2021-04-14 CVE-2021-29449 PI Hole OS Command Injection vulnerability in Pi-Hole

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application.

7.2
2021-04-13 CVE-2021-29440 Getgrav Code Injection vulnerability in Getgrav Grav

Grav is a file based Web-platform.

7.2
2021-04-13 CVE-2021-29439 Getgrav Incorrect Authorization vulnerability in Getgrav Grav Admin

The Grav admin plugin prior to version 1.10.11 does not correctly verify caller's privileges.

7.2
2021-04-13 CVE-2021-28645 Trendmicro Incorrect Permission Assignment for Critical Resource vulnerability in Trendmicro Apex ONE and Officescan

An incorrect permission assignment vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to escalate privileges on affected installations.

7.2
2021-04-13 CVE-2021-25253 Trendmicro Improper Privilege Management vulnerability in Trendmicro Apex ONE and Officescan

An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a resource used by the service could allow a local attacker to escalate privileges on affected installations.

7.2
2021-04-13 CVE-2021-25250 Trendmicro Improper Privilege Management vulnerability in Trendmicro Apex ONE and Officescan

An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a sensitive file could allow a local attacker to escalate privileges on affected installations.

7.2
2021-04-12 CVE-2021-22497 Microfocus Improper Authentication vulnerability in Microfocus Netiq Advanced Authentication

Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to improper session management issue.

7.2
2021-04-12 CVE-2021-21545 Dell Uncontrolled Search Path Element vulnerability in Dell Peripheral Manager

Dell Peripheral Manager 1.3.1 or greater contains remediation for a local privilege escalation vulnerability that could be potentially exploited to gain arbitrary code execution on the system with privileges of the system user.

7.2
2021-04-13 CVE-2021-28452 Microsoft Out-of-bounds Write vulnerability in Microsoft 365 Apps, Office and Outlook

Microsoft Outlook Memory Corruption Vulnerability

7.1
2021-04-13 CVE-2021-28446 Microsoft Unspecified vulnerability in Microsoft products

Windows Portmapping Information Disclosure Vulnerability

7.1
2021-04-13 CVE-2021-28477 Microsoft Unspecified vulnerability in Microsoft Visual Studio Code

Visual Studio Code Remote Code Execution Vulnerability

7.0
2021-04-13 CVE-2021-28440 Microsoft Unspecified vulnerability in Microsoft products

Windows Installer Elevation of Privilege Vulnerability

7.0
2021-04-13 CVE-2021-27072 Microsoft Unspecified vulnerability in Microsoft products

Win32k Elevation of Privilege Vulnerability

7.0

160 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-04-16 CVE-2020-9667 Adobe Uncontrolled Search Path Element vulnerability in Adobe Genuine Service

Adobe Genuine Service version 6.6 (and earlier) is affected by an Uncontrolled Search Path element vulnerability.

6.9
2021-04-15 CVE-2021-21100 Adobe Creation of Temporary File in Directory with Incorrect Permissions vulnerability in Adobe Digital Editions

Adobe Digital Editions version 4.5.11.187245 (and earlier) is affected by a Privilege Escalation vulnerability during installation.

6.8
2021-04-15 CVE-2020-28593 Cosori Unspecified vulnerability in Cosori Cs158-Af Firmware 1.1.0

A unauthenticated backdoor exists in the configuration server functionality of Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0.

6.8
2021-04-13 CVE-2021-29437 Scratchoauth2 Project Unspecified vulnerability in Scratchoauth2 Project Scratchoauth2

ScratchOAuth2 is an Oauth implementation for Scratch.

6.8
2021-04-13 CVE-2021-27092 Microsoft Unspecified vulnerability in Microsoft products

Azure AD Web Sign-in Security Feature Bypass Vulnerability

6.8
2021-04-13 CVE-2021-22718 Schneider Electric Path Traversal vulnerability in Schneider-Electric C-Bus Toolkit

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when restoring project files.

6.8
2021-04-13 CVE-2020-27228 Openclinic GA Project Incorrect Default Permissions vulnerability in Openclinic GA Project Openclinic GA 5.173.3

An incorrect default permissions vulnerability exists in the installation functionality of OpenClinic GA 5.173.3.

6.8
2021-04-12 CVE-2021-24229 Patreon Cross-site Scripting vulnerability in Patreon Wordpress

The Jetpack Scan team identified a Reflected Cross-Site Scripting via the patreon_save_attachment_patreon_level AJAX action of the Patreon WordPress plugin before 1.7.2.

6.8
2021-04-12 CVE-2021-24228 Patreon Cross-site Scripting vulnerability in Patreon Wordpress

The Jetpack Scan team identified a Reflected Cross-Site Scripting in the Login Form of the Patreon WordPress plugin before 1.7.2.

6.8
2021-04-12 CVE-2021-24218 Facebook Cross-Site Request Forgery (CSRF) vulnerability in Facebook

The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection.

6.8
2021-04-16 CVE-2021-29452 Curveballjs Incorrect Authorization vulnerability in Curveballjs A12N-Server 0.18.0/0.18.1

a12n-server is an npm package which aims to provide a simple authentication system.

6.5
2021-04-16 CVE-2020-9681 Adobe Uncontrolled Search Path Element vulnerability in Adobe Genuine Service

Adobe Genuine Service version 6.6 (and earlier) is affected by an Uncontrolled Search Path element vulnerability.

6.5
2021-04-15 CVE-2021-29447 Wordpress
Debian
XXE vulnerability in multiple products

Wordpress is an open source CMS.

6.5
2021-04-15 CVE-2021-28242 B2Evolution SQL Injection vulnerability in B2Evolution 7.2.2

SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cf_name" parameter when creating a new filter under the "Collections" tab.

6.5
2021-04-15 CVE-2021-27545 Phpgurukul SQL Injection vulnerability in PHPgurukul Beauty Parlour Management System 1.0

SQL Injection in the "add-services.php" component of PHPGurukul Beauty Parlour Management System v1.0 allows remote attackers to obtain sensitive database information by injecting SQL commands into the "sername" parameter.

6.5
2021-04-15 CVE-2020-7308 Mcafee Cleartext Transmission of Sensitive Information vulnerability in Mcafee Endpoint Security

Cleartext Transmission of Sensitive Information between McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update and McAfee Global Threat Intelligence (GTI) servers using DNS allows a remote attacker to view the requests from ENS and responses from GTI over DNS.

6.5
2021-04-14 CVE-2021-27250 Dlink External Control of File Name or Path vulnerability in Dlink Dap-2020 Firmware 1.01

This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DAP-2020 v1.01rc001 Wi-Fi access points.

6.5
2021-04-13 CVE-2021-28442 Microsoft Unspecified vulnerability in Microsoft products

Windows TCP/IP Information Disclosure Vulnerability

6.5
2021-04-13 CVE-2021-28441 Microsoft Unspecified vulnerability in Microsoft products

Windows Hyper-V Information Disclosure Vulnerability

6.5
2021-04-13 CVE-2021-28328 Microsoft Unspecified vulnerability in Microsoft products

Windows DNS Information Disclosure Vulnerability

6.5
2021-04-13 CVE-2021-28325 Microsoft Unspecified vulnerability in Microsoft products

Windows SMB Information Disclosure Vulnerability

6.5
2021-04-13 CVE-2021-28323 Microsoft Improper Handling of Case Sensitivity vulnerability in Microsoft products

Windows DNS Information Disclosure Vulnerability

6.5
2021-04-13 CVE-2021-28311 Microsoft Unspecified vulnerability in Microsoft products

Windows Application Compatibility Cache Denial of Service Vulnerability

6.5
2021-04-13 CVE-2021-27067 Microsoft Unspecified vulnerability in Microsoft Azure Devops Server and Team Foundation Server

Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability

6.5
2021-04-13 CVE-2021-27603 SAP Unspecified vulnerability in SAP Netweaver Application Server Abap 731/740/750

An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for any length of time.

6.5
2021-04-13 CVE-2021-22720 Schneider Electric Path Traversal vulnerability in Schneider-Electric C-Bus Toolkit

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when restoring a project.

6.5
2021-04-13 CVE-2021-22719 Schneider Electric Path Traversal vulnerability in Schneider-Electric C-Bus Toolkit

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when a file is uploaded.

6.5
2021-04-13 CVE-2021-22717 Schneider Electric Path Traversal vulnerability in Schneider-Electric C-Bus Toolkit

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when processing config files.

6.5
2021-04-13 CVE-2020-13568 Open EMR
Phpgacl Project
SQL Injection vulnerability in multiple products

SQL injection vulnerability exists in phpGACL 3.3.7.

6.5
2021-04-13 CVE-2020-13566 Open EMR
Phpgacl Project
SQL Injection vulnerability in multiple products

SQL injection vulnerabilities exist in phpGACL 3.3.7.

6.5
2021-04-12 CVE-2021-21393 Matrix
Fedoraproject
Improper Input Validation vulnerability in multiple products

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse).

6.5
2021-04-12 CVE-2021-21394 Matrix
Fedoraproject
Improper Input Validation vulnerability in multiple products

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse).

6.5
2021-04-12 CVE-2020-7924 Mongodb Improper Certificate Validation vulnerability in Mongodb Database Tools and Mongomirror

Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation.

6.5
2021-04-12 CVE-2021-24224 Easy Form Builder BY Bitware Project Unrestricted Upload of File with Dangerous Type vulnerability in Easy-Form-Builder-By-Bitware Project Easy-Form-Builder-By-Bitware

The EFBP_verify_upload_file AJAX action of the Easy Form Builder WordPress plugin through 1.0, available to authenticated users, does not have any security in place to verify uploaded files, allowing low privilege users to upload arbitrary files, leading to RCE.

6.5
2021-04-16 CVE-2021-26830 Tribalsystems SQL Injection vulnerability in Tribalsystems Zenario 8.8.52729

SQL Injection in Tribalsystems Zenario CMS 8.8.52729 allows remote attackers to access the database or delete the plugin.

6.4
2021-04-13 CVE-2021-29943 Apache Incorrect Authorization vulnerability in Apache Solr

When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials.

6.4
2021-04-12 CVE-2021-21392 Matrix
Fedoraproject
Open Redirect vulnerability in multiple products

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse).

6.3
2021-04-13 CVE-2021-26413 Microsoft Unspecified vulnerability in Microsoft products

Windows Installer Spoofing Vulnerability

6.2
2021-04-13 CVE-2021-29370 Cheetah Browser Project Cross-site Scripting vulnerability in Cheetah Browser Project Cheetah Browser 1.2.0

A UXSS was discovered in the Thanos-Soft Cheetah Browser in Android 1.2.0 due to the inadequate filter of the intent scheme.

6.1
2021-04-13 CVE-2021-28459 Microsoft Cross-site Scripting vulnerability in Microsoft Azure Devops Server 2020.0.1

Azure DevOps Server Spoofing Vulnerability

6.1
2021-04-12 CVE-2021-3163 Slab Cross-site Scripting vulnerability in Slab Quill 4.8.0

A vulnerability in the HTML editor of Slab Quill 4.8.0 allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field.

6.1
2021-04-12 CVE-2021-25926 Sickrage Cross-site Scripting vulnerability in Sickrage

In SiCKRAGE, versions 9.3.54.dev1 to 10.0.11.dev1 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly in the `quicksearch` feature.

6.1
2021-04-12 CVE-2021-24213 Givewp Cross-site Scripting vulnerability in Givewp

The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.0 was affected by a reflected Cross-Site Scripting vulnerability inside of the administration panel, via the 's' GET parameter on the Donors page.

6.1
2021-04-13 CVE-2021-29427 Gradle
Quarkus
Inclusion of Functionality from Untrusted Control Sphere vulnerability in multiple products

In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning.

6.0
2021-04-16 CVE-2021-29446 Jose Node CJS Runtime Project Information Exposure Through Discrepancy vulnerability in Jose-Node-Cjs-Runtime Project Jose-Node-Cjs-Runtime

jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions.

5.9
2021-04-16 CVE-2021-29445 Jose Node CJS Runtime Project Information Exposure Through Discrepancy vulnerability in Jose-Node-Cjs-Runtime Project Jose-Node-Cjs-Runtime

jose-node-esm-runtime is an npm package which provides a number of cryptographic functions.

5.9
2021-04-16 CVE-2021-29444 Jose Node CJS Runtime Project Information Exposure Through Discrepancy vulnerability in Jose-Node-Cjs-Runtime Project Jose-Node-Cjs-Runtime

jose-browser-runtime is an npm package which provides a number of cryptographic functions.

5.9
2021-04-15 CVE-2021-29448 PI Hole Cross-site Scripting vulnerability in Pi-Hole Ftldns, Pi-Hole and web Interface

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application.

5.8
2021-04-13 CVE-2021-29436 Anuko Cross-Site Request Forgery (CSRF) vulnerability in Anuko Time Tracker

Anuko Time Tracker is an open source, web-based time tracking application written in PHP.

5.8
2021-04-13 CVE-2021-21731 A CSRF vulnerability exists in the management page of a ZTE product.The vulnerability is caused because the management page does not fully verify whether the request comes from a trusted user.
5.8
2021-04-12 CVE-2021-24230 Patreon Cross-Site Request Forgery (CSRF) vulnerability in Patreon Wordpress

The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged in user overwrite or create arbitrary user metadata on the victim’s account once visited.

5.8
2021-04-13 CVE-2021-28444 Microsoft Unspecified vulnerability in Microsoft products

Windows Hyper-V Security Feature Bypass Vulnerability

5.7
2021-04-13 CVE-2021-27079 Microsoft Unspecified vulnerability in Microsoft products

Windows Media Photo Codec Information Disclosure Vulnerability

5.7
2021-04-15 CVE-2021-21096 Adobe Unspecified vulnerability in Adobe Bridge

Adobe Bridge versions 10.1.1 (and earlier) and 11.0.1 (and earlier) are affected by an Improper Authorization vulnerability in the Genuine Software Service.

5.5
2021-04-15 CVE-2021-23886 Mcafee Improper Handling of Exceptional Conditions vulnerability in Mcafee Data Loss Prevention Endpoint

Denial of Service vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.100 allows a local, low privileged, attacker to cause a BSoD through suspending a process, modifying the processes memory and restarting it.

5.5
2021-04-14 CVE-2021-29338 Uclouvain
Fedoraproject
Debian
Integer Overflow or Wraparound vulnerability in multiple products

Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of Service (DoS).

5.5
2021-04-14 CVE-2021-27815 Libexif Project
Fedoraproject
NULL Pointer Dereference vulnerability in multiple products

NULL Pointer Deference in the exif command line tool, when printing out XML formatted EXIF data, in exif v0.6.22 and earlier allows attackers to cause a Denial of Service (DoS) by uploading a malicious JPEG file, causing the application to crash.

5.5
2021-04-14 CVE-2020-36322 Linux
Debian
Starwindsoftware
Incomplete Cleanup vulnerability in multiple products

An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf.

5.5
2021-04-13 CVE-2021-28456 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Excel Information Disclosure Vulnerability

5.5
2021-04-13 CVE-2021-28443 Microsoft Unspecified vulnerability in Microsoft products

Windows Console Driver Denial of Service Vulnerability

5.5
2021-04-13 CVE-2021-28438 Microsoft Unspecified vulnerability in Microsoft products

Windows Console Driver Denial of Service Vulnerability

5.5
2021-04-13 CVE-2021-28437 Microsoft Unspecified vulnerability in Microsoft products

Windows Installer Information Disclosure Vulnerability

5.5
2021-04-13 CVE-2021-28435 Microsoft Unspecified vulnerability in Microsoft products

Windows Event Tracing Information Disclosure Vulnerability

5.5
2021-04-13 CVE-2021-28326 Microsoft Unspecified vulnerability in Microsoft products

Windows AppX Deployment Server Denial of Service Vulnerability

5.5
2021-04-13 CVE-2021-28318 Microsoft Unspecified vulnerability in Microsoft products

Windows GDI+ Information Disclosure Vulnerability

5.5
2021-04-13 CVE-2021-28317 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Windows Codecs Library Information Disclosure Vulnerability

5.5
2021-04-13 CVE-2021-28309 Microsoft Unspecified vulnerability in Microsoft products

Windows Kernel Information Disclosure Vulnerability

5.5
2021-04-13 CVE-2021-27093 Microsoft Unspecified vulnerability in Microsoft products

Windows Kernel Information Disclosure Vulnerability

5.5
2021-04-13 CVE-2021-26417 Microsoft Unspecified vulnerability in Microsoft products

Windows Overlay Filter Information Disclosure Vulnerability

5.5
2021-04-12 CVE-2021-24198 TMS Outsource Unspecified vulnerability in Tms-Outsource Wpdatatables

The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control.

5.5
2021-04-12 CVE-2021-24197 TMS Outsource Unspecified vulnerability in Tms-Outsource Wpdatatables

The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control.

5.5
2021-04-15 CVE-2021-21087 Adobe Cross-site Scripting vulnerability in Adobe Coldfusion 2016/2018/2021.0.0.323925

Adobe Coldfusion versions 2016 (update 16 and earlier), 2018 (update 10 and earlier) and 2021.0.0.323925 are affected by an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability.

5.4
2021-04-13 CVE-2021-29438 Nextcloud Dialogs Project Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Nextcloud/Dialogs Project Nextcloud/Dialogs

The Nextcloud dialogs library (npm package @nextcloud/dialogs) before 3.1.2 insufficiently escaped text input passed to a toast.

5.4
2021-04-13 CVE-2021-0433 Google Improper Privilege Management vulnerability in Google Android

In onCreate of DeviceChooserActivity.java, there is a possible way to bypass user consent when pairing a Bluetooth device due to a tapjacking/overlay attack.

5.4
2021-04-13 CVE-2021-27598 SAP Missing Authorization vulnerability in SAP Netweaver Application Server Java 7.31/7.40/7.50

SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc.

5.3
2021-04-12 CVE-2021-23368 Postcss Unspecified vulnerability in Postcss

The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

5.3
2021-04-15 CVE-2021-21405 Filecoin Improper Verification of Cryptographic Signature vulnerability in Filecoin Lotus

Lotus is an Implementation of the Filecoin protocol written in Go.

5.0
2021-04-15 CVE-2021-29430 Matrix Allocation of Resources Without Limits or Throttling vulnerability in Matrix Sydent

Sydent is a reference Matrix identity server.

5.0
2021-04-15 CVE-2021-30479 Zulip Improper Privilege Management vulnerability in Zulip Server

An issue was discovered in Zulip Server before 3.4.

5.0
2021-04-14 CVE-2021-28060 Group Office Server-Side Request Forgery (SSRF) vulnerability in Group-Office Group Office 6.4.196

A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php.

5.0
2021-04-14 CVE-2020-36120 Libsixel Project Classic Buffer Overflow vulnerability in Libsixel Project Libsixel 1.8.6

Buffer Overflow in the "sixel_encoder_encode_bytes" function of Libsixel v1.8.6 allows attackers to cause a Denial of Service (DoS).

5.0
2021-04-13 CVE-2021-28450 Microsoft Unspecified vulnerability in Microsoft Sharepoint Foundation and Sharepoint Server

Microsoft SharePoint Denial of Service Vulnerability

5.0
2021-04-13 CVE-2021-23372 Mongo Express Project Improper Check for Unusual or Exceptional Conditions vulnerability in Mongo-Express Project Mongo-Express

All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash.

5.0
2021-04-13 CVE-2021-0435 Google Improper Initialization vulnerability in Google Android

In avrc_proc_vendor_command of avrc_api.cc, there is a possible leak of heap data due to uninitialized data.

5.0
2021-04-13 CVE-2021-0431 Google Out-of-bounds Read vulnerability in Google Android

In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds read due to a missing bounds check.

5.0
2021-04-13 CVE-2021-29997 Windriver Out-of-bounds Read vulnerability in Windriver Vxworks 7.0

An issue was discovered in Wind River VxWorks 7 before 21.03.

5.0
2021-04-13 CVE-2021-21730 ZTE Unspecified vulnerability in ZTE Zxhn H168N Firmware 3.5.0Ty.T6

A ZTE product is impacted by improper access control vulnerability.

5.0
2021-04-12 CVE-2020-4965 IBM Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM products

IBM Jazz Team Server products use weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

5.0
2021-04-12 CVE-2021-24227 Patreon Information Exposure vulnerability in Patreon Wordpress

The Jetpack Scan team identified a Local File Disclosure vulnerability in the Patreon WordPress plugin before 1.7.0 that could be abused by anyone visiting the site.

5.0
2021-04-12 CVE-2021-24226 Accessally Information Exposure vulnerability in Accessally

In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the [accessally_order_form] shortcode is dumping serialize($_SERVER), which contains all environment variables.

5.0
2021-04-12 CVE-2021-24219 Thrivethemes Missing Authentication for Critical Function vulnerability in Thrivethemes products

The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before 2.3.9.4, Thrive Quiz Builder WordPress plugin before 2.3.9.4, Thrive Apprentice WordPress plugin before 2.3.9.4, Thrive Visual Editor WordPress plugin before 2.6.7.4, Thrive Dashboard WordPress plugin before 2.3.9.3, Thrive Ovation WordPress plugin before 2.4.5, Thrive Clever Widgets WordPress plugin before 1.57.1 and Rise by Thrive Themes WordPress theme before 2.0.0, Ignition by Thrive Themes WordPress theme before 2.0.0, Luxe by Thrive Themes WordPress theme before 2.0.0, FocusBlog by Thrive Themes WordPress theme before 2.0.0, Minus by Thrive Themes WordPress theme before 2.0.0, Squared by Thrive Themes WordPress theme before 2.0.0, Voice WordPress theme before 2.0.0, Performag by Thrive Themes WordPress theme before 2.0.0, Pressive by Thrive Themes WordPress theme before 2.0.0, Storied by Thrive Themes WordPress theme before 2.0.0, Thrive Themes Builder WordPress theme before 2.2.4 register a REST API endpoint associated with Zapier functionality.

5.0
2021-04-12 CVE-2021-23371 Chrono Node Project Unspecified vulnerability in Chrono-Node Project Chrono-Node

This affects the package chrono-node before 2.2.4.

5.0
2021-04-12 CVE-2020-24285 Intelbras Unspecified vulnerability in Intelbras Tip200 Firmware and Tip200Lite Firmware

INTELBRAS TELEFONE IP TIP200 version 60.61.75.22 allows an attacker to obtain sensitive information through /cgi-bin/cgiServer.exx.

5.0
2021-04-13 CVE-2021-3463 Lenovo NULL Pointer Dereference vulnerability in Lenovo Power Management Driver

A null pointer dereference vulnerability in Lenovo Power Management Driver for Windows 10, prior to version 1.67.17.54, that could cause systems to experience a blue screen error.

4.9
2021-04-15 CVE-2021-27544 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul Beauty Parlour Management System 1.0

Cross Site Scripting (XSS) in the "add-services.php" component of PHPGurukul Beauty Parlour Management System v1.0 allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "sername" parameter.

4.8
2021-04-13 CVE-2021-21482 SAP Information Exposure vulnerability in SAP Netweaver Master Data Management 7.10.750/710

SAP NetWeaver Master Data Management, versions - 710, 710.750, allows a malicious unauthorized user with access to the MDM Server subnet to find the password using a brute force method.

4.8
2021-04-13 CVE-2021-29425 Apache
Debian
Oracle
Netapp
Path Traversal vulnerability in multiple products

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

4.8
2021-04-13 CVE-2021-0445 Google Unspecified vulnerability in Google Android 11.0/9.0

In start of WelcomeActivity.java, there is a possible residual profile due to a confused deputy.

4.6
2021-04-13 CVE-2021-0442 Google Use After Free vulnerability in Google Android 11.0

In updateInfo of android_hardware_input_InputApplicationHandle.cpp, there is a possible control of code flow due to a use after free.

4.6
2021-04-13 CVE-2021-0439 Google Out-of-bounds Write vulnerability in Google Android 11.0

In setPowerModeWithHandle of com_android_server_power_PowerManagerService.cpp, there is a possible out of bounds write due to a missing bounds check.

4.6
2021-04-13 CVE-2021-0437 Google Double Free vulnerability in Google Android

In setPlayPolicy of DrmPlugin.cpp, there is a possible double free.

4.6
2021-04-13 CVE-2021-0429 Google Use After Free vulnerability in Google Android

In pollOnce of ALooper.cpp, there is possible memory corruption due to a use after free.

4.6
2021-04-13 CVE-2021-0427 Google Out-of-bounds Write vulnerability in Google Android 11.0

In parseExclusiveStateAnnotation of LogEvent.cpp, there is a possible out of bounds write due to a heap buffer overflow.

4.6
2021-04-13 CVE-2021-0426 Google Out-of-bounds Write vulnerability in Google Android 11.0

In parsePrimaryFieldFirstUidAnnotation of LogEvent.cpp, there is a possible out of bounds write due to a heap buffer overflow.

4.6
2021-04-14 CVE-2021-28098 Forescout Incorrect Default Permissions vulnerability in Forescout Counteract 8.0

An issue was discovered in Forescout CounterACT before 8.1.4.

4.4
2021-04-13 CVE-2021-29428 Gradle
Quarkus
Creation of Temporary File in Directory with Incorrect Permissions vulnerability in multiple products

In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it.

4.4
2021-04-13 CVE-2021-28447 Microsoft Unspecified vulnerability in Microsoft products

Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability

4.4
2021-04-13 CVE-2021-27094 Microsoft Unspecified vulnerability in Microsoft products

Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability

4.4
2021-04-13 CVE-2021-0468 Google Insecure Default Initialization of Resource vulnerability in Google Android

In LK, there is a possible escalation of privilege due to an insecure default value.

4.4
2021-04-13 CVE-2021-0446 Google Improper Privilege Management vulnerability in Google Android 11.0

In ImportVCardActivity, there is a possible way to bypass user consent due to a tapjacking/overlay attack.

4.4
2021-04-13 CVE-2021-0438 Google Improper Privilege Management vulnerability in Google Android 10.0/8.1/9.0

In several functions of InputDispatcher.cpp, WindowManagerService.java, and related files, there is a possible tapjacking attack due to an incorrect FLAG_OBSCURED value.

4.4
2021-04-13 CVE-2021-0432 Google Race Condition vulnerability in Google Android 11.0

In ClearPullerCacheIfNecessary and ForceClearPullerCache of StatsPullerManager.cpp, there is a possible use-after-free due to a race condition.

4.4
2021-04-13 CVE-2021-28647 Trendmicro Uncontrolled Search Path Element vulnerability in Trendmicro Password Manager 5.0/5.0.0.1076/5.0.0.1081

Trend Micro Password Manager version 5 (Consumer) is vulnerable to a DLL Hijacking vulnerability which could allow an attacker to inject a malicious DLL file during the installation progress and could execute a malicious program each time a user installs a program.

4.4
2021-04-16 CVE-2021-31348 Ezxml Project
Debian
Out-of-bounds Read vulnerability in multiple products

An issue was discovered in libezxml.a in ezXML 0.8.6.

4.3
2021-04-16 CVE-2021-31347 Ezxml Project
Debian
XML Injection (aka Blind XPath Injection) vulnerability in multiple products

An issue was discovered in libezxml.a in ezXML 0.8.6.

4.3
2021-04-16 CVE-2021-29443 Jose Project Information Exposure Through Discrepancy vulnerability in Jose Project Jose

jose is an npm library providing a number of cryptographic operations.

4.3
2021-04-16 CVE-2018-19942 Qnap Cross-site Scripting vulnerability in Qnap QTS and Quts Hero

A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station.

4.3
2021-04-15 CVE-2021-28055 Centreon Cross-Site Request Forgery (CSRF) vulnerability in Centreon 20.10.0

An issue was discovered in Centreon-Web in Centreon Platform 20.10.0.

4.3
2021-04-15 CVE-2021-31229 Ezxml Project
Debian
Out-of-bounds Write vulnerability in multiple products

An issue was discovered in libezxml.a in ezXML 0.8.6.

4.3
2021-04-15 CVE-2021-23884 Mcafee Cleartext Transmission of Sensitive Information vulnerability in Mcafee Content Security Reporter

Cleartext Transmission of Sensitive Information vulnerability in the ePO Extension of McAfee Content Security Reporter (CSR) prior to 2.8.0 allows an ePO administrator to view the unencrypted password of the McAfee Web Gateway (MWG) or the password of the McAfee Web Gateway Cloud Server (MWGCS) read only user used to retrieve log files for analysis in CSR.

4.3
2021-04-15 CVE-2020-7270 Mcafee Unspecified vulnerability in Mcafee Advanced Threat Defense

Exposure of Sensitive Information in the web interface in McAfee Advanced Threat Defense (ATD) prior to 4.12.2 allows remote authenticated users to view sensitive unencrypted information via a carefully crafted HTTP request parameter.

4.3
2021-04-15 CVE-2020-7269 Mcafee Unspecified vulnerability in Mcafee Advanced Threat Defense

Exposure of Sensitive Information in the web interface in McAfee Advanced Threat Defense (ATD) prior to 4.12.2 allows remote authenticated users to view sensitive unencrypted information via a carefully crafted HTTP request parameter.

4.3
2021-04-15 CVE-2021-26076 Atlassian Unspecified vulnerability in Atlassian products

The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker in the middle attack to learn which mode a user is editing in due to the cookie not being set with a secure attribute if Jira was configured to use https.

4.3
2021-04-15 CVE-2020-36288 Atlassian Cross-site Scripting vulnerability in Atlassian products

The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused by parameter pollution.

4.3
2021-04-14 CVE-2021-28855 In Deark before 1.5.8, a specially crafted input file can cause a NULL pointer dereference in the dbuf_write function (src/deark-dbuf.c).
4.3
2021-04-14 CVE-2020-35419 Group Office Cross-site Scripting vulnerability in Group-Office Group Office 6.4.196

Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter.

4.3
2021-04-14 CVE-2021-26832 Priority Software Cross-site Scripting vulnerability in Priority-Software Priority Enterprise Management System 8.00

Cross Site Scripting (XSS) in the "Reset Password" page form of Priority Enterprise Management System v8.00 allows attackers to execute javascript on behalf of the victim by sending a malicious URL or directing the victim to a malicious site.

4.3
2021-04-14 CVE-2021-26805 Tsmuxer Project Classic Buffer Overflow vulnerability in Tsmuxer Project Tsmuxer 2.6.16

Buffer Overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a malicious WAV file.

4.3
2021-04-14 CVE-2020-21087 X2Engine Cross-site Scripting vulnerability in X2Engine X2Crm

Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the "New Name" field of the "Rename a Module" tool.

4.3
2021-04-13 CVE-2021-29435 Trestle Auth Project Cross-Site Request Forgery (CSRF) vulnerability in Trestle-Auth Project Trestle-Auth 0.4.0/0.4.1

trestle-auth is an authentication plugin for the Trestle admin framework.

4.3
2021-04-13 CVE-2021-21485 SAP Unspecified vulnerability in SAP Netweaver Application Server Java

An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to gain NTLM hashes of a privileged user.

4.3
2021-04-13 CVE-2020-28590 Slic3R Out-of-bounds Read vulnerability in Slic3R Libslic3R 1.3.0

An out-of-bounds read vulnerability exists in the Obj File TriangleMesh::TriangleMesh() functionality of Slic3r libslic3r 1.3.0 and Master Commit 92abbc42.

4.3
2021-04-13 CVE-2021-21729 ZTE Cross-Site Request Forgery (CSRF) vulnerability in ZTE Zxhn H108N Firmware and Zxhn H168N Firmware

Some ZTE products have CSRF vulnerability.

4.3
2021-04-12 CVE-2021-23270 Gargoyle Router Excessive Iteration vulnerability in Gargoyle-Router Gargoyle 1.12.0

In Gargoyle OS 1.12.0, when IPv6 is used, a routing loop can occur that generates excessive network traffic between an affected device and its upstream ISP's router.

4.3
2021-04-12 CVE-2021-20519 IBM Cross-site Scripting vulnerability in IBM products

IBM Jazz Team Server products are vulnerable to cross-site scripting.

4.3
2021-04-12 CVE-2020-4920 IBM Cross-site Scripting vulnerability in IBM products

IBM Jazz Team Server products are vulnerable to stored cross-site scripting.

4.3
2021-04-12 CVE-2021-24231 Patreon Cross-Site Request Forgery (CSRF) vulnerability in Patreon Wordpress

The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged administrator disconnect the site from Patreon by visiting a specially crafted link.

4.3
2021-04-13 CVE-2021-28316 Microsoft Unspecified vulnerability in Microsoft products

Windows WLAN AutoConfig Service Security Feature Bypass Vulnerability

4.2
2021-04-16 CVE-2021-26074 Atlassian Improper Authentication vulnerability in Atlassian Connect Spring Boot

Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps.

4.0
2021-04-15 CVE-2021-29450 Wordpress
Debian
Information Exposure vulnerability in multiple products

Wordpress is an open source CMS.

4.0
2021-04-15 CVE-2021-29433 Matrix Improper Input Validation vulnerability in Matrix Sydent

Sydent is a reference Matrix identity server.

4.0
2021-04-15 CVE-2021-30209 Textpattern Unrestricted Upload of File with Dangerous Type vulnerability in Textpattern 4.8.4

Textpattern V4.8.4 contains an arbitrary file upload vulnerability where a plug-in can be loaded in the background without any security verification, which may lead to obtaining system permissions.

4.0
2021-04-15 CVE-2021-30487 Zulip Unspecified vulnerability in Zulip Server 3.0/3.1

In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation.

4.0
2021-04-15 CVE-2021-30478 Zulip Improper Privilege Management vulnerability in Zulip Server

An issue was discovered in Zulip Server before 3.4.

4.0
2021-04-15 CVE-2021-30477 Zulip Unspecified vulnerability in Zulip Server

An issue was discovered in Zulip Server before 3.4.

4.0
2021-04-15 CVE-2021-26075 Atlassian Unspecified vulnerability in Atlassian products

The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path of the Jira application data directory via an information disclosure vulnerability in the error message when presented with an invalid filename.

4.0
2021-04-14 CVE-2021-27604 SAP XXE vulnerability in SAP Netweaver Process Integration

In order to prevent XML External Entity vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Enterprise Service Repository JAVA Mappings), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, SAP recommends to refer this note.

4.0
2021-04-14 CVE-2021-27599 SAP Information Exposure vulnerability in SAP Netweaver Process Integration

SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Integration Builder Framework), versions - 7.10, 7.30, 7.31, 7.40, 7.50, allows an attacker to access information under certain conditions, which would otherwise be restricted.

4.0
2021-04-13 CVE-2021-3473 Lenovo Cleartext Storage of Sensitive Information vulnerability in Lenovo Xclarity Controller

An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore.

4.0
2021-04-13 CVE-2021-27605 SAP Missing Authorization vulnerability in SAP ERP

SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges.

4.0
2021-04-13 CVE-2021-21483 SAP Information Exposure vulnerability in SAP Solution Manager 7.20

Under certain conditions SAP Solution Manager, version - 720, allows a high privileged attacker to get access to sensitive information which has a direct serious impact beyond the exploitable component thereby affecting the confidentiality in the application.

4.0
2021-04-13 CVE-2021-28973 Perforce XXE vulnerability in Perforce Helix ALM 2020.3.1

The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks.

4.0
2021-04-13 CVE-2021-28938 Siren Unspecified vulnerability in Siren Federate

Siren Federate before 6.8.14-10.3.9, 6.9.x through 7.6.x before 7.6.2-20.2, 7.7.x through 7.9.x before 7.9.3-21.6, 7.10.x before 7.10.2-22.2, and 7.11.x before 7.11.2-23.0 can leak user information across thread contexts.

4.0
2021-04-12 CVE-2020-4964 IBM Unspecified vulnerability in IBM products

IBM Jazz Team Server products contain an undisclosed vulnerability that could allow an authenticated user to present a customized message on the application which could be used to phish other users.

4.0
2021-04-12 CVE-2021-24024 Fortinet Information Exposure Through Log Files vulnerability in Fortinet Fortiadc

A clear text storage of sensitive information into log file vulnerability in FortiADCManager 5.3.0 and below, 5.2.1 and below and FortiADC 5.3.7 and below may allow a remote authenticated attacker to read other local users' password in log files.

4.0
2021-04-12 CVE-2021-22190 Gitlab Path Traversal vulnerability in Gitlab

A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token

4.0
2021-04-12 CVE-2020-15942 Fortinet Information Exposure vulnerability in Fortinet Fortiweb

An information disclosure vulnerability in Web Vulnerability Scan profile of Fortinet's FortiWeb version 6.2.x below 6.2.4 and version 6.3.x below 6.3.5 may allow a remote authenticated attacker to read the password used by the FortiWeb scanner to access the device defined in the scan profile.

4.0
2021-04-12 CVE-2019-17656 Fortinet Out-of-bounds Write vulnerability in Fortinet Fortios and Fortiproxy

A Stack-based Buffer Overflow vulnerability in the HTTPD daemon of FortiOS 6.0.10 and below, 6.2.2 and below and FortiProxy 1.0.x, 1.1.x, 1.2.9 and below, 2.0.0 and below may allow an authenticated remote attacker to crash the service by sending a malformed PUT request to the server.

4.0
2021-04-12 CVE-2021-24200 TMS Outsource SQL Injection vulnerability in Tms-Outsource Wpdatatables

The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'length' HTTP POST parameter.

4.0
2021-04-12 CVE-2021-24199 TMS Outsource SQL Injection vulnerability in Tms-Outsource Wpdatatables

The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'start' HTTP POST parameter.

4.0

26 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-04-15 CVE-2021-29432 Matrix Unspecified vulnerability in Matrix Sydent

Sydent is a reference matrix identity server.

3.5
2021-04-15 CVE-2021-27673 Tribalsystems Cross-site Scripting vulnerability in Tribalsystems Zenario 8.8.52729

Cross Site Scripting (XSS) in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS v8.8.52729 allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "cID" parameter when creating a new HTML component.

3.5
2021-04-15 CVE-2021-27129 Casap Automated Enrollment System Project Cross-site Scripting vulnerability in Casap Automated Enrollment System Project Casap Automated Enrollment System 1.0

CASAP Automated Enrollment System version 1.0 contains a cross-site scripting (XSS) vulnerability through the Students > Edit > ROUTE parameter.

3.5
2021-04-14 CVE-2020-35660 Cross Site Scripting (XSS) in Monica before 2.19.1 via the journal page.
3.5
2021-04-14 CVE-2020-28124 Lavalite Cross-site Scripting vulnerability in Lavalite 5.8.0

Cross Site Scripting (XSS) in LavaLite 5.8.0 via the Address field.

3.5
2021-04-14 CVE-2020-35418 Group Office Cross-site Scripting vulnerability in Group-Office Group Office 6.4.196

Cross Site Scripting (XSS) in the contact page of Group Office CRM 6.4.196 by uploading a crafted svg file.

3.5
2021-04-14 CVE-2021-27989 Appspace Cross-site Scripting vulnerability in Appspace 6.2.4

Appspace 6.2.4 is vulnerable to stored cross-site scripting (XSS) in multiple parameters within /medianet/sgcontentset.aspx.

3.5
2021-04-13 CVE-2021-27600 SAP Cross-site Scripting vulnerability in SAP Manufacturing Execution

SAP Manufacturing Execution (System Rules), versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in Stored Cross-Site Scripting (XSS) vulnerability.

3.5
2021-04-13 CVE-2021-30637 Htmly Cross-site Scripting vulnerability in Htmly 2.8.0

htmly 2.8.0 allows stored XSS via the blog title, Tagline, or Description to config.html.php.

3.5
2021-04-13 CVE-2021-30044 Remoteclinic Cross-site Scripting vulnerability in Remoteclinic Remote Clinic 2.0

Cross Site Scripting (XSS) in Remote Clinic v2.0 via the First Name or Last Name field on staff/register.php.

3.5
2021-04-13 CVE-2021-30042 Remoteclinic Cross-site Scripting vulnerability in Remoteclinic Remote Clinic 2.0

Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Clinic Name", "Clinic Address", "Clinic City", or "Clinic Contact" field on clinics/register.php

3.5
2021-04-13 CVE-2021-30039 Remoteclinic Cross-site Scripting vulnerability in Remoteclinic Remote Clinic 2.0

Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Fever" or "Blood Pressure" field on the patients/register-report.php.

3.5
2021-04-13 CVE-2021-30034 Remoteclinic Cross-site Scripting vulnerability in Remoteclinic Remote Clinic 2.0

Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Symptons field on patients/register-report.php.

3.5
2021-04-13 CVE-2021-30030 Remoteclinic Cross-site Scripting vulnerability in Remoteclinic Remote Clinic 2.0

Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Full Name field on register-patient.php.

3.5
2021-04-12 CVE-2021-25925 Sickrage Cross-site Scripting vulnerability in Sickrage

in SiCKRAGE, versions 4.2.0 to 10.0.11.dev1 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly when processed by the server.

3.5
2021-04-14 CVE-2021-25316 Suse Insecure Temporary File vulnerability in Suse S390-Tools 2.1.018.29.1

A Insecure Temporary File vulnerability in s390-tools of SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-SP2 allows local attackers to prevent VM live migrations This issue affects: SUSE Linux Enterprise Server 12-SP5 s390-tools versions prior to 2.1.0-18.29.1.

3.3
2021-04-13 CVE-2021-28312 Microsoft Unspecified vulnerability in Microsoft products

Windows NTFS Denial of Service Vulnerability

3.3
2021-04-14 CVE-2021-27260 Parallels Out-of-bounds Read vulnerability in Parallels Desktop 16.0.1

This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 16.0.1-48919.

2.1
2021-04-13 CVE-2021-0471 Google Out-of-bounds Read vulnerability in Google Android

In decrypt_1_2 of CryptoPlugin.cpp, there is a possible out of bounds read due to an integer overflow.

2.1
2021-04-13 CVE-2021-0436 Google Integer Overflow or Wraparound vulnerability in Google Android

In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out of bounds read due to integer overflow.

2.1
2021-04-13 CVE-2021-0428 Google Missing Authorization vulnerability in Google Android 10.0

In getSimSerialNumber of TelephonyManager.java, there is a possible way to read a trackable identifier due to a missing permission check.

2.1
2021-04-13 CVE-2021-0400 Google Improper Input Validation vulnerability in Google Android 10.0/11.0/9.0

In injectBestLocation and handleUpdateLocation of GnssLocationProvider.java, there is a possible incorrect reporting of location data to emergency services due to improper input validation.

2.1
2021-04-13 CVE-2021-28646 Trendmicro Incorrect Permission Assignment for Critical Resource vulnerability in Trendmicro Apex ONE and Officescan

An insecure file permissions vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to take control of a specific log file on affected installations.

2.1
2021-04-13 CVE-2021-0444 Google Unspecified vulnerability in Google Android

In onActivityResult of QuickContactActivity.java, there is an unnecessary return of an intent.

1.9
2021-04-13 CVE-2021-0443 Google Race Condition vulnerability in Google Android

In several functions of ScreenshotHelper.java and related files, there is a possible incorrectly saved screenshot due to a race condition.

1.9
2021-04-12 CVE-2021-29429 Gradle
Quarkus
Insecure Temporary File vulnerability in multiple products

In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle.

1.9