Weekly Vulnerabilities Reports > April 12 to 18, 2021

Overview

264 new vulnerabilities were reported during this period, including 7 critical and 39 high severity vulnerabilities. This weekly summary covers vulnerabilities in 202 products from 88 vendors, including Microsoft, Google, Fedoraproject, Apache, and Schneider Electric. The most common weakness categories are "Improper Privilege Management", "Cross-site Scripting", "Information Exposure", "SQL Injection", and "Out-of-bounds Write".

  • 190 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability has a public exploit available.
  • 69 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 178 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 83.
  • Microsoft has the most reported critical vulnerabilities, with 3.


Vulnerability Details

The following table lists the vulnerabilities reported during the period covered by this report:


7 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-04-16 CVE-2021-27692 Tendacn OS Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware

Command Injection in Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted "action/umountUSBPartition" request.

10.0
2021-04-16 CVE-2021-27691 Tendacn OS Command Injection vulnerability in Tendacn G0 Firmware, G1 Firmware and G3 Firmware

Command Injection in Tenda G0 routers with firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN , and Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted action/setDebugCfg request.

10.0
2021-04-15 CVE-2021-27850 Apache Deserialization of Untrusted Data vulnerability in Apache Tapestry 5.4.0

A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry.

10.0
2021-04-13 CVE-2021-28481 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-28480, CVE-2021-28482, CVE-2021-28483.

10.0
2021-04-13 CVE-2021-28480 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-28481, CVE-2021-28482, CVE-2021-28483.

10.0
2021-04-13 CVE-2021-0430 Google Out-Of-Bounds Write vulnerability in Google Android 10.0/11.0

In rw_mfc_handle_read_op of rw_mfc.cc, there is a possible out of bounds write due to a missing bounds check.

10.0
2021-04-13 CVE-2021-28482 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-28480, CVE-2021-28481, CVE-2021-28483.

9.0

39 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-04-14 CVE-2021-27253 Netgear Out-Of-Bounds Write vulnerability in Netgear products

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Nighthawk R7800.

8.3
2021-04-14 CVE-2021-27252 Netgear OS Command Injection vulnerability in Netgear products

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76.

8.3
2021-04-14 CVE-2021-27251 Netgear Cleartext Transmission of Sensitive Information vulnerability in Netgear products

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Nighthawk R7800.

8.3
2021-04-13 CVE-2021-26416 Microsoft Unspecified vulnerability in Microsoft products

Windows Hyper-V Denial of Service Vulnerability

7.8
2021-04-13 CVE-2021-28483 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-28480, CVE-2021-28481, CVE-2021-28482.

7.7
2021-04-17 CVE-2020-36195 Qnap SQL Injection vulnerability in Qnap QTS

An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on.

7.5
2021-04-17 CVE-2020-2509 Qnap Command Injection vulnerability in Qnap QTS and Quts Hero

A command injection vulnerability has been reported to affect QTS and QuTS hero.

7.5
2021-04-15 CVE-2021-27112 Lightcms Project Unspecified vulnerability in Lightcms Project Lightcms 1.3.5

LightCMS v1.3.5 contains a remote code execution vulnerability in /app/Http/Controllers/Admin/NEditorController.php during the downloading of external images.

7.5
2021-04-14 CVE-2021-27130 Online Reviewer System Project SQL Injection vulnerability in Online Reviewer System Project Online Reviewer System 1.0

Online Reviewer System 1.0 contains a SQL injection vulnerability through authentication bypass, which may lead to a reverse shell upload.

7.5
2021-04-14 CVE-2021-31162 Rust Lang, Fedoraproject Double Free vulnerability in multiple products

In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the element panics.

7.5
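The Rust entry above describes a destructor loop that, when one element's Drop panics, leaves the vector to free elements it has already freed. The following added example is written for this report; it is not the Rust standard library's Vec::from_iter code nor the patch for CVE-2021-31162. It models that bug class with a simplified manual drop loop beside the drop-guard pattern that makes such a loop panic-safe. The element type, the drop counter and the function names are illustrative assumptions.

```rust
// Added example for this report: a simplified model of the "panic while
// dropping elements" bug class, not the Rust std implementation.
use std::cell::Cell;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::ptr;

// Counts how many times Elem::drop has run (assumption: single thread).
thread_local! { static DROPS: Cell<u32> = Cell::new(0); }
fn reset_drop_count() { DROPS.with(|d| d.set(0)); }
fn drop_count() -> u32 { DROPS.with(|d| d.get()) }

/// Element whose destructor panics the first `panics_left` times it runs.
/// It owns no heap memory, so a repeated drop only shows up in the counter
/// instead of corrupting the allocator.
struct Elem { panics_left: Cell<u32> }

impl Elem {
    fn new(panics_left: u32) -> Self { Elem { panics_left: Cell::new(panics_left) } }
}

impl Drop for Elem {
    fn drop(&mut self) {
        DROPS.with(|d| d.set(d.get() + 1));
        if self.panics_left.get() > 0 {
            self.panics_left.set(self.panics_left.get() - 1);
            panic!("Elem::drop panicked");
        }
    }
}

/// Unsound "before" pattern: drop the elements by hand and only afterwards
/// tell the Vec that it no longer owns them. If one destructor panics, the
/// `set_len(0)` is never reached, unwinding runs Vec's own destructor with
/// the old length, and every element dropped so far is dropped again.
/// (Dropping a value twice is undefined behaviour; it only behaves
/// predictably here because Elem owns no heap memory.)
fn drop_all_naive(mut v: Vec<Elem>) {
    let len = v.len();
    let base = v.as_mut_ptr();
    for i in 0..len {
        unsafe { ptr::drop_in_place(base.add(i)) };
    }
    unsafe { v.set_len(0) };
}

/// Panic-safe version: a guard records progress before each fallible drop
/// and, in its own destructor, shifts the not-yet-dropped tail to the front
/// and shrinks the Vec to exactly those elements. The guard runs whether the
/// loop finishes or unwinds, so Vec later drops each survivor once and never
/// touches an element that is already gone.
fn drop_all_guarded(mut v: Vec<Elem>) {
    struct Guard<'a> { v: &'a mut Vec<Elem>, dropped: usize }
    impl Drop for Guard<'_> {
        fn drop(&mut self) {
            let len = self.v.len();
            let remaining = len - self.dropped;
            unsafe {
                let base = self.v.as_mut_ptr();
                ptr::copy(base.add(self.dropped), base, remaining);
                self.v.set_len(remaining);
            }
        }
    }
    let len = v.len();
    let mut guard = Guard { v: &mut v, dropped: 0 };
    for i in 0..len {
        guard.dropped = i + 1; // commit progress before the call that may unwind
        unsafe { ptr::drop_in_place(guard.v.as_mut_ptr().add(i)) };
    }
}

/// Runs `f` on a constructed three-element vector whose middle element
/// panics once, and returns (total Elem drops, whether a panic propagated).
/// With three elements, exactly 3 drops is the correct answer.
fn run(f: fn(Vec<Elem>)) -> (u32, bool) {
    reset_drop_count();
    let v = vec![Elem::new(0), Elem::new(1), Elem::new(0)];
    let result = catch_unwind(AssertUnwindSafe(|| f(v)));
    (drop_count(), result.is_err())
}

fn main() {
    std::panic::set_hook(Box::new(|_| {})); // keep the panic message off stderr
    let (naive, _) = run(drop_all_naive);
    let (guarded, _) = run(drop_all_guarded);
    println!("naive loop:   {} drops for 3 elements (already-dropped elements re-dropped during unwind)", naive);
    println!("guarded loop: {} drops for 3 elements", guarded);
}
```

The naive loop reports 5 drops for 3 elements (the two elements dropped before the panic are dropped a second time by Vec during unwinding); the guarded loop reports exactly 3 while still propagating the panic. The design point is that the guard's bookkeeping is updated before the fallible call, so the state the guard repairs is always a conservative description of what the loop has already consumed.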
2021-04-13 CVE-2019-10881 Xerox USE of Hard-Coded Credentials vulnerability in Xerox products

Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and AltaLink C8030/C8035/C8045/C8055/C8070 with software releases before 103.xxx.030.32000 include two accounts with weak hard-coded passwords which cannot be disabled and can be exploited to gain unauthorized access.

7.5
2021-04-13 CVE-2021-27092 Microsoft Unspecified vulnerability in Microsoft products

Azure AD Web Sign-in Security Feature Bypass Vulnerability

7.5
2021-04-13 CVE-2021-29999 Windriver Out-Of-Bounds Write vulnerability in Windriver Vxworks

An issue was discovered in Wind River VxWorks through 6.8.

7.5
2021-04-13 CVE-2021-29998 Windriver Out-Of-Bounds Write vulnerability in Windriver Vxworks

An issue was discovered in Wind River VxWorks before 6.5.

7.5
2021-04-13 CVE-2020-27236 Openclinic GA Project SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3

An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the compnomenclature parameter.

7.5
2021-04-13 CVE-2020-27235 Openclinic GA Project SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3

An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the description parameter.

7.5
2021-04-13 CVE-2020-27234 Openclinic GA Project SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3

An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the serviceUID parameter.

7.5
2021-04-13 CVE-2020-27233 Openclinic GA Project SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3

An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the supplierUID parameter.

7.5
2021-04-13 CVE-2021-30176 Zerof SQL Injection vulnerability in Zerof Expert 2.0

The ZEROF Expert pro/2.0 application for mobile devices allows SQL Injection via the Authorization header to the /v2/devices/add endpoint.

7.5
2021-04-13 CVE-2021-30175 Zerof SQL Injection vulnerability in Zerof web Server 1.0

ZEROF Web Server 1.0 (April 2021) allows SQL Injection via the /HandleEvent endpoint for the login page.

7.5
2021-04-13 CVE-2021-28421 Fluidsynth USE After Free vulnerability in Fluidsynth 2.1.7

FluidSynth 2.1.7 contains a use after free vulnerability in sfloader/fluid_sffile.c that can result in arbitrary code execution or a denial of service (DoS) if a malicious soundfont2 file is loaded into a fluidsynth library.

7.5
2021-04-13 CVE-2021-27905 Apache Server-Side Request Forgery (SSRF) vulnerability in Apache Solr

The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core.

7.5
2021-04-13 CVE-2021-30503 Glsl Linting Project Incorrect Authorization vulnerability in Glsl Linting Project Glsl Linting

The unofficial GLSL Linting extension before 1.4.0 for Visual Studio Code allows remote code execution via a crafted glslangValidatorPath in the workspace configuration.

7.5
2021-04-12 CVE-2020-15390 Pega Improper Privilege Management vulnerability in Pega Platform 8.4.0.237

pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo.

7.5
2021-04-12 CVE-2021-24223

The N5 Upload Form WordPress plugin through 1.0 suffers from an arbitrary file upload issue on any page where a form from the plugin is embedded, as any file can be uploaded.

7.5
2021-04-12 CVE-2021-24222

The WP-Curriculo Vitae Free WordPress plugin through 6.3 suffers from an arbitrary file upload issue on any page where the [formCadastro] shortcode is embedded.

7.5
2021-04-12 CVE-2021-23370 Swiperjs Unspecified vulnerability in Swiperjs Swiper

This affects the package swiper before 6.5.1.

7.5
2021-04-12 CVE-2021-23369 Handlebarsjs Unspecified vulnerability in Handlebarsjs Handlebars

The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when certain compile options are selected to compile templates coming from an untrusted source.

7.5
2021-04-12 CVE-2020-28872 Monitorr Project Incorrect Authorization vulnerability in Monitorr Project Monitorr 1.7.6M

An authorization bypass vulnerability in Monitorr v1.7.6m in Monitorr/assets/config/_installation/_register.php allows an unauthorized person to create valid credentials.

7.5
2021-04-17 CVE-2021-3493 Canonical Improper Privilege Management vulnerability in Canonical Ubuntu Linux

The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system.

7.2
2021-04-17 CVE-2021-3492 Canonical Memory Leak vulnerability in Canonical Ubuntu Linux

Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user().

7.2
2021-04-15 CVE-2021-23887 Mcafee Improper Privilege Management vulnerability in Mcafee Data Loss Prevention Endpoint

Privilege Escalation vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.100 allows a local, low privileged, attacker to write to arbitrary controlled kernel addresses.

7.2
2021-04-14 CVE-2021-29449 PI Hole Improper Privilege Management vulnerability in Pi-Hole

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application.

7.2
2021-04-14 CVE-2021-25314 Suse Creation of Temporary File With Insecure Permissions vulnerability in Suse Hawk2

A Creation of Temporary File With Insecure Permissions vulnerability in hawk2 of SUSE Linux Enterprise High Availability 12-SP3, SUSE Linux Enterprise High Availability 12-SP5, SUSE Linux Enterprise High Availability 15-SP2 allows local attackers to escalate to root.

7.2
2021-04-13 CVE-2021-28645 Trendmicro Incorrect Permission Assignment for Critical Resource vulnerability in Trendmicro Apex ONE and Officescan

An incorrect permission assignment vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to escalate privileges on affected installations.

7.2
2021-04-13 CVE-2021-25253 Trendmicro Improper Privilege Management vulnerability in Trendmicro Apex ONE and Officescan

An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a resource used by the service could allow a local attacker to escalate privileges on affected installations.

7.2
2021-04-13 CVE-2021-25250 Trendmicro Improper Privilege Management vulnerability in Trendmicro Apex ONE and Officescan

An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a sensitive file could allow a local attacker to escalate privileges on affected installations.

7.2
2021-04-12 CVE-2021-21545 Dell Uncontrolled Search Path Element vulnerability in Dell Peripheral Manager

Dell Peripheral Manager 1.3.1 or greater contains remediation for a local privilege escalation vulnerability that could be potentially exploited to gain arbitrary code execution on the system with privileges of the system user.

7.2
2021-04-15 CVE-2021-3487 GNU, Redhat, Fedoraproject Resource Exhaustion vulnerability in multiple products

There's a flaw in the BFD library of binutils in versions before 2.36.

7.1

182 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-04-16 CVE-2020-9667 Adobe Uncontrolled Search Path Element vulnerability in Adobe Genuine Service

Adobe Genuine Service version 6.6 (and earlier) is affected by an Uncontrolled Search Path element vulnerability.

6.9
2021-04-16 CVE-2020-9668 Adobe Improper Access Control vulnerability in Adobe Genuine Service

Adobe Genuine Service version 6.6 (and earlier) is affected by an Improper Access control vulnerability when handling symbolic links.

6.8
2021-04-15 CVE-2021-30245 Apache Externally Controlled Reference TO A Resource in Another Sphere vulnerability in Apache Openoffice

The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks.

6.8
2021-04-14 CVE-2021-31152 Multilaser Cross-Site Request Forgery (CSRF) vulnerability in Multilaser Ac1200 Re018 Firmware V02.03.01.45Pt

Multilaser Router AC1200 V02.03.01.45_pt contains a cross-site request forgery (CSRF) vulnerability.

6.8
2021-04-14 CVE-2021-22879 Nextcloud, Fedoraproject Injection vulnerability in multiple products

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands.

6.8
2021-04-13 CVE-2021-28477 Microsoft Unspecified vulnerability in Microsoft Visual Studio Code

Visual Studio Code Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-28457, CVE-2021-28469, CVE-2021-28473, CVE-2021-28475.

6.8
2021-04-13 CVE-2021-28475 Microsoft Unspecified vulnerability in Microsoft Visual Studio Code

Visual Studio Code Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-28457, CVE-2021-28469, CVE-2021-28473, CVE-2021-28477.

6.8
2021-04-13 CVE-2021-28473 Microsoft Unspecified vulnerability in Microsoft Visual Studio Code

Visual Studio Code Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-28457, CVE-2021-28469, CVE-2021-28475, CVE-2021-28477.

6.8
2021-04-13 CVE-2021-28453 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Word Remote Code Execution Vulnerability

6.8
2021-04-13 CVE-2021-28452 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft 365 Apps, Office and Outlook

Microsoft Outlook Memory Corruption Vulnerability

6.8
2021-04-13 CVE-2021-28451 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-28454.

6.8
2021-04-13 CVE-2021-27095 Microsoft Unspecified vulnerability in Microsoft products

Windows Media Video Decoder Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-28315.

6.8
2021-04-13 CVE-2021-27089 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Internet Messaging API Remote Code Execution Vulnerability

6.8
2021-04-13 CVE-2021-22718 Schneider Electric Path Traversal vulnerability in Schneider-Electric C-Bus Toolkit

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when restoring project files.

6.8
2021-04-13 CVE-2020-27228 Openclinic GA Project Incorrect Default Permissions vulnerability in Openclinic GA Project Openclinic GA 5.173.3

An incorrect default permissions vulnerability exists in the installation functionality of OpenClinic GA 5.173.3.

6.8
2021-04-12 CVE-2021-24229 Patreon Cross-Site Scripting vulnerability in Patreon Wordpress

The Jetpack Scan team identified a Reflected Cross-Site Scripting via the patreon_save_attachment_patreon_level AJAX action of the Patreon WordPress plugin before 1.7.2.

6.8
2021-04-12 CVE-2021-24228 Patreon Cross-Site Scripting vulnerability in Patreon Wordpress

The Jetpack Scan team identified a Reflected Cross-Site Scripting in the Login Form of the Patreon WordPress plugin before 1.7.2.

6.8
2021-04-12 CVE-2021-24218 Facebook Cross-Site Request Forgery (CSRF) vulnerability in Facebook

The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection.

6.8
2021-04-15 CVE-2021-20288 Linuxfoundation, Redhat, Fedoraproject Improper Authentication vulnerability in multiple products

An authentication flaw was found in ceph in versions before 14.2.20.

6.5
2021-04-15 CVE-2021-28242 B2Evolution SQL Injection vulnerability in B2Evolution 7.2.2

SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cf_name" parameter when creating a new filter under the "Collections" tab.

6.5
2021-04-13 CVE-2021-29440 Getgrav Code Injection vulnerability in Getgrav Grav

Grav is a file based Web-platform.

6.5
2021-04-13 CVE-2021-29439 Getgrav Incorrect Authorization vulnerability in Getgrav Grav Admin

The Grav admin plugin prior to version 1.10.11 does not correctly verify caller's privileges.

6.5
2021-04-13 CVE-2021-28434 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28358 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28357 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28356 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28355 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28354 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28353 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28352 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28346 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28345 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28344 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28343 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28342 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28341 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28340 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28339 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28338 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28337 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28336 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28335 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28334 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28333 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28332 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28331 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28330 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28329 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-28327 Microsoft Unspecified vulnerability in Microsoft products

Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from the others in the set of 27 RPC Runtime RCE CVEs: CVE-2021-28327, CVE-2021-28329 to CVE-2021-28346, CVE-2021-28352 to CVE-2021-28358, and CVE-2021-28434.

6.5
2021-04-13 CVE-2021-22720 Schneider Electric Path Traversal vulnerability in Schneider-Electric C-Bus Toolkit

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when restoring a project.

6.5
2021-04-13 CVE-2021-22719 Schneider Electric Path Traversal vulnerability in Schneider-Electric C-Bus Toolkit

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when a file is uploaded.

6.5
2021-04-13 CVE-2021-22717 Schneider Electric Path Traversal vulnerability in Schneider-Electric C-Bus Toolkit

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when processing config files.

6.5
2021-04-13 CVE-2020-13568 Open EMR, Phpgacl Project SQL Injection vulnerability in multiple products

SQL injection vulnerability exists in phpGACL 3.3.7.

6.5
2021-04-13 CVE-2020-13566 Open EMR, Phpgacl Project SQL Injection vulnerability in multiple products

SQL injection vulnerabilities exist in phpGACL 3.3.7.

6.5
2021-04-12 CVE-2021-24224 Easy Form Builder BY Bitware Project Unrestricted Upload of File With Dangerous Type vulnerability in Easy-Form-Builder-By-Bitware Project Easy-Form-Builder-By-Bitware

The EFBP_verify_upload_file AJAX action of the Easy Form Builder WordPress plugin through 1.0, available to authenticated users, does not have any security in place to verify uploaded files, allowing low privilege users to upload arbitrary files, leading to RCE.

6.5
2021-04-12 CVE-2021-24221 Expresstech SQL Injection vulnerability in Expresstech Quiz and Survey Master

The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the result_id GET parameter on pages with the [qsm_result] shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection.

6.5
2021-04-16 CVE-2021-26830 Tribalsystems SQL Injection vulnerability in Tribalsystems Zenario 8.8.52729

SQL Injection in Tribalsystems Zenario CMS 8.8.52729 allows remote attackers to access the database or delete the plugin.

6.4
2021-04-15 CVE-2020-7308 Mcafee Cleartext Transmission of Sensitive Information vulnerability in Mcafee Endpoint Security

Cleartext Transmission of Sensitive Information between McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update and McAfee Global Threat Intelligence (GTI) servers using DNS allows a remote attacker to view the requests from ENS and responses from GTI over DNS.

6.4
2021-04-14 CVE-2020-36323 Rust Lang, Fedoraproject Use of Externally-Controlled Format String vulnerability in multiple products

In the standard library in Rust before 1.52.0, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.

6.4
2021-04-13 CVE-2021-29943 Apache Incorrect Authorization vulnerability in Apache Solr

When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials.

6.4
2021-04-13 CVE-2021-27079 Microsoft Information Exposure vulnerability in Microsoft products

Windows Media Photo Codec Information Disclosure Vulnerability

6.3
2021-04-13 CVE-2021-29427 Gradle Inclusion of Functionality From Untrusted Control Sphere vulnerability in Gradle

In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning.

6.0
2021-04-15 CVE-2021-29448 PI Hole Cross-Site Scripting vulnerability in Pi-Hole Ftldns, Pi-Hole and web Interface

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application.

5.8
2021-04-13 CVE-2021-29436 Anuko Cross-Site Request Forgery (CSRF) vulnerability in Anuko Time Tracker

Anuko Time Tracker is an open source, web-based time tracking application written in PHP.

5.8
2021-04-13 CVE-2021-21731

A CSRF vulnerability exists in the management page of a ZTE product. The vulnerability is caused because the management page does not fully verify whether the request comes from a trusted user.

5.8
2021-04-12 CVE-2021-24230 Patreon Cross-Site Request Forgery (CSRF) vulnerability in Patreon Wordpress

The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged in user overwrite or create arbitrary user metadata on the victim’s account once visited.

5.8
2021-04-12 CVE-2021-29379 Dlink OS Command Injection vulnerability in Dlink Dir-802 Firmware

** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered on D-Link DIR-802 A1 devices through 1.00b05.

5.8
2021-04-12 CVE-2021-24198 TMS Outsource Improper Access Control vulnerability in Tms-Outsource Wpdatatables

The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control.

5.5
2021-04-12 CVE-2021-24197 TMS Outsource Improper Access Control vulnerability in Tms-Outsource Wpdatatables

The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control.

5.5
2021-04-13 CVE-2021-0433 Google Improper Privilege Management vulnerability in Google Android

In onCreate of DeviceChooserActivity.java, there is a possible way to bypass user consent when pairing a Bluetooth device due to a tapjacking/overlay attack.

5.4
2021-04-15 CVE-2021-21405 Filecoin Improper Verification of Cryptographic Signature vulnerability in Filecoin Lotus

Lotus is an Implementation of the Filecoin protocol written in Go.

5.0
2021-04-15 CVE-2021-30479

An issue was discovered in Zulip Server before 3.4.

5.0
2021-04-14 CVE-2021-28484 Yubico, Fedoraproject Infinite Loop vulnerability in multiple products

An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 (in YubiHSM SDK before 2021.04).

5.0
2021-04-14 CVE-2021-28060 Group Office Server-Side Request Forgery (SSRF) vulnerability in Group-Office Group Office 6.4.196

A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php.

5.0
2021-04-14 CVE-2020-36120 Libsixel Project Classic Buffer Overflow vulnerability in Libsixel Project Libsixel 1.8.6

Buffer Overflow in the "sixel_encoder_encode_bytes" function of Libsixel v1.8.6 allows attackers to cause a Denial of Service (DoS).

5.0
2021-04-13 CVE-2021-28324 Microsoft Information Exposure vulnerability in Microsoft Windows 10 and Windows Server 2016

Windows SMB Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-28325.

5.0
2021-04-13 CVE-2021-28319 Microsoft Unspecified vulnerability in Microsoft products

Windows TCP/IP Driver Denial of Service Vulnerability This CVE ID is unique from CVE-2021-28439.

5.0
2021-04-13 CVE-2021-23372 Mongo Express Project Improper Check for Unusual OR Exceptional Conditions vulnerability in Mongo-Express Project Mongo-Express

All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash.

5.0
2021-04-13 CVE-2021-21399 Ampache Improper Access Control vulnerability in Ampache

Ampache is a web based audio/video streaming application and file manager.

5.0
2021-04-13 CVE-2021-0435 Google Improper Initialization vulnerability in Google Android

In avrc_proc_vendor_command of avrc_api.cc, there is a possible leak of heap data due to uninitialized data.

5.0
2021-04-13 CVE-2021-0431 Google Out-Of-Bounds Read vulnerability in Google Android

In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds read due to a missing bounds check.

5.0
2021-04-13 CVE-2021-29997 Windriver Out-Of-Bounds Read vulnerability in Windriver Vxworks 7.0

An issue was discovered in Wind River VxWorks 7 before 21.03.

5.0
2021-04-13 CVE-2021-29425 Apache Path Traversal vulnerability in Apache Commons IO

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo" or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

5.0
2021-04-12 CVE-2020-4965 IBM Inadequate Encryption Strength vulnerability in IBM products

IBM Jazz Team Server products use weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

5.0
2021-04-12 CVE-2021-24227 Patreon Information Exposure vulnerability in Patreon Wordpress

The Jetpack Scan team identified a Local File Disclosure vulnerability in the Patreon WordPress plugin before 1.7.0 that could be abused by anyone visiting the site.

5.0
2021-04-12 CVE-2021-24226 Accessally Information Exposure vulnerability in Accessally

In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the [accessally_order_form] shortcode is dumping serialize($_SERVER), which contains all environment variables.

5.0
2021-04-12 CVE-2021-23368 Postcss Unspecified vulnerability in Postcss

The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

5.0
2021-04-12 CVE-2021-23371 Chrono Node Project Unspecified vulnerability in Chrono-Node Project Chrono-Node

This affects the package chrono-node before 2.2.4.

5.0
2021-04-12 CVE-2020-24285 Intelbras Unspecified vulnerability in Intelbras products

INTELBRAS TELEFONE IP TIP200 version 60.61.75.22 allows an attacker to obtain sensitive information through /cgi-bin/cgiServer.exx.

5.0
2021-04-14 CVE-2020-36322 Linux Incomplete Cleanup vulnerability in Linux Kernel

An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf.

4.9
2021-04-13 CVE-2021-3463 Lenovo Null Pointer Dereference vulnerability in Lenovo Power Management Driver

A null pointer dereference vulnerability in Lenovo Power Management Driver for Windows 10, prior to version 1.67.17.54, could cause systems to experience a blue screen error.

4.9
2021-04-12 CVE-2021-21392 Matrix Open Redirect vulnerability in Matrix Synapse

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse).

4.9
2021-04-13 CVE-2021-3462 Lenovo Improper Privilege Management vulnerability in Lenovo Power Management Driver

A privilege escalation vulnerability in Lenovo Power Management Driver for Windows 10, prior to version 1.67.17.54, could allow unauthorized access to the driver's device object.

4.6
2021-04-13 CVE-2021-28436 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Speech Runtime Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-28347, CVE-2021-28351.

4.6
2021-04-13 CVE-2021-28350 Microsoft Unspecified vulnerability in Microsoft products

Windows GDI+ Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-28348, CVE-2021-28349.

4.6
2021-04-13 CVE-2021-28349 Microsoft Unspecified vulnerability in Microsoft products

Windows GDI+ Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-28348, CVE-2021-28350.

4.6
2021-04-13 CVE-2021-28348 Microsoft Unspecified vulnerability in Microsoft products

Windows GDI+ Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-28349, CVE-2021-28350.

4.6
2021-04-13 CVE-2021-28347 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Speech Runtime Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-28351, CVE-2021-28436.

4.6
2021-04-13 CVE-2021-28322 Microsoft Improper Privilege Management vulnerability in Microsoft products

Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-28313, CVE-2021-28321.

4.6
2021-04-13 CVE-2021-28321 Microsoft Improper Privilege Management vulnerability in Microsoft products

Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-28313, CVE-2021-28322.

4.6
2021-04-13 CVE-2021-28320 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability

4.6
2021-04-13 CVE-2021-28315 Microsoft Unspecified vulnerability in Microsoft products

Windows Media Video Decoder Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-27095.

4.6
2021-04-13 CVE-2021-28314 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Hyper-V Elevation of Privilege Vulnerability

4.6
2021-04-13 CVE-2021-28313 Microsoft Improper Privilege Management vulnerability in Microsoft products

Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-28321, CVE-2021-28322.

4.6
2021-04-13 CVE-2021-28310 Microsoft Improper Privilege Management vulnerability in Microsoft products

Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-27072.

4.6
2021-04-13 CVE-2021-27096 Microsoft Improper Privilege Management vulnerability in Microsoft products

NTFS Elevation of Privilege Vulnerability

4.6
2021-04-13 CVE-2021-27091 Microsoft Improper Privilege Management vulnerability in Microsoft Windows 7, Windows Server 2008 and Windows Server 2012

RPC Endpoint Mapper Service Elevation of Privilege Vulnerability

4.6
2021-04-13 CVE-2021-27090 Microsoft Improper Privilege Management vulnerability in Microsoft Windows 10 and Windows Server 2016

Windows Secure Kernel Mode Elevation of Privilege Vulnerability

4.6
2021-04-13 CVE-2021-27088 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Event Tracing Elevation of Privilege Vulnerability

4.6
2021-04-13 CVE-2021-27086 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Services and Controller App Elevation of Privilege Vulnerability

4.6
2021-04-13 CVE-2021-27072 Microsoft Improper Privilege Management vulnerability in Microsoft products

Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-28310.

4.6
2021-04-13 CVE-2021-27064 Microsoft Improper Privilege Management vulnerability in Microsoft Visual Studio 2017

Visual Studio Installer Elevation of Privilege Vulnerability

4.6
2021-04-13 CVE-2021-26415 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Installer Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-28440.

4.6
2021-04-13 CVE-2021-22716 Schneider Electric Improper Privilege Management vulnerability in Schneider-Electric C-Bus Toolkit

A CWE-269: Improper Privilege Management vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when an unprivileged user modifies a file.

4.6
2021-04-13 CVE-2021-0445 Google Improper Privilege Management vulnerability in Google Android 11.0/9.0

In start of WelcomeActivity.java, there is a possible residual profile due to a confused deputy.

4.6
2021-04-13 CVE-2021-0442 Google Use After Free vulnerability in Google Android 11.0

In updateInfo of android_hardware_input_InputApplicationHandle.cpp, there is a possible control of code flow due to a use after free.

4.6
2021-04-13 CVE-2021-0439 Google Out-Of-Bounds Write vulnerability in Google Android 11.0

In setPowerModeWithHandle of com_android_server_power_PowerManagerService.cpp, there is a possible out of bounds write due to a missing bounds check.

4.6
2021-04-13 CVE-2021-0437 Google Double Free vulnerability in Google Android

In setPlayPolicy of DrmPlugin.cpp, there is a possible double free.

4.6
2021-04-13 CVE-2021-0429 Google Use After Free vulnerability in Google Android

In pollOnce of ALooper.cpp, there is possible memory corruption due to a use after free.

4.6
2021-04-13 CVE-2021-0427 Google Out-Of-Bounds Write vulnerability in Google Android 11.0

In parseExclusiveStateAnnotation of LogEvent.cpp, there is a possible out of bounds write due to a heap buffer overflow.

4.6
2021-04-13 CVE-2021-0426 Google Out-Of-Bounds Write vulnerability in Google Android 11.0

In parsePrimaryFieldFirstUidAnnotation of LogEvent.cpp, there is a possible out of bounds write due to a heap buffer overflow.

4.6
2021-04-16 CVE-2020-9681 Adobe Uncontrolled Search Path Element vulnerability in Adobe Genuine Service

Adobe Genuine Service version 6.6 (and earlier) is affected by an Uncontrolled Search Path element vulnerability.

4.4
2021-04-13 CVE-2021-0468 Google Improper Privilege Management vulnerability in Google Android

In LK, there is a possible escalation of privilege due to an insecure default value.

4.4
2021-04-13 CVE-2021-0446 Google Improper Privilege Management vulnerability in Google Android 11.0

In ImportVCardActivity, there is a possible way to bypass user consent due to a tapjacking/overlay attack.

4.4
2021-04-13 CVE-2021-0438 Google Improper Privilege Management vulnerability in Google Android 10.0/8.1/9.0

In several functions of InputDispatcher.cpp, WindowManagerService.java, and related files, there is a possible tapjacking attack due to an incorrect FLAG_OBSCURED value.

4.4
2021-04-13 CVE-2021-0432 Google Race Condition vulnerability in Google Android 11.0

In ClearPullerCacheIfNecessary and ForceClearPullerCache of StatsPullerManager.cpp, there is a possible use-after-free due to a race condition.

4.4
2021-04-13 CVE-2021-28647 Trendmicro Uncontrolled Search Path Element vulnerability in Trendmicro Password Manager 5.0/5.0.0.1076/5.0.0.1081

Trend Micro Password Manager version 5 (Consumer) is vulnerable to a DLL Hijacking vulnerability which could allow an attacker to inject a malicious DLL file during the installation process and could execute a malicious program each time a user installs a program.

4.4
2021-04-16 CVE-2021-29445 Jose Project Information Exposure Through Discrepancy vulnerability in Jose Project Jose

jose-node-esm-runtime is an npm package which provides a number of cryptographic functions.

4.3
2021-04-16 CVE-2021-29444 Jose Project Information Exposure Through Discrepancy vulnerability in Jose Project Jose

jose-browser-runtime is an npm package which provides a number of cryptographic functions.

4.3
2021-04-16 CVE-2021-31348 Ezxml Project XML Injection (Aka Blind Xpath Injection) vulnerability in Ezxml Project Ezxml 0.8.6

An issue was discovered in libezxml.a in ezXML 0.8.6.

4.3
2021-04-16 CVE-2021-31347 Ezxml Project XML Injection (Aka Blind Xpath Injection) vulnerability in Ezxml Project Ezxml 0.8.6

An issue was discovered in libezxml.a in ezXML 0.8.6.

4.3
2021-04-16 CVE-2021-29443 Jose Project Information Exposure Through Discrepancy vulnerability in Jose Project Jose

jose is an npm library providing a number of cryptographic operations.

4.3
2021-04-16 CVE-2018-19942 Qnap Cross-Site Scripting vulnerability in Qnap QTS and Quts Hero

A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station.

4.3
2021-04-15 CVE-2021-28055 Centreon Cross-Site Request Forgery (CSRF) vulnerability in Centreon 20.10.0

An issue was discovered in Centreon-Web in Centreon Platform 20.10.0.

4.3
2021-04-15 CVE-2021-31229 Ezxml Project Out-Of-Bounds Write vulnerability in Ezxml Project Ezxml 0.8.6

An issue was discovered in libezxml.a in ezXML 0.8.6.

4.3
2021-04-14 CVE-2021-28855

In Deark before 1.5.8, a specially crafted input file can cause a NULL pointer dereference in the dbuf_write function (src/deark-dbuf.c).

4.3
2021-04-14 CVE-2020-35419 Group Office Cross-Site Scripting vulnerability in Group-Office Group Office 6.4.196

Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter.

4.3
2021-04-14 CVE-2021-29338 Uclouvain Integer Overflow or Wraparound vulnerability in Uclouvain Openjpeg 2.4.0

Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of Service (DoS).

4.3
2021-04-14 CVE-2021-27815 Libexif Project, Fedoraproject Null Pointer Dereference vulnerability in multiple products

NULL Pointer Dereference in the exif command line tool, when printing out XML formatted EXIF data, in exif v0.6.22 and earlier allows attackers to cause a Denial of Service (DoS) by uploading a malicious JPEG file, causing the application to crash.

4.3
2021-04-14 CVE-2021-26832 Priority Software Cross-Site Scripting vulnerability in Priority-Software Priority Enterprise Management System 8.00

Cross Site Scripting (XSS) in the "Reset Password" page form of Priority Enterprise Management System v8.00 allows attackers to execute javascript on behalf of the victim by sending a malicious URL or directing the victim to a malicious site.

4.3
2021-04-14 CVE-2021-26805 Tsmuxer Project Classic Buffer Overflow vulnerability in Tsmuxer Project Tsmuxer 2.6.16

Buffer Overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a malicious WAV file.

4.3
2021-04-14 CVE-2020-21087 X2Engine Cross-Site Scripting vulnerability in X2Engine X2Crm

Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the "New Name" field of the "Rename a Module" tool.

4.3
2021-04-13 CVE-2021-29370 Cheetah Browser Project Cross-Site Scripting vulnerability in Cheetah Browser Project Cheetah Browser 1.2.0

A UXSS was discovered in the Thanos-Soft Cheetah Browser in Android 1.2.0 due to the inadequate filter of the intent scheme.

4.3
2021-04-13 CVE-2021-29438 Nextcloud Dialogs Project Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Nextcloud/Dialogs Project Nextcloud/Dialogs

The Nextcloud dialogs library (npm package @nextcloud/dialogs) before 3.1.2 insufficiently escaped text input passed to a toast.

4.3
2021-04-13 CVE-2021-29435 Trestle Auth Project Cross-Site Request Forgery (CSRF) vulnerability in Trestle-Auth Project Trestle-Auth 0.4.0/0.4.1

trestle-auth is an authentication plugin for the Trestle admin framework.

4.3
2021-04-13 CVE-2021-28312 Microsoft Unspecified vulnerability in Microsoft products

Windows NTFS Denial of Service Vulnerability

4.3
2021-04-13 CVE-2021-28311 Microsoft Unspecified vulnerability in Microsoft products

Windows Application Compatibility Cache Denial of Service Vulnerability

4.3
2021-04-13 CVE-2021-29262 Apache Insufficiently Protected Credentials vulnerability in Apache Solr

When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable.

4.3
2021-04-12 CVE-2021-21393 Matrix Improper Input Validation vulnerability in Matrix Synapse

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse).

4.3
2021-04-12 CVE-2021-3163 Slab Cross-Site Scripting vulnerability in Slab Quill 4.8.0

A vulnerability in the HTML editor of Slab Quill 4.8.0 allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field.

4.3
2021-04-12 CVE-2021-23270 Gargoyle Router Excessive Iteration vulnerability in Gargoyle-Router Gargoyle 1.12.0

In Gargoyle OS 1.12.0, when IPv6 is used, a routing loop can occur that generates excessive network traffic between an affected device and its upstream ISP's router.

4.3
2021-04-12 CVE-2021-20519 IBM Cross-Site Scripting vulnerability in IBM products

IBM Jazz Team Server products are vulnerable to cross-site scripting.

4.3
2021-04-12 CVE-2020-4920 IBM Cross-Site Scripting vulnerability in IBM products

IBM Jazz Team Server products are vulnerable to stored cross-site scripting.

4.3
2021-04-12 CVE-2021-25926 Sickrage Cross-Site Scripting vulnerability in Sickrage 10.0.11/9.3.54

In SiCKRAGE, versions 9.3.54.dev1 to 10.0.11.dev1 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly in the `quicksearch` feature.

4.3
2021-04-12 CVE-2021-24231 Patreon Cross-Site Request Forgery (CSRF) vulnerability in Patreon Wordpress

The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged administrator disconnect the site from Patreon by visiting a specially crafted link.

4.3
2021-04-12 CVE-2021-24213

The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.0 was affected by a reflected Cross-Site Scripting vulnerability inside of the administration panel, via the 's' GET parameter on the Donors page.

4.3
2021-04-16 CVE-2021-26074 Atlassian Incorrect Authorization vulnerability in Atlassian Connect Spring Boot

Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps.

4.0
2021-04-16 CVE-2021-26073 Atlassian Incorrect Authorization vulnerability in Atlassian Connect Express

Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps.

4.0
2021-04-15 CVE-2021-29450 Wordpress, Debian Information Exposure vulnerability in multiple products

Wordpress is an open source CMS.

4.0
2021-04-15 CVE-2021-29447 Wordpress, Debian XXE vulnerability in multiple products

Wordpress is an open source CMS.

4.0
2021-04-15 CVE-2021-29433 Matrix Resource Exhaustion vulnerability in Matrix Sydent

Sydent is a reference Matrix identity server.

4.0
2021-04-15 CVE-2021-30209 Textpattern Unrestricted Upload of File With Dangerous Type vulnerability in Textpattern 4.8.4

Textpattern V4.8.4 contains an arbitrary file upload vulnerability where a plug-in can be loaded in the background without any security verification, which may lead to obtaining system permissions.

4.0
2021-04-15 CVE-2021-30487

In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation.

4.0
2021-04-15 CVE-2021-30478

An issue was discovered in Zulip Server before 3.4.

4.0
2021-04-15 CVE-2021-30477

An issue was discovered in Zulip Server before 3.4.

4.0
2021-04-13 CVE-2021-3473 Lenovo Cleartext Storage of Sensitive Information vulnerability in Lenovo Xclarity Controller

An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore.

4.0
2021-04-13 CVE-2021-28450 Microsoft Unspecified vulnerability in Microsoft Sharepoint Foundation and Sharepoint Server

Microsoft SharePoint Denial of Service Update

4.0
2021-04-13 CVE-2021-28328 Microsoft Unspecified vulnerability in Microsoft products

Windows DNS Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-28323.

4.0
2021-04-13 CVE-2021-28325 Microsoft Information Exposure vulnerability in Microsoft products

Windows SMB Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-28324.

4.0
2021-04-13 CVE-2021-28323 Microsoft Information Exposure vulnerability in Microsoft products

Windows DNS Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-28328.

4.0
2021-04-13 CVE-2021-27067 Microsoft Information Exposure vulnerability in Microsoft Azure Devops Server and Team Foundation Server

Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability

4.0
2021-04-13 CVE-2021-27605 SAP Missing Authorization vulnerability in SAP Fiori Apps 2.0 for Travel Management in SAP ERP

SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform a proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges.

4.0
2021-04-13 CVE-2021-27603 SAP Unspecified vulnerability in SAP Netweaver AS Abap 731/740/750

An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows a work process to be kept busy for any length of time.

4.0
2021-04-13 CVE-2021-28938 Siren Unspecified vulnerability in Siren Federate

Siren Federate before 6.8.14-10.3.9, 6.9.x through 7.6.x before 7.6.2-20.2, 7.7.x through 7.9.x before 7.9.3-21.6, 7.10.x before 7.10.2-22.2, and 7.11.x before 7.11.2-23.0 can leak user information across thread contexts.

4.0
2021-04-12 CVE-2021-21394 Matrix Improper Input Validation vulnerability in Matrix Synapse

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse).

4.0
2021-04-12 CVE-2020-4964 IBM Unspecified vulnerability in IBM products

IBM Jazz Team Server products contain an undisclosed vulnerability that could allow an authenticated user to present a customized message on the application which could be used to phish other users.

4.0
2021-04-12 CVE-2021-24024 Fortinet Information Exposure Through LOG Files vulnerability in Fortinet Fortiadc

A clear text storage of sensitive information into log file vulnerability in FortiADCManager 5.3.0 and below, 5.2.1 and below and FortiADC 5.3.7 and below may allow a remote authenticated attacker to read other local users' passwords in log files.

4.0
2021-04-12 CVE-2021-22190 Gitlab Path Traversal vulnerability in Gitlab

A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token.

4.0
2021-04-12 CVE-2020-15942 An information disclosure vulnerability in Web Vulnerability Scan profile of Fortinet's FortiWeb version 6.2.x below 6.2.4 and version 6.3.x below 6.3.5 may allow a remote authenticated attacker to read the password used by the FortiWeb scanner to access the device defined in the scan profile.
4.0
2021-04-12 CVE-2019-17656 Fortinet Out-Of-Bounds Write vulnerability in Fortinet Fortios and Fortiproxy

A Stack-based Buffer Overflow vulnerability in the HTTPD daemon of FortiOS 6.0.10 and below, 6.2.2 and below and FortiProxy 1.0.x, 1.1.x, 1.2.9 and below, 2.0.0 and below may allow an authenticated remote attacker to crash the service by sending a malformed PUT request to the server.

4.0
2021-04-12 CVE-2021-24200 TMS Outsource SQL Injection vulnerability in Tms-Outsource Wpdatatables

The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'length' HTTP POST parameter.

4.0
2021-04-12 CVE-2021-24199 TMS Outsource SQL Injection vulnerability in Tms-Outsource Wpdatatables

The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'start' HTTP POST parameter.

4.0

36 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-04-13 CVE-2021-28326 Microsoft Unspecified vulnerability in Microsoft products

Windows AppX Deployment Server Denial of Service Vulnerability

3.6
2021-04-15 CVE-2021-27673 Tribalsystems Cross-Site Scripting vulnerability in Tribalsystems Zenario 8.8.52729

Cross Site Scripting (XSS) in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS v8.8.52729 allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "cID" parameter when creating a new HTML component.

3.5
2021-04-15 CVE-2021-21087 Adobe Cross-Site Scripting vulnerability in Adobe Coldfusion 2016/2018/2021.0.0.323925

Adobe Coldfusion versions 2016 (update 16 and earlier), 2018 (update 10 and earlier) and 2021.0.0.323925 are affected by an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability.

3.5
2021-04-15 CVE-2021-27129 Casap Automated Enrollment System Project Cross-Site Scripting vulnerability in Casap Automated Enrollment System Project Casap Automated Enrollment System 1.0

CASAP Automated Enrollment System version 1.0 contains a cross-site scripting (XSS) vulnerability through the Students > Edit > ROUTE parameter.

3.5
2021-04-14 CVE-2020-35660 Cross Site Scripting (XSS) in Monica before 2.19.1 via the journal page.
3.5
2021-04-14 CVE-2020-28124 Lavalite Cross-Site Scripting vulnerability in Lavalite 5.8.0

Cross Site Scripting (XSS) in LavaLite 5.8.0 via the Address field.

3.5
2021-04-14 CVE-2020-35418 Group Office Cross-Site Scripting vulnerability in Group-Office Group Office 6.4.196

Cross Site Scripting (XSS) in the contact page of Group Office CRM 6.4.196 by uploading a crafted svg file.

3.5
2021-04-14 CVE-2021-27989 Appspace Cross-Site Scripting vulnerability in Appspace 6.2.4

Appspace 6.2.4 is vulnerable to stored cross-site scripting (XSS) in multiple parameters within /medianet/sgcontentset.aspx.

3.5
2021-04-13 CVE-2021-27600 SAP Cross-Site Scripting vulnerability in SAP Manufacturing Execution

SAP Manufacturing Execution (System Rules), versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in Stored Cross-Site Scripting (XSS) vulnerability.

3.5
2021-04-13 CVE-2021-30637 Htmly Cross-Site Scripting vulnerability in Htmly 2.8.0

htmly 2.8.0 allows stored XSS via the blog title, Tagline, or Description to config.html.php.

3.5
2021-04-13 CVE-2021-30044 Remoteclinic Cross-Site Scripting vulnerability in Remoteclinic 2.0

Cross Site Scripting (XSS) in Remote Clinic v2.0 via the First Name or Last Name field on staff/register.php.

3.5
2021-04-13 CVE-2021-30042 Remoteclinic Cross-Site Scripting vulnerability in Remoteclinic 2.0

Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Clinic Name", "Clinic Address", "Clinic City", or "Clinic Contact" field on clinics/register.php.

3.5
2021-04-13 CVE-2021-30039 Remoteclinic Cross-Site Scripting vulnerability in Remoteclinic 2.0

Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Fever" or "Blood Pressure" field on the patients/register-report.php.

3.5
2021-04-13 CVE-2021-30034 Remoteclinic Cross-Site Scripting vulnerability in Remoteclinic 2.0

Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Symptons field on patients/register-report.php.

3.5
2021-04-13 CVE-2021-30030 Remoteclinic Cross-Site Scripting vulnerability in Remoteclinic 2.0

Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Full Name field on register-patient.php.

3.5
2021-04-12 CVE-2021-25925 Sickrage Cross-Site Scripting vulnerability in Sickrage

In SiCKRAGE, versions 4.2.0 to 10.0.11.dev1 are vulnerable to Stored Cross-Site Scripting (XSS) due to user input not being validated properly when processed by the server.

3.5
2021-04-15 CVE-2021-21096 Adobe Improper Authorization vulnerability in Adobe Bridge

Adobe Bridge versions 10.1.1 (and earlier) and 11.0.1 (and earlier) are affected by an Improper Authorization vulnerability in the Genuine Software Service.

2.1
2021-04-14 CVE-2021-27260 Parallels Out-Of-Bounds Read vulnerability in Parallels Desktop 16.0.1

This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 16.0.1-48919.

2.1
2021-04-13 CVE-2021-28447 Microsoft Unspecified vulnerability in Microsoft products

Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-27094.

2.1
2021-04-13 CVE-2021-28437 Microsoft Unspecified vulnerability in Microsoft products

Windows Installer Information Disclosure Vulnerability

2.1
2021-04-13 CVE-2021-28435 Microsoft Unspecified vulnerability in Microsoft products

Windows Event Tracing Information Disclosure Vulnerability

2.1
2021-04-13 CVE-2021-28318 Microsoft Information Exposure vulnerability in Microsoft products

Windows GDI+ Information Disclosure Vulnerability

2.1
2021-04-13 CVE-2021-28317 Microsoft Information Exposure vulnerability in Microsoft products

Microsoft Windows Codecs Library Information Disclosure Vulnerability

2.1
2021-04-13 CVE-2021-28316 Microsoft Unspecified vulnerability in Microsoft products

Windows WLAN AutoConfig Service Security Feature Bypass Vulnerability

2.1
2021-04-13 CVE-2021-28309 Microsoft Information Exposure vulnerability in Microsoft products

Windows Kernel Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-27093.

2.1
2021-04-13 CVE-2021-27094 Microsoft Unspecified vulnerability in Microsoft products

Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-28447.

2.1
2021-04-13 CVE-2021-27093 Microsoft Information Exposure vulnerability in Microsoft products

Windows Kernel Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-28309.

2.1
2021-04-13 CVE-2021-26417 Microsoft Information Exposure vulnerability in Microsoft products

Windows Overlay Filter Information Disclosure Vulnerability

2.1
2021-04-13 CVE-2021-26413 Microsoft Unspecified vulnerability in Microsoft products

Windows Installer Spoofing Vulnerability

2.1
2021-04-13 CVE-2021-0471 Google Out-Of-Bounds Read vulnerability in Google Android

In decrypt_1_2 of CryptoPlugin.cpp, there is a possible out of bounds read due to an integer overflow.

2.1
2021-04-13 CVE-2021-0436 Google Integer Overflow OR Wraparound vulnerability in Google Android

In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out of bounds read due to integer overflow.

2.1
2021-04-13 CVE-2021-0428 Google Incorrect Default Permissions vulnerability in Google Android 10.0

In getSimSerialNumber of TelephonyManager.java, there is a possible way to read a trackable identifier due to a missing permission check.

2.1
2021-04-13 CVE-2021-0400 Google Unspecified vulnerability in Google Android 10.0/11.0/9.0

In injectBestLocation and handleUpdateLocation of GnssLocationProvider.java, there is a possible incorrect reporting of location data to emergency services due to improper input validation.

2.1
2021-04-13 CVE-2021-28646 Trendmicro Incorrect Permission Assignment for Critical Resource vulnerability in Trendmicro Apex ONE and Officescan

An insecure file permissions vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to take control of a specific log file on affected installations.

2.1
2021-04-13 CVE-2021-0444 Google Unspecified vulnerability in Google Android

In onActivityResult of QuickContactActivity.java, there is an unnecessary return of an intent.

1.9
2021-04-13 CVE-2021-0443 Google Race Condition vulnerability in Google Android

In several functions of ScreenshotHelper.java and related files, there is a possible incorrectly saved screenshot due to a race condition.

1.9