Weekly Vulnerabilities Reports > April 12 to 18, 2021
Overview
349 new vulnerabilities were reported during this period, including 17 critical vulnerabilities and 146 high severity vulnerabilities. This weekly summary reports vulnerabilities in 381 products from 122 vendors including Microsoft, Google, Fedoraproject, SAP, and Debian. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Improper Privilege Management", and "Command Injection".
- 227 reported vulnerabilities are remotely exploitable.
- 2 reported vulnerabilities have a public exploit available.
- 91 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 198 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 108 reported vulnerabilities.
- Microsoft has the most reported critical vulnerabilities, with 3 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
17 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-04-15 | CVE-2021-27850 | Apache | Deserialization of Untrusted Data vulnerability in Apache Tapestry 5.4.0 A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry. | 10.0 |
2021-04-13 | CVE-2021-23277 | Eaton | Code Injection vulnerability in Eaton products Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. | 10.0 |
2021-04-13 | CVE-2021-0430 | Google | Out-of-bounds Write vulnerability in Google Android 10.0/11.0 In rw_mfc_handle_read_op of rw_mfc.cc, there is a possible out of bounds write due to a missing bounds check. | 10.0 |
2021-04-13 | CVE-2020-27227 | Openclinic GA Project | OS Command Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3 An exploitable unauthenticated command injection exists in OpenClinic GA 5.173.3. | 10.0 |
2021-04-17 | CVE-2020-2509 | Qnap | Command Injection vulnerability in Qnap QTS A command injection vulnerability has been reported to affect QTS and QuTS hero. | 9.8 |
2021-04-16 | CVE-2021-27692 | Tendacn | OS Command Injection vulnerability in Tendacn G1 Firmware and G3 Firmware Command Injection in Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted "action/umountUSBPartition" request. | 9.8 |
2021-04-16 | CVE-2021-27691 | Tendacn | OS Command Injection vulnerability in Tendacn G0 Firmware, G1 Firmware and G3 Firmware Command Injection in Tenda G0 routers with firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN, and Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted action/setDebugCfg request. | 9.8 |
2021-04-14 | CVE-2020-19778 | Shopxo | Unspecified vulnerability in Shopxo 1.4.0/1.5.0 Incorrect Access Control in Shopxo v1.4.0 and v1.5.0 allows remote attackers to gain privileges in "/index.php" by manipulating the parameter "user_id" in the HTML request. | 9.8 |
2021-04-14 | CVE-2021-31162 | Rust Lang Fedoraproject | Double Free vulnerability in multiple products In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the element panics. | 9.8 |
2021-04-13 | CVE-2021-28481 | Microsoft | Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 9.8 |
2021-04-13 | CVE-2021-28480 | Microsoft | Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 9.8 |
2021-04-13 | CVE-2021-29998 | Windriver Siemens | Out-of-bounds Write vulnerability in multiple products An issue was discovered in Wind River VxWorks before 6.5. | 9.8 |
2021-04-13 | CVE-2021-22505 | Microfocus | Unspecified vulnerability in Microfocus Operations Agent Escalation of privileges vulnerability in Micro Focus Operations Agent, affects versions 12.0x, 12.10, 12.11, 12.12, 12.14 and 12.15. | 9.8 |
2021-04-13 | CVE-2021-27905 | Apache | Server-Side Request Forgery (SSRF) vulnerability in Apache Solr The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. | 9.8 |
2021-04-12 | CVE-2021-24215 | Wpruby | Forced Browsing vulnerability in Wpruby Controlled Admin Access An Improper Access Control vulnerability was discovered in the Controlled Admin Access WordPress plugin before 1.5.2. | 9.8 |
2021-04-12 | CVE-2020-28872 | Monitorr | Incorrect Authorization vulnerability in Monitorr 1.7.6M An authorization bypass vulnerability in Monitorr v1.7.6m in Monitorr/assets/config/_installation/_register.php allows an unauthorized person to create valid credentials. | 9.8 |
2021-04-13 | CVE-2021-28483 | Microsoft | Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 9.0 |
146 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-04-15 | CVE-2021-30245 | Apache | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Apache Openoffice The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. | 8.8 |
2021-04-14 | CVE-2021-27249 | Dlink | OS Command Injection vulnerability in Dlink Dap-2020 Firmware 1.01 This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-2020 v1.01rc001 Wi-Fi access points. | 8.8 |
2021-04-14 | CVE-2021-27248 | Dlink | Stack-based Buffer Overflow vulnerability in Dlink Dap-2020 Firmware 1.01 This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-2020 v1.01rc001 Wi-Fi access points. | 8.8 |
2021-04-14 | CVE-2021-31152 | Multilaser | Cross-Site Request Forgery (CSRF) vulnerability in Multilaser Ac1200 Re018 Firmware V02.03.01.45Pt Multilaser Router AC1200 V02.03.01.45_pt contains a cross-site request forgery (CSRF) vulnerability. | 8.8 |
2021-04-14 | CVE-2021-22879 | Nextcloud Fedoraproject | Injection vulnerability in multiple products Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. | 8.8 |
2021-04-13 | CVE-2021-28482 | Microsoft | Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28434 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28358 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28357 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28356 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28355 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28354 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28353 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28352 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28346 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28345 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28344 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28343 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28342 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28341 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28340 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28339 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28338 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28337 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28336 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28335 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28334 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28333 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28332 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28331 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28330 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28329 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-13 | CVE-2021-28327 | Microsoft | Unspecified vulnerability in Microsoft products Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 |
2021-04-12 | CVE-2021-24221 | Expresstech | SQL Injection vulnerability in Expresstech Quiz and Survey Master The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the result_id GET parameter on pages with the [qsm_result] shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. | 8.8 |
2021-04-12 | CVE-2021-29379 | Dlink | OS Command Injection vulnerability in Dlink Dir-802 Firmware 1.00B05 An issue was discovered on D-Link DIR-802 A1 devices through 1.00b05. | 8.8 |
2021-04-14 | CVE-2021-27253 | Netgear | Out-of-bounds Write vulnerability in Netgear products This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Nighthawk R7800. | 8.3 |
2021-04-14 | CVE-2021-27252 | Netgear | OS Command Injection vulnerability in Netgear products This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76. | 8.3 |
2021-04-14 | CVE-2021-27251 | Netgear | Cleartext Transmission of Sensitive Information vulnerability in Netgear products This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Nighthawk R7800. | 8.3 |
2021-04-14 | CVE-2020-36323 | Rust Lang Fedoraproject | Use of Externally-Controlled Format String vulnerability in multiple products In the standard library in Rust before 1.52.0, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked. | 8.2 |
2021-04-13 | CVE-2021-28460 | Microsoft | Unspecified vulnerability in Microsoft Azure Sphere Azure Sphere Unsigned Code Execution Vulnerability | 8.1 |
2021-04-13 | CVE-2021-28445 | Microsoft | Unspecified vulnerability in Microsoft products Windows Network File System Remote Code Execution Vulnerability | 8.1 |
2021-04-12 | CVE-2021-29302 | TP Link | Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr802N Firmware TP-Link TL-WR802N(US), Archer_C50v5_US v4_200 <= 2020.06 contains a buffer overflow vulnerability in the httpd process in the body message. | 8.1 |
2021-04-17 | CVE-2021-3493 | Canonical | Incorrect Authorization vulnerability in Canonical Ubuntu Linux The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. | 7.8 |
2021-04-16 | CVE-2020-9668 | Adobe | Unspecified vulnerability in Adobe Genuine Service Adobe Genuine Service version 6.6 (and earlier) is affected by an Improper Access control vulnerability when handling symbolic links. | 7.8 |
2021-04-16 | CVE-2021-22539 | Google | Exposure of Resource to Wrong Sphere vulnerability in Google Bazel An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. | 7.8 |
2021-04-15 | CVE-2021-28549 | Adobe | Classic Buffer Overflow vulnerability in Adobe Photoshop Adobe Photoshop versions 21.2.6 (and earlier) and 22.3 (and earlier) are affected by a Buffer Overflow vulnerability when parsing a specially crafted JSX file. | 7.8 |
2021-04-15 | CVE-2021-23887 | Mcafee | Unspecified vulnerability in Mcafee Data Loss Prevention Endpoint Privilege Escalation vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.100 allows a local, low privileged, attacker to write to arbitrary controlled kernel addresses. | 7.8 |
2021-04-14 | CVE-2021-28826 | Tibco | Incorrect Authorization vulnerability in Tibco Messaging - Eclipse Mosquitto Distribution - Bridge 1.3.0 The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. | 7.8 |
2021-04-14 | CVE-2021-28825 | Tibco | Incorrect Authorization vulnerability in Tibco Messaging - Eclipse Mosquitto Distribution - Core The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. | 7.8 |
2021-04-14 | CVE-2021-25314 | Suse | Creation of Temporary File With Insecure Permissions vulnerability in Suse Hawk2 2.6.3+Git.1614684118.Af555Ad9/2.6.3+Git.1614685906.812C31E9 A Creation of Temporary File With Insecure Permissions vulnerability in hawk2 of SUSE Linux Enterprise High Availability 12-SP3, SUSE Linux Enterprise High Availability 12-SP5, SUSE Linux Enterprise High Availability 15-SP2 allows local attackers to escalate to root. | 7.8 |
2021-04-13 | CVE-2021-3462 | Lenovo | Unspecified vulnerability in Lenovo Power Management Driver A privilege escalation vulnerability in Lenovo Power Management Driver for Windows 10, prior to version 1.67.17.54, that could allow unauthorized access to the driver's device object. | 7.8 |
2021-04-13 | CVE-2021-28475 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio Code Visual Studio Code Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28473 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio Code Visual Studio Code Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28472 | Microsoft | Unspecified vulnerability in Microsoft Vscode-Maven Visual Studio Code Maven for Java Extension Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28471 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio Code Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28470 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio Code Github Pull Requests and Issues Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28469 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio Code Visual Studio Code Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28468 | Microsoft | Type Confusion vulnerability in Microsoft RAW Image Extension Raw Image Extension Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28466 | Microsoft | Unspecified vulnerability in Microsoft RAW Image Extension Raw Image Extension Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28464 | Microsoft | Unspecified vulnerability in Microsoft VP9 Video Extensions VP9 Video Extensions Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28458 | Microsoft | Unspecified vulnerability in Microsoft Ms-Rest-Nodeauth Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28457 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio Code Visual Studio Code Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28454 | Microsoft | Use After Free vulnerability in Microsoft products Microsoft Excel Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28453 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Word Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28451 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Excel Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28449 | Microsoft | Unspecified vulnerability in Microsoft 365 Apps, Excel and Office Microsoft Office Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28448 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio Code Kubernetes Tools Visual Studio Code Kubernetes Tools Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28436 | Microsoft | Unspecified vulnerability in Microsoft products Windows Speech Runtime Elevation of Privilege Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28351 | Microsoft | Unspecified vulnerability in Microsoft products Windows Speech Runtime Elevation of Privilege Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28350 | Microsoft | Unspecified vulnerability in Microsoft products Windows GDI+ Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28349 | Microsoft | Unspecified vulnerability in Microsoft products Windows GDI+ Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28348 | Microsoft | Unspecified vulnerability in Microsoft products Windows GDI+ Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28347 | Microsoft | Unspecified vulnerability in Microsoft products Windows Speech Runtime Elevation of Privilege Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28322 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28321 | Microsoft | Link Following vulnerability in Microsoft products Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28320 | Microsoft | Unspecified vulnerability in Microsoft products Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28315 | Microsoft | Unspecified vulnerability in Microsoft products Windows Media Video Decoder Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28314 | Microsoft | Unspecified vulnerability in Microsoft products Windows Hyper-V Elevation of Privilege Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28313 | Microsoft | Improper Privilege Management vulnerability in Microsoft products Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability | 7.8 |
2021-04-13 | CVE-2021-28310 | Microsoft | Out-of-bounds Write vulnerability in Microsoft products Win32k Elevation of Privilege Vulnerability | 7.8 |
2021-04-13 | CVE-2021-27096 | Microsoft | Unspecified vulnerability in Microsoft products NTFS Elevation of Privilege Vulnerability | 7.8 |
2021-04-13 | CVE-2021-27095 | Microsoft | Unspecified vulnerability in Microsoft products Windows Media Video Decoder Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-27091 | Microsoft | Unspecified vulnerability in Microsoft Windows 7, Windows Server 2008 and Windows Server 2012 RPC Endpoint Mapper Service Elevation of Privilege Vulnerability | 7.8 |
2021-04-13 | CVE-2021-27090 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016 Windows Secure Kernel Mode Elevation of Privilege Vulnerability | 7.8 |
2021-04-13 | CVE-2021-27089 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Internet Messaging API Remote Code Execution Vulnerability | 7.8 |
2021-04-13 | CVE-2021-27088 | Microsoft | Unspecified vulnerability in Microsoft products Windows Event Tracing Elevation of Privilege Vulnerability | 7.8 |
2021-04-13 | CVE-2021-27086 | Microsoft | Incorrect Authorization vulnerability in Microsoft products Windows Services and Controller App Elevation of Privilege Vulnerability | 7.8 |
2021-04-13 | CVE-2021-27064 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio 2017 and Visual Studio 2019 Visual Studio Installer Elevation of Privilege Vulnerability | 7.8 |
2021-04-13 | CVE-2021-26415 | Microsoft | Improper Input Validation vulnerability in Microsoft products Windows Installer Elevation of Privilege Vulnerability | 7.8 |
2021-04-13 | CVE-2021-22716 | Schneider Electric | Incorrect Permission Assignment for Critical Resource vulnerability in Schneider-Electric C-Bus Toolkit A CWE-732: Incorrect Permission Assignment for Critical Resource vulnerability exists that could allow remote code execution when an unprivileged user modifies a file. | 7.8 |
2021-04-13 | CVE-2021-21784 | Accusoft | Out-of-bounds Write vulnerability in Accusoft Imagegear 19.8 An out-of-bounds write vulnerability exists in the JPG format SOF marker processing of Accusoft ImageGear 19.8. | 7.8 |
2021-04-16 | CVE-2021-26073 | Atlassian | Improper Authentication vulnerability in Atlassian Connect Express Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. | 7.7 |
2021-04-13 | CVE-2021-26416 | Microsoft | Unspecified vulnerability in Microsoft products Windows Hyper-V Denial of Service Vulnerability | 7.7 |
2021-04-18 | CVE-2021-23381 | Killing Project | Command Injection vulnerability in Killing Project Killing This affects all versions of package killing. | 7.5 |
2021-04-18 | CVE-2021-23380 | Roar Pidusage Project | Command Injection vulnerability in Roar-Pidusage Project Roar-Pidusage This affects all versions of package roar-pidusage. | 7.5 |
2021-04-18 | CVE-2021-23379 | Portkiller Project | Command Injection vulnerability in Portkiller Project Portkiller This affects all versions of package portkiller. | 7.5 |
2021-04-18 | CVE-2021-23378 | Picotts Project | Command Injection vulnerability in Picotts Project Picotts This affects all versions of package picotts. | 7.5 |
2021-04-18 | CVE-2021-23377 | Onion Oled JS Project | Command Injection vulnerability in Onion-Oled-Js Project Onion-Oled-Js This affects all versions of package onion-oled-js. | 7.5 |
2021-04-18 | CVE-2021-23376 | Ffmpegdotjs Project | Command Injection vulnerability in Ffmpegdotjs Project Ffmpegdotjs This affects all versions of package ffmpegdotjs. | 7.5 |
2021-04-18 | CVE-2021-23375 | Psnode Project | Command Injection vulnerability in Psnode Project Psnode This affects all versions of package psnode. | 7.5 |
2021-04-18 | CVE-2021-23374 | PS Visitor Project | Command Injection vulnerability in Ps-Visitor Project Ps-Visitor This affects all versions of package ps-visitor. | 7.5 |
2021-04-17 | CVE-2020-36195 | Qnap | SQL Injection vulnerability in Qnap QTS An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. | 7.5 |
2021-04-15 | CVE-2021-31402 | Flutterchina | Injection vulnerability in Flutterchina DIO 4.0.0 The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669. | 7.5 |
2021-04-15 | CVE-2021-27112 | Lightcms Project | Unspecified vulnerability in Lightcms Project Lightcms 1.3.5 LightCMS v1.3.5 contains a remote code execution vulnerability in /app/Http/Controllers/Admin/NEditorController.php during the downloading of external images. | 7.5 |
2021-04-15 | CVE-2020-28592 | Cosori | Out-of-bounds Write vulnerability in Cosori Cs158-Af Firmware 1.1.0 A heap-based buffer overflow vulnerability exists in the configuration server functionality of the Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0. | 7.5 |
2021-04-15 | CVE-2020-27239 | Openclinic GA Project | SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3 An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. | 7.5 |
2021-04-15 | CVE-2020-27238 | Openclinic GA Project | SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3 An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. | 7.5 |
2021-04-15 | CVE-2020-27237 | Openclinic GA Project | SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3 An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. | 7.5 |
2021-04-14 | CVE-2021-28484 | Yubico Fedoraproject | Infinite Loop vulnerability in multiple products An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 (in YubiHSM SDK before 2021.04). | 7.5 |
2021-04-14 | CVE-2021-27258 | Solarwinds | Unspecified vulnerability in Solarwinds Orion Platform 2020.2 This vulnerability allows remote attackers to escalate privileges on affected installations of SolarWinds Orion Platform 2020.2. | 7.5 |
2021-04-14 | CVE-2021-27130 | Online Reviewer System Project | SQL Injection vulnerability in Online Reviewer System Project Online Reviewer System 1.0 Online Reviewer System 1.0 contains a SQL injection vulnerability through authentication bypass, which may lead to a reverse shell upload. | 7.5 |
2021-04-13 | CVE-2019-10881 | Xerox | Use of Hard-coded Credentials vulnerability in Xerox products Xerox AltaLink B8045/B8055/B8065/B8075/B8090, AltaLink C8030/C8035/C8045/C8055/C8070 with software releases before 103.xxx.030.32000 includes two accounts with weak hard-coded passwords which can be exploited and allow unauthorized access which cannot be disabled. | 7.5 |
2021-04-13 | CVE-2021-28439 | Microsoft | Unspecified vulnerability in Microsoft products Windows TCP/IP Driver Denial of Service Vulnerability | 7.5 |
2021-04-13 | CVE-2021-28324 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016 Windows SMB Information Disclosure Vulnerability | 7.5 |
2021-04-13 | CVE-2021-28319 | Microsoft | Unspecified vulnerability in Microsoft products Windows TCP/IP Driver Denial of Service Vulnerability | 7.5 |
2021-04-13 | CVE-2021-21399 | Ampache | Improper Authentication vulnerability in Ampache Ampache is a web based audio/video streaming application and file manager. | 7.5 |
2021-04-13 | CVE-2021-29999 | Windriver | Out-of-bounds Write vulnerability in Windriver Vxworks An issue was discovered in Wind River VxWorks through 6.8. | 7.5 |
2021-04-13 | CVE-2020-27236 | Openclinic GA Project | SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3 An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the compnomenclature parameter. | 7.5 |
2021-04-13 | CVE-2020-27235 | Openclinic GA Project | SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3 An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the description parameter. | 7.5 |
2021-04-13 | CVE-2020-27234 | Openclinic GA Project | SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3 An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the serviceUID parameter. | 7.5 |
2021-04-13 | CVE-2020-27233 | Openclinic GA Project | SQL Injection vulnerability in Openclinic GA Project Openclinic GA 5.173.3 An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the supplierUID parameter. | 7.5 |
2021-04-13 | CVE-2021-30176 | Zerof | SQL Injection vulnerability in Zerof Expert 2.0 The ZEROF Expert pro/2.0 application for mobile devices allows SQL Injection via the Authorization header to the /v2/devices/add endpoint. | 7.5 |
2021-04-13 | CVE-2021-30175 | Zerof | SQL Injection vulnerability in Zerof web Server 1.0 ZEROF Web Server 1.0 (April 2021) allows SQL Injection via the /HandleEvent endpoint for the login page. | 7.5 |
2021-04-13 | CVE-2021-29262 | Apache | Insufficiently Protected Credentials vulnerability in Apache Solr When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. | 7.5 |
2021-04-13 | CVE-2021-29003 | Genexis | OS Command Injection vulnerability in Genexis Platinum 4410 Firmware P4410V21.28 Genexis PLATINUM 4410 2.1 P4410-V2-1.28 devices allow remote attackers to execute arbitrary code via shell metacharacters to sys_config_valid.xgi, as demonstrated by the sys_config_valid.xgi?exeshell=%60telnetd%20%26%60 URI. | 7.5 |
2021-04-13 | CVE-2021-30503 | Glsl Linting Project | Unspecified vulnerability in Glsl Linting Project Glsl Linting The unofficial GLSL Linting extension before 1.4.0 for Visual Studio Code allows remote code execution via a crafted glslangValidatorPath in the workspace configuration. | 7.5 |
2021-04-12 | CVE-2020-15390 | Pega | Improper Privilege Management vulnerability in Pega Platform 8.4.0.237 pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo. | 7.5 |
2021-04-12 | CVE-2021-24223 | | The N5 Upload Form WordPress plugin through 1.0 suffers from an arbitrary file upload issue on pages where a form from the plugin is embedded, as any file can be uploaded. | 7.5 |
2021-04-12 | CVE-2021-24222 | | The WP-Curriculo Vitae Free WordPress plugin through 6.3 suffers from an arbitrary file upload issue on pages where the [formCadastro] shortcode is embedded. | 7.5 |
2021-04-12 | CVE-2021-23370 | Swiperjs | Unspecified vulnerability in Swiperjs Swiper This affects the package swiper before 6.5.1. | 7.5 |
2021-04-12 | CVE-2021-23369 | Handlebarsjs | Unspecified vulnerability in Handlebarsjs Handlebars The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source. | 7.5 |
2021-04-17 | CVE-2021-3492 | Canonical | Memory Leak vulnerability in Canonical Ubuntu Linux Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not correctly handle faults occurring during copy_from_user(). | 7.2 |
2021-04-15 | CVE-2021-20288 | Linuxfoundation Redhat Fedoraproject Debian | Improper Authentication vulnerability in multiple products An authentication flaw was found in ceph in versions before 14.2.20. | 7.2 |
2021-04-14 | CVE-2021-29449 | PI Hole | OS Command Injection vulnerability in Pi-Hole Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. | 7.2 |
2021-04-13 | CVE-2021-29440 | Getgrav | Code Injection vulnerability in Getgrav Grav Grav is a file based Web-platform. | 7.2 |
2021-04-13 | CVE-2021-29439 | Getgrav | Incorrect Authorization vulnerability in Getgrav Grav Admin The Grav admin plugin prior to version 1.10.11 does not correctly verify caller's privileges. | 7.2 |
2021-04-13 | CVE-2021-28645 | Trendmicro | Incorrect Permission Assignment for Critical Resource vulnerability in Trendmicro Apex ONE and Officescan An incorrect permission assignment vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to escalate privileges on affected installations. | 7.2 |
2021-04-13 | CVE-2021-25253 | Trendmicro | Improper Privilege Management vulnerability in Trendmicro Apex ONE and Officescan An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a resource used by the service could allow a local attacker to escalate privileges on affected installations. | 7.2 |
2021-04-13 | CVE-2021-25250 | Trendmicro | Improper Privilege Management vulnerability in Trendmicro Apex ONE and Officescan An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a sensitive file could allow a local attacker to escalate privileges on affected installations. | 7.2 |
2021-04-12 | CVE-2021-22497 | Microfocus | Improper Authentication vulnerability in Microfocus Netiq Advanced Authentication Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to improper session management issue. | 7.2 |
2021-04-12 | CVE-2021-21545 | Dell | Uncontrolled Search Path Element vulnerability in Dell Peripheral Manager Dell Peripheral Manager 1.3.1 or greater contains remediation for a local privilege escalation vulnerability that could be potentially exploited to gain arbitrary code execution on the system with privileges of the system user. | 7.2 |
2021-04-13 | CVE-2021-28452 | Microsoft | Out-of-bounds Write vulnerability in Microsoft 365 Apps, Office and Outlook Microsoft Outlook Memory Corruption Vulnerability | 7.1 |
2021-04-13 | CVE-2021-28446 | Microsoft | Unspecified vulnerability in Microsoft products Windows Portmapping Information Disclosure Vulnerability | 7.1 |
2021-04-13 | CVE-2021-28477 | Microsoft | Unspecified vulnerability in Microsoft Visual Studio Code Visual Studio Code Remote Code Execution Vulnerability | 7.0 |
2021-04-13 | CVE-2021-28440 | Microsoft | Unspecified vulnerability in Microsoft products Windows Installer Elevation of Privilege Vulnerability | 7.0 |
2021-04-13 | CVE-2021-27072 | Microsoft | Unspecified vulnerability in Microsoft products Win32k Elevation of Privilege Vulnerability | 7.0 |
160 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-04-16 | CVE-2020-9667 | Adobe | Uncontrolled Search Path Element vulnerability in Adobe Genuine Service Adobe Genuine Service version 6.6 (and earlier) is affected by an Uncontrolled Search Path element vulnerability. | 6.9 |
2021-04-15 | CVE-2021-21100 | Adobe | Creation of Temporary File in Directory with Incorrect Permissions vulnerability in Adobe Digital Editions Adobe Digital Editions version 4.5.11.187245 (and earlier) is affected by a Privilege Escalation vulnerability during installation. | 6.8 |
2021-04-15 | CVE-2020-28593 | Cosori | Unspecified vulnerability in Cosori Cs158-Af Firmware 1.1.0 An unauthenticated backdoor exists in the configuration server functionality of Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0. | 6.8 |
2021-04-13 | CVE-2021-29437 | Scratchoauth2 Project | Unspecified vulnerability in Scratchoauth2 Project Scratchoauth2 ScratchOAuth2 is an OAuth implementation for Scratch. | 6.8 |
2021-04-13 | CVE-2021-27092 | Microsoft | Unspecified vulnerability in Microsoft products Azure AD Web Sign-in Security Feature Bypass Vulnerability | 6.8 |
2021-04-13 | CVE-2021-22718 | Schneider Electric | Path Traversal vulnerability in Schneider-Electric C-Bus Toolkit A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when restoring project files. | 6.8 |
2021-04-13 | CVE-2020-27228 | Openclinic GA Project | Incorrect Default Permissions vulnerability in Openclinic GA Project Openclinic GA 5.173.3 An incorrect default permissions vulnerability exists in the installation functionality of OpenClinic GA 5.173.3. | 6.8 |
2021-04-12 | CVE-2021-24229 | Patreon | Cross-site Scripting vulnerability in Patreon Wordpress The Jetpack Scan team identified a Reflected Cross-Site Scripting via the patreon_save_attachment_patreon_level AJAX action of the Patreon WordPress plugin before 1.7.2. | 6.8 |
2021-04-12 | CVE-2021-24228 | Patreon | Cross-site Scripting vulnerability in Patreon Wordpress The Jetpack Scan team identified a Reflected Cross-Site Scripting in the Login Form of the Patreon WordPress plugin before 1.7.2. | 6.8 |
2021-04-12 | CVE-2021-24218 | Facebook | Cross-Site Request Forgery (CSRF) vulnerability in Facebook The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. | 6.8 |
2021-04-16 | CVE-2021-29452 | Curveballjs | Incorrect Authorization vulnerability in Curveballjs A12N-Server 0.18.0/0.18.1 a12n-server is an npm package which aims to provide a simple authentication system. | 6.5 |
2021-04-16 | CVE-2020-9681 | Adobe | Uncontrolled Search Path Element vulnerability in Adobe Genuine Service Adobe Genuine Service version 6.6 (and earlier) is affected by an Uncontrolled Search Path element vulnerability. | 6.5 |
2021-04-15 | CVE-2021-29447 | Wordpress Debian | XXE vulnerability in multiple products Wordpress is an open source CMS. | 6.5 |
2021-04-15 | CVE-2021-28242 | B2Evolution | SQL Injection vulnerability in B2Evolution 7.2.2 SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cf_name" parameter when creating a new filter under the "Collections" tab. | 6.5 |
2021-04-15 | CVE-2021-27545 | Phpgurukul | SQL Injection vulnerability in PHPgurukul Beauty Parlour Management System 1.0 SQL Injection in the "add-services.php" component of PHPGurukul Beauty Parlour Management System v1.0 allows remote attackers to obtain sensitive database information by injecting SQL commands into the "sername" parameter. | 6.5 |
2021-04-15 | CVE-2020-7308 | Mcafee | Cleartext Transmission of Sensitive Information vulnerability in Mcafee Endpoint Security Cleartext Transmission of Sensitive Information between McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update and McAfee Global Threat Intelligence (GTI) servers using DNS allows a remote attacker to view the requests from ENS and responses from GTI over DNS. | 6.5 |
2021-04-14 | CVE-2021-27250 | Dlink | External Control of File Name or Path vulnerability in Dlink Dap-2020 Firmware 1.01 This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DAP-2020 v1.01rc001 Wi-Fi access points. | 6.5 |
2021-04-13 | CVE-2021-28442 | Microsoft | Unspecified vulnerability in Microsoft products Windows TCP/IP Information Disclosure Vulnerability | 6.5 |
2021-04-13 | CVE-2021-28441 | Microsoft | Unspecified vulnerability in Microsoft products Windows Hyper-V Information Disclosure Vulnerability | 6.5 |
2021-04-13 | CVE-2021-28328 | Microsoft | Unspecified vulnerability in Microsoft products Windows DNS Information Disclosure Vulnerability | 6.5 |
2021-04-13 | CVE-2021-28325 | Microsoft | Unspecified vulnerability in Microsoft products Windows SMB Information Disclosure Vulnerability | 6.5 |
2021-04-13 | CVE-2021-28323 | Microsoft | Improper Handling of Case Sensitivity vulnerability in Microsoft products Windows DNS Information Disclosure Vulnerability | 6.5 |
2021-04-13 | CVE-2021-28311 | Microsoft | Unspecified vulnerability in Microsoft products Windows Application Compatibility Cache Denial of Service Vulnerability | 6.5 |
2021-04-13 | CVE-2021-27067 | Microsoft | Unspecified vulnerability in Microsoft Azure Devops Server and Team Foundation Server Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability | 6.5 |
2021-04-13 | CVE-2021-27603 | SAP | Unspecified vulnerability in SAP Netweaver Application Server Abap 731/740/750 An RFC-enabled function module, SPI_WAIT_MILLIS, in SAP NetWeaver AS ABAP, versions 731, 740 and 750, allows an attacker to keep a work process busy for any length of time. | 6.5 |
2021-04-13 | CVE-2021-22720 | Schneider Electric | Path Traversal vulnerability in Schneider-Electric C-Bus Toolkit A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when restoring a project. | 6.5 |
2021-04-13 | CVE-2021-22719 | Schneider Electric | Path Traversal vulnerability in Schneider-Electric C-Bus Toolkit A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when a file is uploaded. | 6.5 |
2021-04-13 | CVE-2021-22717 | Schneider Electric | Path Traversal vulnerability in Schneider-Electric C-Bus Toolkit A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when processing config files. | 6.5 |
2021-04-13 | CVE-2020-13568 | Open EMR Phpgacl Project | SQL Injection vulnerability in multiple products SQL injection vulnerability exists in phpGACL 3.3.7. | 6.5 |
2021-04-13 | CVE-2020-13566 | Open EMR Phpgacl Project | SQL Injection vulnerability in multiple products SQL injection vulnerabilities exist in phpGACL 3.3.7. | 6.5 |
2021-04-12 | CVE-2021-21393 | Matrix Fedoraproject | Improper Input Validation vulnerability in multiple products Synapse is a Matrix reference homeserver written in Python (PyPI package matrix-synapse). | 6.5 |
2021-04-12 | CVE-2021-21394 | Matrix Fedoraproject | Improper Input Validation vulnerability in multiple products Synapse is a Matrix reference homeserver written in Python (PyPI package matrix-synapse). | 6.5 |
2021-04-12 | CVE-2020-7924 | Mongodb | Improper Certificate Validation vulnerability in Mongodb Database Tools and Mongomirror Usage of a specific command-line parameter in MongoDB Tools, which was originally intended only to skip hostname checks, may result in MongoDB skipping all certificate validation. | 6.5 |
2021-04-12 | CVE-2021-24224 | Easy Form Builder BY Bitware Project | Unrestricted Upload of File with Dangerous Type vulnerability in Easy-Form-Builder-By-Bitware Project Easy-Form-Builder-By-Bitware The EFBP_verify_upload_file AJAX action of the Easy Form Builder WordPress plugin through 1.0, available to authenticated users, does not have any security in place to verify uploaded files, allowing low privilege users to upload arbitrary files, leading to RCE. | 6.5 |
2021-04-16 | CVE-2021-26830 | Tribalsystems | SQL Injection vulnerability in Tribalsystems Zenario 8.8.52729 SQL Injection in Tribalsystems Zenario CMS 8.8.52729 allows remote attackers to access the database or delete the plugin. | 6.4 |
2021-04-13 | CVE-2021-29943 | Apache | Incorrect Authorization vulnerability in Apache Solr When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. | 6.4 |
2021-04-12 | CVE-2021-21392 | Matrix Fedoraproject | Open Redirect vulnerability in multiple products Synapse is a Matrix reference homeserver written in Python (PyPI package matrix-synapse). | 6.3 |
2021-04-13 | CVE-2021-26413 | Microsoft | Unspecified vulnerability in Microsoft products Windows Installer Spoofing Vulnerability | 6.2 |
2021-04-13 | CVE-2021-29370 | Cheetah Browser Project | Cross-site Scripting vulnerability in Cheetah Browser Project Cheetah Browser 1.2.0 A UXSS was discovered in the Thanos-Soft Cheetah Browser in Android 1.2.0 due to the inadequate filter of the intent scheme. | 6.1 |
2021-04-13 | CVE-2021-28459 | Microsoft | Cross-site Scripting vulnerability in Microsoft Azure Devops Server 2020.0.1 Azure DevOps Server Spoofing Vulnerability | 6.1 |
2021-04-12 | CVE-2021-3163 | Slab | Cross-site Scripting vulnerability in Slab Quill 4.8.0 A vulnerability in the HTML editor of Slab Quill 4.8.0 allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field. | 6.1 |
2021-04-12 | CVE-2021-25926 | Sickrage | Cross-site Scripting vulnerability in Sickrage In SiCKRAGE, versions 9.3.54.dev1 to 10.0.11.dev1 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly in the `quicksearch` feature. | 6.1 |
2021-04-12 | CVE-2021-24213 | Givewp | Cross-site Scripting vulnerability in Givewp The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.0 was affected by a reflected Cross-Site Scripting vulnerability inside of the administration panel, via the 's' GET parameter on the Donors page. | 6.1 |
2021-04-13 | CVE-2021-29427 | Gradle Quarkus | Inclusion of Functionality from Untrusted Control Sphere vulnerability in multiple products In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. | 6.0 |
2021-04-16 | CVE-2021-29446 | Jose Node CJS Runtime Project | Information Exposure Through Discrepancy vulnerability in Jose-Node-Cjs-Runtime Project Jose-Node-Cjs-Runtime jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. | 5.9 |
2021-04-16 | CVE-2021-29445 | Jose Node CJS Runtime Project | Information Exposure Through Discrepancy vulnerability in Jose-Node-Cjs-Runtime Project Jose-Node-Cjs-Runtime jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. | 5.9 |
2021-04-16 | CVE-2021-29444 | Jose Node CJS Runtime Project | Information Exposure Through Discrepancy vulnerability in Jose-Node-Cjs-Runtime Project Jose-Node-Cjs-Runtime jose-browser-runtime is an npm package which provides a number of cryptographic functions. | 5.9 |
2021-04-15 | CVE-2021-29448 | PI Hole | Cross-site Scripting vulnerability in Pi-Hole Ftldns, Pi-Hole and web Interface Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. | 5.8 |
2021-04-13 | CVE-2021-29436 | Anuko | Cross-Site Request Forgery (CSRF) vulnerability in Anuko Time Tracker Anuko Time Tracker is an open source, web-based time tracking application written in PHP. | 5.8 |
2021-04-13 | CVE-2021-21731 | ZTE | A CSRF vulnerability exists in the management page of a ZTE product. The vulnerability is caused because the management page does not fully verify whether the request comes from a trusted user. | 5.8 |
2021-04-12 | CVE-2021-24230 | Patreon | Cross-Site Request Forgery (CSRF) vulnerability in Patreon Wordpress The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged in user overwrite or create arbitrary user metadata on the victim’s account once visited. | 5.8 |
2021-04-13 | CVE-2021-28444 | Microsoft | Unspecified vulnerability in Microsoft products Windows Hyper-V Security Feature Bypass Vulnerability | 5.7 |
2021-04-13 | CVE-2021-27079 | Microsoft | Unspecified vulnerability in Microsoft products Windows Media Photo Codec Information Disclosure Vulnerability | 5.7 |
2021-04-15 | CVE-2021-21096 | Adobe | Unspecified vulnerability in Adobe Bridge Adobe Bridge versions 10.1.1 (and earlier) and 11.0.1 (and earlier) are affected by an Improper Authorization vulnerability in the Genuine Software Service. | 5.5 |
2021-04-15 | CVE-2021-23886 | Mcafee | Improper Handling of Exceptional Conditions vulnerability in Mcafee Data Loss Prevention Endpoint Denial of Service vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.100 allows a local, low-privileged attacker to cause a BSoD by suspending a process, modifying the process's memory and restarting it. | 5.5 |
2021-04-14 | CVE-2021-29338 | Uclouvain Fedoraproject Debian | Integer Overflow or Wraparound vulnerability in multiple products Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of Service (DoS). | 5.5 |
2021-04-14 | CVE-2021-27815 | Libexif Project Fedoraproject | NULL Pointer Dereference vulnerability in multiple products NULL Pointer Dereference in the exif command line tool, when printing out XML formatted EXIF data, in exif v0.6.22 and earlier allows attackers to cause a Denial of Service (DoS) by uploading a malicious JPEG file, causing the application to crash. | 5.5 |
2021-04-14 | CVE-2020-36322 | Linux Debian Starwindsoftware | Incomplete Cleanup vulnerability in multiple products An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf. | 5.5 |
2021-04-13 | CVE-2021-28456 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Excel Information Disclosure Vulnerability | 5.5 |
2021-04-13 | CVE-2021-28443 | Microsoft | Unspecified vulnerability in Microsoft products Windows Console Driver Denial of Service Vulnerability | 5.5 |
2021-04-13 | CVE-2021-28438 | Microsoft | Unspecified vulnerability in Microsoft products Windows Console Driver Denial of Service Vulnerability | 5.5 |
2021-04-13 | CVE-2021-28437 | Microsoft | Unspecified vulnerability in Microsoft products Windows Installer Information Disclosure Vulnerability | 5.5 |
2021-04-13 | CVE-2021-28435 | Microsoft | Unspecified vulnerability in Microsoft products Windows Event Tracing Information Disclosure Vulnerability | 5.5 |
2021-04-13 | CVE-2021-28326 | Microsoft | Unspecified vulnerability in Microsoft products Windows AppX Deployment Server Denial of Service Vulnerability | 5.5 |
2021-04-13 | CVE-2021-28318 | Microsoft | Unspecified vulnerability in Microsoft products Windows GDI+ Information Disclosure Vulnerability | 5.5 |
2021-04-13 | CVE-2021-28317 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Windows Codecs Library Information Disclosure Vulnerability | 5.5 |
2021-04-13 | CVE-2021-28309 | Microsoft | Unspecified vulnerability in Microsoft products Windows Kernel Information Disclosure Vulnerability | 5.5 |
2021-04-13 | CVE-2021-27093 | Microsoft | Unspecified vulnerability in Microsoft products Windows Kernel Information Disclosure Vulnerability | 5.5 |
2021-04-13 | CVE-2021-26417 | Microsoft | Unspecified vulnerability in Microsoft products Windows Overlay Filter Information Disclosure Vulnerability | 5.5 |
2021-04-12 | CVE-2021-24198 | TMS Outsource | Unspecified vulnerability in Tms-Outsource Wpdatatables The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. | 5.5 |
2021-04-12 | CVE-2021-24197 | TMS Outsource | Unspecified vulnerability in Tms-Outsource Wpdatatables The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. | 5.5 |
2021-04-15 | CVE-2021-21087 | Adobe | Cross-site Scripting vulnerability in Adobe Coldfusion 2016/2018/2021.0.0.323925 Adobe Coldfusion versions 2016 (update 16 and earlier), 2018 (update 10 and earlier) and 2021.0.0.323925 are affected by an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. | 5.4 |
2021-04-13 | CVE-2021-29438 | Nextcloud Dialogs Project | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Nextcloud/Dialogs Project Nextcloud/Dialogs The Nextcloud dialogs library (npm package @nextcloud/dialogs) before 3.1.2 insufficiently escaped text input passed to a toast. | 5.4 |
2021-04-13 | CVE-2021-0433 | Google | Improper Privilege Management vulnerability in Google Android In onCreate of DeviceChooserActivity.java, there is a possible way to bypass user consent when pairing a Bluetooth device due to a tapjacking/overlay attack. | 5.4 |
2021-04-13 | CVE-2021-27598 | SAP | Missing Authorization vulnerability in SAP Netweaver Application Server Java 7.31/7.40/7.50 SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. | 5.3 |
2021-04-12 | CVE-2021-23368 | Postcss | Unspecified vulnerability in Postcss The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing. | 5.3 |
2021-04-15 | CVE-2021-21405 | Filecoin | Improper Verification of Cryptographic Signature vulnerability in Filecoin Lotus Lotus is an implementation of the Filecoin protocol written in Go. | 5.0 |
2021-04-15 | CVE-2021-29430 | Matrix | Allocation of Resources Without Limits or Throttling vulnerability in Matrix Sydent Sydent is a reference Matrix identity server. | 5.0 |
2021-04-15 | CVE-2021-30479 | Zulip | Improper Privilege Management vulnerability in Zulip Server An issue was discovered in Zulip Server before 3.4. | 5.0 |
2021-04-14 | CVE-2021-28060 | Group Office | Server-Side Request Forgery (SSRF) vulnerability in Group-Office Group Office 6.4.196 A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php. | 5.0 |
2021-04-14 | CVE-2020-36120 | Libsixel Project | Classic Buffer Overflow vulnerability in Libsixel Project Libsixel 1.8.6 Buffer Overflow in the "sixel_encoder_encode_bytes" function of Libsixel v1.8.6 allows attackers to cause a Denial of Service (DoS). | 5.0 |
2021-04-13 | CVE-2021-28450 | Microsoft | Unspecified vulnerability in Microsoft Sharepoint Foundation and Sharepoint Server Microsoft SharePoint Denial of Service Vulnerability | 5.0 |
2021-04-13 | CVE-2021-23372 | Mongo Express Project | Improper Check for Unusual or Exceptional Conditions vulnerability in Mongo-Express Project Mongo-Express All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash. | 5.0 |
2021-04-13 | CVE-2021-0435 | Google | Improper Initialization vulnerability in Google Android In avrc_proc_vendor_command of avrc_api.cc, there is a possible leak of heap data due to uninitialized data. | 5.0 |
2021-04-13 | CVE-2021-0431 | Google | Out-of-bounds Read vulnerability in Google Android In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds read due to a missing bounds check. | 5.0 |
2021-04-13 | CVE-2021-29997 | Windriver | Out-of-bounds Read vulnerability in Windriver Vxworks 7.0 An issue was discovered in Wind River VxWorks 7 before 21.03. | 5.0 |
2021-04-13 | CVE-2021-21730 | ZTE | Unspecified vulnerability in ZTE Zxhn H168N Firmware 3.5.0Ty.T6 A ZTE product is impacted by improper access control vulnerability. | 5.0 |
2021-04-12 | CVE-2020-4965 | IBM | Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM products IBM Jazz Team Server products use weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.0 |
2021-04-12 | CVE-2021-24227 | Patreon | Information Exposure vulnerability in Patreon Wordpress The Jetpack Scan team identified a Local File Disclosure vulnerability in the Patreon WordPress plugin before 1.7.0 that could be abused by anyone visiting the site. | 5.0 |
2021-04-12 | CVE-2021-24226 | Accessally | Information Exposure vulnerability in Accessally In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the [accessally_order_form] shortcode is dumping serialize($_SERVER), which contains all environment variables. | 5.0 |
2021-04-12 | CVE-2021-24219 | Thrivethemes | Missing Authentication for Critical Function vulnerability in Thrivethemes products The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before 2.3.9.4, Thrive Quiz Builder WordPress plugin before 2.3.9.4, Thrive Apprentice WordPress plugin before 2.3.9.4, Thrive Visual Editor WordPress plugin before 2.6.7.4, Thrive Dashboard WordPress plugin before 2.3.9.3, Thrive Ovation WordPress plugin before 2.4.5, Thrive Clever Widgets WordPress plugin before 1.57.1 and Rise by Thrive Themes WordPress theme before 2.0.0, Ignition by Thrive Themes WordPress theme before 2.0.0, Luxe by Thrive Themes WordPress theme before 2.0.0, FocusBlog by Thrive Themes WordPress theme before 2.0.0, Minus by Thrive Themes WordPress theme before 2.0.0, Squared by Thrive Themes WordPress theme before 2.0.0, Voice WordPress theme before 2.0.0, Performag by Thrive Themes WordPress theme before 2.0.0, Pressive by Thrive Themes WordPress theme before 2.0.0, Storied by Thrive Themes WordPress theme before 2.0.0, Thrive Themes Builder WordPress theme before 2.2.4 register a REST API endpoint associated with Zapier functionality. | 5.0 |
2021-04-12 | CVE-2021-23371 | Chrono Node Project | Unspecified vulnerability in Chrono-Node Project Chrono-Node This affects the package chrono-node before 2.2.4. | 5.0 |
2021-04-12 | CVE-2020-24285 | Intelbras | Unspecified vulnerability in Intelbras Tip200 Firmware and Tip200Lite Firmware INTELBRAS TELEFONE IP TIP200 version 60.61.75.22 allows an attacker to obtain sensitive information through /cgi-bin/cgiServer.exx. | 5.0 |
2021-04-13 | CVE-2021-3463 | Lenovo | NULL Pointer Dereference vulnerability in Lenovo Power Management Driver A null pointer dereference vulnerability in Lenovo Power Management Driver for Windows 10, prior to version 1.67.17.54, could cause systems to experience a blue screen error. | 4.9 |
2021-04-15 | CVE-2021-27544 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Beauty Parlour Management System 1.0 Cross Site Scripting (XSS) in the "add-services.php" component of PHPGurukul Beauty Parlour Management System v1.0 allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "sername" parameter. | 4.8 |
2021-04-13 | CVE-2021-21482 | SAP | Information Exposure vulnerability in SAP Netweaver Master Data Management 7.10.750/710 SAP NetWeaver Master Data Management, versions - 710, 710.750, allows a malicious unauthorized user with access to the MDM Server subnet to find the password using a brute force method. | 4.8 |
2021-04-13 | CVE-2021-29425 | Apache Debian Oracle Netapp | Path Traversal vulnerability in multiple products In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo" or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code used the result to construct a path value. | 4.8 |
2021-04-13 | CVE-2021-0445 | Google | Unspecified vulnerability in Google Android 11.0/9.0 In start of WelcomeActivity.java, there is a possible residual profile due to a confused deputy. | 4.6 |
2021-04-13 | CVE-2021-0442 | Google | Use After Free vulnerability in Google Android 11.0 In updateInfo of android_hardware_input_InputApplicationHandle.cpp, there is a possible control of code flow due to a use after free. | 4.6 |
2021-04-13 | CVE-2021-0439 | Google | Out-of-bounds Write vulnerability in Google Android 11.0 In setPowerModeWithHandle of com_android_server_power_PowerManagerService.cpp, there is a possible out of bounds write due to a missing bounds check. | 4.6 |
2021-04-13 | CVE-2021-0437 | Google | Double Free vulnerability in Google Android In setPlayPolicy of DrmPlugin.cpp, there is a possible double free. | 4.6 |
2021-04-13 | CVE-2021-0429 | Google | Use After Free vulnerability in Google Android In pollOnce of ALooper.cpp, there is a possible memory corruption due to a use after free. | 4.6 |
2021-04-13 | CVE-2021-0427 | Google | Out-of-bounds Write vulnerability in Google Android 11.0 In parseExclusiveStateAnnotation of LogEvent.cpp, there is a possible out of bounds write due to a heap buffer overflow. | 4.6 |
2021-04-13 | CVE-2021-0426 | Google | Out-of-bounds Write vulnerability in Google Android 11.0 In parsePrimaryFieldFirstUidAnnotation of LogEvent.cpp, there is a possible out of bounds write due to a heap buffer overflow. | 4.6 |
2021-04-14 | CVE-2021-28098 | Forescout | Incorrect Default Permissions vulnerability in Forescout Counteract 8.0 An issue was discovered in Forescout CounterACT before 8.1.4. | 4.4 |
2021-04-13 | CVE-2021-29428 | Gradle Quarkus | Creation of Temporary File in Directory with Incorrect Permissions vulnerability in multiple products In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. | 4.4 |
2021-04-13 | CVE-2021-28447 | Microsoft | Unspecified vulnerability in Microsoft products Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability | 4.4 |
2021-04-13 | CVE-2021-27094 | Microsoft | Unspecified vulnerability in Microsoft products Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability | 4.4 |
2021-04-13 | CVE-2021-0468 | Google | Insecure Default Initialization of Resource vulnerability in Google Android In LK, there is a possible escalation of privilege due to an insecure default value. | 4.4 |
2021-04-13 | CVE-2021-0446 | Google | Improper Privilege Management vulnerability in Google Android 11.0 In ImportVCardActivity, there is a possible way to bypass user consent due to a tapjacking/overlay attack. | 4.4 |
2021-04-13 | CVE-2021-0438 | Google | Improper Privilege Management vulnerability in Google Android 10.0/8.1/9.0 In several functions of InputDispatcher.cpp, WindowManagerService.java, and related files, there is a possible tapjacking attack due to an incorrect FLAG_OBSCURED value. | 4.4 |
2021-04-13 | CVE-2021-0432 | Google | Race Condition vulnerability in Google Android 11.0 In ClearPullerCacheIfNecessary and ForceClearPullerCache of StatsPullerManager.cpp, there is a possible use-after-free due to a race condition. | 4.4 |
2021-04-13 | CVE-2021-28647 | Trendmicro | Uncontrolled Search Path Element vulnerability in Trendmicro Password Manager 5.0/5.0.0.1076/5.0.0.1081 Trend Micro Password Manager version 5 (Consumer) is vulnerable to a DLL Hijacking vulnerability which could allow an attacker to inject a malicious DLL file during the installation progress and could execute a malicious program each time a user installs a program. | 4.4 |
2021-04-16 | CVE-2021-31348 | Ezxml Project Debian | Out-of-bounds Read vulnerability in multiple products An issue was discovered in libezxml.a in ezXML 0.8.6. | 4.3 |
2021-04-16 | CVE-2021-31347 | Ezxml Project Debian | XML Injection (aka Blind XPath Injection) vulnerability in multiple products An issue was discovered in libezxml.a in ezXML 0.8.6. | 4.3 |
2021-04-16 | CVE-2021-29443 | Jose Project | Information Exposure Through Discrepancy vulnerability in Jose Project Jose jose is an npm library providing a number of cryptographic operations. | 4.3 |
2021-04-16 | CVE-2018-19942 | Qnap | Cross-site Scripting vulnerability in Qnap QTS and Quts Hero A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. | 4.3 |
2021-04-15 | CVE-2021-28055 | Centreon | Cross-Site Request Forgery (CSRF) vulnerability in Centreon 20.10.0 An issue was discovered in Centreon-Web in Centreon Platform 20.10.0. | 4.3 |
2021-04-15 | CVE-2021-31229 | Ezxml Project Debian | Out-of-bounds Write vulnerability in multiple products An issue was discovered in libezxml.a in ezXML 0.8.6. | 4.3 |
2021-04-15 | CVE-2021-23884 | Mcafee | Cleartext Transmission of Sensitive Information vulnerability in Mcafee Content Security Reporter Cleartext Transmission of Sensitive Information vulnerability in the ePO Extension of McAfee Content Security Reporter (CSR) prior to 2.8.0 allows an ePO administrator to view the unencrypted password of the McAfee Web Gateway (MWG) or the password of the McAfee Web Gateway Cloud Server (MWGCS) read only user used to retrieve log files for analysis in CSR. | 4.3 |
2021-04-15 | CVE-2020-7270 | Mcafee | Unspecified vulnerability in Mcafee Advanced Threat Defense Exposure of Sensitive Information in the web interface in McAfee Advanced Threat Defense (ATD) prior to 4.12.2 allows remote authenticated users to view sensitive unencrypted information via a carefully crafted HTTP request parameter. | 4.3 |
2021-04-15 | CVE-2020-7269 | Mcafee | Unspecified vulnerability in Mcafee Advanced Threat Defense Exposure of Sensitive Information in the web interface in McAfee Advanced Threat Defense (ATD) prior to 4.12.2 allows remote authenticated users to view sensitive unencrypted information via a carefully crafted HTTP request parameter. | 4.3 |
2021-04-15 | CVE-2021-26076 | Atlassian | Unspecified vulnerability in Atlassian products The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker in the middle attack to learn which mode a user is editing in due to the cookie not being set with a secure attribute if Jira was configured to use https. | 4.3 |
2021-04-15 | CVE-2020-36288 | Atlassian | Cross-site Scripting vulnerability in Atlassian products The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused by parameter pollution. | 4.3 |
2021-04-14 | CVE-2021-28855 | | In Deark before 1.5.8, a specially crafted input file can cause a NULL pointer dereference in the dbuf_write function (src/deark-dbuf.c). | 4.3 |
2021-04-14 | CVE-2020-35419 | Group Office | Cross-site Scripting vulnerability in Group-Office Group Office 6.4.196 Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter. | 4.3 |
2021-04-14 | CVE-2021-26832 | Priority Software | Cross-site Scripting vulnerability in Priority-Software Priority Enterprise Management System 8.00 Cross Site Scripting (XSS) in the "Reset Password" page form of Priority Enterprise Management System v8.00 allows attackers to execute javascript on behalf of the victim by sending a malicious URL or directing the victim to a malicious site. | 4.3 |
2021-04-14 | CVE-2021-26805 | Tsmuxer Project | Classic Buffer Overflow vulnerability in Tsmuxer Project Tsmuxer 2.6.16 Buffer Overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a malicious WAV file. | 4.3 |
2021-04-14 | CVE-2020-21087 | X2Engine | Cross-site Scripting vulnerability in X2Engine X2Crm Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the "New Name" field of the "Rename a Module" tool. | 4.3 |
2021-04-13 | CVE-2021-29435 | Trestle Auth Project | Cross-Site Request Forgery (CSRF) vulnerability in Trestle-Auth Project Trestle-Auth 0.4.0/0.4.1 trestle-auth is an authentication plugin for the Trestle admin framework. | 4.3 |
2021-04-13 | CVE-2021-21485 | SAP | Unspecified vulnerability in SAP Netweaver Application Server Java An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to gain NTLM hashes of a privileged user. | 4.3 |
2021-04-13 | CVE-2020-28590 | Slic3R | Out-of-bounds Read vulnerability in Slic3R Libslic3R 1.3.0 An out-of-bounds read vulnerability exists in the Obj File TriangleMesh::TriangleMesh() functionality of Slic3r libslic3r 1.3.0 and Master Commit 92abbc42. | 4.3 |
2021-04-13 | CVE-2021-21729 | ZTE | Cross-Site Request Forgery (CSRF) vulnerability in ZTE Zxhn H108N Firmware and Zxhn H168N Firmware Some ZTE products have CSRF vulnerability. | 4.3 |
2021-04-12 | CVE-2021-23270 | Gargoyle Router | Excessive Iteration vulnerability in Gargoyle-Router Gargoyle 1.12.0 In Gargoyle OS 1.12.0, when IPv6 is used, a routing loop can occur that generates excessive network traffic between an affected device and its upstream ISP's router. | 4.3 |
2021-04-12 | CVE-2021-20519 | IBM | Cross-site Scripting vulnerability in IBM products IBM Jazz Team Server products are vulnerable to cross-site scripting. | 4.3 |
2021-04-12 | CVE-2020-4920 | IBM | Cross-site Scripting vulnerability in IBM products IBM Jazz Team Server products are vulnerable to stored cross-site scripting. | 4.3 |
2021-04-12 | CVE-2021-24231 | Patreon | Cross-Site Request Forgery (CSRF) vulnerability in Patreon Wordpress The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged administrator disconnect the site from Patreon by visiting a specially crafted link. | 4.3 |
2021-04-13 | CVE-2021-28316 | Microsoft | Unspecified vulnerability in Microsoft products Windows WLAN AutoConfig Service Security Feature Bypass Vulnerability | 4.2 |
2021-04-16 | CVE-2021-26074 | Atlassian | Improper Authentication vulnerability in Atlassian Connect Spring Boot Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. | 4.0 |
2021-04-15 | CVE-2021-29450 | Wordpress Debian | Information Exposure vulnerability in multiple products Wordpress is an open source CMS. | 4.0 |
2021-04-15 | CVE-2021-29433 | Matrix | Improper Input Validation vulnerability in Matrix Sydent Sydent is a reference Matrix identity server. | 4.0 |
2021-04-15 | CVE-2021-30209 | Textpattern | Unrestricted Upload of File with Dangerous Type vulnerability in Textpattern 4.8.4 Textpattern V4.8.4 contains an arbitrary file upload vulnerability where a plug-in can be loaded in the background without any security verification, which may lead to obtaining system permissions. | 4.0 |
2021-04-15 | CVE-2021-30487 | Zulip | Unspecified vulnerability in Zulip Server 3.0/3.1 In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation. | 4.0 |
2021-04-15 | CVE-2021-30478 | Zulip | Improper Privilege Management vulnerability in Zulip Server An issue was discovered in Zulip Server before 3.4. | 4.0 |
2021-04-15 | CVE-2021-30477 | Zulip | Unspecified vulnerability in Zulip Server An issue was discovered in Zulip Server before 3.4. | 4.0 |
2021-04-15 | CVE-2021-26075 | Atlassian | Unspecified vulnerability in Atlassian products The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path of the Jira application data directory via an information disclosure vulnerability in the error message when presented with an invalid filename. | 4.0 |
2021-04-14 | CVE-2021-27604 | SAP | XXE vulnerability in SAP Netweaver Process Integration In order to prevent an XML External Entity vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Enterprise Service Repository JAVA Mappings), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, SAP recommends referring to this note. | 4.0 |
2021-04-14 | CVE-2021-27599 | SAP | Information Exposure vulnerability in SAP Netweaver Process Integration SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Integration Builder Framework), versions - 7.10, 7.30, 7.31, 7.40, 7.50, allows an attacker to access information under certain conditions, which would otherwise be restricted. | 4.0 |
2021-04-13 | CVE-2021-3473 | Lenovo | Cleartext Storage of Sensitive Information vulnerability in Lenovo Xclarity Controller An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. | 4.0 |
2021-04-13 | CVE-2021-27605 | SAP | Missing Authorization vulnerability in SAP ERP SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. | 4.0 |
2021-04-13 | CVE-2021-21483 | SAP | Information Exposure vulnerability in SAP Solution Manager 7.20 Under certain conditions SAP Solution Manager, version - 720, allows a high privileged attacker to get access to sensitive information which has a direct serious impact beyond the exploitable component thereby affecting the confidentiality in the application. | 4.0 |
2021-04-13 | CVE-2021-28973 | Perforce | XXE vulnerability in Perforce Helix ALM 2020.3.1 The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks. | 4.0 |
2021-04-13 | CVE-2021-28938 | Siren | Unspecified vulnerability in Siren Federate Siren Federate before 6.8.14-10.3.9, 6.9.x through 7.6.x before 7.6.2-20.2, 7.7.x through 7.9.x before 7.9.3-21.6, 7.10.x before 7.10.2-22.2, and 7.11.x before 7.11.2-23.0 can leak user information across thread contexts. | 4.0 |
2021-04-12 | CVE-2020-4964 | IBM | Unspecified vulnerability in IBM products IBM Jazz Team Server products contain an undisclosed vulnerability that could allow an authenticated user to present a customized message on the application which could be used to phish other users. | 4.0 |
2021-04-12 | CVE-2021-24024 | Fortinet | Information Exposure Through Log Files vulnerability in Fortinet Fortiadc A clear text storage of sensitive information into log file vulnerability in FortiADCManager 5.3.0 and below, 5.2.1 and below and FortiADC 5.3.7 and below may allow a remote authenticated attacker to read other local users' password in log files. | 4.0 |
2021-04-12 | CVE-2021-22190 | Gitlab | Path Traversal vulnerability in Gitlab A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token. | 4.0 |
2021-04-12 | CVE-2020-15942 | Fortinet | Information Exposure vulnerability in Fortinet Fortiweb An information disclosure vulnerability in Web Vulnerability Scan profile of Fortinet's FortiWeb version 6.2.x below 6.2.4 and version 6.3.x below 6.3.5 may allow a remote authenticated attacker to read the password used by the FortiWeb scanner to access the device defined in the scan profile. | 4.0 |
2021-04-12 | CVE-2019-17656 | Fortinet | Out-of-bounds Write vulnerability in Fortinet Fortios and Fortiproxy A Stack-based Buffer Overflow vulnerability in the HTTPD daemon of FortiOS 6.0.10 and below, 6.2.2 and below and FortiProxy 1.0.x, 1.1.x, 1.2.9 and below, 2.0.0 and below may allow an authenticated remote attacker to crash the service by sending a malformed PUT request to the server. | 4.0 |
2021-04-12 | CVE-2021-24200 | TMS Outsource | SQL Injection vulnerability in Tms-Outsource Wpdatatables The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'length' HTTP POST parameter. | 4.0 |
2021-04-12 | CVE-2021-24199 | TMS Outsource | SQL Injection vulnerability in Tms-Outsource Wpdatatables The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'start' HTTP POST parameter. | 4.0 |
26 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-04-15 | CVE-2021-29432 | Matrix | Unspecified vulnerability in Matrix Sydent Sydent is a reference Matrix identity server. | 3.5 |
2021-04-15 | CVE-2021-27673 | Tribalsystems | Cross-site Scripting vulnerability in Tribalsystems Zenario 8.8.52729 Cross Site Scripting (XSS) in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS v8.8.52729 allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "cID" parameter when creating a new HTML component. | 3.5 |
2021-04-15 | CVE-2021-27129 | Casap Automated Enrollment System Project | Cross-site Scripting vulnerability in Casap Automated Enrollment System Project Casap Automated Enrollment System 1.0 CASAP Automated Enrollment System version 1.0 contains a cross-site scripting (XSS) vulnerability through the Students > Edit > ROUTE parameter. | 3.5 |
2021-04-14 | CVE-2020-35660 | | Cross Site Scripting (XSS) in Monica before 2.19.1 via the journal page. | 3.5 |
2021-04-14 | CVE-2020-28124 | Lavalite | Cross-site Scripting vulnerability in Lavalite 5.8.0 Cross Site Scripting (XSS) in LavaLite 5.8.0 via the Address field. | 3.5 |
2021-04-14 | CVE-2020-35418 | Group Office | Cross-site Scripting vulnerability in Group-Office Group Office 6.4.196 Cross Site Scripting (XSS) in the contact page of Group Office CRM 6.4.196 by uploading a crafted svg file. | 3.5 |
2021-04-14 | CVE-2021-27989 | Appspace | Cross-site Scripting vulnerability in Appspace 6.2.4 Appspace 6.2.4 is vulnerable to stored cross-site scripting (XSS) in multiple parameters within /medianet/sgcontentset.aspx. | 3.5 |
2021-04-13 | CVE-2021-27600 | SAP | Cross-site Scripting vulnerability in SAP Manufacturing Execution SAP Manufacturing Execution (System Rules), versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in Stored Cross-Site Scripting (XSS) vulnerability. | 3.5 |
2021-04-13 | CVE-2021-30637 | Htmly | Cross-site Scripting vulnerability in Htmly 2.8.0 htmly 2.8.0 allows stored XSS via the blog title, Tagline, or Description to config.html.php. | 3.5 |
2021-04-13 | CVE-2021-30044 | Remoteclinic | Cross-site Scripting vulnerability in Remoteclinic Remote Clinic 2.0 Cross Site Scripting (XSS) in Remote Clinic v2.0 via the First Name or Last Name field on staff/register.php. | 3.5 |
2021-04-13 | CVE-2021-30042 | Remoteclinic | Cross-site Scripting vulnerability in Remoteclinic Remote Clinic 2.0 Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Clinic Name", "Clinic Address", "Clinic City", or "Clinic Contact" field on clinics/register.php. | 3.5 |
2021-04-13 | CVE-2021-30039 | Remoteclinic | Cross-site Scripting vulnerability in Remoteclinic Remote Clinic 2.0 Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Fever" or "Blood Pressure" field on the patients/register-report.php. | 3.5 |
2021-04-13 | CVE-2021-30034 | Remoteclinic | Cross-site Scripting vulnerability in Remoteclinic Remote Clinic 2.0 Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Symptons field on patients/register-report.php. | 3.5 |
2021-04-13 | CVE-2021-30030 | Remoteclinic | Cross-site Scripting vulnerability in Remoteclinic Remote Clinic 2.0 Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Full Name field on register-patient.php. | 3.5 |
2021-04-12 | CVE-2021-25925 | Sickrage | Cross-site Scripting vulnerability in Sickrage in SiCKRAGE, versions 4.2.0 to 10.0.11.dev1 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly when processed by the server. | 3.5 |
2021-04-14 | CVE-2021-25316 | Suse | Insecure Temporary File vulnerability in Suse S390-Tools 2.1.018.29.1 An Insecure Temporary File vulnerability in s390-tools of SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-SP2 allows local attackers to prevent VM live migrations. This issue affects: SUSE Linux Enterprise Server 12-SP5 s390-tools versions prior to 2.1.0-18.29.1. | 3.3 |
2021-04-13 | CVE-2021-28312 | Microsoft | Unspecified vulnerability in Microsoft products Windows NTFS Denial of Service Vulnerability | 3.3 |
2021-04-14 | CVE-2021-27260 | Parallels | Out-of-bounds Read vulnerability in Parallels Desktop 16.0.1 This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 16.0.1-48919. | 2.1 |
2021-04-13 | CVE-2021-0471 | Google | Out-of-bounds Read vulnerability in Google Android In decrypt_1_2 of CryptoPlugin.cpp, there is a possible out of bounds read due to an integer overflow. | 2.1 |
2021-04-13 | CVE-2021-0436 | Google | Integer Overflow or Wraparound vulnerability in Google Android In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out of bounds read due to integer overflow. | 2.1 |
2021-04-13 | CVE-2021-0428 | Google | Missing Authorization vulnerability in Google Android 10.0 In getSimSerialNumber of TelephonyManager.java, there is a possible way to read a trackable identifier due to a missing permission check. | 2.1 |
2021-04-13 | CVE-2021-0400 | Google | Improper Input Validation vulnerability in Google Android 10.0/11.0/9.0 In injectBestLocation and handleUpdateLocation of GnssLocationProvider.java, there is a possible incorrect reporting of location data to emergency services due to improper input validation. | 2.1 |
2021-04-13 | CVE-2021-28646 | Trendmicro | Incorrect Permission Assignment for Critical Resource vulnerability in Trendmicro Apex ONE and Officescan An insecure file permissions vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to take control of a specific log file on affected installations. | 2.1 |
2021-04-13 | CVE-2021-0444 | Google | Unspecified vulnerability in Google Android In onActivityResult of QuickContactActivity.java, there is an unnecessary return of an intent. | 1.9 |
2021-04-13 | CVE-2021-0443 | Google | Race Condition vulnerability in Google Android In several functions of ScreenshotHelper.java and related files, there is a possible incorrectly saved screenshot due to a race condition. | 1.9 |
2021-04-12 | CVE-2021-29429 | Gradle Quarkus | Insecure Temporary File vulnerability in multiple products In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. | 1.9 |