Weekly Vulnerabilities Reports > April 26 to May 2, 2021

Overview

341 new vulnerabilities reported during this period, including 17 critical vulnerabilities and 66 high severity vulnerabilities. This weekly summary report vulnerabilities in 322 products from 136 vendors including Debian, Fedoraproject, Google, Arubanetworks, and Parallels. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Incorrect Authorization", "Improper Input Validation", and "Information Exposure".

  • 283 reported vulnerabilities are remotely exploitables.
  • 15 reported vulnerabilities have public exploit available.
  • 118 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 267 reported vulnerabilities are exploitable by an anonymous user.
  • Debian has the most reported vulnerabilities, with 54 reported vulnerabilities.
  • Arubanetworks has the most reported critical vulnerabilities, with 3 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

17 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-04-30 CVE-2020-24918 Ambarella Classic Buffer Overflow vulnerability in Ambarella Oryx Rtsp Server 20200107

A buffer overflow in the RTSP service of the Ambarella Oryx RTSP Server 2020-01-07 allows an unauthenticated attacker to send a crafted RTSP request, with a long digest authentication header, to execute arbitrary code in parse_authentication_header() in libamprotocol-rtsp.so.1 in rtsp_svc (or cause a crash).

10.0
2021-04-28 CVE-2021-20716 Buffalo Unspecified vulnerability in Buffalo products

Hidden functionality in multiple Buffalo network devices (BHR-4RV firmware Ver.2.55 and prior, FS-G54 firmware Ver.2.04 and prior, WBR2-B11 firmware Ver.2.32 and prior, WBR2-G54 firmware Ver.2.32 and prior, WBR2-G54-KD firmware Ver.2.32 and prior, WBR-B11 firmware Ver.2.23 and prior, WBR-G54 firmware Ver.2.23 and prior, WBR-G54L firmware Ver.2.20 and prior, WHR2-A54G54 firmware Ver.2.25 and prior, WHR2-G54 firmware Ver.2.23 and prior, WHR2-G54V firmware Ver.2.55 and prior, WHR3-AG54 firmware Ver.2.23 and prior, WHR-G54 firmware Ver.2.16 and prior, WHR-G54-NF firmware Ver.2.10 and prior, WLA2-G54 firmware Ver.2.24 and prior, WLA2-G54C firmware Ver.2.24 and prior, WLA-B11 firmware Ver.2.20 and prior, WLA-G54 firmware Ver.2.20 and prior, WLA-G54C firmware Ver.2.20 and prior, WLAH-A54G54 firmware Ver.2.54 and prior, WLAH-AM54G54 firmware Ver.2.54 and prior, WLAH-G54 firmware Ver.2.54 and prior, WLI2-TX1-AG54 firmware Ver.2.53 and prior, WLI2-TX1-AMG54 firmware Ver.2.53 and prior, WLI2-TX1-G54 firmware Ver.2.20 and prior, WLI3-TX1-AMG54 firmware Ver.2.53 and prior, WLI3-TX1-G54 firmware Ver.2.53 and prior, WLI-T1-B11 firmware Ver.2.20 and prior, WLI-TX1-G54 firmware Ver.2.20 and prior, WVR-G54-NF firmware Ver.2.02 and prior, WZR-G108 firmware Ver.2.41 and prior, WZR-G54 firmware Ver.2.41 and prior, WZR-HP-G54 firmware Ver.2.41 and prior, WZR-RS-G54 firmware Ver.2.55 and prior, and WZR-RS-G54HP firmware Ver.2.55 and prior) allows a remote attacker to enable the debug option and to execute arbitrary code or OS commands, change the configuration, and cause a denial of service (DoS) condition.

10.0
2021-04-27 CVE-2021-30128 Apache Deserialization of Untrusted Data vulnerability in Apache Ofbiz

Apache OFBiz has unsafe deserialization prior to 17.12.07 version

10.0
2021-04-27 CVE-2021-30642 Symantec OS Command Injection vulnerability in Symantec Security Analytics 7.2.1/7.2.2/7.2.3

An input validation flaw in the Symantec Security Analytics web UI 7.2 prior 7.2.7, 8.1, prior to 8.1.3-NSR3, 8.2, prior to 8.2.1-NSR2 or 8.2.2 allows a remote, unauthenticated attacker to execute arbitrary OS commands on the target with elevated privileges.

10.0
2021-04-26 CVE-2021-20711 NEC OS Command Injection vulnerability in NEC Aterm Wg2600Hs Firmware 1.3.2

Aterm WG2600HS firmware Ver1.5.1 and earlier allows an attacker to execute arbitrary OS commands via unspecified vectors.

10.0
2021-04-29 CVE-2020-36327 Bundler Unspecified vulnerability in Bundler

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application.

9.3
2021-04-29 CVE-2020-21992 Inim OS Command Injection vulnerability in Inim products

Inim Electronics SmartLiving SmartLAN/G/SI <=6.x suffers from an authenticated remote command injection vulnerability.

9.0
2021-04-29 CVE-2021-29147 Arubanetworks OS Command Injection vulnerability in Arubanetworks Clearpass

A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1.

9.0
2021-04-28 CVE-2021-25152 Arubanetworks Deserialization of Untrusted Data vulnerability in Arubanetworks Airwave

A remote insecure deserialization vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1.

9.0
2021-04-28 CVE-2021-25151 Arubanetworks Deserialization of Untrusted Data vulnerability in Arubanetworks Airwave

A remote insecure deserialization vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1.

9.0
2021-04-28 CVE-2021-30166 Meritlilin OS Command Injection vulnerability in Meritlilin products

The NTP Server configuration function of the IP camera device is not verified with special parameters.

9.0
2021-04-28 CVE-2021-30167 Meritlilin Insufficiently Protected Credentials vulnerability in Meritlilin products

The manage users profile services of the network camera device allows an authenticated.

9.0
2021-04-26 CVE-2021-22669 Advantech Incorrect Permission Assignment for Critical Resource vulnerability in Advantech Webaccess/Scada

Incorrect permissions are set to default on the ‘Project Management’ page of WebAccess/SCADA portal of WebAccess/SCADA Versions 9.0.1 and prior, which may allow a low-privileged user to update an administrator’s password and login as an administrator to escalate privileges on the system.

9.0
2021-04-26 CVE-2021-20695 Dlink Improper Privilege Management vulnerability in Dlink Dap-1880Ac Firmware

Improper following of a certificate's chain of trust vulnerability in DAP-1880AC firmware version 1.21 and earlier allows a remote authenticated attacker to gain root privileges via unspecified vectors.

9.0
2021-04-26 CVE-2021-20709 NEC Improper Validation of Integrity Check Value vulnerability in NEC products

Improper validation of integrity check value vulnerability in NEC Aterm WF1200CR firmware Ver1.3.2 and earlier, Aterm WG1200CR firmware Ver1.3.3 and earlier, and Aterm WG2600HS firmware Ver1.5.1 and earlier allows an attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to a specific URL.

9.0
2021-04-26 CVE-2021-20708 NEC OS Command Injection vulnerability in NEC products

NEC Aterm devices (Aterm WF1200CR firmware Ver1.3.2 and earlier, Aterm WG1200CR firmware Ver1.3.3 and earlier, and Aterm WG2600HS firmware Ver1.5.1 and earlier) allow authenticated attackers to execute arbitrary OS commands by sending a specially crafted request to a specific URL.

9.0
2021-04-26 CVE-2021-20696 Dlink OS Command Injection vulnerability in Dlink Dap-1880Ac Firmware

DAP-1880AC firmware version 1.21 and earlier allows a remote authenticated attacker to execute arbitrary OS commands by sending a specially crafted request to a specific CGI program.

9.0

66 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-04-27 CVE-2020-22000 Homeautomation Project OS Command Injection vulnerability in Homeautomation Project Homeautomation 3.3.2

HomeAutomation 3.3.2 suffers from an authenticated OS command execution vulnerability using custom command v0.1 plugin.

8.5
2021-04-28 CVE-2021-3512 Buffalo Incorrect Authorization vulnerability in Buffalo products

Improper access control vulnerability in Buffalo broadband routers (BHR-4GRV firmware Ver.1.99 and prior, DWR-HP-G300NH firmware Ver.1.83 and prior, HW-450HP-ZWE firmware Ver.1.99 and prior, WHR-300HP firmware Ver.1.99 and prior, WHR-300 firmware Ver.1.99 and prior, WHR-G301N firmware Ver.1.86 and prior, WHR-HP-G300N firmware Ver.1.99 and prior, WHR-HP-GN firmware Ver.1.86 and prior, WPL-05G300 firmware Ver.1.87 and prior, WZR-450HP-CWT firmware Ver.1.99 and prior, WZR-450HP-UB firmware Ver.1.99 and prior, WZR-HP-AG300H firmware Ver.1.75 and prior, WZR-HP-G300NH firmware Ver.1.83 and prior, WZR-HP-G301NH firmware Ver.1.83 and prior, WZR-HP-G302H firmware Ver.1.85 and prior, WZR-HP-G450H firmware Ver.1.89 and prior, WZR-300HP firmware Ver.1.99 and prior, WZR-450HP firmware Ver.1.99 and prior, WZR-600DHP firmware Ver.1.99 and prior, WZR-D1100H firmware Ver.1.99 and prior, FS-HP-G300N firmware Ver.3.32 and prior, FS-600DHP firmware Ver.3.38 and prior, FS-R600DHP firmware Ver.3.39 and prior, and FS-G300N firmware Ver.3.13 and prior) allows remote unauthenticated attackers to bypass access restriction and to start telnet service and execute arbitrary OS commands with root privileges via unspecified vectors.

8.3
2021-04-26 CVE-2021-31802 Netgear Out-of-bounds Write vulnerability in Netgear R7000 Firmware

NETGEAR R7000 1.0.11.116 devices have a heap-based Buffer Overflow that is exploitable from the local network without authentication.

8.3
2021-04-29 CVE-2021-1402 Cisco Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco Firepower Threat Defense

A vulnerability in the software-based SSL/TLS message handler of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

7.8
2021-04-29 CVE-2021-1501 A vulnerability in the SIP inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a crash and reload of an affected device, resulting in a denial of service (DoS) condition.The vulnerability is due to a crash that occurs during a hash lookup for a SIP pinhole connection.
7.8
2021-04-29 CVE-2021-25811 Mercusys Unspecified vulnerability in Mercusys Mercury X18G Firmware 1.0.5

MERCUSYS Mercury X18G 1.0.5 devices allow Denial of service via a crafted value to the POST listen_http_lan parameter.

7.8
2021-04-30 CVE-2020-15153 Ampache before version 4.2.2 allows unauthenticated users to perform SQL injection.
7.5
2021-04-30 CVE-2021-28959 Zohocorp Path Traversal vulnerability in Zohocorp Manageengine Eventlog Analyzer

Zoho ManageEngine Eventlog Analyzer through 12147 is vulnerable to unauthenticated directory traversal via an entry in a ZIP archive.

7.5
2021-04-30 CVE-2021-31872 Klibc Project Integer Overflow or Wraparound vulnerability in Klibc Project Klibc

An issue was discovered in klibc before 2.0.9.

7.5
2021-04-30 CVE-2021-31873 Klibc Project Integer Overflow or Wraparound vulnerability in Klibc Project Klibc

An issue was discovered in klibc before 2.0.9.

7.5
2021-04-30 CVE-2021-31870 Klibc Project Integer Overflow or Wraparound vulnerability in Klibc Project Klibc

An issue was discovered in klibc before 2.0.9.

7.5
2021-04-29 CVE-2020-22807 Vtiger SQL Injection vulnerability in Vtiger CRM 7.2.0

An issue was dicovered in vtiger crm 7.2.

7.5
2021-04-29 CVE-2021-1493 A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to cause a buffer overflow on an affected system.
7.5
2021-04-29 CVE-2021-21388 systeminformation is an open source system and OS information library for node.js.
7.5
2021-04-29 CVE-2020-21452 Uniview Unrestricted Upload of File with Dangerous Type vulnerability in Uniview Isc2500-S Firmware

An issue was discovered in uniview ISC2500-S.

7.5
2021-04-29 CVE-2020-35430 Inxedu SQL Injection vulnerability in Inxedu 2.0.6

SQL Injection in com/inxedu/OS/edu/controller/letter/AdminMsgSystemController in Inxedu v2.0.6 via the ids parameter to admin/letter/delsystem.

7.5
2021-04-29 CVE-2021-30233 Chinamobile Command Injection vulnerability in Chinamobile AN Lianbao Wf-1 Firmware 1.0.1

The api/ZRIptv/setIptvInfo interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the iptv_vlan parameter.

7.5
2021-04-29 CVE-2021-30228 Chinamobile Command Injection vulnerability in Chinamobile AN Lianbao Wf-1 Firmware 1.0.1

The api/ZRAndlink/set_ZRAndlink interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the iandlink_proc_enable parameter.

7.5
2021-04-29 CVE-2021-30234 Chinamobile Command Injection vulnerability in Chinamobile AN Lianbao Wf-1 Firmware 1.0.1

The api/ZRIGMP/set_MLD_PROXY interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the MLD_PROXY_WAN_CONNECT parameter.

7.5
2021-04-29 CVE-2021-25812 Chinamobile Command Injection vulnerability in Chinamobile AN Lianbao Wf-1 Firmware 1.0.1

Command injection vulnerability in China Mobile An Lianbao WF-1 1.01 via the 'ip' parameter with a POST request to /api/ZRQos/set_online_client.

7.5
2021-04-29 CVE-2021-30232 Chinamobile Command Injection vulnerability in Chinamobile AN Lianbao Wf-1 Firmware 1.0.1

The api/ZRIGMP/set_IGMP_PROXY interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the IGMP_PROXY_WAN_CONNECT parameter.

7.5
2021-04-29 CVE-2021-30231 Chinamobile Command Injection vulnerability in Chinamobile AN Lianbao Wf-1 Firmware 1.0.1

The api/zrDm/set_ZRElink interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the bssaddr, abiaddr, devtoken, devid, elinksync, or elink_proc_enable parameter.

7.5
2021-04-29 CVE-2021-30230 Chinamobile Command Injection vulnerability in Chinamobile AN Lianbao Wf-1 Firmware 1.0.1

The api/ZRFirmware/set_time_zone interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the zonename parameter.

7.5
2021-04-29 CVE-2021-20090 Buffalo Path Traversal vulnerability in Buffalo products

A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.

7.5
2021-04-29 CVE-2021-27651 Pega Weak Password Recovery Mechanism for Forgotten Password vulnerability in Pega Infinity

In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.

7.5
2021-04-29 CVE-2020-21995 Inim Use of Hard-coded Credentials vulnerability in Inim products

Inim Electronics Smartliving SmartLAN/G/SI <=6.x uses default hardcoded credentials.

7.5
2021-04-29 CVE-2021-29145 Arubanetworks Server-Side Request Forgery (SSRF) vulnerability in Arubanetworks Clearpass

A remote server side request forgery (SSRF) remote code execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1.

7.5
2021-04-29 CVE-2021-31875 Cesanta Out-of-bounds Write vulnerability in Cesanta Mongooseos MJS 1.26

In mjs_json.c in Cesanta MongooseOS mJS 1.26, a maliciously formed JSON string can trigger an off-by-one heap-based buffer overflow in mjs_json_parse, which can potentially lead to redirection of control flow.

7.5
2021-04-28 CVE-2020-21994 AVE Insufficiently Protected Credentials vulnerability in AVE products

AVE DOMINAplus <=1.10.x suffers from clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file '/xml/authClients.xml' and obtain administrative login information that allows for a successful authentication bypass attack.

7.5
2021-04-28 CVE-2020-18020 Phpshe SQL Injection vulnerability in PHPshe Mall System 1.7

SQL Injection in PHPSHE Mall System v1.7 allows remote attackers to execute arbitrary code by injecting SQL commands into the "user_phone" parameter of a crafted HTTP request to the "admin.php" component.

7.5
2021-04-28 CVE-2020-21991 AVE Improper Authentication vulnerability in AVE products

AVE DOMINAplus <=1.10.x suffers from an authentication bypass vulnerability due to missing control check when directly calling the autologin GET parameter in changeparams.php script.

7.5
2021-04-28 CVE-2021-22514 Microfocus Code Injection vulnerability in Microfocus Application Performance Management 9.40/9.50/9.51

An arbitrary code execution vulnerability exists in Micro Focus Application Performance Management, affecting versions 9.40, 9.50 and 9.51.

7.5
2021-04-28 CVE-2021-30168 Meritlilin Information Exposure vulnerability in Meritlilin products

The sensitive information of webcam device is not properly protected.

7.5
2021-04-28 CVE-2021-31856 Layer5 SQL Injection vulnerability in Layer5 Meshery 0.5.2

A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go).

7.5
2021-04-28 CVE-2020-36326 Phpmailer Project
Wordpress
Deserialization of Untrusted Data vulnerability in multiple products

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname.

7.5
2021-04-27 CVE-2021-29441 Alibaba Authentication Bypass by Spoofing vulnerability in Alibaba Nacos

Nacos is a platform designed for dynamic service discovery and configuration and service management.

7.5
2021-04-27 CVE-2021-29476 Wordpress Deserialization of Untrusted Data vulnerability in Wordpress Requests 1.6.0/1.6.1/1.7.0

Requests is a HTTP library written in PHP.

7.5
2021-04-27 CVE-2021-29200 Apache Deserialization of Untrusted Data vulnerability in Apache Ofbiz

Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack

7.5
2021-04-27 CVE-2020-22001 Homeautomation Project Improper Authentication vulnerability in Homeautomation Project Homeautomation 3.3.2

HomeAutomation 3.3.2 suffers from an authentication bypass vulnerability when spoofing client IP address using the X-Forwarded-For header with the local (loopback) IP address value allowing remote control of the smart home solution.

7.5
2021-04-27 CVE-2021-27480 Delta Industrial Automation COMMGR Versions 1.12 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to execute remote code.
7.5
2021-04-27 CVE-2019-25039 Nlnetlabs
Debian
Integer Overflow or Wraparound vulnerability in multiple products

** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in a size calculation in respip/respip.c.

7.5
2021-04-27 CVE-2019-25034 Nlnetlabs
Debian
Integer Overflow or Wraparound vulnerability in multiple products

** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in sldns_str2wire_dname_buf_origin, leading to an out-of-bounds write.

7.5
2021-04-27 CVE-2019-25032 Nlnetlabs
Debian
Integer Overflow or Wraparound vulnerability in multiple products

** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in the regional allocator via regional_alloc.

7.5
2021-04-27 CVE-2019-25042 Nlnetlabs
Debian
Out-of-bounds Write vulnerability in multiple products

** DISPUTED ** Unbound before 1.9.5 allows an out-of-bounds write via a compressed name in rdata_copy.

7.5
2021-04-27 CVE-2019-25033 Nlnetlabs
Debian
Integer Overflow or Wraparound vulnerability in multiple products

** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in the regional allocator via the ALIGN_UP macro.

7.5
2021-04-27 CVE-2019-25038 Nlnetlabs
Debian
Integer Overflow or Wraparound vulnerability in multiple products

** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in a size calculation in dnscrypt/dnscrypt.c.

7.5
2021-04-27 CVE-2019-25035 Nlnetlabs
Debian
Out-of-bounds Write vulnerability in multiple products

** DISPUTED ** Unbound before 1.9.5 allows an out-of-bounds write in sldns_bget_token_par.

7.5
2021-04-26 CVE-2021-31784 Opendesign Out-of-bounds Write vulnerability in Opendesign Drawings SDK 2019

An out-of-bounds write vulnerability exists in the file-reading procedure in Open Design Alliance Drawings SDK before 2021.6 on all supported by ODA platforms in static configuration.

7.5
2021-04-26 CVE-2021-31646 Gestsup Improper Restriction of Excessive Authentication Attempts vulnerability in Gestsup

Gestsup before 3.2.10 allows account takeover through the password recovery functionality (remote).

7.5
2021-04-26 CVE-2021-26797 Hametech Weak Password Requirements vulnerability in Hametech Hame SD1 Wi-Fi Firmware

An access control vulnerability in Hame SD1 Wi-Fi firmware <=V.20140224154640 allows an attacker to get system administrator through an open Telnet service.

7.5
2021-04-26 CVE-2021-25928 Manta Unspecified vulnerability in Manta Safe-Obj 1.0.0/1.0.1/1.0.2

Prototype pollution vulnerability in 'safe-obj' versions 1.0.0 through 1.0.2 allows an attacker to cause a denial of service and may lead to remote code execution.

7.5
2021-04-26 CVE-2021-25927 Safe Flat Project Unspecified vulnerability in Safe-Flat Project Safe-Flat

Prototype pollution vulnerability in 'safe-flat' versions 2.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.

7.5
2021-04-26 CVE-2021-20697 Dlink Missing Authentication for Critical Function vulnerability in Dlink Dap-1880Ac Firmware

Missing authentication for critical function in DAP-1880AC firmware version 1.21 and earlier allows a remote attacker to login to the device as an authenticated user without the access privilege via unspecified vectors.

7.5
2021-04-30 CVE-2021-21535 Dell Missing Authentication for Critical Function vulnerability in Dell Hybrid Client

Dell Hybrid Client versions prior to 1.5 contain a missing authentication for a critical function vulnerability.

7.2
2021-04-30 CVE-2020-27519 Pritunl Improper Privilege Management vulnerability in Pritunl Pritunl-Client-Electron 1.2.2550.20

Pritunl Client v1.2.2550.20 contains a local privilege escalation vulnerability in the pritunl-service component.

7.2
2021-04-29 CVE-2021-1488 A vulnerability in the upgrade process of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to inject commands that could be executed with root privileges on the underlying operating system (OS).
7.2
2021-04-29 CVE-2021-1448 Cisco Improper Input Validation vulnerability in Cisco Firepower Threat Defense

A vulnerability in the CLI of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected device that is running in multi-instance mode.

7.2
2021-04-29 CVE-2021-1476 A vulnerability in the CLI of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device.
7.2
2021-04-29 CVE-2021-31426 Parallels Integer Overflow or Wraparound vulnerability in Parallels Desktop 16.1.249151

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.2-49151.

7.2
2021-04-29 CVE-2021-31425 Parallels Integer Overflow or Wraparound vulnerability in Parallels Desktop 16.1.249151

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.2-49151.

7.2
2021-04-29 CVE-2021-31776 Aviatrix Unquoted Search Path or Element vulnerability in Aviatrix VPN Client

Aviatrix VPN Client before 2.14.14 on Windows has an unquoted search path that enables local privilege escalation to the SYSTEM user, if the machine is misconfigured to allow unprivileged users to write to directories that are supposed to be restricted to administrators.

7.2
2021-04-28 CVE-2020-7123 Arubanetworks Improper Privilege Management vulnerability in Arubanetworks Clearpass Policy Manager

A local escalation of privilege vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1.

7.2
2021-04-27 CVE-2021-3464 Lenovo Uncontrolled Search Path Element vulnerability in Lenovo Pcmanager 3.0.200.2042/3.0.50.9162

A DLL search path vulnerability was reported in Lenovo PCManager, prior to version 3.0.400.3252, that could allow privilege escalation.

7.2
2021-04-26 CVE-2021-20532 IBM Incorrect Default Permissions vulnerability in IBM products

IBM Spectrum Protect Client 8.1.0.0 through 8.1.11.0 could allow a local user to escalate their privileges to take full control of the system due to insecure directory permissions.

7.2
2021-04-26 CVE-2021-29672 IBM Out-of-bounds Write vulnerability in IBM products

IBM Spectrum Protect Client 8.1.0.0-8 through 1.11.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking when processing the current locale settings.

7.2
2021-04-26 CVE-2021-3472 X ORG
Fedoraproject
Debian
Redhat
Integer Underflow (Wrap or Wraparound) vulnerability in multiple products

A flaw was found in xorg-x11-server in versions before 1.20.11.

7.2

207 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-04-30 CVE-2021-21227 Google
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

Insufficient data validation in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-04-30 CVE-2021-21233 Google
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in ANGLE in Google Chrome on Windows prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-04-30 CVE-2021-21232 Google
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Use after free in Dev Tools in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-04-30 CVE-2021-21231 Google
Debian
Fedoraproject
Insufficient Verification of Data Authenticity vulnerability in multiple products

Insufficient data validation in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-04-30 CVE-2021-21230 Google
Fedoraproject
Debian
Type Confusion vulnerability in multiple products

Type confusion in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-04-30 CVE-2021-29464 Exiv2 Out-of-bounds Write vulnerability in Exiv2

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files.

6.8
2021-04-29 CVE-2021-29468 Cygwin Improper Input Validation vulnerability in Cygwin GIT

Cygwin Git is a patch set for the git command line tool for the cygwin environment.

6.8
2021-04-29 CVE-2021-1489 A vulnerability in filesystem usage management for Cisco Firepower Device Manager (FDM) Software could allow an authenticated, remote attacker to exhaust filesystem resources, resulting in a denial of service (DoS) condition on an affected device.
6.8
2021-04-29 CVE-2020-18032 Graphviz
Debian
Fedoraproject
Classic Buffer Overflow vulnerability in multiple products

Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the "lib/common/shapes.c" component.

6.8
2021-04-29 CVE-2021-31438 Foxitsoftware Out-of-bounds Write vulnerability in Foxitsoftware Foxit Studio Photo

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.931.

6.8
2021-04-29 CVE-2021-31436 Foxitsoftware Out-of-bounds Write vulnerability in Foxitsoftware Foxit Studio Photo

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.931.

6.8
2021-04-29 CVE-2021-31437 Foxitsoftware Out-of-bounds Write vulnerability in Foxitsoftware Foxit Studio Photo

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.931.

6.8
2021-04-29 CVE-2021-31435 Foxitsoftware Use of Uninitialized Variable vulnerability in Foxitsoftware Foxit Studio Photo

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.931.

6.8
2021-04-29 CVE-2021-31434 Foxitsoftware Out-of-bounds Write vulnerability in Foxitsoftware Foxit Studio Photo

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.931.

6.8
2021-04-29 CVE-2021-31433 Foxitsoftware Out-of-bounds Write vulnerability in Foxitsoftware Foxit Studio Photo

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.931.

6.8
2021-04-29 CVE-2021-21415 Prisma VS Code a VSCode extension for Prisma schema files.
6.8
2021-04-29 CVE-2021-20294 GNU Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in GNU Binutils

A flaw was found in binutils readelf 2.35 program.

6.8
2021-04-29 CVE-2021-30224 Rukovoditel Cross-Site Request Forgery (CSRF) vulnerability in Rukovoditel 2.8.3

Cross Site Request Forgery (CSRF) in Rukovoditel v2.8.3 allows attackers to create an admin user with an arbitrary credentials.

6.8
2021-04-29 CVE-2021-25216 Debian
ISC
Reachable Assertion vulnerability in multiple products

In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features.

6.8
2021-04-28 CVE-2021-25147 Arubanetworks Improper Authentication vulnerability in Arubanetworks Airwave

A remote authentication restriction bypass vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1.

6.8
2021-04-27 CVE-2020-21989 Homeautomation Project Cross-Site Request Forgery (CSRF) vulnerability in Homeautomation Project Homeautomation 3.3.2

HomeAutomation 3.3.2 is affected by Cross Site Request Forgery (CSRF).

6.8
2021-04-27 CVE-2021-29667 IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.2 is potentially vulnerable to CSV Injection.
6.8
2021-04-27 CVE-2021-22664 Criticalmanufacturing Out-of-bounds Write vulnerability in Criticalmanufacturing Cncsoft-B

CNCSoft-B Versions 1.0.0.3 and prior is vulnerable to an out-of-bounds write, which may allow an attacker to execute arbitrary code.

6.8
2021-04-27 CVE-2021-22660 Criticalmanufacturing Out-of-bounds Read vulnerability in Criticalmanufacturing Cncsoft-B

CNCSoft-B Versions 1.0.0.3 and prior is vulnerable to an out-of-bounds read, which may allow an attacker to execute arbitrary code.

6.8
2021-04-26 CVE-2021-21220 Google
Fedoraproject
Improper Input Validation vulnerability in multiple products

Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-04-26 CVE-2021-21204 Google
Debian
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Blink in Google Chrome on OS X prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-04-26 CVE-2021-21202 Google
Debian
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in extensions in Google Chrome prior to 90.0.4430.72 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.

6.8
2021-04-26 CVE-2021-21226 Google
Debian
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in navigation in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

6.8
2021-04-26 CVE-2021-21203 Google
Debian
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Blink in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-04-26 CVE-2021-21201 Google
Debian
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in permissions in Google Chrome prior to 90.0.4430.72 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

6.8
2021-04-26 CVE-2021-21214 Google
Debian
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Network API in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted Chrome Extension.

6.8
2021-04-26 CVE-2021-21213 Google
Debian
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in WebMIDI in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-04-26 CVE-2021-21225 Google
Debian
Fedoraproject
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Out of bounds memory access in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-04-26 CVE-2021-21224 Google
Debian
Fedoraproject
Type Confusion vulnerability in multiple products

Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

6.8
2021-04-26 CVE-2021-21223 Google
Debian
Fedoraproject
Integer Overflow or Wraparound vulnerability in multiple products

Integer overflow in Mojo in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

6.8
2021-04-26 CVE-2021-21207 Google
Debian
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in IndexedDB in Google Chrome prior to 90.0.4430.72 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.

6.8
2021-04-26 CVE-2021-21206 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Blink in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-04-30 CVE-2021-31933 Chamilo Improper Input Validation vulnerability in Chamilo

A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht).

6.5
2021-04-30 CVE-2021-21530 Dell OS Command Injection vulnerability in Dell Openmanage Enterprise-Modular

Dell OpenManage Enterprise-Modular (OME-M) versions prior to 1.30.00 contain a security bypass vulnerability.

6.5
2021-04-29 CVE-2021-29350 Shipment 100 Design Material Download System Project SQL Injection vulnerability in Shipment 100-Design Material Download System Project Shipment 100-Design Material Download System 1.1

SQL injection in the getip function in conn/function.php in ??100-???????? 1.1 allows remote attackers to inject arbitrary SQL commands via the X-Forwarded-For header to admin/product_add.php.

6.5
2021-04-29 CVE-2021-30229 Chinamobile Command Injection vulnerability in Chinamobile AN Lianbao Wf-1 Firmware 1.0.1

The api/zrDm/set_zrDm interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the dm_enable, AppKey, or Pwd parameter.

6.5
2021-04-29 CVE-2021-20091 Buffalo Unspecified vulnerability in Buffalo products

The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input.

6.5
2021-04-29 CVE-2021-25167 Arubanetworks Improper Privilege Management vulnerability in Arubanetworks Airwave

A remote unauthorized access vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1.

6.5
2021-04-29 CVE-2021-25166 Arubanetworks Command Injection vulnerability in Arubanetworks Airwave

A remote unauthorized access vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1.

6.5
2021-04-29 CVE-2021-21414 Prisma OS Command Injection vulnerability in Prisma

Prisma is an open source ORM for Node.js & TypeScript.

6.5
2021-04-28 CVE-2021-27648 Synology Externally Controlled Reference to a Resource in Another Sphere vulnerability in Synology Antivirus Essential

Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors.

6.5
2021-04-27 CVE-2021-29472 Getcomposer
Debian
Argument Injection or Modification vulnerability in multiple products

Composer is a dependency manager for PHP.

6.5
2021-04-27 CVE-2021-28269 Soyal Improper Privilege Management vulnerability in Soyal 701Client 9.0.1

Soyal Technology 701Client 9.0.1 is vulnerable to Insecure permissions via client.exe binary with Authenticated Users group with Full permissions.

6.5
2021-04-27 CVE-2021-28271 Soyal Incorrect Default Permissions vulnerability in Soyal 701Clientsql, 701Server and 701Serversql

Soyal Technologies SOYAL 701Server 9.0.1 suffers from an elevation of privileges vulnerability which can be used by an authenticated user to change the executable file with a binary choice.

6.5
2021-04-26 CVE-2021-20694 Dlink Incorrect Authorization vulnerability in Dlink Dap-1880Ac Firmware

Improper access control vulnerability in DAP-1880AC firmware version 1.21 and earlier allows a remote authenticated attacker to bypass access restriction and to start a telnet service via unspecified vectors.

6.5
2021-04-30 CVE-2020-4039 Fossasia Relative Path Traversal vulnerability in Fossasia Susi.Ai

SUSI.AI is an intelligent Open Source personal assistant.

6.4
2021-04-30 CVE-2020-18070 Idreamsoft Path Traversal vulnerability in Idreamsoft Icms 7.0.13

Path Traversal in iCMS v7.0.13 allows remote attackers to delete folders by injecting commands into a crafted HTTP request to the "do_del()" method of the component "database.admincp.php".

6.4
2021-04-29 CVE-2021-29140 Arubanetworks XXE vulnerability in Arubanetworks Clearpass

A remote XML external entity (XXE) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.9, 6.7.14-HF1.

6.4
2021-04-26 CVE-2021-20432 IBM Unspecified vulnerability in IBM Spectrum Protect Plus

IBM Spectrum Protect Plus 10.1.0 through 10.1.7 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.

6.4
2021-04-28 CVE-2021-25154 Arubanetworks Improper Privilege Management vulnerability in Arubanetworks Airwave

A remote escalation of privilege vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1.

6.0
2021-04-29 CVE-2021-29137 Arubanetworks Open Redirect vulnerability in Arubanetworks Airwave

A remote URL redirection vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1.

5.8
2021-04-29 CVE-2021-31879 GNU Open Redirect vulnerability in GNU Wget

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

5.8
2021-04-27 CVE-2020-21998 Homeautomation Project Open Redirect vulnerability in Homeautomation Project Homeautomation 3.3.2

In HomeAutomation 3.3.2 input passed via the 'redirect' GET parameter in 'api.php' script is not properly verified before being used to redirect users.

5.8
2021-04-27 CVE-2021-28125 Apache Open Redirect vulnerability in Apache Superset

Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious.

5.8
2021-04-26 CVE-2021-29475 Hedgedoc Server-Side Request Forgery (SSRF) vulnerability in Hedgedoc

HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor.

5.8
2021-04-26 CVE-2021-21205 Google
Debian
Fedoraproject
Insufficient policy enforcement in navigation in Google Chrome on iOS prior to 90.0.4430.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
5.8
2021-04-30 CVE-2021-21540 Dell Out-of-bounds Write vulnerability in Dell Idrac9 Firmware

Dell EMC iDRAC9 versions prior to 4.40.00.00 contain a stack-based overflow vulnerability.

5.5
2021-04-29 CVE-2021-1369 A vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected device.
5.5
2021-04-29 CVE-2021-25163 Arubanetworks XXE vulnerability in Arubanetworks Airwave

A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1.

5.5
2021-04-28 CVE-2020-7037 Avaya XXE vulnerability in Avaya Equinox Conferencing 9.0.0/9.1.10/9.1.9

An XML External Entities (XXE) vulnerability in Media Server component of Avaya Equinox Conferencing could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system or even potentially lead to a denial of service.

5.5
2021-04-28 CVE-2021-25165 Arubanetworks XXE vulnerability in Arubanetworks Airwave

A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1.

5.5
2021-04-28 CVE-2021-25164 Arubanetworks XXE vulnerability in Arubanetworks Airwave

A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1.

5.5
2021-04-28 CVE-2021-25153 Arubanetworks SQL Injection vulnerability in Arubanetworks Airwave

A remote SQL injection vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1.

5.5
2021-04-28 CVE-2021-31779 Yoast Server-Side Request Forgery (SSRF) vulnerability in Yoast SEO 7.2.0

The yoast_seo (aka Yoast SEO) extension before 7.2.1 for TYPO3 allows SSRF via a backend user account.

5.5
2021-04-27 CVE-2021-20714 Wpfastestcache Path Traversal vulnerability in Wpfastestcache WP Fastest Cache

Directory traversal vulnerability in WP Fastest Cache versions prior to 0.9.1.7 allows a remote attacker with administrator privileges to delete arbitrary files on the server via unspecified vectors.

5.5
2021-04-26 CVE-2021-23365 TYK Improper Authentication vulnerability in TYK Tyk-Identity-Broker

The package github.com/tyktechnologies/tyk-identity-broker before 1.1.1 are vulnerable to Authentication Bypass via the Go XML parser which can cause SAML authentication bypass.

5.5
2021-04-30 CVE-2020-28944 OX Guard 2.10.4 and earlier allows a Denial of Service via a WKS server that responds slowly or with a large amount of data.
5.0
2021-04-30 CVE-2021-21507 Dell Inadequate Encryption Strength vulnerability in Dell products

Dell EMC Networking X-Series firmware versions prior to 3.0.1.8 and Dell EMC PowerEdge VRTX Switch Module firmware versions prior to 2.0.0.82 contain a Weak Password Encryption Vulnerability.

5.0
2021-04-30 CVE-2021-29486 Cumulative Distribution Function Project Infinite Loop vulnerability in Cumulative-Distribution-Function Project Cumulative-Distribution-Function

cumulative-distribution-function is an open source npm library used which calculates statistical cumulative distribution function from data array of x values.

5.0
2021-04-30 CVE-2020-7731 Gosaml2 Project NULL Pointer Dereference vulnerability in Gosaml2 Project Gosaml2

This affects all versions of package github.com/russellhaering/gosaml2.

5.0
2021-04-30 CVE-2021-31871 Klibc Project Integer Overflow or Wraparound vulnerability in Klibc Project Klibc

An issue was discovered in klibc before 2.0.9.

5.0
2021-04-30 CVE-2021-31919 An issue was discovered in the rkyv crate before 0.6.0 for Rust.
5.0
2021-04-29 CVE-2021-1495 Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP.
5.0
2021-04-29 CVE-2021-1445 Multiple vulnerabilities in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
5.0
2021-04-29 CVE-2021-1504 Multiple vulnerabilities in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
5.0
2021-04-29 CVE-2021-30048 Novel Boutique House Plus Project Path Traversal vulnerability in Novel Boutique House-Plus Project Novel Boutique House-Plus 3.5.1

Directory Traversal in the fileDownload function in com/java2nb/common/controller/FileController.java in Novel-plus (?????-plus) 3.5.1 allows attackers to read arbitrary files via the filePath parameter.

5.0
2021-04-29 CVE-2021-20228 Redhat Insufficiently Protected Credentials vulnerability in Redhat products

A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module.

5.0
2021-04-29 CVE-2020-22002 Inim Server-Side Request Forgery (SSRF) vulnerability in Inim products

An Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in Inim Electronics Smartliving SmartLAN/G/SI <=6.x within the GetImage functionality.

5.0
2021-04-29 CVE-2021-20092 Buffalo Information Exposure vulnerability in Buffalo products

The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.

5.0
2021-04-29 CVE-2021-28899 Live555 Unspecified vulnerability in Live555 Streaming Media

Vulnerability in the AC3AudioFileServerMediaSubsession, ADTSAudioFileServerMediaSubsession, and AMRAudioFileServerMediaSubsessionLive OnDemandServerMediaSubsession subclasses in Networks LIVE555 Streaming Media before 2021.3.16.

5.0
2021-04-29 CVE-2020-21997 Smartwares Information Exposure vulnerability in Smartwares Home Easy Firmware

Smartwares HOME easy <=1.0.9 is vulnerable to an unauthenticated database backup download and information disclosure vulnerability.

5.0
2021-04-29 CVE-2020-21990 Domoticz Incorrect Authorization vulnerability in Domoticz Mydomoathome 0.240

Emmanuel MyDomoAtHome (MDAH) REST API REST API Domoticz ISS Gateway 0.2.40 is affected by an information disclosure vulnerability due to improper access control enforcement.

5.0
2021-04-29 CVE-2021-25215 Debian
ISC
Fedoraproject
Reachable Assertion vulnerability in multiple products

In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check.

5.0
2021-04-28 CVE-2021-29483 Miraheze Information Exposure vulnerability in Miraheze Managewiki

ManageWiki is an extension to the MediaWiki project.

5.0
2021-04-28 CVE-2020-7038 Avaya Incorrect Authorization vulnerability in Avaya Equinox Conferencing 9.0.0/9.1.10/9.1.9

A vulnerability was discovered in Management component of Avaya Equinox Conferencing that could potentially allow an unauthenticated, remote attacker to gain access to screen sharing and whiteboard sessions.

5.0
2021-04-28 CVE-2020-22784 Etherpad Incorrect Authorization vulnerability in Etherpad Ueberdb

In Etherpad UeberDB < 0.4.4, due to MySQL omitting trailing spaces on char / varchar columns during comparisons, retrieving database records using UeberDB's MySQL connector could allow bypassing access controls enforced on key names.

5.0
2021-04-28 CVE-2020-22782 Etherpad Unspecified vulnerability in Etherpad

Etherpad < 1.8.3 is affected by a denial of service in the import functionality.

5.0
2021-04-28 CVE-2020-22785 Etherpad Allocation of Resources Without Limits or Throttling vulnerability in Etherpad

Etherpad < 1.8.3 is affected by a missing lock check which could cause a denial of service.

5.0
2021-04-28 CVE-2020-22781 Etherpad SQL Injection vulnerability in Etherpad

In Etherpad < 1.8.3, a specially crafted URI would raise an unhandled exception in the cache mechanism and cause a denial of service (crash the instance).

5.0
2021-04-28 CVE-2021-29482 XZ Project Infinite Loop vulnerability in XZ Project XZ

xz is a compression and decompression library focusing on the xz format completely written in Go.

5.0
2021-04-28 CVE-2021-23364 Browserslist Project Unspecified vulnerability in Browserslist Project Browserslist

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

5.0
2021-04-28 CVE-2020-21996 AVE Command Injection vulnerability in AVE products

AVE DOMINAplus <=1.10.x suffers from an unauthenticated reboot command execution.

5.0
2021-04-28 CVE-2020-18019 Xinfu SQL Injection vulnerability in Xinfu OA System 1.8.3

SQL Injection in Xinhu OA System v1.8.3 allows remote attackers to obtain sensitive information by injecting arbitrary commands into the "typeid" variable of the "createfolderAjax" function in the "mode_worcAction.php" component.

5.0
2021-04-28 CVE-2021-22332 Huawei Double Free vulnerability in Huawei products

There is a pointer double free vulnerability in some versions of CloudEngine 5800, CloudEngine 6800, CloudEngine 7800 and CloudEngine 12800.

5.0
2021-04-28 CVE-2021-22331 Huawei Injection vulnerability in Huawei P30 Firmware

There is a JavaScript injection vulnerability in certain Huawei smartphones.

5.0
2021-04-28 CVE-2021-22393 Huawei Unspecified vulnerability in Huawei products

There is a denial of service vulnerability in some versions of CloudEngine 5800, CloudEngine 6800, CloudEngine 7800 and CloudEngine 12800.

5.0
2021-04-28 CVE-2021-30169 Meritlilin Information Exposure vulnerability in Meritlilin products

The sensitive information of webcam device is not properly protected.

5.0
2021-04-28 CVE-2021-31866 Redmine
Debian
Information Exposure Through Discrepancy vulnerability in multiple products

Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController.

5.0
2021-04-28 CVE-2021-31865 Redmine
Debian
Incorrect Authorization vulnerability in multiple products

Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments.

5.0
2021-04-28 CVE-2021-31864 Redmine
Debian
Incorrect Authorization vulnerability in multiple products

Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler.

5.0
2021-04-28 CVE-2021-31863 Redmine
Debian
Improper Input Validation vulnerability in multiple products

Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by the application server process.

5.0
2021-04-27 CVE-2021-29442 Alibaba Missing Authentication for Critical Function vulnerability in Alibaba Nacos

Nacos is a platform designed for dynamic service discovery and configuration and service management.

5.0
2021-04-27 CVE-2021-30638 Apache Information Exposure vulnerability in Apache Tapestry 5.4.0

Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL.

5.0
2021-04-27 CVE-2020-17517 Apache Missing Authorization vulnerability in Apache Ozone 0.4.2/0.5.0/1.0.0

The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default.

5.0
2021-04-27 CVE-2019-25041 Nlnetlabs
Debian
Reachable Assertion vulnerability in multiple products

** DISPUTED ** Unbound before 1.9.5 allows an assertion failure via a compressed name in dname_pkt_copy.

5.0
2021-04-27 CVE-2019-25040 Nlnetlabs
Debian
Infinite Loop vulnerability in multiple products

** DISPUTED ** Unbound before 1.9.5 allows an infinite loop via a compressed name in dname_pkt_copy.

5.0
2021-04-27 CVE-2019-25037 Nlnetlabs
Debian
Reachable Assertion vulnerability in multiple products

** DISPUTED ** Unbound before 1.9.5 allows an assertion failure and denial of service in dname_pkt_copy via an invalid packet.

5.0
2021-04-27 CVE-2019-25036 Nlnetlabs
Debian
Reachable Assertion vulnerability in multiple products

** DISPUTED ** Unbound before 1.9.5 allows an assertion failure and denial of service in synth_cname.

5.0
2021-04-27 CVE-2021-31826 Shibboleth NULL Pointer Dereference vulnerability in Shibboleth Service Provider

Shibboleth Service Provider 3.x before 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature.

5.0
2021-04-27 CVE-2021-30635 Sonatype Path Traversal vulnerability in Sonatype Nexus Repository Manager

Sonatype Nexus Repository Manager 3.x before 3.30.1 allows a remote attacker to get a list of files and directories that exist in a UI-related folder via directory traversal (no customer-specific data is exposed).

5.0
2021-04-27 CVE-2021-31671 Pgsync Project Cleartext Transmission of Sensitive Information vulnerability in Pgsync Project Pgsync

pgsync before 0.6.7 is affected by Information Disclosure of sensitive information.

5.0
2021-04-27 CVE-2021-30165 Edimax Use of Hard-coded Credentials vulnerability in Edimax Ic-3140W Firmware 3.11

The default administrator account & password of the EDIMAX wireless network camera is hard-coded.

5.0
2021-04-26 CVE-2021-29474 Hedgedoc Improper Input Validation vulnerability in Hedgedoc

HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor.

5.0
2021-04-26 CVE-2021-31783 Piwigo Insufficient Verification of Data Authenticity vulnerability in Piwigo Localfiles Editor

show_default.php in the LocalFilesEditor extension before 11.4.0.1 for Piwigo allows Local File Inclusion because the file parameter is not validated with a proper regular-expression check.

5.0
2021-04-26 CVE-2020-36325 Jansson Project Out-of-bounds Read vulnerability in Jansson Project Jansson

** DISPUTED ** An issue was discovered in Jansson through 2.13.1.

5.0
2021-04-26 CVE-2020-4562 IBM Information Exposure vulnerability in IBM Planning Analytics 2.0

IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information by allowing cross-window communication with unrestricted target origin via documentation frames.

5.0
2021-04-26 CVE-2021-29694 IBM Inadequate Encryption Strength vulnerability in IBM Spectrum Protect Plus

IBM Spectrum Protect Plus 10.1.0 through 10.1.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

5.0
2021-04-26 CVE-2021-23382 Postcss Unspecified vulnerability in Postcss

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js.

5.0
2021-04-26 CVE-2021-28399 Orangehrm Unspecified vulnerability in Orangehrm 4.7

OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function.

5.0
2021-04-26 CVE-2020-15078 Openvpn
Fedoraproject
Improper Authentication vulnerability in multiple products

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

5.0
2021-04-26 CVE-2021-25839 Minthcm Weak Password Requirements vulnerability in Minthcm 3.0.8

A weak password requirement vulnerability exists in the Create New User function of MintHCM RELEASE 3.0.8, which could lead an attacker to easier password brute-forcing.

5.0
2021-04-26 CVE-2021-20712 NEC Incorrect Authorization vulnerability in NEC Aterm Wg2600Hs Firmware and Aterm Wx3000Hp Firmware

Improper access control vulnerability in NEC Aterm WG2600HS firmware Ver1.5.1 and earlier, and Aterm WX3000HP firmware Ver1.1.2 and earlier allows a device connected to the LAN side to be accessed from the WAN side due to the defect in the IPv6 firewall function.

5.0
2021-04-26 CVE-2021-20693 Gurunavi Incorrect Authorization vulnerability in Gurunavi

Improper access control vulnerability in Gurunavi App for Android ver.10.0.10 and earlier and for iOS ver.11.1.2 and earlier allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.

5.0
2021-04-30 CVE-2021-21539 Dell Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Dell Idrac9 Firmware

Dell EMC iDRAC9 versions prior to 4.40.00.00 contain a Time-of-check Time-of-use (TOCTOU) race condition vulnerability.

4.6
2021-04-30 CVE-2021-21531 Dell Incorrect Resource Transfer Between Spheres vulnerability in Dell products

Dell Unisphere for PowerMax versions prior to 9.2.1.6 contain an Authorization Bypass Vulnerability.

4.6
2021-04-30 CVE-2021-20515 IBM Out-of-bounds Write vulnerability in IBM Informix Dynamic Server 14.10

IBM Informix Dynamic Server 14.10 is vulnerable to a stack based buffer overflow, caused by improper bounds checking.

4.6
2021-04-29 CVE-2021-1084 Nvidia Improper Input Validation vulnerability in Nvidia Virtual GPU Manager

NVIDIA vGPU driver contains a vulnerability in the guest kernel mode driver and Virtual GPU Manager (vGPU plugin), in which an input length is not validated, which may lead to information disclosure, tampering of data or denial of service.

4.6
2021-04-29 CVE-2021-1085 Nvidia Improper Input Validation vulnerability in Nvidia Virtual GPU Manager

NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where there is the potential to write to a shared memory location and manipulate the data after the data has been validated, which may lead to denial of service and escalation of privileges and information disclosure but attacker doesn't have control over what information is obtained.

4.6
2021-04-29 CVE-2021-1083 NVIDIA vGPU software contains a vulnerability in the guest kernel mode driver and Virtual GPU Manager (vGPU plugin), in which an input length is not validated, which may lead to information disclosure, tampering of data, or denial of service.
4.6
2021-04-29 CVE-2021-1082 NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), in which an input length is not validated, which may lead to information disclosure, tampering of data, or denial of service.
4.6
2021-04-29 CVE-2021-1081 NVIDIA vGPU software contains a vulnerability in the guest kernel mode driver and Virtual GPU manager (vGPU plugin), in which an input length is not validated, which may lead to information disclosure, tampering of data, or denial of service.
4.6
2021-04-29 CVE-2021-1080 NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), in which certain input data is not validated, which may lead to information disclosure, tampering of data, or denial of service.
4.6
2021-04-29 CVE-2021-31429 Parallels Heap-based Buffer Overflow vulnerability in Parallels Desktop 15.1.547309

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.5-47309.

4.6
2021-04-29 CVE-2021-31420 Parallels Stack-based Buffer Overflow vulnerability in Parallels Desktop 16.1.048950

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.0-48950.

4.6
2021-04-29 CVE-2021-31428 Parallels Heap-based Buffer Overflow vulnerability in Parallels Desktop 15.1.547309

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.5-47309.

4.6
2021-04-29 CVE-2021-31424 Parallels Heap-based Buffer Overflow vulnerability in Parallels Desktop 15.1.547309

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.5-47309.

4.6
2021-04-29 CVE-2021-20095 Pocoo
Fedoraproject
Path Traversal vulnerability in multiple products

Relative Path Traversal in Babel 2.9.0 allows an attacker to load arbitrary locale files on disk and execute arbitrary code.

4.6
2021-04-30 CVE-2021-26807 GOG Untrusted Search Path vulnerability in GOG Galaxy 2.0.28.9

GalaxyClient version 2.0.28.9 loads unsigned DLLs such as zlib1.dll, libgcc_s_dw2-1.dll and libwinpthread-1.dll from PATH, which allows an attacker to potentially run code locally through unsigned DLL loading.

4.4
2021-04-29 CVE-2021-31422 Parallels Improper Locking vulnerability in Parallels Desktop 16.1.149141

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.1-49141.

4.4
2021-05-02 CVE-2021-28359 Apache
Python
Cross-site Scripting vulnerability in multiple products

The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.

4.3
2021-04-30 CVE-2021-31935 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite

OX App Suite 7.10.4 and earlier allows XSS via a crafted distribution list (payload in the common name) that is mishandled in the scheduling view.

4.3
2021-04-30 CVE-2021-31934 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite

OX App Suite 7.10.4 and earlier allows XSS via a crafted contact object (payload in the position or company field) that is mishandled in the App Suite UI on a smartphone.

4.3
2021-04-30 CVE-2021-21229 Google
Debian
Fedoraproject
Origin Validation Error vulnerability in multiple products

Incorrect security UI in downloads in Google Chrome on Android prior to 90.0.4430.93 allowed a remote attacker to perform domain spoofing via a crafted HTML page.

4.3
2021-04-30 CVE-2021-21228 Google
Debian
Fedoraproject
Incorrect Authorization vulnerability in multiple products

Insufficient policy enforcement in extensions in Google Chrome prior to 90.0.4430.93 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.

4.3
2021-04-30 CVE-2021-21541 Dell Cross-site Scripting vulnerability in Dell Idrac9 Firmware

Dell EMC iDRAC9 versions prior to 4.40.00.00 contain a DOM-based cross-site scripting vulnerability.

4.3
2021-04-30 CVE-2020-18084 Yzmcms Cross-site Scripting vulnerability in Yzmcms 5.2

Cross Site Scripting (XSS) in yzmCMS v5.2 allows remote attackers to execute arbitrary code by injecting commands into the "referer" field of a POST request to the component "/member/index/login.html" when logging in.

4.3
2021-04-30 CVE-2021-29463 Exiv2 Out-of-bounds Read vulnerability in Exiv2

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files.

4.3
2021-04-30 CVE-2020-1721 Dogtagpki Cross-site Scripting vulnerability in Dogtagpki 10.10.5

A flaw was found in the Key Recovery Authority (KRA) Agent Service in pki-core 10.10.5 where it did not properly sanitize the recovery ID during a key recovery request, enabling a reflected cross-site scripting (XSS) vulnerability.

4.3
2021-04-29 CVE-2020-18035 Jeesns Cross-site Scripting vulnerability in Jeesns 1.4.2

Cross Site Scripting (XSS) in Jeesns v1.4.2 allows remote attackers to execute arbitrary code by injecting commands into the "CKEditorFuncNum" parameter in the component "CkeditorUploadController.java".

4.3
2021-04-29 CVE-2021-29484 Ghost Cross-site Scripting vulnerability in Ghost

Ghost is a Node.js CMS.

4.3
2021-04-29 CVE-2020-22808 An issue was found in yii2_fecshop 2.x.
4.3
2021-04-29 CVE-2021-21417 Fluidsynth
Debian
Use After Free vulnerability in multiple products

fluidsynth is a software synthesizer based on the SoundFont 2 specifications.

4.3
2021-04-29 CVE-2021-30227 Emlog Cross-site Scripting vulnerability in Emlog 6.0.0

Cross Site Scripting (XSS) vulnerability in the article comments feature in emlog 6.0.

4.3
2021-04-29 CVE-2021-25810 Mercusys Cross-site Scripting vulnerability in Mercusys Mercury X18G Firmware 1.0.5

Cross site Scripting (XSS) vulnerability in MERCUSYS Mercury X18G 1.0.5 devices, via crafted values to the 'src_dport_start', 'src_dport_end', and 'dest_port' parameters.

4.3
2021-04-29 CVE-2021-28280 PHP Fusion Cross-site Scripting vulnerability in PHP-Fusion PHPfusion 9.03.110

CSRF + Cross-site scripting (XSS) vulnerability in search.php in PHPFusion 9.03.110 allows remote attackers to inject arbitrary web script or HTML

4.3
2021-04-29 CVE-2021-30219 Samurai Project NULL Pointer Dereference vulnerability in Samurai Project Samurai 1.2

samurai 1.2 has a NULL pointer dereference in printstatus() function in build.c via a crafted build file.

4.3
2021-04-29 CVE-2021-30218 Samurai Project NULL Pointer Dereference vulnerability in Samurai Project Samurai 1.2

samurai 1.2 has a NULL pointer dereference in writefile() in util.c via a crafted build file.

4.3
2021-04-29 CVE-2021-30027 Md4C Project Use of Uninitialized Resource vulnerability in Md4C Project Md4C 0.4.7

md_analyze_line in md4c.c in md4c 0.4.7 allows attackers to trigger use of uninitialized memory, and cause a denial of service via a malformed Markdown document.

4.3
2021-04-29 CVE-2021-21391 Ckeditor Resource Exhaustion vulnerability in Ckeditor products

CKEditor 5 provides a WYSIWYG editing solution.

4.3
2021-04-28 CVE-2020-22789 Safe Cross-site Scripting vulnerability in Safe FME Server

Unauthenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via the login page.

4.3
2021-04-28 CVE-2020-18022 Qibosoft Cross-site Scripting vulnerability in Qibosoft Qibocms V7

Cross Site Scripting (XSS) in Qibosoft QiboCMS v7 and earlier allows remote attackers to execute arbitrary code or obtain sensitive information by injecting arbitrary commands in a HTTP request to the "ewebeditor\3.1.1\kindeditor.js" component.

4.3
2021-04-28 CVE-2020-17999 1234N Cross-site Scripting vulnerability in 1234N Minicms 1.10

Cross Site Scripting (XSS) in MiniCMS v1.10 allows remote attackers to execute arbitrary code by injecting commands via a crafted HTTP request to the component "/mc-admin/post-edit.php".

4.3
2021-04-28 CVE-2020-21993 Wems Cross-site Scripting vulnerability in Wems Enterprise Manager

In WEMS Limited Enterprise Manager 2.58, input passed to the GET parameter 'email' is not properly sanitized before being returned to the user.

4.3
2021-04-28 CVE-2021-3508 Pdfresurrect Project Infinite Loop vulnerability in Pdfresurrect Project Pdfresurrect 0.22B

A flaw was found in PDFResurrect in version 0.22b.

4.3
2021-04-28 CVE-2021-29159 Sonatype Cross-site Scripting vulnerability in Sonatype Nexus Repository Manager

A cross-site scripting (XSS) vulnerability has been discovered in Nexus Repository Manager 3.x before 3.30.1.

4.3
2021-04-28 CVE-2021-22327 Huawei Out-of-bounds Write vulnerability in Huawei P30 Firmware

There is an arbitrary memory write vulnerability in Huawei smart phone when processing file parsing.

4.3
2021-04-28 CVE-2021-27933 Pfsense Cross-site Scripting vulnerability in Pfsense 2.5.0

pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field.

4.3
2021-04-27 CVE-2020-21987 Homeautomation Project Cross-site Scripting vulnerability in Homeautomation Project Homeautomation 3.3.2

HomeAutomation 3.3.2 is affected by persistent Cross Site Scripting (XSS).

4.3
2021-04-27 CVE-2021-20715 Recruit Holdings Incorrect Authorization vulnerability in Recruit-Holdings HOT Pepper Gourmet

Improper access control vulnerability in Hot Pepper Gourmet App for Android ver.4.111.0 and earlier, and for iOS ver.4.111.0 and earlier allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.

4.3
2021-04-27 CVE-2019-25031 Nlnetlabs
Debian
Injection vulnerability in multiple products

** DISPUTED ** Unbound before 1.9.5 allows configuration injection in create_unbound_ad_servers.sh upon a successful man-in-the-middle attack against a cleartext HTTP session.

4.3
2021-04-26 CVE-2021-21218 Google
Debian
Fedoraproject
Use of Uninitialized Resource vulnerability in multiple products

Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file.

4.3
2021-04-26 CVE-2021-21211 Google
Debian
Fedoraproject
Origin Validation Error vulnerability in multiple products

Inappropriate implementation in Navigation in Google Chrome on iOS prior to 90.0.4430.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

4.3
2021-04-26 CVE-2021-21209 Google
Debian
Fedoraproject
Origin Validation Error vulnerability in multiple products

Inappropriate implementation in storage in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

4.3
2021-04-26 CVE-2021-21219 Google
Debian
Fedoraproject
Information Exposure vulnerability in multiple products

Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file.

4.3
2021-04-26 CVE-2021-21217 Google
Debian
Fedoraproject
Information Exposure vulnerability in multiple products

Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file.

4.3
2021-04-26 CVE-2021-21212 Google
Debian
Fedoraproject
Incorrect security UI in Network Config UI in Google Chrome on ChromeOS prior to 90.0.4430.72 allowed a remote attacker to potentially compromise WiFi connection security via a malicious WAP.
4.3
2021-04-26 CVE-2021-21210 Google
Debian
Fedoraproject
Exposure of Resource to Wrong Sphere vulnerability in multiple products

Inappropriate implementation in Network in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially access local UDP ports via a crafted HTML page.

4.3
2021-04-26 CVE-2021-21216 Google
Debian
Fedoraproject
Authentication Bypass by Spoofing vulnerability in multiple products

Inappropriate implementation in Autofill in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to spoof security UI via a crafted HTML page.

4.3
2021-04-26 CVE-2021-21215 Google
Debian
Fedoraproject
Authentication Bypass by Spoofing vulnerability in multiple products

Inappropriate implementation in Autofill in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to spoof security UI via a crafted HTML page.

4.3
2021-04-26 CVE-2021-21222 Google
Debian
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.

4.3
2021-04-26 CVE-2021-21221 Google
Debian
Fedoraproject
Improper Input Validation vulnerability in multiple products

Insufficient validation of untrusted input in Mojo in Google Chrome prior to 90.0.4430.72 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.

4.3
2021-04-26 CVE-2021-21208 Google
Debian
Fedoraproject
Improper Input Validation vulnerability in multiple products

Insufficient data validation in QR scanner in Google Chrome on iOS prior to 90.0.4430.72 allowed an attacker displaying a QR code to perform domain spoofing via a crafted QR code.

4.3
2021-04-26 CVE-2021-3494 Theforeman Cleartext Transmission of Sensitive Information vulnerability in Theforeman Foreman

A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack.

4.3
2021-04-26 CVE-2021-25838 Minthcm Cross-site Scripting vulnerability in Minthcm 3.0.8

The Import function in MintHCM RELEASE 3.0.8 allows an attacker to execute a cross-site scripting (XSS) payload in file-upload.

4.3
2021-04-26 CVE-2021-28079 Jamovi Cross-site Scripting vulnerability in Jamovi

Jamovi <=1.6.18 is affected by a cross-site scripting (XSS) vulnerability.

4.3
2021-04-26 CVE-2021-31804 Leocad Use After Free vulnerability in Leocad

LeoCAD before 21.03 sometimes allows a use-after-free during the opening of a new document.

4.3
2021-04-26 CVE-2021-31803 Cpanel Cross-site Scripting vulnerability in Cpanel

cPanel before 94.0.3 allows self-XSS via EasyApache 4 Save Profile (SEC-581).

4.3
2021-04-26 CVE-2021-20710 Aterm Cross-site Scripting vulnerability in Aterm Wg2600Hs Firmware

Cross-site scripting vulnerability in Aterm WG2600HS firmware Ver1.5.1 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.

4.3
2021-04-26 CVE-2021-20680 NEC Cross-site Scripting vulnerability in NEC products

Cross-site scripting vulnerability in NEC Aterm devices (Aterm WG1900HP2 firmware Ver.1.3.1 and earlier, Aterm WG1900HP firmware Ver.2.5.1 and earlier, Aterm WG1800HP4 firmware Ver.1.3.1 and earlier, Aterm WG1800HP3 firmware Ver.1.5.1 and earlier, Aterm WG1200HS2 firmware Ver.2.5.0 and earlier, Aterm WG1200HP3 firmware Ver.1.3.1 and earlier, Aterm WG1200HP2 firmware Ver.2.5.0 and earlier, Aterm W1200EX firmware Ver.1.3.1 and earlier, Aterm W1200EX-MS firmware Ver.1.3.1 and earlier, Aterm WG1200HS firmware all versions Aterm WG1200HP firmware all versions Aterm WF800HP firmware all versions Aterm WF300HP2 firmware all versions Aterm WR8165N firmware all versions Aterm W500P firmware all versions, and Aterm W300P firmware all versions) allows remote attackers to inject arbitrary script or HTML via unspecified vectors.

4.3
2021-04-30 CVE-2020-28943 Open Xchange Server-Side Request Forgery (SSRF) vulnerability in Open-Xchange Appsuite

OX App Suite 7.10.4 and earlier allows SSRF via a snippet.

4.0
2021-04-30 CVE-2021-21544 Dell Incorrect Resource Transfer Between Spheres vulnerability in Dell Idrac9 Firmware

Dell EMC iDRAC9 versions prior to 4.40.00.00 contain an improper authentication vulnerability.

4.0
2021-04-30 CVE-2021-31926 Cubecoders Incorrect Authorization vulnerability in Cubecoders AMP

AMP Application Deployment Service in CubeCoders AMP 2.1.x before 2.1.1.2 allows a remote, authenticated user to open ports in the local system firewall by crafting an HTTP(S) request directly to the applicable API endpoint (despite not having permission to make changes to the system's network configuration).

4.0
2021-04-30 CVE-2021-20266 RPM
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

A flaw was found in RPM's hdrblobInit() in lib/header.c.

4.0
2021-04-30 CVE-2021-20326 Mongodb Incorrect Permission Assignment for Critical Resource vulnerability in Mongodb

A user authorized to performing a specific type of find query may trigger a denial of service.

4.0
2021-04-29 CVE-2020-15225 Django Filter Project Incorrect Conversion between Numeric Types vulnerability in Django-Filter Project Django-Filter

django-filter is a generic system for filtering Django QuerySets based on user selections.

4.0
2021-04-29 CVE-2021-1477 A vulnerability in an access control mechanism of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to access services beyond the scope of their authorization.
4.0
2021-04-29 CVE-2021-29141 Arubanetworks Incorrect Authorization vulnerability in Arubanetworks Clearpass

A remote disclosure of sensitive information vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1.

4.0
2021-04-29 CVE-2021-29138 Arubanetworks Insufficiently Protected Credentials vulnerability in Arubanetworks Clearpass

A remote disclosure of privileged information vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1.

4.0
2021-04-29 CVE-2021-29144 Arubanetworks Incorrect Authorization vulnerability in Arubanetworks Clearpass

A remote disclosure of sensitive information vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1.

4.0
2021-04-29 CVE-2021-25214 ISC
Debian
Fedoraproject
Reachable Assertion vulnerability in multiple products

In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed.

4.0
2021-04-28 CVE-2020-22783 Etherpad Cleartext Storage of Sensitive Information vulnerability in Etherpad

Etherpad <1.8.3 stored passwords used by users insecurely in the database and in log files.

4.0
2021-04-28 CVE-2021-31777 Dynamic Content Elements Project SQL Injection vulnerability in Dynamic Content Elements Project Dynamic Content Elements

The dce (aka Dynamic Content Element) extension 2.2.0 through 2.6.x before 2.6.2, and 2.7.x before 2.7.1, for TYPO3 allows SQL Injection via a backend user account.

4.0

51 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-04-29 CVE-2021-1086 NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager (vGPU plugin) where it allows guests to control unauthorized resources, which may lead to integrity and confidentiality loss or information disclosure.
3.6
2021-04-29 CVE-2021-1256 A vulnerability in the CLI of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to overwrite files on the file system of an affected device by using directory traversal techniques.
3.6
2021-04-27 CVE-2020-4981 IBM Improper Privilege Management vulnerability in IBM Spectrum Scale

IBM Spectrum Scale 5.0.4.1 through 5.1.0.3 could allow a local privileged user to overwrite files due to improper input validation.

3.6
2021-04-30 CVE-2021-31792 Salesagility Cross-site Scripting vulnerability in Salesagility Suitecrm

XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field

3.5
2021-04-30 CVE-2021-21543 Dell Cross-site Scripting vulnerability in Dell Idrac9 Firmware

Dell EMC iDRAC9 versions prior to 4.40.00.00 contain multiple stored cross-site scripting vulnerabilities.

3.5
2021-04-30 CVE-2021-21542 Dell Cross-site Scripting vulnerability in Dell Idrac9 Firmware

Dell EMC iDRAC9 versions prior to 4.40.10.00 contain multiple stored cross-site scripting vulnerabilities.

3.5
2021-04-29 CVE-2021-1455 Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.
3.5
2021-04-29 CVE-2021-1458 Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.
3.5
2021-04-29 CVE-2021-1457 Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.
3.5
2021-04-29 CVE-2021-1456 Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.
3.5
2021-04-29 CVE-2020-21101 Screenly Cross-site Scripting vulnerability in Screenly

Cross Site Scriptiong vulnerabilityin Screenly screenly-ose all versions, including v1.8.2 (2019-09-25-Screenly-OSE-lite.img), in the 'Add Asset' page via manipulation of a 'URL' field, which could let a remote malicious user execute arbitrary code.

3.5
2021-04-29 CVE-2021-29139 Arubanetworks Cross-site Scripting vulnerability in Arubanetworks Clearpass

A remote cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1.

3.5
2021-04-29 CVE-2021-29142 Arubanetworks Cross-site Scripting vulnerability in Arubanetworks Clearpass

A remote cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1.

3.5
2021-04-29 CVE-2021-29146 Arubanetworks Cross-site Scripting vulnerability in Arubanetworks Clearpass

A remote cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1.

3.5
2021-04-28 CVE-2020-22790 Safe Cross-site Scripting vulnerability in Safe FME Server

Authenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to execute codeby injecting arbitrary web script or HTML via modifying the name of the users.

3.5
2021-04-28 CVE-2021-29388 Budget Management System Project Cross-site Scripting vulnerability in Budget Management System Project Budget Management System 1.0

A stored cross-site scripting (XSS) vulnerability in SourceCodester Budget Management System 1.0 allows users to inject and store arbitrary JavaScript code in index.php via vulnerable field 'Budget Title'.

3.5
2021-04-28 CVE-2021-29387 Equipment Inventory System Project Cross-site Scripting vulnerability in Equipment Inventory System Project Equipment Inventory System 1.0

Multiple stored cross-site scripting (XSS) vulnerabilities in Sourcecodester Equipment Inventory System 1.0 allow remote attackers to inject arbitrary javascript via any "Add" sections, such as Add Item , Employee and Position or others in the Name Parameters.

3.5
2021-04-28 CVE-2021-31778 Media2Click Project Cross-site Scripting vulnerability in Media2Click Project Media2Click

The media2click (aka 2 Clicks for External Media) extension 1.x before 1.3.3 for TYPO3 allows XSS by a backend user account.

3.5
2021-04-27 CVE-2021-29460 Getkirby Cross-site Scripting vulnerability in Getkirby Kirby

Kirby is an open source CMS.

3.5
2021-04-27 CVE-2021-21365 Typo3 Cross-site Scripting vulnerability in Typo3

Bootstrap Package is a theme for TYPO3.

3.5
2021-04-27 CVE-2021-29666 IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.2 is vulnerable to cross-site scripting.
3.5
2021-04-27 CVE-2021-20549 IBM Cross-site Scripting vulnerability in IBM Content Navigator 3.0.0

IBM Content Navigator 3.0.CD is vulnerable to cross-site scripting.

3.5
2021-04-27 CVE-2021-20448 IBM Cross-site Scripting vulnerability in IBM Content Navigator 3.0.0

IBM Content Navigator 3.0.CD is vulnerable to cross-site scripting.

3.5
2021-04-27 CVE-2021-20550 IBM Cross-site Scripting vulnerability in IBM Content Navigator 3.0.0

IBM Content Navigator 3.0.CD is vulnerable to cross-site scripting.

3.5
2021-04-27 CVE-2020-35542 Unisys Cross-site Scripting vulnerability in Unisys Data Exchange Management Studio

Unisys Data Exchange Management Studio through 5.0.34 doesn't sanitize the input to a HTML document field.

3.5
2021-04-28 CVE-2021-22330 Huawei Out-of-bounds Write vulnerability in Huawei P30 Firmware 9.1.0.131(C00E130R1P21)

There is an out of bounds write vulnerability in Huawei Smartphone HUAWEI P30 versions 9.1.0.131(C00E130R1P21) when processing a message.

3.3
2021-04-28 CVE-2021-3511 Buffalo Incorrect Authorization vulnerability in Buffalo products

Disclosure of sensitive information to an unauthorized user vulnerability in Buffalo broadband routers (BHR-4GRV firmware Ver.1.99 and prior, DWR-HP-G300NH firmware Ver.1.83 and prior, HW-450HP-ZWE firmware Ver.1.99 and prior, WHR-300HP firmware Ver.1.99 and prior, WHR-300 firmware Ver.1.99 and prior, WHR-G301N firmware Ver.1.86 and prior, WHR-HP-G300N firmware Ver.1.99 and prior, WHR-HP-GN firmware Ver.1.86 and prior, WPL-05G300 firmware Ver.1.87 and prior, WZR-450HP-CWT firmware Ver.1.99 and prior, WZR-450HP-UB firmware Ver.1.99 and prior, WZR-HP-AG300H firmware Ver.1.75 and prior, WZR-HP-G300NH firmware Ver.1.83 and prior, WZR-HP-G301NH firmware Ver.1.83 and prior, WZR-HP-G302H firmware Ver.1.85 and prior, WZR-HP-G450H firmware Ver.1.89 and prior, WZR-300HP firmware Ver.1.99 and prior, WZR-450HP firmware Ver.1.99 and prior, WZR-600DHP firmware Ver.1.99 and prior, WZR-D1100H firmware Ver.1.99 and prior, FS-HP-G300N firmware Ver.3.32 and prior, FS-600DHP firmware Ver.3.38 and prior, FS-R600DHP firmware Ver.3.39 and prior, and FS-G300N firmware Ver.3.13 and prior) allows remote unauthenticated attackers to obtain information such as configuration via unspecified vectors.

3.3
2021-04-26 CVE-2021-29473 Exiv2
Fedoraproject
Debian
Out-of-bounds Read vulnerability in multiple products

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata.

2.6
2021-04-30 CVE-2021-21547 Dell Cleartext Storage of Sensitive Information vulnerability in Dell products

Dell EMC Unity, UnityVSA, and Unity XT versions prior to 5.0.7.0.5.008 contain a plain-text password storage vulnerability when the Dell Upgrade Readiness Utility is run on the system.

2.1
2021-04-30 CVE-2021-21537 Dell Information Exposure vulnerability in Dell Hybrid Client

Dell Hybrid Client versions prior to 1.5 contain an information exposure vulnerability.

2.1
2021-04-30 CVE-2021-21536 Dell Information Exposure vulnerability in Dell Hybrid Client

Dell Hybrid Client versions prior to 1.5 contain an information exposure vulnerability.

2.1
2021-04-30 CVE-2021-21534 Dell Information Exposure vulnerability in Dell Hybrid Client

Dell Hybrid Client versions prior to 1.5 contain an information exposure vulnerability.

2.1
2021-04-30 CVE-2021-31231 Grafana Improper Input Validation vulnerability in Grafana Enterprise Metrics

The Alertmanager in Grafana Enterprise Metrics before 1.2.1 and Metrics Enterprise 1.2.1 has a local file disclosure vulnerability when experimental.alertmanager.enable-api is used.

2.1
2021-04-30 CVE-2021-31232 Linuxfoundation Improper Input Validation vulnerability in Linuxfoundation Cortex

The Alertmanager in CNCF Cortex before 1.8.1 has a local file disclosure vulnerability when -experimental.alertmanager.enable-api is used.

2.1
2021-04-29 CVE-2021-1087 NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager (vGPU plugin), which could allow an attacker to retrieve information that could lead to a Address Space Layout Randomization (ASLR) bypass.
2.1
2021-04-29 CVE-2021-31430 Parallels Out-of-bounds Read vulnerability in Parallels Desktop 15.1.547309

This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.5-47309.

2.1
2021-04-29 CVE-2021-31421 Parallels Path Traversal vulnerability in Parallels Desktop 16.1.149141

This vulnerability allows local attackers to delete arbitrary files on affected installations of Parallels Desktop 16.1.1-49141.

2.1
2021-04-29 CVE-2021-31419 Parallels Use of Uninitialized Resource vulnerability in Parallels Desktop 15.1.447270

This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.4-47270.

2.1
2021-04-29 CVE-2021-31423 Parallels Use of Uninitialized Resource vulnerability in Parallels Desktop 15.1.547309

This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.5-47309.

2.1
2021-04-29 CVE-2021-31432 Parallels Out-of-bounds Read vulnerability in Parallels Desktop 15.1.547309

This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.5-47309.

2.1
2021-04-29 CVE-2021-31431 Parallels Out-of-bounds Read vulnerability in Parallels Desktop 15.1.547309

This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.5-47309.

2.1
2021-04-29 CVE-2021-31418 Parallels Use of Uninitialized Resource vulnerability in Parallels Desktop 15.1.447270

This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.4-47270.

2.1
2021-04-29 CVE-2021-31417 Parallels Use of Uninitialized Resource vulnerability in Parallels Desktop 15.1.447270

This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.4-47270.

2.1
2021-04-28 CVE-2021-2321 Oracle Out-of-bounds Read vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

2.1
2021-04-28 CVE-2021-31815 Google Cleartext Transmission of Sensitive Information vulnerability in Google Google/Apple Exposure Notifications

GAEN (aka Google/Apple Exposure Notifications) through 2021-04-27 on Android allows attackers to obtain sensitive information, such as a user's location history, in-person social graph, and (sometimes) COVID-19 infection status, because Rolling Proximity Identifiers and MAC addresses are written to the Android system log, and many Android devices have applications (preinstalled by the hardware manufacturer or network operator) that read system log data and send it to third parties.

2.1
2021-04-27 CVE-2021-21429 Openapi Generator Files or Directories Accessible to External Parties vulnerability in Openapi-Generator Openapi Generator

OpenAPI Generator allows generation of API client libraries, server stubs, documentation and configuration automatically given an OpenAPI Spec.

2.1
2021-04-27 CVE-2021-3451 Lenovo Incorrect Default Permissions vulnerability in Lenovo Pcmanager 3.0.200.2042/3.0.50.9162

A denial of service vulnerability was reported in Lenovo PCManager, prior to version 3.0.400.3252, that could allow configuration files to be written to non-standard locations.

2.1
2021-04-26 CVE-2021-20536 IBM Information Exposure Through Log Files vulnerability in IBM Spectrum Protect Plus 10.1.6/10.1.7

IBM Spectrum Protect Plus File Systems Agent 10.1.6 and 10.1.7 stores potentially sensitive information in log files that could be read by a local user.

2.1
2021-04-26 CVE-2021-20546 IBM Out-of-bounds Write vulnerability in IBM products

IBM Spectrum Protect Client 8.1.0.0 through 8.1.11.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking.

2.1
2021-04-26 CVE-2021-27851 GNU Improper Privilege Management vulnerability in GNU Guix

A security vulnerability that can lead to local privilege escalation has been found in ’guix-daemon’.

2.1
2021-04-29 CVE-2021-31427 Parallels Improper Locking vulnerability in Parallels Desktop 15.1.547309

This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.5-47309.

1.9