Weekly Vulnerabilities Reports > May 3 to 9, 2021
Overview
328 new vulnerabilities reported during this period, including 29 critical vulnerabilities and 92 high severity vulnerabilities. This weekly summary report vulnerabilities in 1088 products from 122 vendors including Cisco, Foxitsoftware, Exim, Qualcomm, and Fedoraproject. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Read", "Out-of-bounds Write", "Use After Free", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".
- 264 reported vulnerabilities are remotely exploitables.
- 1 reported vulnerabilities have public exploit available.
- 105 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 220 reported vulnerabilities are exploitable by an anonymous user.
- Cisco has the most reported vulnerabilities, with 41 reported vulnerabilities.
- Tenda has the most reported critical vulnerabilities, with 4 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
29 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-05-07 | CVE-2021-31755 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac11 Firmware An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. | 10.0 |
2021-05-07 | CVE-2021-31756 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac11 Firmware An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. | 10.0 |
2021-05-07 | CVE-2021-31757 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac11 Firmware An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. | 10.0 |
2021-05-07 | CVE-2021-31758 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac11 Firmware An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. | 10.0 |
2021-05-07 | CVE-2020-11279 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products Memory corruption while processing crafted SDES packets due to improper length check in sdes packets recieved in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 10.0 |
2021-05-07 | CVE-2021-1910 | Qualcomm | Double Free vulnerability in Qualcomm products Double free in video due to lack of input buffer length check in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 10.0 |
2021-05-07 | CVE-2021-32090 | Localstack | Command Injection vulnerability in Localstack 0.12.6 The dashboard component of StackLift LocalStack 0.12.6 allows attackers to inject arbitrary shell commands via the functionName parameter. | 10.0 |
2021-05-06 | CVE-2021-29203 | HP | Missing Authentication for Critical Function vulnerability in HP Edgeline Infrastructure Manager 1.21 A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. | 10.0 |
2021-05-06 | CVE-2021-28152 | Hongdian | Improper Authentication vulnerability in Hongdian H8922 Firmware 3.0.5 Hongdian H8922 3.0.5 devices have an undocumented feature that allows access to a shell as a superuser. | 9.8 |
2021-05-06 | CVE-2021-20204 | Getdata Project Debian Fedoraproject | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A heap memory corruption problem (use after free) can be triggered in libgetdata v0.10.0 when processing maliciously crafted dirfile databases. | 9.8 |
2021-05-06 | CVE-2021-30473 | Aomedia Fedoraproject | Release of Invalid Pointer or Reference vulnerability in multiple products aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap. | 9.8 |
2021-05-06 | CVE-2020-19111 | Projectworlds | Improper Authentication vulnerability in Projectworlds Online Book Store Project in PHP 1.0 Incorrect Access Control vulnerability in Online Book Store v1.0 via admin_verify.php, which could let a remote mailicious user bypass authentication and obtain sensitive information. | 9.8 |
2021-05-06 | CVE-2020-28017 | Exim | Integer Overflow or Wraparound vulnerability in Exim Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. | 9.8 |
2021-05-06 | CVE-2021-1468 | Cisco | Improper Authentication vulnerability in Cisco Catalyst Sd-Wan Manager and Sd-Wan Vmanage Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. | 9.8 |
2021-05-06 | CVE-2021-1497 | Cisco | OS Command Injection vulnerability in Cisco Hyperflex HX Data Platform Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. | 9.8 |
2021-05-06 | CVE-2021-1498 | Cisco | Command Injection vulnerability in Cisco Hyperflex HX Data Platform Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. | 9.8 |
2021-05-06 | CVE-2021-21505 | Dell | Insecure Default Initialization of Resource vulnerability in Dell EMC Integrated System for Microsoft Azure Stack HUB Firmware 1906/2011 Dell EMC Integrated System for Microsoft Azure Stack Hub, versions 1906 – 2011, contain an undocumented default iDRAC account. | 9.8 |
2021-05-06 | CVE-2021-29921 | Python Oracle | In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. | 9.8 |
2021-05-05 | CVE-2021-31800 | Secureauth Fedoraproject | Path Traversal vulnerability in multiple products Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. | 9.8 |
2021-05-03 | CVE-2021-29369 | Gnuplot Project | OS Command Injection vulnerability in Gnuplot Project Gnuplot 0.0.1/0.0.2 The gnuplot package prior to version 0.1.0 for Node.js allows code execution via shell metacharacters in Gnuplot commands. | 9.8 |
2021-05-07 | CVE-2020-11285 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Buffer over-read while unpacking the RTCP packet we may read extra byte if wrong length is provided in RTCP packets in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 9.4 |
2021-05-06 | CVE-2020-28026 | Exim | Unspecified vulnerability in Exim Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). | 9.3 |
2021-05-05 | CVE-2020-13664 | Drupal | Command Injection vulnerability in Drupal Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. | 9.3 |
2021-05-03 | CVE-2020-35757 | Librewireless | Missing Authentication for Critical Function vulnerability in Librewireless LS9 Firmware 7040 An issue was discovered on Libre Wireless LS9 LS1.5/p7040 devices. | 9.3 |
2021-05-03 | CVE-2021-25631 | Libreoffice | Unspecified vulnerability in Libreoffice 7.0.4/7.1.0/7.1.1 In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the 7-0 series in versions prior to 7.0.5, the denylist can be circumvented by manipulating the link so it doesn't match the denylist but results in ShellExecute attempting to launch an executable type. | 9.3 |
2021-05-03 | CVE-2021-28860 | Adaltas | Unspecified vulnerability in Adaltas Mixme In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. | 9.1 |
2021-05-06 | CVE-2021-28151 | Hongdian | OS Command Injection vulnerability in Hongdian H8922 Firmware 3.0.5 Hongdian H8922 3.0.5 devices allow OS command injection via shell metacharacters into the ip-address (aka Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest. | 9.0 |
2021-05-06 | CVE-2020-28021 | Exim | Unspecified vulnerability in Exim Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. | 9.0 |
2021-05-04 | CVE-2020-21999 | IWT | OS Command Injection vulnerability in IWT Facesentry Access Control System Firmware 5.7.0/5.7.2/6.4.8 iWT Ltd FaceSentry Access Control System 6.4.8 suffers from an authenticated OS command injection vulnerability using default credentials. | 9.0 |
92 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-05-06 | CVE-2021-29493 | Kennnyshiwa Cogs Project | Code Injection vulnerability in Kennnyshiwa-Cogs Project Kennnyshiwa-Cogs Kennnyshiwa-cogs contains cogs for Red Discordbot. | 8.8 |
2021-05-06 | CVE-2021-1284 | Cisco | Unspecified vulnerability in Cisco Catalyst Sd-Wan Manager and Sd-Wan Vmanage A vulnerability in the web-based messaging service interface of Cisco SD-WAN vManage Software could allow an unauthenticated, adjacent attacker to bypass authentication and authorization and modify the configuration of an affected system. | 8.8 |
2021-05-06 | CVE-2021-1400 | Cisco | Improper Privilege Management vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to obtain sensitive information from or inject arbitrary commands on an affected device. | 8.8 |
2021-05-06 | CVE-2021-1505 | Cisco | Missing Authorization vulnerability in Cisco Catalyst Sd-Wan Manager and Sd-Wan Vmanage Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. | 8.8 |
2021-05-06 | CVE-2021-1508 | Cisco | Missing Authorization vulnerability in Cisco Catalyst Sd-Wan Manager and Sd-Wan Vmanage Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. | 8.8 |
2021-05-06 | CVE-2021-24178 | Strategy11 | Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Business Directory Plugin - Easy Listing Directories The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues. | 8.8 |
2021-05-06 | CVE-2021-24179 | Strategy11 | Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Business Directory Plugin - Easy Listing Directories The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator import files. | 8.8 |
2021-05-04 | CVE-2021-29478 | Redislabs Fedoraproject | Integer Overflow or Wraparound vulnerability in multiple products Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. | 8.8 |
2021-05-04 | CVE-2021-29477 | Redislabs Fedoraproject | Integer Overflow or Wraparound vulnerability in multiple products Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. | 8.8 |
2021-05-06 | CVE-2021-1363 | Cisco | SQL Injection vulnerability in Cisco Unified Communications Manager IM and Presence Service Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. | 8.1 |
2021-05-06 | CVE-2021-1365 | Cisco | SQL Injection vulnerability in Cisco Unified Communications Manager IM and Presence Service Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. | 8.1 |
2021-05-07 | CVE-2020-11273 | Qualcomm | NULL Pointer Dereference vulnerability in Qualcomm products Histogram type KPI was teardown with the assumption of the existence of histogram binning info and will lead to null pointer access when histogram binning info is missing due to lack of null check in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile | 7.8 |
2021-05-07 | CVE-2020-11274 | Qualcomm | Reachable Assertion vulnerability in Qualcomm products Denial of service in MODEM due to assert to the invalid configuration in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | 7.8 |
2021-05-07 | CVE-2021-1925 | Qualcomm | Reachable Assertion vulnerability in Qualcomm products Possible denial of service scenario due to improper handling of group management action frame in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.8 |
2021-05-06 | CVE-2020-35519 | Linux Netapp | Out-of-bounds Read vulnerability in multiple products An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel version v5.12-rc5. | 7.8 |
2021-05-06 | CVE-2021-1421 | Cisco | OS Command Injection vulnerability in Cisco Enterprise NFV Infrastructure Software A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to perform a command injection attack on an affected device. | 7.8 |
2021-05-06 | CVE-2021-1426 | Cisco | Uncontrolled Search Path Element vulnerability in Cisco Anyconnect Secure Mobility Client Multiple vulnerabilities in the install, uninstall, and upgrade processes of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to hijack DLL or executable files that are used by the application. | 7.8 |
2021-05-06 | CVE-2021-1427 | Cisco | Uncontrolled Search Path Element vulnerability in Cisco Anyconnect Secure Mobility Client Multiple vulnerabilities in the install, uninstall, and upgrade processes of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to hijack DLL or executable files that are used by the application. | 7.8 |
2021-05-06 | CVE-2021-1428 | Cisco | Uncontrolled Search Path Element vulnerability in Cisco Anyconnect Secure Mobility Client Multiple vulnerabilities in the install, uninstall, and upgrade processes of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to hijack DLL or executable files that are used by the application. | 7.8 |
2021-05-06 | CVE-2021-1429 | Cisco | Uncontrolled Search Path Element vulnerability in Cisco Anyconnect Secure Mobility Client Multiple vulnerabilities in the install, uninstall, and upgrade processes of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to hijack DLL or executable files that are used by the application. | 7.8 |
2021-05-06 | CVE-2021-1430 | Cisco | Uncontrolled Search Path Element vulnerability in Cisco Anyconnect Secure Mobility Client Multiple vulnerabilities in the install, uninstall, and upgrade processes of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to hijack DLL or executable files that are used by the application. | 7.8 |
2021-05-06 | CVE-2021-1496 | Cisco | Uncontrolled Search Path Element vulnerability in Cisco Anyconnect Secure Mobility Client Multiple vulnerabilities in the install, uninstall, and upgrade processes of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to hijack DLL or executable files that are used by the application. | 7.8 |
2021-05-06 | CVE-2021-1514 | Cisco | OS Command Injection vulnerability in Cisco products A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands to be executed with Administrator privileges on the underlying operating system. | 7.8 |
2021-05-05 | CVE-2021-29100 | Esri | Path Traversal vulnerability in Esri Arcgis Earth A path traversal vulnerability exists in Esri ArcGIS Earth versions 1.11.0 and below which allows arbitrary file creation on an affected system through crafted input. | 7.8 |
2021-05-05 | CVE-2021-31518 | Trendmicro | Unspecified vulnerability in Trendmicro Home Network Security Trend Micro Home Network Security 6.5.599 and earlier is vulnerable to a file-parsing vulnerability which could allow an attacker to exploit the vulnerability and cause a denial-of-service to the device. | 7.8 |
2021-05-05 | CVE-2021-31517 | Trendmicro | Unspecified vulnerability in Trendmicro Home Network Security Trend Micro Home Network Security 6.5.599 and earlier is vulnerable to a file-parsing vulnerability which could allow an attacker to exploit the vulnerability and cause a denial-of-service to the device. | 7.8 |
2021-05-04 | CVE-2021-21551 | Dell | Unspecified vulnerability in Dell Dbutil 2 3.Sys Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. | 7.8 |
2021-05-07 | CVE-2021-27573 | Remotemouse | Missing Authorization vulnerability in Remotemouse Emote Remote Mouse An issue was discovered in Emote Remote Mouse through 4.0.0.0. | 7.5 |
2021-05-07 | CVE-2021-22671 | TI | Integer Overflow or Wraparound vulnerability in TI products Multiple integer overflow issues exist while processing long domain names, which may allow an attacker to remotely execute code on the SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, CC13X2 and CC26XX SDK versions prior to v4.40.00, CC3200 SDK v1.5.0 and prior, CC3100 SDK v1.3.0 and prior). | 7.5 |
2021-05-07 | CVE-2021-22679 | TI | Integer Overflow or Wraparound vulnerability in TI products The affected product is vulnerable to an integer overflow while processing HTTP headers, which may allow an attacker to remotely execute code on the SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, CC13X2 and CC26XX SDK versions prior to v4.40.00, CC3200 SDK v1.5.0 and prior, CC3100 SDK v1.3.0 and prior). | 7.5 |
2021-05-07 | CVE-2021-21984 | Vmware | Command Injection vulnerability in VMWare Vrealize Business for Cloud 7.0 VMware vRealize Business for Cloud 7.x prior to 7.6.0 contains a remote code execution vulnerability due to an unauthorised end point. | 7.5 |
2021-05-07 | CVE-2021-32098 | Artica | Deserialization of Untrusted Data vulnerability in Artica Pandora FMS 742 Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization. | 7.5 |
2021-05-07 | CVE-2021-32099 | Artica | SQL Injection vulnerability in Artica Pandora FMS 742 A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass. | 7.5 |
2021-05-06 | CVE-2021-31737 | Emlog | Unrestricted Upload of File with Dangerous Type vulnerability in Emlog 5.3.1/6.0.0 emlog v5.3.1 and emlog v6.0.0 have a Remote Code Execution vulnerability due to upload of database backup file in admin/data.php. | 7.5 |
2021-05-06 | CVE-2021-28665 | Stormshield | Memory Leak vulnerability in Stormshield Network Security and Stormshield Network Security Stormshield SNS with versions before 3.7.18, 3.11.6 and 4.1.6 has a memory-management defect in the SNMP plugin that can lead to excessive consumption of memory and CPU resources, and possibly a denial of service. | 7.5 |
2021-05-06 | CVE-2020-18890 | Puppycms | Improper Preservation of Permissions vulnerability in Puppycms 5.1 Rmote Code Execution (RCE) vulnerability in puppyCMS v5.1 due to insecure permissions, which could let a remote malicious user getshell via /admin/functions.php. | 7.5 |
2021-05-06 | CVE-2021-31918 | Redhat | Incorrect Permission Assignment for Critical Resource vulnerability in Redhat Openstack 16.1 A flaw was found in tripleo-ansible version as shipped in Red Hat Openstack 16.1. | 7.5 |
2021-05-06 | CVE-2021-32030 | Asus | Improper Authentication vulnerability in Asus Gt-Ac2900 Firmware 3.0.0.4.386.41793 The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. | 7.5 |
2021-05-06 | CVE-2020-19107 | Projectworlds | SQL Injection vulnerability in PHP 1.0 SQL Injection vulnerability in Online Book Store v1.0 via the isbn parameter to edit_book.php, which could let a remote malicious user execute arbitrary code. | 7.5 |
2021-05-06 | CVE-2020-19108 | Projectworlds | SQL Injection vulnerability in PHP 1.0 SQL Injection vulnerability in Online Book Store v1.0 via the pubid parameter to bookPerPub.php, which could let a remote malicious user execute arbitrary code. | 7.5 |
2021-05-06 | CVE-2020-19109 | Projectworlds | SQL Injection vulnerability in PHP 1.0 SQL Injection vulnerability in Online Book Store v1.0 via the bookisbn parameter to admin_edit.php, which could let a remote malicious user execute arbitrary code. | 7.5 |
2021-05-06 | CVE-2020-19110 | Projectworlds | SQL Injection vulnerability in PHP 1.0 SQL Injection vulnerability in Online Book Store v1.0 via the bookisbn parameter to book.php parameter, which could let a remote malicious user execute arbitrary code. | 7.5 |
2021-05-06 | CVE-2020-19112 | Projectworlds | SQL Injection vulnerability in PHP 1.0 SQL Injection vulnerability in Online Book Store v1.0 via the bookisbn parameter to admin_delete.php, which could let a remote malicious user execute arbitrary code. | 7.5 |
2021-05-06 | CVE-2020-19113 | Projectworlds | Unrestricted Upload of File with Dangerous Type vulnerability in PHP 1.0 Arbitrary File Upload vulnerability in Online Book Store v1.0 in admin_add.php, which may lead to remote code execution. | 7.5 |
2021-05-06 | CVE-2020-19114 | Projectworlds | SQL Injection vulnerability in PHP 1.0 SQL Injection vulnerability in Online Book Store v1.0 via the publisher parameter to edit_book.php, which could let a remote malicious user execute arbitrary code. | 7.5 |
2021-05-06 | CVE-2020-28018 | Exim | Use After Free vulnerability in Exim Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL. | 7.5 |
2021-05-06 | CVE-2020-28020 | Exim | Classic Buffer Overflow vulnerability in Exim Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in which an unauthenticated remote attacker can execute arbitrary code by leveraging the mishandling of continuation lines during header-length restriction. | 7.5 |
2021-05-06 | CVE-2020-28022 | Exim | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Exim Exim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer. | 7.5 |
2021-05-06 | CVE-2020-28024 | Exim | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Exim Exim 4 before 4.94.2 allows Buffer Underwrite that may result in unauthenticated remote attackers executing arbitrary commands, because smtp_ungetc was only intended to push back characters, but can actually push back non-character error codes such as EOF. | 7.5 |
2021-05-06 | CVE-2021-1275 | Cisco | Resource Exhaustion vulnerability in Cisco Catalyst Sd-Wan Manager and Sd-Wan Vmanage Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. | 7.5 |
2021-05-06 | CVE-2021-1509 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products Multiple vulnerabilities in Cisco SD-WAN vEdge Software could allow an attacker to execute arbitrary code as the root user or cause a denial of service (DoS) condition on an affected device. | 7.5 |
2021-05-06 | CVE-2021-1510 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products Multiple vulnerabilities in Cisco SD-WAN vEdge Software could allow an attacker to execute arbitrary code as the root user or cause a denial of service (DoS) condition on an affected device. | 7.5 |
2021-05-06 | CVE-2021-1513 | Cisco | Improper Input Validation vulnerability in Cisco products A vulnerability in the vDaemon process of Cisco SD-WAN Software could allow an unauthenticated, remote attacker to cause a device to reload, resulting in a denial of service (DoS) condition. | 7.5 |
2021-05-06 | CVE-2021-24236 | Imagements Project | Unrestricted Upload of File with Dangerous Type vulnerability in Imagements Project Imagements The Imagements WordPress plugin through 1.2.5 allows images to be uploaded in comments, however only checks for the Content-Type in the request to forbid dangerous files. | 7.5 |
2021-05-05 | CVE-2021-29101 | Esri | Path Traversal vulnerability in Esri Arcgis Geoevent Server 10.8.1 ArcGIS GeoEvent Server versions 10.8.1 and below has a read-only directory path traversal vulnerability that could allow an unauthenticated, remote attacker to perform directory traversal attacks and read arbitrary files on the system. | 7.5 |
2021-05-05 | CVE-2020-4979 | IBM | Unspecified vulnerability in IBM Qradar Security Information and Event Manager IBM QRadar SIEM 7.3 and 7.4 is vulnerable to insecure inter-deployment communication. | 7.5 |
2021-05-05 | CVE-2021-31542 | Djangoproject Debian Fedoraproject | Path Traversal vulnerability in multiple products In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names. | 7.5 |
2021-05-05 | CVE-2020-13665 | Drupal | Unspecified vulnerability in Drupal Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. | 7.5 |
2021-05-05 | CVE-2016-20010 | Ewww | Unspecified vulnerability in Ewww Image Optimizer EWWW Image Optimizer before 2.8.5 allows remote command execution because it relies on a protection mechanism involving boolval, which is unavailable before PHP 5.5. | 7.5 |
2021-05-04 | CVE-2021-23343 | Path Parse Project | Unspecified vulnerability in Path-Parse Project Path-Parse All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. | 7.5 |
2021-05-04 | CVE-2021-23383 | Handlebarsjs Netapp | The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source. | 7.5 |
2021-05-04 | CVE-2021-31164 | Apache | Injection vulnerability in Apache Unomi Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements. | 7.5 |
2021-05-03 | CVE-2020-23083 | Guojusoft | Unrestricted Upload of File with Dangerous Type vulnerability in Guojusoft Jeecg Unrestricted File Upload in JEECG v4.0 and earlier allows remote attackers to execute arbitrary code or gain privileges by uploading a crafted file to the component "jeecgFormDemoController.do?commonUpload". | 7.5 |
2021-05-03 | CVE-2021-32020 | Amazon | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Amazon Freertos The kernel in Amazon Web Services FreeRTOS before 10.4.3 has insufficient bounds checking during management of heap memory. | 7.5 |
2021-05-03 | CVE-2020-35758 | Librewireless | Improper Authentication vulnerability in Librewireless LS9 Firmware 7040 An issue was discovered on Libre Wireless LS9 LS1.5/p7040 devices. | 7.5 |
2021-05-03 | CVE-2021-29242 | Codesys | Improper Input Validation vulnerability in Codesys products CODESYS Control Runtime system before 3.5.17.0 has improper input validation. | 7.5 |
2021-05-07 | CVE-2020-11284 | Qualcomm | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Qualcomm products Locked memory can be unlocked and modified by non secure boot loader through improper system call sequence making the memory region untrusted source of input for secure boot loader in Snapdragon Auto, Snapdragon Compute, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking | 7.2 |
2021-05-07 | CVE-2020-11288 | Qualcomm | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Qualcomm products Out of bound write can occur in playready while processing command due to lack of input validation in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music | 7.2 |
2021-05-07 | CVE-2020-11289 | Qualcomm | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Qualcomm products Out of bound write can occur in TZ command handler due to lack of validation of command ID in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 7.2 |
2021-05-07 | CVE-2021-1895 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products Possible integer overflow due to improper length check while flashing an image in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music | 7.2 |
2021-05-07 | CVE-2021-1905 | Qualcomm | Use After Free vulnerability in Qualcomm products Possible use after free due to improper handling of memory mapping of multiple processes simultaneously. | 7.2 |
2021-05-07 | CVE-2021-1915 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Buffer overflow can occur due to improper validation of NDP application information length in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.2 |
2021-05-07 | CVE-2021-1927 | Qualcomm | Use After Free vulnerability in Qualcomm products Possible use after free due to lack of null check while memory is being freed in FastRPC driver in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 7.2 |
2021-05-06 | CVE-2020-28007 | Exim | Link Following vulnerability in Exim Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. | 7.2 |
2021-05-06 | CVE-2020-28008 | Exim | Improper Privilege Management vulnerability in Exim Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. | 7.2 |
2021-05-06 | CVE-2020-28009 | Exim | Integer Overflow or Wraparound vulnerability in Exim Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. | 7.2 |
2021-05-06 | CVE-2020-28010 | Exim | Out-of-bounds Write vulnerability in Exim Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while setuid root, copies the current working directory pathname into a buffer that is too small (on some common platforms). | 7.2 |
2021-05-06 | CVE-2020-28011 | Exim | Out-of-bounds Write vulnerability in Exim Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S. | 7.2 |
2021-05-06 | CVE-2020-28012 | Exim | Unspecified vulnerability in Exim Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag. | 7.2 |
2021-05-06 | CVE-2020-28013 | Exim | Out-of-bounds Write vulnerability in Exim Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles "-F '.('" on the command line, and thus may allow privilege escalation from any user to root. | 7.2 |
2021-05-06 | CVE-2020-28015 | Exim | Unspecified vulnerability in Exim Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. | 7.2 |
2021-05-06 | CVE-2020-28016 | Exim | Out-of-bounds Write vulnerability in Exim Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because "-F ''" is mishandled by parse_fix_phrase. | 7.2 |
2021-05-06 | CVE-2021-1401 | Cisco | OS Command Injection vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to obtain sensitive information from or inject arbitrary commands on an affected device. | 7.2 |
2021-05-06 | CVE-2021-1506 | Cisco | Missing Authorization vulnerability in Cisco Catalyst Sd-Wan Manager and Sd-Wan Vmanage Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. | 7.2 |
2021-05-06 | CVE-2021-21527 | Dell | OS Command Injection vulnerability in Dell EMC Powerscale Onefs 9.0.0.0/9.1.0.0 Dell PowerScale OneFS 8.1.0-9.1.0 contain an improper neutralization of special elements used in an OS command vulnerability. | 7.2 |
2021-05-06 | CVE-2021-21550 | Dell | OS Command Injection vulnerability in Dell EMC Powerscale Onefs Dell EMC PowerScale OneFS 8.1.0-9.1.0 contain an improper neutralization of special elements used in an OS command vulnerability. | 7.2 |
2021-05-06 | CVE-2021-24248 | Strategy11 | Unrestricted Upload of File with Dangerous Type vulnerability in Strategy11 Business Directory Plugin - Easy Listing Directories The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 did not properly check for imported files, forbidding certain extension via a blacklist approach, allowing administrator to import an archive with a .php4 inside for example, leading to RCE | 7.2 |
2021-05-06 | CVE-2021-24252 | WP Eventmanager | Unrestricted Upload of File with Dangerous Type vulnerability in Wp-Eventmanager Event Banner The Event Banner WordPress plugin through 1.3 does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. | 7.2 |
2021-05-05 | CVE-2021-25319 | Opensuse | Incorrect Default Permissions vulnerability in Opensuse Factory A Incorrect Default Permissions vulnerability in the packaging of virtualbox of openSUSE Factory allows local attackers in the vboxusers groupu to escalate to root. | 7.2 |
2021-05-04 | CVE-2020-27518 | Windscribe | Improper Privilege Management vulnerability in Windscribe All versions of Windscribe VPN for Mac and Windows <= v2.02.10 contain a local privilege escalation vulnerability in the WindscribeService component. | 7.2 |
2021-05-06 | CVE-2021-1530 | Cisco | XXE vulnerability in Cisco Broadworks Messaging Server 22.0 A vulnerability in the web-based management interface of Cisco BroadWorks Messaging Server Software could allow an authenticated, remote attacker to access sensitive information or cause a partial denial of service (DoS) condition on an affected system. | 7.1 |
2021-05-06 | CVE-2020-28198 | IBM | Out-of-bounds Write vulnerability in IBM Tivoli Storage Manager 5.2.0.1 The 'id' parameter of IBM Tivoli Storage Manager Version 5 Release 2 (Command Line Administrative Interface, dsmadmc.exe) is vulnerable to an exploitable stack buffer overflow. | 7.0 |
172 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-05-07 | CVE-2021-31441 | Foxitsoftware | Use After Free vulnerability in Foxitsoftware Foxit Reader This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. | 6.8 |
2021-05-07 | CVE-2021-31442 | Foxitsoftware | Out-of-bounds Write vulnerability in Foxitsoftware Foxit Reader This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. | 6.8 |
2021-05-07 | CVE-2021-31449 | Foxitsoftware | Double Free vulnerability in Foxitsoftware Foxit Reader This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. | 6.8 |
2021-05-07 | CVE-2021-31450 | Foxitsoftware | Use After Free vulnerability in Foxitsoftware Foxit Reader This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. | 6.8 |
2021-05-07 | CVE-2021-31451 | Foxitsoftware | Use After Free vulnerability in Foxitsoftware Foxit Reader This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. | 6.8 |
2021-05-07 | CVE-2021-31452 | Foxitsoftware | Out-of-bounds Write vulnerability in Foxitsoftware Foxit Reader This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. | 6.8 |
2021-05-07 | CVE-2021-31453 | Foxitsoftware | Use After Free vulnerability in Foxitsoftware Foxit Reader This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. | 6.8 |
2021-05-07 | CVE-2021-31454 | Foxitsoftware | Heap-based Buffer Overflow vulnerability in Foxitsoftware Foxit Reader This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. | 6.8 |
2021-05-07 | CVE-2021-31455 | Foxitsoftware | Use After Free vulnerability in Foxitsoftware Foxit Reader This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. | 6.8 |
2021-05-07 | CVE-2021-31456 | Foxitsoftware | Use After Free vulnerability in Foxitsoftware Phantompdf This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. | 6.8 |
2021-05-07 | CVE-2021-31457 | Foxitsoftware | Use After Free vulnerability in Foxitsoftware Phantompdf This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. | 6.8 |
2021-05-07 | CVE-2021-31458 | Foxitsoftware | Use After Free vulnerability in Foxitsoftware Phantompdf This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. | 6.8 |
2021-05-07 | CVE-2021-31459 | Foxitsoftware | Use After Free vulnerability in Foxitsoftware Phantompdf This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. | 6.8 |
2021-05-07 | CVE-2021-31460 | Foxitsoftware | Use After Free vulnerability in Foxitsoftware Phantompdf This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. | 6.8 |
2021-05-07 | CVE-2021-31461 | Foxitsoftware | Type Confusion vulnerability in Foxitsoftware Phantompdf This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. | 6.8 |
2021-05-07 | CVE-2021-31465 | Foxitsoftware | Out-of-bounds Write vulnerability in Foxitsoftware 3D This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.3.37598. | 6.8 |
2021-05-07 | CVE-2021-31466 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware 3D This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.3.37598. | 6.8 |
2021-05-07 | CVE-2021-31468 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware 3D This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.3.37598. | 6.8 |
2021-05-07 | CVE-2021-31470 | Foxitsoftware | Use After Free vulnerability in Foxitsoftware 3D This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. | 6.8 |
2021-05-07 | CVE-2021-31472 | Foxitsoftware | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Foxitsoftware 3D This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. | 6.8 |
2021-05-07 | CVE-2021-27572 | Remotemouse | Authentication Bypass by Capture-replay vulnerability in Remotemouse Emote Remote Mouse An issue was discovered in Emote Remote Mouse through 4.0.0.0. | 6.8 |
2021-05-07 | CVE-2021-27574 | Remotemouse | Cleartext Transmission of Sensitive Information vulnerability in Remotemouse Emote Remote Mouse An issue was discovered in Emote Remote Mouse through 4.0.0.0. | 6.8 |
2021-05-07 | CVE-2020-14009 | Proofpoint | Improper Validation of Integrity Check Value vulnerability in Proofpoint Enterprise Protection 8.14.2 Proofpoint Enterprise Protection (PPS/PoD) before 8.16.4 contains a vulnerability that could allow an attacker to deliver an email message with a malicious attachment that bypasses scanning and file-blocking rules. | 6.8 |
2021-05-07 | CVE-2021-32096 | NSA | Cross-Site Request Forgery (CSRF) vulnerability in NSA Emissary 5.9.0 The ConsoleAction component of U.S. | 6.8 |
2021-05-06 | CVE-2020-23264 | Fork CMS | Cross-Site Request Forgery (CSRF) vulnerability in Fork-Cms Fork CMS Cross-site request forgery (CSRF) in Fork-CMS before 5.8.2 allow remote attackers to hijack the authentication of logged administrators. | 6.8 |
2021-05-06 | CVE-2020-23127 | Chamilo | Cross-Site Request Forgery (CSRF) vulnerability in Chamilo LMS 1.11.10 Chamilo LMS 1.11.10 is affected by Cross Site Request Forgery (CSRF) via the edit_user function by targeting an admin user. | 6.8 |
2021-05-06 | CVE-2021-26543 | Wayfair | OS Command Injection vulnerability in Wayfair Git-Parse 1.0.2/1.0.3/1.0.4 The "gitDiff" function in Wayfair git-parse <=1.0.4 has a command injection vulnerability. | 6.8 |
2021-05-06 | CVE-2021-31616 | Shapeshift | Out-of-bounds Write vulnerability in Shapeshift Keepkey Firmware 7.0.3 Insufficient length checks in the ShapeShift KeepKey hardware wallet firmware before 7.1.0 allow a stack buffer overflow via crafted messages. | 6.8 |
2021-05-05 | CVE-2021-20254 | Samba Fedoraproject Redhat Debian | Out-of-bounds Read vulnerability in multiple products A flaw was found in samba. | 6.8 |
2021-05-05 | CVE-2020-36334 | Themegrill | Cross-Site Request Forgery (CSRF) vulnerability in Themegrill Demo Importer themegrill-demo-importer before 1.6.3 allows CSRF, as demonstrated by wiping the database. | 6.8 |
2021-05-04 | CVE-2021-29240 | Codesys | Unspecified vulnerability in Codesys Development System The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content. | 6.8 |
2021-05-03 | CVE-2021-29238 | Codesys | Cross-Site Request Forgery (CSRF) vulnerability in Codesys Automation Server CODESYS Automation Server before 1.16.0 allows cross-site request forgery (CSRF). | 6.8 |
2021-05-06 | CVE-2021-1447 | Cisco | Improper Privilege Management vulnerability in Cisco Content Security Management Appliance A vulnerability in the user account management system of Cisco AsyncOS for Cisco Content Security Management Appliance (SMA) could allow an authenticated, local attacker to elevate their privileges to root. | 6.7 |
2021-05-06 | CVE-2021-1520 | Cisco | Write-what-where Condition vulnerability in Cisco products A vulnerability in the internal message processing of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, local attacker to run arbitrary commands with root privileges on the underlying operating system (OS). | 6.7 |
2021-05-07 | CVE-2021-22675 | TI | Integer Overflow or Wraparound vulnerability in TI products The affected product is vulnerable to integer overflow while parsing malformed over-the-air firmware update files, which may allow an attacker to remotely execute code on SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, CC13X2 and CC26XX SDK versions prior to v4.40.00, CC3200 SDK v1.5.0 and prior, CC3100 SDK v1.3.0 and prior). | 6.5 |
2021-05-07 | CVE-2021-32094 | NSA | Unrestricted Upload of File with Dangerous Type vulnerability in NSA Emissary 5.9.0 U.S. | 6.5 |
2021-05-07 | CVE-2021-32102 | Open EMR | SQL Injection vulnerability in Open-Emr Openemr 5.0.2.1 A SQL injection vulnerability exists (with user privileges) in library/custom_template/ajax_code.php in OpenEMR 5.0.2.1. | 6.5 |
2021-05-07 | CVE-2021-32104 | Open EMR | SQL Injection vulnerability in Open-Emr Openemr 5.0.2.1 A SQL injection vulnerability exists (with user privileges) in interface/forms/eye_mag/save.php in OpenEMR 5.0.2.1. | 6.5 |
2021-05-06 | CVE-2021-1478 | Cisco | Unspecified vulnerability in Cisco Unified Communications Manager A vulnerability in the Java Management Extensions (JMX) component of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. | 6.5 |
2021-05-06 | CVE-2021-1511 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products Multiple vulnerabilities in Cisco SD-WAN vEdge Software could allow an attacker to execute arbitrary code as the root user or cause a denial of service (DoS) condition on an affected device. | 6.5 |
2021-05-06 | CVE-2021-1516 | Cisco | Information Exposure Through Source Code vulnerability in Cisco products A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Content Security Management Appliance (SMA), Cisco Email Security Appliance (ESA), and Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to access sensitive information on an affected device. | 6.5 |
2021-05-06 | CVE-2021-1521 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products A vulnerability in the Cisco Discovery Protocol implementation for Cisco Video Surveillance 8000 Series IP Cameras could allow an unauthenticated, adjacent attacker to cause an affected IP camera to reload. | 6.5 |
2021-05-06 | CVE-2021-1532 | Cisco | Path Traversal vulnerability in Cisco Roomos and Telepresence Collaboration Endpoint A vulnerability in the video endpoint API (xAPI) of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an authenticated, remote attacker to read arbitrary files from the underlying operating system. | 6.5 |
2021-05-06 | CVE-2021-24249 | Strategy11 | Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Business Directory Plugin - Easy Listing Directories The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator export files, which could then be downloaded by the attacker to get access to PII, such as email, home addresses etc | 6.5 |
2021-05-06 | CVE-2021-24253 | Classyfrieds Project | Unrestricted Upload of File with Dangerous Type vulnerability in Classyfrieds Project Classyfrieds The Classyfrieds WordPress plugin through 3.8 does not properly check the uploaded file when an authenticated user adds a listing, only checking the content-type in the request. | 6.5 |
2021-05-06 | CVE-2021-24254 | College Publisher Import Project | Unrestricted Upload of File with Dangerous Type vulnerability in College Publisher Import Project College Publisher Import The College publisher Import WordPress plugin through 0.1 does not check for the uploaded CSV file to import, allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE. | 6.5 |
2021-05-05 | CVE-2021-29246 | Btcpayserver | Path Traversal vulnerability in Btcpayserver Btcpay Server BTCPay Server through 1.0.7.0 suffers from directory traversal, which allows an attacker with admin privileges to achieve code execution. | 6.5 |
2021-05-04 | CVE-2021-26804 | Centreon | Incorrect Default Permissions vulnerability in Centreon web 19.10.18/20.04.8/20.10.2 Insecure Permissions in Centreon Web versions 19.10.18, 20.04.8, and 20.10.2 allows remote attackers to bypass validation by changing any file extension to ".gif", then uploading it in the "Administration/ Parameters/ Images" section of the application. | 6.5 |
2021-05-07 | CVE-2020-4901 | IBM | Unspecified vulnerability in IBM Robotic Process Automation With Automation Anywhere IBM Robotic Process Automation with Automation Anywhere 11.0 could allow an attacker on the network to obtain sensitive information or cause a denial of service through username enumeration. | 6.4 |
2021-05-07 | CVE-2021-27437 | Advantech | Use of Hard-coded Credentials vulnerability in Advantech Wise-Paas/Rmm 3.3.29 The affected product allows attackers to obtain sensitive information from the WISE-PaaS dashboard. | 6.4 |
2021-05-07 | CVE-2020-36128 | Paxtechnology | Authentication Bypass by Spoofing vulnerability in Paxtechnology Paxstore Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by a token spoofing vulnerability. | 6.4 |
2021-05-07 | CVE-2021-32101 | Open EMR | Incorrect Permission Assignment for Critical Resource vulnerability in Open-Emr Openemr 5.0.2.1 The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. | 6.4 |
2021-05-05 | CVE-2020-36333 | Themegrill | Missing Authentication for Critical Function vulnerability in Themegrill Demo Importer themegrill-demo-importer before 1.6.2 does not require authentication for wiping the database, because of a reset_wizard_actions hook. | 6.4 |
2021-05-06 | CVE-2021-27216 | Exim | Improper Privilege Management vulnerability in Exim Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. | 6.3 |
2021-05-06 | CVE-2021-31916 | Linux Redhat Debian | Out-of-bounds Write vulnerability in multiple products An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. | 6.1 |
2021-05-06 | CVE-2021-32052 | Djangoproject Fedoraproject | Cross-site Scripting vulnerability in multiple products In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). | 6.1 |
2021-05-06 | CVE-2021-3507 | Qemu Debian Redhat | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). | 6.1 |
2021-05-06 | CVE-2021-1397 | Cisco | Open Redirect vulnerability in Cisco products A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. | 6.1 |
2021-05-06 | CVE-2021-1490 | Cisco | Cross-site Scripting vulnerability in Cisco web Security Appliance A vulnerability in the web-based management interface of Cisco AsyncOS for Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. | 6.1 |
2021-05-07 | CVE-2021-22673 | TI | Out-of-bounds Write vulnerability in TI products The affected product is vulnerable to stack-based buffer overflow while processing over-the-air firmware updates from the CDN server, which may allow an attacker to remotely execute code on the SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, CC13X2 and CC26XX SDK versions prior to v4.40.00, CC3200 SDK v1.5.0 and prior, CC3100 SDK v1.3.0 and prior). | 6.0 |
2021-05-06 | CVE-2021-1512 | Cisco | Files or Directories Accessible to External Parties vulnerability in Cisco products A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to overwrite arbitrary files in the underlying file system of an affected system. | 6.0 |
2021-05-05 | CVE-2021-32055 | Mutt Neomutt | Out-of-bounds Read vulnerability in multiple products Mutt 1.11.0 through 2.0.x before 2.0.7 (and NeoMutt 2019-10-25 through 2021-05-04) has a $imap_qresync issue in which imap/util.c has an out-of-bounds read in situations where an IMAP sequence set ends with a comma. | 5.8 |
2021-05-05 | CVE-2020-13662 | Drupal | Open Redirect vulnerability in Drupal Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. | 5.8 |
2021-05-03 | CVE-2020-23015 | Opnsense | Open Redirect vulnerability in Opnsense An open redirect issue was discovered in OPNsense through 20.1.5. | 5.8 |
2021-05-06 | CVE-2020-28014 | Exim | Improper Privilege Management vulnerability in Exim Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. | 5.6 |
2021-05-07 | CVE-2021-3502 | Avahi | Reachable Assertion vulnerability in Avahi 0.85 A flaw was found in avahi 0.8-5. | 5.5 |
2021-05-07 | CVE-2020-36125 | Paxtechnology | Improper Authentication vulnerability in Paxtechnology Paxstore Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control where password revalidation in sensitive operations can be bypassed remotely by an authenticated attacker through requesting the endpoint directly. | 5.5 |
2021-05-07 | CVE-2020-36126 | Paxtechnology | Authorization Bypass Through User-Controlled Key vulnerability in Paxtechnology Paxstore Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control that can lead to remote privilege escalation. | 5.5 |
2021-05-07 | CVE-2021-32095 | NSA | Missing Authorization vulnerability in NSA Emissary 5.9.0 U.S. | 5.5 |
2021-05-06 | CVE-2021-31828 | Amazon | Server-Side Request Forgery (SSRF) vulnerability in Amazon Open Distro An SSRF issue in Open Distro for Elasticsearch (ODFE) before 1.13.1.0 allows an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Alerting plugin's intended scope. | 5.5 |
2021-05-06 | CVE-2021-31829 | Linux Fedoraproject Debian | Incorrect Authorization vulnerability in multiple products kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. | 5.5 |
2021-05-06 | CVE-2021-28128 | Strapi | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Strapi In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. | 5.5 |
2021-05-06 | CVE-2021-1438 | Cisco | Exposure of Resource to Wrong Sphere vulnerability in Cisco Wide Area Application Services A vulnerability in Cisco Wide Area Application Services (WAAS) Software could allow an authenticated, local attacker to gain access to sensitive information on an affected device. | 5.5 |
2021-05-06 | CVE-2021-1519 | Cisco | Improper Input Validation vulnerability in Cisco Anyconnect Secure Mobility Client A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to overwrite VPN profiles on an affected device. | 5.5 |
2021-05-05 | CVE-2020-5013 | IBM | XXE vulnerability in IBM Qradar Security Information and Event Manager IBM QRadar SIEM 7.3 and 7.4 may vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. | 5.5 |
2021-05-06 | CVE-2021-1507 | Cisco | Cross-site Scripting vulnerability in Cisco Sd-Wan Vmanage A vulnerability in an API of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the application web-based interface. | 5.4 |
2021-05-06 | CVE-2021-24246 | Purethemes | Cross-site Scripting vulnerability in Purethemes Workscout and Workscout Core The Workscout Core WordPress plugin before 1.3.4, used by the WorkScout Theme did not sanitise the chat messages sent via the workscout_send_message_chat AJAX action, leading to Stored Cross-Site Scripting and Cross-Frame Scripting issues | 5.4 |
2021-05-06 | CVE-2021-24250 | Strategy11 | Cross-site Scripting vulnerability in Strategy11 Business Directory Plugin - Easy Listing Directories The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from lack of sanitisation in the label of the Form Fields, leading to Authenticated Stored Cross-Site Scripting issues across various pages of the plugin. | 5.4 |
2021-05-05 | CVE-2021-24270 | Detheme | Cross-site Scripting vulnerability in Detheme Dethemekit for Elementor The “DeTheme Kit for Elementor” WordPress Plugin before 1.5.5.5 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | 5.4 |
2021-05-05 | CVE-2021-24261 | Hasthemes | Cross-site Scripting vulnerability in Hasthemes HT Mega The “HT Mega – Absolute Addons for Elementor Page Builder” WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | 5.4 |
2021-05-07 | CVE-2021-21419 | Eventlet Fedoraproject | Resource Exhaustion vulnerability in multiple products Eventlet is a concurrent networking library for Python. | 5.3 |
2021-05-06 | CVE-2021-1486 | Cisco | Information Exposure Through Discrepancy vulnerability in Cisco Catalyst Sd-Wan Manager and Sd-Wan Vmanage A vulnerability in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to enumerate user accounts. | 5.3 |
2021-05-06 | CVE-2021-1499 | Cisco | Missing Authentication for Critical Function vulnerability in Cisco Hyperflex HX Data Platform A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. | 5.3 |
2021-05-06 | CVE-2021-1535 | Cisco | Exposure of System Data to an Unauthorized Control Sphere vulnerability in Cisco Sd-Wan Vmanage A vulnerability in the cluster management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to view sensitive information on an affected system. | 5.3 |
2021-05-06 | CVE-2021-32062 | Osgeo Fedoraproject | Path Traversal vulnerability in multiple products MapServer before 7.0.8, 7.1.x and 7.2.x before 7.2.3, 7.3.x and 7.4.x before 7.4.5, and 7.5.x and 7.6.x before 7.6.3 does not properly enforce the MS_MAP_NO_PATH and MS_MAP_PATTERN restrictions that are intended to control the locations from which a mapfile may be loaded (with MapServer CGI). | 5.3 |
2021-05-03 | CVE-2021-21264 | Octobercms | Unspecified vulnerability in Octobercms October October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. | 5.2 |
2021-05-07 | CVE-2021-27569 | Remotemouse | Cleartext Transmission of Sensitive Information vulnerability in Remotemouse Emote Remote Mouse An issue was discovered in Emote Remote Mouse through 4.0.0.0. | 5.0 |
2021-05-07 | CVE-2021-27570 | Remotemouse | Missing Authentication for Critical Function vulnerability in Remotemouse Emote Remote Mouse An issue was discovered in Emote Remote Mouse through 3.015. | 5.0 |
2021-05-07 | CVE-2021-27571 | Remotemouse | Missing Authentication for Critical Function vulnerability in Remotemouse Emote Remote Mouse An issue was discovered in Emote Remote Mouse through 4.0.0.0. | 5.0 |
2021-05-07 | CVE-2021-29495 | NIM Lang | Improper Certificate Validation vulnerability in Nim-Lang NIM Nim is a statically typed compiled systems programming language. | 5.0 |
2021-05-07 | CVE-2021-29488 | Sabnzbd | Relative Path Traversal vulnerability in Sabnzbd SABnzbd is an open source binary newsreader. | 5.0 |
2021-05-07 | CVE-2020-11268 | Qualcomm | Improper Input Validation vulnerability in Qualcomm products Potential UE reset while decoding a crafted Sib1 or SIB1 that schedules unsupported SIBs and can lead to denial of service in Snapdragon Auto, Snapdragon Mobile | 5.0 |
2021-05-07 | CVE-2021-32074 | Hashicorp | Information Exposure Through Log Files vulnerability in Hashicorp Vault-Action HashiCorp vault-action (aka Vault GitHub Action) before 2.2.0 allows attackers to obtain sensitive information from log files because a multi-line secret was not correctly registered with GitHub Actions for log masking. | 5.0 |
2021-05-06 | CVE-2021-32077 | Veritystream | Unspecified vulnerability in Veritystream Msow Solutions Primary Source Verification in VerityStream MSOW Solutions before 3.1.1 allows an anonymous internet user to discover Social Security Number (SSN) values via a brute-force attack on a (sometimes hidden) search field, because the last four SSN digits are part of the supported combination of search selectors. | 5.0 |
2021-05-06 | CVE-2020-18888 | Puppycms | Missing Authorization vulnerability in Puppycms 5.1 Arbitrary File Deletion vulnerability in puppyCMS v5.1 allows remote malicious attackers to delete the file/folder via /admin/functions.php. | 5.0 |
2021-05-06 | CVE-2019-25043 | Trustwave | Improper Handling of Exceptional Conditions vulnerability in Trustwave Modsecurity ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header. | 5.0 |
2021-05-06 | CVE-2021-31793 | Nightowlsp | Missing Authentication for Critical Function vulnerability in Nightowlsp Wdb-20 Firmware 20190314 An issue exists on NightOwl WDB-20-V2 WDB-20-V2_20190314 devices that allows an unauthenticated user to gain access to snapshots and video streams from the doorbell. | 5.0 |
2021-05-06 | CVE-2021-22209 | Gitlab | Incorrect Authorization vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. | 5.0 |
2021-05-06 | CVE-2021-22210 | Gitlab | Allocation of Resources Without Limits or Throttling vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. | 5.0 |
2021-05-06 | CVE-2020-28019 | Exim | Improper Initialization vulnerability in Exim Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences. | 5.0 |
2021-05-06 | CVE-2020-28023 | Exim | Out-of-bounds Read vulnerability in Exim Exim 4 before 4.94.2 allows Out-of-bounds Read. | 5.0 |
2021-05-06 | CVE-2020-28025 | Exim | Out-of-bounds Read vulnerability in Exim Exim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash does not validate the relationship between sig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header might lead to a leak of sensitive information from process memory. | 5.0 |
2021-05-06 | CVE-2021-29490 | Jellyfin | Server-Side Request Forgery (SSRF) vulnerability in Jellyfin Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. | 5.0 |
2021-05-06 | CVE-2021-31409 | Vaadin | Resource Exhaustion vulnerability in Vaadin Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses. | 5.0 |
2021-05-05 | CVE-2021-29247 | Btcpayserver | Information Exposure vulnerability in Btcpayserver Btcpay Server BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the HTTPOnly flag for a cookie. | 5.0 |
2021-05-05 | CVE-2021-29245 | Btcpayserver | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Btcpayserver Btcpay Server BTCPay Server through 1.0.7.0 uses a weak method Next to produce pseudo-random values to generate a legacy API key. | 5.0 |
2021-05-05 | CVE-2021-29248 | Btcpayserver | Information Exposure vulnerability in Btcpayserver Btcpay Server BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the Secure flag for a cookie. | 5.0 |
2021-05-04 | CVE-2021-3154 | Solarwinds | Injection vulnerability in Solarwinds Serv-U 15.1.6/15.2.1 An issue was discovered in SolarWinds Serv-U before 15.2.2. | 5.0 |
2021-05-03 | CVE-2020-35755 | Librewireless | Missing Authentication for Critical Function vulnerability in Librewireless LS9 Firmware 7040 An issue was discovered on Libre Wireless LS9 LS1.5/p7040 devices. | 5.0 |
2021-05-03 | CVE-2020-35756 | Librewireless | Missing Authentication for Critical Function vulnerability in Librewireless LS9 Firmware 7040 An issue was discovered on Libre Wireless LS9 LS1.5/p7040 devices. | 5.0 |
2021-05-03 | CVE-2021-29241 | Codesys | NULL Pointer Dereference vulnerability in Codesys products CODESYS Gateway 3 before 3.5.16.70 has a NULL pointer dereference that may result in a denial of service (DoS). | 5.0 |
2021-05-03 | CVE-2021-31996 | Algorithmica Project | Double Free vulnerability in Algorithmica Project Algorithmica An issue was discovered in the algorithmica crate through 2021-03-07 for Rust. | 5.0 |
2021-05-07 | CVE-2021-22677 | TI | Integer Overflow or Wraparound vulnerability in TI products An integer overflow exists in the APIs of the host MCU while trying to connect to a WIFI network may lead to issues such as a denial-of-service condition or code execution on the SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, CC13X2 and CC26XX SDK versions prior to v4.40.00, CC3200 SDK v1.5.0 and prior, CC3100 SDK v1.3.0 and prior). | 4.6 |
2021-05-07 | CVE-2020-11294 | Qualcomm | Improper Validation of Array Index vulnerability in Qualcomm products Out of bound write in logger due to prefix size is not validated while prepended to logging string in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | 4.6 |
2021-05-07 | CVE-2020-11295 | Qualcomm | Use After Free vulnerability in Qualcomm products Use after free in camera If the threadmanager is being cleaned up while the worker thread is processing objects in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | 4.6 |
2021-05-07 | CVE-2021-1891 | Qualcomm | Use After Free vulnerability in Qualcomm products A possible use-after-free occurrence in audio driver can happen when pointers are not properly handled in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 4.6 |
2021-05-06 | CVE-2021-31532 | NXP | Unspecified vulnerability in NXP products NXP LPC55S6x microcontrollers (0A and 1B), i.MX RT500 (silicon rev B1 and B2), i.MX RT600 (silicon rev A0, B0), LPC55S6x, LPC55S2x, LPC552x (silicon rev 0A, 1B), LPC55S1x, LPC551x (silicon rev 0A) and LPC55S0x, LPC550x (silicon rev 0A) include an undocumented ROM patch peripheral that allows unsigned, non-persistent modification of the internal ROM. | 4.6 |
2021-05-05 | CVE-2021-31411 | Vaadin | Unspecified vulnerability in Vaadin Flow Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds. | 4.6 |
2021-05-05 | CVE-2021-20401 | IBM | Use of Hard-coded Credentials vulnerability in IBM Qradar Security Information and Event Manager IBM QRadar SIEM 7.3 and 7.4 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | 4.6 |
2021-05-05 | CVE-2020-4932 | IBM | Use of Hard-coded Credentials vulnerability in IBM Qradar Security Information and Event Manager IBM QRadar SIEM 7.3 and 7.4 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | 4.6 |
2021-05-04 | CVE-2021-22547 | In IoT Devices SDK, there is an implementation of calloc() that doesn't have a length check. | 4.6 | |
2021-05-03 | CVE-2021-29239 | CODESYS Development System 3 before 3.5.17.0 displays or executes malicious documents or files embedded in libraries without first checking their validity. | 4.6 | |
2021-05-07 | CVE-2021-31443 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware Foxit Reader This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.1.37576. | 4.3 |
2021-05-07 | CVE-2021-31444 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware Foxit Reader This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.1.37576. | 4.3 |
2021-05-07 | CVE-2021-31445 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware Foxit Reader This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.1.37576. | 4.3 |
2021-05-07 | CVE-2021-31446 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware Foxit Reader This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.1.37576. | 4.3 |
2021-05-07 | CVE-2021-31447 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware Foxit Reader This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.1.37576. | 4.3 |
2021-05-07 | CVE-2021-31448 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware Foxit Reader This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.1.37576. | 4.3 |
2021-05-07 | CVE-2021-31462 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware 3D This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.3.37598. | 4.3 |
2021-05-07 | CVE-2021-31463 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware 3D This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.3.37598. | 4.3 |
2021-05-07 | CVE-2021-31464 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware 3D This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.3.37598. | 4.3 |
2021-05-07 | CVE-2021-31467 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware 3D This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.3.37598. | 4.3 |
2021-05-07 | CVE-2021-31469 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware 3D This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.1.37576. | 4.3 |
2021-05-07 | CVE-2021-31471 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware 3D This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.1.37576. | 4.3 |
2021-05-07 | CVE-2021-32470 | Craftcms | Cross-site Scripting vulnerability in Craftcms Craft CMS Craft CMS before 3.6.13 has an XSS vulnerability. | 4.3 |
2021-05-07 | CVE-2021-26122 | Livinglogic | Cross-site Scripting vulnerability in Livinglogic Xist4C LivingLogic XIST4C before 0.107.8 allows XSS via feedback.htm or feedback.wihtm. | 4.3 |
2021-05-07 | CVE-2021-26123 | Livinglogic | Cross-site Scripting vulnerability in Livinglogic Xist4C LivingLogic XIST4C before 0.107.8 allows XSS via login.htm, login.wihtm, or login-form.htm. | 4.3 |
2021-05-07 | CVE-2021-32091 | Localstack | Cross-site Scripting vulnerability in Localstack 0.12.6 A Cross-site scripting (XSS) vulnerability exists in StackLift LocalStack 0.12.6. | 4.3 |
2021-05-07 | CVE-2021-32092 | NSA | Cross-site Scripting vulnerability in NSA Emissary 5.9.0 A Cross-site scripting (XSS) vulnerability in the DocumentAction component of U.S. | 4.3 |
2021-05-06 | CVE-2020-23263 | Fork CMS | Cross-site Scripting vulnerability in Fork-Cms Fork CMS 5.8.2 Persistent Cross-site scripting vulnerability on Fork CMS version 5.8.2 allows remote attackers to inject arbitrary Javascript code via the "navigation_title" parameter and the "title" parameter in /private/en/pages/add. | 4.3 |
2021-05-06 | CVE-2020-18889 | Puppycms | Cross-Site Request Forgery (CSRF) vulnerability in Puppycms 5.1 Cross Site Request Forgery (CSRF) vulnerability in puppyCMS v5.1 that can change the admin's password via /admin/settings.php. | 4.3 |
2021-05-06 | CVE-2021-1515 | Cisco | Unspecified vulnerability in Cisco Sd-Wan Vmanage A vulnerability in Cisco SD-WAN vManage Software could allow an unauthenticated, adjacent attacker to gain access to sensitive information. | 4.3 |
2021-05-06 | CVE-2021-24214 | Daggerhartlab | Cross-site Scripting vulnerability in Daggerhartlab Openid Connect Generic Client 3.8.0/3.8.1 The OpenID Connect Generic Client WordPress plugin 3.8.0 and 3.8.1 did not sanitise the login error when output back in the login form, leading to a reflected Cross-Site Scripting issue. | 4.3 |
2021-05-06 | CVE-2021-24245 | Trumani | Cross-site Scripting vulnerability in Trumani Stop Spammers The Stop Spammers WordPress plugin before 2021.9 did not escape user input when blocking requests (such as matching a spam word), outputting it in an attribute after sanitising it to remove HTML tags, which is not sufficient and lead to a reflected Cross-Site Scripting issue. | 4.3 |
2021-05-06 | CVE-2021-24251 | Strategy11 | Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Business Directory Plugin - Easy Listing Directories The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator update arbitrary payment history, such as change their status (from pending to completed to example) | 4.3 |
2021-05-06 | CVE-2021-31245 | Openmptcprouter | Improper Authentication vulnerability in Openmptcprouter omr-admin.py in openmptcprouter-vps-admin 0.57.3 and earlier compares the user provided password with the original password in a length dependent manner, which allows remote attackers to guess the password via a timing attack. | 4.3 |
2021-05-05 | CVE-2021-24293 | Imagely | Cross-site Scripting vulnerability in Imagely Nextgen Gallery In the eCommerce module of the NextGEN Gallery Pro WordPress plugin before 3.1.11, there is an action to call get_cart_items via photocrati_ajax , after that the settings[shipping_address][name] is able to inject malicious javascript. | 4.3 |
2021-05-05 | CVE-2021-24272 | Codeinitiator | Cross-Site Request Forgery (CSRF) vulnerability in Codeinitiator Fitness Calculators The fitness calculators WordPress plugin before 1.9.6 add calculators for Water intake, BMI calculator, protein Intake, and Body Fat and was lacking CSRF check, allowing attackers to make logged in users perform unwanted actions, such as change the calculator headers. | 4.3 |
2021-05-05 | CVE-2021-24276 | Supsystic | Cross-site Scripting vulnerability in Supsystic Contact Form The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue | 4.3 |
2021-05-05 | CVE-2021-24275 | Supsystic | Cross-site Scripting vulnerability in Supsystic Popup The Popup by Supsystic WordPress plugin before 1.10.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue | 4.3 |
2021-05-05 | CVE-2021-24274 | Supsystic | Cross-site Scripting vulnerability in Supsystic Ultimate Maps The Ultimate Maps by Supsystic WordPress plugin before 1.2.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue | 4.3 |
2021-05-05 | CVE-2021-20397 | IBM | Cross-site Scripting vulnerability in IBM Qradar Security Information and Event Manager IBM QRadar SIEM 7.3 and 7.4 is vulnerable to cross-site scripting. | 4.3 |
2021-05-05 | CVE-2020-13666 | Cross-site scripting vulnerability in Drupal Core. | 4.3 | |
2021-05-05 | CVE-2021-25179 | Solarwinds | Cross-site Scripting vulnerability in Solarwinds Serv-U File Server SolarWinds Serv-U before 15.2 is affected by Cross Site Scripting (XSS) via the HTTP Host header. | 4.3 |
2021-05-03 | CVE-2020-28945 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange Appsuite OX App Suite 7.10.4 and earlier allows XSS via crafted content to reach an undocumented feature, such as ![](http://onerror=Function.constructor, in a Notes item. | 4.3 |
2021-05-07 | CVE-2021-29499 | Sylabs | Use of Insufficiently Random Values vulnerability in Sylabs Singularity Image Format SIF is an open source implementation of the Singularity Container Image Format. | 4.0 |
2021-05-07 | CVE-2020-36124 | Paxtechnology | XXE vulnerability in Paxtechnology Paxstore Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by XML External Entity (XXE) injection. | 4.0 |
2021-05-07 | CVE-2020-36127 | Paxtechnology | Improper Certificate Validation vulnerability in Paxtechnology Paxstore Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by an information disclosure vulnerability. | 4.0 |
2021-05-07 | CVE-2021-30173 | Junhetec | Absolute Path Traversal vulnerability in Junhetec Omnidirectional Communication System 2007.2103 Local File Inclusion vulnerability of the omni-directional communication system allows remote authenticated attacker inject absolute path into Url parameter and access arbitrary file. | 4.0 |
2021-05-07 | CVE-2020-29445 | Atlassian | Server-Side Request Forgery (SSRF) vulnerability in Atlassian Confluence Server Affected versions of Confluence Server before 7.4.8, and versions from 7.5.0 before 7.11.0 allow attackers to identify internal hosts and ports via a blind server-side request forgery vulnerability in Team Calendars parameters. | 4.0 |
2021-05-07 | CVE-2021-32093 | NSA | Missing Authorization vulnerability in NSA Emissary 5.9.0 The ConfigFileAction component of U.S. | 4.0 |
2021-05-07 | CVE-2021-32100 | Artica | Unspecified vulnerability in Artica Pandora FMS 742 A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user. | 4.0 |
2021-05-06 | CVE-2021-28149 | Hongdian | Path Traversal vulnerability in Hongdian H8922 Firmware 3.0.5 Hongdian H8922 3.0.5 devices allow Directory Traversal. | 4.0 |
2021-05-06 | CVE-2021-22206 | Gitlab | Cleartext Storage of Sensitive Information vulnerability in Gitlab An issue has been discovered in GitLab affecting all versions starting from 11.6. | 4.0 |
2021-05-06 | CVE-2021-22208 | Gitlab | Missing Authorization vulnerability in Gitlab An issue has been discovered in GitLab affecting versions starting with 13.5 up to 13.9.7. | 4.0 |
2021-05-06 | CVE-2020-23128 | Chamilo | Improper Privilege Management vulnerability in Chamilo LMS 1.11.10 Chamilo LMS 1.11.10 does not properly manage privileges which could allow a user with Sessions administrator privilege to create a new user then use the edit user function to change this new user to administrator privilege. | 4.0 |
2021-05-06 | CVE-2021-24244 | Wpbakery Page Builder Clipboard Project | Incorrect Authorization vulnerability in Wpbakery Page Builder Clipboard Project Wpbakery Page Builder Clipboard An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.8 did not have capability checks, allowing low privilege users, such as subscribers, to update the license options (key, email). | 4.0 |
2021-05-05 | CVE-2021-24258 | Wpmet | Cross-site Scripting vulnerability in Wpmet Elements KIT Elementor Addons The Elements Kit Lite and Elements Kit Pro WordPress Plugins before 2.2.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | 4.0 |
2021-05-05 | CVE-2020-4993 | IBM | Path Traversal vulnerability in IBM Qradar Security Information and Event Manager IBM QRadar SIEM 7.3 and 7.4 when decompressing or verifying signature of zip files processes data in a way that may be vulnerable to path traversal attacks. | 4.0 |
2021-05-05 | CVE-2020-4883 | IBM | Information Exposure vulnerability in IBM Qradar Security Information and Event Manager IBM QRadar SIEM 7.3 and 7.4 could disclose sensitive information about other domains which could be used in further attacks against the system. | 4.0 |
2021-05-03 | CVE-2020-20218 | Mikrotik | Out-of-bounds Write vulnerability in Mikrotik Routeros 6.44.6 Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/traceroute process. | 4.0 |
2021-05-03 | CVE-2020-20247 | Mikrotik | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mikrotik Routeros Mikrotik RouterOs before 6.46.5 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/traceroute process. | 4.0 |
35 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-05-07 | CVE-2020-11293 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Out of bound read can happen in Widevine TA while copying data to buffer from user data due to lack of check of buffer length received in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 3.6 |
2021-05-06 | CVE-2021-3501 | Linux Redhat Fedoraproject Netapp | Out-of-bounds Write vulnerability in multiple products A flaw was found in the Linux kernel in versions before 5.12. | 3.6 |
2021-05-07 | CVE-2021-30170 | Junhetec | Cross-site Scripting vulnerability in Junhetec Enterprise Resource Planning Point of Sale System 2013.10 Special characters of ERP POS customer profile page are not filtered in users’ input, which allow remote authenticated attackers can inject malicious JavaScript and carry out stored XSS (Stored Cross-site scripting) attacks, additionally access and manipulate customer’s information. | 3.5 |
2021-05-07 | CVE-2021-30171 | Junhetec | Cross-site Scripting vulnerability in Junhetec Enterprise Resource Planning Point of Sale System 2013.10 Special characters of ERP POS news page are not filtered in users’ input, which allow remote authenticated attackers can inject malicious JavaScript and carry out stored XSS (Stored Cross-site scripting) attacks, additionally access and manipulate customer’s information. | 3.5 |
2021-05-07 | CVE-2021-30172 | Junhetec | Cross-site Scripting vulnerability in Junhetec Omnidirectional Communication System 2007.1901 Special characters of picture preview page in the Quan-Fang-Wei-Tong-Xun system are not filtered in users’ input, which allow remote authenticated attackers can inject malicious JavaScript and carry out Reflected XSS (Cross-site scripting) attacks, additionally access and manipulate customer’s information. | 3.5 |
2021-05-07 | CVE-2020-29444 | Atlassian | Cross-site Scripting vulnerability in Atlassian Confluence Data Center and Confluence Server Affected versions of Team Calendar in Confluence Server before 7.11.0 allow attackers to inject arbitrary HTML or Javascript via a Cross Site Scripting Vulnerability in admin global setting parameters. | 3.5 |
2021-05-07 | CVE-2021-32103 | Open EMR | Cross-site Scripting vulnerability in Open-Emr Openemr A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows a admin authenticated user to inject arbitrary web script or HTML via the lname parameter. | 3.5 |
2021-05-06 | CVE-2021-22211 | Gitlab | Incorrect Authorization vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. | 3.5 |
2021-05-06 | CVE-2021-24243 | Wpbakery Page Builder Clipboard Project | Cross-site Scripting vulnerability in Wpbakery Page Builder Clipboard Project Wpbakery Page Builder Clipboard An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.6 did not have capability checks nor sanitization, allowing low privilege users (subscriber+) to call it and set XSS payloads, which will be triggered in all backend pages. | 3.5 |
2021-05-06 | CVE-2021-24247 | Mooveagency | Cross-site Scripting vulnerability in Mooveagency Contact Form Check Tester The Contact Form Check Tester WordPress plugin through 1.0.2 settings are visible to all registered users in the dashboard and are lacking any sanitisation. | 3.5 |
2021-05-05 | CVE-2021-24263 | Ideabox | Cross-site Scripting vulnerability in Ideabox Powerpack Addons for Elementor The “Elementor Addons – PowerPack Addons for Elementor” WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | 3.5 |
2021-05-05 | CVE-2021-24271 | Brainstormforce | Cross-site Scripting vulnerability in Brainstormforce Ultimate Addons for Elementor The “Ultimate Addons for Elementor” WordPress Plugin before 1.30.0 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | 3.5 |
2021-05-05 | CVE-2021-24269 | Sinaextra | Cross-site Scripting vulnerability in Sinaextra Sina Extension for Elementor The “Sina Extension for Elementor” WordPress Plugin before 3.3.12 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | 3.5 |
2021-05-05 | CVE-2021-24264 | Blocksera | Cross-site Scripting vulnerability in Blocksera Image Hover Effects The “Image Hover Effects – Elementor Addon” WordPress Plugin before 1.3.4 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | 3.5 |
2021-05-05 | CVE-2021-24262 | Hasthemes | Cross-site Scripting vulnerability in Hasthemes Woolentor - Woocommerce Elementor Addons + Builder The “WooLentor – WooCommerce Elementor Addons + Builder” WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | 3.5 |
2021-05-05 | CVE-2021-24255 | Wpdeveloper | Cross-site Scripting vulnerability in Wpdeveloper Essential Addons for Elementor The Essential Addons for Elementor Lite WordPress Plugin before 4.5.4 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, both via a similar method. | 3.5 |
2021-05-05 | CVE-2021-24268 | The “JetWidgets For Elementor” WordPress Plugin before 1.0.9 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | 3.5 | |
2021-05-05 | CVE-2021-24267 | Themesgrove | Cross-site Scripting vulnerability in Themesgrove All-In-One Addons for Elementor The “All-in-One Addons for Elementor – WidgetKit” WordPress Plugin before 2.3.10 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | 3.5 |
2021-05-05 | CVE-2021-24266 | Posimyth | Cross-site Scripting vulnerability in Posimyth the Plus Addons for Elementor Page Builder Lite The “The Plus Addons for Elementor Page Builder Lite” WordPress Plugin before 2.0.6 has four widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | 3.5 |
2021-05-05 | CVE-2021-24265 | Apollo13Themes | Cross-site Scripting vulnerability in Apollo13Themes Rife Elementor Extensions & Templates The “Rife Elementor Extensions & Templates” WordPress Plugin before 1.1.6 has a widget that is vulnerable to stored Cross-Site Scripting(XSS) by lower-privileged users such as contributors, all via a similar method. | 3.5 |
2021-05-05 | CVE-2021-24273 | Cleversoft | Cross-site Scripting vulnerability in Cleversoft Clever Addons for Elementor The “Clever Addons for Elementor” WordPress Plugin before 2.1.0 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | 3.5 |
2021-05-05 | CVE-2021-24260 | Livemeshelementor | Cross-site Scripting vulnerability in Livemeshelementor Addons for Elementor The “Livemesh Addons for Elementor” WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | 3.5 |
2021-05-05 | CVE-2021-24259 | Webtechstreet | Cross-site Scripting vulnerability in Webtechstreet Elementor Addon Elements The “Elementor Addon Elements” WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | 3.5 |
2021-05-05 | CVE-2021-24257 | Leap13 | Cross-site Scripting vulnerability in Leap13 Premium Addons for Elementor The “Premium Addons for Elementor” WordPress Plugin before 4.2.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | 3.5 |
2021-05-05 | CVE-2021-24256 | Brainstormforce | Cross-site Scripting vulnerability in Brainstormforce Elementor - Header, Footer & Blocks Template The “Elementor – Header, Footer & Blocks Template” WordPress Plugin before 1.5.8 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | 3.5 |
2021-05-05 | CVE-2021-29489 | Highcharts Netapp | Cross-site Scripting vulnerability in multiple products Highcharts JS is a JavaScript charting library based on SVG. | 3.5 |
2021-05-05 | CVE-2020-4929 | IBM | Cross-site Scripting vulnerability in IBM Qradar Security Information and Event Manager IBM QRadar SIEM 7.3 and 7.4 is vulnerable to cross-site scripting. | 3.5 |
2021-05-05 | CVE-2021-29250 | Btcpayserver | Cross-site Scripting vulnerability in Btcpayserver Btcpay Server BTCPay Server through 1.0.7.0 suffers from a Stored Cross Site Scripting (XSS) vulnerability within the POS Add Products functionality. | 3.5 |
2021-05-05 | CVE-2020-22428 | Solarwinds | Cross-site Scripting vulnerability in Solarwinds Serv-U FTP Server and Serv-U MFT Server SolarWinds Serv-U before 15.1.6 Hotfix 3 is affected by Cross Site Scripting (XSS) via a directory name (entered by an admin) containing a JavaScript payload. | 3.5 |
2021-05-04 | CVE-2020-4987 | IBM | Cross-site Scripting vulnerability in IBM Flashsystem 900 Firmware 1.4 The IBM FlashSystem 900 user management GUI is vulnerable to stored cross-site scripting in code versions 1.5.2.8 and prior and 1.6.1.2 and prior. | 3.5 |
2021-05-05 | CVE-2021-25317 | Suse Fedoraproject | Incorrect Default Permissions vulnerability in multiple products A Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows local attackers with control of the lp users to create files as root with 0644 permissions without the ability to set the content. | 3.3 |
2021-05-07 | CVE-2020-11254 | Qualcomm | NULL Pointer Dereference vulnerability in Qualcomm products Memory corruption during buffer allocation due to dereferencing session ctx pointer without checking if pointer is valid in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile | 2.1 |
2021-05-07 | CVE-2021-1906 | Qualcomm | Improper Handling of Exceptional Conditions vulnerability in Qualcomm products Improper handling of address deregistration on failure can lead to new GPU address allocation failure. | 2.1 |
2021-05-06 | CVE-2021-27941 | Coolkit | Insufficiently Protected Credentials vulnerability in Coolkit Ewelink Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process. | 2.1 |
2021-05-06 | CVE-2021-28150 | Hongdian | Forced Browsing vulnerability in Hongdian H8922 Firmware 3.0.5 Hongdian H8922 3.0.5 devices allow the unprivileged guest user to read cli.conf (with the administrator password and other sensitive data) via /backup2.cgi. | 2.1 |