Weekly Vulnerabilities Reports > May 17 to 23, 2021

Overview

266 new vulnerabilities reported during this period, including 20 critical vulnerabilities and 23 high severity vulnerabilities. This weekly summary report vulnerabilities in 582 products from 120 vendors including GNU, Redhat, Cisco, IBM, and Mikrotik. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Command Injection", "Cross-Site Request Forgery (CSRF)", and "Information Exposure".

  • 236 reported vulnerabilities are remotely exploitables.
  • 2 reported vulnerabilities have public exploit available.
  • 93 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 192 reported vulnerabilities are exploitable by an anonymous user.
  • GNU has the most reported vulnerabilities, with 24 reported vulnerabilities.
  • Cisco has the most reported critical vulnerabilities, with 13 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

20 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-05-21 CVE-2021-33514 Netgear OS Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker via the vulnerable /sqfs/lib/libsal.so.0.0 library used by a CGI application, as demonstrated by setup.cgi?token=';$HTTP_USER_AGENT;' with an OS command in the User-Agent field.

10.0
2021-05-21 CVE-2021-31474 Solarwinds Deserialization of Untrusted Data vulnerability in Solarwinds Network Performance Monitor

This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1.

10.0
2021-05-18 CVE-2021-31316 Centos Webpanel SQL Injection vulnerability in Centos-Webpanel Centos web Panel

The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter.

10.0
2021-05-18 CVE-2021-31324 Centos Webpanel Command Injection vulnerability in Centos-Webpanel Centos web Panel

The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution.

10.0
2021-05-18 CVE-2021-32305 Websvn OS Command Injection vulnerability in Websvn

WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.

10.0
2021-05-18 CVE-2021-32238 Psyonix Out-of-bounds Write vulnerability in Psyonix Rocket League

Epic Games / Psyonix Rocket League <=1.95 is affected by Buffer Overflow.

9.3
2021-05-22 CVE-2021-1487 Cisco OS Command Injection vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute arbitrary commands on an affected system.

9.0
2021-05-22 CVE-2021-1531 Cisco Argument Injection or Modification vulnerability in Cisco Modeling Labs

A vulnerability in the web UI of Cisco Modeling Labs could allow an authenticated, remote attacker to execute arbitrary commands with the privileges of the web application on the underlying operating system of an affected Cisco Modeling Labs server.

9.0
2021-05-22 CVE-2021-1547 Cisco Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device.

9.0
2021-05-22 CVE-2021-1548 Cisco Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device.

9.0
2021-05-22 CVE-2021-1549 Cisco Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device.

9.0
2021-05-22 CVE-2021-1550 Cisco Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device.

9.0
2021-05-22 CVE-2021-1551 Cisco Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device.

9.0
2021-05-22 CVE-2021-1552 Cisco Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device.

9.0
2021-05-22 CVE-2021-1553 Cisco Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device.

9.0
2021-05-22 CVE-2021-1554 Cisco Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device.

9.0
2021-05-22 CVE-2021-1555 Cisco Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device.

9.0
2021-05-22 CVE-2021-1559 Cisco OS Command Injection vulnerability in Cisco DNA Spaces: Connector 2.0

Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, remote attacker to perform a command injection attack on an affected device.

9.0
2021-05-22 CVE-2021-1560 Cisco OS Command Injection vulnerability in Cisco DNA Spaces: Connector 2.0

Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, remote attacker to perform a command injection attack on an affected device.

9.0
2021-05-21 CVE-2021-31475 Solarwinds Incorrect Permission Assignment for Critical Resource vulnerability in Solarwinds Orion JOB Scheduler 2020.2.1

This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Orion Job Scheduler 2020.2.1 HF 2.

9.0

23 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-05-21 CVE-2021-33509 Plone Incorrect Permission Assignment for Critical Resource vulnerability in Plone

Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.

8.5
2021-05-20 CVE-2021-20719 Nippon Antenna OS Command Injection vulnerability in Nippon-Antenna Rfntps Firmware

RFNTPS firmware versions System_01000004 and earlier, and Web_01000004 and earlier allow an attacker on the same network segment to execute arbitrary OS commands with a root privilege via unspecified vectors.

7.7
2021-05-21 CVE-2018-25011 Webmproject
Redhat
Out-of-bounds Write vulnerability in multiple products

A flaw was found in libwebp in versions before 1.0.1.

7.5
2021-05-21 CVE-2018-25014 Webmproject
Redhat
Use of Uninitialized Resource vulnerability in multiple products

A flaw was found in libwebp in versions before 1.0.1.

7.5
2021-05-21 CVE-2020-36328 Webmproject
Redhat
Out-of-bounds Write vulnerability in multiple products

A flaw was found in libwebp in versions before 1.0.1.

7.5
2021-05-21 CVE-2020-36329 Webmproject
Redhat
Use After Free vulnerability in multiple products

A flaw was found in libwebp in versions before 1.0.1.

7.5
2021-05-20 CVE-2021-27459 Emerson Unrestricted Upload of File with Dangerous Type vulnerability in Emerson products

A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer.

7.5
2021-05-20 CVE-2021-20720 Kujirahand SQL Injection vulnerability in Kujirahand Konawiki

SQL injection vulnerability in the KonaWiki2 versions prior to 2.2.4 allows remote attackers to execute arbitrary SQL commands and to obtain/alter the information stored in the database via unspecified vectors.

7.5
2021-05-20 CVE-2021-20721 Kujirahand Unrestricted Upload of File with Dangerous Type vulnerability in Kujirahand Konawiki

KonaWiki2 versions prior to 2.2.4 allows a remote attacker to upload arbitrary files via unspecified vectors.

7.5
2021-05-19 CVE-2021-33204 Pgxn Command Injection vulnerability in Pgxn PG Partman

In the pg_partman (aka PG Partition Manager) extension before 4.5.1 for PostgreSQL, arbitrary code execution can be achieved via SECURITY DEFINER functions because an explicit search_path is not set.

7.5
2021-05-19 CVE-2017-17674 BMC Server-Side Request Forgery (SSRF) vulnerability in BMC Remedy Mid-Tier 9.1

BMC Remedy Mid Tier 9.1SP3 is affected by remote and local file inclusion.

7.5
2021-05-19 CVE-2021-3517 Xmlsoft
Redhat
Fedoraproject
Debian
Netapp
Out-of-bounds Write vulnerability in multiple products

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11.

7.5
2021-05-18 CVE-2020-18178 Hongcms Project Path Traversal vulnerability in Hongcms Project Hongcms 4.0.0

Path Traversal in HongCMS v4.0.0 allows remote attackers to view, edit, and delete arbitrary files via a crafted POST request to the component "/hcms/admin/index.php/language/ajax."

7.5
2021-05-18 CVE-2020-20951 Pluck CMS Command Injection vulnerability in Pluck-Cms Pluck 4.7.10

In Pluck-4.7.10-dev2 admin background, a remote command execution vulnerability exists when uploading files.

7.5
2021-05-17 CVE-2021-24314 Boostifythemes SQL Injection vulnerability in Boostifythemes Goto 2.0

The Goto WordPress theme before 2.1 did not sanitise, validate of escape the keywords GET parameter from its listing page before using it in a SQL statement, leading to an Unauthenticated SQL injection issue

7.5
2021-05-17 CVE-2021-27734 Belden Insufficiently Protected Credentials vulnerability in Belden Hirschmann Hios and Hisecos

Hirschmann HiOS 07.1.01, 07.1.02, and 08.1.00 through 08.5.xx and HiSecOS 03.3.00 through 03.5.01 allow remote attackers to change the credentials of existing users.

7.5
2021-05-22 CVE-2021-1557 Cisco OS Command Injection vulnerability in Cisco DNA Spaces: Connector

Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root.

7.2
2021-05-22 CVE-2021-1558 Cisco OS Command Injection vulnerability in Cisco DNA Spaces: Connector

Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root.

7.2
2021-05-21 CVE-2021-21552 Microsoft Incorrect Authorization vulnerability in Microsoft Windows 10

Dell Wyse Windows Embedded System versions WIE10 LTSC 2019 and earlier contain an improper authorization vulnerability.

7.2
2021-05-20 CVE-2020-24395 HOM EE Insufficient Verification of Data Authenticity vulnerability in Hom.Ee Brain Cube Core 2.28.2/2.28.4

The USB firmware update script of homee Brain Cube v2 (2.28.2 and 2.28.4) devices allows an attacker with physical access to install compromised firmware.

7.2
2021-05-17 CVE-2021-25264 Sophos Code Injection vulnerability in Sophos Home and Intercept X

In multiple versions of Sophos Endpoint products for MacOS, a local attacker could execute arbitrary code with administrator privileges.

7.2
2021-05-17 CVE-2021-31727 Malwarefox Incorrect Authorization vulnerability in Malwarefox Antimalware 2.74.0.150

Incorrect access control in zam64.sys, zam32.sys in MalwareFox AntiMalware 2.74.0.150 where IOCTL's 0x80002014, 0x80002018 expose unrestricted disk read/write capabilities respectively.

7.2
2021-05-17 CVE-2021-31728 Malwarefox Incorrect Authorization vulnerability in Malwarefox Antimalware 2.74.0.150

Incorrect access control in zam64.sys, zam32.sys in MalwareFox AntiMalware 2.74.0.150 allows a non-privileged process to open a handle to \.\ZemanaAntiMalware, register itself with the driver by sending IOCTL 0x80002010, allocate executable memory using a flaw in IOCTL 0x80002040, install a hook with IOCTL 0x80002044 and execute the executable memory using this hook with IOCTL 0x80002014 or 0x80002018, this exposes ring 0 code execution in the context of the driver allowing the non-privileged process to elevate privileges.

7.2

193 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-05-21 CVE-2021-31440 Linux Incorrect Calculation vulnerability in Linux Kernel 5.11.15

This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15.

6.9
2021-05-17 CVE-2020-24755 UI Uncontrolled Search Path Element vulnerability in UI Unifi Video 3.10.13

In Ubiquiti UniFi Video v3.10.13, when the executable starts, its first library validation is in the current directory.

6.9
2021-05-21 CVE-2021-21549 Dell Cross-Site Request Forgery (CSRF) vulnerability in Dell Xtremio Management Server 6.3.0

Dell EMC XtremIO Versions prior to 6.3.3-8, contain a Cross-Site Request Forgery Vulnerability in XMS.

6.8
2021-05-21 CVE-2021-31473 Foxitsoftware Out-of-bounds Write vulnerability in Foxitsoftware Phantompdf

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.3.37598.

6.8
2021-05-20 CVE-2021-25931 Opennms Cross-Site Request Forgery (CSRF) vulnerability in Opennms Horizon and Meridian

In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection at `/opennms/admin/userGroupView/users/updateUser`.

6.8
2021-05-18 CVE-2021-30145 MPV Use of Externally-Controlled Format String vulnerability in MPV

A format string vulnerability in mpv through 0.33.0 allows user-assisted remote attackers to achieve code execution via a crafted m3u playlist file.

6.8
2021-05-18 CVE-2021-3518 Xmlsoft
Debian
Redhat
Fedoraproject
Netapp
Use After Free vulnerability in multiple products

There's a flaw in libxml2 in versions before 2.9.11.

6.8
2021-05-17 CVE-2020-18195 Pluck CMS Cross-Site Request Forgery (CSRF) vulnerability in Pluck-Cms Pluck 4.7.9

Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page."

6.8
2021-05-17 CVE-2020-18198 Pluck CMS Cross-Site Request Forgery (CSRF) vulnerability in Pluck-Cms Pluck 4.7.9

Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images."

6.8
2021-05-17 CVE-2020-21831 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_handles ../../src/decode.c:2637.

6.8
2021-05-17 CVE-2020-21842 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_revhistory ../../src/decode.c:3051.

6.8
2021-05-17 CVE-2020-21843 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_read_RC ../../src/bits.c:318.

6.8
2021-05-17 CVE-2020-21844 GNU Unspecified vulnerability in GNU Libredwg 0.10

GNU LibreDWG 0.10 is affected by: memcpy-param-overlap.

6.8
2021-05-17 CVE-2020-21830 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10

A heap based buffer overflow vulneraibility exists in GNU LibreDWG 0.10 via bit_calc_CRC ../../src/bits.c:2213.

6.8
2021-05-17 CVE-2020-21832 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_compressed_section ../../src/decode.c:2417.

6.8
2021-05-17 CVE-2020-21833 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via: read_2004_section_classes ../../src/decode.c:2440.

6.8
2021-05-17 CVE-2020-21836 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_preview ../../src/decode.c:3175.

6.8
2021-05-17 CVE-2020-21838 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via: read_2004_section_appinfo ../../src/decode.c:2842.

6.8
2021-05-17 CVE-2020-21840 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_search_sentinel ../../src/bits.c:1985.

6.8
2021-05-17 CVE-2020-21841 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_read_B ../../src/bits.c:135.

6.8
2021-05-17 CVE-2020-21827 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_compressed_section ../../src/decode.c:2379.

6.8
2021-05-17 CVE-2020-21814 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10.2641

A heap based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via htmlwescape ../../programs/escape.c:97.

6.8
2021-05-17 CVE-2020-21816 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10.2641

A heab based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via htmlescape ../../programs/escape.c:46.

6.8
2021-05-17 CVE-2020-21818 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10.2641

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10.2641 via htmlescape ../../programs/escape.c:48.

6.8
2021-05-17 CVE-2020-21819 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10.2641

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10.2641via htmlescape ../../programs/escape.c:51.

6.8
2021-05-17 CVE-2020-21813 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10.2641

A heap based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via output_TEXT ../../programs/dwg2SVG.c:114.

6.8
2021-05-17 CVE-2021-32402 Intelbras Cross-Site Request Forgery (CSRF) vulnerability in Intelbras RF 301K Firmware 1.1.2

Intelbras Router RF 301K Firmware 1.1.2 is vulnerable to Cross Site Request Forgery (CSRF) due to lack of validation and insecure configurations in inputs and modules.

6.8
2021-05-17 CVE-2021-32403 Intelbras Cross-Site Request Forgery (CSRF) vulnerability in Intelbras RF 301K Firmware 1.1.2

Intelbras Router RF 301K Firmware 1.1.2 is vulnerable to Cross Site Request Forgery (CSRF) due to lack of security mechanisms for token protection and unsafe inputs and modules.

6.8
2021-05-21 CVE-2020-23765 Bludit Unrestricted Upload of File with Dangerous Type vulnerability in Bludit 3.12.0

A file upload vulnerability was discovered in the file path /bl-plugins/backup/plugin.php on Bludit version 3.12.0.

6.5
2021-05-21 CVE-2021-27811 Qibosoft Code Injection vulnerability in Qibosoft 1.0

A code injection vulnerability has been discovered in the Upgrade function of QibosoftX1 v1.0.

6.5
2021-05-21 CVE-2021-32634 NSA Deserialization of Untrusted Data vulnerability in NSA Emissary 6.4.0

Emissary is a distributed, peer-to-peer, data-driven workflow framework.

6.5
2021-05-21 CVE-2021-32633 Plone
Zope
Path Traversal vulnerability in multiple products

Zope is an open-source web application server.

6.5
2021-05-20 CVE-2021-33477 Eterm Project
Mrxvt Project
Rxvt Unicode Project
Rxvt Project
Improper Handling of Exceptional Conditions vulnerability in multiple products

rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q).

6.5
2021-05-20 CVE-2021-32630 Admidio Unrestricted Upload of File with Dangerous Type vulnerability in Admidio

Admidio is a free, open source user management system for websites of organizations and groups.

6.5
2021-05-20 CVE-2021-29686 IBM Incorrect Permission Assignment for Critical Resource vulnerability in IBM Security Identity Manager 7.0.2

IBM Security Identity Manager 7.0.2 could allow an authenticated user to bypass security and perform actions that they should not have access to.

6.5
2021-05-20 CVE-2021-28111 Draeger Use of Hard-coded Credentials vulnerability in Draeger X-Dock Firmware

Draeger X-Dock Firmware before 03.00.13 has Hard-Coded Credentials, leading to remote code execution by an authenticated attacker.

6.5
2021-05-20 CVE-2021-28112 Draeger Unspecified vulnerability in Draeger X-Dock Firmware

Draeger X-Dock Firmware before 03.00.13 has Active Debug Code on a debug port, leading to remote code execution by an authenticated attacker.

6.5
2021-05-19 CVE-2017-17677 BMC Incorrect Permission Assignment for Critical Resource vulnerability in BMC Remedy Mid-Tier 9.1

BMC Remedy 9.1SP3 is affected by authenticated code execution.

6.5
2021-05-18 CVE-2021-31827 Progress SQL Injection vulnerability in Progress Moveit Transfer

In Progress MOVEit Transfer before 2021.0 (13.0), a SQL injection vulnerability has been found in the MOVEit Transfer web app that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer's database.

6.5
2021-05-17 CVE-2021-24289 DE Baat Improper Privilege Management vulnerability in De-Baat Store Locator Plus

There is functionality in the Store Locator Plus for WordPress plugin through 5.5.14 that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin.

6.5
2021-05-17 CVE-2021-29053 Liferay SQL Injection vulnerability in Liferay DXP and Liferay Portal

Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C.

6.5
2021-05-21 CVE-2018-25009 Webmproject
Redhat
Out-of-bounds Read vulnerability in multiple products

A flaw was found in libwebp in versions before 1.0.1.

6.4
2021-05-21 CVE-2018-25010 Webmproject
Redhat
Out-of-bounds Read vulnerability in multiple products

A flaw was found in libwebp in versions before 1.0.1.

6.4
2021-05-21 CVE-2018-25012 Webmproject
Redhat
Out-of-bounds Read vulnerability in multiple products

A flaw was found in libwebp in versions before 1.0.1.

6.4
2021-05-21 CVE-2018-25013 Webmproject
Redhat
Out-of-bounds Read vulnerability in multiple products

A flaw was found in libwebp in versions before 1.0.1.

6.4
2021-05-21 CVE-2020-36330 Webmproject
Redhat
Out-of-bounds Read vulnerability in multiple products

A flaw was found in libwebp in versions before 1.0.1.

6.4
2021-05-21 CVE-2020-36331 Webmproject
Redhat
Out-of-bounds Read vulnerability in multiple products

A flaw was found in libwebp in versions before 1.0.1.

6.4
2021-05-19 CVE-2020-36364 Smartstore Path Traversal vulnerability in Smartstore Smartstorenet

An issue was discovered in Smartstore (aka SmartStoreNET) before 4.1.0.

6.4
2021-05-17 CVE-2020-4669 IBM Missing Authorization vulnerability in IBM Planning Analytics Cloud and Planning Analytics Local

IBM Planning Analytics Local 2.0 connects to a MongoDB server.

6.4
2021-05-17 CVE-2020-4670 IBM Improper Authentication vulnerability in IBM Planning Analytics Cloud and Planning Analytics Local

IBM Planning Analytics Local 2.0 connects to a Redis server.

6.4
2021-05-17 CVE-2021-32455 Sitel SA Resource Exhaustion vulnerability in Sitel-Sa Cap/Prx Firmware 5.2.01

SITEL CAP/PRX firmware version 5.2.01, allows an attacker with access to the device´s network to cause a denial of service condition on the device.

6.1
2021-05-22 CVE-2021-1358 Cisco Open Redirect vulnerability in Cisco Finesse

A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to redirect a user to an undesired web page.

5.8
2021-05-21 CVE-2021-31439 Synology Heap-based Buffer Overflow vulnerability in Synology Diskstation Manager

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager.

5.8
2021-05-20 CVE-2021-27467 Emerson Improper Restriction of Rendered UI Layers or Frames vulnerability in Emerson products

A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer.

5.8
2021-05-19 CVE-2021-29622 Prometheus Open Redirect vulnerability in Prometheus

Prometheus is an open-source monitoring system and time series database.

5.8
2021-05-19 CVE-2020-36365 Smartstore Open Redirect vulnerability in Smartstore Smartstorenet

Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect.

5.8
2021-05-18 CVE-2021-31320 Telegram Out-of-bounds Write vulnerability in Telegram

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Heap Buffer Overflow in the VGradientCache::generateGradientColorTable function of their custom fork of the rlottie library.

5.8
2021-05-18 CVE-2021-31321 Telegram Out-of-bounds Write vulnerability in Telegram

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Stack Based Overflow in the gray_split_cubic function of their custom fork of the rlottie library.

5.8
2021-05-17 CVE-2021-23384 KOA Remove Trailing Slashes Project Open Redirect vulnerability in Koa-Remove-Trailing-Slashes Project Koa-Remove-Trailing-Slashes 1.0.0/2.0.0/2.0.1

The package koa-remove-trailing-slashes before 2.0.2 are vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.com//attacker.example/).

5.8
2021-05-17 CVE-2021-32454 Sitel SA Use of Hard-coded Credentials vulnerability in Sitel-Sa Remote Cap/Prx Firmware 5.2.01

SITEL CAP/PRX firmware version 5.2.01 makes use of a hardcoded password.

5.8
2021-05-17 CVE-2021-32618 Flask Security Project Open Redirect vulnerability in Flask-Security Project Flask-Security

The Python "Flask-Security-Too" package is used for adding security features to your Flask application.

5.8
2021-05-17 CVE-2021-24288 Acymailing Open Redirect vulnerability in Acymailing

When subscribing using AcyMailing, the 'redirect' parameter isn't properly sanitized.

5.8
2021-05-21 CVE-2020-23766 Htmly Improper Input Validation vulnerability in Htmly 2.7.5

An arbitrary file deletion vulnerability was discovered on htmly v2.7.5 which allows remote attackers to use any absolute path to delete any file in the server should they gain Administrator privileges.

5.5
2021-05-20 CVE-2020-21057 Fusionpbx Path Traversal vulnerability in Fusionpbx 4.5.7

Directory Traversal vulnerability in FusionPBX 4.5.7, which allows a remote malicious user to delete folders on the system via the folder variable to app/edit/folderdelete.php.

5.5
2021-05-19 CVE-2021-3445 RPM
Fedoraproject
Redhat
Improper Verification of Cryptographic Signature vulnerability in multiple products

A flaw was found in libdnf's signature verification functionality in versions before 0.60.1.

5.1
2021-05-21 CVE-2021-33511 Plone Server-Side Request Forgery (SSRF) vulnerability in Plone

Plone though 5.2.4 allows SSRF via the lxml parser.

5.0
2021-05-21 CVE-2021-33500 Putty Unspecified vulnerability in Putty

PuTTY before 0.75 on Windows allows remote servers to cause a denial of service (Windows GUI hang) by telling the PuTTY window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls.

5.0
2021-05-21 CVE-2020-23768 Phpyun Information Exposure vulnerability in PHPyun 4.6

An information disclosure vulnerability was discovered in alipay_function.php in the log file of Alibaba payment interface on PHPPYUN prior to version 5.0.1.

5.0
2021-05-21 CVE-2021-29681 IBM Information Exposure vulnerability in IBM Infosphere Information Server 11.7

IBM InfoSphere Information Server 11.7 could allow an attacker to obtain sensitive information by injecting parameters into an HTML query.

5.0
2021-05-21 CVE-2020-36332 Webmproject
Redhat
Resource Exhaustion vulnerability in multiple products

A flaw was found in libwebp in versions before 1.0.1.

5.0
2021-05-21 CVE-2020-12061 Nitrokey Insufficiently Protected Credentials vulnerability in Nitrokey Fido U2F Firmware

An issue was discovered in Nitrokey FIDO U2F firmware through 1.1.

5.0
2021-05-21 CVE-2021-32032 Linaro Memory Leak vulnerability in Linaro Trusted Firmware-M

In Trusted Firmware-M through 1.3.0, cleaning up the memory allocated for a multi-part cryptographic operation (in the event of a failure) can prevent the abort() operation in the associated cryptographic library from freeing internal resources, causing a memory leak.

5.0
2021-05-21 CVE-2021-28798 Qnap Relative Path Traversal vulnerability in Qnap QTS

A relative path traversal vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero.

5.0
2021-05-20 CVE-2020-27209 Micro ECC Project Unspecified vulnerability in Micro-Ecc Project Micro-Ecc 1.0

The ECDSA operation of the micro-ecc library 1.0 is vulnerable to simple power analysis attacks which allows an adversary to extract the private ECC key.

5.0
2021-05-20 CVE-2020-18220 Html JS Inadequate Encryption Strength vulnerability in Html-Js Doracms

Weak Encoding for Password in DoraCMS v2.1.1 and earlier allows attackers to obtain sensitive information as it does not use a random salt or IV for its AES-CBC encryption, causes password encrypted for users to be susceptible to dictionary attacks.

5.0
2021-05-20 CVE-2021-28902 Cesnet Unchecked Return Value vulnerability in Cesnet Libyang

In function read_yin_container() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL.

5.0
2021-05-20 CVE-2021-28903 Cesnet Uncontrolled Recursion vulnerability in Cesnet Libyang

A stack overflow in libyang <= v1.0.225 can cause a denial of service through function lyxml_parse_mem().

5.0
2021-05-20 CVE-2021-28904 Cesnet Unchecked Return Value vulnerability in Cesnet Libyang

In function ext_get_plugin() in libyang <= v1.0.225, it doesn't check whether the value of revision is NULL.

5.0
2021-05-20 CVE-2021-28905 Cesnet Reachable Assertion vulnerability in Cesnet Libyang

In function lys_node_free() in libyang <= v1.0.225, it asserts that the value of node->module can't be NULL.

5.0
2021-05-20 CVE-2021-28906 Cesnet Unchecked Return Value vulnerability in Cesnet Libyang

In function read_yin_leaf() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL.

5.0
2021-05-20 CVE-2021-28682 Envoyproxy Integer Overflow or Wraparound vulnerability in Envoyproxy Envoy

An issue was discovered in Envoy through 1.71.1.

5.0
2021-05-20 CVE-2021-28683 Envoyproxy NULL Pointer Dereference vulnerability in Envoyproxy Envoy 1.16.2/1.17.1

An issue was discovered in Envoy through 1.71.1.

5.0
2021-05-20 CVE-2021-29258 Envoyproxy Reachable Assertion vulnerability in Envoyproxy Envoy

An issue was discovered in Envoy 1.14.0.

5.0
2021-05-20 CVE-2020-35580 Searchblox Insufficiently Protected Credentials vulnerability in Searchblox

A local file inclusion vulnerability in the FileServlet in all SearchBlox before 9.2.2 allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request.

5.0
2021-05-20 CVE-2021-27432 Opcfoundation Uncontrolled Recursion vulnerability in Opcfoundation Ua-.Net-Legacy and UA .Net Standard Stack

OPC Foundation UA .NET Standard versions prior to 1.4.365.48 and OPC UA .NET Legacy are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow.

5.0
2021-05-20 CVE-2020-4850 IBM Improper Encoding or Escaping of Output vulnerability in IBM Gpfs.Tct.Server

IBM Spectrum Scale 1.1.1.0 through 1.1.8.4 Transparent Cloud Tiering could allow a remote attacker to obtain sensitive information, caused by the leftover files after configuration.

5.0
2021-05-20 CVE-2021-29682 IBM Information Exposure Through an Error Message vulnerability in IBM Security Identity Manager 7.0.2

IBM Security Identity Manager 7.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

5.0
2021-05-20 CVE-2021-29687 IBM Information Exposure Through Discrepancy vulnerability in IBM Security Identity Manager 6.0.2

IBM Security Identity Manager 7.0.2 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts.

5.0
2021-05-20 CVE-2021-29688 IBM Information Exposure Through an Error Message vulnerability in IBM Security Identity Manager 6.0.2/7.0.2

IBM Security Identity Manager 7.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

5.0
2021-05-20 CVE-2021-29691 IBM Use of Hard-coded Credentials vulnerability in IBM Security Identity Manager 7.0.2

IBM Security Identity Manager 7.0.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

5.0
2021-05-20 CVE-2020-24396 HOM EE Missing Encryption of Sensitive Data vulnerability in Hom.Ee Brain Cube Core 2.28.2/2.28.4

homee Brain Cube v2 (2.28.2 and 2.28.4) devices have sensitive SSH keys within downloadable and unencrypted firmware images.

5.0
2021-05-20 CVE-2021-27434 Unified Automation Information Exposure vulnerability in Unified-Automation .Net Based OPC UA Client/Server SDK

Products with Unified Automation .NET based OPC UA Client/Server SDK Bundle: Versions V3.0.7 and prior (.NET 4.5, 4.0, and 3.5 Framework versions only) are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow.

5.0
2021-05-20 CVE-2021-3480 Slapi NIS Project
Fedoraproject
NULL Pointer Dereference vulnerability in multiple products

A flaw was found in slapi-nis in versions before 0.56.7.

5.0
2021-05-20 CVE-2021-27457 Emerson Inadequate Encryption Strength vulnerability in Emerson products

A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer.

5.0
2021-05-20 CVE-2021-27461 Emerson Path Traversal vulnerability in Emerson products

A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer.

5.0
2021-05-20 CVE-2021-27463 Emerson Information Exposure Through Persistent Cookies vulnerability in Emerson products

A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer.

5.0
2021-05-20 CVE-2021-20718 Zmartzone Resource Exhaustion vulnerability in Zmartzone MOD Auth Openidc

mod_auth_openidc 2.4.0 to 2.4.7 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vectors.

5.0
2021-05-19 CVE-2021-20529 IBM Information Exposure vulnerability in IBM Control Center 6.2.0.0

IBM Control Center 6.2.0.0 could allow a user to obtain sensitive version information that could be used in further attacks against the system.

5.0
2021-05-19 CVE-2021-25644 Couchbase Cleartext Storage of Sensitive Information vulnerability in Couchbase Server

An issue was discovered in Couchbase Server 5.x and 6.x through 6.6.1 and 7.0.0 Beta.

5.0
2021-05-19 CVE-2017-17675 BMC Information Exposure Through Log Files vulnerability in BMC Remedy Mid-Tier 9.1

BMC Remedy Mid Tier 9.1SP3 is affected by log hijacking.

5.0
2021-05-19 CVE-2021-20589 Mitsubishi Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mitsubishi products

Buffer access with incorrect length value vulnerability in GOT2000 series GT27 model communication driver versions 01.19.000 through 01.38.000, GT25 model communication driver versions 01.19.000 through 01.38.000, GT23 model communication driver versions 01.19.000 through 01.38.000 and GT21 model communication driver versions 01.21.000 through 01.39.000, GOT SIMPLE series GS21 model communication driver versions 01.21.000 through 01.39.000, GT SoftGOT2000 versions 1.170C through 1.250L and Tension Controller LE7-40GU-L Screen package data for MODBUS/TCP V1.00 allows a remote unauthenticated attacker to stop the communication function of the products via specially crafted packets.

5.0
2021-05-19 CVE-2021-21732 ZTE Incorrect Default Permissions vulnerability in ZTE Axon 11 5G Firmware

A mobile phone of ZTE is impacted by improper access control vulnerability.

5.0
2021-05-18 CVE-2002-2438 Linux Improper Authentication vulnerability in Linux Kernel

TCP firewalls could be circumvented by sending a SYN Packets with other flags (like e.g.

5.0
2021-05-18 CVE-2020-25709 Openldap
Debian
Apple
Redhat
Reachable Assertion vulnerability in multiple products

A flaw was found in OpenLDAP.

5.0
2021-05-18 CVE-2021-3531 Redhat
Fedoraproject
Improper Input Validation vulnerability in multiple products

A flaw was found in the Red Hat Ceph Storage RGW in versions before 14.2.21.

5.0
2021-05-17 CVE-2021-29023 Invoiceplane Improper Restriction of Excessive Authentication Attempts vulnerability in Invoiceplane 1.5.11

InvoicePlane 1.5.11 doesn't have any rate-limiting for password reset and the reset token is generated using a weak mechanism that is predictable.

5.0
2021-05-17 CVE-2021-29024 Invoiceplane Files or Directories Accessible to External Parties vulnerability in Invoiceplane 1.5.11

In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download.

5.0
2021-05-17 CVE-2021-24295 Cleantalk SQL Injection vulnerability in Cleantalk Spam Protection, Antispam, Firewall

It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4.

5.0
2021-05-17 CVE-2021-29747 IBM Improper Authentication vulnerability in IBM Infosphere Information Server 11.7

IBM InfoSphere Information Server 11.7 could allow a remote attacker to obtain highly sensitive information due to a vulnerability in the authentication mechanism.

5.0
2021-05-21 CVE-2020-27208 Solokeys
Nitrokey
Inadequate Encryption Strength vulnerability in multiple products

The flash read-out protection (RDP) level is not enforced during the device initialization phase of the SoloKeys Solo 4.0.0 & Somu and the Nitrokey FIDO2 token.

4.6
2021-05-20 CVE-2021-3438 HP
Samsung
Classic Buffer Overflow vulnerability in multiple products

A potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an escalation of privilege.

4.6
2021-05-18 CVE-2021-22117 Vmware Code Injection vulnerability in VMWare Rabbitmq

RabbitMQ installers on Windows prior to version 3.8.16 do not harden plugin directory permissions, potentially allowing attackers with sufficient local filesystem permissions to add arbitrary plugins.

4.6
2021-05-18 CVE-2021-3423 Bitdefender Uncontrolled Search Path Element vulnerability in Bitdefender Gravityzone Business Security

Uncontrolled Search Path Element vulnerability in the openssl component as used in Bitdefender GravityZone Business Security allows an attacker to load a third party DLL to elevate privileges.

4.6
2021-05-17 CVE-2021-3483 Linux Use After Free vulnerability in Linux Kernel

A flaw was found in the Nosy driver in the Linux kernel.

4.6
2021-05-21 CVE-2020-27212 ST Injection vulnerability in ST Stm32Cubel4 Firmware

STMicroelectronics STM32L4 devices through 2020-10-19 have incorrect access control.

4.4
2021-05-17 CVE-2021-32622 Matrix React SDK Project Unrestricted Upload of File with Dangerous Type vulnerability in Matrix-React-Sdk Project Matrix-React-Sdk

Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page.

4.4
2021-05-22 CVE-2021-1254 Cisco Cross-site Scripting vulnerability in Cisco Finesse

Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

4.3
2021-05-21 CVE-2021-33507 Plone
Zope
Cross-site Scripting vulnerability in multiple products

Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.

4.3
2021-05-21 CVE-2008-3280 Openid Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Openid

It was found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166).

4.3
2021-05-20 CVE-2021-27956 Zohocorp Cross-site Scripting vulnerability in Zohocorp Manageengine Adselfservice Plus

Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.

4.3
2021-05-20 CVE-2020-21345 Halo Cross-site Scripting vulnerability in Halo 1.1.3

Cross Site Scripting (XSS) vulnerability in Halo 1.1.3 via post publish components in the manage panel, which lets a remote malicious user execute arbitrary code.

4.3
2021-05-20 CVE-2020-21054 Fusionpbx Cross-site Scripting vulnerability in Fusionpbx 4.5.7

Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "f" variable in app\vars\vars_textarea.php.

4.3
2021-05-20 CVE-2021-32632 Pajbot Cross-Site Request Forgery (CSRF) vulnerability in Pajbot

Pajbot is a Twitch chat bot.

4.3
2021-05-20 CVE-2020-21053 Fusionpbx Cross-site Scripting vulnerability in Fusionpbx 4.5.7

Cross Site Scriptiong (XSS) vulnerability exists in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "query_string" variable in app\devices\device_imports.php.

4.3
2021-05-20 CVE-2021-29692 IBM Unspecified vulnerability in IBM Security Identity Manager 7.0.2

IBM Security Identity Manager 7.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security.

4.3
2021-05-20 CVE-2021-25930 Opennms Cross-Site Request Forgery (CSRF) vulnerability in Opennms Horizon and Meridian

In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection, and since there is no validation of an existing user name while renaming a user.

4.3
2021-05-20 CVE-2020-15522 Bouncycastle Race Condition vulnerability in Bouncycastle products

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

4.3
2021-05-20 CVE-2021-27465 Emerson Cross-site Scripting vulnerability in Emerson products

A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer.

4.3
2021-05-19 CVE-2021-29624 Fastify Reliance on Cookies without Validation and Integrity Checking vulnerability in Fastify Fastify-Csrf

fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks.

4.3
2021-05-19 CVE-2021-29625 Adminer Cross-site Scripting vulnerability in Adminer

Adminer is open-source database management software.

4.3
2021-05-19 CVE-2021-27924 Couchbase Cleartext Transmission of Sensitive Information vulnerability in Couchbase Server

An issue was discovered in Couchbase Server 6.x through 6.6.1.

4.3
2021-05-19 CVE-2021-29503 Hedgedoc Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Hedgedoc

HedgeDoc is a platform to write and share markdown.

4.3
2021-05-19 CVE-2021-31930 Concerto Signage Cross-site Scripting vulnerability in Concerto-Signage Concerto

Persistent cross-site scripting (XSS) in the web interface of Concerto through 2.3.6 allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the First Name or Last Name parameter upon registration.

4.3
2021-05-19 CVE-2017-17678 BMC Cross-site Scripting vulnerability in BMC Remedy Mid-Tier 9.1

BMC Remedy Mid Tier 9.1SP3 is affected by cross-site scripting (XSS).

4.3
2021-05-19 CVE-2021-3421 RPM
Redhat
Fedoraproject
Improper Verification of Cryptographic Signature vulnerability in multiple products

A flaw was found in the RPM package in the read functionality.

4.3
2021-05-18 CVE-2021-31315 Telegram Out-of-bounds Write vulnerability in Telegram

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Stack Based Overflow in the blit function of their custom fork of the rlottie library.

4.3
2021-05-18 CVE-2021-31317 Telegram Type Confusion vulnerability in Telegram

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Type Confusion in the VDasher constructor of their custom fork of the rlottie library.

4.3
2021-05-18 CVE-2021-31318 Telegram Type Confusion vulnerability in Telegram

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Type Confusion in the LOTCompLayerItem::LOTCompLayerItem function of their custom fork of the rlottie library.

4.3
2021-05-18 CVE-2021-31319 Telegram Integer Overflow or Wraparound vulnerability in Telegram

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by an Integer Overflow in the LOTGradient::populate function of their custom fork of the rlottie library.

4.3
2021-05-18 CVE-2021-31322 Telegram Out-of-bounds Write vulnerability in Telegram

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Heap Buffer Overflow in the LOTGradient::populate function of their custom fork of the rlottie library.

4.3
2021-05-18 CVE-2021-31323 Telegram Out-of-bounds Write vulnerability in Telegram

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Heap Buffer Overflow in the LottieParserImpl::parseDashProperty function of their custom fork of the rlottie library.

4.3
2021-05-18 CVE-2021-3200 Opensuse Classic Buffer Overflow vulnerability in Opensuse Libsolv

Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service

4.3
2021-05-18 CVE-2020-23861 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10.1

A heap-based buffer overflow vulnerability exists in LibreDWG 0.10.1 via the read_system_page function at libredwg-0.10.1/src/decode_r2007.c:666:5, which causes a denial of service by submitting a dwg file.

4.3
2021-05-18 CVE-2020-24740 Pluck CMS Cross-Site Request Forgery (CSRF) vulnerability in Pluck-Cms Pluck 4.7.10

An issue was discovered in Pluck 4.7.10-dev2.

4.3
2021-05-18 CVE-2020-23851 Ffjpeg Project Out-of-bounds Write vulnerability in Ffjpeg Project Ffjpeg

A stack-based buffer overflow vulnerability exists in ffjpeg through 2020-07-02 in the jfif_decode(void *ctxt, BMP *pb) function at ffjpeg/src/jfif.c:513:28, which could cause a denial of service by submitting a malicious jpeg image.

4.3
2021-05-18 CVE-2020-23852 Ffjpeg Project Out-of-bounds Write vulnerability in Ffjpeg Project Ffjpeg

A heap based buffer overflow vulnerability exists in ffjpeg through 2020-07-02 in the jfif_decode(void *ctxt, BMP *pb) function at ffjpeg/src/jfif.c (line 544 & line 545), which could cause a denial of service by submitting a malicious jpeg image.

4.3
2021-05-18 CVE-2020-24026 Tinyshop Project Cross-site Scripting vulnerability in Tinyshop Project Tinyshop 1.2.0

TinyShop, a free and open source mall based on RageFrame2, has a stored XSS vulnerability that affects version 1.2.0.

4.3
2021-05-17 CVE-2020-18194 Emlog Cross-site Scripting vulnerability in Emlog 6.0.0

Cross Site Scripting (XSS) in emlog v6.0.0 allows remote attackers to execute arbitrary code by adding a crafted script as a link to a new blog post.

4.3
2021-05-17 CVE-2020-21834 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.10

A null pointer deference issue exists in GNU LibreDWG 0.10 via get_bmp ../../programs/dwgbmp.c:164.

4.3
2021-05-17 CVE-2020-21835 GNU NULL Pointer Dereference vulnerability in GNU Libredwg 0.10

A null pointer deference issue exists in GNU LibreDWG 0.10 via read_2004_compressed_section ../../src/decode.c:2337.

4.3
2021-05-17 CVE-2020-21839 GNU Improper Resource Shutdown or Release vulnerability in GNU Libredwg 0.10

An issue was discovered in GNU LibreDWG 0.10.

4.3
2021-05-17 CVE-2020-21815 GNU NULL Pointer Dereference vulnerability in GNU Libredwg 0.10.2641

A null pointer deference issue exists in GNU LibreDWG 0.10.2641 via output_TEXT ../../programs/dwg2SVG.c:114, which causes a denial of service (application crash).

4.3
2021-05-17 CVE-2020-21817 GNU NULL Pointer Dereference vulnerability in GNU Libredwg 0.10.2641

A null pointer dereference issue exists in GNU LibreDWG 0.10.2641 via htmlescape ../../programs/escape.c:29.

4.3
2021-05-17 CVE-2020-29205 Projectworlds Cross-site Scripting vulnerability in Projectworlds Travel Management System 1.0

XSS in signup form in Project Worlds Online Examination System 1.0 allows remote attacker to inject arbitrary code via the name field

4.3
2021-05-17 CVE-2021-32617 Exiv2 Resource Exhaustion vulnerability in Exiv2

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files.

4.3
2021-05-17 CVE-2020-13667 Drupal Incorrect Default Permissions vulnerability in Drupal

Access bypass vulnerability in of Drupal Core Workspaces allows an attacker to access data without correct permissions.

4.3
2021-05-17 CVE-2021-24290 DE Baat Cross-site Scripting vulnerability in De-Baat Store Locator Plus

There are several endpoints in the Store Locator Plus for WordPress plugin through 5.5.15 that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages.

4.3
2021-05-17 CVE-2021-24299 Catzsoft Cross-site Scripting vulnerability in Catzsoft Redi Restaurant Reservation

The ReDi Restaurant Reservation WordPress plugin before 21.0426 provides the functionality to let users make restaurant reservations.

4.3
2021-05-17 CVE-2021-24324 Clogica Cross-Site Request Forgery (CSRF) vulnerability in Clogica ALL 404 Redirect TO Homepage

The 404 SEO Redirection WordPress plugin through 1.3 is lacking CSRF checks in all its settings, allowing attackers to make a logged in user change the plugin's settings.

4.3
2021-05-17 CVE-2021-24325 Clogica Cross-site Scripting vulnerability in Clogica SEO Redirection Plugin 1.3

The tab parameter of the settings page of the 404 SEO Redirection WordPress plugin through 1.3 is vulnerable to a reflected Cross-Site Scripting (XSS) issue as user input is not properly sanitised or escaped before being output in an attribute.

4.3
2021-05-17 CVE-2021-33041 VMD Project Cross-site Scripting vulnerability in VMD Project VMD

vmd through 1.34.0 allows 'div class="markdown-body"' XSS, as demonstrated by Electron remote code execution via require('child_process').execSync('calc.exe') on Windows and a similar attack on macOS.

4.3
2021-05-17 CVE-2021-3524 Redhat
Fedoraproject
Debian
Improper Input Validation vulnerability in multiple products

A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21.

4.3
2021-05-17 CVE-2019-14827 Moodle Code Injection vulnerability in Moodle

A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates via recursive rendering from contexts.

4.3
2021-05-17 CVE-2021-27342 Dlink Information Exposure Through Discrepancy vulnerability in Dlink Dir-842E Firmware

An authentication brute-force protection mechanism bypass in telnetd in D-Link Router model DIR-842 firmware version 3.0.2 allows a remote attacker to circumvent the anti-brute-force cool-down delay period via a timing-based side-channel attack

4.3
2021-05-17 CVE-2007-5967 Mozilla Improper Certificate Validation vulnerability in Mozilla Firefox

A flaw in Mozilla's embedded certificate code might allow web sites to install root certificates on devices without user approval.

4.3
2021-05-17 CVE-2021-29048 Liferay Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal

Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter.

4.3
2021-05-17 CVE-2021-29051 Liferay Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal

Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter.

4.3
2021-05-17 CVE-2021-29043 Liferay Information Exposure vulnerability in Liferay DXP 7.0

The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing.

4.3
2021-05-17 CVE-2021-29044 Liferay Cross-site Scripting vulnerability in Liferay DXP 7.0

Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter.

4.3
2021-05-17 CVE-2021-29045 Liferay Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal

Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_redirect_web_internal_portlet_RedirectPortlet_destinationURL parameter.

4.3
2021-05-17 CVE-2021-29046 Liferay Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal

Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title parameter.

4.3
2021-05-21 CVE-2021-33510 Plone Server-Side Request Forgery (SSRF) vulnerability in Plone

Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file.

4.0
2021-05-20 CVE-2021-23386 DNS Packet Project Information Exposure vulnerability in Dns-Packet Project Dns-Packet

This affects the package dns-packet before 5.2.2.

4.0
2021-05-20 CVE-2020-21055 Fusionpbx Path Traversal vulnerability in Fusionpbx 4.5.7

A Directory Traversal vulnerability exists in FusionPBX 4.5.7 allows malicoius users to rename any file of the system.via the (1) folder, (2) filename, and (3) newfilename variables in app\edit\filerename.php.

4.0
2021-05-20 CVE-2020-21056 Fusionpbx Path Traversal vulnerability in Fusionpbx 4.5.7

Directory Traversal vulnerability exists in FusionPBX 4.5.7, which allows a remote malicious user to create folders via the folder variale to app\edit\foldernew.php.

4.0
2021-05-20 CVE-2021-29683 IBM Cleartext Storage of Sensitive Information vulnerability in IBM Security Identity Manager 7.0.2

IBM Security Identity Manager 7.0.2 stores user credentials in plain clear text which can be read by an authenticated user.

4.0
2021-05-20 CVE-2021-29659 Owncloud Incorrect Authorization vulnerability in Owncloud 10.7.0

ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure.

4.0
2021-05-19 CVE-2020-4646 IBM Incorrect Authorization vulnerability in IBM Sterling B2B Integrator

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5, 6.0.0.0 through 6.0.3.3, and 6.1.0.0 through 6.1.0.2 could allow an authenticated user to view pages they shoiuld not have access to due to improper authorization control.

4.0
2021-05-19 CVE-2021-31158 Couchbase Incorrect Authorization vulnerability in Couchbase Server

In the Query Engine in Couchbase Server 6.5.x and 6.6.x through 6.6.1, Common Table Expression queries were not correctly checking the user's permissions, allowing read-access to resources beyond what those users were explicitly allowed to access.

4.0
2021-05-19 CVE-2020-20264 Mikrotik Divide By Zero vulnerability in Mikrotik Routeros

Mikrotik RouterOs before 6.47 (stable tree) in the /ram/pckg/advanced-tools/nova/bin/netwatch process.

4.0
2021-05-19 CVE-2020-20266 Mikrotik NULL Pointer Dereference vulnerability in Mikrotik Routeros

Mikrotik RouterOs before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/dot1x process.

4.0
2021-05-19 CVE-2021-21733 ZTE Information Exposure vulnerability in ZTE Zxcdn

The management system of ZXCDN is impacted by the information leak vulnerability.

4.0
2021-05-18 CVE-2020-20220 Mikrotik Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mikrotik Routeros

Mikrotik RouterOs prior to stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/bfd process.

4.0
2021-05-18 CVE-2020-20227 Mikrotik Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mikrotik Routeros 6.47

Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process.

4.0
2021-05-18 CVE-2020-20245 Mikrotik Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mikrotik Routeros 6.46.3

Mikrotik RouterOs stable 6.46.3 suffers from a memory corruption vulnerability in the log process.

4.0
2021-05-18 CVE-2020-20246 Mikrotik Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mikrotik Routeros 6.46.3

Mikrotik RouterOs stable 6.46.3 suffers from a memory corruption vulnerability in the mactel process.

4.0
2021-05-18 CVE-2020-20214 Mikrotik Reachable Assertion vulnerability in Mikrotik Routeros 6.44.6

Mikrotik RouterOs 6.44.6 (long-term tree) suffers from an assertion failure vulnerability in the btest process.

4.0
2021-05-18 CVE-2020-20222 Mikrotik NULL Pointer Dereference vulnerability in Mikrotik Routeros 6.44.6

Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/sniffer process.

4.0
2021-05-18 CVE-2020-20236 Mikrotik Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mikrotik Routeros 6.46.3

Mikrotik RouterOs 6.46.3 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/sniffer process.

4.0
2021-05-18 CVE-2020-20237 Mikrotik Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mikrotik Routeros 6.46.3

Mikrotik RouterOs 6.46.3 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/sniffer process.

4.0
2021-05-18 CVE-2020-20253 Mikrotik Divide By Zero vulnerability in Mikrotik Routeros

Mikrotik RouterOs before 6.47 (stable tree) suffers from a divison by zero vulnerability in the /nova/bin/lcdstat process.

4.0
2021-05-18 CVE-2020-20254 Mikrotik NULL Pointer Dereference vulnerability in Mikrotik Routeros

Mikrotik RouterOs before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/lcdstat process.

4.0
2021-05-17 CVE-2021-29052 Liferay Incorrect Default Permissions vulnerability in Liferay DXP and Liferay Portal

The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls.

4.0

30 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-05-22 CVE-2021-1306 Cisco Externally Controlled Reference to a Resource in Another Sphere vulnerability in Cisco products

A vulnerability in the restricted shell of Cisco Evolved Programmable Network (EPN) Manager, Cisco Identity Services Engine (ISE), and Cisco Prime Infrastructure could allow an authenticated, local attacker to identify directories and write arbitrary files to the file system.

3.6
2021-05-21 CVE-2021-29414 ST Injection vulnerability in ST Stm32Cubel4 Firmware

STMicroelectronics STM32L4 devices through 2021-03-29 have incorrect physical access control.

3.6
2021-05-21 CVE-2021-33508 Plone Cross-site Scripting vulnerability in Plone

Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item.

3.5
2021-05-21 CVE-2021-33512 Plone Cross-site Scripting vulnerability in Plone

Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document.

3.5
2021-05-21 CVE-2021-33513 Plone Cross-site Scripting vulnerability in Plone

Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool.

3.5
2021-05-20 CVE-2021-22339 Huawei Insufficient Verification of Data Authenticity vulnerability in Huawei Manageone

There is a denial of service vulnerability in some versions of ManageOne.

3.5
2021-05-20 CVE-2021-22409 Huawei Improper Handling of Exceptional Conditions vulnerability in Huawei Manageone

There is a denial of service vulnerability in some versions of ManageOne.

3.5
2021-05-20 CVE-2021-3313 Plone Cross-site Scripting vulnerability in Plone

Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality.

3.5
2021-05-20 CVE-2021-25929 Opennms Cross-site Scripting vulnerability in Opennms Horizon and Meridian

In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting since there is no validation on the input being sent to the `name` parameter in `noticeWizard` endpoint.

3.5
2021-05-20 CVE-2021-25933 Opennms Cross-site Scripting vulnerability in Opennms Horizon and Meridian

In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `groupName` and `groupComment` parameters.

3.5
2021-05-20 CVE-2021-3536 Redhat Cross-site Scripting vulnerability in Redhat products

A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS.

3.5
2021-05-19 CVE-2021-20374 IBM Cross-site Scripting vulnerability in IBM Maximo Asset Management 7.6.0/7.6.1

IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to stored cross-site scripting.

3.5
2021-05-19 CVE-2021-20528 IBM Cross-site Scripting vulnerability in IBM Control Center 6.2.0.0

IBM Control Center 6.2.0.0 is vulnerable to cross-site scripting.

3.5
2021-05-19 CVE-2021-27925 Couchbase Cleartext Transmission of Sensitive Information vulnerability in Couchbase Server

An issue was discovered in Couchbase Server 6.5.x and 6.6.x through 6.6.1.

3.5
2021-05-18 CVE-2020-19924 Issuehunt Cross-site Scripting vulnerability in Issuehunt Boostnote 0.12.1

In Boostnote 0.12.1, exporting to PDF contains opportunities for XSS attacks.

3.5
2021-05-17 CVE-2020-24992 Cmswing Cross-site Scripting vulnerability in Cmswing 1.3.7

There is a cross site scripting vulnerability on CmsWing 1.3.7.

3.5
2021-05-17 CVE-2020-24993 Cmswing Cross-site Scripting vulnerability in Cmswing 1.3.7

There is a cross site scripting vulnerability on CmsWing 1.3.7.

3.5
2021-05-17 CVE-2021-24292 Wedevs Cross-site Scripting vulnerability in Wedevs Happy Addons for Elementor

The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting(XSS) by lower-privileged users such as contributors, all via a similar method: The “Card” widget accepts a “title_tag” parameter.

3.5
2021-05-17 CVE-2021-24315 Givewp Cross-site Scripting vulnerability in Givewp Give

The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.4 did not sanitise or escape the Background Image field of its Stripe Checkout Setting and Logo field in its Email settings, leading to authenticated (admin+) Stored XSS issues.

3.5
2021-05-17 CVE-2021-24323 Woocommerce Cross-site Scripting vulnerability in Woocommerce

When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled

3.5
2021-05-17 CVE-2021-24326 Clogica Cross-site Scripting vulnerability in Clogica ALL 404 Redirect TO Homepage

The tab parameter of the settings page of the All 404 Redirect to Homepage WordPress plugin before 1.21 was vulnerable to an authenticated reflected Cross-Site Scripting (XSS) issue as user input was not properly sanitised before being output in an attribute.

3.5
2021-05-17 CVE-2021-24327 Clogica Cross-site Scripting vulnerability in Clogica SEO Redirection Plugin

The SEO Redirection Plugin – 301 Redirect Manager WordPress plugin before 6.4 did not sanitise the Redirect From and Redirect To fields when creating a new redirect in the dashboard, allowing high privilege users (even with the unfiltered_html disabled) to set XSS payloads

3.5
2021-05-21 CVE-2020-27211 Nordicsemi Injection vulnerability in Nordicsemi Nrf52840 Firmware

Nordic Semiconductor nRF52840 devices through 2020-10-19 have improper protection against physical side channels.

3.3
2021-05-17 CVE-2021-32456 Sitel SA Cleartext Transmission of Sensitive Information vulnerability in Sitel-Sa Remote Cap/Prx Firmware 5.2.01

SITEL CAP/PRX firmware version 5.2.01 allows an attacker with access to the local network of the device to obtain the authentication passwords by analysing the network traffic.

3.3
2021-05-20 CVE-2021-3426 Python
Fedoraproject
Debian
Redhat
Information Exposure vulnerability in multiple products

There's a flaw in Python 3's pydoc.

2.7
2021-05-21 CVE-2021-29415 Nordicsemi Unspecified vulnerability in Nordicsemi Nrf52840 Firmware

The elliptic curve cryptography (ECC) hardware accelerator, part of the ARM® TrustZone® CryptoCell 310, contained in the NordicSemiconductor nRF52840 through 2021-03-29 has a non-constant time ECDSA implemenation.

2.1
2021-05-19 CVE-2020-4765 IBM Insecure Storage of Sensitive Information vulnerability in IBM Cloud PAK for Multicloud Management

IBM Cloud Pak for Multicloud Management prior to 2.3 allows web pages to be stored locally which can be read by another user on the system.

2.1
2021-05-18 CVE-2020-23856 GNU Use After Free vulnerability in GNU Cflow 1.6

Use-after-Free vulnerability in cflow 1.6 in the void call(char *name, int line) function at src/parser.c, which could cause a denial of service via the pointer variable caller->callee.

2.1
2021-05-18 CVE-2020-15279 Bitdefender Incorrect Authorization vulnerability in Bitdefender Endpoint Security Tools 6.6.18.261

An Improper Access Control vulnerability in the logging component of Bitdefender Endpoint Security Tools for Windows versions prior to 6.6.23.320 allows a regular user to learn the scanning exclusion paths.

2.1
2021-05-17 CVE-2021-32453 Sitel SA Information Exposure vulnerability in Sitel-Sa Cap/Prx Firmware 5.2.01

SITEL CAP/PRX firmware version 5.2.01 allows an attacker with access to the local network, to access via HTTP to the internal configuration database of the device without any authentication.

2.1