Weekly Vulnerabilities Reports > May 17 to 23, 2021
Overview
266 new vulnerabilities reported during this period, including 18 critical vulnerabilities and 46 high severity vulnerabilities. This weekly summary report vulnerabilities in 616 products from 122 vendors including GNU, Redhat, Cisco, IBM, and Debian. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Command Injection", "Path Traversal", and "Cross-Site Request Forgery (CSRF)".
- 231 reported vulnerabilities are remotely exploitables.
- 2 reported vulnerabilities have public exploit available.
- 95 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 183 reported vulnerabilities are exploitable by an anonymous user.
- GNU has the most reported vulnerabilities, with 24 reported vulnerabilities.
- Redhat has the most reported critical vulnerabilities, with 9 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
18 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-05-21 | CVE-2021-33514 | Netgear | OS Command Injection vulnerability in Netgear products Certain NETGEAR devices are affected by command injection by an unauthenticated attacker via the vulnerable /sqfs/lib/libsal.so.0.0 library used by a CGI application, as demonstrated by setup.cgi?token=';$HTTP_USER_AGENT;' with an OS command in the User-Agent field. | 10.0 |
2021-05-21 | CVE-2021-31474 | Solarwinds | Deserialization of Untrusted Data vulnerability in Solarwinds Network Performance Monitor This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1. | 10.0 |
2021-05-18 | CVE-2021-32305 | Websvn | OS Command Injection vulnerability in Websvn WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter. | 10.0 |
2021-05-21 | CVE-2018-25011 | Webmproject Redhat | Out-of-bounds Write vulnerability in multiple products A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in PutLE16(). | 9.8 |
2021-05-21 | CVE-2018-25014 | Webmproject Redhat | Use of Uninitialized Resource vulnerability in multiple products A use of uninitialized value was found in libwebp in versions before 1.0.1 in ReadSymbol(). | 9.8 |
2021-05-21 | CVE-2020-36328 | Webmproject Redhat Netapp Debian Apple | Out-of-bounds Write vulnerability in multiple products A flaw was found in libwebp in versions before 1.0.1. | 9.8 |
2021-05-21 | CVE-2020-36329 | Webmproject Redhat Netapp Debian Apple | Use After Free vulnerability in multiple products A flaw was found in libwebp in versions before 1.0.1. | 9.8 |
2021-05-21 | CVE-2020-12061 | Nitrokey | Insufficiently Protected Credentials vulnerability in Nitrokey Fido U2F Firmware An issue was discovered in Nitrokey FIDO U2F firmware through 1.1. | 9.8 |
2021-05-18 | CVE-2021-31316 | Control Webpanel | SQL Injection vulnerability in Control-Webpanel Webpanel The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter. | 9.8 |
2021-05-18 | CVE-2021-31324 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution. | 9.8 |
2021-05-18 | CVE-2020-20951 | Pluck CMS | Command Injection vulnerability in Pluck-Cms Pluck 4.7.10 In Pluck-4.7.10-dev2 admin background, a remote command execution vulnerability exists when uploading files. | 9.8 |
2021-05-18 | CVE-2021-32238 | Psyonix | Out-of-bounds Write vulnerability in Psyonix Rocket League Epic Games / Psyonix Rocket League <=1.95 is affected by Buffer Overflow. | 9.3 |
2021-05-21 | CVE-2018-25009 | Webmproject Redhat | Out-of-bounds Read vulnerability in multiple products A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE16(). | 9.1 |
2021-05-21 | CVE-2018-25010 | Webmproject Redhat | Out-of-bounds Read vulnerability in multiple products A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ApplyFilter(). | 9.1 |
2021-05-21 | CVE-2018-25012 | Webmproject Redhat | Out-of-bounds Read vulnerability in multiple products A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE24(). | 9.1 |
2021-05-21 | CVE-2018-25013 | Webmproject Redhat | Out-of-bounds Read vulnerability in multiple products A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ShiftBytes(). | 9.1 |
2021-05-21 | CVE-2020-36331 | Webmproject Redhat Netapp Debian Apple | Out-of-bounds Read vulnerability in multiple products A flaw was found in libwebp in versions before 1.0.1. | 9.1 |
2021-05-21 | CVE-2021-31475 | Solarwinds | Incorrect Permission Assignment for Critical Resource vulnerability in Solarwinds Orion JOB Scheduler 2020.2.1 This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Orion Job Scheduler 2020.2.1 HF 2. | 9.0 |
46 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-05-22 | CVE-2021-1487 | Cisco | OS Command Injection vulnerability in Cisco products A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute arbitrary commands on an affected system. | 8.8 |
2021-05-22 | CVE-2021-1531 | Cisco | Argument Injection or Modification vulnerability in Cisco Modeling Labs A vulnerability in the web UI of Cisco Modeling Labs could allow an authenticated, remote attacker to execute arbitrary commands with the privileges of the web application on the underlying operating system of an affected Cisco Modeling Labs server. | 8.8 |
2021-05-21 | CVE-2021-31439 | Synology Debian Netatalk | Out-of-bounds Write vulnerability in multiple products This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. | 8.8 |
2021-05-20 | CVE-2021-33477 | Eterm Project Mrxvt Project Rxvt Project Rxvt Unicode Project Fedoraproject Debian | Improper Handling of Exceptional Conditions vulnerability in multiple products rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). | 8.8 |
2021-05-18 | CVE-2021-3518 | Xmlsoft Debian Redhat Fedoraproject Netapp Oracle | Use After Free vulnerability in multiple products There's a flaw in libxml2 in versions before 2.9.11. | 8.8 |
2021-05-19 | CVE-2021-3517 | Xmlsoft Redhat Fedoraproject Debian Netapp Oracle | Out-of-bounds Write vulnerability in multiple products There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. | 8.6 |
2021-05-21 | CVE-2021-33509 | Plone | Incorrect Permission Assignment for Critical Resource vulnerability in Plone Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script. | 8.5 |
2021-05-18 | CVE-2021-22117 | Vmware | Incorrect Permission Assignment for Critical Resource vulnerability in VMWare Rabbitmq RabbitMQ installers on Windows prior to version 3.8.16 do not harden plugin directory permissions, potentially allowing attackers with sufficient local filesystem permissions to add arbitrary plugins. | 7.8 |
2021-05-17 | CVE-2020-21827 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10 A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_compressed_section ../../src/decode.c:2379. | 7.8 |
2021-05-20 | CVE-2021-20719 | Nippon Antenna | OS Command Injection vulnerability in Nippon-Antenna Rfntps Firmware RFNTPS firmware versions System_01000004 and earlier, and Web_01000004 and earlier allow an attacker on the same network segment to execute arbitrary OS commands with a root privilege via unspecified vectors. | 7.7 |
2021-05-21 | CVE-2020-36332 | Webmproject Redhat Debian Netapp | Resource Exhaustion vulnerability in multiple products A flaw was found in libwebp in versions before 1.0.1. | 7.5 |
2021-05-21 | CVE-2021-28798 | Qnap | Path Traversal vulnerability in Qnap QTS and Quts Hero A relative path traversal vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. | 7.5 |
2021-05-20 | CVE-2020-24396 | HOM EE | Insufficiently Protected Credentials vulnerability in Hom.Ee Brain Cube Core 2.28.2/2.28.4 homee Brain Cube v2 (2.28.2 and 2.28.4) devices have sensitive SSH keys within downloadable and unencrypted firmware images. | 7.5 |
2021-05-20 | CVE-2021-27434 | Unified Automation | Uncontrolled Recursion vulnerability in Unified-Automation .Net Based OPC UA Client/Server SDK 3.0.7 Products with Unified Automation .NET based OPC UA Client/Server SDK Bundle: Versions V3.0.7 and prior (.NET 4.5, 4.0, and 3.5 Framework versions only) are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow. | 7.5 |
2021-05-20 | CVE-2021-3480 | Slapi NIS Project Fedoraproject | NULL Pointer Dereference vulnerability in multiple products A flaw was found in slapi-nis in versions before 0.56.7. | 7.5 |
2021-05-20 | CVE-2021-27459 | Emerson | Unrestricted Upload of File with Dangerous Type vulnerability in Emerson products A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. | 7.5 |
2021-05-20 | CVE-2021-20718 | Openidc Fedoraproject Oracle | Resource Exhaustion vulnerability in multiple products mod_auth_openidc 2.4.0 to 2.4.7 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vectors. | 7.5 |
2021-05-20 | CVE-2021-20720 | Kujirahand | SQL Injection vulnerability in Kujirahand Konawiki SQL injection vulnerability in the KonaWiki2 versions prior to 2.2.4 allows remote attackers to execute arbitrary SQL commands and to obtain/alter the information stored in the database via unspecified vectors. | 7.5 |
2021-05-20 | CVE-2021-20721 | Kujirahand | Unrestricted Upload of File with Dangerous Type vulnerability in Kujirahand Konawiki KonaWiki2 versions prior to 2.2.4 allows a remote attacker to upload arbitrary files via unspecified vectors. | 7.5 |
2021-05-19 | CVE-2021-33204 | Pgxn | Command Injection vulnerability in Pgxn PG Partman In the pg_partman (aka PG Partition Manager) extension before 4.5.1 for PostgreSQL, arbitrary code execution can be achieved via SECURITY DEFINER functions because an explicit search_path is not set. | 7.5 |
2021-05-19 | CVE-2017-17674 | BMC | Server-Side Request Forgery (SSRF) vulnerability in BMC Remedy Mid-Tier 9.1 BMC Remedy Mid Tier 9.1SP3 is affected by remote and local file inclusion. | 7.5 |
2021-05-19 | CVE-2021-3445 | RPM Fedoraproject Redhat | Improper Verification of Cryptographic Signature vulnerability in multiple products A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. | 7.5 |
2021-05-19 | CVE-2021-20589 | Mitsubishi | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mitsubishi products Buffer access with incorrect length value vulnerability in GOT2000 series GT27 model communication driver versions 01.19.000 through 01.38.000, GT25 model communication driver versions 01.19.000 through 01.38.000, GT23 model communication driver versions 01.19.000 through 01.38.000 and GT21 model communication driver versions 01.21.000 through 01.39.000, GOT SIMPLE series GS21 model communication driver versions 01.21.000 through 01.39.000, GT SoftGOT2000 versions 1.170C through 1.250L and Tension Controller LE7-40GU-L Screen package data for MODBUS/TCP V1.00 allows a remote unauthenticated attacker to stop the communication function of the products via specially crafted packets. | 7.5 |
2021-05-18 | CVE-2020-18178 | Hongcms Project | Path Traversal vulnerability in Hongcms Project Hongcms 4.0.0 Path Traversal in HongCMS v4.0.0 allows remote attackers to view, edit, and delete arbitrary files via a crafted POST request to the component "/hcms/admin/index.php/language/ajax." | 7.5 |
2021-05-18 | CVE-2002-2438 | Linux | Improper Authentication vulnerability in Linux Kernel TCP firewalls could be circumvented by sending a SYN Packets with other flags (like e.g. | 7.5 |
2021-05-18 | CVE-2020-25709 | Openldap Debian Apple Redhat | Reachable Assertion vulnerability in multiple products A flaw was found in OpenLDAP. | 7.5 |
2021-05-17 | CVE-2021-29024 | Invoiceplane | Files or Directories Accessible to External Parties vulnerability in Invoiceplane 1.5.11 In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download. | 7.5 |
2021-05-17 | CVE-2021-24314 | Boostifythemes | SQL Injection vulnerability in Boostifythemes Goto 2.0 The Goto WordPress theme before 2.1 did not sanitise, validate of escape the keywords GET parameter from its listing page before using it in a SQL statement, leading to an Unauthenticated SQL injection issue | 7.5 |
2021-05-17 | CVE-2021-27734 | Belden | Improper Authentication vulnerability in Belden Hirschmann Hios and Hisecos Hirschmann HiOS 07.1.01, 07.1.02, and 08.1.00 through 08.5.xx and HiSecOS 03.3.00 through 03.5.01 allow remote attackers to change the credentials of existing users. | 7.5 |
2021-05-22 | CVE-2021-1547 | Cisco | Command Injection vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. | 7.2 |
2021-05-22 | CVE-2021-1548 | Cisco | Command Injection vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. | 7.2 |
2021-05-22 | CVE-2021-1549 | Cisco | Command Injection vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. | 7.2 |
2021-05-22 | CVE-2021-1550 | Cisco | Command Injection vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. | 7.2 |
2021-05-22 | CVE-2021-1551 | Cisco | Command Injection vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. | 7.2 |
2021-05-22 | CVE-2021-1552 | Cisco | Command Injection vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. | 7.2 |
2021-05-22 | CVE-2021-1553 | Cisco | Command Injection vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. | 7.2 |
2021-05-22 | CVE-2021-1554 | Cisco | Command Injection vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. | 7.2 |
2021-05-22 | CVE-2021-1555 | Cisco | Command Injection vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. | 7.2 |
2021-05-22 | CVE-2021-1559 | Cisco | OS Command Injection vulnerability in Cisco DNA Spaces: Connector 2.0 Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, remote attacker to perform a command injection attack on an affected device. | 7.2 |
2021-05-22 | CVE-2021-1560 | Cisco | Command Injection vulnerability in Cisco DNA Spaces: Connector 2.0 Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, remote attacker to perform a command injection attack on an affected device. | 7.2 |
2021-05-21 | CVE-2021-21552 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 2019 Dell Wyse Windows Embedded System versions WIE10 LTSC 2019 and earlier contain an improper authorization vulnerability. | 7.2 |
2021-05-20 | CVE-2020-24395 | HOM EE | Insufficient Verification of Data Authenticity vulnerability in Hom.Ee Brain Cube Core 2.28.2/2.28.4 The USB firmware update script of homee Brain Cube v2 (2.28.2 and 2.28.4) devices allows an attacker with physical access to install compromised firmware. | 7.2 |
2021-05-17 | CVE-2021-25264 | Sophos | Unspecified vulnerability in Sophos Home and Intercept X In multiple versions of Sophos Endpoint products for MacOS, a local attacker could execute arbitrary code with administrator privileges. | 7.2 |
2021-05-17 | CVE-2021-31727 | Malwarefox | Unspecified vulnerability in Malwarefox Antimalware 2.74.0.150 Incorrect access control in zam64.sys, zam32.sys in MalwareFox AntiMalware 2.74.0.150 where IOCTL's 0x80002014, 0x80002018 expose unrestricted disk read/write capabilities respectively. | 7.2 |
2021-05-17 | CVE-2021-31728 | Malwarefox | Unspecified vulnerability in Malwarefox Antimalware 2.74.0.150 Incorrect access control in zam64.sys, zam32.sys in MalwareFox AntiMalware 2.74.0.150 allows a non-privileged process to open a handle to \.\ZemanaAntiMalware, register itself with the driver by sending IOCTL 0x80002010, allocate executable memory using a flaw in IOCTL 0x80002040, install a hook with IOCTL 0x80002044 and execute the executable memory using this hook with IOCTL 0x80002014 or 0x80002018, this exposes ring 0 code execution in the context of the driver allowing the non-privileged process to elevate privileges. | 7.2 |
2021-05-21 | CVE-2021-31440 | Linux Netapp | Incorrect Calculation vulnerability in multiple products This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. | 7.0 |
178 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-05-17 | CVE-2020-24755 | UI | Uncontrolled Search Path Element vulnerability in UI Unifi Video 3.10.13 In Ubiquiti UniFi Video v3.10.13, when the executable starts, its first library validation is in the current directory. | 6.9 |
2021-05-21 | CVE-2021-21549 | Dell | Cross-Site Request Forgery (CSRF) vulnerability in Dell Xtremio Management Server 6.3.0 Dell EMC XtremIO Versions prior to 6.3.3-8, contain a Cross-Site Request Forgery Vulnerability in XMS. | 6.8 |
2021-05-21 | CVE-2021-31473 | Foxitsoftware | Out-of-bounds Write vulnerability in Foxitsoftware Phantompdf This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.3.37598. | 6.8 |
2021-05-20 | CVE-2021-25931 | Opennms | Cross-Site Request Forgery (CSRF) vulnerability in Opennms Horizon and Meridian In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection at `/opennms/admin/userGroupView/users/updateUser`. | 6.8 |
2021-05-18 | CVE-2021-30145 | MPV | Use of Externally-Controlled Format String vulnerability in MPV A format string vulnerability in mpv through 0.33.0 allows user-assisted remote attackers to achieve code execution via a crafted m3u playlist file. | 6.8 |
2021-05-17 | CVE-2020-18195 | Pluck CMS | Cross-Site Request Forgery (CSRF) vulnerability in Pluck-Cms Pluck 4.7.9 Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page." | 6.8 |
2021-05-17 | CVE-2020-18198 | Pluck CMS | Cross-Site Request Forgery (CSRF) vulnerability in Pluck-Cms Pluck 4.7.9 Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images." | 6.8 |
2021-05-17 | CVE-2020-21831 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10 A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_handles ../../src/decode.c:2637. | 6.8 |
2021-05-17 | CVE-2020-21842 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10 A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_revhistory ../../src/decode.c:3051. | 6.8 |
2021-05-17 | CVE-2020-21843 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10 A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_read_RC ../../src/bits.c:318. | 6.8 |
2021-05-17 | CVE-2020-21844 | GNU | Unspecified vulnerability in GNU Libredwg 0.10 GNU LibreDWG 0.10 is affected by: memcpy-param-overlap. | 6.8 |
2021-05-17 | CVE-2020-21830 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10 A heap based buffer overflow vulneraibility exists in GNU LibreDWG 0.10 via bit_calc_CRC ../../src/bits.c:2213. | 6.8 |
2021-05-17 | CVE-2020-21832 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10 A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_compressed_section ../../src/decode.c:2417. | 6.8 |
2021-05-17 | CVE-2020-21833 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10 A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via: read_2004_section_classes ../../src/decode.c:2440. | 6.8 |
2021-05-17 | CVE-2020-21836 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10 A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_preview ../../src/decode.c:3175. | 6.8 |
2021-05-17 | CVE-2020-21838 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10 A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via: read_2004_section_appinfo ../../src/decode.c:2842. | 6.8 |
2021-05-17 | CVE-2020-21840 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10 A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_search_sentinel ../../src/bits.c:1985. | 6.8 |
2021-05-17 | CVE-2020-21841 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10 A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_read_B ../../src/bits.c:135. | 6.8 |
2021-05-17 | CVE-2020-21814 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10.2641 A heap based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via htmlwescape ../../programs/escape.c:97. | 6.8 |
2021-05-17 | CVE-2020-21816 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10.2641 A heab based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via htmlescape ../../programs/escape.c:46. | 6.8 |
2021-05-17 | CVE-2020-21818 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10.2641 A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10.2641 via htmlescape ../../programs/escape.c:48. | 6.8 |
2021-05-17 | CVE-2020-21819 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10.2641 A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10.2641via htmlescape ../../programs/escape.c:51. | 6.8 |
2021-05-17 | CVE-2020-21813 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10.2641 A heap based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via output_TEXT ../../programs/dwg2SVG.c:114. | 6.8 |
2021-05-17 | CVE-2021-32402 | Intelbras | Cross-Site Request Forgery (CSRF) vulnerability in Intelbras RF 301K Firmware 1.1.2 Intelbras Router RF 301K Firmware 1.1.2 is vulnerable to Cross Site Request Forgery (CSRF) due to lack of validation and insecure configurations in inputs and modules. | 6.8 |
2021-05-17 | CVE-2021-32403 | Intelbras | Cross-Site Request Forgery (CSRF) vulnerability in Intelbras RF 301K Firmware 1.1.2 Intelbras Router RF 301K Firmware 1.1.2 is vulnerable to Cross Site Request Forgery (CSRF) due to lack of security mechanisms for token protection and unsafe inputs and modules. | 6.8 |
2021-05-22 | CVE-2021-1557 | Cisco | OS Command Injection vulnerability in Cisco DNA Spaces: Connector Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. | 6.7 |
2021-05-22 | CVE-2021-1558 | Cisco | OS Command Injection vulnerability in Cisco DNA Spaces: Connector Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. | 6.7 |
2021-05-21 | CVE-2020-23765 | Bludit | Unrestricted Upload of File with Dangerous Type vulnerability in Bludit 3.12.0 A file upload vulnerability was discovered in the file path /bl-plugins/backup/plugin.php on Bludit version 3.12.0. | 6.5 |
2021-05-21 | CVE-2021-27811 | Qibosoft | Code Injection vulnerability in Qibosoft 1.0 A code injection vulnerability has been discovered in the Upgrade function of QibosoftX1 v1.0. | 6.5 |
2021-05-21 | CVE-2021-32634 | NSA | Deserialization of Untrusted Data vulnerability in NSA Emissary 6.4.0 Emissary is a distributed, peer-to-peer, data-driven workflow framework. | 6.5 |
2021-05-21 | CVE-2021-32633 | Plone Zope | Path Traversal vulnerability in multiple products Zope is an open-source web application server. | 6.5 |
2021-05-20 | CVE-2021-32630 | Admidio | Unrestricted Upload of File with Dangerous Type vulnerability in Admidio Admidio is a free, open source user management system for websites of organizations and groups. | 6.5 |
2021-05-20 | CVE-2021-29686 | IBM | Unspecified vulnerability in IBM Security Identity Manager 7.0.2 IBM Security Identity Manager 7.0.2 could allow an authenticated user to bypass security and perform actions that they should not have access to. | 6.5 |
2021-05-20 | CVE-2021-28111 | Draeger | Use of Hard-coded Credentials vulnerability in Draeger X-Dock Firmware Draeger X-Dock Firmware before 03.00.13 has Hard-Coded Credentials, leading to remote code execution by an authenticated attacker. | 6.5 |
2021-05-20 | CVE-2021-28112 | Draeger | Unspecified vulnerability in Draeger X-Dock Firmware Draeger X-Dock Firmware before 03.00.13 has Active Debug Code on a debug port, leading to remote code execution by an authenticated attacker. | 6.5 |
2021-05-19 | CVE-2021-29624 | Fastify | Cross-Site Request Forgery (CSRF) vulnerability in Fastify Fastify-Csrf fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. | 6.5 |
2021-05-19 | CVE-2017-17677 | BMC | Incorrect Permission Assignment for Critical Resource vulnerability in BMC Remedy Mid-Tier 9.1 BMC Remedy 9.1SP3 is affected by authenticated code execution. | 6.5 |
2021-05-18 | CVE-2021-31827 | Progress | SQL Injection vulnerability in Progress Moveit Transfer In Progress MOVEit Transfer before 2021.0 (13.0), a SQL injection vulnerability has been found in the MOVEit Transfer web app that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer's database. | 6.5 |
2021-05-17 | CVE-2020-21839 | GNU | Memory Leak vulnerability in GNU Libredwg 0.10 An issue was discovered in GNU LibreDWG 0.10. | 6.5 |
2021-05-17 | CVE-2021-32456 | Sitel SA | Cleartext Transmission of Sensitive Information vulnerability in Sitel-Sa Remote Cap/Prx Firmware 5.2.01 SITEL CAP/PRX firmware version 5.2.01 allows an attacker with access to the local network of the device to obtain the authentication passwords by analysing the network traffic. | 6.5 |
2021-05-17 | CVE-2021-24289 | DE Baat | Improper Privilege Management vulnerability in De-Baat Store Locator Plus There is functionality in the Store Locator Plus for WordPress plugin through 5.5.14 that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin. | 6.5 |
2021-05-17 | CVE-2021-3524 | Redhat Fedoraproject Debian | Injection vulnerability in multiple products A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. | 6.5 |
2021-05-17 | CVE-2021-29053 | Liferay | SQL Injection vulnerability in Liferay DXP and Liferay Portal Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C. | 6.5 |
2021-05-21 | CVE-2020-36330 | Webmproject Debian Redhat Netapp Apple | Out-of-bounds Read vulnerability in multiple products A flaw was found in libwebp in versions before 1.0.1. | 6.4 |
2021-05-19 | CVE-2020-36364 | Smartstore | Path Traversal vulnerability in Smartstore Smartstorenet An issue was discovered in Smartstore (aka SmartStoreNET) before 4.1.0. | 6.4 |
2021-05-17 | CVE-2020-4669 | IBM | Missing Authorization vulnerability in IBM Planning Analytics Cloud and Planning Analytics Local IBM Planning Analytics Local 2.0 connects to a MongoDB server. | 6.4 |
2021-05-17 | CVE-2020-4670 | IBM | Improper Authentication vulnerability in IBM Planning Analytics Cloud and Planning Analytics Local IBM Planning Analytics Local 2.0 connects to a Redis server. | 6.4 |
2021-05-22 | CVE-2021-1358 | Cisco | Open Redirect vulnerability in Cisco Finesse A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to redirect a user to an undesired web page. | 6.1 |
2021-05-17 | CVE-2021-32455 | Sitel SA | Resource Exhaustion vulnerability in Sitel-Sa Cap/Prx Firmware 5.2.01 SITEL CAP/PRX firmware version 5.2.01, allows an attacker with access to the device´s network to cause a denial of service condition on the device. | 6.1 |
2021-05-20 | CVE-2021-27467 | Emerson | Improper Restriction of Rendered UI Layers or Frames vulnerability in Emerson products A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. | 5.8 |
2021-05-19 | CVE-2021-29622 | Prometheus | Open Redirect vulnerability in Prometheus Prometheus is an open-source monitoring system and time series database. | 5.8 |
2021-05-19 | CVE-2020-36365 | Smartstore | Open Redirect vulnerability in Smartstore Smartstorenet Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect. | 5.8 |
2021-05-18 | CVE-2021-31320 | Telegram | Out-of-bounds Write vulnerability in Telegram Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Heap Buffer Overflow in the VGradientCache::generateGradientColorTable function of their custom fork of the rlottie library. | 5.8 |
2021-05-18 | CVE-2021-31321 | Telegram | Out-of-bounds Write vulnerability in Telegram Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Stack Based Overflow in the gray_split_cubic function of their custom fork of the rlottie library. | 5.8 |
2021-05-17 | CVE-2021-23384 | KOA Remove Trailing Slashes Project | Open Redirect vulnerability in Koa-Remove-Trailing-Slashes Project Koa-Remove-Trailing-Slashes 1.0.0/2.0.0/2.0.1 The package koa-remove-trailing-slashes before 2.0.2 are vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.com//attacker.example/). | 5.8 |
2021-05-17 | CVE-2021-32454 | Sitel SA | Use of Hard-coded Credentials vulnerability in Sitel-Sa Remote Cap/Prx Firmware 5.2.01 SITEL CAP/PRX firmware version 5.2.01 makes use of a hardcoded password. | 5.8 |
2021-05-17 | CVE-2021-32618 | Flask Security Project | Open Redirect vulnerability in Flask-Security Project Flask-Security The Python "Flask-Security-Too" package is used for adding security features to your Flask application. | 5.8 |
2021-05-17 | CVE-2021-24288 | Acymailing | Open Redirect vulnerability in Acymailing When subscribing using AcyMailing, the 'redirect' parameter isn't properly sanitized. | 5.8 |
2021-05-20 | CVE-2021-3426 | Python Fedoraproject Debian Redhat Netapp Oracle | Path Traversal vulnerability in multiple products There's a flaw in Python 3's pydoc. | 5.7 |
2021-05-21 | CVE-2020-23766 | Htmly | Path Traversal vulnerability in Htmly 2.7.5 An arbitrary file deletion vulnerability was discovered on htmly v2.7.5 which allows remote attackers to use any absolute path to delete any file in the server should they gain Administrator privileges. | 5.5 |
2021-05-20 | CVE-2020-21057 | Fusionpbx | Path Traversal vulnerability in Fusionpbx 4.5.7 Directory Traversal vulnerability in FusionPBX 4.5.7, which allows a remote malicious user to delete folders on the system via the folder variable to app/edit/folderdelete.php. | 5.5 |
2021-05-19 | CVE-2021-3421 | RPM Redhat Fedoraproject | Improper Verification of Cryptographic Signature vulnerability in multiple products A flaw was found in the RPM package in the read functionality. | 5.5 |
2021-05-18 | CVE-2020-23851 | Rockcarry | Out-of-bounds Write vulnerability in Rockcarry Ffjpeg A stack-based buffer overflow vulnerability exists in ffjpeg through 2020-07-02 in the jfif_decode(void *ctxt, BMP *pb) function at ffjpeg/src/jfif.c:513:28, which could cause a denial of service by submitting a malicious jpeg image. | 5.5 |
2021-05-18 | CVE-2020-23852 | Rockcarry | Out-of-bounds Write vulnerability in Rockcarry Ffjpeg A heap based buffer overflow vulnerability exists in ffjpeg through 2020-07-02 in the jfif_decode(void *ctxt, BMP *pb) function at ffjpeg/src/jfif.c (line 544 & line 545), which could cause a denial of service by submitting a malicious jpeg image. | 5.5 |
2021-05-18 | CVE-2020-23856 | GNU Fedoraproject | Use After Free vulnerability in multiple products Use-after-Free vulnerability in cflow 1.6 in the void call(char *name, int line) function at src/parser.c, which could cause a denial of service via the pointer variable caller->callee. | 5.5 |
2021-05-17 | CVE-2021-32617 | Exiv2 Fedoraproject | Resource Exhaustion vulnerability in multiple products Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. | 5.5 |
2021-05-18 | CVE-2021-3531 | Redhat Fedoraproject | Reachable Assertion vulnerability in multiple products A flaw was found in the Red Hat Ceph Storage RGW in versions before 14.2.21. | 5.3 |
2021-05-17 | CVE-2021-29023 | Invoiceplane | Improper Restriction of Excessive Authentication Attempts vulnerability in Invoiceplane 1.5.11 InvoicePlane 1.5.11 doesn't have any rate-limiting for password reset and the reset token is generated using a weak mechanism that is predictable. | 5.3 |
2021-05-21 | CVE-2021-33511 | Plone | Server-Side Request Forgery (SSRF) vulnerability in Plone Plone though 5.2.4 allows SSRF via the lxml parser. | 5.0 |
2021-05-21 | CVE-2021-33500 | Putty | Unspecified vulnerability in Putty PuTTY before 0.75 on Windows allows remote servers to cause a denial of service (Windows GUI hang) by telling the PuTTY window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls. | 5.0 |
2021-05-21 | CVE-2020-23768 | Phpyun | Information Exposure vulnerability in PHPyun 4.6 An information disclosure vulnerability was discovered in alipay_function.php in the log file of Alibaba payment interface on PHPPYUN prior to version 5.0.1. | 5.0 |
2021-05-21 | CVE-2021-29681 | IBM | Information Exposure vulnerability in IBM Infosphere Information Server 11.7 IBM InfoSphere Information Server 11.7 could allow an attacker to obtain sensitive information by injecting parameters into an HTML query. | 5.0 |
2021-05-21 | CVE-2021-32032 | Linaro | Memory Leak vulnerability in Linaro Trusted Firmware-M In Trusted Firmware-M through 1.3.0, cleaning up the memory allocated for a multi-part cryptographic operation (in the event of a failure) can prevent the abort() operation in the associated cryptographic library from freeing internal resources, causing a memory leak. | 5.0 |
2021-05-20 | CVE-2020-27209 | Micro ECC Project | Unspecified vulnerability in Micro-Ecc Project Micro-Ecc 1.0 The ECDSA operation of the micro-ecc library 1.0 is vulnerable to simple power analysis attacks which allows an adversary to extract the private ECC key. | 5.0 |
2021-05-20 | CVE-2020-18220 | Html JS | Inadequate Encryption Strength vulnerability in Html-Js Doracms Weak Encoding for Password in DoraCMS v2.1.1 and earlier allows attackers to obtain sensitive information as it does not use a random salt or IV for its AES-CBC encryption, causes password encrypted for users to be susceptible to dictionary attacks. | 5.0 |
2021-05-20 | CVE-2021-28902 | Cesnet | Unchecked Return Value vulnerability in Cesnet Libyang In function read_yin_container() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL. | 5.0 |
2021-05-20 | CVE-2021-28903 | Cesnet | Uncontrolled Recursion vulnerability in Cesnet Libyang A stack overflow in libyang <= v1.0.225 can cause a denial of service through function lyxml_parse_mem(). | 5.0 |
2021-05-20 | CVE-2021-28904 | Cesnet | Unchecked Return Value vulnerability in Cesnet Libyang In function ext_get_plugin() in libyang <= v1.0.225, it doesn't check whether the value of revision is NULL. | 5.0 |
2021-05-20 | CVE-2021-28905 | Cesnet | Reachable Assertion vulnerability in Cesnet Libyang In function lys_node_free() in libyang <= v1.0.225, it asserts that the value of node->module can't be NULL. | 5.0 |
2021-05-20 | CVE-2021-28906 | Cesnet | Unchecked Return Value vulnerability in Cesnet Libyang In function read_yin_leaf() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL. | 5.0 |
2021-05-20 | CVE-2021-28682 | Envoyproxy | Integer Overflow or Wraparound vulnerability in Envoyproxy Envoy An issue was discovered in Envoy through 1.71.1. | 5.0 |
2021-05-20 | CVE-2021-28683 | Envoyproxy | NULL Pointer Dereference vulnerability in Envoyproxy Envoy 1.16.2/1.17.1 An issue was discovered in Envoy through 1.71.1. | 5.0 |
2021-05-20 | CVE-2021-29258 | Envoyproxy | Reachable Assertion vulnerability in Envoyproxy Envoy An issue was discovered in Envoy 1.14.0. | 5.0 |
2021-05-20 | CVE-2020-35580 | Searchblox | Path Traversal vulnerability in Searchblox A local file inclusion vulnerability in the FileServlet in all SearchBlox before 9.2.2 allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. | 5.0 |
2021-05-20 | CVE-2021-27432 | Opcfoundation | Uncontrolled Recursion vulnerability in Opcfoundation Ua-.Net-Legacy and UA .Net Standard Stack OPC Foundation UA .NET Standard versions prior to 1.4.365.48 and OPC UA .NET Legacy are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow. | 5.0 |
2021-05-20 | CVE-2020-4850 | IBM | Improper Encoding or Escaping of Output vulnerability in IBM Gpfs.Tct.Server IBM Spectrum Scale 1.1.1.0 through 1.1.8.4 Transparent Cloud Tiering could allow a remote attacker to obtain sensitive information, caused by the leftover files after configuration. | 5.0 |
2021-05-20 | CVE-2021-29682 | IBM | Information Exposure Through an Error Message vulnerability in IBM Security Identity Manager 7.0.2 IBM Security Identity Manager 7.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 5.0 |
2021-05-20 | CVE-2021-29687 | IBM | Information Exposure Through Discrepancy vulnerability in IBM Security Identity Manager 6.0.2 IBM Security Identity Manager 7.0.2 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. | 5.0 |
2021-05-20 | CVE-2021-29688 | IBM | Information Exposure Through an Error Message vulnerability in IBM Security Identity Manager 6.0.2/7.0.2 IBM Security Identity Manager 7.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 5.0 |
2021-05-20 | CVE-2021-29691 | IBM | Use of Hard-coded Credentials vulnerability in IBM Security Identity Manager 7.0.2 IBM Security Identity Manager 7.0.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | 5.0 |
2021-05-20 | CVE-2021-27457 | Emerson | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Emerson products A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. | 5.0 |
2021-05-20 | CVE-2021-27461 | Emerson | Path Traversal vulnerability in Emerson products A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. | 5.0 |
2021-05-20 | CVE-2021-27463 | Emerson | Information Exposure Through Persistent Cookies vulnerability in Emerson products A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. | 5.0 |
2021-05-19 | CVE-2021-20529 | IBM | Information Exposure vulnerability in IBM Control Center 6.2.0.0 IBM Control Center 6.2.0.0 could allow a user to obtain sensitive version information that could be used in further attacks against the system. | 5.0 |
2021-05-19 | CVE-2021-25644 | Couchbase | Cleartext Storage of Sensitive Information vulnerability in Couchbase Server An issue was discovered in Couchbase Server 5.x and 6.x through 6.6.1 and 7.0.0 Beta. | 5.0 |
2021-05-19 | CVE-2017-17675 | BMC | Information Exposure Through Log Files vulnerability in BMC Remedy Mid-Tier 9.1 BMC Remedy Mid Tier 9.1SP3 is affected by log hijacking. | 5.0 |
2021-05-19 | CVE-2021-21732 | ZTE | Incorrect Default Permissions vulnerability in ZTE Axon 11 5G Firmware A mobile phone of ZTE is impacted by improper access control vulnerability. | 5.0 |
2021-05-17 | CVE-2021-24295 | Cleantalk | SQL Injection vulnerability in Cleantalk Spam Protection, Antispam, Firewall It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. | 5.0 |
2021-05-17 | CVE-2021-29747 | IBM | Unspecified vulnerability in IBM Infosphere Information Server 11.7 IBM InfoSphere Information Server 11.7 could allow a remote attacker to obtain highly sensitive information due to a vulnerability in the authentication mechanism. | 5.0 |
2021-05-22 | CVE-2021-1254 | Cisco | Cross-site Scripting vulnerability in Cisco Finesse Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. | 4.8 |
2021-05-20 | CVE-2021-25933 | Opennms | Cross-site Scripting vulnerability in Opennms Horizon and Meridian In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `groupName` and `groupComment` parameters. | 4.8 |
2021-05-17 | CVE-2021-24315 | Givewp | Cross-site Scripting vulnerability in Givewp The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.4 did not sanitise or escape the Background Image field of its Stripe Checkout Setting and Logo field in its Email settings, leading to authenticated (admin+) Stored XSS issues. | 4.8 |
2021-05-17 | CVE-2021-24327 | Clogica | Cross-site Scripting vulnerability in Clogica SEO Redirection Plugin The SEO Redirection Plugin – 301 Redirect Manager WordPress plugin before 6.4 did not sanitise the Redirect From and Redirect To fields when creating a new redirect in the dashboard, allowing high privilege users (even with the unfiltered_html disabled) to set XSS payloads | 4.8 |
2021-05-21 | CVE-2020-27208 | Solokeys Nitrokey | Inadequate Encryption Strength vulnerability in multiple products The flash read-out protection (RDP) level is not enforced during the device initialization phase of the SoloKeys Solo 4.0.0 & Somu and the Nitrokey FIDO2 token. | 4.6 |
2021-05-20 | CVE-2021-3438 | HP Samsung | Classic Buffer Overflow vulnerability in multiple products A potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an escalation of privilege. | 4.6 |
2021-05-18 | CVE-2021-3423 | Bitdefender | Uncontrolled Search Path Element vulnerability in Bitdefender Gravityzone Business Security Uncontrolled Search Path Element vulnerability in the openssl component as used in Bitdefender GravityZone Business Security allows an attacker to load a third party DLL to elevate privileges. | 4.6 |
2021-05-17 | CVE-2021-3483 | Linux Debian Netapp | Use After Free vulnerability in multiple products A flaw was found in the Nosy driver in the Linux kernel. | 4.6 |
2021-05-21 | CVE-2020-27212 | ST | Injection vulnerability in ST Stm32Cubel4 Firmware STMicroelectronics STM32L4 devices through 2020-10-19 have incorrect access control. | 4.4 |
2021-05-17 | CVE-2021-32622 | Matrix React SDK Project | Unrestricted Upload of File with Dangerous Type vulnerability in Matrix-React-Sdk Project Matrix-React-Sdk Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. | 4.4 |
2021-05-21 | CVE-2021-33507 | Plone Zope | Cross-site Scripting vulnerability in multiple products Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS. | 4.3 |
2021-05-21 | CVE-2008-3280 | Openid | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Openid It was found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). | 4.3 |
2021-05-20 | CVE-2021-27956 | Zohocorp | Cross-site Scripting vulnerability in Zohocorp Manageengine Adselfservice Plus Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field. | 4.3 |
2021-05-20 | CVE-2020-21345 | Halo | Cross-site Scripting vulnerability in Halo 1.1.3 Cross Site Scripting (XSS) vulnerability in Halo 1.1.3 via post publish components in the manage panel, which lets a remote malicious user execute arbitrary code. | 4.3 |
2021-05-20 | CVE-2020-21054 | Fusionpbx | Cross-site Scripting vulnerability in Fusionpbx 4.5.7 Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "f" variable in app\vars\vars_textarea.php. | 4.3 |
2021-05-20 | CVE-2021-32632 | Pajbot | Cross-Site Request Forgery (CSRF) vulnerability in Pajbot Pajbot is a Twitch chat bot. | 4.3 |
2021-05-20 | CVE-2020-21053 | Fusionpbx | Cross-site Scripting vulnerability in Fusionpbx 4.5.7 Cross Site Scriptiong (XSS) vulnerability exists in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "query_string" variable in app\devices\device_imports.php. | 4.3 |
2021-05-20 | CVE-2021-29692 | IBM | Unspecified vulnerability in IBM Security Identity Manager 7.0.2 IBM Security Identity Manager 7.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. | 4.3 |
2021-05-20 | CVE-2021-25930 | Opennms | Cross-Site Request Forgery (CSRF) vulnerability in Opennms Horizon and Meridian In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection, and since there is no validation of an existing user name while renaming a user. | 4.3 |
2021-05-20 | CVE-2020-15522 | Bouncycastle | Race Condition vulnerability in Bouncycastle products Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures. | 4.3 |
2021-05-20 | CVE-2021-27465 | Emerson | Cross-site Scripting vulnerability in Emerson products A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. | 4.3 |
2021-05-19 | CVE-2021-29625 | Adminer | Cross-site Scripting vulnerability in Adminer Adminer is open-source database management software. | 4.3 |
2021-05-19 | CVE-2021-27924 | Couchbase | Cleartext Transmission of Sensitive Information vulnerability in Couchbase Server An issue was discovered in Couchbase Server 6.x through 6.6.1. | 4.3 |
2021-05-19 | CVE-2021-29503 | Hedgedoc | Cross-site Scripting vulnerability in Hedgedoc HedgeDoc is a platform to write and share markdown. | 4.3 |
2021-05-19 | CVE-2021-31930 | Concerto Signage | Cross-site Scripting vulnerability in Concerto-Signage Concerto Persistent cross-site scripting (XSS) in the web interface of Concerto through 2.3.6 allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the First Name or Last Name parameter upon registration. | 4.3 |
2021-05-19 | CVE-2017-17678 | BMC | Cross-site Scripting vulnerability in BMC Remedy Mid-Tier 9.1 BMC Remedy Mid Tier 9.1SP3 is affected by cross-site scripting (XSS). | 4.3 |
2021-05-18 | CVE-2021-31315 | Telegram | Out-of-bounds Write vulnerability in Telegram Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Stack Based Overflow in the blit function of their custom fork of the rlottie library. | 4.3 |
2021-05-18 | CVE-2021-31317 | Telegram | Type Confusion vulnerability in Telegram Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Type Confusion in the VDasher constructor of their custom fork of the rlottie library. | 4.3 |
2021-05-18 | CVE-2021-31318 | Telegram | Type Confusion vulnerability in Telegram Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Type Confusion in the LOTCompLayerItem::LOTCompLayerItem function of their custom fork of the rlottie library. | 4.3 |
2021-05-18 | CVE-2021-31319 | Telegram | Integer Overflow or Wraparound vulnerability in Telegram Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by an Integer Overflow in the LOTGradient::populate function of their custom fork of the rlottie library. | 4.3 |
2021-05-18 | CVE-2021-31322 | Telegram | Out-of-bounds Write vulnerability in Telegram Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Heap Buffer Overflow in the LOTGradient::populate function of their custom fork of the rlottie library. | 4.3 |
2021-05-18 | CVE-2021-31323 | Telegram | Out-of-bounds Write vulnerability in Telegram Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Heap Buffer Overflow in the LottieParserImpl::parseDashProperty function of their custom fork of the rlottie library. | 4.3 |
2021-05-18 | CVE-2021-3200 | Opensuse Oracle | Classic Buffer Overflow vulnerability in multiple products Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service | 4.3 |
2021-05-18 | CVE-2020-23861 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10.1 A heap-based buffer overflow vulnerability exists in LibreDWG 0.10.1 via the read_system_page function at libredwg-0.10.1/src/decode_r2007.c:666:5, which causes a denial of service by submitting a dwg file. | 4.3 |
2021-05-18 | CVE-2020-24740 | Pluck CMS | Cross-Site Request Forgery (CSRF) vulnerability in Pluck-Cms Pluck 4.7.10 An issue was discovered in Pluck 4.7.10-dev2. | 4.3 |
2021-05-18 | CVE-2020-24026 | Tinyshop Project | Cross-site Scripting vulnerability in Tinyshop Project Tinyshop 1.2.0 TinyShop, a free and open source mall based on RageFrame2, has a stored XSS vulnerability that affects version 1.2.0. | 4.3 |
2021-05-17 | CVE-2020-18194 | Emlog | Cross-site Scripting vulnerability in Emlog 6.0.0 Cross Site Scripting (XSS) in emlog v6.0.0 allows remote attackers to execute arbitrary code by adding a crafted script as a link to a new blog post. | 4.3 |
2021-05-17 | CVE-2020-21834 | GNU | Out-of-bounds Write vulnerability in GNU Libredwg 0.10 A null pointer deference issue exists in GNU LibreDWG 0.10 via get_bmp ../../programs/dwgbmp.c:164. | 4.3 |
2021-05-17 | CVE-2020-21835 | GNU | NULL Pointer Dereference vulnerability in GNU Libredwg 0.10 A null pointer deference issue exists in GNU LibreDWG 0.10 via read_2004_compressed_section ../../src/decode.c:2337. | 4.3 |
2021-05-17 | CVE-2020-21815 | GNU | NULL Pointer Dereference vulnerability in GNU Libredwg 0.10.2641 A null pointer deference issue exists in GNU LibreDWG 0.10.2641 via output_TEXT ../../programs/dwg2SVG.c:114, which causes a denial of service (application crash). | 4.3 |
2021-05-17 | CVE-2020-21817 | GNU | NULL Pointer Dereference vulnerability in GNU Libredwg 0.10.2641 A null pointer dereference issue exists in GNU LibreDWG 0.10.2641 via htmlescape ../../programs/escape.c:29. | 4.3 |
2021-05-17 | CVE-2020-29205 | Projectworlds | Cross-site Scripting vulnerability in Projectworlds Travel Management System 1.0 XSS in signup form in Project Worlds Online Examination System 1.0 allows remote attacker to inject arbitrary code via the name field | 4.3 |
2021-05-17 | CVE-2020-13667 | Drupal | Incorrect Default Permissions vulnerability in Drupal Access bypass vulnerability in of Drupal Core Workspaces allows an attacker to access data without correct permissions. | 4.3 |
2021-05-17 | CVE-2021-24290 | DE Baat | Cross-site Scripting vulnerability in De-Baat Store Locator Plus There are several endpoints in the Store Locator Plus for WordPress plugin through 5.5.15 that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages. | 4.3 |
2021-05-17 | CVE-2021-24299 | Catzsoft | Cross-site Scripting vulnerability in Catzsoft Redi Restaurant Reservation The ReDi Restaurant Reservation WordPress plugin before 21.0426 provides the functionality to let users make restaurant reservations. | 4.3 |
2021-05-17 | CVE-2021-24324 | Clogica | Cross-Site Request Forgery (CSRF) vulnerability in Clogica ALL 404 Redirect TO Homepage The 404 SEO Redirection WordPress plugin through 1.3 is lacking CSRF checks in all its settings, allowing attackers to make a logged in user change the plugin's settings. | 4.3 |
2021-05-17 | CVE-2021-24325 | Clogica | Cross-site Scripting vulnerability in Clogica SEO Redirection Plugin 1.3 The tab parameter of the settings page of the 404 SEO Redirection WordPress plugin through 1.3 is vulnerable to a reflected Cross-Site Scripting (XSS) issue as user input is not properly sanitised or escaped before being output in an attribute. | 4.3 |
2021-05-17 | CVE-2021-33041 | VMD Project | Cross-site Scripting vulnerability in VMD Project VMD vmd through 1.34.0 allows 'div class="markdown-body"' XSS, as demonstrated by Electron remote code execution via require('child_process').execSync('calc.exe') on Windows and a similar attack on macOS. | 4.3 |
2021-05-17 | CVE-2019-14827 | Moodle | Code Injection vulnerability in Moodle A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates via recursive rendering from contexts. | 4.3 |
2021-05-17 | CVE-2021-27342 | Dlink | Information Exposure Through Discrepancy vulnerability in Dlink Dir-842E Firmware An authentication brute-force protection mechanism bypass in telnetd in D-Link Router model DIR-842 firmware version 3.0.2 allows a remote attacker to circumvent the anti-brute-force cool-down delay period via a timing-based side-channel attack | 4.3 |
2021-05-17 | CVE-2007-5967 | Mozilla | Improper Certificate Validation vulnerability in Mozilla Firefox A flaw in Mozilla's embedded certificate code might allow web sites to install root certificates on devices without user approval. | 4.3 |
2021-05-17 | CVE-2021-29048 | Liferay | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter. | 4.3 |
2021-05-17 | CVE-2021-29051 | Liferay | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter. | 4.3 |
2021-05-17 | CVE-2021-29043 | Liferay | Information Exposure vulnerability in Liferay DXP 7.0 The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing. | 4.3 |
2021-05-17 | CVE-2021-29044 | Liferay | Cross-site Scripting vulnerability in Liferay DXP 7.0 Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter. | 4.3 |
2021-05-17 | CVE-2021-29045 | Liferay | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_redirect_web_internal_portlet_RedirectPortlet_destinationURL parameter. | 4.3 |
2021-05-17 | CVE-2021-29046 | Liferay | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title parameter. | 4.3 |
2021-05-21 | CVE-2021-33510 | Plone | Server-Side Request Forgery (SSRF) vulnerability in Plone Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file. | 4.0 |
2021-05-20 | CVE-2021-23386 | DNS Packet Project | Missing Initialization of Resource vulnerability in Dns-Packet Project Dns-Packet This affects the package dns-packet before 5.2.2. | 4.0 |
2021-05-20 | CVE-2020-21055 | Fusionpbx | Path Traversal vulnerability in Fusionpbx 4.5.7 A Directory Traversal vulnerability exists in FusionPBX 4.5.7 allows malicoius users to rename any file of the system.via the (1) folder, (2) filename, and (3) newfilename variables in app\edit\filerename.php. | 4.0 |
2021-05-20 | CVE-2020-21056 | Fusionpbx | Path Traversal vulnerability in Fusionpbx 4.5.7 Directory Traversal vulnerability exists in FusionPBX 4.5.7, which allows a remote malicious user to create folders via the folder variale to app\edit\foldernew.php. | 4.0 |
2021-05-20 | CVE-2021-29683 | IBM | Cleartext Storage of Sensitive Information vulnerability in IBM Security Identity Manager 7.0.2 IBM Security Identity Manager 7.0.2 stores user credentials in plain clear text which can be read by an authenticated user. | 4.0 |
2021-05-20 | CVE-2021-29659 | Owncloud | Unspecified vulnerability in Owncloud 10.7.0 ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. | 4.0 |
2021-05-19 | CVE-2020-4646 | IBM | Unspecified vulnerability in IBM Sterling B2B Integrator IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5, 6.0.0.0 through 6.0.3.3, and 6.1.0.0 through 6.1.0.2 could allow an authenticated user to view pages they shoiuld not have access to due to improper authorization control. | 4.0 |
2021-05-19 | CVE-2021-31158 | Couchbase | Incorrect Authorization vulnerability in Couchbase Server In the Query Engine in Couchbase Server 6.5.x and 6.6.x through 6.6.1, Common Table Expression queries were not correctly checking the user's permissions, allowing read-access to resources beyond what those users were explicitly allowed to access. | 4.0 |
2021-05-19 | CVE-2020-20264 | Mikrotik | Divide By Zero vulnerability in Mikrotik Routeros Mikrotik RouterOs before 6.47 (stable tree) in the /ram/pckg/advanced-tools/nova/bin/netwatch process. | 4.0 |
2021-05-19 | CVE-2020-20266 | Mikrotik | NULL Pointer Dereference vulnerability in Mikrotik Routeros Mikrotik RouterOs before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/dot1x process. | 4.0 |
2021-05-19 | CVE-2021-21733 | ZTE | Information Exposure vulnerability in ZTE Zxcdn The management system of ZXCDN is impacted by the information leak vulnerability. | 4.0 |
2021-05-18 | CVE-2020-20220 | Mikrotik | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mikrotik Routeros Mikrotik RouterOs prior to stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/bfd process. | 4.0 |
2021-05-18 | CVE-2020-20227 | Mikrotik | Out-of-bounds Write vulnerability in Mikrotik Routeros 6.47 Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. | 4.0 |
2021-05-18 | CVE-2020-20245 | Mikrotik | Out-of-bounds Write vulnerability in Mikrotik Routeros 6.46.3 Mikrotik RouterOs stable 6.46.3 suffers from a memory corruption vulnerability in the log process. | 4.0 |
2021-05-18 | CVE-2020-20246 | Mikrotik | Out-of-bounds Write vulnerability in Mikrotik Routeros 6.46.3 Mikrotik RouterOs stable 6.46.3 suffers from a memory corruption vulnerability in the mactel process. | 4.0 |
2021-05-18 | CVE-2020-20214 | Mikrotik | Reachable Assertion vulnerability in Mikrotik Routeros 6.44.6 Mikrotik RouterOs 6.44.6 (long-term tree) suffers from an assertion failure vulnerability in the btest process. | 4.0 |
2021-05-18 | CVE-2020-20222 | Mikrotik | NULL Pointer Dereference vulnerability in Mikrotik Routeros 6.44.6 Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/sniffer process. | 4.0 |
2021-05-18 | CVE-2020-20236 | Mikrotik | Out-of-bounds Write vulnerability in Mikrotik Routeros 6.46.3 Mikrotik RouterOs 6.46.3 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/sniffer process. | 4.0 |
2021-05-18 | CVE-2020-20237 | Mikrotik | Out-of-bounds Write vulnerability in Mikrotik Routeros 6.46.3 Mikrotik RouterOs 6.46.3 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/sniffer process. | 4.0 |
2021-05-18 | CVE-2020-20253 | Mikrotik | Divide By Zero vulnerability in Mikrotik Routeros Mikrotik RouterOs before 6.47 (stable tree) suffers from a divison by zero vulnerability in the /nova/bin/lcdstat process. | 4.0 |
2021-05-18 | CVE-2020-20254 | Mikrotik | NULL Pointer Dereference vulnerability in Mikrotik Routeros Mikrotik RouterOs before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/lcdstat process. | 4.0 |
2021-05-17 | CVE-2021-29052 | Liferay | Incorrect Default Permissions vulnerability in Liferay DXP and Liferay Portal The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls. | 4.0 |
24 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-05-21 | CVE-2021-29414 | ST | Injection vulnerability in ST Stm32Cubel4 Firmware STMicroelectronics STM32L4 devices through 2021-03-29 have incorrect physical access control. | 3.6 |
2021-05-21 | CVE-2021-33508 | Plone | Cross-site Scripting vulnerability in Plone Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item. | 3.5 |
2021-05-21 | CVE-2021-33512 | Plone | Cross-site Scripting vulnerability in Plone Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document. | 3.5 |
2021-05-21 | CVE-2021-33513 | Plone | Cross-site Scripting vulnerability in Plone Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool. | 3.5 |
2021-05-20 | CVE-2021-22339 | Huawei | Insufficient Verification of Data Authenticity vulnerability in Huawei Manageone There is a denial of service vulnerability in some versions of ManageOne. | 3.5 |
2021-05-20 | CVE-2021-22409 | Huawei | Unspecified vulnerability in Huawei Manageone There is a denial of service vulnerability in some versions of ManageOne. | 3.5 |
2021-05-20 | CVE-2021-3313 | Plone | Cross-site Scripting vulnerability in Plone Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality. | 3.5 |
2021-05-20 | CVE-2021-25929 | Opennms | Cross-site Scripting vulnerability in Opennms Horizon and Meridian In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting since there is no validation on the input being sent to the `name` parameter in `noticeWizard` endpoint. | 3.5 |
2021-05-20 | CVE-2021-3536 | Redhat | Cross-site Scripting vulnerability in Redhat products A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. | 3.5 |
2021-05-19 | CVE-2021-20374 | IBM | Cross-site Scripting vulnerability in IBM Maximo Asset Management 7.6.0/7.6.1 IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to stored cross-site scripting. | 3.5 |
2021-05-19 | CVE-2021-20528 | IBM | Cross-site Scripting vulnerability in IBM Control Center 6.2.0.0 IBM Control Center 6.2.0.0 is vulnerable to cross-site scripting. | 3.5 |
2021-05-19 | CVE-2021-27925 | Couchbase | Race Condition vulnerability in Couchbase Server An issue was discovered in Couchbase Server 6.5.x and 6.6.x through 6.6.1. | 3.5 |
2021-05-18 | CVE-2020-19924 | Issuehunt | Cross-site Scripting vulnerability in Issuehunt Boostnote 0.12.1 In Boostnote 0.12.1, exporting to PDF contains opportunities for XSS attacks. | 3.5 |
2021-05-17 | CVE-2020-24992 | Cmswing | Cross-site Scripting vulnerability in Cmswing 1.3.7 There is a cross site scripting vulnerability on CmsWing 1.3.7. | 3.5 |
2021-05-17 | CVE-2020-24993 | Cmswing | Cross-site Scripting vulnerability in Cmswing 1.3.7 There is a cross site scripting vulnerability on CmsWing 1.3.7. | 3.5 |
2021-05-17 | CVE-2021-24292 | Wedevs | Cross-site Scripting vulnerability in Wedevs Happy Addons for Elementor The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting(XSS) by lower-privileged users such as contributors, all via a similar method: The “Card” widget accepts a “title_tag” parameter. | 3.5 |
2021-05-17 | CVE-2021-24323 | Woocommerce | Cross-site Scripting vulnerability in Woocommerce When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled | 3.5 |
2021-05-17 | CVE-2021-24326 | Clogica | Cross-site Scripting vulnerability in Clogica ALL 404 Redirect TO Homepage The tab parameter of the settings page of the All 404 Redirect to Homepage WordPress plugin before 1.21 was vulnerable to an authenticated reflected Cross-Site Scripting (XSS) issue as user input was not properly sanitised before being output in an attribute. | 3.5 |
2021-05-22 | CVE-2021-1306 | Cisco | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Cisco Identity Services Engine A vulnerability in the restricted shell of Cisco Evolved Programmable Network (EPN) Manager, Cisco Identity Services Engine (ISE), and Cisco Prime Infrastructure could allow an authenticated, local attacker to identify directories and write arbitrary files to the file system. | 3.4 |
2021-05-21 | CVE-2020-27211 | Nordicsemi | Information Exposure Through Discrepancy vulnerability in Nordicsemi Nrf52840 Firmware 20201019 Nordic Semiconductor nRF52840 devices through 2020-10-19 have improper protection against physical side channels. | 3.3 |
2021-05-18 | CVE-2020-15279 | Bitdefender | Unspecified vulnerability in Bitdefender Endpoint Security Tools 6.6.18.261 An Improper Access Control vulnerability in the logging component of Bitdefender Endpoint Security Tools for Windows versions prior to 6.6.23.320 allows a regular user to learn the scanning exclusion paths. | 3.3 |
2021-05-17 | CVE-2021-32453 | Sitel SA | Missing Authentication for Critical Function vulnerability in Sitel-Sa Cap/Prx Firmware 5.2.01 SITEL CAP/PRX firmware version 5.2.01 allows an attacker with access to the local network, to access via HTTP to the internal configuration database of the device without any authentication. | 3.3 |
2021-05-21 | CVE-2021-29415 | Nordicsemi | Information Exposure Through Discrepancy vulnerability in Nordicsemi Nrf52840 Firmware 20201019/20210329 The elliptic curve cryptography (ECC) hardware accelerator, part of the ARM® TrustZone® CryptoCell 310, contained in the NordicSemiconductor nRF52840 through 2021-03-29 has a non-constant time ECDSA implemenation. | 2.1 |
2021-05-19 | CVE-2020-4765 | IBM | Insecure Storage of Sensitive Information vulnerability in IBM Cloud PAK for Multicloud Management IBM Cloud Pak for Multicloud Management prior to 2.3 allows web pages to be stored locally which can be read by another user on the system. | 2.1 |