Weekly Vulnerabilities Reports > May 24 to 30, 2021

Overview

397 new vulnerabilities reported during this period, including 20 critical vulnerabilities and 59 high severity vulnerabilities. This weekly summary report vulnerabilities in 359 products from 169 vendors including Redhat, Debian, Fedoraproject, Ffmpeg, and Schneider Electric. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Improper Input Validation", "Classic Buffer Overflow", and "Improper Privilege Management".

  • 305 reported vulnerabilities are remotely exploitables.
  • 5 reported vulnerabilities have public exploit available.
  • 123 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 295 reported vulnerabilities are exploitable by an anonymous user.
  • Redhat has the most reported vulnerabilities, with 46 reported vulnerabilities.
  • Nagios has the most reported critical vulnerabilities, with 7 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

20 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-05-26 CVE-2019-25029 Versa Networks Command Injection vulnerability in Versa-Networks Versa Director

In Versa Director, the command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.

10.0
2021-05-26 CVE-2021-21985 Vmware Improper Input Validation vulnerability in VMWare Vcenter Server 6.5/6.7/7.0

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.

10.0
2021-05-26 CVE-2021-21986 Vmware Improper Authentication vulnerability in VMWare Vcenter Server 6.5/6.7/7.0

The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins.

10.0
2021-05-24 CVE-2021-29300 Ronomon Command Injection vulnerability in Ronomon Opened

The @ronomon/opened library before 1.5.2 is vulnerable to a command injection vulnerability which would allow a remote attacker to execute commands on the system if the library was used with untrusted input.

10.0
2021-05-24 CVE-2020-28900 Nagios Insufficient Verification of Data Authenticity vulnerability in Nagios Fusion and Nagios XI

Insufficient Verification of Data Authenticity in Nagios Fusion 4.1.8 and earlier and Nagios XI 5.7.5 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to an untrusted update package to upgrade_to_latest.sh.

10.0
2021-05-24 CVE-2020-28901 Nagios Command Injection vulnerability in Nagios Fusion

Command Injection in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation or Code Execution as root via vectors related to corrupt component installation in cmd_subsys.php.

10.0
2021-05-24 CVE-2020-28902 Nagios Command Injection vulnerability in Nagios Fusion

Command Injection in Nagios Fusion 4.1.8 and earlier allows Privilege Escalation from apache to root in cmd_subsys.php.

10.0
2021-05-24 CVE-2020-28907 Nagios Improper Certificate Validation vulnerability in Nagios Fusion

Incorrect SSL certificate validation in Nagios Fusion 4.1.8 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to download of an untrusted update package in upgrade_to_latest.sh.

10.0
2021-05-24 CVE-2020-28910 Nagios Incorrect Default Permissions vulnerability in Nagios XI

Creation of a Temporary Directory with Insecure Permissions in Nagios XI 5.7.5 and earlier allows for Privilege Escalation via creation of symlinks, which are mishandled in getprofile.sh.

10.0
2021-05-28 CVE-2020-1716 Ceph Use of Hard-coded Credentials vulnerability in Ceph Ceph-Ansible

A flaw was found in the ceph-ansible playbook where it contained hardcoded passwords that were being used as default passwords while deploying Ceph services.

9.0
2021-05-27 CVE-2021-20026 Sonicwall OS Command Injection vulnerability in Sonicwall Network Security Manager 2.2.0

A vulnerability in the SonicWall NSM On-Prem product allows an authenticated attacker to perform OS command injection using a crafted HTTP request.

9.0
2021-05-27 CVE-2021-22894 Pulsesecure Classic Buffer Overflow vulnerability in Pulsesecure Pulse Connect Secure 7.1/9.0/9.1

A buffer overflow vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to execute arbitrary code as the root user via maliciously crafted meeting room.

9.0
2021-05-27 CVE-2021-22908 Pulsesecure Classic Buffer Overflow vulnerability in Pulsesecure Pulse Connect Secure 9.0/9.0Rx/9.1

A buffer overflow vulnerability exists in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user.

9.0
2021-05-24 CVE-2021-33525 Eyesofnetwork OS Command Injection vulnerability in Eyesofnetwork

EyesOfNetwork eonweb through 5.3-11 allows Remote Command Execution (by authenticated users) via shell metacharacters in the nagios_path parameter to lilac/export.php, as demonstrated by %26%26+curl to insert an "&& curl" substring for the shell.

9.0
2021-05-24 CVE-2021-29256 ARM Use After Free vulnerability in ARM Bifrost, Midguard and Valhall

.

9.0
2021-05-24 CVE-2021-20385 IBM Unspecified vulnerability in IBM Security Guardium 11.2

IBM Security Guardium 11.2 could allow a remote authenticated attacker to execute arbitrary commands on the system.

9.0
2021-05-24 CVE-2021-20557 IBM OS Command Injection vulnerability in IBM Security Guardium 11.2

IBM Security Guardium 11.2 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.

9.0
2021-05-24 CVE-2020-28906 Nagios Incorrect Default Permissions vulnerability in Nagios Fusion and Nagios XI

Incorrect File Permissions in Nagios XI 5.7.5 and earlier and Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root.

9.0
2021-05-24 CVE-2020-28909 Nagios Incorrect Permission Assignment for Critical Resource vulnerability in Nagios Fusion

Incorrect File Permissions in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root via modification of scripts.

9.0
2021-05-24 CVE-2021-24307 Aioseo Code Injection vulnerability in ONE SEO

The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying host.

9.0

59 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-05-25 CVE-2021-29695 IBM Path Traversal vulnerability in IBM products

IBM Host firmware for LC-class Systems could allow a remote attacker to traverse directories on the system.

8.5
2021-05-28 CVE-2021-20240 Gnome
Fedoraproject
Integer Underflow (Wrap or Wraparound) vulnerability in multiple products

A flaw was found in gdk-pixbuf in versions before 2.42.0.

8.3
2021-05-27 CVE-2021-22359 Huawei Improper Input Validation vulnerability in Huawei S5700 Firmware and S6700 Firmware

There is a denial of service vulnerability in the verisions V200R005C00SPC500 of S5700 and V200R005C00SPC500 of S6700.

7.8
2021-05-26 CVE-2021-22699 SE Improper Input Validation vulnerability in SE Modicon M241 Firmware and Modicon M251 Firmware

Improper Input Validation vulnerability exists in Modicon M241/M251 logic controllers firmware prior to V5.1.9.1 that could cause denial of service when specific crafted requests are sent to the controller over HTTP.

7.8
2021-05-27 CVE-2021-22909 UI Improper Certificate Validation vulnerability in UI Edgemax Edgerouter Firmware

A vulnerability found in EdgeMAX EdgeRouter V2.0.9 and earlier could allow a malicious actor to execute a man-in-the-middle (MitM) attack during a firmware update.

7.6
2021-05-29 CVE-2021-30461 Voipmonitor Code Injection vulnerability in Voipmonitor

A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61.

7.5
2021-05-29 CVE-2021-31703 Frontiersoftware Unrestricted Upload of File with Dangerous Type vulnerability in Frontiersoftware Ichris 5.18

Frontier ichris through 5.18 allows users to upload malicious executable files that might later be downloaded and run by any client user.

7.5
2021-05-28 CVE-2021-29492 Envoyproxy Path Traversal vulnerability in Envoyproxy Envoy

Envoy is a cloud-native edge/middle/service proxy.

7.5
2021-05-28 CVE-2021-32619 Deno Improper Authorization vulnerability in Deno

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust.

7.5
2021-05-28 CVE-2021-22519 Microfocus Code Injection vulnerability in Microfocus Sitescope

Execute arbitrary code vulnerability in Micro Focus SiteScope product, affecting versions 11.40,11.41 , 2018.05(11.50), 2018.08(11.51), 2018.11(11.60), 2019.02(11.70), 2019.05(11.80), 2019.08(11.90), 2019.11(11.91), 2020.05(11.92), 2020.10(11.93).

7.5
2021-05-28 CVE-2021-32646 DAV Cogs Project Improper Authentication vulnerability in Dav-Cogs Project Dav-Cogs

Roomer is a discord bot cog (extension) which provides automatic voice channel generation as well as private voice and text channels.

7.5
2021-05-28 CVE-2021-32637 Authelia Improper Authentication vulnerability in Authelia

Authelia is a a single sign-on multi-factor portal for web apps.

7.5
2021-05-28 CVE-2021-32642 Uninett Improper Input Validation vulnerability in Uninett Radsecproxy

radsecproxy is a generic RADIUS proxy that supports both UDP and TLS (RadSec) RADIUS transports.

7.5
2021-05-28 CVE-2020-15782 Siemens Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Siemens products

A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V2.9.2), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl.

7.5
2021-05-28 CVE-2020-27847 Linuxfoundation Authentication Bypass by Spoofing vulnerability in Linuxfoundation DEX

A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signature Validation.

7.5
2021-05-28 CVE-2021-20236 Zeromq
Redhat
Fedoraproject
Classic Buffer Overflow vulnerability in multiple products

A flaw was found in the ZeroMQ server in versions before 4.3.3.

7.5
2021-05-27 CVE-2021-27852 Checkbox Deserialization of Untrusted Data vulnerability in Checkbox Survey

Deserialization of Untrusted Data vulnerability in CheckboxWeb.dll of Checkbox Survey allows an unauthenticated remote attacker to execute arbitrary code.

7.5
2021-05-27 CVE-2021-31535 X ORG
Fedoraproject
Classic Buffer Overflow vulnerability in multiple products

LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code.

7.5
2021-05-27 CVE-2021-22891 Citrix Missing Authorization vulnerability in Citrix Sharefile Storagezones Controller

A missing authorization vulnerability exists in Citrix ShareFile Storage Zones Controller before 5.7.3, 5.8.3, 5.9.3, 5.10.1 and 5.11.18 may allow unauthenticated remote compromise of the Storage Zones Controller.

7.5
2021-05-27 CVE-2021-22911 Rocket Chat Improper Input Validation vulnerability in Rocket.Chat 3.11.0/3.12.0/3.13.0

A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQL injection, resulting potentially in RCE.

7.5
2021-05-27 CVE-2021-33590 Labapart Out-of-bounds Write vulnerability in Labapart Gattlib 0.3

GattLib 0.3-rc1 has a stack-based buffer over-read in get_device_path_from_mac in dbus/gattlib.c.

7.5
2021-05-27 CVE-2021-30499 Libcaca Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Libcaca Project Libcaca

A flaw was found in libcaca.

7.5
2021-05-26 CVE-2021-30498 Libcaca Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Libcaca Project Libcaca

A flaw was found in libcaca.

7.5
2021-05-26 CVE-2021-22731 Schenider Electric Weak Password Recovery Mechanism for Forgotten Password vulnerability in Schenider-Electric products

Weak Password Recovery Mechanism for Forgotten Password vulnerability exists on Modicon Managed Switch MCSESM* and MCSESP* V8.21 and prior which could cause an unauthorized password change through HTTP / HTTPS when basic user information is known by a remote attacker.

7.5
2021-05-26 CVE-2021-33470 Covid19 Testing Management System Project SQL Injection vulnerability in Covid19 Testing Management System Project Covid19 Testing Management System 1.0

COVID19 Testing Management System 1.0 is vulnerable to SQL Injection via the admin panel.

7.5
2021-05-26 CVE-2021-25945 JS Extend Project Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Js-Extend Project Js-Extend

Prototype pollution vulnerability in 'js-extend' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.

7.5
2021-05-26 CVE-2021-22160 Apache Improper Verification of Cryptographic Signature vulnerability in Apache Pulsar

If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none".

7.5
2021-05-25 CVE-2021-33575 Pixar Unspecified vulnerability in Pixar Ruby-Jss

The Pixar ruby-jss gem before 1.6.0 allows remote attackers to execute arbitrary code because of the Plist gem's documented behavior of using Marshal.load during XML document processing.

7.5
2021-05-25 CVE-2021-33574 GNU Use After Free vulnerability in GNU Glibc

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free.

7.5
2021-05-25 CVE-2021-25944 Deep Defaults Project Unspecified vulnerability in Deep-Defaults Project Deep-Defaults

Prototype pollution vulnerability in 'deep-defaults' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution.

7.5
2021-05-25 CVE-2021-25946 Nconf Toml Project Unspecified vulnerability in Nconf-Toml Project Nconf-Toml

Prototype pollution vulnerability in `nconf-toml` versions 0.0.1 through 0.0.2 allows an attacker to cause a denial of service and may lead to remote code execution.

7.5
2021-05-25 CVE-2020-10064 Zephyrproject Out-of-bounds Write vulnerability in Zephyrproject Zephyr

Improper Input Frame Validation in ieee802154 Processing.

7.5
2021-05-25 CVE-2020-13601 Zephyrproject Out-of-bounds Read vulnerability in Zephyrproject Zephyr

Possible read out of bounds in dns read.

7.5
2021-05-25 CVE-2021-30188 Codesys Out-of-bounds Write vulnerability in Codesys V2 Runtime System SP

CODESYS V2 runtime system SP before 2.4.7.55 has a Stack-based Buffer Overflow.

7.5
2021-05-25 CVE-2021-30189 Codesys Out-of-bounds Write vulnerability in Codesys V2 web Server

CODESYS V2 Web-Server before 1.1.9.20 has a Stack-based Buffer Overflow.

7.5
2021-05-25 CVE-2021-30190 Codesys Exposure of Resource to Wrong Sphere vulnerability in Codesys V2 web Server

CODESYS V2 Web-Server before 1.1.9.20 has Improper Access Control.

7.5
2021-05-25 CVE-2021-30192 Codesys Incorrect Authorization vulnerability in Codesys V2 web Server

CODESYS V2 Web-Server before 1.1.9.20 has an Improperly Implemented Security Check.

7.5
2021-05-25 CVE-2021-30193 Codesys Out-of-bounds Write vulnerability in Codesys V2 web Server

CODESYS V2 Web-Server before 1.1.9.20 has an Out-of-bounds Write.

7.5
2021-05-24 CVE-2019-12348 Zzcms SQL Injection vulnerability in Zzcms 2019

An issue was discovered in zzcms 2019.

7.5
2021-05-24 CVE-2021-20426 IBM Use of Hard-coded Credentials vulnerability in IBM Security Guardium 11.2

IBM Security Guardium 11.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

7.5
2021-05-24 CVE-2020-25409 College Management System Project SQL Injection vulnerability in College Management System Project College Management System 1.0

Projectsworlds College Management System Php 1.0 is vulnerable to SQL injection issues over multiple parameters.

7.5
2021-05-24 CVE-2020-28904 Nagios Improper Privilege Management vulnerability in Nagios Fusion

Execution with Unnecessary Privileges in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation as nagios via installation of a malicious component containing PHP code.

7.5
2021-05-24 CVE-2020-28908 Nagios Command Injection vulnerability in Nagios Fusion

Command Injection in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to nagios.

7.5
2021-05-24 CVE-2021-32075 RE Logic Deserialization of Untrusted Data vulnerability in Re-Logic Terraria

Re-Logic Terraria before 1.4.2.3 performs Insecure Deserialization.

7.5
2021-05-28 CVE-2021-27032 Autodesk Incorrect Default Permissions vulnerability in Autodesk Licensing Services 9.0.1.1462.100

Autodesk Licensing Installer was found to be vulnerable to privilege escalation issues.

7.2
2021-05-28 CVE-2021-20292 Linux
Fedoraproject
Redhat
Use After Free vulnerability in multiple products

There is a flaw reported in the Linux kernel in versions before 5.9 in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem.

7.2
2021-05-27 CVE-2020-10145 Adobe Incorrect Authorization vulnerability in Adobe Coldfusion 2016/2018/2021

The Adobe ColdFusion installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\ColdFusion2021\.

7.2
2021-05-27 CVE-2021-31154 Pleaseedit Project Link Following vulnerability in Pleaseedit Project Pleaseedit

pleaseedit in please before 0.4 uses predictable temporary filenames in /tmp and the target directory.

7.2
2021-05-27 CVE-2021-31155 Umask Project Improper Privilege Management vulnerability in Umask Project Umask

Failure to normalize the umask in please before 0.4 allows a local attacker to gain full root privileges if they are allowed to execute at least one command.

7.2
2021-05-27 CVE-2021-33200 Linux
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579.

7.2
2021-05-27 CVE-2021-22907 Citrix Improper Privilege Management vulnerability in Citrix Workspace

An improper access control vulnerability exists in Citrix Workspace App for Windows potentially allows privilege escalation in CR versions prior to 2105 and 1912 LTSR prior to CU4.

7.2
2021-05-27 CVE-2021-32458 Trendmicro Out-of-bounds Write vulnerability in Trendmicro Home Network Security

Trend Micro Home Network Security version 6.6.604 and earlier is vulnerable to an iotcl stack-based buffer overflow vulnerability which could allow an attacker to issue a specially crafted iotcl which could lead to code execution on affected devices.

7.2
2021-05-26 CVE-2018-16497 Versa Networks Improper Privilege Management vulnerability in Versa-Networks Versa Analytics

In Versa Analytics, the cron jobs are used for scheduling tasks by executing commands at specific dates and times on the server.

7.2
2021-05-26 CVE-2020-15076 Openvpn Link Following vulnerability in Openvpn Private Tunnel

Private Tunnel installer for macOS version 3.0.1 and older versions may corrupt system critical files it should not have access via symlinks in /tmp.

7.2
2021-05-26 CVE-2020-25669 Linux
Debian
Use After Free vulnerability in multiple products

A vulnerability was found in the Linux Kernel where the function sunkbd_reinit having been scheduled by sunkbd_interrupt before sunkbd being freed.

7.2
2021-05-26 CVE-2020-25670 Linux
Fedoraproject
Use After Free vulnerability in multiple products

A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations.

7.2
2021-05-26 CVE-2020-25671 Linux
Fedoraproject
Use After Free vulnerability in multiple products

A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-free which might lead to privilege escalations.

7.2
2021-05-25 CVE-2020-13600 Zephyrproject Out-of-bounds Write vulnerability in Zephyrproject Zephyr

Malformed SPI in response for eswifi can corrupt kernel memory.

7.2
2021-05-25 CVE-2020-9452 Acronis Improper Privilege Management vulnerability in Acronis True Image 2020 24.5.22510

An issue was discovered in Acronis True Image 2020 24.5.22510.

7.2

242 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-05-26 CVE-2020-25668 Linux
Debian
Use After Free vulnerability in multiple products

A flaw was found in Linux Kernel because access to the global variable fg_console is not properly synchronized leading to a use after free in con_font_op.

6.9
2021-05-29 CVE-2021-33564 Dragonfly Project Argument Injection or Modification vulnerability in Dragonfly Project Dragonfly

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled.

6.8
2021-05-28 CVE-2021-32635 Sylabs Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Sylabs Singularity 3.7.2/3.7.3

Singularity is an open source container platform.

6.8
2021-05-28 CVE-2020-26641 Idreamsoft Cross-Site Request Forgery (CSRF) vulnerability in Idreamsoft Icms 7.0.16

A Cross Site Request Forgery (CSRF) vulnerability was discovered in iCMS 7.0.16 which can allow an attacker to execute arbitrary web scripts.

6.8
2021-05-28 CVE-2021-20195 Redhat Improper Input Validation vulnerability in Redhat Keycloak

A flaw was found in keycloak in versions before 13.0.0.

6.8
2021-05-28 CVE-2021-33591 Naver Unspecified vulnerability in Naver Comic Viewer

An exposed remote debugging port in Naver Comic Viewer prior to 1.0.15.0 allowed a remote attacker to execute arbitrary code via a crafted HTML page.

6.8
2021-05-27 CVE-2020-15180 Mariadb
Debian
Percona
Galeracluster
Static Code Injection vulnerability in multiple products

A flaw was found in the mysql-wsrep component of mariadb.

6.8
2021-05-27 CVE-2020-22016 Ffmpeg
Debian
Out-of-bounds Write vulnerability in multiple products

A heap-based Buffer Overflow vulnerability in FFmpeg 4.2 at libavcodec/get_bits.h when writing .mov files, which might lead to memory corruption and other potential consequences.

6.8
2021-05-27 CVE-2020-22017 Ffmpeg
Debian
Out-of-bounds Write vulnerability in multiple products

A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at ff_fill_rectangle in libavfilter/drawutils.c, which might lead to memory corruption and other potential consequences.

6.8
2021-05-27 CVE-2020-22022 Ffmpeg
Debian
Out-of-bounds Write vulnerability in multiple products

A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 in filter_frame at libavfilter/vf_fieldorder.c, which might lead to memory corruption and other potential consequences.

6.8
2021-05-27 CVE-2020-22023 Ffmpeg
Debian
Out-of-bounds Write vulnerability in multiple products

A heap-based Buffer Overflow vulnerabililty exists in FFmpeg 4.2 in filter_frame at libavfilter/vf_bitplanenoise.c, which might lead to memory corruption and other potential consequences.

6.8
2021-05-27 CVE-2020-22025 Ffmpeg
Debian
Out-of-bounds Write vulnerability in multiple products

A heap-based Buffer Overflow vulnerability exists in gaussian_blur at libavfilter/vf_edgedetect.c, which might lead to memory corruption and other potential consequences.

6.8
2021-05-27 CVE-2020-22027 Ffmpeg
Debian
Out-of-bounds Write vulnerability in multiple products

A heap-based Buffer Overflow vulnerability exits in FFmpeg 4.2 in deflate16 at libavfilter/vf_neighbor.c, which might lead to memory corruption and other potential consequences.

6.8
2021-05-27 CVE-2020-22032 Ffmpeg
Debian
Out-of-bounds Write vulnerability in multiple products

A heap-based Buffer Overflow vulnerability exists FFmpeg 4.2 at libavfilter/vf_edgedetect.c in gaussian_blur, which might lead to memory corruption and other potential consequences.

6.8
2021-05-27 CVE-2020-22034 Ffmpeg
Debian
Out-of-bounds Write vulnerability in multiple products

A heap-based Buffer Overflow vulnerability exists FFmpeg 4.2 at libavfilter/vf_floodfill.c, which might lead to memory corruption and other potential consequences.

6.8
2021-05-27 CVE-2020-22029 Ffmpeg
Debian
Out-of-bounds Write vulnerability in multiple products

A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at libavfilter/vf_colorconstancy.c: in slice_get_derivative, which crossfade_samples_fltp, which might lead to memory corruption and other potential consequences.

6.8
2021-05-27 CVE-2020-22030 Ffmpeg
Debian
Out-of-bounds Write vulnerability in multiple products

A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at libavfilter/af_afade.c in crossfade_samples_fltp, which might lead to memory corruption and other potential consequences.

6.8
2021-05-27 CVE-2020-22031 Ffmpeg
Debian
Out-of-bounds Write vulnerability in multiple products

A Heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at libavfilter/vf_w3fdif.c in filter16_complex_low, which might lead to memory corruption and other potential consequences.

6.8
2021-05-27 CVE-2021-27490 Datakit
Luxion
Siemens
Out-of-bounds Read vulnerability in multiple products

Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior are vulnerable to an out-of-bounds read, which may allow an attacker to execute arbitrary code.

6.8
2021-05-27 CVE-2021-27488 Datakit
Luxion
Siemens
Out-of-bounds Write vulnerability in multiple products

Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior lack proper validation of user-supplied data when parsing CATPart files.

6.8
2021-05-27 CVE-2021-27494 Datakit
Luxion
Siemens
Stack-based Buffer Overflow vulnerability in multiple products

Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior lack proper validation of user-supplied data when parsing STP files.

6.8
2021-05-27 CVE-2021-27496 Datakit
Luxion
Siemens
Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior lack proper validation of user-supplied data when parsing PRT files.
6.8
2021-05-27 CVE-2021-30500 UPX Project
Redhat
Fedoraproject
NULL Pointer Dereference vulnerability in multiple products

Null pointer dereference was found in upx PackLinuxElf::canUnpack() in p_lx_elf.cpp,in version UPX 4.0.0.

6.8
2021-05-26 CVE-2009-3721 Gnome
Ytnef Project
Path Traversal vulnerability in multiple products

Multiple directory traversal and buffer overflow vulnerabilities were discovered in yTNEF, and in Evolution's TNEF parser that is derived from yTNEF.

6.8
2021-05-26 CVE-2021-30472 Podofo Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Podofo Project Podofo 0.9.7

A flaw was found in PoDoFo 0.9.7.

6.8
2021-05-26 CVE-2020-22015 Ffmpeg
Debian
Classic Buffer Overflow vulnerability in multiple products

Buffer Overflow vulnerability in FFmpeg 4.2 in mov_write_video_tag due to the out of bounds in libavformat/movenc.c, which could let a remote malicious user obtain sensitive information, cause a Denial of Service, or execute arbitrary code.

6.8
2021-05-26 CVE-2019-14836 Redhat Cross-Site Request Forgery (CSRF) vulnerability in Redhat 3Scale 2.4

A vulnerability was found that the 3scale dev portal does not employ mechanisms for protection against login CSRF.

6.8
2021-05-28 CVE-2021-29505 Xstream Project
Debian
Fedoraproject
Netapp
Oracle
Deserialization of Untrusted Data vulnerability in multiple products

XStream is software for serializing Java objects to XML and back again.

6.5
2021-05-28 CVE-2021-32621 Xwiki Code Injection vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

6.5
2021-05-27 CVE-2021-22899 Pulsesecure Command Injection vulnerability in Pulsesecure Pulse Connect Secure

A command injection vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via Windows Resource Profiles Feature

6.5
2021-05-27 CVE-2021-22900 Pulsesecure Code Injection vulnerability in Pulsesecure Pulse Connect Secure 7.1/9.0/9.1

A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

6.5
2021-05-26 CVE-2021-22734 Schneider Electric Improper Verification of Cryptographic Signature vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware

Improper Verification of Cryptographic Signature vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could cause remote code execution when an attacker loads unauthorized code.

6.5
2021-05-26 CVE-2021-22735 Schneider Electric Improper Verification of Cryptographic Signature vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware

Improper Verification of Cryptographic Signature vulnerability exists inhomeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could allow remote code execution when unauthorized code is copied to the device.

6.5
2021-05-26 CVE-2018-16494 Versa Networks Exposure of Resource to Wrong Sphere vulnerability in Versa-Networks Versa Operating System 20.2.0/21.1.0

In VOS and overly permissive "umask" may allow for authorized users of the server to gain unauthorized access through insecure file permissions that can result in an arbitrary read, write, or execution of newly created files and directories.

6.5
2021-05-26 CVE-2018-16495 Versa Networks Session Fixation vulnerability in Versa-Networks Versa Operating System 20.2.0/21.1.0

In VOS user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after the user successfully logs into the application.

6.5
2021-05-26 CVE-2021-20487 IBM Improper Verification of Cryptographic Signature vulnerability in IBM products

IBM Power9 Self Boot Engine(SBE) could allow a privileged user to inject malicious code and compromise the integrity of the host firmware bypassing the host firmware signature verification process.

6.5
2021-05-26 CVE-2020-24020 Ffmpeg Classic Buffer Overflow vulnerability in Ffmpeg 4.2.3

Buffer Overflow vulnerability in FFMpeg 4.2.3 in dnn_execute_layer_pad in libavfilter/dnn/dnn_backend_native_layer_pad.c due to a call to memcpy without length checks, which could let a remote malicious user execute arbitrary code.

6.5
2021-05-26 CVE-2020-26677 Vfairs SQL Injection vulnerability in Vfairs 3.3

Any user logged in to a vFairs 3.3 virtual conference or event can perform SQL injection with a malicious query to the API.

6.5
2021-05-26 CVE-2020-26678 Vfairs Unrestricted Upload of File with Dangerous Type vulnerability in Vfairs 3.3

vFairs 3.3 is affected by Remote Code Execution.

6.5
2021-05-25 CVE-2021-21657 Jenkins XXE vulnerability in Jenkins Filesystem Trigger

Jenkins Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

6.5
2021-05-24 CVE-2021-30081 Emlog SQL Injection vulnerability in Emlog 6.0.0

An issue was discovered in emlog 6.0.0stable.

6.5
2021-05-24 CVE-2020-4990 IBM SQL Injection vulnerability in IBM Security Guardium 11.2

IBM Security Guardium 11.2 is vulnerable to SQL injection.

6.5
2021-05-24 CVE-2020-28905 Nagios Improper Input Validation vulnerability in Nagios Fusion

Improper Input Validation in Nagios Fusion 4.1.8 and earlier allows an authenticated attacker to execute remote code via table pagination.

6.5
2021-05-27 CVE-2020-12403 Mozilla Out-of-bounds Read vulnerability in Mozilla NSS

A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55.

6.4
2021-05-26 CVE-2018-10866 Redhat Missing Authorization vulnerability in Redhat Certification 7.0

It has been discovered that redhat-certification does not perform an authorization check and it allows an unauthenticated user to remove a "system" file, that is an xml file with host related information, not belonging to him.

6.4
2021-05-26 CVE-2018-10867 Redhat Files or Directories Accessible to External Parties vulnerability in Redhat Certification 7.0

It has been discovered that redhat-certification does not restrict file access in the /update/results page.

6.4
2021-05-26 CVE-2021-20492 IBM XXE vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.

6.4
2021-05-25 CVE-2021-21658 Jenkins XXE vulnerability in Jenkins Nuget

Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

6.4
2021-05-25 CVE-2021-30194 Codesys Out-of-bounds Read vulnerability in Codesys V2 web Server

CODESYS V2 Web-Server before 1.1.9.20 has an Out-of-bounds Read.

6.4
2021-05-24 CVE-2021-30108 Feehi Server-Side Request Forgery (SSRF) vulnerability in Feehi CMS 2.1.1

Feehi CMS 2.1.1 is affected by a Server-side request forgery (SSRF) vulnerability.

6.4
2021-05-24 CVE-2020-20907 Metinfo Improper Input Validation vulnerability in Metinfo 7.0.0

MetInfo 7.0 beta is affected by a file modification vulnerability.

6.4
2021-05-24 CVE-2021-33497 Dutchcoders Path Traversal vulnerability in Dutchcoders Transfer.Sh

Dutchcoders transfer.sh before 1.2.4 allows Directory Traversal for deleting files.

6.4
2021-05-26 CVE-2020-27815 Linux
Debian
Netapp
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges.

6.1
2021-05-27 CVE-2020-27832 Redhat Cross-site Scripting vulnerability in Redhat Quay

A flaw was found in Red Hat Quay, where it has a persistent Cross-site Scripting (XSS) vulnerability when displaying a repository's notification.

6.0
2021-05-27 CVE-2021-30465 Linuxfoundation
Fedoraproject
Path Traversal vulnerability in multiple products

runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal.

6.0
2021-05-24 CVE-2021-3485 Bitdefender Improper Input Validation vulnerability in Bitdefender Endpoint Security Tools 6.2.21.18

An Improper Input Validation vulnerability in the Product Update feature of Bitdefender Endpoint Security Tools for Linux allows a man-in-the-middle attacker to abuse the DownloadFile function of the Product Update to achieve remote code execution.

6.0
2021-05-28 CVE-2021-20278 Kiali Authentication Bypass by Spoofing vulnerability in Kiali

An authentication bypass vulnerability was found in Kiali in versions before 1.31.0 when the authentication strategy `OpenID` is used.

5.8
2021-05-27 CVE-2020-14387 Samba Improper Validation of Certificate with Host Mismatch vulnerability in Samba Rsync

A flaw was found in rsync in versions since 3.2.0pre1.

5.8
2021-05-27 CVE-2021-32645 Tenancy Open Redirect vulnerability in Tenancy Multi-Tenant

Tenancy multi-tenant is an open source multi-domain controller for the Laravel web framework.

5.8
2021-05-27 CVE-2020-17514 Apache Unspecified vulnerability in Apache Fineract

Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method.

5.8
2021-05-26 CVE-2021-32614 Dmg2Img Project Out-of-bounds Read vulnerability in Dmg2Img Project Dmg2Img 20170502

A flaw was found in dmg2img through 20170502.

5.8
2021-05-26 CVE-2021-3561 Fig2Dev Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Fig2Dev Project Fig2Dev 3.2.8

An Out of Bounds flaw was found fig2dev version 3.2.8a.

5.8
2021-05-26 CVE-2021-3548 Dmg2Img Project Out-of-bounds Read vulnerability in Dmg2Img Project Dmg2Img 20170502

A flaw was found in dmg2img through 20170502.

5.8
2021-05-26 CVE-2021-3549 GNU Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in GNU Binutils 2.36

An out of bounds flaw was found in GNU binutils objdump utility version 2.36.

5.8
2021-05-25 CVE-2020-10065 Zephyrproject Out-of-bounds Write vulnerability in Zephyrproject Zephyr

Missing Size Checks in Bluetooth HCI over SPI.

5.8
2021-05-25 CVE-2021-20096 Lucyparsonslabs Cross-Site Request Forgery (CSRF) vulnerability in Lucyparsonslabs Openoversight 0.6.4

Cross-site request forgery in OpenOversight 0.6.4 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.

5.8
2021-05-24 CVE-2021-23387 Trailing Slash Project Open Redirect vulnerability in Trailing-Slash Project Trailing-Slash

The package trailing-slash before 2.0.1 are vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.com//attacker.example/).

5.8
2021-05-24 CVE-2020-26559 Bluetooth Incorrect Authorization vulnerability in Bluetooth Mesh Profile 1.0.0/1.0.1

Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner’s public key, and the confirmation number and nonce provided by the provisioning device.

5.8
2021-05-24 CVE-2021-33516 Gnome Unspecified vulnerability in Gnome Gupnp

An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5.

5.8
2021-05-28 CVE-2021-20267 Openstack
Redhat
Insufficient Verification of Data Authenticity vulnerability in multiple products

A flaw was found in openstack-neutron's default Open vSwitch firewall rules.

5.5
2021-05-28 CVE-2021-32543 Sysjust Improper Authentication vulnerability in Sysjust CTS web

The CTS Web transaction system related to authentication management is implemented incorrectly.

5.5
2021-05-27 CVE-2021-33394 Cubecart Session Fixation vulnerability in Cubecart 6.4.2

Cubecart 6.4.2 allows Session Fixation.

5.5
2021-05-27 CVE-2021-32459 Trendmicro Use of Hard-coded Credentials vulnerability in Trendmicro Home Network Security

Trend Micro Home Network Security version 6.6.604 and earlier contains a hard-coded password vulnerability in the log collection server which could allow an attacker to use a specially crafted network request to lead to arbitrary authentication.

5.5
2021-05-26 CVE-2020-25634 Redhat Improper Access Control vulnerability in Redhat 3Scale and 3Scale API Management

A flaw was found in Red Hat 3scale’s API docs URL, where it is accessible without credentials.

5.5
2021-05-25 CVE-2021-21659 Jenkins XXE vulnerability in Jenkins Urltrigger

Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

5.5
2021-05-29 CVE-2021-31702 Frontiersoftware Unspecified vulnerability in Frontiersoftware Ichris 5.18

Frontier ichris through 5.18 mishandles making a DNS request for the hostname in the HTTP Host header, as demonstrated by submitting 127.0.0.1 multiple times for DoS.

5.0
2021-05-28 CVE-2020-18395 GNU NULL Pointer Dereference vulnerability in GNU Gama 2.04

A NULL-pointer deference issue was discovered in GNU_gama::set() in ellipsoid.h in Gama 2.04 which can lead to a denial of service (DOS) via segment faults caused by crafted inputs.

5.0
2021-05-28 CVE-2021-33587 CSS What Project
Netapp
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
5.0
2021-05-28 CVE-2021-33623 Trim Newlines Project
Netapp
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
5.0
2021-05-28 CVE-2021-29628 Freebsd Incorrect Authorization vulnerability in Freebsd 12.2/13.0

In FreeBSD 13.0-STABLE before n245764-876ffe28796c, 12.2-STABLE before r369857, 13.0-RELEASE before p1, and 12.2-RELEASE before p7, a system call triggering a fault could cause SMAP protections to be disabled for the duration of the system call.

5.0
2021-05-28 CVE-2021-29629 Freebsd Improper Input Validation vulnerability in Freebsd 11.4/12.2/13.0

In FreeBSD 13.0-STABLE before n245765-bec0d2c9c841, 12.2-STABLE before r369859, 11.4-STABLE before r369866, 13.0-RELEASE before p1, 12.2-RELEASE before p7, and 11.4-RELEASE before p10, missing message validation in libradius(3) could allow malicious clients or servers to trigger denial of service in vulnerable servers or clients respectively.

5.0
2021-05-28 CVE-2020-25710 Openldap
Redhat
Debian
Fedoraproject
Reachable Assertion vulnerability in multiple products

A flaw was found in OpenLDAP in versions before 2.4.56.

5.0
2021-05-28 CVE-2021-20201 Spice Project
Redhat
Resource Exhaustion vulnerability in multiple products

A flaw was found in spice in versions before 0.14.92.

5.0
2021-05-28 CVE-2021-32541 Sysjust Improper Authentication vulnerability in Sysjust CTS web

The CTS Web transaction system related to authentication and session management is implemented incorrectly, which allows remote unauthenticated attackers can send a large number of valid usernames, and force those logged-in account to log out, causing the user to be unable to access the services

5.0
2021-05-27 CVE-2021-32643 Typelevel Path Traversal vulnerability in Typelevel Http4S

Http4s is a Scala interface for HTTP services.

5.0
2021-05-27 CVE-2021-22362 Huawei Out-of-bounds Write vulnerability in Huawei products

There is an out of bounds write vulnerability in some Huawei products.

5.0
2021-05-27 CVE-2021-22885 Rubyonrails Information Exposure Through an Error Message vulnerability in Rubyonrails Actionpack Page-Caching and Rails

A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input.

5.0
2021-05-27 CVE-2021-22892 Rocket Chat Information Exposure vulnerability in Rocket.Chat

An information disclosure vulnerability exists in the Rocket.Chat server fixed v3.13, v3.12.2 & v3.11.3 that allowed email addresses to be disclosed by enumeration and validation checks.

5.0
2021-05-27 CVE-2021-28651 Squid Cache
Debian
Fedoraproject
Netapp
Memory Leak vulnerability in multiple products

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6.

5.0
2021-05-27 CVE-2021-33558 BOA Information Exposure vulnerability in BOA 0.94.13

Boa 0.94.13 allows remote attackers to obtain sensitive information via a misconfiguration involving backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, and config.js.

5.0
2021-05-26 CVE-2021-28170 Eclipse
Quarkus
Improper Input Validation vulnerability in multiple products

In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

5.0
2021-05-26 CVE-2021-22736 Schneider Electric Path Traversal vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could cause a denial of service when an unauthorized file is uploaded.

5.0
2021-05-26 CVE-2021-22737 Schneider Electric Insufficiently Protected Credentials vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware

Insufficiently Protected Credentials vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior that could cause unauthorized access of when credentials are discovered after a brute force attack.

5.0
2021-05-26 CVE-2021-22738 Schneider Electric Use of a Broken or Risky Cryptographic Algorithm vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware

Use of a Broken or Risky Cryptographic Algorithm vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior that could cause unauthorized access when credentials are discovered after a brute force attack.

5.0
2021-05-26 CVE-2018-10863 Redhat Files or Directories Accessible to External Parties vulnerability in Redhat Certification 7.0

It has been discovered that redhat-certification is not properly configured and it lists all files and directories in the /var/www/rhcert/store/transfer directory through the /rhcert-transfer URL.

5.0
2021-05-26 CVE-2018-10865 Redhat Missing Authorization vulnerability in Redhat Certification 7.0

It has been discovered that redhat-certification does not perform an authorization check and allows an unauthenticated user to call a "restart" RPC method on any host accessible by the system.

5.0
2021-05-26 CVE-2018-10868 Redhat XML Entity Expansion vulnerability in Redhat Certification 7.0

It has been discovered that redhat-certification does not properly limit the number of recursive definitions of entities in XML documents while parsing the status of a host.

5.0
2021-05-26 CVE-2018-16496 Versa Networks Improper Authentication vulnerability in Versa-Networks Versa Director

In Versa Director, the un-authentication request found.

5.0
2021-05-26 CVE-2021-33194 Golang Infinite Loop vulnerability in Golang GO

golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

5.0
2021-05-26 CVE-2021-33506 8X8 Incorrect Default Permissions vulnerability in 8X8 Jitsi Meet 5023/5024/5025

jitsi-meet-prosody in Jitsi Meet before 2.0.5963-1 does not ensure that restrict_room_creation is set by default.

5.0
2021-05-26 CVE-2021-33038 Hyperkitty Project
Debian
Information Exposure vulnerability in multiple products

An issue was discovered in management/commands/hyperkitty_import.py in HyperKitty through 1.3.4.

5.0
2021-05-25 CVE-2016-20011 Gnome Improper Certificate Validation vulnerability in Gnome Libgrss

libgrss through 0.7.0 fails to perform TLS certificate verification when downloading feeds, allowing remote attackers to manipulate the contents of feeds without detection.

5.0
2021-05-25 CVE-2020-25672 Linux
Fedoraproject
Memory Leak vulnerability in multiple products

A memory leak vulnerability was found in Linux kernel in llcp_sock_connect

5.0
2021-05-25 CVE-2021-20209 Privoxy Memory Leak vulnerability in Privoxy

A memory leak vulnerability was found in Privoxy before 3.0.29 in the show-status CGI handler when no action files are configured.

5.0
2021-05-25 CVE-2020-20450 Ffmpeg
Debian
NULL Pointer Dereference vulnerability in multiple products

FFmpeg 4.2 is affected by null pointer dereference passed as argument to libavformat/aviobuf.c, which could cause a Denial of Service.

5.0
2021-05-25 CVE-2020-20451 Ffmpeg
Debian
Memory Leak vulnerability in multiple products

Denial of Service issue in FFmpeg 4.2 due to resource management errors via fftools/cmdutils.c.

5.0
2021-05-25 CVE-2021-32640 WS Project Resource Exhaustion vulnerability in WS Project WS

ws is an open source WebSocket client and server library for Node.js.

5.0
2021-05-25 CVE-2021-23937 Apache Improper Input Validation vulnerability in Apache Wicket

A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized.

5.0
2021-05-25 CVE-2021-3320 Zephyrproject Type Confusion vulnerability in Zephyrproject Zephyr

Type Confusion in 802154 ACK Frames Handling.

5.0
2021-05-25 CVE-2021-27823 Mediateknet Information Exposure vulnerability in Mediateknet Netwave System 1.0

An information disclosure vulnerability was discovered in /index.class.php (via port 8181) on NetWave System 1.0 which allows unauthenticated attackers to exfiltrate sensitive information from the system.

5.0
2021-05-25 CVE-2021-30186 Codesys Out-of-bounds Write vulnerability in Codesys Plcwinnt and Runtime Toolkit

CODESYS V2 runtime system SP before 2.4.7.55 has a Heap-based Buffer Overflow.

5.0
2021-05-25 CVE-2021-30191 Codesys Classic Buffer Overflow vulnerability in Codesys V2 web Server

CODESYS V2 Web-Server before 1.1.9.20 has a a Buffer Copy without Checking the Size of the Input.

5.0
2021-05-25 CVE-2021-30195 Codesys Out-of-bounds Read vulnerability in Codesys Plcwinnt and Runtime Toolkit

CODESYS V2 runtime system before 2.4.7.55 has Improper Input Validation.

5.0
2021-05-24 CVE-2021-33563 Koel Use of Password Hash With Insufficient Computational Effort vulnerability in Koel

Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username.

5.0
2021-05-24 CVE-2020-20178 Whohas Project Unspecified vulnerability in Whohas Project Whohas

Ethereum 0xe933c0cd9784414d5f278c114904f5a84b396919#code.sol latest version is affected by a denial of service vulnerability in the affected payout function.

5.0
2021-05-24 CVE-2020-21041 Ffmpeg
Debian
Classic Buffer Overflow vulnerability in multiple products

Buffer Overflow vulnerability exists in FFmpeg 4.1 via apng_do_inverse_blend in libavcodec/pngenc.c, which could let a remote malicious user cause a Denial of Service

5.0
2021-05-24 CVE-2021-33502 Normalize URL Project Unspecified vulnerability in Normalize-Url Project Normalize-Url

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

5.0
2021-05-24 CVE-2021-20419 IBM Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Security Guardium 11.2

IBM Security Guardium 11.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

5.0
2021-05-24 CVE-2021-20428 IBM Information Exposure Through an Error Message vulnerability in IBM Security Guardium 11.2

IBM Security Guardium 11.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

5.0
2021-05-24 CVE-2021-21000 Wago Allocation of Resources Without Limits or Throttling vulnerability in Wago products

On WAGO PFC200 devices in different firmware versions with special crafted packets an attacker with network access to the device could cause a denial of service for the login service of the runtime.

5.0
2021-05-28 CVE-2020-27826 Redhat Execution with Unnecessary Privileges vulnerability in Redhat Keycloak

A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API.

4.9
2021-05-26 CVE-2020-25673 Linux
Fedoraproject
Resource Exhaustion vulnerability in multiple products

A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak and eventually hanging-up the system.

4.9
2021-05-25 CVE-2021-27562 ARM Out-of-bounds Write vulnerability in ARM Trusted Firmware M

In Arm Trusted Firmware M through 1.2, the NS world may trigger a system halt, an overwrite of secure data, or the printing out of secure data when calling secure functions under the NSPE handler mode.

4.9
2021-05-24 CVE-2020-26555 Bluetooth
Fedoraproject
Incorrect Authorization vulnerability in multiple products

Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN.

4.8
2021-05-24 CVE-2020-26560 Bluetooth Incorrect Authorization vulnerability in Bluetooth Mesh Profile 1.0.0/1.0.1

Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, reflecting the authentication evidence from a Provisioner, to complete authentication without possessing the AuthValue, and potentially acquire a NetKey and AppKey.

4.8
2021-05-28 CVE-2013-4536 Qemu Improper Privilege Management vulnerability in Qemu

An user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

4.6
2021-05-28 CVE-2010-3843 Ettercap Project Classic Buffer Overflow vulnerability in Ettercap-Project Ettercap 0.7.3

The GTK version of ettercap uses a global settings file at /tmp/.ettercap_gtk and does not verify ownership of this file.

4.6
2021-05-28 CVE-2020-35506 Qemu Use After Free vulnerability in Qemu

A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI).

4.6
2021-05-27 CVE-2021-22118 Vmware
Oracle
Netapp
Improper Privilege Management vulnerability in multiple products

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

4.6
2021-05-26 CVE-2020-10695 Redhat Incorrect Privilege Assignment vulnerability in Redhat Single Sign-On

An insecure modification flaw in the /etc/passwd file was found in the redhat-sso-7 container.

4.6
2021-05-26 CVE-2021-22705 Schneider Electric
SE
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause denial of service or unauthorized access to system information when interacting directly with a driver installed by Vijeo Designer or EcoStruxure Machine Expert

4.6
2021-05-26 CVE-2021-22732 Schneider Electric Improper Privilege Management vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware

Improper Privilege Management vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could cause a code execution issue when an attacker loads unauthorized code on the web server.

4.6
2021-05-26 CVE-2021-22733 Schneider Electric Improper Privilege Management vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware

Improper Privilege Management vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could cause shell access when unauthorized code is loaded into the system folder.

4.6
2021-05-26 CVE-2021-22741 Schneider Electric Use of Password Hash With Insufficient Computational Effort vulnerability in Schneider-Electric products

Use of Password Hash with Insufficient Computational Effort vulnerability exists in ClearSCADA (all versions), EcoStruxure Geo SCADA Expert 2019 (all versions), and EcoStruxure Geo SCADA Expert 2020 (V83.7742.1 and prior), which could cause the revealing of account credentials when server database files are available.

4.6
2021-05-26 CVE-2021-32457 Trendmicro Improper Privilege Management vulnerability in Trendmicro Home Network Security 6.1.567

Trend Micro Home Network Security version 6.6.604 and earlier is vulnerable to an iotcl stack-based buffer overflow vulnerability which could allow an attacker to issue a specially crafted iotcl to escalate privileges on affected devices.

4.6
2021-05-26 CVE-2021-22543 Linux
Debian
Fedoraproject
Netapp
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest.

4.6
2021-05-26 CVE-2021-31924 Yubico Unspecified vulnerability in Yubico Pam-U2F

Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass.

4.6
2021-05-25 CVE-2020-10072 Zephyrproject Unspecified vulnerability in Zephyrproject Zephyr

Improper Handling of Insufficient Permissions or Privileges in zephyr.

4.6
2021-05-25 CVE-2020-13598 Zephyrproject Out-of-bounds Write vulnerability in Zephyrproject Zephyr

FS: Buffer Overflow when enabling Long File Names in FAT_FS and calling fs_stat.

4.6
2021-05-25 CVE-2020-13603 Zephyrproject Integer Overflow or Wraparound vulnerability in Zephyrproject Zephyr

Integer Overflow in memory allocating functions.

4.6
2021-05-25 CVE-2021-29708 IBM Improper Privilege Management vulnerability in IBM Spectrum Scale 5.1.0.1

IBM Spectrum Scale 5.1.0.1 could allow a local with access to the GUI pod container to obtain sensitive cryptographic keys that could allow them to elevate their privileges.

4.6
2021-05-25 CVE-2021-29202 HP Classic Buffer Overflow vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5

A local buffer overflow vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78.

4.6
2021-05-25 CVE-2020-9450 Acronis Incorrect Default Permissions vulnerability in Acronis True Image 2020 24.5.22510

An issue was discovered in Acronis True Image 2020 24.5.22510.

4.6
2021-05-25 CVE-2021-30187 Codesys OS Command Injection vulnerability in Codesys Runtime Toolkit 2.4.7.54

CODESYS V2 runtime system SP before 2.4.7.55 has Improper Neutralization of Special Elements used in an OS Command.

4.6
2021-05-24 CVE-2021-32629 Bytecodealliance Access of Memory Location After End of Buffer vulnerability in Bytecodealliance Cranelift-Codegen

Cranelift is an open-source code generator maintained by Bytecode Alliance.

4.6
2021-05-24 CVE-2021-20713 Qualitysoft Improper Privilege Management vulnerability in Qualitysoft QND 10.3I/10.4I

Privilege escalation vulnerability in QND Advance/Premium/Standard Ver.11.0.4i and earlier allows an attacker who can log in to the PC where the product's Windows client is installed to gain administrative privileges via unspecified vectors.

4.6
2021-05-26 CVE-2019-4588 IBM Uncontrolled Search Path Element vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to execute arbitrary code and conduct DLL hijacking attacks.

4.4
2021-05-26 CVE-2020-25697 X ORG Missing Authentication for Critical Function vulnerability in X.Org X Server

A privilege escalation flaw was found in the Xorg-x11-server due to a lack of authentication for X11 clients.

4.4
2021-05-24 CVE-2021-20722 Fujitsu Untrusted Search Path vulnerability in Fujitsu Scansnap Manager

Untrusted search path vulnerability in the installers of ScanSnap Manager prior to versions V7.0L20 and the Software Download Installer prior to WinSSInst2JP.exe and WinSSInst2iX1500JP.exe allows an attacker to gain privileges and execute arbitrary code with the privilege of the user invoking the installer via a Trojan horse DLL in an unspecified directory.

4.4
2021-05-24 CVE-2021-20726 Overwolf Untrusted Search Path vulnerability in Overwolf 0.149.2.30

Untrusted search path vulnerability in The Installer of Overwolf 2.168.0.n and earlier allows an attacker to gain privileges and execute arbitrary code with the privilege of the user invoking the installer via a Trojan horse DLL in an unspecified directory.

4.4
2021-05-28 CVE-2020-18392 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1

Stack overflow vulnerability in parse_array Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.

4.3
2021-05-28 CVE-2020-36366 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1

Stack overflow vulnerability in parse_value Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.

4.3
2021-05-28 CVE-2020-36367 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1

Stack overflow vulnerability in parse_block Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.

4.3
2021-05-28 CVE-2020-36368 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1

Stack overflow vulnerability in parse_statement Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.

4.3
2021-05-28 CVE-2020-36369 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1

Stack overflow vulnerability in parse_statement_list Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.

4.3
2021-05-28 CVE-2020-36370 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1

Stack overflow vulnerability in parse_unary Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.

4.3
2021-05-28 CVE-2020-36371 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1

Stack overflow vulnerability in parse_mul_div_rem Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.

4.3
2021-05-28 CVE-2020-36372 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1

Stack overflow vulnerability in parse_plus_minus Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.

4.3
2021-05-28 CVE-2020-36373 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1

Stack overflow vulnerability in parse_shifts Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.

4.3
2021-05-28 CVE-2020-36374 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1

Stack overflow vulnerability in parse_comparison Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.

4.3
2021-05-28 CVE-2020-36375 Cesanta Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1

Stack overflow vulnerability in parse_equality Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.

4.3
2021-05-28 CVE-2021-32616 1Cdn Project Cross-site Scripting vulnerability in 1Cdn Project 1Cdn

1CDN is open-source file sharing software.

4.3
2021-05-28 CVE-2020-26642 Seacms Cross-site Scripting vulnerability in Seacms 11.0

A cross-site scripting (XSS) vulnerability has been discovered in the login page of SeaCMS version 11 which allows an attacker to inject arbitrary web script or HTML.

4.3
2021-05-28 CVE-2020-25715 Dogtagpki Cross-site Scripting vulnerability in Dogtagpki 10.9.0

A flaw was found in pki-core 10.9.0.

4.3
2021-05-28 CVE-2021-20237 Zeromq Resource Exhaustion vulnerability in Zeromq Libzmq

An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub.cpp in versions before 4.3.3.

4.3
2021-05-28 CVE-2021-32542 Sysjust Cross-site Scripting vulnerability in Sysjust CTS web

The parameters of the specific functions in the CTS Web trading system do not filter special characters, which allows unauthenticated attackers can remotely perform reflected XSS and obtain the users’ connection token that triggered the attack.

4.3
2021-05-27 CVE-2020-1702 Containers Image Project
Redhat
Resource Exhaustion vulnerability in multiple products

A malicious container image can consume an unbounded amount of memory when being pulled to a container runtime host, such as Red Hat Enterprise Linux using podman, or OpenShift Container Platform.

4.3
2021-05-27 CVE-2020-1761 Redhat Improperly Implemented Security Check for Standard vulnerability in Redhat Openshift

A flaw was found in the OpenShift web console, where the access token is stored in the browser's local storage.

4.3
2021-05-27 CVE-2020-10688 Redhat Cross-site Scripting vulnerability in Redhat Resteasy

A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs.

4.3
2021-05-27 CVE-2020-22033 Ffmpeg
Debian
Out-of-bounds Write vulnerability in multiple products

A heap-based Buffer Overflow Vulnerability exists FFmpeg 4.2 at libavfilter/vf_vmafmotion.c in convolution_y_8bit, which could let a remote malicious user cause a Denial of Service.

4.3
2021-05-27 CVE-2021-27492 Datakit
Luxion
Siemens
XXE vulnerability in multiple products

When opening a specially crafted 3DXML file, the application containing Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior could disclose arbitrary files to remote attackers.

4.3
2021-05-27 CVE-2021-28662 Squid Cache
Debian
Improper Encoding or Escaping of Output vulnerability in multiple products

An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6.

4.3
2021-05-27 CVE-2021-20727 Zettlr Cross-site Scripting vulnerability in Zettlr

Cross-site scripting vulnerability in Zettlr from 0.20.0 to 1.8.8 allows an attacker to execute an arbitrary script by loading a file or code snippet containing an invalid iframe into Zettlr.

4.3
2021-05-27 CVE-2021-30501 UPX Project
Redhat
Fedoraproject
Improper Input Validation vulnerability in multiple products

An assertion abort was found in upx MemBuffer::alloc() in mem.cpp, in version UPX 4.0.0.

4.3
2021-05-27 CVE-2021-3509 Redhat Cross-site Scripting vulnerability in Redhat Ceph Storage 4.0

A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component.

4.3
2021-05-26 CVE-2021-30469 Podofo Project
Fedoraproject
Redhat
Use After Free vulnerability in multiple products

A flaw was found in PoDoFo 0.9.7.

4.3
2021-05-26 CVE-2021-30470 Podofo Project
Redhat
Fedoraproject
Uncontrolled Recursion vulnerability in multiple products

A flaw was found in PoDoFo 0.9.7.

4.3
2021-05-26 CVE-2021-30471 Podofo Project
Redhat
Fedoraproject
Uncontrolled Recursion vulnerability in multiple products

A flaw was found in PoDoFo 0.9.7.

4.3
2021-05-26 CVE-2021-3486 Glpi Project Cross-site Scripting vulnerability in Glpi-Project Glpi 9.5.4

GLPi 9.5.4 does not sanitize the metadata.

4.3
2021-05-26 CVE-2020-22024 Ffmpeg Classic Buffer Overflow vulnerability in Ffmpeg 4.2

Buffer Overflow vulnerability in FFmpeg 4.2 at the lagfun_frame16 function in libavfilter/vf_lagfun.c, which could let a remote malicious user cause Denial of Service.

4.3
2021-05-26 CVE-2020-22026 Ffmpeg
Debian
Classic Buffer Overflow vulnerability in multiple products

Buffer Overflow vulnerability exists in FFmpeg 4.2 in the config_input function at libavfilter/af_tremolo.c, which could let a remote malicious user cause a Denial of Service.

4.3
2021-05-26 CVE-2020-22028 Ffmpeg
Debian
Classic Buffer Overflow vulnerability in multiple products

Buffer Overflow vulnerability exists in FFmpeg 4.2 in filter_vertically_8 at libavfilter/vf_avgblur.c, which could cause a remote Denial of Service.

4.3
2021-05-26 CVE-2020-22019 Ffmpeg
Debian
Classic Buffer Overflow vulnerability in multiple products

Buffer Overflow vulnerability in FFmpeg 4.2 at convolution_y_10bit in libavfilter/vf_vmafmotion.c, which could let a remote malicious user cause a Denial of Service.

4.3
2021-05-26 CVE-2020-22020 Ffmpeg
Debian
Classic Buffer Overflow vulnerability in multiple products

Buffer Overflow vulnerability in FFmpeg 4.2 in the build_diff_map function in libavfilter/vf_fieldmatch.c, which could let a remote malicious user cause a Denial of Service.

4.3
2021-05-26 CVE-2020-22021 Ffmpeg
Debian
Classic Buffer Overflow vulnerability in multiple products

Buffer Overflow vulnerability in FFmpeg 4.2 at filter_edges function in libavfilter/vf_yadif.c, which could let a remote malicious user cause a Denial of Service.

4.3
2021-05-26 CVE-2021-22739 Schneider Electric Information Exposure vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware

Information Exposure vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could cause a device to be compromised when it is first configured.

4.3
2021-05-26 CVE-2018-16499 Versa Networks Inadequate Encryption Strength vulnerability in Versa-Networks Versa Operating System

In VOS compromised, an attacker at network endpoints can possibly view communications between an unsuspecting user and the service using man-in-the-middle attacks.

4.3
2021-05-26 CVE-2020-18221 Typora Cross-site Scripting vulnerability in Typora

Cross Site Scripting (XSS) in Typora v0.9.65 and earlier allows remote attackers to execute arbitrary code by injecting commands during block rendering of a mathematical formula.

4.3
2021-05-26 CVE-2021-26032 Joomla Cross-site Scripting vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.0.0 through 3.9.26.

4.3
2021-05-26 CVE-2021-26033 Joomla Cross-Site Request Forgery (CSRF) vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.0.0 through 3.9.26.

4.3
2021-05-26 CVE-2021-26034 Joomla Cross-Site Request Forgery (CSRF) vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.0.0 through 3.9.26.

4.3
2021-05-25 CVE-2021-27821 Openwrt Cross-site Scripting vulnerability in Openwrt Luci

The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution.

4.3
2021-05-24 CVE-2020-26558 Bluetooth
Fedoraproject
Improper Authentication vulnerability in multiple products

Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session.

4.3
2021-05-24 CVE-2021-30082 Gris CMS Project Cross-site Scripting vulnerability in Gris CMS Project Gris CMS 0.1

An issue was discovered in Gris CMS v0.1.

4.3
2021-05-24 CVE-2021-30083 Webfairy Cross-site Scripting vulnerability in Webfairy Mediat 1.4.1

An issue was discovered in Mediat 1.4.1.

4.3
2021-05-24 CVE-2021-20386 IBM Cross-site Scripting vulnerability in IBM Security Guardium 11.2

IBM Security Guardium 11.2 is vulnerable to cross-site scripting.

4.3
2021-05-24 CVE-2020-25408 College Management System Project Cross-Site Request Forgery (CSRF) vulnerability in College Management System Project College Management System 1.0

A Cross-Site Request Forgery (CSRF) vulnerability exists in ProjectWorlds College Management System Php 1.0 that allows a remote attacker to modify, delete, or make a new entry of the student, faculty, teacher, subject, scores, location, and article data.

4.3
2021-05-24 CVE-2020-25411 Online Examination System Project Cross-Site Request Forgery (CSRF) vulnerability in Online Examination System Project Online Examination System 1.0

Projectworlds Online Examination System 1.0 is vulnerable to CSRF, which allows a remote attacker to delete the existing user.

4.3
2021-05-24 CVE-2020-26006 Online Examination System Project Cross-site Scripting vulnerability in Online Examination System Project Online Examination System 1.0

Project Worlds Online Examination System 1.0 is affected by Cross Site Scripting (XSS) via account.php.

4.3
2021-05-24 CVE-2020-28903 Nagios Cross-site Scripting vulnerability in Nagios Fusion

Improper input validation in Nagios Fusion 4.1.8 and earlier allows a remote attacker with control over a fused server to inject arbitrary HTML, aka XSS.

4.3
2021-05-24 CVE-2021-24294 Mlfactory Cross-site Scripting vulnerability in ONE for WP

The dsgvoaio_write_log AJAX action of the DSGVO All in one for WP WordPress plugin before 4.0 did not sanitise or escape some POST parameter submitted before outputting them in the Log page in the administrator dashboard (wp-admin/admin.php?page=dsgvoaiofree-show-log).

4.3
2021-05-24 CVE-2021-24297 Boostifythemes Cross-site Scripting vulnerability in Boostifythemes Goto 2.0

The Goto WordPress theme before 2.1 did not properly sanitize the formvalue JSON POST parameter in its tl_filter AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability.

4.3
2021-05-24 CVE-2021-24298 Ibenic Cross-site Scripting vulnerability in Ibenic Simple Giveaways

The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS

4.3
2021-05-24 CVE-2021-24300 Pickplugins Cross-site Scripting vulnerability in Pickplugins Product Slider for Woocommerce

The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue

4.3
2021-05-24 CVE-2021-24305 Targetfirst Cross-site Scripting vulnerability in Targetfirst Watcheezy 2.0

The Target First WordPress Plugin v2.0, also previously known as Watcheezy, suffers from a critical unauthenticated stored XSS vulnerability.

4.3
2021-05-24 CVE-2021-25938 Arangodb Cross-site Scripting vulnerability in Arangodb

In ArangoDB, versions v2.2.6.2 through v3.7.10 are vulnerable to Cross-Site Scripting (XSS), since there is no validation of the .zip file name and filtering of potential abusive characters which zip files can be named to.

4.3
2021-05-24 CVE-2021-33496 Dutchcoders Cross-site Scripting vulnerability in Dutchcoders Transfer.Sh

Dutchcoders transfer.sh before 1.2.4 allows XSS via an inline view.

4.3
2021-05-24 CVE-2021-20723 Mailform01 Project Cross-site Scripting vulnerability in Mailform01 Project Mailform01

Reflected cross-site scripting vulnerability in [MailForm01] free edition (versions which the last updated date listed at the top of descriptions in the program file is from 2014 December 12 to 2018 July 27) allows a remote attacker to inject an arbitrary script via unspecified vectors.

4.3
2021-05-24 CVE-2021-20724 Telop01 Project Cross-site Scripting vulnerability in Telop01 Project Telop01

Reflected cross-site scripting vulnerability in the admin page of [Telop01] free edition ver1.0.1 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors.

4.3
2021-05-24 CVE-2021-20725 Calendar01 Project Cross-site Scripting vulnerability in Calendar01 Project Calendar01 1.0.0/1.0.1

Reflected cross-site scripting vulnerability in the admin page of [Calendar01] free edition ver1.0.1 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors.

4.3
2021-05-28 CVE-2021-29507 Genivi Improper Input Validation vulnerability in Genivi Diagnostic LOG and Trace

GENIVI Diagnostic Log and Trace (DLT) provides a log and trace interface.

4.0
2021-05-28 CVE-2021-32620 Xwiki Improper Authorization vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

4.0
2021-05-28 CVE-2021-3514 Redhat NULL Pointer Dereference vulnerability in Redhat 389 Directory Server

When using a sync_repl client in 389-ds-base, an authenticated attacker can cause a NULL pointer dereference using a specially crafted query, causing a crash.

4.0
2021-05-28 CVE-2021-21734 ZTE Cleartext Storage of Sensitive Information vulnerability in ZTE products

Some PON MDU devices of ZTE stored sensitive information in plaintext, and users with login authority can obtain it by inputing command.

4.0
2021-05-28 CVE-2021-33620 Squid Cache Improper Input Validation vulnerability in Squid-Cache Squid

Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response.

4.0
2021-05-27 CVE-2021-33408 Abinitio Cleartext Transmission of Sensitive Information vulnerability in Abinitio Control>Center 4.0.3.0

Local File Inclusion vulnerability in Ab Initio Control>Center before 4.0.2.6 allows remote attackers to retrieve arbitrary files.

4.0
2021-05-27 CVE-2020-14301 Redhat Improper Cross-boundary Removal of Sensitive Data vulnerability in Redhat Enterprise Linux and Libvirt

An information disclosure vulnerability was found in libvirt in versions before 6.3.0.

4.0
2021-05-27 CVE-2020-1701 Kubevirt Incorrect Permission Assignment for Critical Resource vulnerability in Kubevirt

A flaw was found in the KubeVirt main virt-handler versions before 0.26.0 regarding the access permissions of virt-handler.

4.0
2021-05-27 CVE-2020-10701 Redhat Missing Authorization vulnerability in Redhat Libvirt

A missing authorization flaw was found in the libvirt API responsible for changing the QEMU agent response timeout.

4.0
2021-05-27 CVE-2020-10716 Redhat
Theforeman
Improper Authorization vulnerability in multiple products

A flaw was found in Red Hat Satellite's Job Invocation, where the "User Input" entry was not properly restricted to the view.

4.0
2021-05-27 CVE-2021-31808 Squid Cache
Debian
Netapp
Fedoraproject
Improper Input Validation vulnerability in multiple products

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6.

4.0
2021-05-27 CVE-2021-22358 Huawei Improper Input Validation vulnerability in Huawei Fusioncompute 8.0.0

There is an insufficient input validation vulnerability in FusionCompute 8.0.0.

4.0
2021-05-27 CVE-2021-22360 Huawei Allocation of Resources Without Limits or Throttling vulnerability in Huawei Usg9500 Firmware V500R001C60Spc500/V500R005C00Spc100/V500R005C00Spc200

There is a resource management error vulnerability in the verisions V500R001C60SPC500, V500R005C00SPC100, V500R005C00SPC200 of USG9500.

4.0
2021-05-27 CVE-2021-22411 Huawei Out-of-bounds Write vulnerability in Huawei products

There is an out-of-bounds write vulnerability in some Huawei products.

4.0
2021-05-27 CVE-2021-31806 Squid Cache
Debian
Fedoraproject
Netapp
Improper Encoding or Escaping of Output vulnerability in multiple products

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6.

4.0
2021-05-27 CVE-2021-28652 Squid Cache
Debian
Memory Leak vulnerability in multiple products

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6.

4.0
2021-05-27 CVE-2021-31920 Istio Incorrect Authorization vulnerability in Istio

Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used.

4.0
2021-05-27 CVE-2021-33586 Inspircd Incorrect Permission Assignment for Critical Resource vulnerability in Inspircd 3.8.0/3.8.1/3.9.0

InspIRCd 3.8.0 through 3.9.x before 3.10.0 allows any user (able to connect to the server) to access recently deallocated memory, aka the "malformed PONG" issue.

4.0
2021-05-27 CVE-2020-27831 Redhat Improper Access Control vulnerability in Redhat Quay

A flaw was found in Red Hat Quay, where it does not properly protect the authorization token when authorizing email addresses for repository email notifications.

4.0
2021-05-26 CVE-2020-25724 Redhat
Quarkus
Unsynchronized Access to Shared Data in a Multithreaded Context vulnerability in multiple products

A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided.

4.0
2021-05-26 CVE-2021-25643 Couchbase Cleartext Transmission of Sensitive Information vulnerability in Couchbase Server

An issue was discovered in Couchbase Server 5.x and 6.x before 6.5.2 and 6.6.x before 6.6.2.

4.0
2021-05-26 CVE-2021-22740 Schneider Electric Information Exposure vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware

Information Exposure vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could cause information to be exposed when an unauthorized file is uploaded.

4.0
2021-05-26 CVE-2021-20486 IBM Information Exposure vulnerability in IBM Cloud PAK for Data 3.0

IBM Cloud Pak for Data 3.0 could allow an authenticated user to obtain sensitive information when installed with additional plugins.

4.0
2021-05-26 CVE-2020-26679 Vfairs Incorrect Default Permissions vulnerability in Vfairs 3.3

vFairs 3.3 is affected by Insecure Permissions.

4.0
2021-05-25 CVE-2020-20453 Ffmpeg
Debian
Divide By Zero vulnerability in multiple products

FFmpeg 4.2 is affected by a Divide By Zero issue via libavcodec/aaccoder, which allows a remote malicious user to cause a Denial of Service

4.0
2021-05-25 CVE-2020-20445 Ffmpeg
Debian
Divide By Zero vulnerability in multiple products

FFmpeg 4.2 is affected by a Divide By Zero issue via libavcodec/lpc.h, which allows a remote malicious user to cause a Denial of Service.

4.0
2021-05-25 CVE-2020-20446 Ffmpeg
Debian
Divide By Zero vulnerability in multiple products

FFmpeg 4.2 is affected by a Divide By Zero issue via libavcodec/aacpsy.c, which allows a remote malicious user to cause a Denial of Service.

4.0
2021-05-25 CVE-2020-20448 Ffmpeg Divide By Zero vulnerability in Ffmpeg 4.1.3

FFmpeg 4.1.3 is affected by a Divide By Zero issue via libavcodec/ratecontrol.c, which allows a remote malicious user to cause a Denial of Service.

4.0
2021-05-25 CVE-2020-4839 IBM Out-of-bounds Write vulnerability in IBM products

IBM Host firmware for LC-class Systems is vulnerable to a stack based buffer overflow, caused by improper bounds checking.

4.0
2021-05-24 CVE-2020-28911 Nagios Insecure Storage of Sensitive Information vulnerability in Nagios Fusion

Incorrect Access Control in Nagios Fusion 4.1.8 and earlier allows low-privileged authenticated users to extract passwords used to manage fused servers via the test_server command in ajaxhelper.php.

4.0
2021-05-24 CVE-2021-3559 Redhat Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Redhat Libvirt 6.10.0

A flaw was found in libvirt in the virConnectListAllNodeDevices API in versions before 7.0.0.

4.0
2021-05-24 CVE-2021-21001 Wago Path Traversal vulnerability in Wago products

On WAGO PFC200 devices in different firmware versions with special crafted packets an authorised attacker with network access to the device can access the file system with higher privileges.

4.0

76 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-05-27 CVE-2020-10697 Redhat Missing Authorization vulnerability in Redhat Ansible Tower

A flaw was found in Ansible Tower when running Openshift.

3.6
2021-05-27 CVE-2020-10709 Redhat Operation on a Resource after Expiration or Release vulnerability in Redhat Ansible Tower

A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application.

3.6
2021-05-28 CVE-2021-32539 Hundredplus Cross-site Scripting vulnerability in Hundredplus 101Eip 200925

Add event in calendar function in the 101EIP system does not filter special characters in specific fields, which allows remote authenticated users to inject JavaScript and perform a stored XSS attack.

3.5
2021-05-28 CVE-2021-32540 Hundredplus Cross-site Scripting vulnerability in Hundredplus 101Eip 200925

Add announcement function in the 101EIP system does not filter special characters, which allows authenticated users to inject JavaScript and perform a stored XSS attack.

3.5
2021-05-27 CVE-2020-18229 Phpmywind Cross-site Scripting vulnerability in PHPmywind 5.5

Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_copyright" of component " /admin/web_config.php".

3.5
2021-05-27 CVE-2020-18230 Phpmywind Cross-site Scripting vulnerability in PHPmywind 5.5

Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_switchshow" of component " /admin/web_config.php".

3.5
2021-05-26 CVE-2020-27839 Redhat Insufficiently Protected Credentials vulnerability in Redhat Ceph

A flaw was found in ceph-dashboard.

3.5
2021-05-26 CVE-2021-33469 Covid19 Testing Management System Project Cross-site Scripting vulnerability in Covid19 Testing Management System Project Covid19 Testing Management System 1.0

COVID19 Testing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the "Admin name" parameter.

3.5
2021-05-26 CVE-2020-26680 Vfairs Cross-site Scripting vulnerability in Vfairs 3.3

In vFairs 3.3, any user logged in to a vFairs virtual conference or event can modify any other users profile information to include a cross-site scripting payload.

3.5
2021-05-26 CVE-2021-27676 Centreon Cross-site Scripting vulnerability in Centreon 20.10.2

Centreon version 20.10.2 is affected by a cross-site scripting (XSS) vulnerability.

3.5
2021-05-26 CVE-2021-29252 RSA Cross-site Scripting vulnerability in RSA Archer

RSA Archer before 6.9 SP1 P1 (6.9.1.1) contains a stored XSS vulnerability.

3.5
2021-05-25 CVE-2021-33570 Postbird Project Cross-site Scripting vulnerability in Postbird Project Postbird 0.8.4

Postbird 0.8.4 allows stored XSS via the onerror attribute of an IMG element in any PostgreSQL database table.

3.5
2021-05-25 CVE-2021-25934 Opennms Cross-site Scripting vulnerability in Opennms Horizon and Meridian

In OpenNMS Horizon, versions opennms-18.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `createRequisitionedNode()` does not perform any validation checks on the input sent to the `node-label` parameter.

3.5
2021-05-25 CVE-2021-25935 Opennms Cross-site Scripting vulnerability in Opennms Horizon and Meridian

In OpenNMS Horizon, versions opennms-17.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `add()` performs improper validation checks on the input sent to the `foreign-source` parameter.

3.5
2021-05-25 CVE-2021-21660 Jenkins Cross-site Scripting vulnerability in Jenkins Markdown Formatter 0.1.0

Jenkins Markdown Formatter Plugin 0.1.0 and earlier does not sanitize crafted link target URLs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to edit any description rendered using the configured markup formatter.

3.5
2021-05-25 CVE-2021-29208 HP Cross-site Scripting vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5

A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78.

3.5
2021-05-25 CVE-2021-29209 HP Cross-site Scripting vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5

A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78.

3.5
2021-05-25 CVE-2021-29210 HP Cross-site Scripting vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5

A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78.

3.5
2021-05-25 CVE-2021-29211 HP Cross-site Scripting vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5

A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78.

3.5
2021-05-25 CVE-2021-29201 HP Cross-site Scripting vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5

A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78.

3.5
2021-05-25 CVE-2021-29204 HP Cross-site Scripting vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5

A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78.

3.5
2021-05-25 CVE-2021-29205 HP Cross-site Scripting vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5

A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78.

3.5
2021-05-25 CVE-2021-29206 HP Cross-site Scripting vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5

A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78.

3.5
2021-05-25 CVE-2021-29207 HP Cross-site Scripting vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5

A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78.

3.5
2021-05-25 CVE-2021-33425 Openwrt Cross-site Scripting vulnerability in Openwrt 19.07.0

A stored cross-site scripting (XSS) vulnerability was discovered in the Web Interface for OpenWRT LuCI version 19.07 which allows attackers to inject arbitrary Javascript in the OpenWRT Hostname via the Hostname Change operation.

3.5
2021-05-24 CVE-2021-33561 Shopizer Cross-site Scripting vulnerability in Shopizer

A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration.

3.5
2021-05-24 CVE-2021-33562 Shopizer Cross-site Scripting vulnerability in Shopizer

A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/ref= URL.

3.5
2021-05-24 CVE-2021-32624 Keystonejs Information Exposure vulnerability in Keystonejs Keystone-5

Keystone 5 is an open source CMS platform to build Node.js applications.

3.5
2021-05-24 CVE-2021-24296 Gowebsolutions Cross-site Scripting vulnerability in Gowebsolutions WP Customer Reviews

The WP Customer Reviews WordPress plugin before 3.5.6 did not sanitise some of its settings, allowing high privilege users such as administrators to set XSS payloads in them which will then be triggered in pages where reviews are enabled

3.5
2021-05-24 CVE-2021-24301 Bluemedicinelabs Cross-site Scripting vulnerability in Bluemedicinelabs Hotjar Connecticator 1.1.1

The Hotjar Connecticator WordPress plugin through 1.1.1 is vulnerable to Stored Cross-Site Scripting (XSS) in the 'hotjar script' textarea.

3.5
2021-05-24 CVE-2021-24302 Neox Cross-site Scripting vulnerability in Neox Hana FLV Player

The Hana Flv Player WordPress plugin through 3.1.3 is vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the 'Default Skin' field.

3.5
2021-05-24 CVE-2021-24306 Ultimatemember Cross-site Scripting vulnerability in Ultimatemember Ultimate Member

The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link to edit user's own profile, leading to an authenticated reflected Cross-Site Scripting issue.

3.5
2021-05-24 CVE-2021-24308 Lifterlms Cross-site Scripting vulnerability in Lifterlms

The 'State' field of the Edit profile page of the LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.1 is not properly sanitised when output in the About section of the profile page, leading to a stored Cross-Site Scripting issue.

3.5
2021-05-24 CVE-2021-24332 Autoptimize Cross-site Scripting vulnerability in Autoptimize

The Autoptimize WordPress plugin before 2.8.4 was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues

3.5
2021-05-26 CVE-2021-25217 ISC
Fedoraproject
Debian
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 (Other branches of ISC DHCP (i.e., releases in the 4.0.x series or lower and releases in the 4.3.x series) are beyond their End-of-Life (EOL) and no longer supported by ISC.

3.3
2021-05-25 CVE-2020-10066 Zephyrproject NULL Pointer Dereference vulnerability in Zephyrproject Zephyr

Incorrect Error Handling in Bluetooth HCI core.

3.3
2021-05-25 CVE-2020-10069 Zephyrproject Unspecified vulnerability in Zephyrproject Zephyr

Zephyr Bluetooth unchecked packet data results in denial of service.

3.3
2021-05-24 CVE-2020-26556 Bluetooth Improper Restriction of Excessive Authentication Attempts vulnerability in Bluetooth Mesh Profile 1.0.0/1.0.1

Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, able to conduct a successful brute-force attack on an insufficiently random AuthValue before the provisioning procedure times out, to complete authentication by leveraging Malleable Commitment.

2.9
2021-05-24 CVE-2020-26557 Bluetooth Incorrect Authorization vulnerability in Bluetooth Mesh Profile 1.0.0/1.0.1

Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (without possession of the AuthValue used in the provisioning protocol) to determine the AuthValue via a brute-force attack (unless the AuthValue is sufficiently random and changed each time).

2.9
2021-05-27 CVE-2021-31525 Golang Uncontrolled Recursion vulnerability in Golang GO

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse.

2.6
2021-05-28 CVE-2020-1729 Redhat Incorrect Authorization vulnerability in Redhat Smallrye Config

A flaw was found in SmallRye's API through version 1.6.1.

2.1
2021-05-28 CVE-2020-35504 Qemu
Fedoraproject
NULL Pointer Dereference vulnerability in multiple products

A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.

2.1
2021-05-28 CVE-2020-35505 Qemu NULL Pointer Dereference vulnerability in Qemu

A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0.

2.1
2021-05-28 CVE-2021-20239 Linux
Redhat
Fedoraproject
Untrusted Pointer Dereference vulnerability in multiple products

A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol.

2.1
2021-05-27 CVE-2020-14327 Redhat Server-Side Request Forgery (SSRF) vulnerability in Redhat Ansible Tower

A Server-side request forgery (SSRF) flaw was found in Ansible Tower in versions before 3.6.5 and before 3.7.2.

2.1
2021-05-27 CVE-2020-14328 Redhat Server-Side Request Forgery (SSRF) vulnerability in Redhat Ansible Tower

A flaw was found in Ansible Tower in versions before 3.7.2.

2.1
2021-05-27 CVE-2020-14329 Redhat Information Exposure vulnerability in Redhat Ansible Tower

A data exposure flaw was found in Ansible Tower in versions before 3.7.2, where sensitive data can be exposed from the /api/v2/labels/ endpoint.

2.1
2021-05-27 CVE-2020-10698 Redhat Information Exposure vulnerability in Redhat Ansible Tower

A flaw was found in Ansible Tower when running jobs.

2.1
2021-05-27 CVE-2020-10729 Redhat
Debian
Use of Insufficiently Random Values vulnerability in multiple products

A flaw was found in the use of insufficiently random values in Ansible.

2.1
2021-05-27 CVE-2020-10774 Linux Buffer Access with Incorrect Length Value vulnerability in Linux Kernel

A memory disclosure flaw was found in the Linux kernel's versions before 4.18.0-193.el8 in the sysctl subsystem when reading the /proc/sys/kernel/rh_features file.

2.1
2021-05-27 CVE-2008-2544 Linux Exposure of Resource to Wrong Sphere vulnerability in Linux Kernel

Mounting /proc filesystem via chroot command silently mounts it in read-write mode.

2.1
2021-05-27 CVE-2021-22364 Huawei Unspecified vulnerability in Huawei Mate 30 5G Firmware and Mate 30 Firmware

There is a denial of service vulnerability in the versions 10.1.0.126(C00E125R5P3) of HUAWEI Mate 30 and 10.1.0.152(C00E136R7P2) of HUAWEI Mate 30 (5G) .

2.1
2021-05-27 CVE-2021-31153 Please Project Exposure of Resource to Wrong Sphere vulnerability in Please Project Please

please before 0.4 allows a local unprivileged attacker to gain knowledge about the existence of files or directories in privileged locations via the search_path function, the --check option, or the -d option.

2.1
2021-05-26 CVE-2021-20196 Qemu NULL Pointer Dereference vulnerability in Qemu 5.2.0

A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU.

2.1
2021-05-26 CVE-2021-3527 Qemu
Redhat
Debian
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

A flaw was found in the USB redirector device (usb-redir) of QEMU.

2.1
2021-05-26 CVE-2021-20177 Linux Out-of-bounds Read vulnerability in Linux Kernel

A flaw was found in the Linux kernel's implementation of string matching within a packet.

2.1
2021-05-26 CVE-2021-20191 Oracle
Redhat
Information Exposure Through Log Files vulnerability in multiple products

A flaw was found in ansible.

2.1
2021-05-26 CVE-2021-20297 Gnome
Redhat
Fedoraproject
Improper Input Validation vulnerability in multiple products

A flaw was found in NetworkManager in versions before 1.30.0.

2.1
2021-05-26 CVE-2021-22742 Schneider Electric Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products

Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex Model 3009 MP installed on Tricon V11.3.x systems that could cause module reset when TCM receives malformed TriStation packets while the write-protect keyswitch is in the program position.

2.1
2021-05-26 CVE-2021-22743 Schneider Electric Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products

Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex TCM 4351B installed on Tricon V11.3.x systems that could cause module reset when TCM receives malformed TriStation packets while the write-protect keyswitch is in the program position.

2.1
2021-05-26 CVE-2021-22744 Schneider Electric Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products

Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex Model 3009 MP installed on Tricon V11.3.x systems that could cause module reset when TCM receives malformed TriStation packets while the write-protect keyswitch is in the program position.

2.1
2021-05-26 CVE-2021-22745 Schneider Electric Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products

Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex Model 3009 MP installed on Tricon V11.3.x systems that could cause module reset when TCM receives malformed TriStation packets while the write-protect keyswitch is in the program position.

2.1
2021-05-26 CVE-2021-22746 Schneider Electric Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products

Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex Model 3009 MP installed on Tricon V11.3.x systems that could cause module reset when TCM receives malformed TriStation packets while the write-protect keyswitch is in the program position.

2.1
2021-05-26 CVE-2021-22747 Schneider Electric Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products

Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex Model 3009 MP installed on Tricon V11.3.x systems that could cause module reset when TCM receives malformed TriStation packets while the write-protect keyswitch is in the program position.

2.1
2021-05-26 CVE-2018-16498 Versa Networks Cleartext Storage of Sensitive Information vulnerability in Versa-Networks Versa Director

In Versa Director, the unencrypted backup files stored on the Versa deployment contain credentials stored within configuration files.

2.1
2021-05-26 CVE-2019-25030 Versa Networks Insufficiently Protected Credentials vulnerability in Versa-Networks products

In Versa Director, Versa Analytics and VOS, Passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage.

2.1
2021-05-26 CVE-2021-20178 Redhat
Fedoraproject
Information Exposure Through Log Files vulnerability in multiple products

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module.

2.1
2021-05-26 CVE-2021-29253 RSA Insufficiently Protected Credentials vulnerability in RSA Archer

The Tableau integration in RSA Archer 6.4 P1 (6.4.0.1) through 6.9 P2 (6.9.0.2) is affected by an insecure credential storage vulnerability.

2.1
2021-05-25 CVE-2020-13599 Zephyrproject Incorrect Default Permissions vulnerability in Zephyrproject Zephyr

Security problem with settings and littlefs.

2.1
2021-05-25 CVE-2020-13602 Zephyrproject Infinite Loop vulnerability in Zephyrproject Zephyr

Remote Denial of Service in LwM2M do_write_op_tlv.

2.1
2021-05-25 CVE-2021-32638 Github Information Exposure Through Process Environment vulnerability in Github Codeql Action

Github's CodeQL action is provided to run CodeQL-based code scanning on non-GitHub CI/CD systems and requires a GitHub access token to connect to a GitHub repository.

2.1
2021-05-25 CVE-2020-9451 Acronis Incorrect Default Permissions vulnerability in Acronis True Image 2020 24.5.22510

An issue was discovered in Acronis True Image 2020 24.5.22510.

2.1
2021-05-24 CVE-2021-20389 IBM Insufficiently Protected Credentials vulnerability in IBM Security Guardium 11.2

IBM Security Guardium 11.2 stores user credentials in plain clear text which can be read by a local user.

2.1
2021-05-24 CVE-2021-21987 Vmware Out-of-bounds Read vulnerability in VMWare Horizon Client and Workstation

VMware Workstation (16.x prior to 16.1.2) and Horizon Client for Windows (5.x prior to 5.5.2) contain out-of-bounds read vulnerability in the Cortado ThinPrint component (TTC Parser).

2.1
2021-05-24 CVE-2021-21988 Vmware Out-of-bounds Read vulnerability in VMWare Horizon Client and Workstation

VMware Workstation (16.x prior to 16.1.2) and Horizon Client for Windows (5.x prior to 5.5.2) contain out-of-bounds read vulnerability in the Cortado ThinPrint component (JPEG2000 Parser).

2.1
2021-05-24 CVE-2021-21989 Vmware Out-of-bounds Read vulnerability in VMWare Horizon Client and Workstation

VMware Workstation (16.x prior to 16.1.2) and Horizon Client for Windows (5.x prior to 5.5.2) contain out-of-bounds read vulnerability in the Cortado ThinPrint component (TTC Parser).

2.1