Weekly Vulnerabilities Reports > May 24 to 30, 2021
Overview
397 new vulnerabilities reported during this period, including 36 critical vulnerabilities and 91 high severity vulnerabilities. This weekly summary report vulnerabilities in 422 products from 169 vendors including Debian, Redhat, Fedoraproject, Ffmpeg, and Netapp. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Classic Buffer Overflow", "Out-of-bounds Read", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".
- 294 reported vulnerabilities are remotely exploitables.
- 5 reported vulnerabilities have public exploit available.
- 118 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 274 reported vulnerabilities are exploitable by an anonymous user.
- Debian has the most reported vulnerabilities, with 53 reported vulnerabilities.
- Nagios has the most reported critical vulnerabilities, with 7 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
36 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-05-26 | CVE-2019-25029 | Versa Networks | Command Injection vulnerability in Versa-Networks Versa Director In Versa Director, the command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. | 10.0 |
2021-05-26 | CVE-2021-21985 | Vmware | Improper Input Validation vulnerability in VMWare Vcenter Server 6.5/6.7/7.0 The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. | 10.0 |
2021-05-26 | CVE-2021-21986 | Vmware | Missing Authentication for Critical Function vulnerability in VMWare Vcenter Server 6.5/6.7/7.0 The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. | 10.0 |
2021-05-24 | CVE-2021-29300 | Ronomon | Command Injection vulnerability in Ronomon Opened The @ronomon/opened library before 1.5.2 is vulnerable to a command injection vulnerability which would allow a remote attacker to execute commands on the system if the library was used with untrusted input. | 10.0 |
2021-05-24 | CVE-2020-28900 | Nagios | Insufficient Verification of Data Authenticity vulnerability in Nagios Fusion and Nagios XI Insufficient Verification of Data Authenticity in Nagios Fusion 4.1.8 and earlier and Nagios XI 5.7.5 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to an untrusted update package to upgrade_to_latest.sh. | 10.0 |
2021-05-24 | CVE-2020-28901 | Nagios | Command Injection vulnerability in Nagios Fusion Command Injection in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation or Code Execution as root via vectors related to corrupt component installation in cmd_subsys.php. | 10.0 |
2021-05-24 | CVE-2020-28902 | Nagios | Command Injection vulnerability in Nagios Fusion Command Injection in Nagios Fusion 4.1.8 and earlier allows Privilege Escalation from apache to root in cmd_subsys.php. | 10.0 |
2021-05-24 | CVE-2020-28907 | Nagios | Improper Certificate Validation vulnerability in Nagios Fusion Incorrect SSL certificate validation in Nagios Fusion 4.1.8 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to download of an untrusted update package in upgrade_to_latest.sh. | 10.0 |
2021-05-24 | CVE-2020-28910 | Nagios | Incorrect Permission Assignment for Critical Resource vulnerability in Nagios XI Creation of a Temporary Directory with Insecure Permissions in Nagios XI 5.7.5 and earlier allows for Privilege Escalation via creation of symlinks, which are mishandled in getprofile.sh. | 10.0 |
2021-05-28 | CVE-2021-22519 | Microfocus | Unspecified vulnerability in Microfocus Sitescope Execute arbitrary code vulnerability in Micro Focus SiteScope product, affecting versions 11.40,11.41 , 2018.05(11.50), 2018.08(11.51), 2018.11(11.60), 2019.02(11.70), 2019.05(11.80), 2019.08(11.90), 2019.11(11.91), 2020.05(11.92), 2020.10(11.93). | 9.8 |
2021-05-28 | CVE-2020-27847 | Linuxfoundation | Improper Handling of Syntactically Invalid Structure vulnerability in Linuxfoundation DEX A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signature Validation. | 9.8 |
2021-05-28 | CVE-2021-20236 | Zeromq Redhat Fedoraproject | Out-of-bounds Write vulnerability in multiple products A flaw was found in the ZeroMQ server in versions before 4.3.3. | 9.8 |
2021-05-27 | CVE-2021-27852 | Checkbox | Deserialization of Untrusted Data vulnerability in Checkbox Survey Deserialization of Untrusted Data vulnerability in CheckboxWeb.dll of Checkbox Survey allows an unauthenticated remote attacker to execute arbitrary code. | 9.8 |
2021-05-27 | CVE-2021-31535 | X ORG Fedoraproject | Classic Buffer Overflow vulnerability in multiple products LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. | 9.8 |
2021-05-26 | CVE-2021-22737 | Schneider Electric | Improper Restriction of Excessive Authentication Attempts vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware Insufficiently Protected Credentials vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior that could cause unauthorized access of when credentials are discovered after a brute force attack. | 9.8 |
2021-05-26 | CVE-2021-33470 | Phpgurukul | SQL Injection vulnerability in PHPgurukul Covid19 Testing Management System 1.0 COVID19 Testing Management System 1.0 is vulnerable to SQL Injection via the admin panel. | 9.8 |
2021-05-26 | CVE-2021-22160 | Apache | Improper Verification of Cryptographic Signature vulnerability in Apache Pulsar If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". | 9.8 |
2021-05-25 | CVE-2021-33574 | GNU Fedoraproject Netapp Debian | Use After Free vulnerability in multiple products The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. | 9.8 |
2021-05-25 | CVE-2021-25944 | Deep Defaults Project | Unspecified vulnerability in Deep-Defaults Project Deep-Defaults Prototype pollution vulnerability in 'deep-defaults' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution. | 9.8 |
2021-05-25 | CVE-2021-25946 | Nconf Toml Project | Unspecified vulnerability in Nconf-Toml Project Nconf-Toml 0.0.1/0.0.2 Prototype pollution vulnerability in `nconf-toml` versions 0.0.1 through 0.0.2 allows an attacker to cause a denial of service and may lead to remote code execution. | 9.8 |
2021-05-28 | CVE-2021-32642 | Uninett Fedoraproject | Injection vulnerability in multiple products radsecproxy is a generic RADIUS proxy that supports both UDP and TLS (RadSec) RADIUS transports. | 9.4 |
2021-05-27 | CVE-2020-12403 | Mozilla | Out-of-bounds Read vulnerability in Mozilla NSS A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. | 9.1 |
2021-05-26 | CVE-2018-10866 | Redhat | Missing Authorization vulnerability in Redhat Certification 7.0 It was discovered that the /configuration view of redhat-certification 7 does not perform an authorization check and it allows an unauthenticated user to remove a "system" file, that is an xml file with host related information, not belonging to him. | 9.1 |
2021-05-26 | CVE-2018-10867 | Redhat | Files or Directories Accessible to External Parties vulnerability in Redhat Certification 7.0 Files are accessible without restrictions from the /update/results page of redhat-certification 7 package, allowing an attacker to remove any file accessible by the apached user. | 9.1 |
2021-05-25 | CVE-2021-21658 | Jenkins | Unspecified vulnerability in Jenkins Nuget Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 9.1 |
2021-05-24 | CVE-2020-20907 | Metinfo | Path Traversal vulnerability in Metinfo 7.0.0 MetInfo 7.0 beta is affected by a file modification vulnerability. | 9.1 |
2021-05-28 | CVE-2020-1716 | Ceph | Use of Hard-coded Credentials vulnerability in Ceph Ceph-Ansible A flaw was found in the ceph-ansible playbook where it contained hardcoded passwords that were being used as default passwords while deploying Ceph services. | 9.0 |
2021-05-27 | CVE-2020-15180 | Mariadb Debian Percona Galeracluster | Command Injection vulnerability in multiple products A flaw was found in the mysql-wsrep component of mariadb. | 9.0 |
2021-05-27 | CVE-2021-20026 | Sonicwall | OS Command Injection vulnerability in Sonicwall Network Security Manager 2.2.0 A vulnerability in the SonicWall NSM On-Prem product allows an authenticated attacker to perform OS command injection using a crafted HTTP request. | 9.0 |
2021-05-24 | CVE-2021-33525 | Eyesofnetwork | OS Command Injection vulnerability in Eyesofnetwork EyesOfNetwork eonweb through 5.3-11 allows Remote Command Execution (by authenticated users) via shell metacharacters in the nagios_path parameter to lilac/export.php, as demonstrated by %26%26+curl to insert an "&& curl" substring for the shell. | 9.0 |
2021-05-24 | CVE-2021-29256 | ARM | Use After Free vulnerability in ARM Bifrost, Midgard and Valhall . | 9.0 |
2021-05-24 | CVE-2021-20385 | IBM | Unspecified vulnerability in IBM Security Guardium 11.2 IBM Security Guardium 11.2 could allow a remote authenticated attacker to execute arbitrary commands on the system. | 9.0 |
2021-05-24 | CVE-2021-20557 | IBM | OS Command Injection vulnerability in IBM Security Guardium 11.2 IBM Security Guardium 11.2 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. | 9.0 |
2021-05-24 | CVE-2020-28906 | Nagios | Incorrect Default Permissions vulnerability in Nagios Fusion and Nagios XI Incorrect File Permissions in Nagios XI 5.7.5 and earlier and Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root. | 9.0 |
2021-05-24 | CVE-2020-28909 | Nagios | Incorrect Permission Assignment for Critical Resource vulnerability in Nagios Fusion Incorrect File Permissions in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root via modification of scripts. | 9.0 |
2021-05-24 | CVE-2021-24307 | Aioseo | Deserialization of Untrusted Data vulnerability in Aioseo ALL in ONE SEO The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying host. | 9.0 |
91 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-05-28 | CVE-2021-29505 | Xstream Project Debian Fedoraproject Netapp Oracle | Deserialization of Untrusted Data vulnerability in multiple products XStream is software for serializing Java objects to XML and back again. | 8.8 |
2021-05-28 | CVE-2021-32621 | Xwiki | Code Injection vulnerability in Xwiki XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. | 8.8 |
2021-05-28 | CVE-2021-20240 | Gnome Fedoraproject | Integer Underflow (Wrap or Wraparound) vulnerability in multiple products A flaw was found in gdk-pixbuf in versions before 2.42.0. | 8.8 |
2021-05-27 | CVE-2020-22025 | Ffmpeg Debian | Out-of-bounds Write vulnerability in multiple products A heap-based Buffer Overflow vulnerability exists in gaussian_blur at libavfilter/vf_edgedetect.c, which might lead to memory corruption and other potential consequences. | 8.8 |
2021-05-27 | CVE-2020-22032 | Ffmpeg Debian | Out-of-bounds Write vulnerability in multiple products A heap-based Buffer Overflow vulnerability exists FFmpeg 4.2 at libavfilter/vf_edgedetect.c in gaussian_blur, which might lead to memory corruption and other potential consequences. | 8.8 |
2021-05-27 | CVE-2020-22034 | Ffmpeg Debian | Out-of-bounds Write vulnerability in multiple products A heap-based Buffer Overflow vulnerability exists FFmpeg 4.2 at libavfilter/vf_floodfill.c, which might lead to memory corruption and other potential consequences. | 8.8 |
2021-05-27 | CVE-2020-22029 | Ffmpeg Debian | Out-of-bounds Write vulnerability in multiple products A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at libavfilter/vf_colorconstancy.c: in slice_get_derivative, which crossfade_samples_fltp, which might lead to memory corruption and other potential consequences. | 8.8 |
2021-05-27 | CVE-2021-22894 | Pulsesecure Ivanti | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A buffer overflow vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to execute arbitrary code as the root user via maliciously crafted meeting room. | 8.8 |
2021-05-27 | CVE-2021-22899 | Pulsesecure Ivanti | Command Injection vulnerability in multiple products A command injection vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via Windows Resource Profiles Feature | 8.8 |
2021-05-27 | CVE-2021-22908 | Pulsesecure Ivanti | Classic Buffer Overflow vulnerability in multiple products A buffer overflow vulnerability exists in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user. | 8.8 |
2021-05-26 | CVE-2020-24020 | Ffmpeg | Classic Buffer Overflow vulnerability in Ffmpeg 4.2.3 Buffer Overflow vulnerability in FFMpeg 4.2.3 in dnn_execute_layer_pad in libavfilter/dnn/dnn_backend_native_layer_pad.c due to a call to memcpy without length checks, which could let a remote malicious user execute arbitrary code. | 8.8 |
2021-05-26 | CVE-2019-14836 | Redhat | Cross-Site Request Forgery (CSRF) vulnerability in Redhat 3Scale 2.4 A vulnerability was found that the 3scale dev portal does not employ mechanisms for protection against login CSRF. | 8.8 |
2021-05-25 | CVE-2020-10065 | Zephyrproject | Out-of-bounds Write vulnerability in Zephyrproject Zephyr Missing Size Checks in Bluetooth HCI over SPI. | 8.8 |
2021-05-25 | CVE-2021-21657 | Jenkins | Unspecified vulnerability in Jenkins Filesystem Trigger Jenkins Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 8.8 |
2021-05-24 | CVE-2021-32629 | Bytecodealliance | Access of Memory Location After End of Buffer vulnerability in Bytecodealliance Cranelift-Codegen Cranelift is an open-source code generator maintained by Bytecode Alliance. | 8.8 |
2021-05-27 | CVE-2021-30465 | Linuxfoundation Fedoraproject | Race Condition vulnerability in multiple products runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. | 8.5 |
2021-05-25 | CVE-2021-29695 | IBM | Path Traversal vulnerability in IBM products IBM Host firmware for LC-class Systems could allow a remote attacker to traverse directories on the system. | 8.5 |
2021-05-25 | CVE-2021-21659 | Jenkins | Unspecified vulnerability in Jenkins Urltrigger Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 8.1 |
2021-05-28 | CVE-2013-4536 | Qemu | Improper Privilege Management vulnerability in Qemu An user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. | 7.8 |
2021-05-28 | CVE-2021-27032 | Autodesk | Incorrect Default Permissions vulnerability in Autodesk Licensing Services 9.0.1.1462.100 Autodesk Licensing Installer was found to be vulnerable to privilege escalation issues. | 7.8 |
2021-05-27 | CVE-2021-22118 | Vmware Oracle Netapp | Exposure of Resource to Wrong Sphere vulnerability in multiple products In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data. | 7.8 |
2021-05-27 | CVE-2021-22359 | Huawei | Improper Input Validation vulnerability in Huawei S5700 Firmware and S6700 Firmware There is a denial of service vulnerability in the verisions V200R005C00SPC500 of S5700 and V200R005C00SPC500 of S6700. | 7.8 |
2021-05-27 | CVE-2021-33200 | Linux Fedoraproject Netapp | Out-of-bounds Write vulnerability in multiple products kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. | 7.8 |
2021-05-27 | CVE-2021-30499 | Libcaca Project Fedoraproject | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A flaw was found in libcaca. | 7.8 |
2021-05-26 | CVE-2021-30472 | Podofo Project | Out-of-bounds Write vulnerability in Podofo Project Podofo 0.9.7 A flaw was found in PoDoFo 0.9.7. | 7.8 |
2021-05-26 | CVE-2021-30498 | Libcaca Project Fedoraproject | Out-of-bounds Write vulnerability in multiple products A flaw was found in libcaca. | 7.8 |
2021-05-26 | CVE-2021-22699 | Schneider Electric | Improper Input Validation vulnerability in Schneider-Electric Modicon M241 Firmware and Modicon M251 Firmware Improper Input Validation vulnerability exists in Modicon M241/M251 logic controllers firmware prior to V5.1.9.1 that could cause denial of service when specific crafted requests are sent to the controller over HTTP. | 7.8 |
2021-05-26 | CVE-2020-27815 | Linux Debian Netapp | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges. | 7.8 |
2021-05-26 | CVE-2020-25669 | Linux Debian Netapp | Use After Free vulnerability in multiple products A vulnerability was found in the Linux Kernel where the function sunkbd_reinit having been scheduled by sunkbd_interrupt before sunkbd being freed. | 7.8 |
2021-05-26 | CVE-2020-25670 | Linux Fedoraproject Netapp Debian | Use After Free vulnerability in multiple products A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations. | 7.8 |
2021-05-26 | CVE-2020-25671 | Linux Fedoraproject Netapp Debian | Use After Free vulnerability in multiple products A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-free which might lead to privilege escalations. | 7.8 |
2021-05-26 | CVE-2021-22543 | Linux Fedoraproject Debian Netapp | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. | 7.8 |
2021-05-29 | CVE-2021-30461 | Voipmonitor | Code Injection vulnerability in Voipmonitor A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. | 7.5 |
2021-05-29 | CVE-2021-31703 | Frontiersoftware | Unrestricted Upload of File with Dangerous Type vulnerability in Frontiersoftware Ichris 5.18 Frontier ichris through 5.18 allows users to upload malicious executable files that might later be downloaded and run by any client user. | 7.5 |
2021-05-28 | CVE-2021-29492 | Envoyproxy | Path Traversal vulnerability in Envoyproxy Envoy Envoy is a cloud-native edge/middle/service proxy. | 7.5 |
2021-05-28 | CVE-2021-32619 | Deno | Incorrect Authorization vulnerability in Deno Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. | 7.5 |
2021-05-28 | CVE-2021-33587 | CSS What Project Netapp | The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input. | 7.5 |
2021-05-28 | CVE-2021-32646 | DAV Cogs Project | Unspecified vulnerability in Dav-Cogs Project Dav-Cogs Roomer is a discord bot cog (extension) which provides automatic voice channel generation as well as private voice and text channels. | 7.5 |
2021-05-28 | CVE-2021-33623 | Trim Newlines Project Netapp Debian | Resource Exhaustion vulnerability in multiple products The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method. | 7.5 |
2021-05-28 | CVE-2021-32637 | Authelia | Improper Authentication vulnerability in Authelia Authelia is a a single sign-on multi-factor portal for web apps. | 7.5 |
2021-05-28 | CVE-2020-15782 | Siemens | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Siemens products A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V2.9.2), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. | 7.5 |
2021-05-28 | CVE-2020-25710 | Openldap Redhat Debian Fedoraproject | Reachable Assertion vulnerability in multiple products A flaw was found in OpenLDAP in versions before 2.4.56. | 7.5 |
2021-05-27 | CVE-2021-22891 | Citrix | Missing Authorization vulnerability in Citrix Sharefile Storagezones Controller A missing authorization vulnerability exists in Citrix ShareFile Storage Zones Controller before 5.7.3, 5.8.3, 5.9.3, 5.10.1 and 5.11.18 may allow unauthenticated remote compromise of the Storage Zones Controller. | 7.5 |
2021-05-27 | CVE-2021-22909 | UI | Improper Certificate Validation vulnerability in UI Edgemax Edgerouter Firmware 2.0.9 A vulnerability found in EdgeMAX EdgeRouter V2.0.9 and earlier could allow a malicious actor to execute a man-in-the-middle (MitM) attack during a firmware update. | 7.5 |
2021-05-27 | CVE-2021-22911 | Rocket Chat | Unspecified vulnerability in Rocket.Chat 3.11.0/3.12.0/3.13.0 A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQL injection, resulting potentially in RCE. | 7.5 |
2021-05-27 | CVE-2021-28651 | Squid Cache Debian Fedoraproject Netapp | Memory Leak vulnerability in multiple products An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. | 7.5 |
2021-05-27 | CVE-2021-33558 | BOA | Unspecified vulnerability in BOA 0.94.13 Boa 0.94.13 allows remote attackers to obtain sensitive information via a misconfiguration involving backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, and config.js. | 7.5 |
2021-05-27 | CVE-2021-33590 | Labapart | Out-of-bounds Read vulnerability in Labapart Gattlib 0.3 GattLib 0.3-rc1 has a stack-based buffer over-read in get_device_path_from_mac in dbus/gattlib.c. | 7.5 |
2021-05-26 | CVE-2021-22731 | Schneider Electric | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Schneider-Electric products Weak Password Recovery Mechanism for Forgotten Password vulnerability exists on Modicon Managed Switch MCSESM* and MCSESP* V8.21 and prior which could cause an unauthorized password change through HTTP / HTTPS when basic user information is known by a remote attacker. | 7.5 |
2021-05-26 | CVE-2018-10863 | Redhat | Files or Directories Accessible to External Parties vulnerability in Redhat Certification 7.0 It was discovered that redhat-certification 7 is not properly configured and it lists all files and directories in the /var/www/rhcert/store/transfer directory, through the /rhcert-transfer URL. | 7.5 |
2021-05-26 | CVE-2018-10865 | Redhat | Missing Authorization vulnerability in Redhat Certification 7.0 It was discovered that the /configuration view of redhat-certification 7 does not perform an authorization check and it allows an unauthenticated user to call a "restart" RPC method on any host accessible by the system, even if not belonging to him. | 7.5 |
2021-05-26 | CVE-2018-10868 | Redhat | XML Entity Expansion vulnerability in Redhat Certification 7.0 redhat-certification 7 does not properly restrict the number of recursive definitions of entities in XML documents, allowing an unauthenticated user to run a "Billion Laugh Attack" by replying to XMLRPC methods when getting the status of an host. | 7.5 |
2021-05-26 | CVE-2021-25945 | JS Extend Project | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Js-Extend Project Js-Extend Prototype pollution vulnerability in 'js-extend' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution. | 7.5 |
2021-05-26 | CVE-2021-33194 | Golang Fedoraproject | Infinite Loop vulnerability in multiple products golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input. | 7.5 |
2021-05-25 | CVE-2021-33575 | Pixar | Unspecified vulnerability in Pixar Ruby-Jss The Pixar ruby-jss gem before 1.6.0 allows remote attackers to execute arbitrary code because of the Plist gem's documented behavior of using Marshal.load during XML document processing. | 7.5 |
2021-05-25 | CVE-2020-25672 | Linux Fedoraproject Debian Netapp | Memory Leak vulnerability in multiple products A memory leak vulnerability was found in Linux kernel in llcp_sock_connect | 7.5 |
2021-05-25 | CVE-2021-20209 | Privoxy | Memory Leak vulnerability in Privoxy A memory leak vulnerability was found in Privoxy before 3.0.29 in the show-status CGI handler when no action files are configured. | 7.5 |
2021-05-25 | CVE-2020-10064 | Zephyrproject | Out-of-bounds Write vulnerability in Zephyrproject Zephyr Improper Input Frame Validation in ieee802154 Processing. | 7.5 |
2021-05-25 | CVE-2020-13601 | Zephyrproject | Out-of-bounds Read vulnerability in Zephyrproject Zephyr Possible read out of bounds in dns read. | 7.5 |
2021-05-25 | CVE-2021-23937 | Apache | Information Exposure vulnerability in Apache Wicket A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. | 7.5 |
2021-05-25 | CVE-2021-30188 | Codesys | Out-of-bounds Write vulnerability in Codesys V2 Runtime System SP CODESYS V2 runtime system SP before 2.4.7.55 has a Stack-based Buffer Overflow. | 7.5 |
2021-05-25 | CVE-2021-30189 | Codesys | Out-of-bounds Write vulnerability in Codesys V2 web Server CODESYS V2 Web-Server before 1.1.9.20 has a Stack-based Buffer Overflow. | 7.5 |
2021-05-25 | CVE-2021-30190 | Codesys | Missing Authentication for Critical Function vulnerability in Codesys V2 web Server CODESYS V2 Web-Server before 1.1.9.20 has Improper Access Control. | 7.5 |
2021-05-25 | CVE-2021-30192 | Codesys | Unspecified vulnerability in Codesys V2 web Server CODESYS V2 Web-Server before 1.1.9.20 has an Improperly Implemented Security Check. | 7.5 |
2021-05-25 | CVE-2021-30193 | Codesys | Out-of-bounds Write vulnerability in Codesys V2 web Server CODESYS V2 Web-Server before 1.1.9.20 has an Out-of-bounds Write. | 7.5 |
2021-05-24 | CVE-2019-12348 | Zzcms | SQL Injection vulnerability in Zzcms 2019 An issue was discovered in zzcms 2019. | 7.5 |
2021-05-24 | CVE-2021-33502 | Normalize URL Project | Unspecified vulnerability in Normalize-Url Project Normalize-Url The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs. | 7.5 |
2021-05-24 | CVE-2021-20426 | IBM | Use of Hard-coded Credentials vulnerability in IBM Security Guardium 11.2 IBM Security Guardium 11.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | 7.5 |
2021-05-24 | CVE-2020-25409 | College Management System Project | SQL Injection vulnerability in College Management System Project College Management System 1.0 Projectsworlds College Management System Php 1.0 is vulnerable to SQL injection issues over multiple parameters. | 7.5 |
2021-05-24 | CVE-2020-28904 | Nagios | Improper Privilege Management vulnerability in Nagios Fusion Execution with Unnecessary Privileges in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation as nagios via installation of a malicious component containing PHP code. | 7.5 |
2021-05-24 | CVE-2020-28908 | Nagios | Command Injection vulnerability in Nagios Fusion Command Injection in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to nagios. | 7.5 |
2021-05-24 | CVE-2021-32075 | RE Logic | Deserialization of Untrusted Data vulnerability in Re-Logic Terraria Re-Logic Terraria before 1.4.2.3 performs Insecure Deserialization. | 7.5 |
2021-05-27 | CVE-2020-17514 | Apache | Unspecified vulnerability in Apache Fineract Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. | 7.4 |
2021-05-26 | CVE-2021-25217 | ISC Fedoraproject Debian Siemens Netapp | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 (Other branches of ISC DHCP (i.e., releases in the 4.0.x series or lower and releases in the 4.3.x series) are beyond their End-of-Life (EOL) and no longer supported by ISC. | 7.4 |
2021-05-27 | CVE-2020-10145 | Adobe | Incorrect Default Permissions vulnerability in Adobe Coldfusion 2016/2018/2021 The Adobe ColdFusion installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\ColdFusion2021\. | 7.2 |
2021-05-27 | CVE-2021-31154 | Pleaseedit Project | Exposure of Resource to Wrong Sphere vulnerability in Pleaseedit Project Pleaseedit pleaseedit in please before 0.4 uses predictable temporary filenames in /tmp and the target directory. | 7.2 |
2021-05-27 | CVE-2021-31155 | Umask Project | Incorrect Permission Assignment for Critical Resource vulnerability in Umask Project Umask Failure to normalize the umask in please before 0.4 allows a local attacker to gain full root privileges if they are allowed to execute at least one command. | 7.2 |
2021-05-27 | CVE-2021-22900 | Pulsesecure Ivanti | Incorrect Resource Transfer Between Spheres vulnerability in multiple products A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface. | 7.2 |
2021-05-27 | CVE-2021-22907 | Citrix | Unspecified vulnerability in Citrix Workspace An improper access control vulnerability exists in Citrix Workspace App for Windows potentially allows privilege escalation in CR versions prior to 2105 and 1912 LTSR prior to CU4. | 7.2 |
2021-05-27 | CVE-2021-32458 | Trendmicro | Out-of-bounds Write vulnerability in Trendmicro Home Network Security Trend Micro Home Network Security version 6.6.604 and earlier is vulnerable to an iotcl stack-based buffer overflow vulnerability which could allow an attacker to issue a specially crafted iotcl which could lead to code execution on affected devices. | 7.2 |
2021-05-26 | CVE-2018-16497 | Versa Networks | Improper Privilege Management vulnerability in Versa-Networks Versa Analytics In Versa Analytics, the cron jobs are used for scheduling tasks by executing commands at specific dates and times on the server. | 7.2 |
2021-05-26 | CVE-2020-15076 | Openvpn | Link Following vulnerability in Openvpn Private Tunnel Private Tunnel installer for macOS version 3.0.1 and older versions may corrupt system critical files it should not have access via symlinks in /tmp. | 7.2 |
2021-05-25 | CVE-2020-13600 | Zephyrproject | Out-of-bounds Write vulnerability in Zephyrproject Zephyr Malformed SPI in response for eswifi can corrupt kernel memory. | 7.2 |
2021-05-25 | CVE-2020-9452 | Acronis | Link Following vulnerability in Acronis True Image 2020 24.5.22510 An issue was discovered in Acronis True Image 2020 24.5.22510. | 7.2 |
2021-05-28 | CVE-2021-20267 | Openstack Redhat | Insufficient Verification of Data Authenticity vulnerability in multiple products A flaw was found in openstack-neutron's default Open vSwitch firewall rules. | 7.1 |
2021-05-27 | CVE-2020-10709 | Redhat | Insufficient Session Expiration vulnerability in Redhat Ansible Tower A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. | 7.1 |
2021-05-26 | CVE-2021-32614 | Dmg2Img Project | Out-of-bounds Read vulnerability in Dmg2Img Project Dmg2Img 20170502 A flaw was found in dmg2img through 20170502. | 7.1 |
2021-05-26 | CVE-2021-3561 | Fig2Dev Project Fedoraproject Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products An Out of Bounds flaw was found fig2dev version 3.2.8a. | 7.1 |
2021-05-26 | CVE-2021-3549 | GNU | Out-of-bounds Write vulnerability in GNU Binutils 2.36 An out of bounds flaw was found in GNU binutils objdump utility version 2.36. | 7.1 |
2021-05-26 | CVE-2020-25697 | X ORG | Missing Authentication for Critical Function vulnerability in X.Org X Server A privilege escalation flaw was found in the Xorg-x11-server due to a lack of authentication for X11 clients. | 7.0 |
2021-05-26 | CVE-2020-25668 | Linux Debian Netapp | Improper Synchronization vulnerability in multiple products A flaw was found in Linux Kernel because access to the global variable fg_console is not properly synchronized leading to a use after free in con_font_op. | 7.0 |
208 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-05-29 | CVE-2021-33564 | Dragonfly Project | Argument Injection or Modification vulnerability in Dragonfly Project Dragonfly An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. | 6.8 |
2021-05-28 | CVE-2021-32635 | Sylabs | Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Sylabs Singularity 3.7.2/3.7.3 Singularity is an open source container platform. | 6.8 |
2021-05-28 | CVE-2020-26641 | Idreamsoft | Cross-Site Request Forgery (CSRF) vulnerability in Idreamsoft Icms 7.0.16 A Cross Site Request Forgery (CSRF) vulnerability was discovered in iCMS 7.0.16 which can allow an attacker to execute arbitrary web scripts. | 6.8 |
2021-05-28 | CVE-2021-20195 | Redhat | Improper Encoding or Escaping of Output vulnerability in Redhat Keycloak A flaw was found in keycloak in versions before 13.0.0. | 6.8 |
2021-05-28 | CVE-2021-33591 | Naver | Unspecified vulnerability in Naver Comic Viewer An exposed remote debugging port in Naver Comic Viewer prior to 1.0.15.0 allowed a remote attacker to execute arbitrary code via a crafted HTML page. | 6.8 |
2021-05-27 | CVE-2020-22016 | Ffmpeg Debian | Out-of-bounds Write vulnerability in multiple products A heap-based Buffer Overflow vulnerability in FFmpeg 4.2 at libavcodec/get_bits.h when writing .mov files, which might lead to memory corruption and other potential consequences. | 6.8 |
2021-05-27 | CVE-2020-22017 | Ffmpeg Debian | Out-of-bounds Write vulnerability in multiple products A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at ff_fill_rectangle in libavfilter/drawutils.c, which might lead to memory corruption and other potential consequences. | 6.8 |
2021-05-27 | CVE-2020-22022 | Ffmpeg Debian | Out-of-bounds Write vulnerability in multiple products A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 in filter_frame at libavfilter/vf_fieldorder.c, which might lead to memory corruption and other potential consequences. | 6.8 |
2021-05-27 | CVE-2020-22023 | Ffmpeg Debian | Out-of-bounds Write vulnerability in multiple products A heap-based Buffer Overflow vulnerabililty exists in FFmpeg 4.2 in filter_frame at libavfilter/vf_bitplanenoise.c, which might lead to memory corruption and other potential consequences. | 6.8 |
2021-05-27 | CVE-2020-22027 | Ffmpeg Debian | Out-of-bounds Write vulnerability in multiple products A heap-based Buffer Overflow vulnerability exits in FFmpeg 4.2 in deflate16 at libavfilter/vf_neighbor.c, which might lead to memory corruption and other potential consequences. | 6.8 |
2021-05-27 | CVE-2020-22030 | Ffmpeg Debian | Out-of-bounds Write vulnerability in multiple products A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at libavfilter/af_afade.c in crossfade_samples_fltp, which might lead to memory corruption and other potential consequences. | 6.8 |
2021-05-27 | CVE-2020-22031 | Ffmpeg Debian | Out-of-bounds Write vulnerability in multiple products A Heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at libavfilter/vf_w3fdif.c in filter16_complex_low, which might lead to memory corruption and other potential consequences. | 6.8 |
2021-05-27 | CVE-2021-27490 | Datakit Luxion Siemens | Out-of-bounds Read vulnerability in multiple products Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior are vulnerable to an out-of-bounds read, which may allow an attacker to execute arbitrary code. | 6.8 |
2021-05-27 | CVE-2021-27488 | Datakit Luxion Siemens | Out-of-bounds Write vulnerability in multiple products Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior lack proper validation of user-supplied data when parsing CATPart files. | 6.8 |
2021-05-27 | CVE-2021-27494 | Datakit Luxion Siemens | Stack-based Buffer Overflow vulnerability in multiple products Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior lack proper validation of user-supplied data when parsing STP files. | 6.8 |
2021-05-27 | CVE-2021-27496 | Datakit Luxion Siemens | Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior lack proper validation of user-supplied data when parsing PRT files. | 6.8 |
2021-05-27 | CVE-2021-30500 | UPX Project Redhat Fedoraproject | NULL Pointer Dereference vulnerability in multiple products Null pointer dereference was found in upx PackLinuxElf::canUnpack() in p_lx_elf.cpp,in version UPX 4.0.0. | 6.8 |
2021-05-26 | CVE-2009-3721 | Gnome Ytnef Project | Path Traversal vulnerability in multiple products Multiple directory traversal and buffer overflow vulnerabilities were discovered in yTNEF, and in Evolution's TNEF parser that is derived from yTNEF. | 6.8 |
2021-05-26 | CVE-2020-22015 | Ffmpeg Debian | Classic Buffer Overflow vulnerability in multiple products Buffer Overflow vulnerability in FFmpeg 4.2 in mov_write_video_tag due to the out of bounds in libavformat/movenc.c, which could let a remote malicious user obtain sensitive information, cause a Denial of Service, or execute arbitrary code. | 6.8 |
2021-05-26 | CVE-2021-31924 | Yubico Fedoraproject | Improper Authentication vulnerability in multiple products Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. | 6.8 |
2021-05-28 | CVE-2021-20292 | Linux Fedoraproject Redhat Debian | Use After Free vulnerability in multiple products There is a flaw reported in the Linux kernel in versions before 5.9 in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. | 6.7 |
2021-05-24 | CVE-2021-3485 | Bitdefender | Download of Code Without Integrity Check vulnerability in Bitdefender Endpoint Security Tools 6.2.21.18 An Improper Input Validation vulnerability in the Product Update feature of Bitdefender Endpoint Security Tools for Linux allows a man-in-the-middle attacker to abuse the DownloadFile function of the Product Update to achieve remote code execution. | 6.6 |
2021-05-28 | CVE-2021-3514 | Redhat | Unspecified vulnerability in Redhat 389 Directory Server When using a sync_repl client in 389-ds-base, an authenticated attacker can cause a NULL pointer dereference using a specially crafted query, causing a crash. | 6.5 |
2021-05-28 | CVE-2021-33620 | Squid Cache Fedoraproject Debian | Improper Input Validation vulnerability in multiple products Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. | 6.5 |
2021-05-27 | CVE-2020-10716 | Redhat Theforeman | A flaw was found in Red Hat Satellite's Job Invocation, where the "User Input" entry was not properly restricted to the view. | 6.5 |
2021-05-27 | CVE-2020-22033 | Ffmpeg Debian | Out-of-bounds Write vulnerability in multiple products A heap-based Buffer Overflow Vulnerability exists FFmpeg 4.2 at libavfilter/vf_vmafmotion.c in convolution_y_8bit, which could let a remote malicious user cause a Denial of Service. | 6.5 |
2021-05-27 | CVE-2021-31808 | Squid Cache Debian Netapp Fedoraproject | Integer Overflow or Wraparound vulnerability in multiple products An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. | 6.5 |
2021-05-27 | CVE-2021-31806 | Squid Cache Debian Fedoraproject Netapp | Improper Encoding or Escaping of Output vulnerability in multiple products An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. | 6.5 |
2021-05-27 | CVE-2021-28662 | Squid Cache Debian Fedoraproject | Improper Encoding or Escaping of Output vulnerability in multiple products An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. | 6.5 |
2021-05-26 | CVE-2021-20196 | Qemu Debian | NULL Pointer Dereference vulnerability in multiple products A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. | 6.5 |
2021-05-26 | CVE-2020-22020 | Ffmpeg Debian | Classic Buffer Overflow vulnerability in multiple products Buffer Overflow vulnerability in FFmpeg 4.2 in the build_diff_map function in libavfilter/vf_fieldmatch.c, which could let a remote malicious user cause a Denial of Service. | 6.5 |
2021-05-26 | CVE-2021-22734 | Schneider Electric | Improper Verification of Cryptographic Signature vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware Improper Verification of Cryptographic Signature vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could cause remote code execution when an attacker loads unauthorized code. | 6.5 |
2021-05-26 | CVE-2021-22735 | Schneider Electric | Improper Verification of Cryptographic Signature vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware Improper Verification of Cryptographic Signature vulnerability exists inhomeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could allow remote code execution when unauthorized code is copied to the device. | 6.5 |
2021-05-26 | CVE-2018-16494 | Versa Networks | Exposure of Resource to Wrong Sphere vulnerability in Versa-Networks Versa Operating System 20.2.0/21.1.0 In VOS and overly permissive "umask" may allow for authorized users of the server to gain unauthorized access through insecure file permissions that can result in an arbitrary read, write, or execution of newly created files and directories. | 6.5 |
2021-05-26 | CVE-2018-16495 | Versa Networks | Session Fixation vulnerability in Versa-Networks Versa Operating System 20.2.0/21.1.0 In VOS user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after the user successfully logs into the application. | 6.5 |
2021-05-26 | CVE-2021-20487 | IBM | Improper Verification of Cryptographic Signature vulnerability in IBM products IBM Power9 Self Boot Engine(SBE) could allow a privileged user to inject malicious code and compromise the integrity of the host firmware bypassing the host firmware signature verification process. | 6.5 |
2021-05-26 | CVE-2020-26677 | Vfairs | SQL Injection vulnerability in Vfairs 3.3 Any user logged in to a vFairs 3.3 virtual conference or event can perform SQL injection with a malicious query to the API. | 6.5 |
2021-05-26 | CVE-2020-26678 | Vfairs | Unrestricted Upload of File with Dangerous Type vulnerability in Vfairs 3.3 vFairs 3.3 is affected by Remote Code Execution. | 6.5 |
2021-05-24 | CVE-2021-30081 | Emlog | SQL Injection vulnerability in Emlog 6.0.0 An issue was discovered in emlog 6.0.0stable. | 6.5 |
2021-05-24 | CVE-2020-4990 | IBM | SQL Injection vulnerability in IBM Security Guardium 11.2 IBM Security Guardium 11.2 is vulnerable to SQL injection. | 6.5 |
2021-05-24 | CVE-2020-28905 | Nagios | Code Injection vulnerability in Nagios Fusion Improper Input Validation in Nagios Fusion 4.1.8 and earlier allows an authenticated attacker to execute remote code via table pagination. | 6.5 |
2021-05-26 | CVE-2021-20492 | IBM | XXE vulnerability in IBM Websphere Application Server IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. | 6.4 |
2021-05-25 | CVE-2021-30194 | Codesys | Out-of-bounds Read vulnerability in Codesys V2 web Server CODESYS V2 Web-Server before 1.1.9.20 has an Out-of-bounds Read. | 6.4 |
2021-05-24 | CVE-2021-30108 | Feehi | Server-Side Request Forgery (SSRF) vulnerability in Feehi CMS 2.1.1 Feehi CMS 2.1.1 is affected by a Server-side request forgery (SSRF) vulnerability. | 6.4 |
2021-05-24 | CVE-2021-33497 | Dutchcoders | Path Traversal vulnerability in Dutchcoders Transfer.Sh Dutchcoders transfer.sh before 1.2.4 allows Directory Traversal for deleting files. | 6.4 |
2021-05-28 | CVE-2021-32542 | Sysjust | Cross-site Scripting vulnerability in Sysjust CTS web The parameters of the specific functions in the CTS Web trading system do not filter special characters, which allows unauthenticated attackers can remotely perform reflected XSS and obtain the users’ connection token that triggered the attack. | 6.1 |
2021-05-26 | CVE-2021-3486 | Glpi Project | Cross-site Scripting vulnerability in Glpi-Project Glpi 9.5.4 GLPi 9.5.4 does not sanitize the metadata. | 6.1 |
2021-05-27 | CVE-2020-27832 | Redhat | Cross-site Scripting vulnerability in Redhat Quay A flaw was found in Red Hat Quay, where it has a persistent Cross-site Scripting (XSS) vulnerability when displaying a repository's notification. | 6.0 |
2021-05-27 | CVE-2021-31525 | Golang Fedoraproject | Uncontrolled Recursion vulnerability in multiple products net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. | 5.9 |
2021-05-28 | CVE-2021-20278 | Kiali | Improper Authentication vulnerability in Kiali An authentication bypass vulnerability was found in Kiali in versions before 1.31.0 when the authentication strategy `OpenID` is used. | 5.8 |
2021-05-27 | CVE-2020-14387 | Samba | Improper Validation of Certificate with Host Mismatch vulnerability in Samba Rsync A flaw was found in rsync in versions since 3.2.0pre1. | 5.8 |
2021-05-27 | CVE-2021-32645 | Tenancy | Open Redirect vulnerability in Tenancy Multi-Tenant Tenancy multi-tenant is an open source multi-domain controller for the Laravel web framework. | 5.8 |
2021-05-26 | CVE-2021-3548 | Dmg2Img Project | Out-of-bounds Read vulnerability in Dmg2Img Project Dmg2Img 20170502 A flaw was found in dmg2img through 20170502. | 5.8 |
2021-05-25 | CVE-2021-20096 | Lucyparsonslabs | Cross-Site Request Forgery (CSRF) vulnerability in Lucyparsonslabs Openoversight 0.6.4 Cross-site request forgery in OpenOversight 0.6.4 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. | 5.8 |
2021-05-24 | CVE-2021-23387 | Trailing Slash Project | Open Redirect vulnerability in Trailing-Slash Project Trailing-Slash The package trailing-slash before 2.0.1 are vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.com//attacker.example/). | 5.8 |
2021-05-24 | CVE-2020-26559 | Bluetooth | Incorrect Authorization vulnerability in Bluetooth Mesh Profile 1.0.0/1.0.1 Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner’s public key, and the confirmation number and nonce provided by the provisioning device. | 5.8 |
2021-05-24 | CVE-2021-33516 | Gnome | Unspecified vulnerability in Gnome Gupnp An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. | 5.8 |
2021-05-28 | CVE-2020-18392 | Cesanta | Uncontrolled Recursion vulnerability in Cesanta MJS 1.20.1 Stack overflow vulnerability in parse_array Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. | 5.5 |
2021-05-28 | CVE-2021-32543 | Sysjust | Improper Authentication vulnerability in Sysjust CTS web The CTS Web transaction system related to authentication management is implemented incorrectly. | 5.5 |
2021-05-27 | CVE-2021-33394 | Cubecart | Session Fixation vulnerability in Cubecart 6.4.2 Cubecart 6.4.2 allows Session Fixation. | 5.5 |
2021-05-27 | CVE-2021-32459 | Trendmicro | Use of Hard-coded Credentials vulnerability in Trendmicro Home Network Security Trend Micro Home Network Security version 6.6.604 and earlier contains a hard-coded password vulnerability in the log collection server which could allow an attacker to use a specially crafted network request to lead to arbitrary authentication. | 5.5 |
2021-05-27 | CVE-2021-30501 | UPX Project Redhat Fedoraproject | Reachable Assertion vulnerability in multiple products An assertion abort was found in upx MemBuffer::alloc() in mem.cpp, in version UPX 4.0.0. | 5.5 |
2021-05-26 | CVE-2021-30469 | Podofo Project Fedoraproject Redhat | Use After Free vulnerability in multiple products A flaw was found in PoDoFo 0.9.7. | 5.5 |
2021-05-26 | CVE-2021-30470 | Podofo Project Redhat Fedoraproject | Uncontrolled Recursion vulnerability in multiple products A flaw was found in PoDoFo 0.9.7. | 5.5 |
2021-05-26 | CVE-2021-30471 | Podofo Project Redhat Fedoraproject | Uncontrolled Recursion vulnerability in multiple products A flaw was found in PoDoFo 0.9.7. | 5.5 |
2021-05-26 | CVE-2021-3527 | Qemu Redhat Debian | Allocation of Resources Without Limits or Throttling vulnerability in multiple products A flaw was found in the USB redirector device (usb-redir) of QEMU. | 5.5 |
2021-05-26 | CVE-2021-20191 | Oracle Redhat | Information Exposure Through Log Files vulnerability in multiple products A flaw was found in ansible. | 5.5 |
2021-05-26 | CVE-2021-20178 | Redhat Fedoraproject | Information Exposure Through Log Files vulnerability in multiple products A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. | 5.5 |
2021-05-26 | CVE-2020-25673 | Linux Fedoraproject Netapp | Resource Exhaustion vulnerability in multiple products A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak and eventually hanging-up the system. | 5.5 |
2021-05-26 | CVE-2020-25634 | Redhat | Missing Authentication for Critical Function vulnerability in Redhat 3Scale and 3Scale API Management A flaw was found in Red Hat 3scale’s API docs URL, where it is accessible without credentials. | 5.4 |
2021-05-25 | CVE-2021-33570 | Postbird Project | Cross-site Scripting vulnerability in Postbird Project Postbird 0.8.4 Postbird 0.8.4 allows stored XSS via the onerror attribute of an IMG element in any PostgreSQL database table. | 5.4 |
2021-05-25 | CVE-2021-21660 | Jenkins | Cross-site Scripting vulnerability in Jenkins Markdown Formatter 0.1.0 Jenkins Markdown Formatter Plugin 0.1.0 and earlier does not sanitize crafted link target URLs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to edit any description rendered using the configured markup formatter. | 5.4 |
2021-05-25 | CVE-2021-33425 | Openwrt | Cross-site Scripting vulnerability in Openwrt 19.07.0 A stored cross-site scripting (XSS) vulnerability was discovered in the Web Interface for OpenWRT LuCI version 19.07 which allows attackers to inject arbitrary Javascript in the OpenWRT Hostname via the Hostname Change operation. | 5.4 |
2021-05-24 | CVE-2020-26555 | Bluetooth Fedoraproject Intel | Incorrect Authorization vulnerability in multiple products Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN. | 5.4 |
2021-05-24 | CVE-2021-24306 | Ultimatemember | Cross-site Scripting vulnerability in Ultimatemember Ultimate Member The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link to edit user's own profile, leading to an authenticated reflected Cross-Site Scripting issue. | 5.4 |
2021-05-28 | CVE-2021-20201 | Spice Project Redhat | A flaw was found in spice in versions before 0.14.92. | 5.3 |
2021-05-25 | CVE-2021-32640 | WS Project Netapp | Resource Exhaustion vulnerability in multiple products ws is an open source WebSocket client and server library for Node.js. | 5.3 |
2021-05-29 | CVE-2021-31702 | Frontiersoftware | Unspecified vulnerability in Frontiersoftware Ichris 5.18 Frontier ichris through 5.18 mishandles making a DNS request for the hostname in the HTTP Host header, as demonstrated by submitting 127.0.0.1 multiple times for DoS. | 5.0 |
2021-05-28 | CVE-2020-18395 | GNU | NULL Pointer Dereference vulnerability in GNU Gama 2.04 A NULL-pointer deference issue was discovered in GNU_gama::set() in ellipsoid.h in Gama 2.04 which can lead to a denial of service (DOS) via segment faults caused by crafted inputs. | 5.0 |
2021-05-28 | CVE-2021-29628 | Freebsd | Incorrect Authorization vulnerability in Freebsd 12.2/13.0 In FreeBSD 13.0-STABLE before n245764-876ffe28796c, 12.2-STABLE before r369857, 13.0-RELEASE before p1, and 12.2-RELEASE before p7, a system call triggering a fault could cause SMAP protections to be disabled for the duration of the system call. | 5.0 |
2021-05-28 | CVE-2021-29629 | Freebsd | Improper Input Validation vulnerability in Freebsd 11.4/12.2/13.0 In FreeBSD 13.0-STABLE before n245765-bec0d2c9c841, 12.2-STABLE before r369859, 11.4-STABLE before r369866, 13.0-RELEASE before p1, 12.2-RELEASE before p7, and 11.4-RELEASE before p10, missing message validation in libradius(3) could allow malicious clients or servers to trigger denial of service in vulnerable servers or clients respectively. | 5.0 |
2021-05-28 | CVE-2021-32541 | Sysjust | Improper Authentication vulnerability in Sysjust CTS web The CTS Web transaction system related to authentication and session management is implemented incorrectly, which allows remote unauthenticated attackers can send a large number of valid usernames, and force those logged-in account to log out, causing the user to be unable to access the services | 5.0 |
2021-05-27 | CVE-2021-32643 | Typelevel | Path Traversal vulnerability in Typelevel Http4S Http4s is a Scala interface for HTTP services. | 5.0 |
2021-05-27 | CVE-2021-22362 | Huawei | Out-of-bounds Write vulnerability in Huawei products There is an out of bounds write vulnerability in some Huawei products. | 5.0 |
2021-05-27 | CVE-2021-22885 | Rubyonrails Debian | Information Exposure Through an Error Message vulnerability in multiple products A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input. | 5.0 |
2021-05-27 | CVE-2021-22892 | Rocket Chat | Information Exposure Through Discrepancy vulnerability in Rocket.Chat An information disclosure vulnerability exists in the Rocket.Chat server fixed v3.13, v3.12.2 & v3.11.3 that allowed email addresses to be disclosed by enumeration and validation checks. | 5.0 |
2021-05-26 | CVE-2021-28170 | Eclipse Quarkus Oracle | Expression Language Injection vulnerability in multiple products In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid. | 5.0 |
2021-05-26 | CVE-2021-22736 | Schneider Electric | Path Traversal vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could cause a denial of service when an unauthorized file is uploaded. | 5.0 |
2021-05-26 | CVE-2021-22738 | Schneider Electric | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware Use of a Broken or Risky Cryptographic Algorithm vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior that could cause unauthorized access when credentials are discovered after a brute force attack. | 5.0 |
2021-05-26 | CVE-2018-16496 | Versa Networks | Improper Authentication vulnerability in Versa-Networks Versa Director In Versa Director, the un-authentication request found. | 5.0 |
2021-05-26 | CVE-2021-33506 | 8X8 | Incorrect Default Permissions vulnerability in 8X8 Jitsi Meet jitsi-meet-prosody in Jitsi Meet before 2.0.5963-1 does not ensure that restrict_room_creation is set by default. | 5.0 |
2021-05-26 | CVE-2021-33038 | Hyperkitty Project Debian | Information Exposure vulnerability in multiple products An issue was discovered in management/commands/hyperkitty_import.py in HyperKitty through 1.3.4. | 5.0 |
2021-05-25 | CVE-2016-20011 | Gnome | Improper Certificate Validation vulnerability in Gnome Libgrss libgrss through 0.7.0 fails to perform TLS certificate verification when downloading feeds, allowing remote attackers to manipulate the contents of feeds without detection. | 5.0 |
2021-05-25 | CVE-2020-20450 | Ffmpeg Debian | NULL Pointer Dereference vulnerability in multiple products FFmpeg 4.2 is affected by null pointer dereference passed as argument to libavformat/aviobuf.c, which could cause a Denial of Service. | 5.0 |
2021-05-25 | CVE-2020-20451 | Ffmpeg Debian | Memory Leak vulnerability in multiple products Denial of Service issue in FFmpeg 4.2 due to resource management errors via fftools/cmdutils.c. | 5.0 |
2021-05-25 | CVE-2021-3320 | Zephyrproject | Type Confusion vulnerability in Zephyrproject Zephyr Type Confusion in 802154 ACK Frames Handling. | 5.0 |
2021-05-25 | CVE-2021-27823 | Mediateknet | Information Exposure vulnerability in Mediateknet Netwave System 1.0 An information disclosure vulnerability was discovered in /index.class.php (via port 8181) on NetWave System 1.0 which allows unauthenticated attackers to exfiltrate sensitive information from the system. | 5.0 |
2021-05-25 | CVE-2021-30186 | Codesys | Out-of-bounds Write vulnerability in Codesys Plcwinnt and Runtime Toolkit CODESYS V2 runtime system SP before 2.4.7.55 has a Heap-based Buffer Overflow. | 5.0 |
2021-05-25 | CVE-2021-30191 | Codesys | Classic Buffer Overflow vulnerability in Codesys V2 web Server CODESYS V2 Web-Server before 1.1.9.20 has a a Buffer Copy without Checking the Size of the Input. | 5.0 |
2021-05-25 | CVE-2021-30195 | Codesys | Out-of-bounds Read vulnerability in Codesys Plcwinnt and Runtime Toolkit CODESYS V2 runtime system before 2.4.7.55 has Improper Input Validation. | 5.0 |
2021-05-24 | CVE-2021-33563 | Koel | Use of Password Hash With Insufficient Computational Effort vulnerability in Koel Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. | 5.0 |
2021-05-24 | CVE-2020-20178 | Whohas Project | Unspecified vulnerability in Whohas Project Whohas Ethereum 0xe933c0cd9784414d5f278c114904f5a84b396919#code.sol latest version is affected by a denial of service vulnerability in the affected payout function. | 5.0 |
2021-05-24 | CVE-2020-21041 | Ffmpeg Debian | Classic Buffer Overflow vulnerability in multiple products Buffer Overflow vulnerability exists in FFmpeg 4.1 via apng_do_inverse_blend in libavcodec/pngenc.c, which could let a remote malicious user cause a Denial of Service | 5.0 |
2021-05-24 | CVE-2021-20419 | IBM | Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Security Guardium 11.2 IBM Security Guardium 11.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.0 |
2021-05-24 | CVE-2021-20428 | IBM | Information Exposure Through an Error Message vulnerability in IBM Security Guardium 11.2 IBM Security Guardium 11.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 5.0 |
2021-05-24 | CVE-2021-21000 | Wago | Allocation of Resources Without Limits or Throttling vulnerability in Wago products On WAGO PFC200 devices in different firmware versions with special crafted packets an attacker with network access to the device could cause a denial of service for the login service of the runtime. | 5.0 |
2021-05-28 | CVE-2020-27826 | Redhat | Execution with Unnecessary Privileges vulnerability in Redhat Keycloak A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. | 4.9 |
2021-05-27 | CVE-2021-28652 | Squid Cache Debian Fedoraproject | Memory Leak vulnerability in multiple products An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. | 4.9 |
2021-05-25 | CVE-2021-27562 | ARM | Out-of-bounds Write vulnerability in ARM Trusted Firmware M In Arm Trusted Firmware M through 1.2, the NS world may trigger a system halt, an overwrite of secure data, or the printing out of secure data when calling secure functions under the NSPE handler mode. | 4.9 |
2021-05-26 | CVE-2021-33469 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Covid19 Testing Management System 1.0 COVID19 Testing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the "Admin name" parameter. | 4.8 |
2021-05-24 | CVE-2020-26560 | Bluetooth | Incorrect Authorization vulnerability in Bluetooth Mesh Profile 1.0.0/1.0.1 Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, reflecting the authentication evidence from a Provisioner, to complete authentication without possessing the AuthValue, and potentially acquire a NetKey and AppKey. | 4.8 |
2021-05-24 | CVE-2021-24332 | Autoptimize | Cross-site Scripting vulnerability in Autoptimize The Autoptimize WordPress plugin before 2.8.4 was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues | 4.8 |
2021-05-28 | CVE-2010-3843 | Ettercap Project | Classic Buffer Overflow vulnerability in Ettercap-Project Ettercap 0.7.3 The GTK version of ettercap uses a global settings file at /tmp/.ettercap_gtk and does not verify ownership of this file. | 4.6 |
2021-05-28 | CVE-2020-35506 | Qemu | Use After Free vulnerability in Qemu A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). | 4.6 |
2021-05-26 | CVE-2020-10695 | Redhat | Incorrect Privilege Assignment vulnerability in Redhat Single Sign-On An insecure modification flaw in the /etc/passwd file was found in the redhat-sso-7 container. | 4.6 |
2021-05-26 | CVE-2021-22705 | Schneider Electric | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Ecostruxure Machine Expert and Vijeo Designer Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause denial of service or unauthorized access to system information when interacting directly with a driver installed by Vijeo Designer or EcoStruxure Machine Expert | 4.6 |
2021-05-26 | CVE-2021-22732 | Schneider Electric | Improper Privilege Management vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware Improper Privilege Management vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could cause a code execution issue when an attacker loads unauthorized code on the web server. | 4.6 |
2021-05-26 | CVE-2021-22733 | Schneider Electric | Improper Privilege Management vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware Improper Privilege Management vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could cause shell access when unauthorized code is loaded into the system folder. | 4.6 |
2021-05-26 | CVE-2021-22741 | Schneider Electric | Use of Password Hash With Insufficient Computational Effort vulnerability in Schneider-Electric products Use of Password Hash with Insufficient Computational Effort vulnerability exists in ClearSCADA (all versions), EcoStruxure Geo SCADA Expert 2019 (all versions), and EcoStruxure Geo SCADA Expert 2020 (V83.7742.1 and prior), which could cause the revealing of account credentials when server database files are available. | 4.6 |
2021-05-26 | CVE-2021-32457 | Trendmicro | Unspecified vulnerability in Trendmicro Home Network Security 6.1.567/6.6.604 Trend Micro Home Network Security version 6.6.604 and earlier is vulnerable to an iotcl stack-based buffer overflow vulnerability which could allow an attacker to issue a specially crafted iotcl to escalate privileges on affected devices. | 4.6 |
2021-05-25 | CVE-2020-10072 | Zephyrproject | Unspecified vulnerability in Zephyrproject Zephyr Improper Handling of Insufficient Permissions or Privileges in zephyr. | 4.6 |
2021-05-25 | CVE-2020-13598 | Zephyrproject | Out-of-bounds Write vulnerability in Zephyrproject Zephyr FS: Buffer Overflow when enabling Long File Names in FAT_FS and calling fs_stat. | 4.6 |
2021-05-25 | CVE-2020-13603 | Zephyrproject | Integer Overflow or Wraparound vulnerability in Zephyrproject Zephyr Integer Overflow in memory allocating functions. | 4.6 |
2021-05-25 | CVE-2021-29708 | IBM | Unspecified vulnerability in IBM Spectrum Scale 5.1.0.1 IBM Spectrum Scale 5.1.0.1 could allow a local with access to the GUI pod container to obtain sensitive cryptographic keys that could allow them to elevate their privileges. | 4.6 |
2021-05-25 | CVE-2021-29202 | HP | Classic Buffer Overflow vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5 A local buffer overflow vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | 4.6 |
2021-05-25 | CVE-2020-9450 | Acronis | Incorrect Default Permissions vulnerability in Acronis True Image 2020 24.5.22510 An issue was discovered in Acronis True Image 2020 24.5.22510. | 4.6 |
2021-05-25 | CVE-2021-30187 | Codesys | OS Command Injection vulnerability in Codesys Runtime Toolkit 2.4.7.54 CODESYS V2 runtime system SP before 2.4.7.55 has Improper Neutralization of Special Elements used in an OS Command. | 4.6 |
2021-05-24 | CVE-2021-20713 | Qualitysoft | Improper Privilege Management vulnerability in Qualitysoft QND 10.3I/10.4I Privilege escalation vulnerability in QND Advance/Premium/Standard Ver.11.0.4i and earlier allows an attacker who can log in to the PC where the product's Windows client is installed to gain administrative privileges via unspecified vectors. | 4.6 |
2021-05-27 | CVE-2020-10697 | Redhat | Unspecified vulnerability in Redhat Ansible Tower A flaw was found in Ansible Tower when running Openshift. | 4.4 |
2021-05-26 | CVE-2019-4588 | IBM | Uncontrolled Search Path Element vulnerability in IBM DB2 IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to execute arbitrary code and conduct DLL hijacking attacks. | 4.4 |
2021-05-24 | CVE-2021-20722 | Fujitsu | Uncontrolled Search Path Element vulnerability in Fujitsu Scansnap Manager Untrusted search path vulnerability in the installers of ScanSnap Manager prior to versions V7.0L20 and the Software Download Installer prior to WinSSInst2JP.exe and WinSSInst2iX1500JP.exe allows an attacker to gain privileges and execute arbitrary code with the privilege of the user invoking the installer via a Trojan horse DLL in an unspecified directory. | 4.4 |
2021-05-24 | CVE-2021-20726 | Overwolf | Uncontrolled Search Path Element vulnerability in Overwolf Untrusted search path vulnerability in The Installer of Overwolf 2.168.0.n and earlier allows an attacker to gain privileges and execute arbitrary code with the privilege of the user invoking the installer via a Trojan horse DLL in an unspecified directory. | 4.4 |
2021-05-28 | CVE-2020-36366 | Cesanta | Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1 Stack overflow vulnerability in parse_value Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. | 4.3 |
2021-05-28 | CVE-2020-36367 | Cesanta | Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1 Stack overflow vulnerability in parse_block Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. | 4.3 |
2021-05-28 | CVE-2020-36368 | Cesanta | Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1 Stack overflow vulnerability in parse_statement Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. | 4.3 |
2021-05-28 | CVE-2020-36369 | Cesanta | Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1 Stack overflow vulnerability in parse_statement_list Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. | 4.3 |
2021-05-28 | CVE-2020-36370 | Cesanta | Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1 Stack overflow vulnerability in parse_unary Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. | 4.3 |
2021-05-28 | CVE-2020-36371 | Cesanta | Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1 Stack overflow vulnerability in parse_mul_div_rem Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. | 4.3 |
2021-05-28 | CVE-2020-36372 | Cesanta | Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1 Stack overflow vulnerability in parse_plus_minus Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. | 4.3 |
2021-05-28 | CVE-2020-36373 | Cesanta | Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1 Stack overflow vulnerability in parse_shifts Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. | 4.3 |
2021-05-28 | CVE-2020-36374 | Cesanta | Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1 Stack overflow vulnerability in parse_comparison Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. | 4.3 |
2021-05-28 | CVE-2020-36375 | Cesanta | Out-of-bounds Write vulnerability in Cesanta MJS 1.20.1 Stack overflow vulnerability in parse_equality Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. | 4.3 |
2021-05-28 | CVE-2021-32616 | 1Cdn Project | Cross-site Scripting vulnerability in 1Cdn Project 1Cdn 1CDN is open-source file sharing software. | 4.3 |
2021-05-28 | CVE-2020-26642 | Seacms | Cross-site Scripting vulnerability in Seacms 11.0 A cross-site scripting (XSS) vulnerability has been discovered in the login page of SeaCMS version 11 which allows an attacker to inject arbitrary web script or HTML. | 4.3 |
2021-05-28 | CVE-2020-25715 | Dogtagpki | Cross-site Scripting vulnerability in Dogtagpki 10.9.0 A flaw was found in pki-core 10.9.0. | 4.3 |
2021-05-28 | CVE-2021-20237 | Zeromq | Memory Leak vulnerability in Zeromq Libzmq An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub.cpp in versions before 4.3.3. | 4.3 |
2021-05-27 | CVE-2020-1702 | Containers Image Project Redhat | Resource Exhaustion vulnerability in multiple products A malicious container image can consume an unbounded amount of memory when being pulled to a container runtime host, such as Red Hat Enterprise Linux using podman, or OpenShift Container Platform. | 4.3 |
2021-05-27 | CVE-2020-1761 | Redhat | Unspecified vulnerability in Redhat Openshift A flaw was found in the OpenShift web console, where the access token is stored in the browser's local storage. | 4.3 |
2021-05-27 | CVE-2020-10688 | Redhat | Cross-site Scripting vulnerability in Redhat products A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. | 4.3 |
2021-05-27 | CVE-2021-27492 | Datakit Luxion Siemens | XXE vulnerability in multiple products When opening a specially crafted 3DXML file, the application containing Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior could disclose arbitrary files to remote attackers. | 4.3 |
2021-05-27 | CVE-2021-20727 | Zettlr | Cross-site Scripting vulnerability in Zettlr Cross-site scripting vulnerability in Zettlr from 0.20.0 to 1.8.8 allows an attacker to execute an arbitrary script by loading a file or code snippet containing an invalid iframe into Zettlr. | 4.3 |
2021-05-27 | CVE-2020-27831 | Redhat | Insufficiently Protected Credentials vulnerability in Redhat Quay A flaw was found in Red Hat Quay, where it does not properly protect the authorization token when authorizing email addresses for repository email notifications. | 4.3 |
2021-05-27 | CVE-2021-3509 | Redhat | Cross-site Scripting vulnerability in Redhat Ceph Storage 4.0 A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. | 4.3 |
2021-05-26 | CVE-2020-22024 | Ffmpeg | Classic Buffer Overflow vulnerability in Ffmpeg 4.2 Buffer Overflow vulnerability in FFmpeg 4.2 at the lagfun_frame16 function in libavfilter/vf_lagfun.c, which could let a remote malicious user cause Denial of Service. | 4.3 |
2021-05-26 | CVE-2020-22026 | Ffmpeg Debian | Classic Buffer Overflow vulnerability in multiple products Buffer Overflow vulnerability exists in FFmpeg 4.2 in the config_input function at libavfilter/af_tremolo.c, which could let a remote malicious user cause a Denial of Service. | 4.3 |
2021-05-26 | CVE-2020-22028 | Ffmpeg Debian | Classic Buffer Overflow vulnerability in multiple products Buffer Overflow vulnerability exists in FFmpeg 4.2 in filter_vertically_8 at libavfilter/vf_avgblur.c, which could cause a remote Denial of Service. | 4.3 |
2021-05-26 | CVE-2020-22019 | Ffmpeg Debian | Classic Buffer Overflow vulnerability in multiple products Buffer Overflow vulnerability in FFmpeg 4.2 at convolution_y_10bit in libavfilter/vf_vmafmotion.c, which could let a remote malicious user cause a Denial of Service. | 4.3 |
2021-05-26 | CVE-2020-22021 | Ffmpeg Debian | Classic Buffer Overflow vulnerability in multiple products Buffer Overflow vulnerability in FFmpeg 4.2 at filter_edges function in libavfilter/vf_yadif.c, which could let a remote malicious user cause a Denial of Service. | 4.3 |
2021-05-26 | CVE-2021-22739 | Schneider Electric | Information Exposure vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware Information Exposure vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could cause a device to be compromised when it is first configured. | 4.3 |
2021-05-26 | CVE-2018-16499 | Versa Networks | Inadequate Encryption Strength vulnerability in Versa-Networks Versa Operating System In VOS compromised, an attacker at network endpoints can possibly view communications between an unsuspecting user and the service using man-in-the-middle attacks. | 4.3 |
2021-05-26 | CVE-2020-18221 | Typora | Cross-site Scripting vulnerability in Typora Cross Site Scripting (XSS) in Typora v0.9.65 and earlier allows remote attackers to execute arbitrary code by injecting commands during block rendering of a mathematical formula. | 4.3 |
2021-05-26 | CVE-2021-26032 | Joomla | Cross-site Scripting vulnerability in Joomla Joomla! An issue was discovered in Joomla! 3.0.0 through 3.9.26. | 4.3 |
2021-05-26 | CVE-2021-26033 | Joomla | Cross-Site Request Forgery (CSRF) vulnerability in Joomla Joomla! An issue was discovered in Joomla! 3.0.0 through 3.9.26. | 4.3 |
2021-05-26 | CVE-2021-26034 | Joomla | Cross-Site Request Forgery (CSRF) vulnerability in Joomla Joomla! An issue was discovered in Joomla! 3.0.0 through 3.9.26. | 4.3 |
2021-05-25 | CVE-2021-27821 | Openwrt | Cross-site Scripting vulnerability in Openwrt Luci The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution. | 4.3 |
2021-05-24 | CVE-2021-30082 | Gris CMS Project | Cross-site Scripting vulnerability in Gris CMS Project Gris CMS 0.1 An issue was discovered in Gris CMS v0.1. | 4.3 |
2021-05-24 | CVE-2021-30083 | Webfairy | Cross-site Scripting vulnerability in Webfairy Mediat 1.4.1 An issue was discovered in Mediat 1.4.1. | 4.3 |
2021-05-24 | CVE-2021-20386 | IBM | Cross-site Scripting vulnerability in IBM Security Guardium 11.2 IBM Security Guardium 11.2 is vulnerable to cross-site scripting. | 4.3 |
2021-05-24 | CVE-2020-25408 | College Management System Project | Cross-Site Request Forgery (CSRF) vulnerability in College Management System Project College Management System 1.0 A Cross-Site Request Forgery (CSRF) vulnerability exists in ProjectWorlds College Management System Php 1.0 that allows a remote attacker to modify, delete, or make a new entry of the student, faculty, teacher, subject, scores, location, and article data. | 4.3 |
2021-05-24 | CVE-2020-25411 | Online Examination System Project | Cross-Site Request Forgery (CSRF) vulnerability in Online Examination System Project Online Examination System 1.0 Projectworlds Online Examination System 1.0 is vulnerable to CSRF, which allows a remote attacker to delete the existing user. | 4.3 |
2021-05-24 | CVE-2020-26006 | Online Examination System Project | Cross-site Scripting vulnerability in Online Examination System Project Online Examination System 1.0 Project Worlds Online Examination System 1.0 is affected by Cross Site Scripting (XSS) via account.php. | 4.3 |
2021-05-24 | CVE-2020-28903 | Nagios | Cross-site Scripting vulnerability in Nagios Fusion Improper input validation in Nagios Fusion 4.1.8 and earlier allows a remote attacker with control over a fused server to inject arbitrary HTML, aka XSS. | 4.3 |
2021-05-24 | CVE-2021-24294 | Mlfactory | Cross-site Scripting vulnerability in ONE for WP The dsgvoaio_write_log AJAX action of the DSGVO All in one for WP WordPress plugin before 4.0 did not sanitise or escape some POST parameter submitted before outputting them in the Log page in the administrator dashboard (wp-admin/admin.php?page=dsgvoaiofree-show-log). | 4.3 |
2021-05-24 | CVE-2021-24297 | Boostifythemes | Cross-site Scripting vulnerability in Boostifythemes Goto 2.0 The Goto WordPress theme before 2.1 did not properly sanitize the formvalue JSON POST parameter in its tl_filter AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability. | 4.3 |
2021-05-24 | CVE-2021-24298 | Ibenic | Cross-site Scripting vulnerability in Ibenic Simple Giveaways The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS | 4.3 |
2021-05-24 | CVE-2021-24300 | Pickplugins | Cross-site Scripting vulnerability in Pickplugins Product Slider for Woocommerce The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue | 4.3 |
2021-05-24 | CVE-2021-24305 | Targetfirst | Cross-site Scripting vulnerability in Targetfirst Watcheezy 2.0 The Target First WordPress Plugin v2.0, also previously known as Watcheezy, suffers from a critical unauthenticated stored XSS vulnerability. | 4.3 |
2021-05-24 | CVE-2021-25938 | Arangodb | Cross-site Scripting vulnerability in Arangodb In ArangoDB, versions v2.2.6.2 through v3.7.10 are vulnerable to Cross-Site Scripting (XSS), since there is no validation of the .zip file name and filtering of potential abusive characters which zip files can be named to. | 4.3 |
2021-05-24 | CVE-2021-33496 | Dutchcoders | Cross-site Scripting vulnerability in Dutchcoders Transfer.Sh Dutchcoders transfer.sh before 1.2.4 allows XSS via an inline view. | 4.3 |
2021-05-24 | CVE-2021-20723 | Mailform01 Project | Cross-site Scripting vulnerability in Mailform01 Project Mailform01 Reflected cross-site scripting vulnerability in [MailForm01] free edition (versions which the last updated date listed at the top of descriptions in the program file is from 2014 December 12 to 2018 July 27) allows a remote attacker to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-05-24 | CVE-2021-20724 | Telop01 Project | Cross-site Scripting vulnerability in Telop01 Project Telop01 Reflected cross-site scripting vulnerability in the admin page of [Telop01] free edition ver1.0.1 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-05-24 | CVE-2021-20725 | Calendar01 Project | Cross-site Scripting vulnerability in Calendar01 Project Calendar01 1.0.0/1.0.1 Reflected cross-site scripting vulnerability in the admin page of [Calendar01] free edition ver1.0.1 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors. | 4.3 |
2021-05-24 | CVE-2020-26558 | Bluetooth Fedoraproject Debian Linux Intel | Improper Authentication vulnerability in multiple products Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. | 4.2 |
2021-05-28 | CVE-2021-29507 | Genivi | Unspecified vulnerability in Genivi Diagnostic LOG and Trace GENIVI Diagnostic Log and Trace (DLT) provides a log and trace interface. | 4.0 |
2021-05-28 | CVE-2021-32620 | Xwiki | Incorrect Authorization vulnerability in Xwiki XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. | 4.0 |
2021-05-28 | CVE-2021-21734 | ZTE | Cleartext Storage of Sensitive Information vulnerability in ZTE products Some PON MDU devices of ZTE stored sensitive information in plaintext, and users with login authority can obtain it by inputing command. | 4.0 |
2021-05-27 | CVE-2021-33408 | Abinitio | Cleartext Transmission of Sensitive Information vulnerability in Abinitio Control>Center 4.0.3.0 Local File Inclusion vulnerability in Ab Initio Control>Center before 4.0.2.6 allows remote attackers to retrieve arbitrary files. | 4.0 |
2021-05-27 | CVE-2020-14301 | Redhat Netapp | Improper Cross-boundary Removal of Sensitive Data vulnerability in multiple products An information disclosure vulnerability was found in libvirt in versions before 6.3.0. | 4.0 |
2021-05-27 | CVE-2020-1701 | Kubevirt | Incorrect Permission Assignment for Critical Resource vulnerability in Kubevirt A flaw was found in the KubeVirt main virt-handler versions before 0.26.0 regarding the access permissions of virt-handler. | 4.0 |
2021-05-27 | CVE-2020-10701 | Redhat | Missing Authorization vulnerability in Redhat Libvirt A missing authorization flaw was found in the libvirt API responsible for changing the QEMU agent response timeout. | 4.0 |
2021-05-27 | CVE-2021-22358 | Huawei | Improper Input Validation vulnerability in Huawei Fusioncompute 8.0.0 There is an insufficient input validation vulnerability in FusionCompute 8.0.0. | 4.0 |
2021-05-27 | CVE-2021-22360 | Huawei | Allocation of Resources Without Limits or Throttling vulnerability in Huawei Usg9500 Firmware V500R001C60Spc500/V500R005C00Spc100/V500R005C00Spc200 There is a resource management error vulnerability in the verisions V500R001C60SPC500, V500R005C00SPC100, V500R005C00SPC200 of USG9500. | 4.0 |
2021-05-27 | CVE-2021-22411 | Huawei | Out-of-bounds Write vulnerability in Huawei products There is an out-of-bounds write vulnerability in some Huawei products. | 4.0 |
2021-05-27 | CVE-2021-31920 | Istio | Use of Incorrectly-Resolved Name or Reference vulnerability in Istio Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used. | 4.0 |
2021-05-27 | CVE-2021-33586 | Inspircd | Incorrect Permission Assignment for Critical Resource vulnerability in Inspircd 3.8.0/3.8.1/3.9.0 InspIRCd 3.8.0 through 3.9.x before 3.10.0 allows any user (able to connect to the server) to access recently deallocated memory, aka the "malformed PONG" issue. | 4.0 |
2021-05-26 | CVE-2020-25724 | Redhat Quarkus | Unsynchronized Access to Shared Data in a Multithreaded Context vulnerability in multiple products A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided. | 4.0 |
2021-05-26 | CVE-2021-25643 | Couchbase | Cleartext Transmission of Sensitive Information vulnerability in Couchbase Server An issue was discovered in Couchbase Server 5.x and 6.x before 6.5.2 and 6.6.x before 6.6.2. | 4.0 |
2021-05-26 | CVE-2021-22740 | Schneider Electric | Information Exposure vulnerability in Schneider-Electric Homelynk Firmware and Spacelynk Firmware Information Exposure vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could cause information to be exposed when an unauthorized file is uploaded. | 4.0 |
2021-05-26 | CVE-2021-20486 | IBM | Information Exposure vulnerability in IBM Cloud PAK for Data 3.0 IBM Cloud Pak for Data 3.0 could allow an authenticated user to obtain sensitive information when installed with additional plugins. | 4.0 |
2021-05-26 | CVE-2020-26679 | Vfairs | Authorization Bypass Through User-Controlled Key vulnerability in Vfairs 3.3 vFairs 3.3 is affected by Insecure Permissions. | 4.0 |
2021-05-25 | CVE-2020-20453 | Ffmpeg Debian | Divide By Zero vulnerability in multiple products FFmpeg 4.2 is affected by a Divide By Zero issue via libavcodec/aaccoder, which allows a remote malicious user to cause a Denial of Service | 4.0 |
2021-05-25 | CVE-2020-20445 | Ffmpeg Debian | Divide By Zero vulnerability in multiple products FFmpeg 4.2 is affected by a Divide By Zero issue via libavcodec/lpc.h, which allows a remote malicious user to cause a Denial of Service. | 4.0 |
2021-05-25 | CVE-2020-20446 | Ffmpeg Debian | Divide By Zero vulnerability in multiple products FFmpeg 4.2 is affected by a Divide By Zero issue via libavcodec/aacpsy.c, which allows a remote malicious user to cause a Denial of Service. | 4.0 |
2021-05-25 | CVE-2020-20448 | Ffmpeg | Divide By Zero vulnerability in Ffmpeg 4.1.3 FFmpeg 4.1.3 is affected by a Divide By Zero issue via libavcodec/ratecontrol.c, which allows a remote malicious user to cause a Denial of Service. | 4.0 |
2021-05-25 | CVE-2020-4839 | IBM | Out-of-bounds Write vulnerability in IBM products IBM Host firmware for LC-class Systems is vulnerable to a stack based buffer overflow, caused by improper bounds checking. | 4.0 |
2021-05-24 | CVE-2020-28911 | Nagios | Insecure Storage of Sensitive Information vulnerability in Nagios Fusion Incorrect Access Control in Nagios Fusion 4.1.8 and earlier allows low-privileged authenticated users to extract passwords used to manage fused servers via the test_server command in ajaxhelper.php. | 4.0 |
2021-05-24 | CVE-2021-3559 | Redhat Netapp | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A flaw was found in libvirt in the virConnectListAllNodeDevices API in versions before 7.0.0. | 4.0 |
2021-05-24 | CVE-2021-21001 | Wago | Path Traversal vulnerability in Wago products On WAGO PFC200 devices in different firmware versions with special crafted packets an authorised attacker with network access to the device can access the file system with higher privileges. | 4.0 |
62 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-05-28 | CVE-2021-32539 | Hundredplus | Cross-site Scripting vulnerability in Hundredplus 101Eip 200925 Add event in calendar function in the 101EIP system does not filter special characters in specific fields, which allows remote authenticated users to inject JavaScript and perform a stored XSS attack. | 3.5 |
2021-05-28 | CVE-2021-32540 | Hundredplus | Cross-site Scripting vulnerability in Hundredplus 101Eip 200925 Add announcement function in the 101EIP system does not filter special characters, which allows authenticated users to inject JavaScript and perform a stored XSS attack. | 3.5 |
2021-05-27 | CVE-2020-18229 | Phpmywind | Cross-site Scripting vulnerability in PHPmywind 5.5 Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_copyright" of component " /admin/web_config.php". | 3.5 |
2021-05-27 | CVE-2020-18230 | Phpmywind | Cross-site Scripting vulnerability in PHPmywind 5.5 Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_switchshow" of component " /admin/web_config.php". | 3.5 |
2021-05-26 | CVE-2020-27839 | Redhat | Insufficiently Protected Credentials vulnerability in Redhat Ceph A flaw was found in ceph-dashboard. | 3.5 |
2021-05-26 | CVE-2020-26680 | Vfairs | Cross-site Scripting vulnerability in Vfairs 3.3 In vFairs 3.3, any user logged in to a vFairs virtual conference or event can modify any other users profile information to include a cross-site scripting payload. | 3.5 |
2021-05-26 | CVE-2021-27676 | Centreon | Cross-site Scripting vulnerability in Centreon 20.10.2 Centreon version 20.10.2 is affected by a cross-site scripting (XSS) vulnerability. | 3.5 |
2021-05-26 | CVE-2021-29252 | RSA | Cross-site Scripting vulnerability in RSA Archer RSA Archer before 6.9 SP1 P1 (6.9.1.1) contains a stored XSS vulnerability. | 3.5 |
2021-05-25 | CVE-2021-25934 | Opennms | Cross-site Scripting vulnerability in Opennms Horizon and Meridian In OpenNMS Horizon, versions opennms-18.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `createRequisitionedNode()` does not perform any validation checks on the input sent to the `node-label` parameter. | 3.5 |
2021-05-25 | CVE-2021-25935 | Opennms | Cross-site Scripting vulnerability in Opennms Horizon and Meridian In OpenNMS Horizon, versions opennms-17.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `add()` performs improper validation checks on the input sent to the `foreign-source` parameter. | 3.5 |
2021-05-25 | CVE-2021-29208 | HP | Injection vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5 A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | 3.5 |
2021-05-25 | CVE-2021-29209 | HP | Injection vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5 A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | 3.5 |
2021-05-25 | CVE-2021-29210 | HP | Injection vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5 A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | 3.5 |
2021-05-25 | CVE-2021-29211 | HP | Cross-site Scripting vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5 A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | 3.5 |
2021-05-25 | CVE-2021-29201 | HP | Cross-site Scripting vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5 A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | 3.5 |
2021-05-25 | CVE-2021-29204 | HP | Cross-site Scripting vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5 A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | 3.5 |
2021-05-25 | CVE-2021-29205 | HP | Cross-site Scripting vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5 A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | 3.5 |
2021-05-25 | CVE-2021-29206 | HP | Cross-site Scripting vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5 A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | 3.5 |
2021-05-25 | CVE-2021-29207 | HP | Cross-site Scripting vulnerability in HP Integrated Lights-Out 4 and Integrated Lights-Out 5 A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78. | 3.5 |
2021-05-24 | CVE-2021-33561 | Shopizer | Cross-site Scripting vulnerability in Shopizer A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. | 3.5 |
2021-05-24 | CVE-2021-33562 | Shopizer | Cross-site Scripting vulnerability in Shopizer A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/ref= URL. | 3.5 |
2021-05-24 | CVE-2021-32624 | Keystonejs | Information Exposure vulnerability in Keystonejs Keystone-5 Keystone 5 is an open source CMS platform to build Node.js applications. | 3.5 |
2021-05-24 | CVE-2021-24296 | Gowebsolutions | Cross-site Scripting vulnerability in Gowebsolutions WP Customer Reviews The WP Customer Reviews WordPress plugin before 3.5.6 did not sanitise some of its settings, allowing high privilege users such as administrators to set XSS payloads in them which will then be triggered in pages where reviews are enabled | 3.5 |
2021-05-24 | CVE-2021-24301 | Bluemedicinelabs | Cross-site Scripting vulnerability in Bluemedicinelabs Hotjar Connecticator 1.1.1 The Hotjar Connecticator WordPress plugin through 1.1.1 is vulnerable to Stored Cross-Site Scripting (XSS) in the 'hotjar script' textarea. | 3.5 |
2021-05-24 | CVE-2021-24302 | Neox | Cross-site Scripting vulnerability in Neox Hana FLV Player The Hana Flv Player WordPress plugin through 3.1.3 is vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the 'Default Skin' field. | 3.5 |
2021-05-24 | CVE-2021-24308 | Lifterlms | Cross-site Scripting vulnerability in Lifterlms The 'State' field of the Edit profile page of the LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.1 is not properly sanitised when output in the About section of the profile page, leading to a stored Cross-Site Scripting issue. | 3.5 |
2021-05-28 | CVE-2021-20239 | Linux Redhat Fedoraproject | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. | 3.3 |
2021-05-25 | CVE-2020-10066 | Zephyrproject | NULL Pointer Dereference vulnerability in Zephyrproject Zephyr Incorrect Error Handling in Bluetooth HCI core. | 3.3 |
2021-05-25 | CVE-2020-10069 | Zephyrproject | Unspecified vulnerability in Zephyrproject Zephyr Zephyr Bluetooth unchecked packet data results in denial of service. | 3.3 |
2021-05-24 | CVE-2020-26556 | Bluetooth | Improper Restriction of Excessive Authentication Attempts vulnerability in Bluetooth Core Specification and Mesh Profile Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, able to conduct a successful brute-force attack on an insufficiently random AuthValue before the provisioning procedure times out, to complete authentication by leveraging Malleable Commitment. | 2.9 |
2021-05-24 | CVE-2020-26557 | Bluetooth | Improper Authentication vulnerability in Bluetooth Mesh Profile 1.0.0/1.0.1 Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (without possession of the AuthValue used in the provisioning protocol) to determine the AuthValue via a brute-force attack (unless the AuthValue is sufficiently random and changed each time). | 2.9 |
2021-05-28 | CVE-2020-1729 | Redhat | Incorrect Authorization vulnerability in Redhat Smallrye Config A flaw was found in SmallRye's API through version 1.6.1. | 2.1 |
2021-05-28 | CVE-2020-35504 | Qemu Fedoraproject Debian | NULL Pointer Dereference vulnerability in multiple products A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. | 2.1 |
2021-05-28 | CVE-2020-35505 | Qemu Debian | NULL Pointer Dereference vulnerability in multiple products A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. | 2.1 |
2021-05-27 | CVE-2020-14327 | Redhat | Server-Side Request Forgery (SSRF) vulnerability in Redhat Ansible Tower A Server-side request forgery (SSRF) flaw was found in Ansible Tower in versions before 3.6.5 and before 3.7.2. | 2.1 |
2021-05-27 | CVE-2020-14328 | Redhat | Server-Side Request Forgery (SSRF) vulnerability in Redhat Ansible Tower A flaw was found in Ansible Tower in versions before 3.7.2. | 2.1 |
2021-05-27 | CVE-2020-14329 | Redhat | Information Exposure vulnerability in Redhat Ansible Tower A data exposure flaw was found in Ansible Tower in versions before 3.7.2, where sensitive data can be exposed from the /api/v2/labels/ endpoint. | 2.1 |
2021-05-27 | CVE-2020-10698 | Redhat | Unspecified vulnerability in Redhat Ansible Tower A flaw was found in Ansible Tower when running jobs. | 2.1 |
2021-05-27 | CVE-2020-10729 | Redhat Debian | Use of Insufficiently Random Values vulnerability in multiple products A flaw was found in the use of insufficiently random values in Ansible. | 2.1 |
2021-05-27 | CVE-2020-10774 | Linux | Buffer Access with Incorrect Length Value vulnerability in Linux Kernel A memory disclosure flaw was found in the Linux kernel's versions before 4.18.0-193.el8 in the sysctl subsystem when reading the /proc/sys/kernel/rh_features file. | 2.1 |
2021-05-27 | CVE-2008-2544 | Linux | Exposure of Resource to Wrong Sphere vulnerability in Linux Kernel Mounting /proc filesystem via chroot command silently mounts it in read-write mode. | 2.1 |
2021-05-27 | CVE-2021-22364 | Huawei | Unspecified vulnerability in Huawei Mate 30 5G Firmware and Mate 30 Firmware There is a denial of service vulnerability in the versions 10.1.0.126(C00E125R5P3) of HUAWEI Mate 30 and 10.1.0.152(C00E136R7P2) of HUAWEI Mate 30 (5G) . | 2.1 |
2021-05-27 | CVE-2021-31153 | Please Project | Unspecified vulnerability in Please Project Please please before 0.4 allows a local unprivileged attacker to gain knowledge about the existence of files or directories in privileged locations via the search_path function, the --check option, or the -d option. | 2.1 |
2021-05-26 | CVE-2021-20177 | Linux | Out-of-bounds Read vulnerability in Linux Kernel A flaw was found in the Linux kernel's implementation of string matching within a packet. | 2.1 |
2021-05-26 | CVE-2021-20297 | Gnome Redhat Fedoraproject | Improper Input Validation vulnerability in multiple products A flaw was found in NetworkManager in versions before 1.30.0. | 2.1 |
2021-05-26 | CVE-2021-22742 | Schneider Electric | Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex Model 3009 MP installed on Tricon V11.3.x systems that could cause module reset when TCM receives malformed TriStation packets while the write-protect keyswitch is in the program position. | 2.1 |
2021-05-26 | CVE-2021-22743 | Schneider Electric | Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex TCM 4351B installed on Tricon V11.3.x systems that could cause module reset when TCM receives malformed TriStation packets while the write-protect keyswitch is in the program position. | 2.1 |
2021-05-26 | CVE-2021-22744 | Schneider Electric | Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex Model 3009 MP installed on Tricon V11.3.x systems that could cause module reset when TCM receives malformed TriStation packets while the write-protect keyswitch is in the program position. | 2.1 |
2021-05-26 | CVE-2021-22745 | Schneider Electric | Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex Model 3009 MP installed on Tricon V11.3.x systems that could cause module reset when TCM receives malformed TriStation packets while the write-protect keyswitch is in the program position. | 2.1 |
2021-05-26 | CVE-2021-22746 | Schneider Electric | Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex Model 3009 MP installed on Tricon V11.3.x systems that could cause module reset when TCM receives malformed TriStation packets while the write-protect keyswitch is in the program position. | 2.1 |
2021-05-26 | CVE-2021-22747 | Schneider Electric | Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex Model 3009 MP installed on Tricon V11.3.x systems that could cause module reset when TCM receives malformed TriStation packets while the write-protect keyswitch is in the program position. | 2.1 |
2021-05-26 | CVE-2018-16498 | Versa Networks | Cleartext Storage of Sensitive Information vulnerability in Versa-Networks Versa Director In Versa Director, the unencrypted backup files stored on the Versa deployment contain credentials stored within configuration files. | 2.1 |
2021-05-26 | CVE-2019-25030 | Versa Networks | Insufficiently Protected Credentials vulnerability in Versa-Networks products In Versa Director, Versa Analytics and VOS, Passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. | 2.1 |
2021-05-26 | CVE-2021-29253 | RSA | Insufficiently Protected Credentials vulnerability in RSA Archer The Tableau integration in RSA Archer 6.4 P1 (6.4.0.1) through 6.9 P2 (6.9.0.2) is affected by an insecure credential storage vulnerability. | 2.1 |
2021-05-25 | CVE-2020-13599 | Zephyrproject | Incorrect Default Permissions vulnerability in Zephyrproject Zephyr Security problem with settings and littlefs. | 2.1 |
2021-05-25 | CVE-2020-13602 | Zephyrproject | Infinite Loop vulnerability in Zephyrproject Zephyr Remote Denial of Service in LwM2M do_write_op_tlv. | 2.1 |
2021-05-25 | CVE-2021-32638 | Github | Information Exposure vulnerability in Github Codeql Action Github's CodeQL action is provided to run CodeQL-based code scanning on non-GitHub CI/CD systems and requires a GitHub access token to connect to a GitHub repository. | 2.1 |
2021-05-25 | CVE-2020-9451 | Acronis | Incorrect Default Permissions vulnerability in Acronis True Image 2020 24.5.22510 An issue was discovered in Acronis True Image 2020 24.5.22510. | 2.1 |
2021-05-24 | CVE-2021-20389 | IBM | Insufficiently Protected Credentials vulnerability in IBM Security Guardium 11.2 IBM Security Guardium 11.2 stores user credentials in plain clear text which can be read by a local user. | 2.1 |
2021-05-24 | CVE-2021-21987 | Vmware | Out-of-bounds Read vulnerability in VMWare Horizon Client and Workstation VMware Workstation (16.x prior to 16.1.2) and Horizon Client for Windows (5.x prior to 5.5.2) contain out-of-bounds read vulnerability in the Cortado ThinPrint component (TTC Parser). | 2.1 |
2021-05-24 | CVE-2021-21988 | Vmware | Out-of-bounds Read vulnerability in VMWare Horizon Client and Workstation VMware Workstation (16.x prior to 16.1.2) and Horizon Client for Windows (5.x prior to 5.5.2) contain out-of-bounds read vulnerability in the Cortado ThinPrint component (JPEG2000 Parser). | 2.1 |
2021-05-24 | CVE-2021-21989 | Vmware | Out-of-bounds Read vulnerability in VMWare Horizon Client and Workstation VMware Workstation (16.x prior to 16.1.2) and Horizon Client for Windows (5.x prior to 5.5.2) contain out-of-bounds read vulnerability in the Cortado ThinPrint component (TTC Parser). | 2.1 |