Weekly Vulnerabilities Reports > June 28 to July 4, 2021

Overview

319 new vulnerabilities reported during this period, including 21 critical vulnerabilities and 43 high severity vulnerabilities. This weekly summary report vulnerabilities in 360 products from 129 vendors including Huawei, Adobe, Fedoraproject, IBM, and Nvidia. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Use After Free", "Out-of-bounds Read", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".

  • 277 reported vulnerabilities are remotely exploitables.
  • 4 reported vulnerabilities have public exploit available.
  • 105 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 224 reported vulnerabilities are exploitable by an anonymous user.
  • Huawei has the most reported vulnerabilities, with 31 reported vulnerabilities.
  • Adobe has the most reported critical vulnerabilities, with 8 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

21 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-06-30 CVE-2021-22323 Huawei Missing Release of Resource after Effective Lifetime vulnerability in Huawei Emui and Magic UI

There is an Integer Overflow Vulnerability in Huawei Smartphone.

10.0
2021-06-30 CVE-2021-35973 Netgear Incorrect Comparison vulnerability in Netgear Wac104 Firmware 1.0.4.13

NETGEAR WAC104 devices before 1.0.4.15 are affected by an authentication bypass vulnerability in /usr/sbin/mini_httpd, allowing an unauthenticated attacker to invoke any action by adding the &currentsetting.htm substring to the HTTP query, a related issue to CVE-2020-27866.

10.0
2021-06-29 CVE-2020-7868 Helpu Unspecified vulnerability in Helpu 2020.6.27.1

A remote code execution vulnerability exists in helpUS(remote administration tool) due to improper validation of parameter of ShellExecutionExA function used for login.

10.0
2021-06-30 CVE-2019-18906 Opensuse Improper Authentication vulnerability in Opensuse Cryptctl

A Improper Authentication vulnerability in cryptctl of SUSE Linux Enterprise Server for SAP 12-SP5, SUSE Manager Server 4.0 allows attackers with access to the hashed password to use it without having to crack it.

9.8
2021-06-30 CVE-2021-22369 Huawei Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Huawei Emui and Magic UI

There is a Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability in Huawei Smartphone.

9.3
2021-06-29 CVE-2021-22439 Huawei Deserialization of Untrusted Data vulnerability in Huawei Anyoffice V200R006C10

There is a deserialization vulnerability in Huawei AnyOffice V200R006C10.

9.3
2021-06-28 CVE-2021-21090 Adobe Path Traversal vulnerability in Adobe Incopy 15.1.3/16.0

Adobe InCopy version 16.0 (and earlier) is affected by an path traversal vulnerability when parsing a crafted file.

9.3
2021-06-28 CVE-2021-21098 Adobe Out-of-bounds Write vulnerability in Adobe Indesign

Adobe InDesign version 16.0 (and earlier) is affected by an Out-of-bounds Write vulnerability when parsing a crafted file.

9.3
2021-06-28 CVE-2021-21099 Adobe Out-of-bounds Write vulnerability in Adobe Indesign

Adobe InDesign version 16.0 (and earlier) is affected by an Out-of-bounds Write vulnerability when parsing a crafted file.

9.3
2021-06-28 CVE-2021-21101 Adobe Out-of-bounds Write vulnerability in Adobe Illustrator

Adobe Illustrator version 25.2 (and earlier) is affected by an Out-of-bounds Write vulnerability when parsing a specially crafted file.

9.3
2021-06-28 CVE-2021-21102 Adobe Path Traversal vulnerability in Adobe Illustrator

Adobe Illustrator version 25.2 (and earlier) is affected by a Path Traversal vulnerability when parsing a specially crafted file.

9.3
2021-06-28 CVE-2021-28570 Adobe Uncontrolled Search Path Element vulnerability in Adobe After Effects

Adobe After Effects version 18.1 (and earlier) is affected by an Uncontrolled Search Path element vulnerability.

9.3
2021-06-28 CVE-2021-28586 Adobe Out-of-bounds Write vulnerability in Adobe After Effects

After Effects version 18.0 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

9.3
2021-06-28 CVE-2021-20745 Inkdrop OS Command Injection vulnerability in Inkdrop

Inkdrop versions prior to v5.3.1 allows an attacker to execute arbitrary OS commands on the system where it runs by loading a file or code snippet containing an invalid iframe into Inkdrop.

9.3
2021-06-29 CVE-2021-31838 Mcafee OS Command Injection vulnerability in Mcafee Mvision EDR 3.2.0/3.3.0

A command injection vulnerability in MVISION EDR (MVEDR) prior to 3.4.0 allows an authenticated MVEDR administrator to trigger the EDR client to execute arbitrary commands through PowerShell using the EDR functionality 'execute reaction'.

9.1
2021-07-02 CVE-2021-34527 Microsoft Improper Privilege Management vulnerability in Microsoft products

Windows Print Spooler Remote Code Execution Vulnerability

9.0
2021-07-01 CVE-2020-27362 Akkadianlabs Incorrect Authorization vulnerability in Akkadianlabs Akkadian Provisioning Manager 4.50.02

An issue exists within the SSH console of Akkadian Provisioning Manager 4.50.02 which allows a low-level privileged user to escape the web configuration file editor and escalate privileges.

9.0
2021-06-30 CVE-2021-30648 Broadcom Improper Authentication vulnerability in Broadcom products

The Symantec Advanced Secure Gateway (ASG) and ProxySG web management consoles are susceptible to an authentication bypass vulnerability.

9.0
2021-06-29 CVE-2020-7869 Mastersoft Improper Input Validation vulnerability in Mastersoft Zook 2.0.4.6

An improper input validation vulnerability of ZOOK software (remote administration tool) could allow a remote attacker to create arbitrary file.

9.0
2021-06-28 CVE-2021-28588 Adobe Path Traversal vulnerability in Adobe Robohelp Server

Adobe RoboHelp Server version 2019.0.9 (and earlier) is affected by a Path Traversal vulnerability when parsing a crafted HTTP POST request.

9.0
2021-06-28 CVE-2021-20740 Hitachi
NEC
OS Command Injection vulnerability in multiple products

Hitachi Virtual File Platform Versions prior to 5.5.3-09 and Versions prior to 6.4.3-09, and NEC Storage M Series NAS Gateway Nh4a/Nh8a versions prior to FOS 5.5.3-08(NEC2.5.4a) and Nh4b/Nh8b, Nh4c/Nh8c versions prior to FOS 6.4.3-08(NEC3.4.2) allow remote authenticated attackers to execute arbitrary OS commands with root privileges via unspecified vectors.

9.0

43 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-06-30 CVE-2021-22349 Huawei Improper Input Validation vulnerability in Huawei Emui and Magic UI

There is an Input Verification Vulnerability in Huawei Smartphone.

7.8
2021-06-30 CVE-2021-22350 Huawei Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Huawei Emui and Magic UI

There is a Memory Buffer Improper Operation Limit Vulnerability in Huawei Smartphone.

7.8
2021-06-30 CVE-2021-22353 Huawei Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Huawei Emui and Magic UI

There is a Memory Buffer Improper Operation Limit Vulnerability in Huawei Smartphone.

7.8
2021-06-30 CVE-2021-25321 Suse Link Following vulnerability in Suse Arpwatch 2.1A15/2.1A15169.5/2.1A15Lp152.5.5

A UNIX Symbolic Link (Symlink) Following vulnerability in arpwatch of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Factory, Leap 15.2 allows local attackers with control of the runtime user to run arpwatch as to escalate to root upon the next restart of arpwatch.

7.8
2021-06-29 CVE-2021-21871 Poweriso Out-of-bounds Write vulnerability in Poweriso 7.9

A memory corruption vulnerability exists in the DMG File Format Handler functionality of PowerISO 7.9.

7.8
2021-07-02 CVE-2021-35209 Zimbra Server-Side Request Forgery (SSRF) vulnerability in Zimbra Collaboration

An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.x before 9.0.0 Patch 16.

7.5
2021-07-02 CVE-2021-23403 TS Nodash Project Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Ts-Nodash Project Ts-Nodash

All versions of package ts-nodash are vulnerable to Prototype Pollution via the Merge() function due to lack of validation input.

7.5
2021-07-02 CVE-2021-23402 Record Like Deep Assign Project Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Record-Like-Deep-Assign Project Record-Like-Deep-Assign

All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality.

7.5
2021-07-02 CVE-2021-36126 Mediawiki Unspecified vulnerability in Mediawiki

An issue was discovered in the AbuseFilter extension in MediaWiki through 1.36.

7.5
2021-07-02 CVE-2021-36128 Mediawiki Improper Handling of Exceptional Conditions vulnerability in Mediawiki

An issue was discovered in the CentralAuth extension in MediaWiki through 1.36.

7.5
2021-07-02 CVE-2021-35029 Zyxel Improper Authentication vulnerability in Zyxel products

An authentication bypasss vulnerability in the web-based management interface of Zyxel USG/Zywall series firmware versions 4.35 through 4.64 and USG Flex, ATP, and VPN series firmware versions 4.35 through 5.01, which could allow a remote attacker to execute arbitrary commands on an affected device.

7.5
2021-07-02 CVE-2021-35042 Djangoproject
Fedoraproject
SQL Injection vulnerability in multiple products

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.

7.5
2021-07-01 CVE-2021-27477 Jtekt Out-of-bounds Write vulnerability in Jtekt products

When JTEKT Corporation TOYOPUC PLC versions PC10G-CPU, 2PORT-EFR, Plus CPU, Plus EX, Plus EX2, Plus EFR, Plus EFR2, Plus 2P-EFR, PC10P-DP, PC10P-DP-IO, Plus BUS-EX, Nano 10GX, Nano 2ET,PC10PE, PC10PE-16/16P, PC10E, FL/ET-T-V2H, PC10B,PC10B-P, Nano CPU, PC10P, and PC10GE receive an invalid frame, the outside area of a receive buffer for FL-net are overwritten.

7.5
2021-07-01 CVE-2021-35336 Tieline Insecure Default Initialization of Resource vulnerability in Tieline IP Audtio Gateway Firmware 2.6.4.8

Tieline IP Audio Gateway 2.6.4.8 and below is affected by Incorrect Access Control.

7.5
2021-07-01 CVE-2018-25017 Rawspeed Out-of-bounds Write vulnerability in Rawspeed 3.1

RawSpeed (aka librawspeed) 3.1 has a heap-based buffer overflow in TableLookUp::setTable.

7.5
2021-07-01 CVE-2020-36400 Zeromq Out-of-bounds Write vulnerability in Zeromq Libzmq 4.3.3

ZeroMQ libzmq 4.3.3 has a heap-based buffer overflow in zmq::tcp_read, a different vulnerability than CVE-2021-20235.

7.5
2021-07-01 CVE-2021-36088 Treasuredata Double Free vulnerability in Treasuredata Fluent BIT 1.7.0

Fluent Bit (aka fluent-bit) 1.7.0 through 1.7,4 has a double free in flb_free (called from flb_parser_json_do and flb_parser_do).

7.5
2021-07-01 CVE-2021-28802 Qnap OS Command Injection vulnerability in Qnap QTS

A command injection vulnerabilities have been reported to affect QTS and QuTS hero.

7.5
2021-07-01 CVE-2021-28804 Qnap OS Command Injection vulnerability in Qnap QTS

A command injection vulnerabilities have been reported to affect QTS and QuTS hero.

7.5
2021-06-30 CVE-2021-22345 Huawei Improper Input Validation vulnerability in Huawei Emui and Magic UI

There is an Input Verification Vulnerability in Huawei Smartphone.

7.5
2021-06-30 CVE-2021-22348 Huawei Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Huawei Emui and Magic UI

There is a Memory Buffer Improper Operation Limit Vulnerability in Huawei Smartphone.

7.5
2021-06-30 CVE-2021-22367 Huawei Unspecified vulnerability in Huawei Emui and Magic UI

There is a Key Management Errors Vulnerability in Huawei Smartphone.

7.5
2021-06-30 CVE-2021-35971 Veeam Deserialization of Untrusted Data vulnerability in Veeam Backup & Replication 10.0

Veeam Backup and Replication 10 before 10.0.1.4854 P20210609 and 11 before 11.0.0.837 P20210507 mishandles deserialization during Microsoft .NET remoting.

7.5
2021-06-30 CVE-2021-22375 Huawei Unspecified vulnerability in Huawei Emui and Magic UI

There is a Key Management Errors Vulnerability in Huawei Smartphone.

7.5
2021-06-30 CVE-2021-27903 Craftcms Missing Authorization vulnerability in Craftcms Craft CMS

An issue was discovered in Craft CMS before 3.6.7.

7.5
2021-06-30 CVE-2021-35474 Apache
Debian
Out-of-bounds Write vulnerability in multiple products

Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server.

7.5
2021-06-29 CVE-2021-32988 Fatek Out-of-bounds Write vulnerability in Fatek Winproladder 3.28/3.30

FATEK Automation WinProladder Versions 3.30 and prior are vulnerable to an out-of-bounds write, which may allow an attacker to execute arbitrary code.

7.5
2021-06-29 CVE-2021-32990 Fatek Out-of-bounds Read vulnerability in Fatek Winproladder 3.28/3.30

FATEK Automation WinProladder Versions 3.30 and prior are vulnerable to an out-of-bounds read, which may allow an attacker to execute arbitrary code.

7.5
2021-06-29 CVE-2021-32992 Fatek Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Fatek Winproladder 3.28/3.30

FATEK Automation WinProladder Versions 3.30 and prior do not properly restrict operations within the bounds of a memory buffer, which may allow an attacker to execute arbitrary code.

7.5
2021-06-29 CVE-2021-31531 Zohocorp Server-Side Request Forgery (SSRF) vulnerability in Zohocorp Manageengine Servicedesk Plus MSP 10.5

Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF).

7.5
2021-06-29 CVE-2020-7871 Cnesty Improper Input Validation vulnerability in Cnesty Helpcom

A vulnerability of Helpcom could allow an unauthenticated attacker to execute arbitrary command.

7.5
2021-06-28 CVE-2020-23711 Naviwebs SQL Injection vulnerability in Naviwebs Navigate CMS 2.9

SQL Injection vulnerability in NavigateCMS 2.9 via the URL encoded GET input category in navigate.php.

7.5
2021-06-28 CVE-2021-34187 Chamilo SQL Injection vulnerability in Chamilo

main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter.

7.5
2021-06-28 CVE-2021-35456 Online PET Shop WEB Application Project SQL Injection vulnerability in Online PET Shop web Application Project Online PET Shop web Application 1.0

Online Pet Shop We App 1.0 is vulnerable to remote SQL injection and shell upload

7.5
2021-06-28 CVE-2021-21083 Adobe Unspecified vulnerability in Adobe Experience Manager

AEM's Cloud Service offering, as well as versions 6.5.7.0 (and below), 6.4.8.3 (and below) and 6.3.3.8 (and below) are affected by an Improper Access Control vulnerability.

7.5
2021-06-28 CVE-2021-35514 Narou Project Code Injection vulnerability in Narou Project Narou

Narou (aka Narou.rb) before 3.8.0 allows Ruby Code Injection via the title name or author name of a novel.

7.5
2021-06-28 CVE-2021-23399 Wincred Project OS Command Injection vulnerability in Wincred Project Wincred

This affects all versions of package wincred.

7.5
2021-06-30 CVE-2021-22376 Huawei Improper Privilege Management vulnerability in Huawei Harmonyos 2.0

A component of the HarmonyOS has a Improper Privilege Management vulnerability.

7.2
2021-06-29 CVE-2021-20079 Tenable Unspecified vulnerability in Tenable Nessus

Nessus versions 8.13.2 and earlier were found to contain a privilege escalation vulnerability which could allow a Nessus administrator user to upload a specially crafted file that could lead to gaining administrator privileges on the Nessus host.

7.2
2021-06-29 CVE-2021-23275 Tibco Incorrect Permission Assignment for Critical Resource vulnerability in Tibco products

The Windows Installation component of TIBCO Software Inc.'s TIBCO Enterprise Runtime for R - Server Edition, TIBCO Enterprise Runtime for R - Server Edition, TIBCO Enterprise Runtime for R - Server Edition, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Server, TIBCO Spotfire Server, TIBCO Spotfire Server, TIBCO Spotfire Statistics Services, TIBCO Spotfire Statistics Services, and TIBCO Spotfire Statistics Services contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software.

7.2
2021-06-29 CVE-2021-28830 Tibco Unspecified vulnerability in Tibco products

The TIBCO Spotfire Server and TIBCO Enterprise Runtime for R components of TIBCO Software Inc.'s TIBCO Enterprise Runtime for R - Server Edition, TIBCO Enterprise Runtime for R - Server Edition, TIBCO Enterprise Runtime for R - Server Edition, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Server, TIBCO Spotfire Server, TIBCO Spotfire Server, TIBCO Spotfire Statistics Services, TIBCO Spotfire Statistics Services, and TIBCO Spotfire Statistics Services contain a vulnerability that theoretically allows a low privileged attacker with local access on the Windows operating system to insert malicious software.

7.2
2021-06-29 CVE-2021-31505 Arlo Use of Hard-coded Credentials vulnerability in Arlo Q Plus Firmware 1.9.0.3278

This vulnerability allows attackers with physical access to escalate privileges on affected installations of Arlo Q Plus 1.9.0.3_278.

7.2
2021-06-28 CVE-2021-35523 Securepoint Improper Privilege Management vulnerability in Securepoint Openvpn-Client

Securepoint SSL VPN Client v2 before 2.0.32 on Windows has unsafe configuration handling that enables local privilege escalation to NT AUTHORITY\SYSTEM.

7.2

198 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-07-02 CVE-2021-36148 Linux Classic Buffer Overflow vulnerability in Linux Acrn

An issue was discovered in ACRN before 2.5.

6.8
2021-07-02 CVE-2021-30554 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in WebGL in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-07-02 CVE-2021-30555 Google Use After Free vulnerability in Google Chrome

Use after free in Sharing in Google Chrome prior to 91.0.4472.114 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page and user gesture.

6.8
2021-07-02 CVE-2021-30556 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in WebAudio in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-07-02 CVE-2021-30557 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in TabGroups in Google Chrome prior to 91.0.4472.114 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.

6.8
2021-07-02 CVE-2021-27412 Deltaww Out-of-bounds Read vulnerability in Deltaww Dopsoft

Delta Electronics DOPSoft Versions 4.0.10.17 and prior are vulnerable to an out-of-bounds read, which may allow an attacker to execute arbitrary code.

6.8
2021-07-01 CVE-2017-20006 Rarlab Out-of-bounds Write vulnerability in Rarlab Unrar 5.6.1.2/5.6.1.3

UnRAR 5.6.1.2 and 5.6.1.3 has a heap-based buffer overflow in Unpack::CopyString (called from Unpack::Unpack5 and CmdExtract::ExtractCurrentFile).

6.8
2021-07-01 CVE-2018-25018 Rarlab Out-of-bounds Write vulnerability in Rarlab Unrar 6.0.3

UnRAR 5.6.1.7 through 5.7.4 and 6.0.3 has an out-of-bounds write during a memcpy in QuickOpen::ReadRaw when called from QuickOpen::ReadNext.

6.8
2021-07-01 CVE-2020-36401 Mruby Double Free vulnerability in Mruby 2.1.2

mruby 2.1.2 has a double free in mrb_default_allocf (called from mrb_free and obj_free).

6.8
2021-07-01 CVE-2020-36402 Soliditylang Out-of-bounds Write vulnerability in Soliditylang Solidity 0.7.5

Solidity 0.7.5 has a stack-use-after-return issue in smtutil::CHCSmtLib2Interface::querySolver.

6.8
2021-07-01 CVE-2020-36403 Htslib Out-of-bounds Write vulnerability in Htslib 1.10/1.10.1/1.10.2

HTSlib through 1.10.2 allows out-of-bounds write access in vcf_parse_format (called from vcf_parse and vcf_read).

6.8
2021-07-01 CVE-2020-36404 Keystone Engine Release of Invalid Pointer or Reference vulnerability in Keystone-Engine Keystone 0.9.2

Keystone Engine 0.9.2 has an invalid free in llvm_ks::SmallVectorImpl<llvm_ks::MCFixup>::~SmallVectorImpl.

6.8
2021-07-01 CVE-2020-36405 Keystone Engine Use After Free vulnerability in Keystone-Engine Keystone Engine 0.9.2

Keystone Engine 0.9.2 has a use-after-free in llvm_ks::X86Operand::getToken.

6.8
2021-07-01 CVE-2020-36406 Uwebsockets Project Out-of-bounds Write vulnerability in Uwebsockets Project Uwebsockets 18.11.0/18.12.0

** DISPUTED ** uWebSockets 18.11.0 and 18.12.0 has a stack-based buffer overflow in uWS::TopicTree::trimTree (called from uWS::TopicTree::unsubscribeAll).

6.8
2021-07-01 CVE-2020-36407 Aomedia Out-of-bounds Write vulnerability in Aomedia Libavif 0.8.0/0.8.1

libavif 0.8.0 and 0.8.1 has an out-of-bounds write in avifDecoderDataFillImageGrid.

6.8
2021-07-01 CVE-2021-36080 GNU Double Free vulnerability in GNU Libredwg

GNU LibreDWG 0.12.3.4163 through 0.12.3.4191 has a double-free in bit_chain_free (called from dwg_encode_MTEXT and dwg_encode_add_object).

6.8
2021-07-01 CVE-2021-36081 Tesseract OCR Project Use After Free vulnerability in Tesseract OCR Project Tesseract OCR 5.0.0

Tesseract OCR 5.0.0-alpha-20201231 has a one_ell_conflict use-after-free during a strpbrk call.

6.8
2021-07-01 CVE-2021-36082 Ntop Out-of-bounds Write vulnerability in Ntop Ndpi 3.4

ntop nDPI 3.4 has a stack-based buffer overflow in processClientServerHello.

6.8
2021-07-01 CVE-2021-36089 Zope Out-of-bounds Write vulnerability in Zope Grok

Grok 7.6.6 through 9.2.0 has a heap-based buffer overflow in grk::FileFormatDecompress::apply_palette_clr (called from grk::FileFormatDecompress::applyColour).

6.8
2021-06-30 CVE-2021-22352 Huawei Unspecified vulnerability in Huawei Emui and Magic UI

There is a Configuration Defect Vulnerability in Huawei Smartphone.

6.8
2021-06-29 CVE-2021-20102 Machform Cross-Site Request Forgery (CSRF) vulnerability in Machform

Machform prior to version 16 is vulnerable to cross-site request forgery due to a lack of CSRF tokens in place.

6.8
2021-06-29 CVE-2021-20104 Machform Unrestricted Upload of File with Dangerous Type vulnerability in Machform

Machform prior to version 16 is vulnerable to unauthenticated remote code execution due to insufficient sanitization of file attachments uploaded with forms through upload.php.

6.8
2021-06-29 CVE-2021-31507 Opentext Stack-based Buffer Overflow vulnerability in Opentext Brava! Desktop 16.6.3.84

This vulnerability allows remote attackers to execute arbitrary code on affected installations of OpenText Brava! Desktop 16.6.3.84.

6.8
2021-06-29 CVE-2021-31508 Opentext Out-of-bounds Write vulnerability in Opentext Brava! Desktop 16.6.3.84

This vulnerability allows remote attackers to execute arbitrary code on affected installations of OpenText Brava! Desktop 16.6.3.84.

6.8
2021-06-29 CVE-2021-31509 Opentext Out-of-bounds Write vulnerability in Opentext Brava! Desktop 16.6.3.84

This vulnerability allows remote attackers to execute arbitrary code on affected installations of OpenText Brava! Desktop 16.6.3.84.

6.8
2021-06-29 CVE-2021-31510 Opentext Out-of-bounds Read vulnerability in Opentext Brava! Desktop 16.6.4.55

This vulnerability allows remote attackers to execute arbitrary code on affected installations of OpenText Brava! Desktop Build 16.6.4.55.

6.8
2021-06-29 CVE-2021-31511 Opentext Out-of-bounds Write vulnerability in Opentext Brava! Desktop 16.6.4.55

This vulnerability allows remote attackers to execute arbitrary code on affected installations of OpenText Brava! Desktop Build 16.6.4.55.

6.8
2021-06-29 CVE-2021-31512 Opentext Out-of-bounds Read vulnerability in Opentext Brava! Desktop 16.6.4.55

This vulnerability allows remote attackers to execute arbitrary code on affected installations of OpenText Brava! Desktop Build 16.6.4.55.

6.8
2021-06-29 CVE-2021-31513 Opentext Out-of-bounds Write vulnerability in Opentext Brava! Desktop 16.6.4.55

This vulnerability allows remote attackers to execute arbitrary code on affected installations of OpenText Brava! Desktop Build 16.6.4.55.

6.8
2021-06-29 CVE-2021-31514 Opentext Out-of-bounds Write vulnerability in Opentext Brava! Desktop 16.6.4.55

This vulnerability allows remote attackers to execute arbitrary code on affected installations of OpenText Brava! Desktop Build 16.6.4.55.

6.8
2021-06-29 CVE-2021-31515 Vector35 Out-of-bounds Read vulnerability in Vector35 Binary Ninja 2.3.2660

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Vector 35 Binary Ninja 2.3.2660 (Build ID 88f343c3).

6.8
2021-06-29 CVE-2021-31516 Vector35 Use After Free vulnerability in Vector35 Binary Ninja 2.3.2660

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Vector 35 Binary Ninja 2.3.2660 (Build ID 88f343c3).

6.8
2021-06-29 CVE-2021-23400 Nodemailer Injection vulnerability in Nodemailer

The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

6.8
2021-06-28 CVE-2021-28562 Adobe Use After Free vulnerability in Adobe Acrobat DC

Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After Free vulnerability when executing search queries through Javascript.

6.8
2021-06-28 CVE-2021-31337 Siemens Missing Authentication for Critical Function vulnerability in Siemens products

The Telnet service of the SIMATIC HMI Comfort Panels system component in affected products does not require authentication, which may allow a remote attacker to gain access to the device if the service is enabled.

6.8
2021-06-30 CVE-2021-22326 Huawei Improper Privilege Management vulnerability in Huawei Harmonyos 2.0

A component of the HarmonyOS has a Privilege Dropping / Lowering Errors vulnerability.

6.6
2021-07-02 CVE-2021-32639 NSA Server-Side Request Forgery (SSRF) vulnerability in NSA Emissary

Emissary is a P2P-based, data-driven workflow engine.

6.5
2021-07-02 CVE-2021-27950 Sitasoftware SQL Injection vulnerability in Sitasoftware Azurcms 1.2.3.12

A SQL injection vulnerability in azurWebEngine in Sita AzurCMS through 1.2.3.12 allows an authenticated attacker to execute arbitrary SQL commands via the id parameter to mesdocs.ajax.php in azurWebEngine/eShop.

6.5
2021-07-01 CVE-2020-23219 Monstra Code Injection vulnerability in Monstra CMS 3.0.4

Monstra CMS 3.0.4 allows attackers to execute arbitrary code via a crafted payload entered into the "Snippet content" field under the "Edit Snippet" module.

6.5
2021-07-01 CVE-2020-4902 IBM SQL Injection vulnerability in IBM Datacap Navigator 9.1.7

IBM Datacap Taskmaster Capture (IBM Datacap Navigator 9.1.7) is vulnerable to SQL injection.

6.5
2021-07-01 CVE-2021-28423 Teachers Record Management System Project SQL Injection vulnerability in Teachers Record Management System Project Teachers Record Management System 1.0

Multiple SQL Injection vulnerabilities in Teachers Record Management System 1.0 allow remote authenticated users to execute arbitrary SQL commands via the 'editid' GET parameter in edit-subjects-detail.php, edit-teacher-detail.php, or the 'searchdata' POST parameter in search.php.

6.5
2021-07-01 CVE-2021-27660 Johnsoncontrols Improper Input Validation vulnerability in Johnsoncontrols C-Cure 9000 Firmware

An insecure client auto update feature in C-CURE 9000 can allow remote execution of lower privileged Windows programs.

6.5
2021-07-01 CVE-2021-27661 Johnsoncontrols Incorrect Authorization vulnerability in Johnsoncontrols F4-Snc Firmware 11

Successful exploitation of this vulnerability could give an authenticated Facility Explorer SNC Series Supervisory Controller (F4-SNC) user an unintended level of access to the controller’s file system, allowing them to access or modify system files by sending specifically crafted web messages to the F4-SNC.

6.5
2021-06-29 CVE-2021-29485 Ratpack Project Deserialization of Untrusted Data vulnerability in Ratpack Project Ratpack

Ratpack is a toolkit for creating web applications.

6.5
2021-06-29 CVE-2020-21394 Crmeb SQL Injection vulnerability in Crmeb 2.60/3.1

SQL Injection vulnerability in Zhong Bang Technology Co., Ltd CRMEB mall system V2.60 and V3.1 via the tablename parameter in SystemDatabackup.php.

6.5
2021-06-29 CVE-2020-7870 Unidocs Out-of-bounds Write vulnerability in Unidocs Ezpdf Editor and Ezpdf Reader

A memory corruption vulnerability exists when ezPDF improperly handles the parameter.

6.5
2021-06-29 CVE-2021-34824 Istio Unspecified vulnerability in Istio

Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.

6.5
2021-06-28 CVE-2021-20574 IBM Injection vulnerability in IBM Security Identity Manager Adapter 6.0.0.0/7.0.0.0

IBM Security Identity Manager Adapters 6.0 and 7.0 could allow a remote authenticated attacker to conduct an LDAP injection.

6.5
2021-06-28 CVE-2021-28584 Magento Path Traversal vulnerability in Magento

Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Path Traversal vulnerability when creating a store with child theme.Successful exploitation could lead to arbitrary file system write by an authenticated attacker.

6.5
2021-07-01 CVE-2021-22343 Huawei Unspecified vulnerability in Huawei Emui and Magic UI

There is a Configuration Defect vulnerability in Huawei Smartphone.

6.4
2021-06-30 CVE-2021-22354 Huawei Type Confusion vulnerability in Huawei Emui and Magic UI

There is an Information Disclosure Vulnerability in Huawei Smartphone.

6.4
2021-06-30 CVE-2021-22373 Huawei Unspecified vulnerability in Huawei Emui and Magic UI

There is a Defects Introduced in the Design Process Vulnerability in Huawei Smartphone.

6.4
2021-06-30 CVE-2021-22380 Huawei Cleartext Transmission of Sensitive Information vulnerability in Huawei Emui 9.1.0

There is a Cleartext Transmission of Sensitive Information Vulnerability in Huawei Smartphone.

6.4
2021-06-30 CVE-2021-35958 Google Path Traversal vulnerability in Google Tensorflow

** DISPUTED ** TensorFlow through 2.5.0 allows attackers to overwrite arbitrary files via a crafted archive when tf.keras.utils.get_file is used with extract=True.

6.4
2021-06-28 CVE-2021-28563 Magento Unspecified vulnerability in Magento

Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper Authorization vulnerability via the 'Create Customer' endpoint.

6.4
2021-07-02 CVE-2021-36132 Mediawiki Incorrect Authorization vulnerability in Mediawiki

An issue was discovered in the FileImporter extension in MediaWiki through 1.36.

6.0
2021-07-02 CVE-2021-34807 Zimbra Open Redirect vulnerability in Zimbra Collaboration

An open redirect vulnerability exists in the /preauth Servlet in Zimbra Collaboration Suite through 9.0.

5.8
2021-07-01 CVE-2019-25048 Openbsd Out-of-bounds Read vulnerability in Openbsd Libressl

LibreSSL 2.9.1 through 3.2.1 has a heap-based buffer over-read in do_print_ex (called from asn1_item_print_ctx and ASN1_item_print).

5.8
2021-07-01 CVE-2019-25049 Openbsd Out-of-bounds Read vulnerability in Openbsd Libressl

LibreSSL 2.9.1 through 3.2.1 has an out-of-bounds read in asn1_item_print_ctx (called from asn1_template_print_ctx).

5.8
2021-06-30 CVE-2021-21673 Jenkins Open Redirect vulnerability in Jenkins CAS

Jenkins CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.

5.8
2021-06-29 CVE-2021-32721 Powermux Project Open Redirect vulnerability in Powermux Project Powermux 1.0.0/1.1.0

PowerMux is a drop-in replacement for Go's http.ServeMux.

5.8
2021-06-29 CVE-2021-20101 Machform Injection vulnerability in Machform

Machform prior to version 16 is vulnerable to HTTP host header injection due to improperly validated host headers.

5.8
2021-06-29 CVE-2021-20105 Machform Open Redirect vulnerability in Machform

Machform prior to version 16 is vulnerable to an open redirect in Safari_init.php due to an improperly sanitized 'ref' parameter.

5.8
2021-06-29 CVE-2021-1134 Cisco Improper Certificate Validation vulnerability in Cisco DNA Center

A vulnerability in the Cisco Identity Services Engine (ISE) integration feature of the Cisco DNA Center Software could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data.

5.8
2021-06-28 CVE-2021-34254 Umbraco Open Redirect vulnerability in Umbraco CMS

Umbraco CMS before 7.15.7 is vulnerable to Open Redirection due to insufficient url sanitization on booting.aspx.

5.8
2021-06-30 CVE-2021-28692 XEN Improper Privilege Management vulnerability in XEN

inappropriate x86 IOMMU timeout detection / handling IOMMUs process commands issued to them in parallel with the operation of the CPU(s) issuing such commands.

5.6
2021-07-02 CVE-2020-23178 PHP Fusion Authentication Bypass by Capture-replay vulnerability in PHP-Fusion 9.03.50

An issue exists in PHP-Fusion 9.03.50 where session cookies are not deleted once a user logs out, allowing for an attacker to perform a session replay attack and impersonate the victim user.

5.5
2021-07-01 CVE-2021-32729 Xwiki Incorrect Permission Assignment for Critical Resource vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

5.5
2021-06-30 CVE-2021-22351 Huawei Unspecified vulnerability in Huawei Emui and Magic UI

There is a Credentials Management Errors Vulnerability in Huawei Smartphone.

5.5
2021-06-28 CVE-2021-28597 Adobe Exposure of Resource to Wrong Sphere vulnerability in Adobe Photoshop Elements

Adobe Photoshop Elements version 5.2 (and earlier) is affected by an insecure temporary file creation vulnerability.

5.5
2021-06-28 CVE-2021-28623 Adobe Exposure of Resource to Wrong Sphere vulnerability in Adobe Premiere Elements 3.0.0/5.2

Adobe Premiere Elements version 5.2 (and earlier) is affected by an insecure temporary file creation vulnerability.

5.5
2021-07-01 CVE-2021-32731 Xwiki Information Exposure vulnerability in Xwiki 13.1

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

5.3
2021-06-30 CVE-2021-21671 Jenkins Session Fixation vulnerability in Jenkins

Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.

5.1
2021-07-02 CVE-2021-36143 Linux NULL Pointer Dereference vulnerability in Linux Acrn

ACRN before 2.5 has a hw/pci/virtio/virtio.c vq_endchains NULL Pointer Dereference.

5.0
2021-07-02 CVE-2021-36144 Linux Use After Free vulnerability in Linux Acrn

The polling timer handler in ACRN before 2.5 has a use-after-free for a freed virtio device, related to devicemodel/hw/pci/virtio/*.c.

5.0
2021-07-02 CVE-2021-36145 Linux Use After Free vulnerability in Linux Acrn

The Device Model in ACRN through 2.5 has a devicemodel/core/mem.c use-after-free for a freed rb_entry.

5.0
2021-07-02 CVE-2021-36146 Linux NULL Pointer Dereference vulnerability in Linux Acrn

ACRN before 2.5 has a devicemodel/hw/pci/xhci.c NULL Pointer Dereference for a trb pointer.

5.0
2021-07-02 CVE-2021-36147 Linux NULL Pointer Dereference vulnerability in Linux Acrn

An issue was discovered in ACRN before 2.5.

5.0
2021-07-02 CVE-2021-35197 Mediawiki
Debian
Fedoraproject
Incorrect Authorization vulnerability in multiple products

In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access.

5.0
2021-07-02 CVE-2021-36125 Mediawiki Infinite Loop vulnerability in Mediawiki

An issue was discovered in the CentralAuth extension in MediaWiki through 1.36.

5.0
2021-07-01 CVE-2020-27361 Akkadianlabs Exposure of Resource to Wrong Sphere vulnerability in Akkadianlabs Akkadian Provisioning Manager 4.50.02

An issue exists within Akkadian Provisioning Manager 4.50.02 which allows attackers to view sensitive information within the /pme subdirectories.

5.0
2021-07-01 CVE-2021-28127 Stormshield Improper Restriction of Excessive Authentication Attempts vulnerability in Stormshield Network Security

An issue was discovered in Stormshield SNS through 4.2.1.

5.0
2021-07-01 CVE-2020-9158 Huawei Unspecified vulnerability in Huawei Emui and Magic UI

There is a Missing Cryptographic Step vulnerability in Huawei Smartphone.

5.0
2021-07-01 CVE-2021-22344 Huawei Unspecified vulnerability in Huawei Emui and Magic UI

There is an Improper Access Control vulnerability in Huawei Smartphone.

5.0
2021-07-01 CVE-2021-22347 Huawei Unspecified vulnerability in Huawei Emui and Magic UI

There is an Improper Access Control vulnerability in Huawei Smartphone.

5.0
2021-07-01 CVE-2021-20778 EC Cube Unspecified vulnerability in Ec-Cube 4.0.6

Improper access control vulnerability in EC-CUBE 4.0.6 (EC-CUBE 4 series) allows a remote attacker to bypass access restriction and obtain sensitive information via unspecified vectors.

5.0
2021-06-30 CVE-2021-22346 Huawei Incorrect Default Permissions vulnerability in Huawei Emui and Magic UI

There is an Improper Permission Management Vulnerability in Huawei Smartphone.

5.0
2021-06-30 CVE-2021-22368 Huawei Incorrect Default Permissions vulnerability in Huawei Emui and Magic UI

There is a Permission Control Vulnerability in Huawei Smartphone.

5.0
2021-06-30 CVE-2021-32736 Thinkjs Unspecified vulnerability in Thinkjs Think-Helper

think-helper defines a set of helper functions for ThinkJS.

5.0
2021-06-30 CVE-2021-22371 Huawei Incorrect Default Permissions vulnerability in Huawei Emui and Magic UI

There is an Improper Permission Management Vulnerability in Huawei Smartphone.

5.0
2021-06-30 CVE-2021-22374 Huawei Improper Validation of Array Index vulnerability in Huawei Emui and Magic UI

There is an Improper Validation of Array Index Vulnerability in Huawei Smartphone.

5.0
2021-06-30 CVE-2021-35970 Voxmedia Incorrect Comparison vulnerability in Voxmedia Coral Talk

Talk 4 in Coral before 4.12.1 allows remote attackers to discover e-mail addresses and other sensitive information via GraphQL because permission checks use an incorrect data type.

5.0
2021-06-30 CVE-2021-22370 Huawei Unspecified vulnerability in Huawei Emui and Magic UI

There is a Credentials Management Errors Vulnerability in Huawei Smartphone.

5.0
2021-06-30 CVE-2021-22372 Huawei Unspecified vulnerability in Huawei Emui and Magic UI

There is a Security Features Vulnerability in Huawei Smartphone.

5.0
2021-06-30 CVE-2021-28993 Plixer SQL Injection vulnerability in Plixer Scrutinizer 19.0.2

Plixer Scrutinizer 19.0.2 is affected by: SQL Injection.

5.0
2021-06-30 CVE-2021-25951 Xml2Dict Project XXE vulnerability in Xml2Dict Project Xml2Dict 0.2.2

XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service.

5.0
2021-06-30 CVE-2021-32566 Apache
Debian
Improper Input Validation vulnerability in multiple products

Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server.

5.0
2021-06-30 CVE-2021-32567 Apache
Debian
Improper Input Validation vulnerability in multiple products

Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server.

5.0
2021-06-29 CVE-2021-35941 Westerndigital Missing Authentication for Critical Function vulnerability in Westerndigital products

Western Digital WD My Book Live (2.x and later) and WD My Book Live Duo (all versions) have an administrator API that can perform a system factory restore without authentication, as exploited in the wild in June 2021, a different vulnerability than CVE-2018-18472.

5.0
2021-06-29 CVE-2021-22338 Huawei XXE vulnerability in Huawei Ecns280 Firmware V100R005C00/V100R005C10

There is an XXE injection vulnerability in eCNS280 V100R005C00 and V100R005C10.

5.0
2021-06-29 CVE-2021-29481 Ratpack Project Cleartext Storage of Sensitive Information vulnerability in Ratpack Project Ratpack

Ratpack is a toolkit for creating web applications.

5.0
2021-06-29 CVE-2021-22119 Vmware
Oracle
Incorrect Authorization vulnerability in multiple products

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application.

5.0
2021-06-29 CVE-2021-31160 Zohocorp Unspecified vulnerability in Zohocorp products

Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data.

5.0
2021-06-29 CVE-2021-31530 Zohocorp Unspecified vulnerability in Zohocorp Manageengine Servicedesk Plus MSP 10.5

Zoho ManageEngine ServiceDesk Plus MSP before 10522 is vulnerable to Information Disclosure.

5.0
2021-06-29 CVE-2021-27577 Apache
Debian
HTTP Request Smuggling vulnerability in multiple products

Incorrect handling of url fragment vulnerability of Apache Traffic Server allows an attacker to poison the cache.

5.0
2021-06-29 CVE-2021-32565 Apache
Debian
HTTP Request Smuggling vulnerability in multiple products

Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests.

5.0
2021-06-29 CVE-2021-34549 Torproject Resource Exhaustion vulnerability in Torproject TOR

An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-005.

5.0
2021-06-29 CVE-2021-34550 Torproject Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Torproject TOR

An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-006.

5.0
2021-06-29 CVE-2021-33503 Python
Fedoraproject
Oracle
Resource Exhaustion vulnerability in multiple products

An issue was discovered in urllib3 before 1.26.5.

5.0
2021-06-29 CVE-2021-34548 Torproject Incorrect Authorization vulnerability in Torproject TOR

An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-003.

5.0
2021-06-28 CVE-2021-35299 Zammad Information Exposure Through Log Files vulnerability in Zammad

Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows attackers to obtain sensitive information via email connection configuration probing.

5.0
2021-06-28 CVE-2021-35301 Zammad Unspecified vulnerability in Zammad

Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information via the Ticket Article detail view.

5.0
2021-06-28 CVE-2021-35302 Zammad Unspecified vulnerability in Zammad

Incorrect Access Control for linked Tickets in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information.

5.0
2021-06-28 CVE-2021-32720 Sylius Information Exposure vulnerability in Sylius

Sylius is an Open Source eCommerce platform on top of Symfony.

5.0
2021-06-28 CVE-2021-35525 Postsrsd Project Unspecified vulnerability in Postsrsd Project Postsrsd

PostSRSd before 1.11 allows a denial of service (subprocess hang) if Postfix sends certain long data fields such as multiple concatenated email addresses.

5.0
2021-06-28 CVE-2020-23715 Webport CMS Project Path Traversal vulnerability in Webport CMS Project Webport CMS 1.19.10.17121

Directory Traversal vulnerability in Webport CMS 1.19.10.17121 via the file parameter to file/download.

5.0
2021-06-28 CVE-2021-20413 IBM Information Exposure Through an Error Message vulnerability in IBM Guardium Data Encryption 4.0.0.4

IBM Guardium Data Encryption (GDE) 4.0.0.4 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

5.0
2021-06-28 CVE-2021-28585 Magento Improper Input Validation vulnerability in Magento

Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper input validation vulnerability in the New customer WebAPI.Successful exploitation could allow an attacker to send unsolicited spam e-mails.

5.0
2021-07-02 CVE-2020-23182 PHP Fusion Open Redirect vulnerability in PHP-Fusion 9.03.60

The component /php-fusion/infusions/shoutbox_panel/shoutbox_archive.php in PHP-Fusion 9.03.60 allows attackers to redirect victim users to malicious websites via a crafted payload entered into the Shoutbox message panel.

4.9
2021-06-30 CVE-2021-20107 Sloan Improper Authentication vulnerability in Sloan products

There exists an unauthenticated BLE Interface in Sloan SmartFaucets including Optima EAF, Optima ETF/EBF, BASYS EFX, and Flushometers including SOLIS.

4.8
2021-06-28 CVE-2021-33515 Dovecot
Fedoraproject
Debian
Command Injection vulnerability in multiple products

The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp.

4.8
2021-06-29 CVE-2021-22340 Huawei Race Condition vulnerability in Huawei Manageone and Smc2.0

There is a multiple threads race condition vulnerability in Huawei product.

4.7
2021-07-02 CVE-2021-33889 Openthread Out-of-bounds Write vulnerability in Openthread Wpantund 20200528

OpenThread wpantund through 2021-07-02 has a stack-based Buffer Overflow because of an inconsistency in the integer data type for metric_len.

4.6
2021-06-30 CVE-2021-34374 Nvidia Improper Input Validation vulnerability in Nvidia Jetson Linux

Trusty contains a vulnerability in command handlers where the length of input buffers is not verified.

4.6
2021-06-30 CVE-2021-34375 Nvidia Out-of-bounds Write vulnerability in Nvidia Jetson Linux

Trusty contains a vulnerability in all trusted applications (TAs) where the stack cookie was not randomized, which might result in stack-based buffer overflow, leading to denial of service, escalation of privileges, and information disclosure.

4.6
2021-06-30 CVE-2021-34376 Nvidia Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nvidia Jetson Linux

Trusty contains a vulnerability in the HDCP service TA where bounds checking in command 5 is missing.

4.6
2021-06-30 CVE-2021-34377 Nvidia Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nvidia Jetson Linux

Trusty contains a vulnerability in the HDCP service TA where bounds checking in command 9 is missing.

4.6
2021-06-30 CVE-2021-34378 Nvidia Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nvidia Jetson Linux

Trusty contains a vulnerability in the HDCP service TA where bounds checking in command 11 is missing.

4.6
2021-06-30 CVE-2021-34379 Nvidia Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nvidia Jetson Linux

Trusty contains a vulnerability in the HDCP service TA where bounds checking in command 10 is missing.

4.6
2021-06-30 CVE-2021-34380 Nvidia Out-of-bounds Write vulnerability in Nvidia Jetson Linux

Bootloader contains a vulnerability in NVIDIA MB2 where potential heap overflow might cause corruption of the heap metadata, which might lead to arbitrary code execution, denial of service, and information disclosure during secure boot.

4.6
2021-06-30 CVE-2021-34381 Nvidia Integer Overflow or Wraparound vulnerability in Nvidia Jetson Linux

Trusty TLK contains a vulnerability in the NVIDIA TLK kernel function where a lack of checks allows the exploitation of an integer overflow on the size parameter of the tz_map_shared_mem function, which might lead to denial of service, information disclosure, or data tampering.

4.6
2021-06-30 CVE-2021-34382 Nvidia Integer Overflow or Wraparound vulnerability in Nvidia Jetson Linux

Trusty TLK contains a vulnerability in the NVIDIA TLK kernel’s tz_map_shared_mem function where an integer overflow on the size parameter causes the request buffer and the logging buffer to overflow, allowing writes to arbitrary addresses within the kernel.

4.6
2021-06-30 CVE-2021-34383 Nvidia Out-of-bounds Write vulnerability in Nvidia Jetson Linux

Bootloader contains a vulnerability in NVIDIA MB2 where a potential heap overflow might lead to denial of service or escalation of privileges.

4.6
2021-06-30 CVE-2021-34384 Nvidia Out-of-bounds Write vulnerability in Nvidia Jetson Linux

Bootloader contains a vulnerability in NVIDIA MB2 where a potential heap overflow could cause memory corruption, which might lead to denial of service or code execution.

4.6
2021-06-30 CVE-2021-34385 Nvidia Integer Overflow or Wraparound vulnerability in Nvidia Jetson Linux

Trusty TLK contains a vulnerability in the NVIDIA TLK kernel where an integer overflow in the calculation of a length could lead to a heap overflow.

4.6
2021-06-29 CVE-2021-22545 Google Use After Free vulnerability in Google Bindiff

An attacker can craft a specific IdaPro *.i64 file that will cause the BinDiff plugin to load an invalid memory offset.

4.6
2021-06-29 CVE-2021-28691 Linux
Netapp
Use After Free vulnerability in multiple products

Guest triggered use-after-free in Linux xen-netback A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet.

4.6
2021-06-28 CVE-2021-20099 Tenable Unspecified vulnerability in Tenable Nessus

Nessus Agent 8.2.4 and earlier for Windows were found to contain multiple local privilege escalation vulnerabilities which could allow an authenticated, local administrator to run specific Windows executables as the Nessus host.

4.6
2021-06-28 CVE-2021-20100 Tenable Unspecified vulnerability in Tenable Nessus

Nessus Agent 8.2.4 and earlier for Windows were found to contain multiple local privilege escalation vulnerabilities which could allow an authenticated, local administrator to run specific Windows executables as the Nessus host.

4.6
2021-07-02 CVE-2021-3606 Openvpn Uncontrolled Search Path Element vulnerability in Openvpn

OpenVPN before version 2.5.3 on Windows allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process (openvpn.exe).

4.4
2021-07-02 CVE-2021-3613 Openvpn Uncontrolled Search Path Element vulnerability in Openvpn Connect

OpenVPN Connect 3.2.0 through 3.3.0 allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process (OpenVPNConnect.exe).

4.4
2021-07-02 CVE-2021-35207 Zimbra Cross-site Scripting vulnerability in Zimbra Collaboration

An issue was discovered in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.0 before 9.0.0 Patch 16.

4.3
2021-07-02 CVE-2021-31874 Zohocorp Unspecified vulnerability in Zohocorp Manageengine Adselfservice Plus

Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application.

4.3
2021-07-02 CVE-2021-27455 Deltaww Out-of-bounds Read vulnerability in Deltaww Dopsoft

Delta Electronics DOPSoft Versions 4.0.10.17 and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to disclose information.

4.3
2021-07-01 CVE-2021-32730 Xwiki Cross-Site Request Forgery (CSRF) vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

4.3
2021-07-01 CVE-2021-20752 Ikalka RSS Reader Project Cross-site Scripting vulnerability in Ikalka RSS Reader Project Ikalka RSS Reader

Cross-site scripting vulnerability in IkaIka RSS Reader all versions allows a remote attacker to inject an arbitrary script via unspecified vectors.

4.3
2021-07-01 CVE-2021-36083 KDE Out-of-bounds Write vulnerability in KDE Kimageformats

KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer overflow in XCFImageFormat::loadTileRLE.

4.3
2021-07-01 CVE-2020-36194 Qnap Cross-site Scripting vulnerability in Qnap QTS

An XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero.

4.3
2021-07-01 CVE-2020-36196 Qnap Cross-site Scripting vulnerability in Qnap Qulog Center

A stored XSS vulnerability has been reported to affect QNAP NAS running QuLog Center.

4.3
2021-06-30 CVE-2021-34075 Artica Insufficiently Protected Credentials vulnerability in Artica Pandora FMS

In Artica Pandora FMS <=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can access.

4.3
2021-06-30 CVE-2021-21675 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Requests

A cross-site request forgery (CSRF) vulnerability in Jenkins requests-plugin Plugin 2.2.12 and earlier allows attackers to create requests and/or have administrators apply pending requests.

4.3
2021-06-30 CVE-2021-3630 Djvulibre Project
Debian
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

An out-of-bounds write vulnerability was found in DjVuLibre in DJVU::DjVuTXT::decode() in DjVuText.cpp via a crafted djvu file which may lead to crash and segmentation fault.

4.3
2021-06-30 CVE-2021-27902 Craftcms Cross-site Scripting vulnerability in Craftcms Craft CMS

An issue was discovered in Craft CMS before 3.6.0.

4.3
2021-06-30 CVE-2021-31721 Chevereto Cross-site Scripting vulnerability in Chevereto

Chevereto before 3.17.1 allows Cross Site Scripting (XSS) via an image title at the image upload stage.

4.3
2021-06-29 CVE-2020-18066 Zrlog Cross-site Scripting vulnerability in Zrlog 2.1.0

Cross Site Scripting vulnerability in ZrLog 2.1.0 via the (1) userName and (2) email parameters in post/addComment.

4.3
2021-06-29 CVE-2021-20103 Machform Cross-site Scripting vulnerability in Machform

Machform prior to version 16 is vulnerable to stored cross-site scripting due to insufficient sanitization of file attachments uploaded with forms through upload.php.

4.3
2021-06-29 CVE-2021-20580 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Planning Analytics 2.0

IBM Planning Analytics 2.0 could be vulnerable to cross-site request forgery (CSRF) which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

4.3
2021-06-29 CVE-2021-31506 Opentext Out-of-bounds Read vulnerability in Opentext Brava! Desktop 16.6.4.55

This vulnerability allows remote attackers to disclose sensitive information on affected installations of OpenText Brava! Desktop Build 16.6.4.55.

4.3
2021-06-28 CVE-2020-21142 Ipfire Cross-site Scripting vulnerability in Ipfire 2.23

Cross Site Scripting (XSS) vulnerabilty in IPFire 2.23 via the IPfire web UI in the mail.cgi.

4.3
2021-06-28 CVE-2021-32723 Prismjs
Oracle
Resource Exhaustion vulnerability in multiple products

Prism is a syntax highlighting library.

4.3
2021-06-28 CVE-2021-35298 Zammad Cross-site Scripting vulnerability in Zammad

Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via multiple models that contain a 'note' field to store additional information.

4.3
2021-06-28 CVE-2021-35300 Zammad Improper Restriction of Rendered UI Layers or Frames vulnerability in Zammad

Text injection/Content Spoofing in 404 page in Zammad 1.0.x up to 4.0.0 could allow remote attackers to manipulate users into visiting the attackers' page.

4.3
2021-06-28 CVE-2021-35303 Zammad Cross-site Scripting vulnerability in Zammad

Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via the User Avatar attribute.

4.3
2021-06-28 CVE-2020-22607 Limesurvey Cross-site Scripting vulnerability in Limesurvey 4.1.11+200316

Cross Site Scripting vulnerabilty in LimeSurvey 4.1.11+200316 via the (1) name and (2) description parameters in application/controllers/admin/PermissiontemplatesController.php.

4.3
2021-06-28 CVE-2020-22608 Enhancesoft Cross-site Scripting vulnerability in Enhancesoft Osticket

Cross Site Scripting vulnerability in Enhancesoft osTicket before v1.12.6 via the queue-name parameter to include/ajax.search.php.

4.3
2021-06-28 CVE-2020-22609 Enhancesoft Cross-site Scripting vulnerability in Enhancesoft Osticket

Cross Site Scripting (XSS) vulnerability in Enhancesoft osTicket before v1.12.6 via the queue-name parameter in include/class.queue.php.

4.3
2021-06-28 CVE-2020-20640 Shopex Cross-site Scripting vulnerability in Shopex Ecshop 4.0

Cross Site Scripting (XSS) vulnerability in ECShop 4.0 due to security filtering issues, in the user.php file, we can use the html entity encoding to bypass the security policy of the safety.php file, triggering the xss vulnerability.

4.3
2021-06-28 CVE-2021-29775 IBM Cross-site Scripting vulnerability in IBM products

IBM Business Automation Workflow 19.0.03 and 20.0 and IBM Cloud Pak for Automation 20.0.3-IF002 and 21.0.1 are vulnerable to cross-site scripting.

4.3
2021-06-28 CVE-2021-28579 Adobe Unspecified vulnerability in Adobe Connect

Adobe Connect version 11.2.1 (and earlier) is affected by an Improper access control vulnerability that can lead to the elevation of privileges.

4.3
2021-06-28 CVE-2021-21084 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

AEM's Cloud Service offering, as well as versions 6.5.7.0 (and below), 6.4.8.3 (and below) and 6.3.3.8 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.

4.3
2021-06-28 CVE-2021-28573 Adobe Out-of-bounds Read vulnerability in Adobe Animate

Adobe Animate version 21.0.5 (and earlier) is affected by an Out-of-bounds Read vulnerability when parsing a specially crafted file.

4.3
2021-06-28 CVE-2021-28574 Adobe Out-of-bounds Read vulnerability in Adobe Animate

Adobe Animate version 21.0.5 (and earlier) is affected by an Out-of-bounds Read vulnerability when parsing a specially crafted file.

4.3
2021-06-28 CVE-2021-28575 Adobe Out-of-bounds Read vulnerability in Adobe Animate

Adobe Animate version 21.0.5 (and earlier) is affected by an Out-of-bounds Read vulnerability when parsing a specially crafted file.

4.3
2021-06-28 CVE-2021-28576 Adobe Out-of-bounds Read vulnerability in Adobe Animate

Adobe Animate version 21.0.5 (and earlier) is affected by an Out-of-bounds Read vulnerability when parsing a specially crafted file.

4.3
2021-06-28 CVE-2021-28583 Magento Violation of Secure Design Principles vulnerability in Magento

Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Violation of Secure Design Principles vulnerability in RMA PDF filename formats.

4.3
2021-06-28 CVE-2021-28587 Adobe Out-of-bounds Read vulnerability in Adobe After Effects

After Effects versions 18.0 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

4.3
2021-06-28 CVE-2021-20750 EC Cube Cross-site Scripting vulnerability in Ec-Cube

Cross-site scripting vulnerability in EC-CUBE EC-CUBE 3.0.0 to 3.0.18-p2 (EC-CUBE 3 series) and EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific operation.

4.3
2021-06-28 CVE-2021-20751 EC Cube Cross-site Scripting vulnerability in Ec-Cube

Cross-site scripting vulnerability in EC-CUBE EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific operation.

4.3
2021-07-02 CVE-2021-32738 Stellar Improper Verification of Cryptographic Signature vulnerability in Stellar Js-Stellar-Sdk

js-stellar-sdk is a Javascript library for communicating with a Stellar Horizon server.

4.0
2021-07-02 CVE-2021-36127 Mediawiki Insecure Storage of Sensitive Information vulnerability in Mediawiki

An issue was discovered in the CentralAuth extension in MediaWiki through 1.36.

4.0
2021-07-02 CVE-2021-36129 Mediawiki Incorrect Permission Assignment for Critical Resource vulnerability in Mediawiki

An issue was discovered in the Translate extension in MediaWiki through 1.36.

4.0
2021-07-02 CVE-2021-26920 Apache Externally Controlled Reference to a Resource in Another Sphere vulnerability in Apache Druid

In the Druid ingestion system, the InputSource is used for reading data from a certain data source.

4.0
2021-07-01 CVE-2021-35337 Phone Shop Sales Management System Project Authorization Bypass Through User-Controlled Key vulnerability in Phone Shop Sales Management System Project Phone Shop Sales Management System 1.0

Sourcecodester Phone Shop Sales Managements System 1.0 is vulnerable to Insecure Direct Object Reference (IDOR).

4.0
2021-06-30 CVE-2021-21670 Jenkins Incorrect Authorization vulnerability in Jenkins

Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.

4.0
2021-06-30 CVE-2021-21672 Jenkins XXE vulnerability in Jenkins Selenium Html Report

Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

4.0
2021-06-30 CVE-2021-21674 Jenkins Missing Authorization vulnerability in Jenkins Requests

A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

4.0
2021-06-30 CVE-2021-21676 Jenkins Missing Authorization vulnerability in Jenkins Requests

Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to send test emails to an attacker-specified email address.

4.0
2021-06-30 CVE-2021-20461 IBM
Netapp
Exposure of Resource to Wrong Sphere vulnerability in multiple products

IBM Cognos Analytics 10.0 and 11.1 is susceptible to a weakness in the implementation of the System Appearance configuration setting.

4.0
2021-06-29 CVE-2021-22329 Huawei Unspecified vulnerability in Huawei products

There has a license management vulnerability in some Huawei products.

4.0
2021-06-29 CVE-2021-22341 Huawei Memory Leak vulnerability in Huawei products

There is a memory leak vulnerability in Huawei products.

4.0
2021-06-29 CVE-2021-29479 Ratpack Project Unspecified vulnerability in Ratpack Project Ratpack

Ratpack is a toolkit for creating web applications.

4.0
2021-06-29 CVE-2021-28690 XEN Unspecified vulnerability in XEN

x86: TSX Async Abort protections not restored after S3 This issue relates to the TSX Async Abort speculative security vulnerability.

4.0
2021-06-28 CVE-2021-32722 Miraheze Resource Exhaustion vulnerability in Miraheze Globalnewfiles

GlobalNewFiles is a mediawiki extension.

4.0
2021-06-28 CVE-2021-20494 IBM Out-of-bounds Write vulnerability in IBM Security Identity Manager Adapter 6.0.0.0/7.0.0.0

IBM Security Identity Manager Adapters 6.0 and 7.0 are vulnerable to a heap based buffer overflow, caused by improper bounds.

4.0
2021-06-28 CVE-2021-20572 IBM Out-of-bounds Write vulnerability in IBM Security Identity Manager Adapter 6.0.0.0/7.0.0.0

IBM Security Identity Manager Adapters 6.0 and 7.0 are vulnerable to a stack-based buffer overflow, caused by improper bounds checking.

4.0
2021-06-28 CVE-2021-20573 IBM Out-of-bounds Write vulnerability in IBM Security Identity Manager Adapter 6.0.0.0/7.0.0.0

IBM Security Identity Manager Adapters 6.0 and 7.0 are vulnerable to a heap-based buffer overflow, caused by improper bounds checking.

4.0
2021-06-28 CVE-2020-15303 Infoblox XML Entity Expansion vulnerability in Infoblox Nios

Infoblox NIOS before 8.5.2 allows entity expansion during an XML upload operation, a related issue to CVE-2003-1564.

4.0
2021-06-28 CVE-2020-28200 Dovecot
Fedoraproject
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.

4.0

57 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-06-30 CVE-2021-34373 Nvidia Out-of-bounds Write vulnerability in Nvidia Jetson Linux

Trusty trusted Linux kernel (TLK) contains a vulnerability in the NVIDIA TLK kernel where a lack of heap hardening could cause heap overflows, which might lead to information disclosure and denial of service.

3.6
2021-07-02 CVE-2021-35208 Zimbra Cross-site Scripting vulnerability in Zimbra Collaboration

An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23.

3.5
2021-07-02 CVE-2020-23179 PHP Fusion Cross-site Scripting vulnerability in PHP-Fusion 9.03.50

A stored cross site scripting (XSS) vulnerability in administration/settings_main.php of PHP-Fusion 9.03.50 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Site footer" field.

3.5
2021-07-02 CVE-2020-23181 PHP Fusion Cross-site Scripting vulnerability in PHP-Fusion 9.03.60

A reflected cross site scripting (XSS) vulnerability in /administration/theme.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Manage Theme" field.

3.5
2021-07-02 CVE-2020-23184 PHP Fusion Cross-site Scripting vulnerability in PHP-Fusion 9.03.60

A stored cross site scripting (XSS) vulnerability in /administration/settings_registration.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Registration" field.

3.5
2021-07-02 CVE-2020-23185 PHP Fusion Cross-site Scripting vulnerability in PHP-Fusion 9.03.60

A stored cross site scripting (XSS) vulnerability in /administration/setting_security.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.

3.5
2021-07-02 CVE-2020-23190 Phplist Cross-site Scripting vulnerability in PHPlist 3.5.4

A stored cross site scripting (XSS) vulnerability in the "Import emails" module in phplist 3.5.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.

3.5
2021-07-02 CVE-2020-23192 Phplist Cross-site Scripting vulnerability in PHPlist

A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload in the "admin" parameter under the "Manage administrators" module.

3.5
2021-07-02 CVE-2020-23194 Phplist Cross-site Scripting vulnerability in PHPlist

A stored cross site scripting (XSS) vulnerability in the "Import Subscribers" feature in phplist 3.5.4 and below allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.

3.5
2021-07-02 CVE-2020-36395 Lavalite Cross-site Scripting vulnerability in Lavalite 5.8.0

A stored cross site scripting (XSS) vulnerability in the /admin/user/team component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter.

3.5
2021-07-02 CVE-2020-36396 Lavalite Cross-site Scripting vulnerability in Lavalite 5.8.0

A stored cross site scripting (XSS) vulnerability in the /admin/roles/role component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter.

3.5
2021-07-02 CVE-2020-36397 Lavalite Cross-site Scripting vulnerability in Lavalite 5.8.0

A stored cross site scripting (XSS) vulnerability in the /admin/contact/contact component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter.

3.5
2021-07-02 CVE-2020-36398 Phplist Cross-site Scripting vulnerability in PHPlist

A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the "Campaign" field under the "Send a campaign" module.

3.5
2021-07-02 CVE-2020-36399 Phplist Cross-site Scripting vulnerability in PHPlist

A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the "rule1" parameter under the "Bounce Rules" module.

3.5
2021-07-02 CVE-2020-36408 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.14

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add Shortcut" parameter under the "Manage Shortcuts" module.

3.5
2021-07-02 CVE-2020-36409 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.14

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add Category" parameter under the "Categories" module.

3.5
2021-07-02 CVE-2020-36410 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.14

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Email address to receive notification of news submission" parameter under the "Options" module.

3.5
2021-07-02 CVE-2020-36411 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.14

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Path for the {page_image} tag:" or "Path for thumbnail field:" parameters under the "Content Editing Settings" module.

3.5
2021-07-02 CVE-2020-36412 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.14

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Search Text" field under the "Admin Search" module.

3.5
2021-07-02 CVE-2020-36413 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.14

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Exclude these IP addresses from the "Site Down" status" parameter under the "Maintenance Mode" module.

3.5
2021-07-02 CVE-2020-36414 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.14

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "URL (slug)" or "Extra" fields under the "Add Article" feature.

3.5
2021-07-02 CVE-2020-36415 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.14

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Stylesheet" parameter under the "Stylesheets" module.

3.5
2021-07-02 CVE-2020-36416 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.14

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Design" parameter under the "Designs" module.

3.5
2021-07-02 CVE-2021-32737 Sulu Cross-site Scripting vulnerability in Sulu

Sulu is an open-source PHP content management system based on the Symfony framework.

3.5
2021-07-02 CVE-2021-32735 Getkirby Cross-site Scripting vulnerability in Getkirby Kirby

Kirby is a content management system.

3.5
2021-07-02 CVE-2021-36130 Mediawiki Cross-site Scripting vulnerability in Mediawiki

An XSS issue was discovered in the SocialProfile extension in MediaWiki through 1.36.

3.5
2021-07-02 CVE-2021-36131 Mediawiki Cross-site Scripting vulnerability in Mediawiki

An XSS issue was discovered in the SportsTeams extension in MediaWiki through 1.36.

3.5
2021-07-01 CVE-2020-23205 Monstra Cross-site Scripting vulnerability in Monstra CMS 3.0.4

A stored cross site scripting (XSS) vulnerability in Monstra CMS version 3.0.4 allows attackers to execute arbitrary web scripts or HTML via crafted a payload entered into the "Site Name" field under the "Site Settings" module.

3.5
2021-07-01 CVE-2020-23207 Phplist Cross-site Scripting vulnerability in PHPlist 3.5.3

A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Edit Values" field under the "Configure Attributes" module.

3.5
2021-07-01 CVE-2020-23208 Phplist Cross-site Scripting vulnerability in PHPlist 3.5.3

A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Send test" field under the "Start or continue campaign" module.

3.5
2021-07-01 CVE-2020-23209 Phplist Cross-site Scripting vulnerability in PHPlist 3.5.3

A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "List Description" field under the "Edit A List" module.

3.5
2021-07-01 CVE-2020-23214 Phplist Cross-site Scripting vulnerability in PHPlist 3.5.3

A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Configure categories" field under the "Categorise Lists" module.

3.5
2021-07-01 CVE-2020-23217 Phplist Cross-site Scripting vulnerability in PHPlist 3.5.3

A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add a list" field under the "Import Emails" module.

3.5
2021-07-01 CVE-2020-4935 IBM Cross-site Scripting vulnerability in IBM Datacap Navigator 9.1.7

IBM Datacap Fastdoc Capture (IBM Datacap Navigator 9.1.7 ) is vulnerable to cross-site scripting.

3.5
2021-07-01 CVE-2021-28424 Teachers Record Management System Project Cross-site Scripting vulnerability in Teachers Record Management System Project Teachers Record Management System 1.0

A stored cross-site scripting (XSS) vulnerability in Teachers Record Management System 1.0 allows remote authenticated users to inject arbitrary web script or HTML via the 'email' POST parameter in adminprofile.php.

3.5
2021-07-01 CVE-2021-31813 Zohocorp Cross-site Scripting vulnerability in Zohocorp Manageengine Applications Manager

Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD.

3.5
2021-07-01 CVE-2021-28803 Qnap Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Qnap Q'Center

This issue affects: QNAP Systems Inc.

3.5
2021-06-30 CVE-2021-35956 Akcp Cross-site Scripting vulnerability in Akcp products

Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.

3.5
2021-06-30 CVE-2021-35959 Plone Cross-site Scripting vulnerability in Plone

In Plone 5.0 through 5.2.4, Editors are vulnerable to XSS in the folder contents view, if a Contributor has created a folder with a SCRIPT tag in the description field.

3.5
2021-06-29 CVE-2021-29480 Ratpack Project Use of Insufficiently Random Values vulnerability in Ratpack Project Ratpack

Ratpack is a toolkit for creating web applications.

3.5
2021-06-29 CVE-2021-20477 IBM Cross-site Scripting vulnerability in IBM Planning Analytics 2.0

IBM Planning Analytics 2.0 is vulnerable to cross-site scripting.

3.5
2021-06-28 CVE-2020-23710 Limesurvey Cross-site Scripting vulnerability in Limesurvey 4.2.5

Cross Site Scripting (XSS) vulneraiblity in LimeSurvey 4.2.5 on textbox via the Notifications & data feature.

3.5
2021-06-28 CVE-2021-29751 IBM Unspecified vulnerability in IBM products

IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.5 and 8.6 could allow an authenticated user to obtain sensitive information about another user under nondefault configurations.

3.5
2021-06-28 CVE-2021-32719 Vmware Cross-site Scripting vulnerability in VMWare Rabbitmq

RabbitMQ is a multi-protocol messaging broker.

3.5
2021-06-28 CVE-2021-32718 Vmware Cross-site Scripting vulnerability in VMWare Rabbitmq

RabbitMQ is a multi-protocol messaging broker.

3.5
2021-06-28 CVE-2021-28556 Magento Cross-site Scripting vulnerability in Magento

Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a DOM-based Cross-Site Scripting vulnerability on mage-messages cookies.

3.5
2021-06-28 CVE-2021-32496 Sick Inadequate Encryption Strength vulnerability in Sick Visionary-S CX Firmware

SICK Visionary-S CX up version 5.21.2.29154R are vulnerable to an Inadequate Encryption Strength vulnerability concerning the internal SSH interface solely used by SICK for recovering returned devices.

3.5
2021-06-28 CVE-2021-20746 Wordpress Popular Posts Project Cross-site Scripting vulnerability in Wordpress Popular Posts Project Wordpress Popular Posts

Cross-site scripting vulnerability in WordPress Popular Posts 5.3.2 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

3.5
2021-06-28 CVE-2021-20749 Nendeb Cross-site Scripting vulnerability in Nendeb products

Cross-site scripting vulnerability in Fudousan plugin ver5.7.0 and earlier, Fudousan Plugin Pro Single-User Type ver5.7.0 and earlier, and Fudousan Plugin Pro Multi-User Type ver5.7.0 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

3.5
2021-07-01 CVE-2021-36084 Selinux Project
Fedoraproject
Use After Free vulnerability in multiple products

The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).

2.1
2021-07-01 CVE-2021-36085 Selinux Project
Fedoraproject
Use After Free vulnerability in multiple products

The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).

2.1
2021-07-01 CVE-2021-36086 Selinux Project
Fedoraproject
Use After Free vulnerability in multiple products

The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).

2.1
2021-07-01 CVE-2021-36087 Selinux Project
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow).

2.1
2021-06-30 CVE-2021-28693 XEN Unspecified vulnerability in XEN

xen/arm: Boot modules are not scrubbed The bootloader will load boot modules (e.g.

2.1
2021-06-29 CVE-2021-20490 IBM Incorrect Default Permissions vulnerability in IBM Spectrum Protect Plus

IBM Spectrum Protect Plus 10.1.0 through 10.1.8 could allow a local user to cause a denial of service due to insecure file permission settings.

2.1
2021-06-28 CVE-2021-29693 IBM Unspecified vulnerability in IBM AIX and Vios

IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a local user that is in the with elevated group privileges to cause a denial of service due to a vulnerability in the lpd daemon.

2.1
2021-06-28 CVE-2021-29157 Dovecot
Fedoraproject
Path Traversal vulnerability in multiple products

Dovecot before 2.3.15 allows ../ Path Traversal.

2.1