Search
Total
49350 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-22663 | 2 Hornerautomation, Siemens | 2 Cscape, Cscape | 2021-02-12 | 6.8 MEDIUM | 7.8 HIGH |
| Cscape (All versions prior to 9.90 SP3.5) lacks proper validation of user-supplied data when parsing project files. This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to execute code in the context of the current process. | |||||
| CVE-2020-24620 | 1 Unisys | 1 Stealth | 2021-02-12 | 2.1 LOW | 7.8 HIGH |
| Unisys Stealth(core) before 4.0.134 stores passwords in a recoverable format. Therefore, a search of Enterprise Manager can potentially reveal credentials. | |||||
| CVE-2021-20411 | 2 Ibm, Linux | 2 Security Verify Information Queue, Linux Kernel | 2021-02-12 | 4.8 MEDIUM | 8.1 HIGH |
| IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a user to impersonate another user on the system due to incorrectly updating the session identifier. IBM X-Force ID: 198191. | |||||
| CVE-2021-20412 | 2 Ibm, Linux | 2 Security Verify Information Queue, Linux Kernel | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Security Verify Information Queue 1.0.6 and 1.0.7 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 198192. | |||||
| CVE-2021-20409 | 2 Ibm, Linux | 2 Security Verify Information Queue, Linux Kernel | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 198188. | |||||
| CVE-2021-20407 | 2 Ibm, Linux | 2 Security Verify Information Queue, Linux Kernel | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Security Verify Information Queue 1.0.6 and 1.0.7 discloses sensitive information in source code that could be used in further attacks against the system. IBM X-Force ID: 198185. | |||||
| CVE-2021-0341 | 1 Google | 1 Android | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069 | |||||
| CVE-2021-0340 | 1 Google | 1 Android | 2021-02-12 | 9.3 HIGH | 8.8 HIGH |
| In parseNextBox of IsoInterface.java, there is a possible leak of unredacted location information due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-134155286 | |||||
| CVE-2021-0339 | 1 Google | 1 Android | 2021-02-12 | 9.3 HIGH | 7.8 HIGH |
| In loadAnimation of WindowContainer.java, there is a possible way to keep displaying a malicious app while a target app is brought to the foreground. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-8.1 Android-9Android ID: A-145728687 | |||||
| CVE-2021-0332 | 1 Google | 1 Android | 2021-02-12 | 7.2 HIGH | 7.8 HIGH |
| In bootFinished of SurfaceFlinger.cpp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-169256435 | |||||
| CVE-2021-0331 | 1 Google | 1 Android | 2021-02-12 | 6.9 MEDIUM | 7.3 HIGH |
| In onCreate of NotificationAccessConfirmationActivity.java, there is a possible overlay attack due to an insecure default value. This could lead to local escalation of privilege and notification access with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-170731783 | |||||
| CVE-2021-0329 | 1 Google | 1 Android | 2021-02-12 | 7.2 HIGH | 7.8 HIGH |
| In several native functions called by AdvertiseManager.java, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege in the Bluetooth server with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-171400004 | |||||
| CVE-2021-0314 | 1 Google | 1 Android | 2021-02-12 | 6.9 MEDIUM | 7.3 HIGH |
| In onCreate of UninstallerActivity, there is a possible way to uninstall an all without informed user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-171221302 | |||||
| CVE-2021-0305 | 1 Google | 1 Android | 2021-02-12 | 9.3 HIGH | 7.8 HIGH |
| In PackageInstaller, there is a possible tapjacking attack due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10Android ID: A-154015447 | |||||
| CVE-2021-0302 | 1 Google | 1 Android | 2021-02-12 | 9.3 HIGH | 7.8 HIGH |
| In PackageInstaller, there is a possible tapjacking attack due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10Android ID: A-155287782 | |||||
| CVE-2020-27257 | 1 Omron | 4 Cx-one, Cx-position, Cx-protocol and 1 more | 2021-02-12 | 6.8 MEDIUM | 7.8 HIGH |
| This vulnerability allows local attackers to execute arbitrary code due to the lack of proper validation of user-supplied data, which can result in a type-confusion condition in the Omron CX-One Version 4.60 and prior devices. | |||||
| CVE-2020-26194 | 1 Dell | 1 Emc Powerscale Onefs | 2021-02-12 | 4.6 MEDIUM | 7.8 HIGH |
| Dell EMC PowerScale OneFS versions 8.1.2 and 8.2.2 contain an Incorrect Permission Assignment for a Critical Resource vulnerability. This may allow a non-admin user with either ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH privileges to exploit the vulnerability, leading to compromised cryptographic operations. Note: no non-admin users or roles have these privileges by default. | |||||
| CVE-2020-26193 | 1 Dell | 1 Emc Powerscale Onefs | 2021-02-12 | 7.2 HIGH | 7.8 HIGH |
| Dell EMC PowerScale OneFS versions 8.1.0 - 9.1.0 contain an improper input validation vulnerability. A user with the ISI_PRIV_CLUSTER privilege may exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. | |||||
| CVE-2020-26192 | 1 Dell | 1 Emc Powerscale Onefs | 2021-02-12 | 4.6 MEDIUM | 7.8 HIGH |
| Dell EMC PowerScale OneFS versions 8.2.0 - 9.1.0 contain a privilege escalation vulnerability. A non-admin user with either ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH may potentially exploit this vulnerability to read arbitrary data, tamper with system software or deny service to users. Note: no non-admin users or roles have these privileges by default. | |||||
| CVE-2021-0325 | 1 Google | 1 Android | 2021-02-12 | 9.3 HIGH | 8.8 HIGH |
| In ih264d_parse_pslice of ih264d_parse_pslice.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-174238784 | |||||
| CVE-2021-0327 | 1 Google | 1 Android | 2021-02-12 | 7.2 HIGH | 7.8 HIGH |
| In getContentProviderImpl of ActivityManagerService.java, there is a possible permission bypass due to non-restored binder identities. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-172935267 | |||||
| CVE-2021-25903 | 1 Cache Project | 1 Cache | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the cache crate through 2021-01-01 for Rust. A raw pointer is dereferenced. | |||||
| CVE-2021-0330 | 1 Google | 1 Android | 2021-02-12 | 7.2 HIGH | 7.8 HIGH |
| In add_user_ce and remove_user_ce of storaged.cpp, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in storaged with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11Android ID: A-170732441 | |||||
| CVE-2021-0333 | 1 Google | 1 Android | 2021-02-12 | 6.9 MEDIUM | 7.3 HIGH |
| In onCreate of BluetoothPermissionActivity.java, there is a possible permissions bypass due to a tapjacking overlay that obscures the phonebook permissions dialog when a Bluetooth device is connecting. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-168504491 | |||||
| CVE-2021-0334 | 1 Google | 1 Android | 2021-02-12 | 7.2 HIGH | 7.8 HIGH |
| In onTargetSelected of ResolverActivity.java, there is a possible settings bypass allowing an app to become the default handler for arbitrary domains. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-163358811 | |||||
| CVE-2021-20403 | 1 Ibm | 1 Security Verify Information Queue | 2021-02-12 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Security Verify Information Queue 1.0.6 and 1.0.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | |||||
| CVE-2021-0337 | 1 Google | 1 Android | 2021-02-12 | 7.2 HIGH | 7.8 HIGH |
| In moveInMediaStore of FileSystemProvider.java, there is a possible file exposure due to stale metadata. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-157474195 | |||||
| CVE-2021-20405 | 1 Ibm | 1 Security Verify Information Queue | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a user to perform unauthorized activities due to improper encoding of output. IBM X-Force ID: 196183. | |||||
| CVE-2021-22656 | 1 Advantech | 1 Iview | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| Advantech iView versions prior to v5.7.03.6112 are vulnerable to directory traversal, which may allow an attacker to read sensitive files. | |||||
| CVE-2021-21240 | 1 Httplib2 Project | 1 Httplib2 | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library. | |||||
| CVE-2021-26952 | 1 Ms3d Project | 1 Ms3d | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the ms3d crate before 0.1.3 for Rust. It might allow attackers to obtain sensitive information from uninitialized memory locations via IoReader::read. | |||||
| CVE-2021-25836 | 1 Chainsafe | 1 Ethermint | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| Cosmos Network Ethermint <= v0.4.0 is affected by cache lifecycle inconsistency in the EVM module. The bytecode set in a FAILED transaction wrongfully remains in memory(stateObject.code) and is further written to persistent store at the Endblock stage, which may be utilized to build honeypot contracts. | |||||
| CVE-2021-25835 | 1 Chainsafe | 1 Ethermint | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| Cosmos Network Ethermint <= v0.4.0 is affected by a cross-chain transaction replay vulnerability in the EVM module. Since ethermint uses the same chainIDEpoch and signature schemes with ethereum for compatibility, a verified signature in ethereum is still valid in ethermint with the same msg content and chainIDEpoch, which enables "cross-chain transaction replay" attack. | |||||
| CVE-2021-25834 | 1 Chainsafe | 1 Ethermint | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| Cosmos Network Ethermint <= v0.4.0 is affected by a transaction replay vulnerability in the EVM module. If the victim sends a very large nonce transaction, the attacker can replay the transaction through the application. | |||||
| CVE-2021-25837 | 1 Chainsafe | 1 Ethermint | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| Cosmos Network Ethermint <= v0.4.0 is affected by cache lifecycle inconsistency in the EVM module. Due to the inconsistency between the Storage caching cycle and the Tx processing cycle, Storage changes caused by a failed transaction are improperly reserved in memory. Although the bad storage cache data will be discarded at EndBlock, it is still valid in the current block, which enables many possible attacks such as an "arbitrary mint token". | |||||
| CVE-2021-22654 | 1 Advantech | 1 Iview | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may allow an unauthorized attacker to disclose information. | |||||
| CVE-2021-27140 | 1 Fiberhome | 2 Hg6245d, Hg6245d Firmware | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to find passwords and authentication cookies stored in cleartext in the web.log HTTP logs. | |||||
| CVE-2021-27178 | 1 Fiberhome | 2 Hg6245d, Hg6245d Firmware | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on FiberHome HG6245D devices through RP2613. Some passwords are stored in cleartext in nvram. | |||||
| CVE-2021-27179 | 1 Fiberhome | 2 Hg6245d, Hg6245d Firmware | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to crash the telnet daemon by sending a certain 0a 65 6e 61 62 6c 65 0a 02 0a 1a 0a string. | |||||
| CVE-2021-27139 | 1 Fiberhome | 2 Hg6245d, Hg6245d Firmware | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to extract information from the device without authentication by disabling JavaScript and visiting /info.asp. | |||||
| CVE-2021-27142 | 1 Fiberhome | 2 Hg6245d, Hg6245d Firmware | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on FiberHome HG6245D devices through RP2613. The web management is done over HTTPS, using a hardcoded private key that has 0777 permissions. | |||||
| CVE-2021-27174 | 1 Fiberhome | 2 Hg6245d, Hg6245d Firmware | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on FiberHome HG6245D devices through RP2613. wifi_custom.cfg has cleartext passwords and 0644 permissions. | |||||
| CVE-2021-27175 | 1 Fiberhome | 2 Hg6245d, Hg6245d Firmware | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on FiberHome HG6245D devices through RP2613. wifictl_2g.cfg has cleartext passwords and 0644 permissions. | |||||
| CVE-2021-27176 | 1 Fiberhome | 2 Hg6245d, Hg6245d Firmware | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on FiberHome HG6245D devices through RP2613. wifictl_5g.cfg has cleartext passwords and 0644 permissions. | |||||
| CVE-2021-20353 | 1 Ibm | 1 Websphere Application Server | 2021-02-11 | 6.4 MEDIUM | 8.2 HIGH |
| IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 194882. | |||||
| CVE-2021-23874 | 1 Mcafee | 1 Total Protection | 2021-02-11 | 4.6 MEDIUM | 7.8 HIGH |
| Arbitrary Process Execution vulnerability in McAfee Total Protection (MTP) prior to 16.0.30 allows a local user to gain elevated privileges and execute arbitrary code bypassing MTP self-defense. | |||||
| CVE-2020-5023 | 1 Ibm | 1 Spectrum Protect Plus | 2021-02-11 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Spectrum Protect Plus 10.1.0 through 10.1.7 could allow a remote user to inject arbitrary data iwhich could cause the serivce to crash due to excess resource consumption. IBM X-Force ID: 193659. | |||||
| CVE-2021-21306 | 1 Marked Project | 1 Marked | 2021-02-11 | 5.0 MEDIUM | 7.5 HIGH |
| Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed in version 2.0.0. | |||||
| CVE-2021-21138 | 1 Google | 1 Chrome | 2021-02-11 | 6.8 MEDIUM | 8.6 HIGH |
| Use after free in DevTools in Google Chrome prior to 88.0.4324.96 allowed a local attacker to potentially perform a sandbox escape via a crafted file. | |||||
| CVE-2021-21469 | 1 Sap | 1 Netweaver Master Data Management | 2021-02-11 | 5.0 MEDIUM | 7.5 HIGH |
| When security guidelines for SAP NetWeaver Master Data Management running on windows have not been thoroughly reviewed, it might be possible for an external operator to try and set custom paths in the MDS server configuration. When no adequate protection has been enforced on any level (e.g., MDS Server password not set, network and OS configuration not properly secured, etc.), a malicious user might define UNC paths which could then be exploited to put the system at risk using a so-called SMB relay attack and obtain highly sensitive data, which leads to Information Disclosure. | |||||