Search
Total
49350 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-13751 | 2 Fedoraproject, Jasper Project | 2 Fedora, Jasper | 2021-02-05 | 5.0 MEDIUM | 7.5 HIGH |
| There is a reachable assertion abort in the function calcstepsizes() in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of service attack. | |||||
| CVE-2017-13752 | 2 Fedoraproject, Jasper Project | 2 Fedora, Jasper | 2021-02-05 | 5.0 MEDIUM | 7.5 HIGH |
| There is a reachable assertion abort in the function jpc_dequantize() in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of service attack. | |||||
| CVE-2021-25310 | 1 Belkin | 2 Linksys Wrt160nl, Linksys Wrt160nl Firmware | 2021-02-05 | 9.0 HIGH | 8.8 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** The administration web interface on Belkin Linksys WRT160NL 1.0.04.002_US_20130619 devices allows remote authenticated attackers to execute system commands with root privileges via shell metacharacters in the ui_language POST parameter to the apply.cgi form endpoint. This occurs in do_upgrade_post in mini_httpd. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | |||||
| CVE-2021-25909 | 1 Zivautomation | 2 4cct-ea6-334126bf, 4cct-ea6-334126bf Firmware | 2021-02-05 | 5.0 MEDIUM | 7.5 HIGH |
| ZIV Automation 4CCT-EA6-334126BF firmware version 3.23.80.27.36371, allows an unauthenticated, remote attacker to cause a denial of service condition on the device. An attacker could exploit this vulnerability by sending specific packets to the port 7919. | |||||
| CVE-2021-25765 | 1 Jetbrains | 1 Youtrack | 2021-02-04 | 6.8 MEDIUM | 8.8 HIGH |
| In JetBrains YouTrack before 2020.4.4701, CSRF via attachment upload was possible. | |||||
| CVE-2021-25776 | 1 Jetbrains | 1 Teamcity | 2021-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| In JetBrains TeamCity before 2020.2, an ECR token could be exposed in a build's parameters. | |||||
| CVE-2020-24335 | 3 Contiki-ng, Contiki-os, Uip Project | 3 Contiki-ng, Contiki, Uip | 2021-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in uIP through 1.0, as used in Contiki and Contiki-NG. Domain name parsing lacks bounds checks, allowing an attacker to corrupt memory with crafted DNS packets. | |||||
| CVE-2021-3283 | 1 Hashicorp | 1 Nomad | 2021-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Nomad and Nomad Enterprise up to 0.12.9 exec and java task drivers can access processes associated with other tasks on the same node. Fixed in 0.12.10, and 1.0.3. | |||||
| CVE-2020-25036 | 1 Ucopia | 1 Ucopia Wireless Appliance | 2021-02-04 | 9.0 HIGH | 8.8 HIGH |
| UCOPIA Wi-Fi appliances 6.0.5 allow authenticated remote attackers to escape the restricted administration shell CLI, and access a shell with admin user rights, via an unprotected less command. | |||||
| CVE-2020-25037 | 1 Ucopia | 1 Ucopia Wireless Appliance | 2021-02-04 | 7.2 HIGH | 8.2 HIGH |
| UCOPIA Wi-Fi appliances 6.0.5 allow arbitrary code execution with admin user privileges via an escape from a restricted command. | |||||
| CVE-2020-29163 | 1 Rainbowfishsoftware | 1 Pacsone Server | 2021-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by SQL injection. | |||||
| CVE-2020-20290 | 1 Yccms | 1 Yccms | 2021-02-04 | 6.4 MEDIUM | 7.5 HIGH |
| Directory traversal vulnerability in the yccms 3.3 project. The delete, deletesite, and deleteAll functions' improper judgment of the request parameters, triggers a directory traversal vulnerability. | |||||
| CVE-2020-14418 | 3 Cisco, Madshi, Morphisec | 3 Advanced Malware Protection, Madcodehook, Unified Threat Prevention Platform | 2021-02-04 | 6.9 MEDIUM | 7.0 HIGH |
| A TOCTOU vulnerability exists in madCodeHook before 2020-07-16 that allows local attackers to elevate their privileges to SYSTEM. This occurs because path redirection can occur via vectors involving directory junctions. | |||||
| CVE-2021-1070 | 1 Nvidia | 7 Jetson Agx Xavier, Jetson Nano, Jetson Nano 2gb and 4 more | 2021-02-04 | 3.6 LOW | 7.1 HIGH |
| NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, L4T versions prior to 32.5, contains a vulnerability in the apply_binaries.sh script used to install NVIDIA components into the root file system image, in which improper access control is applied, which may lead to an unprivileged user being able to modify system device tree files, leading to denial of service. | |||||
| CVE-2020-5427 | 1 Vmware | 1 Spring Cloud Data Flow | 2021-02-04 | 6.5 MEDIUM | 7.2 HIGH |
| In Spring Cloud Data Flow, versions 2.6.x prior to 2.6.5, versions 2.5.x prior 2.5.4, an application is vulnerable to SQL injection when requesting task execution. | |||||
| CVE-2020-13857 | 1 Mofinetwork | 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware | 2021-02-04 | 7.8 HIGH | 7.5 HIGH |
| An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. They can be rebooted by sending an unauthenticated poof.cgi HTTP GET request. | |||||
| CVE-2020-13860 | 1 Mofinetwork | 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware | 2021-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. The one-time password algorithm for the undocumented system account mofidev generates a predictable six-digit password. | |||||
| CVE-2020-15832 | 1 Mofinetwork | 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware | 2021-02-04 | 7.8 HIGH | 7.5 HIGH |
| An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The poof.cgi script contains undocumented code that provides the ability to remotely reboot the device. An adversary with the private key (but not the root password) can remotely reboot the device. | |||||
| CVE-2021-25312 | 1 Wisc | 1 Htcondor | 2021-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| HTCondor before 8.9.11 allows a user to submit a job as another user on the system, because of a flaw in the IDTOKENS authentication method. | |||||
| CVE-2021-3341 | 1 Dh2i | 2 Dxenterprise, Dxodyssey | 2021-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| A path traversal vulnerability in the DxWebEngine component of DH2i DxEnterprise and DxOdyssey for Windows, version 19.5 through 20.x before 20.0.219.0, allows an attacker to read any file on the host file system via an HTTP request. | |||||
| CVE-2021-22159 | 1 Proofpoint | 1 Insider Threat Management | 2021-02-04 | 7.2 HIGH | 7.8 HIGH |
| Insider Threat Management Windows Agent Local Privilege Escalation Vulnerability The Proofpoint Insider Threat Management (formerly ObserveIT) Agent for Windows before 7.4.3, 7.5.4, 7.6.5, 7.7.5, 7.8.4, 7.9.3, 7.10.2, and 7.11.0.25 as well as versions 7.3 and earlier is missing authentication for a critical function, which allows a local authenticated Windows user to run arbitrary commands with the privileges of the Windows SYSTEM user. Agents for MacOS, Linux, and ITM Cloud are not affected. | |||||
| CVE-2020-23352 | 1 Zblogcn | 1 Z-blogphp | 2021-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Z-BlogPHP 1.6.0 Valyria is affected by incorrect access control. PHP loose comparison and a magic hash can be used to bypass authentication. zb_user/plugin/passwordvisit/include.php:passwordvisit_input_password() uses loose comparison to authenticate, which can be bypassed via magic hash values. | |||||
| CVE-2021-3337 | 1 Hide Thread Content Project | 1 Hide Thread Content | 2021-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| The Hide-Thread-Content plugin through 2021-01-27 for MyBB allows remote attackers to bypass intended content-reading restrictions by clicking on reply or quote in the postbit. | |||||
| CVE-2020-28477 | 1 Immer Project | 1 Immer | 2021-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| This affects all versions of package immer. | |||||
| CVE-2021-3282 | 1 Hashicorp | 1 Vault | 2021-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2. | |||||
| CVE-2019-11229 | 1 Gitea | 1 Gitea | 2021-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution. | |||||
| CVE-2020-8570 | 1 Kubernetes | 1 Java | 2021-02-04 | 6.4 MEDIUM | 7.5 HIGH |
| Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code. | |||||
| CVE-2021-26026 | 1 Acdsee | 1 Photo Studio 2021 | 2021-02-03 | 6.8 MEDIUM | 7.8 HIGH |
| PlugIns\IDE_ACDStd.apl in ACDSee Professional 2021 14.0 1721 has a User Mode Write Access Violation starting at IDE_ACDStd!JPEGTransW+0x000000000000c7f4 via a crafted BMP image. | |||||
| CVE-2021-26025 | 1 Acdsee | 1 Photo Studio 2021 | 2021-02-03 | 6.8 MEDIUM | 7.8 HIGH |
| PlugIns\IDE_ACDStd.apl in ACDSee Professional 2021 14.0 1721 has a User Mode Write Access Violation starting at IDE_ACDStd!zlibVersion+0x0000000000004e5e via a crafted BMP image. | |||||
| CVE-2021-3297 | 1 Zyxel | 2 Nbg2105, Nbg2105 Firmware | 2021-02-03 | 7.2 HIGH | 7.8 HIGH |
| On Zyxel NBG2105 V1.00(AAGU.2)C0 devices, setting the login cookie to 1 provides administrator access. | |||||
| CVE-2019-20816 | 1 Foxitsoftware | 1 Phantompdf | 2021-02-03 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Foxit PhantomPDF before 8.3.12. It has a NULL pointer dereference during the parsing of file data. | |||||
| CVE-2019-20820 | 1 Foxitsoftware | 2 Phantompdf, Reader | 2021-02-03 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Foxit Reader and PhantomPDF before 9.7. It has a NULL pointer dereference during the parsing of file data. | |||||
| CVE-2020-7384 | 1 Rapid7 | 1 Metasploit | 2021-02-03 | 9.3 HIGH | 7.8 HIGH |
| Rapid7's Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file that would execute arbitrary commands on a victim's machine. | |||||
| CVE-2021-26308 | 1 Marc Project | 1 Marc | 2021-02-03 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the marc crate before 2.0.0 for Rust. A user-provided Read implementation can gain access to the old contents of newly allocated memory, violating soundness. | |||||
| CVE-2021-26266 | 1 Cpanel | 1 Cpanel | 2021-02-03 | 5.0 MEDIUM | 7.5 HIGH |
| cPanel before 92.0.9 allows a Reseller to bypass the suspension lock (SEC-578). | |||||
| CVE-2020-29004 | 1 Mediawiki | 1 Mediawiki | 2021-02-03 | 6.8 MEDIUM | 8.8 HIGH |
| The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack. | |||||
| CVE-2021-1353 | 1 Cisco | 5 Asr 5000, Asr 5500, Asr 5700 and 2 more | 2021-02-03 | 5.0 MEDIUM | 8.6 HIGH |
| A vulnerability in the IPv4 protocol handling of Cisco StarOS could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a memory leak that occurs during packet processing. An attacker could exploit this vulnerability by sending a series of crafted IPv4 packets through an affected device. A successful exploit could allow the attacker to exhaust the available memory and cause an unexpected restart of the npusim process, leading to a DoS condition on the affected device. | |||||
| CVE-2021-25247 | 2 Microsoft, Trendmicro | 2 Windows, Housecall For Home Networks | 2021-02-03 | 4.4 MEDIUM | 7.8 HIGH |
| A DLL hijacking vulnerability Trend Micro HouseCall for Home Networks version 5.3.1063 and below could allow an attacker to use a malicious DLL to escalate privileges and perform arbitrary code execution. An attacker must already have user privileges on the machine to exploit this vulnerability. | |||||
| CVE-2018-3848 | 2 Fedoraproject, Nasa | 2 Fedora, Cfitsio | 2021-02-03 | 6.8 MEDIUM | 8.8 HIGH |
| In the ffghbn function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution. | |||||
| CVE-2018-3849 | 2 Fedoraproject, Nasa | 2 Fedora, Cfitsio | 2021-02-03 | 6.8 MEDIUM | 8.8 HIGH |
| In the ffghtb function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution. | |||||
| CVE-2020-36213 | 1 Abi Stable Project | 1 Abi Stable | 2021-02-03 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the abi_stable crate before 0.9.1 for Rust. A retain call can create an invalid UTF-8 string, violating soundness. | |||||
| CVE-2020-27295 | 1 Honeywell | 1 Opc Ua Tunneller | 2021-02-03 | 5.0 MEDIUM | 7.5 HIGH |
| The affected product has uncontrolled resource consumption issues, which may allow an attacker to cause a denial-of-service condition on the OPC UA Tunneller (versions prior to 6.3.0.8233). | |||||
| CVE-2020-27274 | 1 Honeywell | 1 Opc Ua Tunneller | 2021-02-03 | 5.0 MEDIUM | 7.5 HIGH |
| Some parsing functions in the affected product do not check the return value of malloc and the thread handling the message is forced to close, which may lead to a denial-of-service condition on the OPC UA Tunneller (versions prior to 6.3.0.8233). | |||||
| CVE-2020-36209 | 1 Late-static Project | 1 Late-static | 2021-02-03 | 4.4 MEDIUM | 7.0 HIGH |
| An issue was discovered in the late-static crate before 0.4.0 for Rust. Because Sync is implemented for LateStatic with T: Send, a data race can occur. | |||||
| CVE-2019-19940 | 1 Swisscom | 2 Centro Grande, Centro Grande Firmware | 2021-02-03 | 9.0 HIGH | 7.2 HIGH |
| Incorrect input sanitation in text-oriented user interfaces (telnet, ssh) in Swisscom Centro Grande before 6.16.12 allows remote authenticated users to execute arbitrary commands via command injection. | |||||
| CVE-2020-36212 | 1 Abi Stable Project | 1 Abi Stable | 2021-02-03 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the abi_stable crate before 0.9.1 for Rust. DrainFilter lacks soundness because of a double drop. | |||||
| CVE-2020-23776 | 1 Winmail Project | 1 Winmail | 2021-02-03 | 5.0 MEDIUM | 7.5 HIGH |
| A SSRF vulnerability exists in Winmail 6.5 in app.php in the key parameter when HTTPS is on. An attacker can use this vulnerability to cause the server to send a request to a specific URL. An attacker can modify the request header 'HOST' value to cause the server to send the request. | |||||
| CVE-2020-29000 | 1 Mygeeni | 2 Gnc-cw013, Gnc-cw013 Firmware | 2021-02-03 | 9.0 HIGH | 7.2 HIGH |
| An issue was discovered on Geeni GNC-CW013 doorbell 1.8.1 devices. A vulnerability exists in the RTSP service that allows a remote attacker to take full control of the device with a high-privileged account. By sending a crafted message, an attacker is able to remotely deliver a telnet session. Any attacker that has the ability to control DNS can exploit this vulnerability to remotely login to the device and gain access to the camera system. | |||||
| CVE-2020-10758 | 1 Redhat | 3 Keycloak, Openshift Application Runtimes, Single Sign-on | 2021-02-03 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body. | |||||
| CVE-2016-9396 | 1 Jasper Project | 1 Jasper | 2021-02-03 | 5.0 MEDIUM | 7.5 HIGH |
| The JPC_NOMINALGAIN function in jpc/jpc_t1cod.c in JasPer through 2.0.12 allows remote attackers to cause a denial of service (JPC_COX_RFT assertion failure) via unspecified vectors. | |||||