Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-29956 | 1 Mozilla | 1 Thunderbird | 2021-06-30 | 4.3 MEDIUM | 4.3 MEDIUM |
| OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions. This vulnerability affects Thunderbird < 78.10.2. | |||||
| CVE-2021-29676 | 1 Ibm | 1 Security Verify | 2021-06-30 | 5.8 MEDIUM | 5.4 MEDIUM |
| IBM Security Verify (IBM Security Verify Privilege Vault 10.9.66) is vulnerable to link injection. By persuading a victim to click on a specially-crafted URL link, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking | |||||
| CVE-2021-29677 | 1 Ibm | 1 Security Verify | 2021-06-30 | 3.5 LOW | 5.4 MEDIUM |
| IBM Security Verify (IBM Security Verify Privilege Vault 10.9.66) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2021-20477 | 1 Ibm | 1 Planning Analytics | 2021-06-30 | 3.5 LOW | 5.4 MEDIUM |
| IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 196949. | |||||
| CVE-2021-20490 | 2 Ibm, Linux | 2 Spectrum Protect Plus, Linux Kernel | 2021-06-30 | 2.1 LOW | 5.5 MEDIUM |
| IBM Spectrum Protect Plus 10.1.0 through 10.1.8 could allow a local user to cause a denial of service due to insecure file permission settings. IBM X-Force ID: 197791. | |||||
| CVE-2021-20580 | 1 Ibm | 1 Planning Analytics | 2021-06-30 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM Planning Analytics 2.0 could be vulnerable to cross-site request forgery (CSRF) which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 198241. | |||||
| CVE-2021-29945 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2021-06-30 | 4.3 MEDIUM | 6.5 MEDIUM |
| The WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash. *Note: This issue only affected x86-32 platforms. Other platforms are unaffected.*. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. | |||||
| CVE-2021-29957 | 1 Mozilla | 1 Thunderbird | 2021-06-30 | 4.3 MEDIUM | 4.3 MEDIUM |
| If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected. This vulnerability affects Thunderbird < 78.10.2. | |||||
| CVE-2021-29953 | 1 Mozilla | 1 Firefox | 2021-06-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| A malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting vulnerability. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected. Further details are being temporarily withheld to allow users an opportunity to update.*. This vulnerability affects Firefox < 88.0.1 and Firefox for Android < 88.1.3. | |||||
| CVE-2021-29955 | 1 Mozilla | 2 Firefox, Firefox Esr | 2021-06-30 | 2.6 LOW | 5.3 MEDIUM |
| A transient execution vulnerability, named Floating Point Value Injection (FPVI) allowed an attacker to leak arbitrary memory addresses and may have also enabled JIT type confusion attacks. (A related vulnerability, Speculative Code Store Bypass (SCSB), did not affect Firefox.). This vulnerability affects Firefox ESR < 78.9 and Firefox < 87. | |||||
| CVE-2021-25655 | 1 Avaya | 1 Aura Experience Portal | 2021-06-30 | 5.8 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the system Service Menu component of Avaya Aura Experience Portal may allow URL Redirection to any untrusted site through a crafted attack. Affected versions include 7.0 through 7.2.3 (without hotfix) and 8.0.0 (without hotfix). | |||||
| CVE-2021-31412 | 1 Vaadin | 2 Flow, Vaadin | 2021-06-30 | 4.3 MEDIUM | 5.3 MEDIUM |
| Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided. | |||||
| CVE-2021-25656 | 1 Avaya | 1 Aura Experience Portal | 2021-06-30 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS injection vulnerabilities were discovered in the Avaya Aura Experience Portal Web management which could allow an authenticated user to potentially disclose sensitive information. Affected versions include 7.0 through 7.2.3 (without hotfix) and 8.0.0 (without hotfix). | |||||
| CVE-2021-25652 | 1 Avaya | 1 Aura Appliance Virtualization Platform | 2021-06-30 | 2.1 LOW | 5.5 MEDIUM |
| An information disclosure vulnerability was discovered in the directory and file management of Avaya Aura Appliance Virtualization Platform Utilities (AVPU). This vulnerability may potentially allow any local user to access system functionality and configuration information that should only be available to a privileged user. Affects versions 8.0.0.0 through 8.1.3.1 of AVPU. | |||||
| CVE-2021-32699 | 1 Pterodactyl | 1 Wings | 2021-06-30 | 2.1 LOW | 6.5 MEDIUM |
| Wings is the control plane software for the open source Pterodactyl game management system. All versions of Pterodactyl Wings prior to `1.4.4` are vulnerable to system resource exhaustion due to improper container process limits being defined. A malicious user can consume more resources than intended and cause downstream impacts to other clients on the same hardware, eventually causing the physical server to stop responding. Users should upgrade to `1.4.4` to mitigate the issue. There is no non-code based workaround for impacted versions of the software. Users running customized versions of this software can manually set a PID limit for containers created. | |||||
| CVE-2020-23710 | 1 Limesurvey | 1 Limesurvey | 2021-06-29 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulneraiblity in LimeSurvey 4.2.5 on textbox via the Notifications & data feature. | |||||
| CVE-2021-20413 | 1 Ibm | 1 Guardium Data Encryption | 2021-06-29 | 5.0 MEDIUM | 4.3 MEDIUM |
| IBM Guardium Data Encryption (GDE) 4.0.0.4 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 196212. | |||||
| CVE-2021-20494 | 1 Ibm | 1 Security Identity Manager Adapter | 2021-06-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Security Identity Manager Adapters 6.0 and 7.0 are vulnerable to a heap based buffer overflow, caused by improper bounds. An authenticared user could overflow the buffer and cause the service to crash. IBM X-Force ID: 197882. | |||||
| CVE-2021-34393 | 1 Nvidia | 10 Jetson Agx Xavier 16gb, Jetson Agx Xavier 32gb, Jetson Agx Xavier 8gb and 7 more | 2021-06-29 | 2.1 LOW | 4.4 MEDIUM |
| Trusty contains a vulnerability in TSEC TA which deserializes the incoming messages even though the TSEC TA does not expose any command. This vulnerability might allow an attacker to exploit the deserializer to impact code execution, causing information disclosure. | |||||
| CVE-2021-34392 | 1 Nvidia | 2 Jetson Linux, Jetson Tx1 | 2021-06-29 | 2.1 LOW | 5.5 MEDIUM |
| Trusty TLK contains a vulnerability in the NVIDIA TLK kernel where an integer overflow in the tz_map_shared_mem function can bypass boundary checks, which might lead to denial of service. | |||||
| CVE-2021-35210 | 1 Contao | 1 Contao | 2021-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. It is possible to inject code into the tl_log table that will be executed in the browser when the system log is called in the back end. | |||||
| CVE-2021-22382 | 1 Huawei | 4 E3372, E3372 Firmware, E8372 and 1 more | 2021-06-29 | 4.4 MEDIUM | 6.5 MEDIUM |
| Huawei LTE USB Dongle products have an improper permission assignment vulnerability. An attacker can locally access and log in to a PC to induce a user to install a specially crafted application. After successfully exploiting this vulnerability, the attacker can perform unauthenticated operations. Affected product versions include:E3372 E3372h-153TCPU-V200R002B333D01SP00C00. | |||||
| CVE-2021-22383 | 1 Huawei | 4 Ecns280 Td, Ecns280 Td Firmware, Ese620x Vess and 1 more | 2021-06-29 | 6.8 MEDIUM | 4.9 MEDIUM |
| There is an out-of-bounds read vulnerability in eCNS280_TD V100R005C10 and eSE620X vESS V100R001C10SPC200, V100R001C20SPC200, V200R001C00SPC300. The vulnerability is due to a message-handling function that contains an out-of-bounds read vulnerability. An attacker can exploit this vulnerability by sending a specific message to the target device, which could cause a Denial of Service (DoS). | |||||
| CVE-2021-22378 | 1 Huawei | 2 Ecns280 Td, Ecns280 Td Firmware | 2021-06-29 | 3.5 LOW | 5.3 MEDIUM |
| There is a race condition vulnerability in eCNS280_TD V100R005C00 and V100R005C10. There is a timing window exists in which the database can be operated by another thread that is operating concurrently. Successful exploit may cause the affected device abnormal. | |||||
| CVE-2021-22342 | 1 Huawei | 8 Ips Module, Ips Module Firmware, Ngfw Module and 5 more | 2021-06-29 | 4.0 MEDIUM | 4.9 MEDIUM |
| There is an information leak vulnerability in Huawei products. A module does not deal with specific input sufficiently. High privilege attackers can exploit this vulnerability by performing some operations. This can lead to information leak. Affected product versions include: IPS Module versions V500R005C00, V500R005C10, V500R005C20; NGFW Module versions V500R005C00,V500R005C10, V500R005C20; SeMG9811 versions V500R005C00; USG9500 versions V500R001C00, V500R001C20, V500R001C30, V500R001C50, V500R001C60, V500R001C80, V500R005C00, V500R005C10, V500R005C20. | |||||
| CVE-2021-21439 | 1 Otrs | 1 Otrs | 2021-06-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions. | |||||
| CVE-2020-18670 | 1 Roundcube | 1 Roundcube | 2021-06-29 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php. | |||||
| CVE-2020-18671 | 1 Roundcube | 1 Roundcube | 2021-06-29 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. | |||||
| CVE-2021-25649 | 1 Avaya | 1 Aura Utility Services | 2021-06-29 | 2.1 LOW | 5.5 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** An information disclosure vulnerability was discovered in the directory and file management of Avaya Aura Utility Services. This vulnerability may potentially allow any local user to access system functionality and configuration information that should only be available to a privileged user. Affects all 7.x versions of Avaya Aura Utility Services. | |||||
| CVE-2021-32644 | 1 Ampache | 1 Ampache | 2021-06-29 | 3.5 LOW | 5.4 MEDIUM |
| Ampache is an open source web based audio/video streaming application and file manager. Due to a lack of input filtering versions 4.x.y are vulnerable to code injection in random.php. The attack requires user authentication to access the random.php page unless the site is running in demo mode. This issue has been resolved in 4.4.3. | |||||
| CVE-2021-22366 | 1 Huawei | 2 Ese620x Vess, Ese620x Vess Firmware | 2021-06-29 | 4.9 MEDIUM | 5.5 MEDIUM |
| There is an out-of-bounds read vulnerability in eSE620X vESS V100R001C10SPC200, V100R001C20SPC200, V200R001C00SPC300. The vulnerability is due to a function that handles an internal message contains an out-of-bounds read vulnerability. An attacker could crafted messages between system process, successful exploit could cause Denial of Service (DoS). | |||||
| CVE-2021-32684 | 1 Scandipwa | 1 Magento-scripts | 2021-06-29 | 5.0 MEDIUM | 5.5 MEDIUM |
| magento-scripts contains scripts and configuration used by Create Magento App, a zero-configuration tool-chain which allows one to deploy Magento 2. In versions 1.5.1 and 1.5.2, after changing the function from synchronous to asynchronous there wasn't implemented handler in the start, stop, exec, and logs commands, effectively making them unusable. Version 1.5.3 contains patches for the problems. | |||||
| CVE-2019-19924 | 1 Sqlite | 1 Sqlite | 2021-06-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling. | |||||
| CVE-2017-13733 | 1 Gnu | 1 Ncurses | 2021-06-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack. | |||||
| CVE-2017-13732 | 1 Gnu | 1 Ncurses | 2021-06-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack. | |||||
| CVE-2017-13731 | 1 Gnu | 1 Ncurses | 2021-06-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack. | |||||
| CVE-2017-13730 | 1 Gnu | 1 Ncurses | 2021-06-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack. | |||||
| CVE-2017-13729 | 1 Gnu | 1 Ncurses | 2021-06-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack. | |||||
| CVE-2021-32697 | 1 Neos | 1 Form | 2021-06-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form Finishers cause side effects even if no form values have been sent. Form Finishers can be adjusted in a way that they only execute an action if the submitted form contains some expected data. Alternatively a custom Finisher can be added as first finisher. This regression was introduced with https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567 | |||||
| CVE-2020-13799 | 2 Linaro, Westerndigital | 7 Op-tee, Inand Cl Em132, Inand Cl Em132 Firmware and 4 more | 2021-06-29 | 4.6 MEDIUM | 6.8 MEDIUM |
| Western Digital has identified a security vulnerability in the Replay Protected Memory Block (RPMB) protocol as specified in multiple standards for storage device interfaces, including all versions of eMMC, UFS, and NVMe. The RPMB protocol is specified by industry standards bodies and is implemented by storage devices from multiple vendors to assist host systems in securing trusted firmware. Several scenarios have been identified in which the RPMB state may be affected by an attacker without the knowledge of the trusted component that uses the RPMB feature. | |||||
| CVE-2018-12437 | 2 Libtom, Linaro | 2 Libtomcrypt, Op-tee | 2021-06-29 | 1.9 LOW | 4.9 MEDIUM |
| LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. | |||||
| CVE-2021-34387 | 1 Nvidia | 2 Jetson Linux, Jetson Tx1 | 2021-06-29 | 7.2 HIGH | 6.7 MEDIUM |
| The ARM TrustZone Technology on which Trusty is based on contains a vulnerability in access permission settings where the portion of the DRAM reserved for TrustZone is identity-mapped by TLK with read, write, and execute permissions, which gives write access to kernel code and data that is otherwise mapped read only. | |||||
| CVE-2021-21422 | 1 Mongo-express Project | 1 Mongo-express | 2021-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however this needs admin interaction on cell. 2: Data cells identified as media will be rendered as media, without being sanitized. Example of different renders: image, audio, video, etc. As an example of type 1 attack, an unauthorized user who only can send a large amount of data in a field of a document may use a payload with embedded javascript. This could send an export of a collection to the attacker without even an admin knowing. Other types of attacks such as dropping a database\collection are possible. | |||||
| CVE-2021-27612 | 1 Sap | 1 Gui For Windows | 2021-06-29 | 5.8 MEDIUM | 6.1 MEDIUM |
| In specific situations SAP GUI for Windows until and including 7.60 PL9, 7.70 PL0, forwards a user to specific malicious website which could contain malware or might lead to phishing attacks to steal credentials of the victim. | |||||
| CVE-2018-14683 | 1 Paessler | 1 Prtg Network Monitor | 2021-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| PRTG before 19.1.49.1966 has Cross Site Scripting (XSS) in the WEBGUI. | |||||
| CVE-2016-5078 | 1 Paessler | 1 Prtg Network Monitor | 2021-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Paessler PRTG before 16.2.24.4045 has XSS via SNMP. | |||||
| CVE-2021-34386 | 1 Nvidia | 2 Jetson Linux, Jetson Tx1 | 2021-06-29 | 4.6 MEDIUM | 6.7 MEDIUM |
| Trusty TLK contains a vulnerability in the NVIDIA TLK kernel where an integer overflow in the calloc size calculation can cause the multiplication of count and size can overflow, which might lead to heap overflows. | |||||
| CVE-2021-20741 | 1 Hitachi | 1 Application Server V10 Manual | 2021-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Hitachi Application Server Help (Hitachi Application Server V10 Manual (Windows) version 10-11-01 and earlier and Hitachi Application Server V10 Manual (UNIX) version 10-11-01 and earlier) allows a remote attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-32698 | 1 Elabftw | 1 Elabftw | 2021-06-28 | 4.0 MEDIUM | 4.9 MEDIUM |
| eLabFTW is an open source electronic lab notebook for research labs. This vulnerability allows an attacker to make GET requests on behalf of the server. It is "blind" because the attacker cannot see the result of the request. Issue has been patched in eLabFTW 4.0.0. | |||||
| CVE-2020-18661 | 1 Gnuboard | 1 Gnuboard5 | 2021-06-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in gnuboard5 <=v5.3.2.8 via the url parameter to bbs/login.php. | |||||