Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-36316 | 1 Relic Project | 1 Relic | 2021-04-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| In RELIC before 2021-04-03, there is a buffer overflow in PKCS#1 v1.5 signature verification because garbage bytes can be present. | |||||
| CVE-2020-24135 | 1 Wcms | 1 Wcms | 2021-04-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Wcms 0.3.2, which allows remote attackers to inject arbitrary web script and HTML via the type parameter to wex/cssjs.php. | |||||
| CVE-2020-24138 | 1 Wcms | 1 Wcms | 2021-04-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in wcms 0.3.2 allows remote attackers to inject arbitrary web script and HTML via the pagename parameter to wex/html.php. | |||||
| CVE-2019-1799 | 1 Cisco | 2 Wireless Lan Controller, Wireless Lan Controller Software | 2021-04-15 | 6.1 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the handling of Inter-Access Point Protocol (IAPP) messages by Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition. The vulnerability exist because the software improperly validates input on fields within IAPP messages. An attacker could exploit the vulnerability by sending malicious IAPP messages to an affected device. A successful exploit could allow the attacker to cause the Cisco WLC Software to reload, resulting in a DoS condition. Software versions prior to 8.2.170.0, 8.5.150.0, and 8.8.100.0 are affected. | |||||
| CVE-2019-1796 | 1 Cisco | 2 Wireless Lan Controller, Wireless Lan Controller Software | 2021-04-15 | 6.1 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the handling of Inter-Access Point Protocol (IAPP) messages by Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition. The vulnerability exist because the software improperly validates input on fields within IAPP messages. An attacker could exploit the vulnerability by sending malicious IAPP messages to an affected device. A successful exploit could allow the attacker to cause the Cisco WLC Software to reload, resulting in a DoS condition. Software versions prior to 8.2.170.0, 8.5.150.0, and 8.8.100.0 are affected. | |||||
| CVE-2019-1800 | 1 Cisco | 2 Wireless Lan Controller, Wireless Lan Controller Software | 2021-04-15 | 6.1 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the handling of Inter-Access Point Protocol (IAPP) messages by Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition. The vulnerability exist because the software improperly validates input on fields within IAPP messages. An attacker could exploit the vulnerability by sending malicious IAPP messages to an affected device. A successful exploit could allow the attacker to cause the Cisco WLC Software to reload, resulting in a DoS condition. Software versions prior to 8.2.170.0, 8.5.150.0, and 8.8.100.0 are affected. | |||||
| CVE-2020-15500 | 1 Tileserver | 1 Tileservergl | 2021-04-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS. | |||||
| CVE-2021-25894 | 1 Magnolia-cms | 1 Magnolia Cms | 2021-04-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Magnolia CMS from 6.1.3 to 6.2.3 contains a stored cross-site scripting (XSS) vulnerability in the /magnoliaPublic/travel/members/login.html mgnlUserId parameter. | |||||
| CVE-2021-25893 | 1 Magnolia-cms | 1 Magnolia Cms | 2021-04-15 | 3.5 LOW | 5.4 MEDIUM |
| Magnolia CMS from 6.1.3 to 6.2.3 contains a stored cross-site scripting (XSS) vulnerability in the setText parameter of /magnoliaAuthor/.magnolia/. | |||||
| CVE-2021-28646 | 1 Trendmicro | 2 Apex One, Officescan | 2021-04-14 | 2.1 LOW | 5.5 MEDIUM |
| An insecure file permissions vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to take control of a specific log file on affected installations. | |||||
| CVE-2021-3413 | 2 Redhat, Theforeman | 2 Satellite, Foreman Azurerm | 2021-04-14 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw was found in Red Hat Satellite in tfm-rubygem-foreman_azure_rm in versions before 2.2.0. A credential leak was identified which will expose Azure Resource Manager's secret key through JSON of the API output. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |||||
| CVE-2021-26833 | 1 Timelybills | 1 Timelybills | 2021-04-14 | 4.3 MEDIUM | 5.9 MEDIUM |
| Cleartext Storage in a File or on Disk in TimelyBills <= 1.7.0 for iOS and versions <= 1.21.115 for Android allows attacker who can locally read user's files obtain JWT tokens for user's account due to insufficient cache clearing mechanisms. A threat actor can obtain sensitive user data by decoding the tokens as JWT is signed and encoded, not encrypted. | |||||
| CVE-2021-27945 | 1 Squirro | 1 Squirro | 2021-04-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Squirro Insights Engine was affected by a Reflected Cross-Site Scripting (XSS) vulnerability affecting versions 2.0.0 up to and including 3.2.4. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes. | |||||
| CVE-2020-14103 | 1 Mi | 2 Mi 10, Miui | 2021-04-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| The application in the mobile phone can read the SNO information of the device, Xiaomi 10 MIUI < 2020.01.15. | |||||
| CVE-2021-22513 | 1 Microfocus | 1 Application Automation Tools | 2021-04-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| Missing Authorization vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow access without permission checks. | |||||
| CVE-2021-22115 | 1 Cloudfoundry | 2 Capi-release, Cf-deployment | 2021-04-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| Cloud Controller API versions prior to 1.106.0 logs service broker credentials if the default value of db logging config field is changed. CAPI database logs service broker password in plain text whenever a job to clean up orphaned items is run by Cloud Controller. | |||||
| CVE-2020-14106 | 1 Mi | 1 Miui | 2021-04-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| The application in the mobile phone can unauthorized access to the list of running processes in the mobile phone, Xiaomi Mobile Phone MIUI < 2021.01.26. | |||||
| CVE-2020-36287 | 1 Atlassian | 2 Data Center, Jira | 2021-04-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check. | |||||
| CVE-2021-1420 | 1 Cisco | 1 Webex Meetings | 2021-04-14 | 4.3 MEDIUM | 4.7 MEDIUM |
| A vulnerability in certain web pages of Cisco Webex Meetings could allow an unauthenticated, remote attacker to modify a web page in the context of a user's browser. The vulnerability is due to improper checks on parameter values in affected pages. An attacker could exploit this vulnerability by persuading a user to follow a crafted link that is designed to pass HTML code into an affected parameter. A successful exploit could allow the attacker to alter the contents of a web page to redirect the user to potentially malicious websites, or the attacker could use this vulnerability to conduct further client-side attacks. | |||||
| CVE-2021-24031 | 1 Facebook | 1 Zstandard | 2021-04-14 | 2.1 LOW | 5.5 MEDIUM |
| In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties. | |||||
| CVE-2021-22511 | 1 Microfocus | 1 Application Automation Tools | 2021-04-14 | 6.4 MEDIUM | 6.5 MEDIUM |
| Improper Certificate Validation vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow unconditionally disabling of SSL/TLS certificates. | |||||
| CVE-2021-28209 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2021-04-14 | 6.8 MEDIUM | 4.9 MEDIUM |
| The specific function in ASUS BMC’s firmware Web management page (Delete video file function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can use the means of path traversal to access system files. | |||||
| CVE-2021-28208 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2021-04-14 | 6.8 MEDIUM | 4.9 MEDIUM |
| The specific function in ASUS BMC’s firmware Web management page (Get video file function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can use the means of path traversal to access system files. | |||||
| CVE-2021-28207 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2021-04-14 | 6.8 MEDIUM | 4.9 MEDIUM |
| The specific function in ASUS BMC’s firmware Web management page (Get Help file function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can use the means of path traversal to access system files. | |||||
| CVE-2021-28206 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2021-04-14 | 6.8 MEDIUM | 4.9 MEDIUM |
| The specific function in ASUS BMC’s firmware Web management page (Record video file function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can use the means of path traversal to access system files. | |||||
| CVE-2021-28205 | 1 Asus | 6 Asmb8-ikvm, Asmb8-ikvm Firmware, Z10pe-d16 Ws and 3 more | 2021-04-14 | 6.8 MEDIUM | 4.9 MEDIUM |
| The specific function in ASUS BMC’s firmware Web management page (Delete SOL video file function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can use the means of path traversal to access system files. | |||||
| CVE-2021-28202 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2021-04-14 | 4.0 MEDIUM | 4.9 MEDIUM |
| The Service configuration-2 function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service. | |||||
| CVE-2021-28201 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2021-04-14 | 4.0 MEDIUM | 4.9 MEDIUM |
| The Service configuration-1 function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service. | |||||
| CVE-2021-28200 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2021-04-14 | 4.0 MEDIUM | 4.9 MEDIUM |
| The CD media configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service. | |||||
| CVE-2021-22512 | 1 Microfocus | 1 Application Automation Tools | 2021-04-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow form validation without permission checks. | |||||
| CVE-2021-28166 | 1 Eclipse | 1 Mosquitto | 2021-04-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL pointer dereference would occur. | |||||
| CVE-2021-24200 | 1 Tms-outsource | 1 Wpdatatables | 2021-04-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'length' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application. | |||||
| CVE-2021-24199 | 1 Tms-outsource | 1 Wpdatatables | 2021-04-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application. | |||||
| CVE-2021-20519 | 1 Ibm | 12 Collaborative Lifecycle Management, Doors Next, Engineering Insights and 9 more | 2021-04-13 | 4.3 MEDIUM | 5.4 MEDIUM |
| IBM Jazz Team Server products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198441. | |||||
| CVE-2021-28199 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2021-04-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| The specific function in ASUS BMC’s firmware Web management page (Modify user’s information function) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service. | |||||
| CVE-2020-4964 | 1 Ibm | 12 Collaborative Lifecycle Management, Doors Next, Engineering Insights and 9 more | 2021-04-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Jazz Team Server products contain an undisclosed vulnerability that could allow an authenticated user to present a customized message on the application which could be used to phish other users. IBM X-Force ID: 192419. | |||||
| CVE-2020-4920 | 1 Ibm | 12 Collaborative Lifecycle Management, Doors Next, Engineering Insights and 9 more | 2021-04-13 | 4.3 MEDIUM | 5.4 MEDIUM |
| IBM Jazz Team Server products are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191396. | |||||
| CVE-2021-28198 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2021-04-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| The Firmware protocol configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service. | |||||
| CVE-2019-15809 | 5 Athena-scs, Cryptsoft, Microchip and 2 more | 5 Idprotect, S\/a Idflex V, Atmel Toolbox and 2 more | 2021-04-13 | 1.2 LOW | 4.7 MEDIUM |
| Smart cards from the Athena SCS manufacturer, based on the Atmel Toolbox 00.03.11.05 and the AT90SC chip, contain a timing side channel in ECDSA signature generation. This allows a local attacker, able to measure the duration of hundreds to thousands of signing operations, to compute the private key used. The issue occurs because the Atmel Toolbox 00.03.11.05 contains two versions of ECDSA signature functions, described as fast and secure, but the affected cards chose to use the fast version, which leaks the bit length of the random nonce via timing. This affects Athena IDProtect 010b.0352.0005, Athena IDProtect 010e.1245.0002, Athena IDProtect 0106.0130.0401, Athena IDProtect 010e.1245.0002, Valid S/A IDflex V 010b.0352.0005, SafeNet eToken 4300 010e.1245.0002, TecSec Armored Card 010e.0264.0001, and TecSec Armored Card 108.0264.0001. | |||||
| CVE-2021-28197 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2021-04-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| The Active Directory configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service. | |||||
| CVE-2021-28196 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2021-04-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| The specific function in ASUS BMC’s firmware Web management page (Generate SSL certificate function) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service. | |||||
| CVE-2021-21532 | 1 Dell | 1 Wyse Thinos | 2021-04-13 | 5.8 MEDIUM | 6.3 MEDIUM |
| Dell Wyse ThinOS 8.6 MR9 contains remediation for an improper management server validation vulnerability that could be potentially exploited to redirect a client to an attacker-controlled management server, thus allowing the attacker to change the device configuration or certificate file. | |||||
| CVE-2021-28195 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2021-04-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| The Radius configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service. | |||||
| CVE-2021-28176 | 1 Asus | 6 Asmb8-ikvm, Asmb8-ikvm Firmware, Z10pe-d16 Ws and 3 more | 2021-04-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| The DNS configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service. | |||||
| CVE-2021-28194 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2021-04-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| The specific function in ASUS BMC’s firmware Web management page (Remote image configuration setting) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service. | |||||
| CVE-2020-36312 | 1 Linux | 1 Linux Kernel | 2021-04-13 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d. | |||||
| CVE-2021-21639 | 1 Jenkins | 1 Jenkins | 2021-04-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type. | |||||
| CVE-2021-28193 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2021-04-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| The SMTP configuration function in ASUS BMC’s firmware Web management page does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service. | |||||
| CVE-2021-21640 | 1 Jenkins | 1 Jenkins | 2021-04-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names. | |||||
| CVE-2021-28192 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2021-04-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| The specific function in ASUS BMC’s firmware Web management page (Remote video storage function) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service. | |||||