Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-20262 | 1 Redhat | 2 Keycloak, Single Sign-on | 2021-03-15 | 4.6 MEDIUM | 6.8 MEDIUM |
| A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user’s browser. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. | |||||
| CVE-2021-0461 | 1 Google | 1 Android | 2021-03-15 | 4.6 MEDIUM | 6.7 MEDIUM |
| In iaxxx_core_sensor_change_state of iaxxx-module.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-175124074 | |||||
| CVE-2020-8356 | 1 Lenovo | 1 Xclarity Orchestrator | 2021-03-15 | 4.0 MEDIUM | 4.9 MEDIUM |
| An internal product security audit of LXCO, prior to version 1.2.2, discovered that optional passwords, if specified, for the Syslog and SMTP forwarders are written to an internal LXCO log file in clear text. Affected logs are captured in the First Failure Data Capture (FFDC) service log. The FFDC service log is only generated when requested by a privileged LXCO user and it is only accessible to the privileged LXCO user that requested the file. | |||||
| CVE-2021-3417 | 1 Lenovo | 1 Xclarity Orchestrator | 2021-03-15 | 4.0 MEDIUM | 4.9 MEDIUM |
| An internal product security audit of LXCO, prior to version 1.2.2, discovered that credentials for Lenovo XClarity Administrator (LXCA), if added as a Resource Manager, are encoded then written to an internal LXCO log file each time a session is established with LXCA. Affected logs are captured in the First Failure Data Capture (FFDC) service log. The FFDC service log is only generated when requested by a privileged LXCO user and it is only accessible to the privileged LXCO user that requested the file. | |||||
| CVE-2021-25313 | 1 Rancher | 1 Rancher | 2021-03-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rancher allows remote attackers to execute JavaScript via malicious links. This issue affects: SUSE Rancher Rancher versions prior to 2.5.6. | |||||
| CVE-2021-28115 | 1 Ougc Feedback Project | 1 Ougc Feedback | 2021-03-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The OUGC Feedback plugin before 1.8.23 for MyBB allows XSS via the comment field of feedback during an edit operation. | |||||
| CVE-2020-6519 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2021-03-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| Policy bypass in CSP in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||||
| CVE-2020-6516 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2021-03-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| Policy bypass in CORS in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2021-27678 | 1 Batflat | 1 Batflat | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Snippets in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name. | |||||
| CVE-2021-27677 | 1 Batflat | 1 Batflat | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Galleries in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name. | |||||
| CVE-2021-27679 | 1 Batflat | 1 Batflat | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Navigation in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name. | |||||
| CVE-2021-28088 | 1 Impresscms | 1 Impresscms | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) in modules/content/admin/content.php in ImpressCMS profile 1.4.2 allows remote attackers to inject arbitrary web script or HTML parameters through the "Display Name" field. | |||||
| CVE-2020-4903 | 1 Ibm | 1 Api Connect | 2021-03-12 | 6.4 MEDIUM | 6.5 MEDIUM |
| IBM API Connect V10 and V2018 could allow an attacker who has intercepted a registration invitation link to impersonate the registered user or obtain sensitive information. IBM X-Force ID: 191105. | |||||
| CVE-2020-28150 | 1 Inetsoftware | 1 I-net Clear Reports | 2021-03-12 | 5.8 MEDIUM | 6.1 MEDIUM |
| I-Net Software Clear Reports 20.10.136 web application accepts a user-controlled input that specifies a link to an external site, and uses the user supplied data in a Redirect. | |||||
| CVE-2020-8357 | 1 Lenovo | 1 Pcmanager | 2021-03-12 | 2.1 LOW | 5.5 MEDIUM |
| A denial of service vulnerability was reported in Lenovo PCManager, prior to version 3.0.200.2042, that could allow configuration files to be written to non-standard locations. | |||||
| CVE-2020-23721 | 1 Thedaylightstudio | 1 Fuel Cms | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in FUEL CMS V1.4.7. An attacker can use a XSS payload and bypass a filter via /fuelCM/fuel/pages/edit/1?lang=english. | |||||
| CVE-2020-35451 | 1 Apache | 1 Oozie | 2021-03-12 | 1.9 LOW | 4.7 MEDIUM |
| There is a race condition in OozieSharelibCLI in Apache Oozie before version 5.2.1 which allows a malicious attacker to replace the files in Oozie's sharelib during it's creation. | |||||
| CVE-2020-28705 | 1 Thedaylightstudio | 1 Fuel Cms | 2021-03-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| FUEL CMS 1.4.13 contains a cross-site request forgery (CSRF) vulnerability that can delete a page via a post ID to /pages/delete/3. | |||||
| CVE-2021-0374 | 1 Google | 1 Android | 2021-03-12 | 2.1 LOW | 4.4 MEDIUM |
| In BnAudioPolicyService::onTransact of IAudioPolicyService.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-169572641 | |||||
| CVE-2021-0375 | 1 Google | 1 Android | 2021-03-12 | 2.1 LOW | 5.5 MEDIUM |
| In onPackageModified of VoiceInteractionManagerService.java, there is a possible change of default applications due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-167261484 | |||||
| CVE-2021-0378 | 1 Google | 1 Android | 2021-03-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| In getNbits of pvmp3_getbits.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-154076193 | |||||
| CVE-2021-21510 | 1 Dell | 1 Idrac8 Firmware | 2021-03-12 | 5.8 MEDIUM | 6.1 MEDIUM |
| Dell iDRAC8 versions prior to 2.75.100.75 contain a host header injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by injecting arbitrary ‘Host’ header values to poison a web-cache or trigger redirections. | |||||
| CVE-2021-0394 | 1 Google | 1 Android | 2021-03-12 | 2.1 LOW | 5.5 MEDIUM |
| In android_os_Parcel_readString8 of android_os_Parcel.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-172655291 | |||||
| CVE-2021-25347 | 1 Google | 1 Android | 2021-03-12 | 4.6 MEDIUM | 5.3 MEDIUM |
| Hijacking vulnerability in Samsung Email application version prior to SMR Feb-2021 Release 1 allows attackers to intercept when the provider is executed. | |||||
| CVE-2021-27907 | 1 Apache | 1 Superset | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. Abusing this functionality, a malicious user could inject javascript code executing unwanted action in the context of the user's browser. The javascript code will be automatically executed (Stored XSS) when a legitimate user surfs on the dashboard page. The vulnerability is exploitable creating a “div” section and embedding in it a “svg” element with javascript code. | |||||
| CVE-2019-19813 | 4 Canonical, Debian, Linux and 1 more | 18 Ubuntu Linux, Debian Linux, Linux Kernel and 15 more | 2021-03-12 | 7.1 HIGH | 5.5 MEDIUM |
| In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c. This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c. | |||||
| CVE-2021-21725 | 1 Zte | 2 Zxhn H196q, Zxhn H196q Firmware | 2021-03-12 | 2.7 LOW | 5.7 MEDIUM |
| A ZTE product has an information leak vulnerability. An attacker with higher authority can go beyond their authority to access files in other directories by performing specific operations, resulting in information leak. This affects: ZXHN H196Q V9.1.0C2. | |||||
| CVE-2021-21354 | 1 Mozilla | 1 Pollbot | 2021-03-12 | 5.8 MEDIUM | 6.1 MEDIUM |
| Pollbot is open source software which "frees its human masters from the toilsome task of polling for the state of things during the Firefox release process." In Pollbot before version 1.4.4 there is an open redirection vulnerability in the path of "https://pollbot.services.mozilla.com/". An attacker can redirect anyone to malicious sites. To Reproduce type in this URL: "https://pollbot.services.mozilla.com//evil.com/". Affected versions will redirect to that website when you inject a payload like "//evil.com/". This is fixed in version 1.4.4. | |||||
| CVE-2020-29029 | 1 Secomea | 1 Gatemanager Firmware | 2021-03-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Improper Input Validation, Cross-site Scripting (XSS) vulnerability in Web GUI of Secomea GateManager allows an attacker to execute arbitrary javascript code. This issue affects: Secomea GateManager all versions prior to 9.4. | |||||
| CVE-2021-21362 | 1 Minio | 1 Minio | 2021-03-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO. | |||||
| CVE-2021-0379 | 1 Google | 1 Android | 2021-03-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| In getUpTo17bits of pvmp3_getbits.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-154075955 | |||||
| CVE-2021-0381 | 1 Google | 1 Android | 2021-03-12 | 2.1 LOW | 5.5 MEDIUM |
| In updateNotifications of DeviceStorageMonitorService.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-153466381 | |||||
| CVE-2021-0387 | 1 Google | 1 Android | 2021-03-12 | 6.9 MEDIUM | 6.4 MEDIUM |
| In FindQuotaDeviceForUuid of QuotaUtils.cpp, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-169421939 | |||||
| CVE-2021-0449 | 1 Google | 1 Android | 2021-03-12 | 2.1 LOW | 4.4 MEDIUM |
| In the Titan M chip firmware, there is a possible disclosure of stack memory due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-175117965 | |||||
| CVE-2021-0450 | 1 Google | 1 Android | 2021-03-12 | 2.1 LOW | 4.4 MEDIUM |
| In the Titan M chip firmware, there is a possible disclosure of stack memory due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-175117880 | |||||
| CVE-2021-0451 | 1 Google | 1 Android | 2021-03-12 | 2.1 LOW | 4.4 MEDIUM |
| In the Titan M chip firmware, there is a possible disclosure of stack memory due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-175117871 | |||||
| CVE-2021-0452 | 1 Google | 1 Android | 2021-03-12 | 2.1 LOW | 4.4 MEDIUM |
| In the Titan M chip firmware, there is a possible disclosure of stack memory due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-175117261 | |||||
| CVE-2021-0453 | 1 Google | 1 Android | 2021-03-12 | 2.1 LOW | 4.4 MEDIUM |
| In the Titan-M chip firmware, there is a possible disclosure of stack memory due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-175117199 | |||||
| CVE-2021-0454 | 1 Google | 1 Android | 2021-03-12 | 7.2 HIGH | 6.7 MEDIUM |
| In the Citadel chip firmware, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-175117047 | |||||
| CVE-2021-0455 | 1 Google | 1 Android | 2021-03-12 | 7.2 HIGH | 6.7 MEDIUM |
| In the Citadel chip firmware, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-175116439 | |||||
| CVE-2021-3224 | 1 Cszcms | 1 Csz Cms | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in cszcms 1.2.9 exists in /admin/pages/new via the content parameter. | |||||
| CVE-2020-35594 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-03-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine ADManager Plus before 7066 allows XSS. | |||||
| CVE-2020-27576 | 1 Maxum | 1 Rumpus | 2021-03-11 | 3.5 LOW | 5.4 MEDIUM |
| Maxum Rumpus 8.2.13 and 8.2.14 is affected by cross-site scripting (XSS). Users are able to create folders in the web application. The folder name is insufficiently validated resulting in a stored cross-site scripting vulnerability. | |||||
| CVE-2020-29055 | 1 Cdatatec | 56 72408a, 72408a Firmware, 9008a and 53 more | 2021-03-11 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. By default, the appliance can be managed remotely only with HTTP, telnet, and SNMP. It doesn't support SSL/TLS for HTTP or SSH. An attacker can intercept passwords sent in cleartext and conduct man-in-the-middle attacks on the management of the appliance. | |||||
| CVE-2021-27222 | 1 Obss | 1 Time In Status | 2021-03-11 | 3.5 LOW | 5.4 MEDIUM |
| In the "Time in Status" app before 4.13.0 for Jira, remote authenticated attackers can cause Stored XSS. | |||||
| CVE-2017-17780 | 1 Mediaburst | 8 Booking Calendar Sms, Clockwork Sms Notfications, Contact Form 7 Sms and 5 more | 2021-03-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. This component code is found in the following WordPress plugins: Clockwork Free and Paid SMS Notifications 2.0.3, Two-Factor Authentication - Clockwork SMS 1.0.2, Booking Calendar - Clockwork SMS 1.0.5, Contact Form 7 - Clockwork SMS 2.3.0, Fast Secure Contact Form - Clockwork SMS 2.1.2, Formidable - Clockwork SMS 1.0.2, Gravity Forms - Clockwork SMS 2.2, and WP e-Commerce - Clockwork SMS 2.0.5. | |||||
| CVE-2021-25344 | 1 Google | 1 Android | 2021-03-11 | 2.1 LOW | 5.5 MEDIUM |
| Missing permission check in knox_custom service prior to SMR Mar-2021 Release 1 allows attackers to gain access to device's serial number without permission. | |||||
| CVE-2021-25345 | 2 Google, Samsung | 2 Android, Exynos | 2021-03-11 | 4.9 MEDIUM | 5.5 MEDIUM |
| Graphic format mismatch while converting video format in hwcomposer prior to SMR Mar-2021 Release 1 results in kernel panic due to unsupported format. | |||||
| CVE-2020-6538 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2021-03-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in WebView in Google Chrome on Android prior to 84.0.4147.105 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2020-15973 | 4 Debian, Fedoraproject, Google and 1 more | 4 Debian Linux, Fedora, Chrome and 1 more | 2021-03-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in extensions in Google Chrome prior to 86.0.4240.75 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. | |||||