Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-24918 | 1 Ambarella | 1 Oryx Rtsp Server | 2021-05-07 | 10.0 HIGH | 9.8 CRITICAL |
| A buffer overflow in the RTSP service of the Ambarella Oryx RTSP Server 2020-01-07 allows an unauthenticated attacker to send a crafted RTSP request, with a long digest authentication header, to execute arbitrary code in parse_authentication_header() in libamprotocol-rtsp.so.1 in rtsp_svc (or cause a crash). This allows remote takeover of a Furbo Dog Camera, for example. | |||||
| CVE-2021-31791 | 1 Sentrysoftware | 1 Hardware Sentry Km For Bmc Patrol | 2021-05-07 | 5.0 MEDIUM | 7.5 HIGH |
| In Hardware Sentry KM before 10.0.01 for BMC PATROL, a cleartext password may be discovered after a failure or timeout of a command. | |||||
| CVE-2021-29239 | 1 Codesys | 1 Development System | 2021-05-07 | 4.6 MEDIUM | 7.8 HIGH |
| CODESYS Development System 3 before 3.5.17.0 displays or executes malicious documents or files embedded in libraries without first checking their validity. | |||||
| CVE-2020-28944 | 1 Open-xchange | 1 Ox Guard | 2021-05-07 | 5.0 MEDIUM | 7.5 HIGH |
| OX Guard 2.10.4 and earlier allows a Denial of Service via a WKS server that responds slowly or with a large amount of data. | |||||
| CVE-2020-28943 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-05-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| OX App Suite 7.10.4 and earlier allows SSRF via a snippet. | |||||
| CVE-2020-28945 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite 7.10.4 and earlier allows XSS via crafted content to reach an undocumented feature, such as  that is mishandled in the App Suite UI on a smartphone. | |||||
| CVE-2021-31935 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite 7.10.4 and earlier allows XSS via a crafted distribution list (payload in the common name) that is mishandled in the scheduling view. | |||||
| CVE-2020-7791 | 1 I18n Project | 1 I18n | 2021-05-07 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package i18n before 2.1.15. Vulnerability arises out of insufficient handling of erroneous language tags in src/i18n/Concrete/TextLocalizer.cs and src/i18n/LocalizedApplication.cs. | |||||
| CVE-2021-29476 | 1 Wordpress | 1 Requests | 2021-05-07 | 7.5 HIGH | 9.8 CRITICAL |
| Requests is a HTTP library written in PHP. Requests mishandles deserialization in FilteredIterator. The issue has been patched and users of `Requests` 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0. | |||||
| CVE-2021-25164 | 1 Arubanetworks | 1 Airwave | 2021-05-07 | 5.5 MEDIUM | 6.5 MEDIUM |
| A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. | |||||
| CVE-2021-25151 | 1 Arubanetworks | 1 Airwave | 2021-05-07 | 9.0 HIGH | 8.8 HIGH |
| A remote insecure deserialization vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. | |||||
| CVE-2021-25165 | 1 Arubanetworks | 1 Airwave | 2021-05-07 | 5.5 MEDIUM | 8.1 HIGH |
| A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. | |||||
| CVE-2021-31423 | 1 Parallels | 1 Parallels Desktop | 2021-05-07 | 2.1 LOW | 6.0 MEDIUM |
| This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.5-47309. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-12528. | |||||
| CVE-2021-21365 | 1 Typo3 | 1 Typo3 | 2021-05-07 | 3.5 LOW | 5.4 MEDIUM |
| Bootstrap Package is a theme for TYPO3. It has been discovered that rendering content in the website frontend is vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. Users of the extension, who have overwritten the affected templates with custom code must manually apply the security fix. Update to version 7.1.2, 8.0.8, 9.1.4, 10.0.10 or 11.0.3 of the Bootstrap Package that fix the problem described. Updated version are available from the TYPO3 extension manager, Packagist and at https://extensions.typo3.org/extension/download/bootstrap_package/. | |||||
| CVE-2020-7037 | 1 Avaya | 1 Equinox Conferencing | 2021-05-07 | 5.5 MEDIUM | 8.1 HIGH |
| An XML External Entities (XXE) vulnerability in Media Server component of Avaya Equinox Conferencing could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system or even potentially lead to a denial of service. The affected versions of Avaya Equinox Conferencing includes all 9.x versions before 9.1.11. Equinox Conferencing is now offered as Avaya Meetings Server. | |||||
| CVE-2021-31856 | 1 Layer5 | 1 Meshery | 2021-05-06 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go). | |||||
| CVE-2021-25839 | 1 Minthcm | 1 Minthcm | 2021-05-06 | 5.0 MEDIUM | 9.8 CRITICAL |
| A weak password requirement vulnerability exists in the Create New User function of MintHCM RELEASE 3.0.8, which could lead an attacker to easier password brute-forcing. | |||||
| CVE-2021-31803 | 1 Cpanel | 1 Cpanel | 2021-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| cPanel before 94.0.3 allows self-XSS via EasyApache 4 Save Profile (SEC-581). | |||||
| CVE-2021-31802 | 1 Netgear | 2 R7000, R7000 Firmware | 2021-05-06 | 8.3 HIGH | 8.8 HIGH |
| NETGEAR R7000 1.0.11.116 devices have a heap-based Buffer Overflow that is exploitable from the local network without authentication. The vulnerability exists within the handling of an HTTP request. An attacker can leverage this to execute code as root. The problem is that a user-provided length value is trusted during a backup.cgi file upload. The attacker must add a \n before the Content-Length header. | |||||
| CVE-2021-31726 | 1 Akuvox | 2 C315, C315 Firmware | 2021-05-06 | 7.5 HIGH | 9.8 CRITICAL |
| Akuvox C315 115.116.2613 allows remote command Injection via the cfgd_server service. The attack vector is sending a payload to port 189 (default root 0.0.0.0). | |||||
| CVE-2021-21537 | 1 Dell | 1 Hybrid Client | 2021-05-06 | 2.1 LOW | 5.5 MEDIUM |
| Dell Hybrid Client versions prior to 1.5 contain an information exposure vulnerability. A local unauthenticated attacker may exploit this vulnerability in order to view and exfiltrate sensitive information on the system. | |||||
| CVE-2021-21534 | 1 Dell | 1 Hybrid Client | 2021-05-06 | 2.1 LOW | 3.3 LOW |
| Dell Hybrid Client versions prior to 1.5 contain an information exposure vulnerability. A local unauthenticated attacker may exploit this vulnerability in order to gain access to sensitive information via the local API. | |||||
| CVE-2021-21535 | 1 Dell | 1 Hybrid Client | 2021-05-06 | 7.2 HIGH | 7.8 HIGH |
| Dell Hybrid Client versions prior to 1.5 contain a missing authentication for a critical function vulnerability. A local unauthenticated attacker may exploit this vulnerability in order to gain root level access to the system. | |||||
| CVE-2021-21536 | 1 Dell | 1 Hybrid Client | 2021-05-06 | 2.1 LOW | 5.5 MEDIUM |
| Dell Hybrid Client versions prior to 1.5 contain an information exposure vulnerability. A local unauthenticated attacker may exploit this vulnerability in order to register the client to a server in order to view sensitive information. | |||||
| CVE-2021-31419 | 1 Parallels | 1 Parallels Desktop | 2021-05-06 | 2.1 LOW | 6.5 MEDIUM |
| This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.4-47270. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-12136. | |||||
| CVE-2021-31420 | 1 Parallels | 1 Parallels Desktop | 2021-05-06 | 4.6 MEDIUM | 8.8 HIGH |
| This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.0-48950. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-12220. | |||||
| CVE-2021-31418 | 1 Parallels | 1 Parallels Desktop | 2021-05-06 | 2.1 LOW | 6.5 MEDIUM |
| This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.4-47270. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-12221. | |||||
| CVE-2021-31417 | 1 Parallels | 1 Parallels Desktop | 2021-05-06 | 2.1 LOW | 6.5 MEDIUM |
| This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.4-47270. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-12131. | |||||
| CVE-2021-31795 | 1 Pvrsrvkm.ko Project | 1 Pvrsrvkm.ko | 2021-05-06 | 6.9 MEDIUM | 7.0 HIGH |
| The PowerVR GPU kernel driver in pvrsrvkm.ko through 2021-04-24 for the Linux kernel, as used on Alcatel 1S phones, allows attackers to overwrite heap memory via PhysmemNewRamBackedPMR. | |||||
| CVE-2021-20714 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2021-05-06 | 5.5 MEDIUM | 6.5 MEDIUM |
| Directory traversal vulnerability in WP Fastest Cache versions prior to 0.9.1.7 allows a remote attacker with administrator privileges to delete arbitrary files on the server via unspecified vectors. | |||||
| CVE-2020-35542 | 1 Unisys | 1 Data Exchange Management Studio | 2021-05-06 | 3.5 LOW | 5.4 MEDIUM |
| Unisys Data Exchange Management Studio through 5.0.34 doesn't sanitize the input to a HTML document field. This could be used for an XSS attack. | |||||
| CVE-2021-25898 | 1 Void | 1 Aural Rec Monitor | 2021-05-06 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in svc-login.php in Void Aural Rec Monitor 9.0.0.1. Passwords are stored in unencrypted source-code text files. This was noted when accessing the svc-login.php file. The value is used to authenticate a high-privileged user upon authenticating with the server. | |||||
| CVE-2021-25315 | 3 Opensuse, Saltstack, Suse | 3 Tumbleweed, Salt, Suse Linux Enterprise Server | 2021-05-06 | 4.6 MEDIUM | 7.8 HIGH |
| A Incorrect Implementation of Authentication Algorithm vulnerability in of SUSE SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. | |||||
| CVE-2020-21998 | 1 Homeautomation Project | 1 Homeautomation | 2021-05-06 | 5.8 MEDIUM | 6.1 MEDIUM |
| In HomeAutomation 3.3.2 input passed via the 'redirect' GET parameter in 'api.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain. | |||||
| CVE-2017-9438 | 1 Virustotal | 1 Yara | 2021-05-06 | 5.0 MEDIUM | 7.5 HIGH |
| libyara/re.c in the regexp module in YARA 3.5.0 allows remote attackers to cause a denial of service (stack consumption) via a crafted rule (involving hex strings) that is mishandled in the _yr_re_emit function, a different vulnerability than CVE-2017-9304. | |||||
| CVE-2019-19648 | 1 Virustotal | 1 Yara | 2021-05-06 | 6.8 MEDIUM | 7.8 HIGH |
| In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution. | |||||
| CVE-2020-21989 | 1 Homeautomation Project | 1 Homeautomation | 2021-05-06 | 6.8 MEDIUM | 8.8 HIGH |
| HomeAutomation 3.3.2 is affected by Cross Site Request Forgery (CSRF). The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. | |||||
| CVE-2020-22000 | 1 Homeautomation Project | 1 Homeautomation | 2021-05-06 | 8.5 HIGH | 8.0 HIGH |
| HomeAutomation 3.3.2 suffers from an authenticated OS command execution vulnerability using custom command v0.1 plugin. This can be exploited with a CSRF vulnerability to execute arbitrary shell commands as the web user via the 'set_command_on' and 'set_command_off' POST parameters in '/system/systemplugins/customcommand/customcommand.plugin.php' by using an unsanitized PHP exec() function. | |||||
| CVE-2020-18084 | 1 Yzmcms | 1 Yzmcms | 2021-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in yzmCMS v5.2 allows remote attackers to execute arbitrary code by injecting commands into the "referer" field of a POST request to the component "/member/index/login.html" when logging in. | |||||
| CVE-2021-26797 | 1 Hametech | 2 Hame Sd1 Wi-fi, Hame Sd1 Wi-fi Firmware | 2021-05-06 | 7.5 HIGH | 9.8 CRITICAL |
| An access control vulnerability in Hame SD1 Wi-Fi firmware <=V.20140224154640 allows an attacker to get system administrator through an open Telnet service. | |||||
| CVE-2021-31431 | 1 Parallels | 1 Parallels Desktop | 2021-05-06 | 2.1 LOW | 6.0 MEDIUM |
| This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.5-47309. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the IDE virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13189. | |||||
| CVE-2021-31432 | 1 Parallels | 1 Parallels Desktop | 2021-05-06 | 2.1 LOW | 6.0 MEDIUM |
| This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.5-47309. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the IDE virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13190. | |||||
| CVE-2021-31430 | 1 Parallels | 1 Parallels Desktop | 2021-05-06 | 2.1 LOW | 6.0 MEDIUM |
| This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.5-47309. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the IDE virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13188. | |||||
| CVE-2021-31429 | 1 Parallels | 1 Parallels Desktop | 2021-05-06 | 4.6 MEDIUM | 8.2 HIGH |
| This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.5-47309. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the IDE virtual device. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13187. | |||||
| CVE-2021-31428 | 1 Parallels | 1 Parallels Desktop | 2021-05-06 | 4.6 MEDIUM | 8.2 HIGH |
| This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.5-47309. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the IDE virtual device. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13186. | |||||
| CVE-2021-3451 | 1 Lenovo | 1 Pcmanager | 2021-05-06 | 2.1 LOW | 5.5 MEDIUM |
| A denial of service vulnerability was reported in Lenovo PCManager, prior to version 3.0.400.3252, that could allow configuration files to be written to non-standard locations. | |||||
| CVE-2021-3464 | 1 Lenovo | 1 Pcmanager | 2021-05-06 | 7.2 HIGH | 7.8 HIGH |
| A DLL search path vulnerability was reported in Lenovo PCManager, prior to version 3.0.400.3252, that could allow privilege escalation. | |||||
| CVE-2021-28399 | 1 Orangehrm | 1 Orangehrm | 2021-05-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function. | |||||
| CVE-2021-20680 | 1 Nec | 34 Aterm W1200ex, Aterm W1200ex-ms, Aterm W1200ex-ms Firmware and 31 more | 2021-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in NEC Aterm devices (Aterm WG1900HP2 firmware Ver.1.3.1 and earlier, Aterm WG1900HP firmware Ver.2.5.1 and earlier, Aterm WG1800HP4 firmware Ver.1.3.1 and earlier, Aterm WG1800HP3 firmware Ver.1.5.1 and earlier, Aterm WG1200HS2 firmware Ver.2.5.0 and earlier, Aterm WG1200HP3 firmware Ver.1.3.1 and earlier, Aterm WG1200HP2 firmware Ver.2.5.0 and earlier, Aterm W1200EX firmware Ver.1.3.1 and earlier, Aterm W1200EX-MS firmware Ver.1.3.1 and earlier, Aterm WG1200HS firmware all versions Aterm WG1200HP firmware all versions Aterm WF800HP firmware all versions Aterm WF300HP2 firmware all versions Aterm WR8165N firmware all versions Aterm W500P firmware all versions, and Aterm W300P firmware all versions) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||||