Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-1386 | 1 Cisco | 3 Advanced Malware Protection For Endpoints, Clamav, Immunet | 2021-04-19 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the dynamic link library (DLL) loading mechanism in Cisco Advanced Malware Protection (AMP) for Endpoints Windows Connector, ClamAV for Windows, and Immunet could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected Windows system. To exploit this vulnerability, the attacker would need valid credentials on the system. The vulnerability is due to insufficient validation of directory search paths at run time. An attacker could exploit this vulnerability by placing a malicious DLL file on an affected system. A successful exploit could allow the attacker to execute arbitrary code with SYSTEM privileges. | |||||
| CVE-2021-1467 | 1 Cisco | 1 Webex Meetings | 2021-04-19 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in Cisco Webex Meetings for Android could allow an authenticated, remote attacker to modify the avatar of another user. This vulnerability is due to improper authorization checks. An attacker could exploit this vulnerability by sending a crafted request to the Cisco Webex Meetings client of a targeted user of a meeting in which they are both participants. A successful exploit could allow the attacker to modify the avatar of the targeted user. | |||||
| CVE-2016-1133 | 1 Dena | 1 H2o | 2021-04-19 | 4.3 MEDIUM | 3.7 LOW |
| CRLF injection vulnerability in the on_req function in lib/handler/redirect.c in H2O before 1.6.2 and 1.7.x before 1.7.0-beta3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URI. | |||||
| CVE-2016-4817 | 1 Dena | 1 H2o | 2021-04-19 | 5.0 MEDIUM | 7.5 HIGH |
| lib/http2/connection.c in H2O before 1.7.3 and 2.x before 2.0.0-beta5 mishandles HTTP/2 disconnection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly execute arbitrary code via a crafted packet. | |||||
| CVE-2016-7835 | 2 Dena, H2o Project | 2 H2o, H2o | 2021-04-19 | 6.4 MEDIUM | 9.1 CRITICAL |
| Use-after-free vulnerability in H2O allows remote attackers to cause a denial-of-service (DoS) or obtain server certificate private keys and possibly other information. | |||||
| CVE-2017-10869 | 1 Dena | 1 H2o | 2021-04-19 | 5.0 MEDIUM | 7.5 HIGH |
| Buffer overflow in H2O version 2.2.2 and earlier allows remote attackers to cause a denial-of-service in the server via unspecified vectors. | |||||
| CVE-2017-10872 | 1 Dena | 1 H2o | 2021-04-19 | 4.0 MEDIUM | 6.5 MEDIUM |
| H2O version 2.2.3 and earlier allows remote attackers to cause a denial of service in the server via unspecified vectors. | |||||
| CVE-2017-10908 | 1 Dena | 1 H2o | 2021-04-19 | 5.0 MEDIUM | 7.5 HIGH |
| H2O version 2.2.3 and earlier allows remote attackers to cause a denial of service in the server via specially crafted HTTP/2 header. | |||||
| CVE-2018-0608 | 1 Dena | 1 H2o | 2021-04-19 | 7.5 HIGH | 9.8 CRITICAL |
| Buffer overflow in H2O version 2.2.4 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (DoS) via unspecified vectors. | |||||
| CVE-2021-25692 | 1 Teradici | 1 Pcoip Connection Manager And Security Gateway | 2021-04-19 | 2.1 LOW | 4.6 MEDIUM |
| Sensitive smart card data is logged in default INFO logs by Teradici's PCoIP Connection Manager and Security Gateway prior to version 21.01.3. | |||||
| CVE-2007-0136 | 1 Drupal | 1 Drupal | 2021-04-19 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) filter and (2) system modules. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2007-0626 | 1 Drupal | 1 Drupal | 2021-04-19 | 6.5 MEDIUM | N/A |
| The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by "normal form validation routines." | |||||
| CVE-2019-6814 | 1 Schneider-electric | 14 Net5500, Net5500 Firmware, Net5501 and 11 more | 2021-04-19 | 7.5 HIGH | 9.8 CRITICAL |
| A CWE-287: Improper Authentication vulnerability exists in the NET55XX Encoder with firmware prior to version 2.1.9.7 which could cause impact to confidentiality, integrity, and availability when a remote attacker crafts a malicious request to the encoder webUI. | |||||
| CVE-2019-6848 | 1 Schneider-electric | 6 Modicon Bmenoc 0311, Modicon Bmenoc 0311 Firmware, Modicon Bmenoc 0321 and 3 more | 2021-04-19 | 5.0 MEDIUM | 8.6 HIGH |
| A CWE-755: Improper Handling of Exceptional Conditions vulnerability exists in Modicon M580 CPU (BMEx58*) and Modicon M580 communication module (BMENOC0311, BMENOC0321) (see notification for version info), which could cause a Denial of Service attack on the PLC when sending specific data on the REST API of the controller/communication module. | |||||
| CVE-2021-25381 | 2 Google, Samsung | 2 Android, Account | 2021-04-19 | 4.6 MEDIUM | 7.8 HIGH |
| Using unsafe PendingIntent in Samsung Account in versions 10.8.0.4 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0) and above allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent. | |||||
| CVE-2019-16935 | 1 Python | 1 Python | 2021-04-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. | |||||
| CVE-2019-6836 | 1 Schneider-electric | 8 Meg6260-0410, Meg6260-0410 Firmware, Meg6260-0415 and 5 more | 2021-04-16 | 5.0 MEDIUM | 7.5 HIGH |
| A CWE-863: Incorrect Authorization vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow the file system to access the wrong file. | |||||
| CVE-2019-6838 | 1 Schneider-electric | 8 Meg6260-0410, Meg6260-0410 Firmware, Meg6260-0415 and 5 more | 2021-04-16 | 5.5 MEDIUM | 6.5 MEDIUM |
| A CWE-863: Incorrect Authorization vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow a user with low privileges to delete a critical file. | |||||
| CVE-2020-16590 | 1 Gnu | 1 Binutils | 2021-04-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| A double free vulnerability exists in the Binary File Descriptor (BFD) (aka libbrd) in GNU Binutils 2.35 in the process_symbol_table, as demonstrated in readelf, via a crafted file. | |||||
| CVE-2020-16591 | 1 Gnu | 1 Binutils | 2021-04-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| A Denial of Service vulnerability exists in the Binary File Descriptor (BFD) in GNU Binutils 2.35 due to an invalid read in process_symbol_table, as demonstrated in readeif. | |||||
| CVE-2020-16593 | 1 Gnu | 1 Binutils | 2021-04-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in scan_unit_for_symbols, as demonstrated in addr2line, that can cause a denial of service via a crafted file. | |||||
| CVE-2020-16599 | 1 Gnu | 1 Binutils | 2021-04-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in _bfd_elf_get_symbol_version_string, as demonstrated in nm-new, that can cause a denial of service via a crafted file. | |||||
| CVE-2020-21087 | 1 X2engine | 1 X2crm | 2021-04-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the "New Name" field of the "Rename a Module" tool. | |||||
| CVE-2020-36120 | 1 Libsixel Project | 1 Libsixel | 2021-04-16 | 5.0 MEDIUM | 7.5 HIGH |
| Buffer Overflow in the "sixel_encoder_encode_bytes" function of Libsixel v1.8.6 allows attackers to cause a Denial of Service (DoS). | |||||
| CVE-2021-24024 | 1 Fortinet | 2 Fortiadc, Fortiadc Manager | 2021-04-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| A clear text storage of sensitive information into log file vulnerability in FortiADCManager 5.3.0 and below, 5.2.1 and below and FortiADC 5.3.7 and below may allow a remote authenticated attacker to read other local users' password in log files. | |||||
| CVE-2021-24226 | 1 Accessally | 1 Accessally | 2021-04-16 | 5.0 MEDIUM | 7.5 HIGH |
| In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the [accessally_order_form] shortcode is dumping serialize($_SERVER), which contains all environment variables. The leakage occurs on all public facing pages containing the [accessally_order_form] shortcode, no login or administrator role is required. | |||||
| CVE-2021-1407 | 1 Cisco | 1 Unified Communications Manager | 2021-04-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an interface user. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by persuading an interface user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | |||||
| CVE-2021-28686 | 1 Asus | 1 Gputweak Ii | 2021-04-16 | 2.1 LOW | 5.5 MEDIUM |
| AsIO2_64.sys and AsIO2_32.sys in ASUS GPUTweak II before 2.3.0.3 allow low-privileged users to trigger a stack-based buffer overflow. This could enable low-privileged users to achieve Denial of Service via a DeviceIoControl. | |||||
| CVE-2021-1409 | 1 Cisco | 3 Unified Communications Manager, Unified Communications Manager Im \& Presence Service, Unity Connection | 2021-04-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an interface user. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by persuading an interface user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | |||||
| CVE-2021-1408 | 1 Cisco | 1 Unified Communications Manager | 2021-04-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an interface user. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by persuading an interface user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | |||||
| CVE-2021-27600 | 1 Sap | 1 Manufacturing Execution | 2021-04-16 | 3.5 LOW | 5.4 MEDIUM |
| SAP Manufacturing Execution (System Rules), versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in Stored Cross-Site Scripting (XSS) vulnerability. The malicious code can be used for different purposes. e.g., information can be read, modified, and sent to the attacker. However, availability of the server cannot be impacted. | |||||
| CVE-2021-27989 | 1 Appspace | 1 Appspace | 2021-04-16 | 3.5 LOW | 5.4 MEDIUM |
| Appspace 6.2.4 is vulnerable to stored cross-site scripting (XSS) in multiple parameters within /medianet/sgcontentset.aspx. | |||||
| CVE-2021-30637 | 1 Htmly | 1 Htmly | 2021-04-16 | 3.5 LOW | 5.4 MEDIUM |
| htmly 2.8.0 allows stored XSS via the blog title, Tagline, or Description to config.html.php. | |||||
| CVE-2021-29999 | 1 Windriver | 1 Vxworks | 2021-04-16 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Wind River VxWorks through 6.8. There is a possible stack overflow in dhcp server. | |||||
| CVE-2013-5957 | 1 Civicrm | 1 Civicrm | 2021-04-16 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in CRM/Core/Page/AJAX/Location.php in CiviCRM before 4.2.12, 4.3.x before 4.3.7, and 4.4.x before 4.4.beta4 allow remote attackers to execute arbitrary SQL commands via the _value parameter to (1) ajax/jqState or (2) ajax/jqcounty. | |||||
| CVE-2017-18279 | 1 Qualcomm | 78 Fsm9055, Fsm9055 Firmware, Fsm9955 and 75 more | 2021-04-16 | 7.2 HIGH | 7.8 HIGH |
| Lack of check of buffer length before copying can lead to buffer overflow in camera module in Small Cell SoC, Snapdragon Mobile, Snapdragon Wear in FSM9055, FSM9955, IPQ4019, IPQ8064, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA9531, QCA9558, QCA9563, QCA9880, QCA9886, QCA9980, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 835, SDM630, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016. | |||||
| CVE-2015-0726 | 1 Cisco | 1 Wireless Lan Controller Software | 2021-04-16 | 6.8 MEDIUM | N/A |
| The web administration interface on Cisco Wireless LAN Controller (WLC) devices before 7.0.241, 7.1.x through 7.4.x before 7.4.122, and 7.5.x and 7.6.x before 7.6.120 allows remote authenticated users to cause a denial of service (device crash) via unspecified parameters, aka Bug IDs CSCum65159 and CSCum65252. | |||||
| CVE-2016-9219 | 1 Cisco | 3 Wireless Lan Controller, Wireless Lan Controller Firmware, Wireless Lan Controller Software | 2021-04-16 | 7.8 HIGH | 7.5 HIGH |
| A vulnerability with IPv6 UDP ingress packet processing in Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to cause an unexpected reload of the device. The vulnerability is due to incomplete IPv6 UDP header validation. An attacker could exploit this vulnerability by sending a crafted IPv6 UDP packet to a specific port on the targeted device. An exploit could allow the attacker to impact the availability of the device as it could unexpectedly reload. This vulnerability affects Cisco Wireless LAN Controller (WLC) running software version 8.2.121.0 or 8.3.102.0. Cisco Bug IDs: CSCva98592. | |||||
| CVE-2015-4215 | 1 Cisco | 1 Wireless Lan Controller Software | 2021-04-16 | 6.1 MEDIUM | N/A |
| Cisco Wireless LAN Controller (WLC) devices with software 7.5(102.0) and 7.6(1.62) allow remote attackers to cause a denial of service (device crash) by triggering an exception during attempted forwarding of unspecified IPv6 packets to a non-IPv6 device, aka Bug ID CSCuj01046. | |||||
| CVE-2015-6314 | 1 Cisco | 1 Wireless Lan Controller Software | 2021-04-16 | 10.0 HIGH | 9.8 CRITICAL |
| Cisco Wireless LAN Controller (WLC) devices with software 7.6.x, 8.0 before 8.0.121.0, and 8.1 before 8.1.131.0 allow remote attackers to change configuration settings via unspecified vectors, aka Bug ID CSCuw06153. | |||||
| CVE-2021-0426 | 1 Google | 1 Android | 2021-04-16 | 4.6 MEDIUM | 7.8 HIGH |
| In parsePrimaryFieldFirstUidAnnotation of LogEvent.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174485572 | |||||
| CVE-2021-0427 | 1 Google | 1 Android | 2021-04-16 | 4.6 MEDIUM | 7.8 HIGH |
| In parseExclusiveStateAnnotation of LogEvent.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174488848 | |||||
| CVE-2021-0429 | 1 Google | 1 Android | 2021-04-16 | 4.6 MEDIUM | 7.8 HIGH |
| In pollOnce of ALooper.cpp, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-175074139 | |||||
| CVE-2021-0431 | 1 Google | 1 Android | 2021-04-16 | 5.0 MEDIUM | 7.5 HIGH |
| In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a paired device with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-174149901 | |||||
| CVE-2021-0432 | 1 Google | 1 Android | 2021-04-16 | 4.4 MEDIUM | 7.0 HIGH |
| In ClearPullerCacheIfNecessary and ForceClearPullerCache of StatsPullerManager.cpp, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-173552790 | |||||
| CVE-2021-0433 | 1 Google | 1 Android | 2021-04-16 | 5.4 MEDIUM | 8.0 HIGH |
| In onCreate of DeviceChooserActivity.java, there is a possible way to bypass user consent when pairing a Bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of privilege and pairing malicious devices with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171221090 | |||||
| CVE-2021-0435 | 1 Google | 1 Android | 2021-04-16 | 5.0 MEDIUM | 7.5 HIGH |
| In avrc_proc_vendor_command of avrc_api.cc, there is a possible leak of heap data due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-174150451 | |||||
| CVE-2021-0436 | 1 Google | 1 Android | 2021-04-16 | 2.1 LOW | 5.5 MEDIUM |
| In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out of bounds read due to integer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-176496160 | |||||
| CVE-2021-0437 | 1 Google | 1 Android | 2021-04-16 | 4.6 MEDIUM | 7.8 HIGH |
| In setPlayPolicy of DrmPlugin.cpp, there is a possible double free. This could lead to local escalation of privilege in a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-176168330 | |||||
| CVE-2021-0438 | 1 Google | 1 Android | 2021-04-16 | 4.4 MEDIUM | 7.8 HIGH |
| In several functions of InputDispatcher.cpp, WindowManagerService.java, and related files, there is a possible tapjacking attack due to an incorrect FLAG_OBSCURED value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10Android ID: A-152064592 | |||||