Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-25915 | 1 Changeset Project | 1 Changeset | 2021-03-17 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in 'changeset' versions 0.0.1 through 0.2.5 allows an attacker to cause a denial of service and may lead to remote code execution. | |||||
| CVE-2018-17254 | 1 Arkextensions | 1 Jck Editor | 2021-03-17 | 7.5 HIGH | 9.8 CRITICAL |
| The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter. | |||||
| CVE-2021-20670 | 1 Weseek | 1 Growi | 2021-03-17 | 5.0 MEDIUM | 7.5 HIGH |
| Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to read the user's personal information and/or server's internal information via unspecified vectors. | |||||
| CVE-2021-20669 | 1 Weseek | 1 Growi | 2021-03-17 | 6.5 MEDIUM | 4.7 MEDIUM |
| Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read and/or delete an arbitrary path via a specially crafted URL. | |||||
| CVE-2021-21488 | 1 Sap | 1 Netweaver Knowledge Management | 2021-03-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| Knowledge Management versions 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 allows a remote attacker with basic privileges to deserialize user-controlled data without verification, leading to insecure deserialization which triggers the attacker’s code, therefore impacting Availability. | |||||
| CVE-2021-20673 | 1 Weseek | 1 Growi | 2021-03-17 | 3.5 LOW | 4.8 MEDIUM |
| Stored cross-site scripting vulnerability in Admin Page of GROWI (v4.2 Series) versions from v4.2.0 to v4.2.7 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2020-5016 | 1 Ibm | 1 Websphere Application Server | 2021-03-17 | 3.5 LOW | 6.5 MEDIUM |
| IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. When application security is disabled and JAX-RPC applications are present, an attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary xml files on the system. This does not occur if Application security is enabled. IBM X-Force ID: 193556. | |||||
| CVE-2021-3310 | 1 Westerndigital | 9 My Cloud Dl2100, My Cloud Dl4100, My Cloud Ex2100 and 6 more | 2021-03-17 | 4.6 MEDIUM | 7.8 HIGH |
| Western Digital My Cloud OS 5 devices before 5.10.122 mishandle Symbolic Link Following on SMB and AFP shares. This can lead to code execution and information disclosure (by reading local files). | |||||
| CVE-2021-20671 | 1 Weseek | 1 Growi | 2021-03-17 | 6.5 MEDIUM | 7.2 HIGH |
| Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative privilege to overwrite the files on the server, which may lead to arbitrary code execution. | |||||
| CVE-2014-1520 | 3 Fedoraproject, Microsoft, Mozilla | 4 Fedora, Windows, Firefox and 1 more | 2021-03-17 | 6.9 MEDIUM | N/A |
| maintenservice_installer.exe in the Maintenance Service Installer in Mozilla Firefox before 29.0 and Firefox ESR 24.x before 24.5 on Windows allows local users to gain privileges by placing a Trojan horse DLL file into a temporary directory at an unspecified point in the update process. | |||||
| CVE-2020-17519 | 1 Apache | 1 Flink | 2021-03-17 | 5.0 MEDIUM | 7.5 HIGH |
| A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master. | |||||
| CVE-2020-35231 | 1 Netgear | 4 Gs116e, Gs116e Firmware, Jgs516pe and 1 more | 2021-03-17 | 8.3 HIGH | 8.8 HIGH |
| The NSDP protocol implementation on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices was affected by an authentication issue that allows an attacker to bypass access controls and obtain full control of the device. | |||||
| CVE-2021-20440 | 1 Ibm | 1 Api Connect | 2021-03-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM API Connect 10.0.0.0, and 2018.4.1.0 through 2018.4.1.13 does not restrict member registration to the intended recepient. An attacker who is a valid user in the user registry used by API Manager can use a stolen invitation link and register themselves as a member of an API provider organization. IBM X-Force ID: 196536. | |||||
| CVE-2020-4184 | 1 Ibm | 1 Security Guardium | 2021-03-17 | 7.5 HIGH | 7.3 HIGH |
| IBM Security Guardium 11.2 performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. IBM X-Force ID: 174802.. | |||||
| CVE-2020-15810 | 5 Canonical, Debian, Fedoraproject and 2 more | 5 Ubuntu Linux, Debian Linux, Fedora and 2 more | 2021-03-17 | 3.5 LOW | 6.5 MEDIUM |
| An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source. When configured for relaxed header parsing (the default), Squid relays headers containing whitespace characters to upstream servers. When this occurs as a prefix to a Content-Length header, the frame length specified will be ignored by Squid (allowing for a conflicting length to be used from another Content-Length header) but relayed upstream. | |||||
| CVE-2020-14358 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2021-20200 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2020-29045 | 1 Fivestarplugins | 1 Five Star Restaurant Menu | 2021-03-17 | 7.5 HIGH | 9.8 CRITICAL |
| The food-and-drink-menu plugin through 2.2.0 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the fdm_cart cookie in load_cart_from_cookie in includes/class-cart-manager.php. | |||||
| CVE-2020-8022 | 3 Apache, Opensuse, Suse | 6 Tomcat, Leap, Enterprise Storage and 3 more | 2021-03-17 | 7.2 HIGH | 7.8 HIGH |
| A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1. | |||||
| CVE-2021-0215 | 1 Juniper | 1 Junos | 2021-03-17 | 2.9 LOW | 6.5 MEDIUM |
| On Juniper Networks Junos EX series, QFX Series, MX Series and SRX branch series devices, a memory leak occurs every time the 802.1X authenticator port interface flaps which can lead to other processes, such as the pfex process, responsible for packet forwarding, to crash and restart. An administrator can use the following CLI command to monitor the status of memory consumption: user@device> show task memory detail Please refer to https://kb.juniper.net/KB31522 for details. This issue affects Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D54; 15.1X49 versions prior to 15.1X49-D240 ; 15.1X53 versions prior to 15.1X53-D593; 16.1 versions prior to 16.1R7-S8; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2; 18.1 versions prior to 18.1R3-S10 ; 18.2 versions prior to 18.2R2-S7, 18.2R3-S3; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2; 18.4 versions prior to 18.4R1-S7, 18.4R2-S4, 18.4R3-S2; 19.1 versions prior to 19.1R1-S5, 19.1R2-S2, 19.1R3; 19.2 versions prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S3, 19.3R3; 19.4 versions prior to 19.4R1-S2, 19.4R2. This issue does not affect Juniper Networks Junos OS 12.3, 15.1. | |||||
| CVE-2020-15991 | 4 Debian, Fedoraproject, Google and 1 more | 4 Debian Linux, Fedora, Chrome and 1 more | 2021-03-17 | 6.8 MEDIUM | 8.8 HIGH |
| Use after free in password manager in Google Chrome prior to 86.0.4240.75 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | |||||
| CVE-2021-21324 | 1 Glpi-project | 1 Glpi | 2021-03-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object Reference (IDOR) on "Solutions". This vulnerability gives an unauthorized user the ability to enumerate GLPI items names (including users logins) using the knowbase search form (requires authentication). To Reproduce: Perform a valid authentication at your GLPI instance, Browse the ticket list and select any open ticket, click on Solution form, then Search a solution form that will redirect you to the endpoint /"glpi/front/knowbaseitem.php?item_itemtype=Ticket&item_items_id=18&forcetab=Knowbase$1", and the item_itemtype=Ticket parameter present in the previous URL will point to the PHP alias of glpi_tickets table, so just replace it with "Users" to point to glpi_users table instead; in the same way, item_items_id=18 will point to the related column id, so changing it too you should be able to enumerate all the content which has an alias. Since such id(s) are obviously incremental, a malicious party could exploit the vulnerability simply by guessing-based attempts. | |||||
| CVE-2021-27257 | 1 Netgear | 86 Br200, Br200 Firmware, Br500 and 83 more | 2021-03-17 | 3.3 LOW | 6.5 MEDIUM |
| This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloading of files via FTP. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-12362. | |||||
| CVE-2021-20336 | 1 Ibm | 1 Tivoli Netcool\/omnibus Webgui | 2021-03-17 | 3.5 LOW | 5.4 MEDIUM |
| IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2020-15281 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15282 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15285 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15286 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15287 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15288 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15289 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15290 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15291 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15295 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15296 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15298 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15728 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15736 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15737 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15738 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15740 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15741 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15743 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15745 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15746 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15747 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15748 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15749 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15750 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||
| CVE-2020-15751 | 2021-03-17 | N/A | N/A | ||
| ** REJECT ** Unused CVE for 2020. | |||||