Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-26705 | 1 Squarebox | 1 Catdv | 2021-03-13 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in SquareBox CatDV Server through 9.2. An attacker can invoke sensitive RMI methods such as getConnections without authentication, the results of which can be used to generate valid authentication tokens. These tokens can then be used to invoke administrative tasks within the application, such as disclosing password hashes. | |||||
| CVE-2021-23352 | 1 Madge Project | 1 Madge | 2021-03-13 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package madge before 4.0.1. It is possible to specify a custom Graphviz path via the graphVizPath option parameter which when the .image(), .svg() or .dot() functions are called, is executed by the childprocess.exec function. | |||||
| CVE-2021-25313 | 1 Rancher | 1 Rancher | 2021-03-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rancher allows remote attackers to execute JavaScript via malicious links. This issue affects: SUSE Rancher Rancher versions prior to 2.5.6. | |||||
| CVE-2021-28115 | 1 Ougc Feedback Project | 1 Ougc Feedback | 2021-03-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| The OUGC Feedback plugin before 1.8.23 for MyBB allows XSS via the comment field of feedback during an edit operation. | |||||
| CVE-2020-6522 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2021-03-12 | 6.8 MEDIUM | 9.6 CRITICAL |
| Inappropriate implementation in external protocol handlers in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | |||||
| CVE-2020-6519 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2021-03-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| Policy bypass in CSP in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||||
| CVE-2020-6516 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2021-03-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| Policy bypass in CORS in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2021-27678 | 1 Batflat | 1 Batflat | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Snippets in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name. | |||||
| CVE-2021-27677 | 1 Batflat | 1 Batflat | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Galleries in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name. | |||||
| CVE-2021-27679 | 1 Batflat | 1 Batflat | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Navigation in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name. | |||||
| CVE-2021-28088 | 1 Impresscms | 1 Impresscms | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) in modules/content/admin/content.php in ImpressCMS profile 1.4.2 allows remote attackers to inject arbitrary web script or HTML parameters through the "Display Name" field. | |||||
| CVE-2021-26788 | 1 Oryx-embedded | 1 Cyclonetcp | 2021-03-12 | 5.0 MEDIUM | 7.5 HIGH |
| Oryx Embedded CycloneTCP 1.7.6 to 2.0.0, fixed in 2.0.2, is affected by incorrect input validation, which may cause a denial of service (DoS). To exploit the vulnerability, an attacker needs to have TCP connectivity to the target system. Receiving a maliciously crafted TCP packet from an unauthenticated endpoint is sufficient to trigger the bug. | |||||
| CVE-2020-4903 | 1 Ibm | 1 Api Connect | 2021-03-12 | 6.4 MEDIUM | 6.5 MEDIUM |
| IBM API Connect V10 and V2018 could allow an attacker who has intercepted a registration invitation link to impersonate the registered user or obtain sensitive information. IBM X-Force ID: 191105. | |||||
| CVE-2020-28150 | 1 Inetsoftware | 1 I-net Clear Reports | 2021-03-12 | 5.8 MEDIUM | 6.1 MEDIUM |
| I-Net Software Clear Reports 20.10.136 web application accepts a user-controlled input that specifies a link to an external site, and uses the user supplied data in a Redirect. | |||||
| CVE-2020-8357 | 1 Lenovo | 1 Pcmanager | 2021-03-12 | 2.1 LOW | 5.5 MEDIUM |
| A denial of service vulnerability was reported in Lenovo PCManager, prior to version 3.0.200.2042, that could allow configuration files to be written to non-standard locations. | |||||
| CVE-2020-23721 | 1 Thedaylightstudio | 1 Fuel Cms | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in FUEL CMS V1.4.7. An attacker can use a XSS payload and bypass a filter via /fuelCM/fuel/pages/edit/1?lang=english. | |||||
| CVE-2020-24791 | 1 Thedaylightstudio | 1 Fuel Cms | 2021-03-12 | 7.5 HIGH | 9.8 CRITICAL |
| FUEL CMS 1.4.8 allows SQL injection via the 'fuel_replace_id' parameter in pages/replace/1. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. | |||||
| CVE-2020-35451 | 1 Apache | 1 Oozie | 2021-03-12 | 1.9 LOW | 4.7 MEDIUM |
| There is a race condition in OozieSharelibCLI in Apache Oozie before version 5.2.1 which allows a malicious attacker to replace the files in Oozie's sharelib during it's creation. | |||||
| CVE-2021-21506 | 1 Dell | 1 Emc Powerscale Onefs | 2021-03-12 | 6.5 MEDIUM | 8.8 HIGH |
| PowerScale OneFS 8.1.2,8.2.2 and 9.1.0 contains an improper input sanitization issue in its API handler. An un-authtenticated with ISI_PRIV_SYS_SUPPORT and ISI_PRIV_LOGIN_PAPI privileges could potentially exploit this vulnerability, leading to potential privileges escalation. | |||||
| CVE-2021-21503 | 1 Dell | 1 Emc Powerscale Onefs | 2021-03-12 | 4.6 MEDIUM | 7.8 HIGH |
| PowerScale OneFS 8.1.2,8.2.2 and 9.1.0 contains an improper input sanitization issue in a command. The Compadmin user could potentially exploit this vulnerability, leading to potential privileges escalation. | |||||
| CVE-2020-28705 | 1 Thedaylightstudio | 1 Fuel Cms | 2021-03-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| FUEL CMS 1.4.13 contains a cross-site request forgery (CSRF) vulnerability that can delete a page via a post ID to /pages/delete/3. | |||||
| CVE-2021-0374 | 1 Google | 1 Android | 2021-03-12 | 2.1 LOW | 4.4 MEDIUM |
| In BnAudioPolicyService::onTransact of IAudioPolicyService.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-169572641 | |||||
| CVE-2021-0375 | 1 Google | 1 Android | 2021-03-12 | 2.1 LOW | 5.5 MEDIUM |
| In onPackageModified of VoiceInteractionManagerService.java, there is a possible change of default applications due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-167261484 | |||||
| CVE-2021-0378 | 1 Google | 1 Android | 2021-03-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| In getNbits of pvmp3_getbits.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-154076193 | |||||
| CVE-2021-21510 | 1 Dell | 1 Idrac8 Firmware | 2021-03-12 | 5.8 MEDIUM | 6.1 MEDIUM |
| Dell iDRAC8 versions prior to 2.75.100.75 contain a host header injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by injecting arbitrary ‘Host’ header values to poison a web-cache or trigger redirections. | |||||
| CVE-2021-0392 | 1 Google | 1 Android | 2021-03-12 | 4.6 MEDIUM | 7.8 HIGH |
| In main of main.cpp, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-9Android ID: A-175124730 | |||||
| CVE-2021-0393 | 1 Google | 1 Android | 2021-03-12 | 6.8 MEDIUM | 7.8 HIGH |
| In Scanner::LiteralBuffer::NewCapacity of scanner.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution if an attacker can supply a malicious PAC file, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-168041375 | |||||
| CVE-2021-0394 | 1 Google | 1 Android | 2021-03-12 | 2.1 LOW | 5.5 MEDIUM |
| In android_os_Parcel_readString8 of android_os_Parcel.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-172655291 | |||||
| CVE-2021-0395 | 1 Google | 1 Android | 2021-03-12 | 4.6 MEDIUM | 7.8 HIGH |
| In StopServicesAndLogViolations of reboot.cpp, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-170315126 | |||||
| CVE-2021-25347 | 1 Google | 1 Android | 2021-03-12 | 4.6 MEDIUM | 5.3 MEDIUM |
| Hijacking vulnerability in Samsung Email application version prior to SMR Feb-2021 Release 1 allows attackers to intercept when the provider is executed. | |||||
| CVE-2021-27907 | 1 Apache | 1 Superset | 2021-03-12 | 3.5 LOW | 5.4 MEDIUM |
| Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. Abusing this functionality, a malicious user could inject javascript code executing unwanted action in the context of the user's browser. The javascript code will be automatically executed (Stored XSS) when a legitimate user surfs on the dashboard page. The vulnerability is exploitable creating a “div” section and embedding in it a “svg” element with javascript code. | |||||
| CVE-2020-6517 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2021-03-12 | 9.3 HIGH | 8.8 HIGH |
| Heap buffer overflow in history in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2020-27574 | 1 Maxum | 1 Rumpus | 2021-03-12 | 6.8 MEDIUM | 8.8 HIGH |
| Maxum Rumpus 8.2.13 and 8.2.14 is affected by cross-site request forgery (CSRF). If an authenticated user visits a malicious page, unintended actions could be performed in the web application as the authenticated user. | |||||
| CVE-2019-19813 | 4 Canonical, Debian, Linux and 1 more | 18 Ubuntu Linux, Debian Linux, Linux Kernel and 15 more | 2021-03-12 | 7.1 HIGH | 5.5 MEDIUM |
| In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c. This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c. | |||||
| CVE-2020-29032 | 1 Secomea | 2 Gatemanager 8250, Gatemanager 8250 Firmware | 2021-03-12 | 6.5 MEDIUM | 7.2 HIGH |
| Upload of Code Without Integrity Check vulnerability in firmware archive of Secomea GateManager allows authenticated attacker to execute malicious code on server. This issue affects: Secomea GateManager all versions prior to 9.4.621054022 | |||||
| CVE-2021-21725 | 1 Zte | 2 Zxhn H196q, Zxhn H196q Firmware | 2021-03-12 | 2.7 LOW | 5.7 MEDIUM |
| A ZTE product has an information leak vulnerability. An attacker with higher authority can go beyond their authority to access files in other directories by performing specific operations, resulting in information leak. This affects: ZXHN H196Q V9.1.0C2. | |||||
| CVE-2020-29020 | 1 Secomea | 2 Sitemanager, Sitemanager Firmware | 2021-03-12 | 6.5 MEDIUM | 7.2 HIGH |
| Improper Access Control vulnerability in web service of Secomea SiteManager allows remote attacker to access the web UI from the internet using the configured credentials. This issue affects: Secomea SiteManager All versions prior to 9.4.620527004 on Hardware. | |||||
| CVE-2021-21354 | 1 Mozilla | 1 Pollbot | 2021-03-12 | 5.8 MEDIUM | 6.1 MEDIUM |
| Pollbot is open source software which "frees its human masters from the toilsome task of polling for the state of things during the Firefox release process." In Pollbot before version 1.4.4 there is an open redirection vulnerability in the path of "https://pollbot.services.mozilla.com/". An attacker can redirect anyone to malicious sites. To Reproduce type in this URL: "https://pollbot.services.mozilla.com//evil.com/". Affected versions will redirect to that website when you inject a payload like "//evil.com/". This is fixed in version 1.4.4. | |||||
| CVE-2020-29029 | 1 Secomea | 1 Gatemanager Firmware | 2021-03-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Improper Input Validation, Cross-site Scripting (XSS) vulnerability in Web GUI of Secomea GateManager allows an attacker to execute arbitrary javascript code. This issue affects: Secomea GateManager all versions prior to 9.4. | |||||
| CVE-2020-29030 | 1 Secomea | 1 Gatemanager Firmware | 2021-03-12 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in web GUI of Secomea GateManager allows an attacker to execute malicious code. This issue affects: Secomea GateManager All versions prior to 9.4. | |||||
| CVE-2021-21335 | 1 Spnego Http Authentication Module Project | 1 Spnego Http Authentication Module | 2021-03-12 | 7.5 HIGH | 9.8 CRITICAL |
| In the SPNEGO HTTP Authentication Module for nginx (spnego-http-auth-nginx-module) before version 1.1.1 basic Authentication can be bypassed using a malformed username. This affects users of spnego-http-auth-nginx-module that have enabled basic authentication. This is fixed in version 1.1.1 of spnego-http-auth-nginx-module. As a workaround, one may disable basic authentication. | |||||
| CVE-2021-26567 | 1 Synology | 7 Diskstation Manager, Diskstation Manager Unified Controller, Skynas and 4 more | 2021-03-12 | 6.5 MEDIUM | 8.8 HIGH |
| Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options. | |||||
| CVE-2021-21362 | 1 Minio | 1 Minio | 2021-03-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO. | |||||
| CVE-2020-15049 | 2 Fedoraproject, Squid-cache | 2 Fedora, Squid | 2021-03-12 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing "+\ "-" or an uncommon shell whitespace character prefix to the length field-value. | |||||
| CVE-2021-21329 | 1 Ratcf | 1 Ratcf | 2021-03-12 | 6.8 MEDIUM | 9.8 CRITICAL |
| RATCF is an open-source framework for hosting Cyber-Security Capture the Flag events. In affected versions of RATCF users with multi factor authentication enabled are able to log in without a valid token. This is fixed in commit cebb67b. | |||||
| CVE-2020-13702 | 1 The Rolling Proximity Identifier Project | 1 The Rolling Proximity Identifier | 2021-03-12 | 6.4 MEDIUM | 10.0 CRITICAL |
| The Rolling Proximity Identifier used in the Apple/Google Exposure Notification API beta through 2020-05-29 enables attackers to circumvent Bluetooth Smart Privacy because there is a secondary temporary UID. An attacker with access to Beacon or IoT networks can seamlessly track individual device movement via a Bluetooth LE discovery mechanism. | |||||
| CVE-2021-0379 | 1 Google | 1 Android | 2021-03-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| In getUpTo17bits of pvmp3_getbits.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-154075955 | |||||
| CVE-2021-0381 | 1 Google | 1 Android | 2021-03-12 | 2.1 LOW | 5.5 MEDIUM |
| In updateNotifications of DeviceStorageMonitorService.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-153466381 | |||||
| CVE-2021-0387 | 1 Google | 1 Android | 2021-03-12 | 6.9 MEDIUM | 6.4 MEDIUM |
| In FindQuotaDeviceForUuid of QuotaUtils.cpp, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-169421939 | |||||
| CVE-2021-0449 | 1 Google | 1 Android | 2021-03-12 | 2.1 LOW | 4.4 MEDIUM |
| In the Titan M chip firmware, there is a possible disclosure of stack memory due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-175117965 | |||||