Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-26681 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2021-03-01 | 9.0 HIGH | 7.2 HIGH |
| A remote authenticated command Injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass CLI could allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. | |||||
| CVE-2021-26593 | 1 Rangerstudio | 1 Directus | 2021-03-01 | 5.0 MEDIUM | 7.5 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/{id}. For each call, they get in response a lot of information about the user (such as email address, first name, and last name) but also the secret for 2FA if one exists. This secret can be regenerated. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2021-26594 | 1 Rangerstudio | 1 Directus | 2021-03-01 | 6.5 MEDIUM | 8.8 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** In Directus 8.x through 8.8.1, an attacker can switch to the administrator role (via the PATCH method) without any control by the back end. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2021-26595 | 1 Rangerstudio | 1 Directus | 2021-03-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** In Directus 8.x through 8.8.1, an attacker can learn sensitive information such as the version of the CMS, the PHP version used by the site, and the name of the DBMS, simply by view the result of the api-aa, called automatically upon a connection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2021-27583 | 1 Rangerstudio | 1 Directus | 2021-03-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** In Directus 8.x through 8.8.1, an attacker can discover whether a user is present in the database through the password reset feature. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2019-18946 | 1 Microfocus | 1 Solutions Business Manager | 2021-03-01 | 3.8 LOW | 4.8 MEDIUM |
| Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to session fixation. | |||||
| CVE-2021-20656 | 1 Contec | 2 Sv-cpt-mc310, Sv-cpt-mc310 Firmware | 2021-03-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| Exposure of information through directory listing in SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an authenticated attacker to obtain the information inside the system, such as directories and/or file configurations via unspecified vectors. | |||||
| CVE-2019-18943 | 1 Microfocus | 1 Solutions Business Manager | 2021-03-01 | 5.2 MEDIUM | 8.0 HIGH |
| Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to XML External Entity Processing (XXE) on certain operations. | |||||
| CVE-2020-4931 | 1 Ibm | 1 Mq | 2021-03-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM MQ 9.1 LTS, 9.2 LTS, and 9.1 CD AMQP Channels could allow an authenticated user to cause a denial of service due to an issue processing messages. IBM X-Force ID: 191747. | |||||
| CVE-2021-20658 | 1 Contec | 2 Sv-cpt-mc310, Sv-cpt-mc310 Firmware | 2021-03-01 | 10.0 HIGH | 9.8 CRITICAL |
| SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an attacker to execute arbitrary OS commands with the web server privilege via unspecified vectors. | |||||
| CVE-2019-18942 | 1 Microfocus | 1 Solutions Business Manager | 2021-03-01 | 2.3 LOW | 4.8 MEDIUM |
| Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to stored XSS. The application reflects previously stored user input without encoding. | |||||
| CVE-2019-18944 | 1 Microfocus | 1 Solutions Business Manager | 2021-03-01 | 2.3 LOW | 4.8 MEDIUM |
| Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to reflected XSS. | |||||
| CVE-2021-21323 | 1 Brave | 1 Brave | 2021-03-01 | 4.3 MEDIUM | 5.3 MEDIUM |
| Brave is an open source web browser with a focus on privacy and security. In Brave versions 1.17.73-1.20.103, the CNAME adblocking feature added in Brave 1.17.73 accidentally initiated DNS requests that bypassed the Brave Tor proxy. Users with adblocking enabled would leak DNS requests from Tor windows to their DNS provider. (DNS requests that were not initiated by CNAME adblocking would go through Tor as expected.) This is fixed in Brave version 1.20.108 | |||||
| CVE-2021-20659 | 1 Contec | 2 Sv-cpt-mc310, Sv-cpt-mc310 Firmware | 2021-03-01 | 6.5 MEDIUM | 8.8 HIGH |
| SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an authenticated attacker to upload arbitrary files via unspecified vectors. If the file is PHP script, an attacker may execute arbitrary code. | |||||
| CVE-2020-11203 | 1 Qualcomm | 286 Apq8009w, Apq8009w Firmware, Apq8064au and 283 more | 2021-03-01 | 3.6 LOW | 7.1 HIGH |
| Stack overflow may occur if GSM/WCDMA broadcast config size received from user is larger than variable length array in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | |||||
| CVE-2021-20660 | 1 Contec | 2 Sv-cpt-mc310, Sv-cpt-mc310 Firmware | 2021-03-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2021-20661 | 1 Contec | 2 Sv-cpt-mc310, Sv-cpt-mc310 Firmware | 2021-03-01 | 5.5 MEDIUM | 8.1 HIGH |
| Directory traversal vulnerability in SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows authenticated attackers to delete arbitrary files and/or directories on the server via unspecified vectors. | |||||
| CVE-2021-20662 | 1 Contec | 2 Sv-cpt-mc310, Sv-cpt-mc310 Firmware | 2021-03-01 | 5.0 MEDIUM | 7.5 HIGH |
| Missing authentication for critical function in SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an attacker to alter the setting information without the access privileges via unspecified vectors. | |||||
| CVE-2021-27509 | 1 Visualware | 1 Myconnection Server | 2021-03-01 | 5.0 MEDIUM | 7.5 HIGH |
| In Visualware MyConnection Server before 11.0b build 5382, each published report is not associated with its own access code. | |||||
| CVE-2020-24393 | 1 Tweetstream Project | 1 Tweetstream | 2021-03-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| TweetStream 2.6.1 uses the library eventmachine in an insecure way that does not have TLS hostname validation. This allows an attacker to perform a man-in-the-middle attack. | |||||
| CVE-2021-22882 | 1 Ui | 4 Unifi Cloud Key Plus, Unifi Dream Machine Pro, Unifi Network Video Recorder and 1 more | 2021-02-27 | 5.0 MEDIUM | 7.5 HIGH |
| UniFi Protect before v1.17.1 allows an attacker to use spoofed cameras to perform a denial-of-service attack that may cause the UniFi Protect controller to crash. | |||||
| CVE-2020-7846 | 1 Cnesty | 1 Helpcom | 2021-02-27 | 6.8 MEDIUM | 8.8 HIGH |
| Helpcom before v10.0 contains a file download and execution vulnerability caused by storing hardcoded cryptographic key. It finally leads to a file download and execution via access to crafted web page. | |||||
| CVE-2021-21616 | 1 Jenkins | 1 Active Choices | 2021-02-27 | 3.5 LOW | 4.6 MEDIUM |
| Jenkins Active Choices Plugin 2.5.2 and earlier does not escape reference parameter values, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2021-21618 | 1 Jenkins | 1 Repository Connector | 2021-02-27 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2021-21619 | 1 Jenkins | 1 Claim | 2021-02-27 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Claim Plugin 2.18.1 and earlier does not escape the user display name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins. | |||||
| CVE-2021-21621 | 1 Jenkins | 1 Support Core | 2021-02-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| Jenkins Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information, which can include the session ID of the user creating the support bundle in some configurations. | |||||
| CVE-2021-21622 | 1 Jenkins | 1 Artifact Repository Parameter | 2021-02-27 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2020-11223 | 1 Qualcomm | 404 Aqt1000, Aqt1000 Firmware, Pm3003a and 401 more | 2021-02-27 | 7.2 HIGH | 7.8 HIGH |
| Out of bound in camera driver due to lack of check of validation of array index before copying into array in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | |||||
| CVE-2021-26683 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2021-02-27 | 9.0 HIGH | 7.2 HIGH |
| A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. | |||||
| CVE-2021-20252 | 1 Redhat | 1 3scale Api Management | 2021-02-27 | 6.8 MEDIUM | 6.5 MEDIUM |
| A flaw was found in Red Hat 3scale API Management Platform 2. The 3scale backend does not perform preventive handling on user-requested date ranges in certain queries allowing a malicious authenticated user to submit a request with a sufficiently large date range to eventually yield an internal server error resulting in denial of service. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2021-20198 | 1 Redhat | 1 Openshift Installer | 2021-02-27 | 6.8 MEDIUM | 8.1 HIGH |
| A flaw was found in the OpenShift Installer before version v0.9.0-master.0.20210125200451-95101da940b0. During installation of OpenShift Container Platform 4 clusters, bootstrap nodes are provisioned with anonymous authentication enabled on kubelet port 10250. A remote attacker able to reach this port during installation can make unauthenticated `/exec` requests to execute arbitrary commands within running containers. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |||||
| CVE-2020-27782 | 1 Redhat | 3 Jboss Fuse, Openshift Application Runtimes, Undertow | 2021-02-27 | 7.8 HIGH | 7.5 HIGH |
| A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affects Undertow 2.1.5.SP1, 2.0.33.SP2, and 2.2.3.SP1. | |||||
| CVE-2021-26684 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2021-02-27 | 9.0 HIGH | 7.2 HIGH |
| A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. | |||||
| CVE-2021-3252 | 1 Kaco-newenergy | 2 Xp100u, Xp100u Firmware | 2021-02-27 | 5.0 MEDIUM | 7.5 HIGH |
| KACO New Energy XP100U Up to XP-JAVA 2.0 is affected by incorrect access control. Credentials will always be returned in plain-text from the local server during the KACO XP100U authentication process, regardless of whatever passwords have been provided, which leads to an information disclosure vulnerability. | |||||
| CVE-2021-25630 | 1 Collaboraoffice | 1 Online | 2021-02-27 | 7.2 HIGH | 7.8 HIGH |
| "loolforkit" is a privileged program that is supposed to be run by a special, non-privileged "lool" user. Before doing anything else "loolforkit" checks, if it was invoked by the "lool" user, and refuses to run with privileges, if it's not the case. In the vulnerable version of "loolforkit" this check was wrong, so a normal user could start "loolforkit" and eventually get local root privileges. | |||||
| CVE-2021-20256 | 1 Redhat | 1 Satellite | 2021-02-27 | 4.6 MEDIUM | 5.3 MEDIUM |
| A flaw was found in Red Hat Satellite. The BMC interface exposes the password through the API to an authenticated local attacker with view_hosts permission. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |||||
| CVE-2020-7847 | 1 Iptime | 18 Nas-i, Nas-i Firmware, Nas-ii and 15 more | 2021-02-27 | 5.2 MEDIUM | 8.0 HIGH |
| The ipTIME NAS product allows an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. This issue affects: pTIME NAS 1.4.36. | |||||
| CVE-2020-16243 | 1 We-con | 1 Levistudiou | 2021-02-27 | 6.8 MEDIUM | 7.8 HIGH |
| Multiple buffer overflow vulnerabilities exist when LeviStudioU (Version 2019-09-21 and prior) processes project files. Opening a specially crafted project file could allow an attacker to exploit and execute code under the privileges of the application. | |||||
| CVE-2020-25161 | 1 Advantech | 1 Webaccess\/scada | 2021-02-27 | 6.5 MEDIUM | 8.8 HIGH |
| The WADashboard component of WebAccess/SCADA Versions 9.0 and prior may allow an attacker to control or influence a path used in an operation on the filesystem and remotely execute code as an administrator. | |||||
| CVE-2020-24175 | 1 Yz1 | 1 Yz1 | 2021-02-27 | 6.8 MEDIUM | 7.8 HIGH |
| Buffer overflow in Yz1 0.30 and 0.32, as used in IZArc 4.4, ZipGenius 6.3.2.3116, and Explzh (extension) 8.14, allows attackers to execute arbitrary code via a crafted archive file, related to filename handling. | |||||
| CVE-2014-2323 | 4 Debian, Lighttpd, Opensuse and 1 more | 5 Debian Linux, Lighttpd, Opensuse and 2 more | 2021-02-26 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname. | |||||
| CVE-2020-8902 | 1 Google | 1 Rendertron | 2021-02-26 | 4.0 MEDIUM | 4.3 MEDIUM |
| Rendertron versions prior to 3.0.0 are are susceptible to a Server-Side Request Forgery (SSRF) attack. An attacker can use a specially crafted webpage to force a rendertron headless chrome process to render internal sites it has access to, and display it as a screenshot. Suggested mitigations are to upgrade your rendertron to version 3.0.0, or, if you cannot update, to secure the infrastructure to limit the headless chrome's access to your internal domain. | |||||
| CVE-2021-21617 | 1 Jenkins | 1 Configuration Slicing | 2021-02-26 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Configuration Slicing Plugin 1.51 and earlier allows attackers to apply different slice configurations. | |||||
| CVE-2021-21620 | 1 Jenkins | 1 Claim | 2021-02-26 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Claim Plugin 2.18.1 and earlier allows attackers to change claims. | |||||
| CVE-2020-35852 | 1 Getgist | 1 Chatbox | 2021-02-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Chatbox is affected by cross-site scripting (XSS). An attacker has to upload any XSS payload with SVG, XML file in Chatbox. There is no restriction on file upload in Chatbox which leads to stored XSS. | |||||
| CVE-2014-6287 | 1 Rejetto | 1 Http File Server | 2021-02-26 | 10.0 HIGH | 9.8 CRITICAL |
| The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action. | |||||
| CVE-2020-22475 | 1 Tasks | 1 Tasks | 2021-02-26 | 4.6 MEDIUM | 6.8 MEDIUM |
| "Tasks" application version before 9.7.3 is affected by insecure permissions. The VoiceCommandActivity application component allows arbitrary applications on a device to add tasks with no restrictions. | |||||
| CVE-2021-26682 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2021-02-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| A remote reflected cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the guest portal interface of ClearPass could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the portal. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the guest portal interface. | |||||
| CVE-2020-13697 | 1 Nanohttpd | 1 Nanohttpd | 2021-02-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in RouterNanoHTTPD.java in NanoHTTPD through 2.3.1. The GeneralHandler class implements a basic GET handler that prints debug information as an HTML page. Any web server that extends this class without implementing its own GET handler is vulnerable to reflected XSS, because the GeneralHandler GET handler prints user input passed through the query string without any sanitization. | |||||
| CVE-2021-26686 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2021-02-26 | 5.5 MEDIUM | 6.5 MEDIUM |
| A remote authenticated SQL Injection vulnerabilitiy was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the web-based management interface API of ClearPass could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass instance. An attacker could exploit this vulnerability to obtain and modify sensitive information in the underlying database. | |||||