Total: 201818 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-0356 | 1 Google | 1 Android | 2021-02-23 | 4.6 MEDIUM | 6.7 MEDIUM |
| In netdiag, there is a possible command injection due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11; Patch ID: ALPS05442014. | |||||
| CVE-2021-0357 | 1 Google | 1 Android | 2021-02-23 | 4.6 MEDIUM | 6.7 MEDIUM |
| In netdiag, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11; Patch ID: ALPS05442002. | |||||
| CVE-2021-0358 | 1 Google | 1 Android | 2021-02-23 | 4.6 MEDIUM | 6.7 MEDIUM |
| In netdiag, there is a possible command injection due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11; Patch ID: ALPS05442022. | |||||
| CVE-2021-0359 | 1 Google | 1 Android | 2021-02-23 | 4.6 MEDIUM | 6.7 MEDIUM |
| In netdiag, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11; Patch ID: ALPS05442011. | |||||
| CVE-2021-0360 | 1 Google | 1 Android | 2021-02-23 | 4.6 MEDIUM | 6.7 MEDIUM |
| In netdiag, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11; Patch ID: ALPS05442006. | |||||
| CVE-2021-0349 | 1 Google | 1 Android | 2021-02-23 | 7.2 HIGH | 6.7 MEDIUM |
| In display driver, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-9, Android-10, Android-11; Patch ID: ALPS05362646. | |||||
| CVE-2021-25779 | 1 Baby Care System Project | 1 Baby Care System | 2021-02-23 | 7.5 HIGH | 9.8 CRITICAL |
| Baby Care System v1.0 is vulnerable to SQL injection via the 'id' parameter on the contentsectionpage.php page. | |||||
| CVE-2021-1366 | 1 Cisco | 1 Anyconnect Secure Mobility Client | 2021-02-23 | 6.9 MEDIUM | 7.8 HIGH |
| A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device if the VPN Posture (HostScan) Module is installed on the AnyConnect client. This vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges. To exploit this vulnerability, the attacker needs valid credentials on the Windows system. | |||||
| CVE-2021-1372 | 1 Cisco | 2 Webex Meetings, Webex Meetings Server | 2021-02-23 | 2.1 LOW | 5.5 MEDIUM |
| A vulnerability in Cisco Webex Meetings Desktop App and Webex Productivity Tools for Windows could allow an authenticated, local attacker to gain access to sensitive information on an affected system. This vulnerability is due to the unsafe usage of shared memory by the affected software. An attacker with permissions to view system memory could exploit this vulnerability by running an application on the local system that is designed to read shared memory. A successful exploit could allow the attacker to retrieve sensitive information from the shared memory, including usernames, meeting information, or authentication tokens. Note: To exploit this vulnerability, an attacker must have valid credentials on a Microsoft Windows end-user system and must log in after another user has already authenticated with Webex on the same end-user system. | |||||
| CVE-2020-25605 | 1 Agora | 1 Video Software Development Kit | 2021-02-23 | 4.3 MEDIUM | 5.9 MEDIUM |
| Cleartext transmission of sensitive information in Agora Video SDK prior to 3.1 allows a remote attacker to obtain access to audio and video of any ongoing Agora video call through observation of cleartext network traffic. | |||||
| CVE-2020-8027 | 2 Opensuse, Suse | 3 Leap, Openldap2, Linux Enterprise Server | 2021-02-23 | 4.6 MEDIUM | 6.6 MEDIUM |
| An Insecure Temporary File vulnerability in openldap2 of SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15; openSUSE Leap 15.1, openSUSE Leap 15.2 allows local attackers to overwrite arbitrary files and gain access to the openldap2 configuration. This issue affects: SUSE Linux Enterprise Server 15-LTSS openldap2 versions prior to 2.4.46-9.37.1. SUSE Linux Enterprise Server for SAP 15 openldap2 versions prior to 2.4.46-9.37.1. openSUSE Leap 15.1 openldap2 versions prior to 2.4.46-lp151.10.18.1. openSUSE Leap 15.2 openldap2 versions prior to 2.4.46-lp152.14.9.1. | |||||
| CVE-2021-3375 | 1 Atomisystems | 1 Activepresenter | 2021-02-23 | 7.5 HIGH | 9.8 CRITICAL |
| ActivePresenter 6.1.6 is affected by a memory corruption vulnerability that may result in a denial of service (DoS) or arbitrary code execution. | |||||
| CVE-2021-1416 | 1 Cisco | 1 Identity Services Engine | 2021-02-23 | 4.0 MEDIUM | 4.3 MEDIUM |
| Multiple vulnerabilities in the Admin portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain sensitive information. These vulnerabilities are due to improper enforcement of administrator privilege levels for sensitive data. An attacker with read-only administrator access to the Admin portal could exploit these vulnerabilities by browsing to one of the pages that contains sensitive data. A successful exploit could allow the attacker to collect sensitive information regarding the configuration of the system. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2020-9307 | 1 Belden | 1 Hirschmann Hios | 2021-02-23 | 6.1 MEDIUM | 6.5 MEDIUM |
| Hirschmann OS2, RSP, and RSPE devices before HiOS 08.3.00 allow a denial of service. An unauthenticated, adjacent attacker can cause an infinite loop on one of the HSR ring ports of the device. This effectively breaks the redundancy of the HSR ring. If the attacker can perform the same attack on a second device, the ring is broken into two parts (thus disrupting communication between devices in the different parts). | |||||
| CVE-2021-26697 | 1 Apache | 1 Airflow | 2021-02-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is a low-severity issue, as the attacker needs to be aware of certain parameters to pass to that endpoint and even then can only get some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0. | |||||
| CVE-2021-26559 | 1 Apache | 1 Airflow | 2021-02-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0. | |||||
| CVE-2021-27368 | 1 Monicahq | 1 Monica | 2021-02-23 | 3.5 LOW | 5.4 MEDIUM |
| The Contact page in Monica 2.19.1 allows stored XSS via the First Name field. | |||||
| CVE-2021-27369 | 1 Monicahq | 1 Monica | 2021-02-23 | 3.5 LOW | 5.4 MEDIUM |
| The Contact page in Monica 2.19.1 allows stored XSS via the Middle Name field. | |||||
| CVE-2021-27371 | 1 Monicahq | 1 Monica | 2021-02-23 | 3.5 LOW | 5.4 MEDIUM |
| The Contact page in Monica 2.19.1 allows stored XSS via the Description field. | |||||
| CVE-2021-27559 | 1 Monicahq | 1 Monica | 2021-02-23 | 3.5 LOW | 5.4 MEDIUM |
| The Contact page in Monica 2.19.1 allows stored XSS via the Nickname field. | |||||
| CVE-2021-27367 | 1 Boltcms | 1 Bolt | 2021-02-23 | 5.0 MEDIUM | 7.5 HIGH |
| Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal. | |||||
| CVE-2021-1351 | 1 Cisco | 1 Webex Meetings | 2021-02-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based interface of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of the affected service. The vulnerability is due to insufficient validation of user-supplied input by the web-based interface of the affected service. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2021-26913 | 1 Netmotionsoftware | 1 Netmotion Mobility | 2021-02-23 | 9.3 HIGH | 8.1 HIGH |
| NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in RpcServlet. | |||||
| CVE-2019-8943 | 1 Wordpress | 1 Wordpress | 2021-02-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring. | |||||
| CVE-2021-26912 | 1 Netmotionsoftware | 1 Netmotion Mobility | 2021-02-23 | 9.3 HIGH | 8.1 HIGH |
| NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in SupportRpcServlet. | |||||
| CVE-2014-0364 | 1 Igniterealtime | 1 Smack | 2021-02-23 | 5.0 MEDIUM | N/A |
| The ParseRoster component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify the from attribute of a roster-query IQ stanza, which allows remote attackers to spoof IQ responses via a crafted attribute. | |||||
| CVE-2016-10027 | 2 Fedoraproject, Igniterealtime | 2 Fedora, Smack | 2021-02-23 | 4.3 MEDIUM | 5.9 MEDIUM |
| Race condition in the XMPP library in Smack before 4.1.9, when the SecurityMode.required TLS setting has been set, allows man-in-the-middle attackers to bypass TLS protections and trigger use of cleartext for client authentication by stripping the "starttls" feature from a server response. | |||||
| CVE-2014-0363 | 1 Igniterealtime | 1 Smack | 2021-02-23 | 5.8 MEDIUM | N/A |
| The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain. | |||||
| CVE-2020-35376 | 2 Fedoraproject, Xpdfreader | 2 Fedora, Xpdf | 2021-02-23 | 5.0 MEDIUM | 7.5 HIGH |
| Xpdf 4.02 allows stack consumption because of an incorrect subroutine reference in a Type 1C font charstring, related to the FoFiType1C::getOp() function. | |||||
| CVE-2021-22553 | 1 Google | 1 Gerrit | 2021-02-23 | 5.0 MEDIUM | 7.5 HIGH |
| Any git operation is passed through Jetty and a session is created. No expiry is set for the session and Jetty does not automatically dispose of the session. Over multiple git actions, this can lead to a heap memory exhaustion for Gerrit servers. We recommend upgrading Gerrit to any of the versions listed above. | |||||
| CVE-2019-14923 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 6.5 MEDIUM | 8.8 HIGH |
| EyesOfNetwork 5.1 allows Remote Command Execution via shell metacharacters in the module/tool_all/ host field. | |||||
| CVE-2017-13780 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 5.0 MEDIUM | 7.5 HIGH |
| The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows directory traversal attacks for reading arbitrary files via the module/admin_conf/download.php file parameter. | |||||
| CVE-2017-14118 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 6.5 MEDIUM | 8.8 HIGH |
| In the EyesOfNetwork web interface (aka eonweb) 5.1-0, module\tool_all\tools\interface.php does not properly restrict exec calls, which allows remote attackers to execute arbitrary commands via shell metacharacters in the host_list parameter to module/tool_all/select_tool.php. | |||||
| CVE-2017-14119 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 6.5 MEDIUM | 8.8 HIGH |
| In the EyesOfNetwork web interface (aka eonweb) 5.1-0, module\tool_all\tools\snmpwalk.php does not properly restrict popen calls, which allows remote attackers to execute arbitrary commands via shell metacharacters in a parameter. | |||||
| CVE-2017-14247 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) 5.1-0 via the user_id cookie to header.php, a related issue to CVE-2017-1000060. | |||||
| CVE-2017-14252 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) 5.1-0 via the group_id cookie to side.php. | |||||
| CVE-2017-14401 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 7.5 HIGH | 9.8 CRITICAL |
| The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the user_name parameter to module/admin_user/add_modify_user.php in the "ACCOUNT UPDATE" section. | |||||
| CVE-2017-14402 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 7.5 HIGH | 9.8 CRITICAL |
| The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the user_name parameter to module/admin_user/add_modify_user.php in the "ACCOUNT CREATION" section, related to lack of input validation in include/function.php. | |||||
| CVE-2017-14403 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 7.5 HIGH | 9.8 CRITICAL |
| The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the term parameter to module/admin_group/search.php. | |||||
| CVE-2017-14404 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 5.0 MEDIUM | 7.5 HIGH |
| The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows local file inclusion via the tool_list parameter (aka the url_tool variable) to module/tool_all/select_tool.php, as demonstrated by a tool_list=php://filter/ substring. | |||||
| CVE-2017-14405 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 6.5 MEDIUM | 7.2 HIGH |
| The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote command execution via shell metacharacters in a hosts_cacti array parameter to module/admin_device/index.php. | |||||
| CVE-2017-14753 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated users to inject arbitrary web script or HTML via the filter parameter to module/module_filters/index.php. | |||||
| CVE-2017-14983 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to inject arbitrary web script or HTML via the object parameter to module/admin_conf/index.php. | |||||
| CVE-2017-14984 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated users to inject arbitrary web script or HTML via the bp_name parameter to /module/admin_bp/add_services.php. | |||||
| CVE-2017-14985 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated users to inject arbitrary web script or HTML via the url parameter to module/module_frame/index.php. | |||||
| CVE-2017-15188 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 3.5 LOW | 4.8 MEDIUM |
| A persistent (stored) XSS vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to inject arbitrary web script or HTML via the hosts array parameter to module/admin_device/index.php. | |||||
| CVE-2017-15880 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 6.5 MEDIUM | 7.2 HIGH |
| SQL injection vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to execute arbitrary SQL commands via the group_name parameter to module/admin_group/add_modify_group.php (for insert_group and update_group). | |||||
| CVE-2017-15933 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 6.5 MEDIUM | 7.2 HIGH |
| SQL injection vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to execute arbitrary SQL commands via the host parameter to module/capacity_per_device/index.php. | |||||
| CVE-2017-16000 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-23 | 6.5 MEDIUM | 7.2 HIGH |
| SQL injection vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to execute arbitrary SQL commands via the graph parameter to module/capacity_per_label/index.php. | |||||
| CVE-2020-24481 | 1 Intel | 1 Quartus | 2021-02-23 | 4.6 MEDIUM | 7.8 HIGH |
| Insecure inherited permissions for the Intel(R) Quartus Prime Pro and Standard edition software may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
