Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-14210 | 1 Monitorapp | 2 Application Insight Web Application, Web Application Firewall | 2021-02-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected Cross-Site Scripting (XSS) vulnerability in MONITORAPP WAF in which script can be executed when responding to Request URL information. It provides a function to response to Request URL information when blocking. | |||||
| CVE-2021-22973 | 1 F5 | 10 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 7 more | 2021-02-18 | 5.0 MEDIUM | 7.5 HIGH |
| On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x versions, JSON parser function does not protect against out-of-bounds memory accesses or writes. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. | |||||
| CVE-2021-22504 | 1 Microfocus | 1 Operations Bridge Manager | 2021-02-18 | 10.0 HIGH | 9.8 CRITICAL |
| Arbitrary code execution vulnerability on Micro Focus Operations Bridge Manager product, affecting versions 10.1x, 10.6x, 2018.05, 2018.11, 2019.05, 2019.11, 2020.05, 2020.10. The vulnerability could allow remote attackers to execute arbitrary code on an OBM server. | |||||
| CVE-2021-20650 | 1 Elecom | 2 Ncc-ewf100rmwh2, Ncc-ewf100rmwh2 Firmware | 2021-02-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in ELECOM NCC-EWF100RMWH2 allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via unspecified vector. As a result, the device settings may be altered and/or telnet daemon may be started. | |||||
| CVE-2020-16144 | 1 Owncloud | 1 Files Antivirus | 2021-02-18 | 3.5 LOW | 5.7 MEDIUM |
| When using an object storage like S3 as the file store, when a user creates a public link to a folder where anonymous users can upload files, and another user uploads a virus the files antivirus app would detect the virus but fails to delete it due to permission issues. This affects the files_antivirus component versions before 0.15.2 for ownCloud. | |||||
| CVE-2021-22983 | 1 F5 | 1 Big-ip Advanced Firewall Manager | 2021-02-18 | 3.5 LOW | 5.4 MEDIUM |
| On BIG-IP AFM version 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.5, authenticated users accessing the Configuration utility for AFM are vulnerable to a cross-site scripting attack if they attempt to access a maliciously-crafted URL. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. | |||||
| CVE-2021-22977 | 1 F5 | 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 11 more | 2021-02-18 | 5.0 MEDIUM | 7.5 HIGH |
| On BIG-IP version 16.0.0-16.0.1 and 14.1.2.4-14.1.3, cooperation between malicious HTTP client code and a malicious server may cause TMM to restart and generate a core file. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. | |||||
| CVE-2020-29142 | 1 Open-emr | 1 Openemr | 2021-02-18 | 6.5 MEDIUM | 7.2 HIGH |
| A SQL injection vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the schedule_facility parameter when restrict_user_facility=on is in global settings. | |||||
| CVE-2020-29027 | 1 Secomea | 18 Sitemanager 1129, Sitemanager 1129 Firmware, Sitemanager 1139 and 15 more | 2021-02-18 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in GUI of Secomea SiteManager could allow an attacker to cause an XSS Attack. This issue affects: Secomea SiteManager all versions prior to 9.3. | |||||
| CVE-2021-20651 | 1 Elecom | 1 File Manager | 2021-02-18 | 6.4 MEDIUM | 9.1 CRITICAL |
| Directory traversal vulnerability in ELECOM File Manager all versions allows remote attackers to create an arbitrary file or overwrite an existing file in a directory which can be accessed with the application privileges via unspecified vectors. | |||||
| CVE-2021-22984 | 1 F5 | 2 Big-ip Advanced Web Application Firewall, Big-ip Application Security Manager | 2021-02-18 | 5.8 MEDIUM | 6.1 MEDIUM |
| On BIG-IP Advanced WAF and ASM version 15.1.x before 15.1.0.2, 15.0.x before 15.0.1.4, 14.1.x before 14.1.2.5, 13.1.x before 13.1.3.4, 12.1.x before 12.1.5.2, and 11.6.x before 11.6.5.2, when receiving a unauthenticated client request with a maliciously crafted URI, a BIG-IP Advanced WAF or ASM virtual server configured with a DoS profile with Proactive Bot Defense (versions prior to 14.1.0), or a Bot Defense profile (versions 14.1.0 and later), may subject clients and web servers to Open Redirection attacks. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. | |||||
| CVE-2020-7848 | 1 Iptime | 2 C200, C200 Firmware | 2021-02-18 | 7.7 HIGH | 8.0 HIGH |
| The EFM ipTIME C200 IP Camera is affected by a Command Injection vulnerability in /login.cgi?logout=1 script. To exploit this vulnerability, an attacker can send a GET request that executes arbitrary OS commands via cookie value. | |||||
| CVE-2020-36003 | 1 Online Book Store Project | 1 Online Book Store | 2021-02-18 | 5.0 MEDIUM | 7.5 HIGH |
| The id parameter in detail.php of Online Book Store v1.0 is vulnerable to union-based blind SQL injection, which leads to the ability to retrieve all databases. | |||||
| CVE-2021-26955 | 1 Xcb Project | 1 Xcb | 2021-02-18 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the xcb crate through 2021-02-04 for Rust. It has a soundness violation because xcb::xproto::GetAtomNameReply::name() calls std::str::from_utf8_unchecked() on unvalidated bytes from an X server. | |||||
| CVE-2020-27994 | 1 Solarwinds | 1 Serv-u | 2021-02-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| SolarWinds Serv-U before 15.2.2 allows Authenticated Directory Traversal. | |||||
| CVE-2021-26956 | 1 Xcb Project | 1 Xcb | 2021-02-18 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the xcb crate through 2021-02-04 for Rust. It has a soundness violation because bytes from an X server can be interpreted as any data type returned by xcb::xproto::GetPropertyReply::value. | |||||
| CVE-2018-18508 | 2 Mozilla, Siemens | 17 Network Security Services, Ruggedcom Rox Mx5000, Ruggedcom Rox Mx5000 Firmware and 14 more | 2021-02-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| In Network Security Services (NSS) before 3.36.7 and before 3.41.1, a malformed signature can cause a crash due to a null dereference, resulting in a Denial of Service. | |||||
| CVE-2021-26957 | 1 Xcb Project | 1 Xcb | 2021-02-18 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the xcb crate through 2021-02-04 for Rust. It has a soundness violation because there is an out-of-bounds read in xcb::xproto::change_property(), as demonstrated by a format=32 T=u8 situation where out-of-bounds bytes are sent to an X server. | |||||
| CVE-2021-26958 | 1 Xcb Project | 1 Xcb | 2021-02-18 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in the xcb crate through 2021-02-04 for Rust. It has a soundness violation because transmutation to the wrong type can happen after xcb::base::cast_event uses std::mem::transmute to return a reference to an arbitrary type. | |||||
| CVE-2016-2147 | 3 Busybox, Canonical, Debian | 3 Busybox, Ubuntu Linux, Debian Linux | 2021-02-18 | 5.0 MEDIUM | 7.5 HIGH |
| Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. | |||||
| CVE-2017-15873 | 3 Busybox, Canonical, Debian | 3 Busybox, Ubuntu Linux, Debian Linux | 2021-02-18 | 4.3 MEDIUM | 5.5 MEDIUM |
| The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation. | |||||
| CVE-2018-1000517 | 3 Busybox, Canonical, Debian | 3 Busybox, Ubuntu Linux, Debian Linux | 2021-02-18 | 7.5 HIGH | 9.8 CRITICAL |
| BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. | |||||
| CVE-2020-35729 | 1 Klogserver | 1 Klog Server | 2021-02-18 | 10.0 HIGH | 9.8 CRITICAL |
| KLog Server 2.4.1 allows OS command injection via shell metacharacters in the actions/authenticate.php user parameter. | |||||
| CVE-2020-11947 | 1 Qemu | 1 Qemu | 2021-02-18 | 2.1 LOW | 3.8 LOW |
| iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker. | |||||
| CVE-2020-26233 | 1 Microsoft | 1 Git Credential Manager Core | 2021-02-18 | 3.6 LOW | 7.3 HIGH |
| Git Credential Manager Core (GCM Core) is a secure Git credential helper built on .NET Core that runs on Windows and macOS. In Git Credential Manager Core before version 2.0.289, when recursively cloning a Git repository on Windows with submodules, Git will first clone the top-level repository and then recursively clone all submodules by starting new Git processes from the top-level working directory. If a malicious git.exe executable is present in the top-level repository then this binary will be started by Git Credential Manager Core when attempting to read configuration, and not git.exe as found on the %PATH%. This only affects GCM Core on Windows, not macOS or Linux-based distributions. GCM Core version 2.0.289 contains the fix for this vulnerability, and is available from the project's GitHub releases page. GCM Core 2.0.289 is also bundled in the latest Git for Windows release; version 2.29.2(3). As a workaround, users should avoid recursively cloning untrusted repositories with the --recurse-submodules option. | |||||
| CVE-2021-26551 | 1 Smartfoxserver | 1 Smartfoxserver | 2021-02-18 | 6.0 MEDIUM | 8.8 HIGH |
| An issue was discovered in SmartFoxServer 2.17.0. An attacker can execute arbitrary Python code, and bypass the javashell.py protection mechanism, by creating /config/ConsoleModuleUnlock.txt and editing /config/admin/admintool.xml to enable the Console module. | |||||
| CVE-2020-36234 | 1 Atlassian | 2 Data Center, Jira | 2021-02-18 | 3.5 LOW | 4.8 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0. | |||||
| CVE-2021-27213 | 1 Pystemon Project | 1 Pystemon | 2021-02-18 | 7.5 HIGH | 9.8 CRITICAL |
| config.py in pystemon before 2021-02-13 allows code execution via YAML deserialization because SafeLoader and safe_load are not used. | |||||
| CVE-2021-25688 | 1 Teradici | 2 Pcoip Graphics Agent, Pcoip Standard Agent | 2021-02-17 | 2.1 LOW | 5.5 MEDIUM |
| Under certain conditions, Teradici PCoIP Agents for Windows prior to version 20.10.0 and Teradici PCoIP Agents for Linux prior to version 21.01.0 may log parts of a user's password in the application logs. | |||||
| CVE-2021-27184 | 1 Pelco | 1 Digital Sentry Server | 2021-02-17 | 5.0 MEDIUM | 7.5 HIGH |
| Pelco Digital Sentry Server 7.18.72.11464 has an XML External Entity vulnerability (exploitable via the DTD parameter entities technique), resulting in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the ControlPointCacheShare.xml file (in a %APPDATA%\Pelco directory) when DSControlPoint.exe is executed. | |||||
| CVE-2020-35765 | 1 Zohocorp | 1 Manageengine Applications Manager | 2021-02-17 | 6.5 MEDIUM | 8.8 HIGH |
| doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do. | |||||
| CVE-2020-12663 | 5 Canonical, Debian, Fedoraproject and 2 more | 5 Ubuntu Linux, Debian Linux, Fedora and 2 more | 2021-02-17 | 5.0 MEDIUM | 7.5 HIGH |
| Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers. | |||||
| CVE-2021-21976 | 1 Vmware | 1 Vsphere Replication | 2021-02-17 | 6.5 MEDIUM | 7.2 HIGH |
| vSphere Replication 8.3.x prior to 8.3.1.2, 8.2.x prior to 8.2.1.1, 8.1.x prior to 8.1.2.3 and 6.5.x prior to 6.5.1.5 contain a post-authentication command injection vulnerability which may allow an authenticated admin user to perform a remote code execution. | |||||
| CVE-2021-27237 | 1 Blackcat-cms | 1 Blackcat Cms | 2021-02-17 | 3.5 LOW | 4.8 MEDIUM |
| The admin panel in BlackCat CMS 1.3.6 allows stored XSS (by an admin) via the Display Name field to backend/preferences/ajax_save.php. | |||||
| CVE-2021-3294 | 1 Casap Automated Enrollment System Project | 1 Casap Automated Enrollment System | 2021-02-17 | 3.5 LOW | 5.4 MEDIUM |
| CASAP Automated Enrollment System 1.0 is affected by cross-site scripting (XSS) in users.php. An attacker can steal a cookie to perform user redirection to a malicious website. | |||||
| CVE-2020-22840 | 1 B2evolution | 1 B2evolution | 2021-02-17 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php. | |||||
| CVE-2020-22841 | 1 B2evolution | 1 B2evolution | 2021-02-17 | 3.5 LOW | 4.8 MEDIUM |
| Stored XSS in b2evolution CMS version 6.11.6 and prior allows an attacker to perform malicious JavaScript code execution via the plugin name input field in the plugin module. | |||||
| CVE-2021-20188 | 2 Podman Project, Redhat | 3 Podman, Enterprise Linux, Openshift Container Platform | 2021-02-17 | 6.9 MEDIUM | 7.0 HIGH |
| A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root user inside the container. It does not allow to directly escape the container, though being a privileged container means that a lot of security features are disabled when running the container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |||||
| CVE-2020-1717 | 1 Redhat | 4 Jboss Fuse, Keycloak, Openshift Application Runtimes and 1 more | 2021-02-17 | 4.0 MEDIUM | 2.7 LOW |
| A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack. | |||||
| CVE-2021-27103 | 1 Accellion | 1 Fta | 2021-02-17 | 7.5 HIGH | 9.8 CRITICAL |
| Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html. The fixed version is FTA_9_12_416 and later. | |||||
| CVE-2021-27104 | 1 Accellion | 1 Fta | 2021-02-17 | 10.0 HIGH | 9.8 CRITICAL |
| Accellion FTA 9_12_370 and earlier is affected by OS command execution via a crafted POST request to various admin endpoints. The fixed version is FTA_9_12_380 and later. | |||||
| CVE-2021-25689 | 1 Teradici | 1 Pcoip Soft Client | 2021-02-17 | 7.5 HIGH | 9.8 CRITICAL |
| An out of bounds write in Teradici PCoIP soft client versions prior to version 20.10.1 could allow an attacker to remotely execute code. | |||||
| CVE-2021-25690 | 1 Teradici | 1 Pcoip Soft Client | 2021-02-17 | 5.0 MEDIUM | 7.5 HIGH |
| A null pointer dereference in Teradici PCoIP Soft Client versions prior to 20.07.3 could allow an attacker to crash the software. | |||||
| CVE-2021-22982 | 1 F5 | 2 Big-ip Domain Name System, Big-ip Global Traffic Manager | 2021-02-17 | 6.5 MEDIUM | 7.2 HIGH |
| On BIG-IP DNS and GTM version 13.1.x before 13.1.0.4, and all versions of 12.1.x and 11.6.x, big3d does not securely handle and parse certain payloads resulting in a buffer overflow. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. | |||||
| CVE-2020-4954 | 1 Ibm | 1 Spectrum Protect Operations Center | 2021-02-17 | 4.8 MEDIUM | 5.4 MEDIUM |
| IBM Spectrum Protect Operations Center 7.1 and 8.1 could allow a remote attacker to bypass authentication restrictions, caused by improper session validation . By using the configuration panel to obtain a valid session using an attacker controlled IBM Spectrum Protect server, an attacker could exploit this vulnerability to bypass authentication and gain access to a limited number of debug functions, such as logging levels. IBM X-Force ID: 192153. | |||||
| CVE-2020-4955 | 1 Ibm | 1 Spectrum Protect Operations Center | 2021-02-17 | 5.2 MEDIUM | 8.0 HIGH |
| IBM Spectrum Protect Operations Center 7.1 and 8.1could allow a remote attacker to execute arbitrary code on the system, caused by improper parameter validation. By creating an unspecified servlet request with specially crafted input parameters, an attacker could exploit this vulnerability to load a malicious .dll with elevated privileges. IBM X-Force ID: 192155. | |||||
| CVE-2020-4956 | 1 Ibm | 1 Spectrum Protect Operations Center | 2021-02-17 | 2.3 LOW | 4.8 MEDIUM |
| IBM Spectrum Protect Operations Center 7.1 and 8.1 is vulnerable to a denial of service, caused by a RPC that allows certain cache values to be set and dumped to a file. By setting a grossly large cache value and dumping that cached value to a file multiple times, a remote attacker could exploit this vulnerability to cause the consumption of all memory resources. IBM X-Force ID: 192156. | |||||
| CVE-2020-8031 | 1 Opensuse | 1 Open Build Service | 2021-02-17 | 3.5 LOW | 5.4 MEDIUM |
| A Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Open Build Service allows remote attackers to store JS code in markdown that is not properly escaped, impacting confidentiality and integrity. This issue affects: Open Build Service versions prior to 2.10.8. | |||||
| CVE-2021-23335 | 1 Is-user-valid Project | 1 Is-user-valid | 2021-02-17 | 5.0 MEDIUM | 7.5 HIGH |
| All versions of package is-user-valid are vulnerable to LDAP Injection which can lead to either authentication bypass or information exposure. | |||||
| CVE-2021-21052 | 2 Adobe, Microsoft | 2 Animate, Windows | 2021-02-17 | 9.3 HIGH | 7.8 HIGH |
| Adobe Animate version 21.0.2 (and earlier) is affected by an Out-of-bounds Write vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||