Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-13750 | 2 Fedoraproject, Jasper Project | 2 Fedora, Jasper | 2021-02-05 | 5.0 MEDIUM | 7.5 HIGH |
| There is a reachable assertion abort in the function jpc_dec_process_siz() in jpc/jpc_dec.c:1296 in JasPer 2.0.12 that will lead to a remote denial of service attack. | |||||
| CVE-2017-13751 | 2 Fedoraproject, Jasper Project | 2 Fedora, Jasper | 2021-02-05 | 5.0 MEDIUM | 7.5 HIGH |
| There is a reachable assertion abort in the function calcstepsizes() in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of service attack. | |||||
| CVE-2017-13752 | 2 Fedoraproject, Jasper Project | 2 Fedora, Jasper | 2021-02-05 | 5.0 MEDIUM | 7.5 HIGH |
| There is a reachable assertion abort in the function jpc_dequantize() in jpc/jpc_dec.c in JasPer 2.0.12 that will lead to a remote denial of service attack. | |||||
| CVE-2021-25910 | 1 Zivautomation | 2 4cct-ea6-334126bf, 4cct-ea6-334126bf Firmware | 2021-02-05 | 3.3 LOW | 6.5 MEDIUM |
| Improper Authentication vulnerability in the cookie parameter of ZIV AUTOMATION 4CCT-EA6-334126BF allows a local attacker to perform modifications in several parameters of the affected device as an authenticated user. | |||||
| CVE-2020-35124 | 1 Acquia | 1 Mautic | 2021-02-05 | 6.8 MEDIUM | 9.6 CRITICAL |
| A cross-site scripting (XSS) vulnerability in the assets component of Mautic before 3.2.4 allows remote attackers to inject executable JavaScript through the Referer header of asset downloads. | |||||
| CVE-2020-18715 | 2021-02-05 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. | |||||
| CVE-2021-25310 | 1 Belkin | 2 Linksys Wrt160nl, Linksys Wrt160nl Firmware | 2021-02-05 | 9.0 HIGH | 8.8 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** The administration web interface on Belkin Linksys WRT160NL 1.0.04.002_US_20130619 devices allows remote authenticated attackers to execute system commands with root privileges via shell metacharacters in the ui_language POST parameter to the apply.cgi form endpoint. This occurs in do_upgrade_post in mini_httpd. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | |||||
| CVE-2021-25909 | 1 Zivautomation | 2 4cct-ea6-334126bf, 4cct-ea6-334126bf Firmware | 2021-02-05 | 5.0 MEDIUM | 7.5 HIGH |
| ZIV Automation 4CCT-EA6-334126BF firmware version 3.23.80.27.36371, allows an unauthenticated, remote attacker to cause a denial of service condition on the device. An attacker could exploit this vulnerability by sending specific packets to the port 7919. | |||||
| CVE-2021-25756 | 1 Jetbrains | 1 Intellij Idea | 2021-02-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains IntelliJ IDEA before 2020.2, HTTP links were used for several remote repositories instead of HTTPS. | |||||
| CVE-2021-0343 | 1 Google | 1 Android | 2021-02-05 | 7.2 HIGH | 6.7 MEDIUM |
| In kisd, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11; Patch ID: ALPS05449962. | |||||
| CVE-2021-25757 | 1 Jetbrains | 1 Hub | 2021-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| In JetBrains Hub before 2020.1.12629, an open redirect was possible. | |||||
| CVE-2021-25760 | 1 Jetbrains | 1 Hub | 2021-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains Hub before 2020.1.12669, information disclosure via the public API was possible. | |||||
| CVE-2021-25765 | 1 Jetbrains | 1 Youtrack | 2021-02-04 | 6.8 MEDIUM | 8.8 HIGH |
| In JetBrains YouTrack before 2020.4.4701, CSRF via attachment upload was possible. | |||||
| CVE-2020-4640 | 1 Ibm | 1 Api Connect | 2021-02-04 | 3.8 LOW | 4.1 MEDIUM |
| Certain IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 configurations can result in sensitive information in the URL fragment identifiers. This information can be cached in the intermediate nodes like proxy servers, cdn, logging platforms, etc. An attacker can make use of this information to perform attacks by impersonating a user. IBM X-Force ID: 185510. | |||||
| CVE-2020-4828 | 1 Ibm | 1 Api Connect | 2021-02-04 | 6.4 MEDIUM | 6.5 MEDIUM |
| IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to web cache poisoning, caused by improper input validation by modifying HTTP request headers. IBM X-Force ID: 189842. | |||||
| CVE-2020-4827 | 1 Ibm | 1 Api Connect | 2021-02-04 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 189841. | |||||
| CVE-2020-4826 | 1 Ibm | 1 Api Connect | 2021-02-04 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 189840. | |||||
| CVE-2020-4825 | 1 Ibm | 1 Api Connect | 2021-02-04 | 3.5 LOW | 5.4 MEDIUM |
| IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 189839. | |||||
| CVE-2020-5032 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2021-02-04 | 3.3 LOW | 4.3 MEDIUM |
| IBM QRadar SIEM 7.3 and 7.4 in some configurations may be vulnerable to a temporary denial of service attack when sent particular payloads. IBM X-Force ID: 194178. | |||||
| CVE-2021-25772 | 1 Jetbrains | 1 Teamcity | 2021-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains TeamCity before 2020.2.2, TeamCity server DoS was possible via server integration. | |||||
| CVE-2021-25776 | 1 Jetbrains | 1 Teamcity | 2021-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| In JetBrains TeamCity before 2020.2, an ECR token could be exposed in a build's parameters. | |||||
| CVE-2021-25777 | 1 Jetbrains | 1 Teamcity | 2021-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains TeamCity before 2020.2.1, permissions during token removal were checked improperly. | |||||
| CVE-2020-4934 | 3 Ibm, Linux, Microsoft | 4 Aix, Content Navigator, Linux Kernel and 1 more | 2021-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Content Navigator 3.0.CD could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 191752. | |||||
| CVE-2021-25771 | 1 Jetbrains | 1 Youtrack | 2021-02-04 | 5.0 MEDIUM | 4.3 MEDIUM |
| In JetBrains YouTrack before 2020.6.1099, project information could be potentially disclosed. | |||||
| CVE-2020-24335 | 3 Contiki-ng, Contiki-os, Uip Project | 3 Contiki-ng, Contiki, Uip | 2021-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in uIP through 1.0, as used in Contiki and Contiki-NG. Domain name parsing lacks bounds checks, allowing an attacker to corrupt memory with crafted DNS packets. | |||||
| CVE-2020-25035 | 1 Ucopia | 1 Express Wireless Appliance | 2021-02-04 | 7.2 HIGH | 6.7 MEDIUM |
| UCOPIA Wi-Fi appliances 6.0.5 allow arbitrary code execution with root privileges using chroothole_client's PHP call, a related issue to CVE-2017-11322. | |||||
| CVE-2021-3283 | 1 Hashicorp | 1 Nomad | 2021-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Nomad and Nomad Enterprise up to 0.12.9 exec and java task drivers can access processes associated with other tasks on the same node. Fixed in 0.12.10, and 1.0.3. | |||||
| CVE-2021-25773 | 1 Jetbrains | 1 Teamcity | 2021-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| JetBrains TeamCity before 2020.2 was vulnerable to reflected XSS on several pages. | |||||
| CVE-2020-14192 | 1 Atlassian | 2 Crucible, Fisheye | 2021-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| Affected versions of Atlassian Fisheye and Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics. The affected versions are before version 4.8.4. | |||||
| CVE-2020-35652 | 1 Digium | 1 Asterisk | 2021-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in res_pjsip_diversion.c in Sangoma Asterisk before 13.38.0, 14.x through 16.x before 16.15.0, 17.x before 17.9.0, and 18.x before 18.1.0. A crash can occur when a SIP message is received with a History-Info header that contains a tel-uri, or when a SIP 181 response is received that contains a tel-uri in the Diversion header. | |||||
| CVE-2020-35482 | 1 Solarwinds | 1 Serv-u | 2021-02-04 | 3.5 LOW | 5.4 MEDIUM |
| SolarWinds Serv-U before 15.2.2 allows authenticated reflected XSS. | |||||
| CVE-2021-3395 | 1 Pryaniki | 1 Pryaniki | 2021-02-04 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Pryaniki 6.44.3 allows remote authenticated users to upload an arbitrary file. The JavaScript code will execute when someone visits the attachment. | |||||
| CVE-2020-25036 | 1 Ucopia | 1 Ucopia Wireless Appliance | 2021-02-04 | 9.0 HIGH | 8.8 HIGH |
| UCOPIA Wi-Fi appliances 6.0.5 allow authenticated remote attackers to escape the restricted administration shell CLI, and access a shell with admin user rights, via an unprotected less command. | |||||
| CVE-2020-25037 | 1 Ucopia | 1 Ucopia Wireless Appliance | 2021-02-04 | 7.2 HIGH | 8.2 HIGH |
| UCOPIA Wi-Fi appliances 6.0.5 allow arbitrary code execution with admin user privileges via an escape from a restricted command. | |||||
| CVE-2020-26272 | 1 Electronjs | 1 Electron | 2021-02-04 | 6.4 MEDIUM | 6.5 MEDIUM |
| The Electron framework lets you write cross-platform desktop applications using JavaScript, HTML and CSS. In affected versions of Electron IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app uses remote, calls webContents.sendToFrame, or calls event.reply in an IPC message handler then it is impacted by this issue. This has been fixed in versions 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9. There are no workarounds for this issue. | |||||
| CVE-2020-1723 | 1 Redhat | 1 Mobile Application Platform | 2021-02-04 | 4.3 MEDIUM | 4.3 MEDIUM |
| The logout endpoint /oauth/logout?redirect=url can be abused to redirect logged in users to arbitrary web pages. This vulnerability could be used in phishing attacks. Versions shipped with Red Hat Mobile Aplication Platform 4 are believed to be vulnerable. | |||||
| CVE-2021-20185 | 1 Moodle | 1 Moodle | 2021-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages. | |||||
| CVE-2020-29163 | 1 Rainbowfishsoftware | 1 Pacsone Server | 2021-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by SQL injection. | |||||
| CVE-2021-23328 | 1 Iniparserjs Project | 1 Iniparserjs | 2021-02-04 | 6.8 MEDIUM | 5.6 MEDIUM |
| This affects all versions of package iniparserjs. This vulnerability relates when ini_parser.js is concentrating arrays. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program. | |||||
| CVE-2020-29164 | 1 Rainbowfishsoftware | 1 Pacsone Server | 2021-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by cross-site scripting (XSS). | |||||
| CVE-2020-24666 | 1 Hitachi | 1 Vantara Pentaho | 2021-02-04 | 3.5 LOW | 5.4 MEDIUM |
| The Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a stored Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'Display Name' parameter. Remediated in >= 9.1.0.1 | |||||
| CVE-2021-23330 | 1 Bitovi | 1 Launchpad | 2021-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package launchpad are vulnerable to Command Injection via stop. | |||||
| CVE-2020-24664 | 1 Hitachi | 1 Vantara Pentaho | 2021-02-04 | 3.5 LOW | 5.4 MEDIUM |
| The dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains a reflected Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'pho:title' attribute of 'dashboardXml' parameter. Remediated in >= 7.1.0.25, >= 8.2.0.6, and >= 8.3.0.0 GA. | |||||
| CVE-2021-3160 | 1 Aca | 1 Assuweb | 2021-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Deserialization of untrusted data in the login page of ASSUWEB 359.3 build 1 subcomponent of ACA ASSUREX RENTES product allows a remote attacker to inject unsecure serialized Java object using a specially crafted HTTP request, resulting in an unauthenticated remote code execution on the server. | |||||
| CVE-2021-3340 | 1 Wikindx Project | 1 Wikindx | 2021-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in many forms of Wikindx before 5.7.0 and 6.x through 6.4.0 allows remote attackers to inject arbitrary web script or HTML via the message parameter to index.php?action=initLogon or modules/admin/DELETEIMAGES.php. | |||||
| CVE-2021-26305 | 1 Cdr Project | 1 Cdr | 2021-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Deserializer::read_vec in the cdr crate before 0.2.4 for Rust. A user-provided Read implementation can gain access to the old contents of newly allocated heap memory, violating soundness. | |||||
| CVE-2020-24665 | 1 Hitachi | 1 Vantara Pentaho | 2021-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains an XML Entity Expansion injection vulnerability, which allows an authenticated remote users to trigger a denial of service (DoS) condition. Specifically, the vulnerability lies in the 'dashboardXml' parameter. Remediated in >= 7.1.0.25, >= 8.2.0.6, >= 8.3.0.0 GA | |||||
| CVE-2020-20290 | 1 Yccms | 1 Yccms | 2021-02-04 | 6.4 MEDIUM | 7.5 HIGH |
| Directory traversal vulnerability in the yccms 3.3 project. The delete, deletesite, and deleteAll functions' improper judgment of the request parameters, triggers a directory traversal vulnerability. | |||||
| CVE-2021-21278 | 1 Rsshub | 1 Rsshub | 2021-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| RSSHub is an open source, easy to use, and extensible RSS feed generator. In RSSHub before version 7f1c430 (non-semantic versioning) there is a risk of code injection. Some routes use `eval` or `Function constructor`, which may be injected by the target site with unsafe code, causing server-side security issues The fix in version 7f1c430 is to temporarily remove the problematic route and added a `no-new-func` rule to eslint. | |||||
| CVE-2020-24669 | 1 Hitachi | 1 Vantara Pentaho | 2021-02-04 | 3.5 LOW | 5.4 MEDIUM |
| The New Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a DOM-based Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'Analysis Report Description' field in 'About this Report' section. Remediated in >= 8.3.0.9, >= 9.0.0.1, and >= 9.1.0.0 GA. | |||||