CVE List - 2021 / January
Showing 801 - 900 of 1514 CVEs for January 2021 (Page 9 of 16)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-23837 | 2021-01-15 | An issue was discovered in flatCore before 2.0.0 build 139. A time-based blind SQL injection was identified in the selected_folder HTTP request body parameter for the acp interface. The affected... |
| CVE-2021-23838 | 2021-01-15 | An issue was discovered in flatCore before 2.0.0 build 139. A reflected XSS vulnerability was identified in the media_filter HTTP request body parameter for the acp interface. The affected parameter... |
| CVE-2019-16961 | 2021-01-15 | SolarWinds Web Help Desk 12.7.0 allows XSS via a Schedule Name. |
| CVE-2020-35733 | 2021-01-15 | An issue was discovered in Erlang/OTP before 23.2.2. The ssl application 10.2 accepts and trusts an invalid X.509 certificate chain to a trusted root Certification Authority. |
| CVE-2021-22168 | 2021-01-15 | A regular expression denial of service issue has been discovered in NuGet API affecting all versions of GitLab starting from version 12.8. |
| CVE-2021-22171 | 2021-01-15 | Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim's API token if they click on a maliciously crafted link |
| CVE-2021-22167 | 2021-01-15 | An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers in specific project page allows attacker to have a temporary read access to the private... |
| CVE-2021-22166 | 2021-01-15 | An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method |
| CVE-2020-26414 | 2021-01-15 | An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used for package names is written in a way that makes execution time have quadratic... |
| CVE-2020-35748 | 2021-01-15 | Cross-site scripting (XSS) vulnerability in models/list-table.php in the FV Flowplayer Video Player plugin before 7.4.37.727 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the... |
| CVE-2020-35749 | 2021-01-15 | Directory traversal vulnerability in class-simple_job_board_resume_download_handler.php in the Simple Board Job plugin 2.9.3 and earlier for WordPress allows remote attackers to read arbitrary files via the sjb_file parameter to wp-admin/post.php. |
| CVE-2020-16255 | 2021-01-15 | ownCloud (Core) before 10.5 allows XSS in login page 'forgot password.' |
| CVE-2021-0202 | 2021-01-15 | Junos OS: MX Series, EX9200 Series: Trio-based MPC memory leak when Integrated Routing and Bridging (IRB) interface is mapped to a VPLS instance or a Bridge-Domain |
| CVE-2021-0203 | 2021-01-15 | Junos OS: EX and QFX5K Series: Storm Control does not work as expected when Redundant Trunk Group is configured |
| CVE-2021-0204 | 2021-01-15 | Junos OS: dexp Local Privilege Escalation vulnerabilities in SUID binaries |
| CVE-2021-0205 | 2021-01-15 | Junos OS: MX Series: Dynamic filter fails to match IPv6 prefix |
| CVE-2021-0206 | 2021-01-15 | Junos OS: NFX Series, SRX Series: PFE may crash upon receipt of specific packet when SSL Proxy is configured. |
| CVE-2021-0207 | 2021-01-15 | NFX250, NFX350, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series: Certain genuine traffic received by the Junos OS device will be discarded instead of forwarded. |
| CVE-2021-0208 | 2021-01-15 | Junos OS and Junos OS Evolved: In bidirectional LSP configurations, on MPLS egress router RPD may core upon receipt of specific malformed RSVP packet. |
| CVE-2021-0209 | 2021-01-15 | Junos OS Evolved: Receipt of certain valid BGP update packets from BGP peers may cause RPD to core when using REGEX. |
| CVE-2021-0210 | 2021-01-15 | Junos OS: Privilege escalation in J-Web due to arbitrary command and code execution via information disclosure from another user's active session |
| CVE-2021-0211 | 2021-01-15 | Junos OS and Junos OS Evolved: Upon receipt of a specific BGP FlowSpec message network traffic may be disrupted. |
| CVE-2021-0212 | 2021-01-15 | Contrail Networking: Administrator credentials are exposed in a plaintext file |
| CVE-2021-0215 | 2021-01-15 | Junos OS: EX Series, QFX Series, SRX Branch Series, MX Series: Memory leak in packet forwarding engine due to 802.1X authenticator port interface flaps |
| CVE-2021-0217 | 2021-01-15 | Junos OS: EX Series and QFX Series: Memory leak issue processing specific DHCP packets |
| CVE-2021-0218 | 2021-01-15 | Junos OS: Command injection vulnerability in license-check daemon |
| CVE-2021-0219 | 2021-01-15 | Junos OS: Command injection vulnerability in 'request system software' CLI command |
| CVE-2021-0220 | 2021-01-15 | Junos Space: Shared secrets stored in recoverable format and directly exposed through the UI |
| CVE-2021-0221 | 2021-01-15 | Junos OS: QFX Series: Traffic loop Denial of Service (DoS) upon receipt of specific IP multicast traffic |
| CVE-2021-0222 | 2021-01-15 | Junos OS: Upon receipt of certain protocol packets with invalid payloads a self-propagating Denial of Service may occur. |
| CVE-2021-0223 | 2021-01-15 | Junos OS: telnetd.real Local Privilege Escalation vulnerabilities in SUID binaries |
| CVE-2021-21237 | 2021-01-15 | Git LFS can execute a Git binary from the current directory on Windows |
| CVE-2020-24641 | 2021-01-15 | In Aruba AirWave Glass before 1.3.3, there is a Server-Side Request Forgery vulnerability through an unauthenticated endpoint that if successfully exploited can result in disclosure of sensitive information. This can... |
| CVE-2020-24638 | 2021-01-15 | Multiple authenticated remote command executions are possible in Airwave Glass before 1.3.3 via the glassadmin cli. These allow for a user with glassadmin privileges to execute arbitrary code as root... |
| CVE-2020-24639 | 2021-01-15 | There is a vulnerability caused by unsafe Java deserialization that allows for arbitrary command execution in a containerized environment within Airwave Glass before 1.3.3. Successful exploitation can lead to complete... |
| CVE-2020-24640 | 2021-01-15 | There is a vulnerability caused by insufficient input validation that allows for arbitrary command execution in a containerized environment within Airwave Glass before 1.3.3. Successful exploitation can lead to complete... |
| CVE-2021-21244 | 2021-01-15 | Pre-Auth SSTI via Bean validation message tampering |
| CVE-2021-21243 | 2021-01-15 | Pre-Auth Unsafe Deserialization on KubernetesResource |
| CVE-2021-21242 | 2021-01-15 | Pre-Auth Unsafe Deserialization on AttachmentUploadServet |
| CVE-2021-21251 | 2021-01-15 | ZipSlip Arbitrary File Upload |
| CVE-2021-21250 | 2021-01-15 | Post-Auth External Entity Expansion (XXE) |
| CVE-2021-21248 | 2021-01-15 | Post-Auth Arbitrary Code execution via Groovy script injection |
| CVE-2021-21249 | 2021-01-15 | Post-Auth Unsafe Yaml deserialization |
| CVE-2021-21247 | 2021-01-15 | Post-Auth Unsafe Deserialization on BasePage (AJAX) |
| CVE-2021-21246 | 2021-01-15 | Pre-Auth Access token leak |
| CVE-2021-21245 | 2021-01-15 | Pre-Auth Arbitrary File Upload |
| CVE-2021-3162 | 2021-01-15 | Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation. |
| CVE-2020-25533 | 2021-01-15 | An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated... |
| CVE-2021-3113 | 2021-01-17 | Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin... |
| CVE-2020-15864 | 2021-01-17 | An issue was discovered in Quali CloudShell 9.3. An XSS vulnerability in the login page allows an attacker to craft a URL, with a constructor.constructor substring in the username field,... |
| CVE-2020-29446 | 2021-01-18 | Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory. The affected versions are... |
| CVE-2021-3166 | 2021-01-18 | An issue was discovered on ASUS DSL-N14U-B1 1.1.2.3_805 devices. An attacker can upload arbitrary file content as a firmware update when the filename Settings_DSL-N14U-B1.trx is used. Once this file is... |
| CVE-2021-25295 | 2021-01-18 | OpenCATS through 0.9.5-3 has multiple Cross-site Scripting (XSS) issues. |
| CVE-2021-25294 | 2021-01-18 | OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity requests, leading to remote code execution. This occurs because lib/DataGrid.php calls unserialize for the parametersactivity:ActivityDataGrid parameter. The PHP object injection exploit chain can leverage... |
| CVE-2021-25178 | 2021-01-18 | An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A stack-based buffer overflow vulnerability exists when the recover operation is run with malformed .DXF and .DWG files.... |
| CVE-2021-25177 | 2021-01-18 | An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A Type Confusion issue exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause... |
| CVE-2021-25176 | 2021-01-18 | An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A NULL pointer dereference exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause... |
| CVE-2021-25175 | 2021-01-18 | An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A Type Conversion issue exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause... |
| CVE-2021-25174 | 2021-01-18 | An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory corruption vulnerability exists when reading malformed DGN files. It can allow attackers to cause a crash,... |
| CVE-2021-25173 | 2021-01-18 | An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory allocation with excessive size vulnerability exists when reading malformed DGN files, which allows attackers to cause... |
| CVE-2020-28473 | 2021-01-18 | Web Cache Poisoning |
| CVE-2020-7343 | 2021-01-18 | Improper Authorization vulnerability in MA |
| CVE-2020-36192 | 2021-01-18 | An issue was discovered in the Source Integration plugin before 2.4.1 for MantisBT. An attacker can gain access to the Summary field of private Issues (either marked as Private, or... |
| CVE-2020-36193 | 2021-01-18 | Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. |
| CVE-2020-14409 | 2021-01-19 | SDL (Simple DirectMedia Layer) through 2.0.12 has an Integer Overflow (and resultant SDL_memcpy heap corruption) in SDL_BlitCopy in video/SDL_blit_copy.c via a crafted .BMP file. |
| CVE-2020-14410 | 2021-01-19 | SDL (Simple DirectMedia Layer) through 2.0.12 has a heap-based buffer over-read in Blit_3or4_to_3or4__inversed_rgb in video/SDL_blit_N.c via a crafted .BMP file. |
| CVE-2021-3177 | 2021-01-19 | Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input,... |
| CVE-2020-29450 | 2021-01-19 | Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The... |
| CVE-2021-20619 | 2021-01-19 | Cross-site scripting vulnerability in GROWI (v4.2 Series) versions prior to v4.2.3 allows remote attackers to inject an arbitrary script via unspecified vectors. |
| CVE-2021-3178 | 2021-01-19 | fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem... |
| CVE-2021-22850 | 2021-01-19 | HGiga OAKloud Portal - Security Misconfiguration |
| CVE-2021-22851 | 2021-01-19 | HGiga OAKloud Portal - SQL injection -1 |
| CVE-2021-22852 | 2021-01-19 | HGiga OAKloud Portal - SQL injection -2 |
| CVE-2020-28477 | 2021-01-19 | Prototype Pollution |
| CVE-2020-28478 | 2021-01-19 | Prototype Pollution |
| CVE-2020-28472 | 2021-01-19 | Prototype Pollution |
| CVE-2020-23522 | 2021-01-19 | Pixelimity 1.0 has cross-site request forgery via the admin/setting.php data [Password] parameter. |
| CVE-2020-20950 | 2021-01-19 | Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in Microchip Libraries for Applications 2018-11-26 All up to 2018-11-26. The vulnerability can allow one to use Bleichenbacher's oracle attack to... |
| CVE-2020-35129 | 2021-01-19 | Mautic before 3.2.4 is affected by stored XSS. An attacker with access to Social Monitoring, an application feature, could attack other users, including administrators. For example, an attacker could load... |
| CVE-2020-35128 | 2021-01-19 | Mautic before 3.2.4 is affected by stored XSS. An attacker with permission to manage companies, an application feature, could attack other users, including administrators. For example, by loading an externally... |
| CVE-2020-23342 | 2021-01-19 | A CSRF vulnerability exists in Anchor CMS 0.12.7 anchor/views/users/edit.php that can change the Delete admin users. |
| CVE-2021-3181 | 2021-01-19 | rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka... |
| CVE-2021-3182 | 2021-01-19 | D-Link DCS-5220 devices have a buffer overflow. NOTE: This vulnerability only affects products that are no longer supported by the maintainer |
| CVE-2020-28481 | 2021-01-19 | Insecure Defaults |
| CVE-2020-28480 | 2021-01-19 | Prototype Pollution |
| CVE-2020-28479 | 2021-01-19 | Denial of Service (DoS) |
| CVE-2020-28482 | 2021-01-19 | Cross-site Request Forgery (CSRF) |
| CVE-2021-3183 | 2021-01-19 | Files.com Fat Client 3.3.6 allows authentication bypass because the client continues to have access after a logout and a removal of a login profile. |
| CVE-2020-4871 | 2021-01-19 | IBM Planning Analytics 2.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 190834. |
| CVE-2020-4873 | 2021-01-19 | IBM Planning Analytics 2.0 could allow an attacker to obtain sensitive information due to an overly permissive CORS policy. IBM X-Force ID: 190836. |
| CVE-2020-4881 | 2021-01-19 | IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the lack of server hostname verification for SSL/TLS communication. By sending a specially-crafted request, an... |
| CVE-2021-25325 | 2021-01-19 | MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs. |
| CVE-2021-25324 | 2021-01-19 | MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp. |
| CVE-2021-25323 | 2021-01-19 | The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password. |
| CVE-2020-27733 | 2021-01-19 | Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request. |
| CVE-2021-22498 | 2021-01-19 | XML External Entity Injection vulnerability in Micro Focus Application Lifecycle Management (Previously known as Quality Center) product. The vulnerability affects versions 12.x, 12.60 Patch 5 and earlier, 15.0.1 Patch 2... |
| CVE-2021-3184 | 2021-01-19 | MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button. |
| CVE-2020-27270 | 2021-01-19 | SOOIL Developments CoLtd DiabecareRS, AnyDana-i, AnyDana-A, communication protocol of the insulin pump & AnyDana-i, AnyDana-A mobile apps doesn't use adequate measures to protect encryption keys in transit which allows unauthenticated physically... |
| CVE-2020-27272 | 2021-01-19 | SOOIL Developments CoLtd DiabecareRS, AnyDana-i, AnyDana-A, The communication protocol of the insulin pump and AnyDana-i, AnyDana-A mobile apps doesn't use adequate measures to authenticate the pump before exchanging keys, which allows... |
| CVE-2020-27276 | 2021-01-19 | SOOIL Developments Co Ltd DiabecareRS, AnyDana-i & AnyDana-A, the communication protocol of the insulin pump and its AnyDana-i & AnyDana-A mobile apps doesn't use adequate measures to authenticate the communicating entities... |