Lista CVE - 2021 / Gennaio
Visualizzazione 1501 - 1514 di 1514 CVE per Gennaio 2021 (Pagina 16 di 16)
| ID CVE | Data | Titolo |
|---|---|---|
| CVE-2020-24669 | 2021-01-29 | The New Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a DOM-based Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically,... |
| CVE-2021-25136 | 2021-01-29 | The Baseboard Management Controller(BMC) in HPE Cloudline CL5800 Gen9 Server; HPE Cloudline CL5200 Gen9 Server; HPE Cloudline CL4100 Gen10 Server; HPE Cloudline CL3100 Gen10 Server; HPE Cloudline CL5800 Gen10 Server... |
| CVE-2020-24670 | 2021-01-29 | The Dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains a reflected Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the... |
| CVE-2020-24664 | 2021-01-29 | The dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains a reflected Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the... |
| CVE-2020-24666 | 2021-01-29 | The Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a stored Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the... |
| CVE-2021-25646 | 2021-01-29 | Authenticated users can override system configurations in their requests which allows them to execute arbitrary code. |
| CVE-2020-29557 | 2021-01-29 | An issue was discovered on D-Link DIR-825 R1 devices through 3.0.1 before 2020-11-20. A buffer overflow in the web interface allows attackers to achieve pre-authentication remote code execution. |
| CVE-2021-21254 | 2021-01-29 | Regular expression Denial of Service in Markdown plugin |
| CVE-2020-15568 | 2021-01-30 | TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can... |
| CVE-2020-15690 | 2021-01-30 | In Nim before 1.2.6, the standard library asyncftpclient lacks a check for whether a message contains a newline character. |
| CVE-2020-14418 | 2021-01-30 | A TOCTOU vulnerability exists in madCodeHook before 2020-07-16 that allows local attackers to elevate their privileges to SYSTEM. This occurs because path redirection can occur via vectors involving directory junctions. |
| CVE-2020-17380 | 2021-01-30 | A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine... |
| CVE-2021-23329 | 2021-01-31 | Prototype Pollution |
| CVE-2021-21276 | 2021-02-01 | Privilege escalation in Polr |
| CVE-2020-26547 | 2021-02-01 | Monal before 4.9 does not implement proper sender verification on MAM and Message Carbon (XEP-0280) results. This allows a remote attacker (able to send stanzas to a victim) to inject... |
| CVE-2020-13857 | 2021-02-01 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. They can be rebooted by sending an unauthenticated poof.cgi HTTP GET request. |
| CVE-2020-13856 | 2021-02-01 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. Authentication is not required to download the support file that contains sensitive information such as cleartext credentials and password hashes. |
| CVE-2020-13859 | 2021-02-01 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. A format error in /etc/shadow, coupled with a logic bug in the LuCI - OpenWrt Configuration Interface framework, allows the... |
| CVE-2020-13860 | 2021-02-01 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. The one-time password algorithm for the undocumented system account mofidev generates a predictable six-digit password. |
| CVE-2020-15832 | 2021-02-01 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The poof.cgi script contains undocumented code that provides the ability to remotely reboot the device. An adversary with the private... |
| CVE-2020-15833 | 2021-02-01 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The Dropbear SSH daemon has been modified to accept an alternate hard-coded path to a public key that allows root... |
| CVE-2020-15834 | 2021-02-01 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The wireless network password is exposed in a QR encoded picture that an unauthenticated adversary can download via the web-management... |
| CVE-2020-15835 | 2021-02-01 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The authentication function contains undocumented code that provides the ability to authenticate as root without knowing the actual root password.... |
| CVE-2020-15836 | 2021-02-01 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The authentication function passes untrusted data to the operating system without proper sanitization. A crafted request can be sent to... |
| CVE-2020-13858 | 2021-02-01 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. They contain two undocumented administrator accounts. The sftp and mofidev accounts are defined in /etc/passwd and the password... |
| CVE-2021-3348 | 2021-02-01 | nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-free that could be triggered by local attackers (with access to the nbd device) via an I/O request... |
| CVE-2021-3349 | 2021-02-01 | GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. NOTE:... |
| CVE-2021-3350 | 2021-02-01 | deleteaccount.php in the Delete Account plugin 1.4 for MyBB allows XSS via the deletereason parameter. |
| CVE-2020-28194 | 2021-02-01 | Variable underflow exists in accel-ppp radius/packet.c when receiving a RADIUS vendor-specific attribute with length field is less than 2. It has an impact only when the attacker controls the RADIUS... |
| CVE-2020-36109 | 2021-02-01 | ASUS RT-AX86U router firmware below version under 9.0.0.4_386 has a buffer overflow in the blocking_request.cgi function of the httpd module that can cause code execution when an attacker constructs malicious... |
| CVE-2020-24271 | 2021-02-01 | A CSRF vulnerability was discovered in EasyCMS v1.6 that can add an admin account through index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent, then post username=***&password=***. |
| CVE-2021-21266 | 2021-02-01 | XXE vulnerability in OpenHAB |
| CVE-2020-13562 | 2021-02-01 | A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL... |
| CVE-2021-23330 | 2021-02-01 | Command Injection |
| CVE-2021-21277 | 2021-02-01 | Angular Expressions - Remote Code Execution |
| CVE-2020-13563 | 2021-02-01 | A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL... |
| CVE-2020-13564 | 2021-02-01 | A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL... |
| CVE-2021-21286 | 2021-02-01 | Authorization Bypass in AVideo Platform |
| CVE-2020-28426 | 2021-02-01 | Command Injection |
| CVE-2021-3283 | 2021-02-01 | HashiCorp Nomad and Nomad Enterprise up to 0.12.9 exec and java task drivers can access processes associated with other tasks on the same node. Fixed in 0.12.10, and 1.0.3. |
| CVE-2021-3282 | 2021-02-01 | HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2. |
| CVE-2020-25594 | 2021-02-01 | HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7. |
| CVE-2021-3024 | 2021-02-01 | HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7. |
| CVE-2021-21287 | 2021-02-01 | Server-Side Request Forgery in MinIO Browser API |
| CVE-2020-21176 | 2021-02-01 | SQL injection vulnerability in the model.increment and model.decrement function in ThinkJS 3.2.10 allows remote attackers to execute arbitrary SQL commands via the step parameter. |
| CVE-2020-21179 | 2021-02-01 | Sql injection vulnerability in koa2-blog 1.0.0 allows remote attackers to Injecting a malicious SQL statement via the name parameter to the signin page. |
| CVE-2020-21180 | 2021-02-01 | Sql injection vulnerability in koa2-blog 1.0.0 allows remote attackers to Injecting a malicious SQL statement via the name parameter to the signup page. |
| CVE-2020-20294 | 2021-02-01 | An issue was found in CMSWing project version 1.3.8. Because the log function does not check the log parameter, malicious parameters can execute arbitrary commands. |
| CVE-2020-20295 | 2021-02-01 | An issue was found in CMSWing project version 1.3.8. Because the updateAction function does not check the detail parameter, malicious parameters can execute arbitrary SQL commands. |
| CVE-2020-20296 | 2021-02-01 | An issue was found in CMSWing project version 1.3.8, Because the rechargeAction function does not check the balance parameter, malicious parameters can execute arbitrary SQL commands. |
| CVE-2020-20290 | 2021-02-01 | Directory traversal vulnerability in the yccms 3.3 project. The delete, deletesite, and deleteAll functions' improper judgment of the request parameters, triggers a directory traversal vulnerability. |
| CVE-2020-20289 | 2021-02-01 | Sql injection vulnerability in the yccms 3.3 project. The no_top function's improper judgment of the request parameters, triggers a sql injection vulnerability. |
| CVE-2020-20287 | 2021-02-01 | Unrestricted file upload vulnerability in the yccms 3.3 project. The xhUp function's improper judgment of the request parameters, triggers remote code execution. |
| CVE-2020-28493 | 2021-02-01 | Regular Expression Denial of Service (ReDoS) |
| CVE-2019-20470 | 2021-02-01 | An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. It performs actions based on certain SMS commands. This can be used to set up a voice communication... |
| CVE-2019-20471 | 2021-02-01 | An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. When using the device at initial setup, a default password is used (123456) for administrative purposes. There is... |
| CVE-2019-20473 | 2021-02-01 | An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. Any SIM card used with the device cannot have a PIN configured. If a PIN is configured, the... |
| CVE-2019-20468 | 2021-02-01 | An issue was discovered in SeTracker2 for TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. It has unnecessary permissions such as READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, and READ_CONTACTS. |
| CVE-2021-3340 | 2021-02-01 | A cross-site scripting (XSS) vulnerability in many forms of Wikindx before 5.7.0 and 6.x through 6.4.0 allows remote attackers to inject arbitrary web script or HTML via the message parameter... |
| CVE-2021-3378 | 2021-02-01 | FortiLogger 4.4.2.2 is affected by Arbitrary File Upload by sending a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then visiting Assets/temp/hotspot/img/logohotspot.asp. |
| CVE-2020-36231 | 2021-02-01 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References... |
| CVE-2020-14192 | 2021-02-01 | Affected versions of Atlassian Fisheye and Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics. The affected... |
| CVE-2020-25037 | 2021-02-02 | UCOPIA Wi-Fi appliances 6.0.5 allow arbitrary code execution with admin user privileges via an escape from a restricted command. |
| CVE-2020-25036 | 2021-02-02 | UCOPIA Wi-Fi appliances 6.0.5 allow authenticated remote attackers to escape the restricted administration shell CLI, and access a shell with admin user rights, via an unprotected less command. |
| CVE-2020-25035 | 2021-02-02 | UCOPIA Wi-Fi appliances 6.0.5 allow arbitrary code execution with root privileges using chroothole_client's PHP call, a related issue to CVE-2017-11322. |
| CVE-2020-24335 | 2021-02-02 | An issue was discovered in uIP through 1.0, as used in Contiki and Contiki-NG. Domain name parsing lacks bounds checks, allowing an attacker to corrupt memory with crafted DNS packets. |
| CVE-2021-3281 | 2021-02-02 | In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute... |
| CVE-2020-1896 | 2021-02-02 | A stack overflow vulnerability in Facebook Hermes 'builtin apply' prior to commit 86543ac47e59c522976b5632b8bf9a2a4583c7d2 (https://github.com/facebook/hermes/commit/86543ac47e59c522976b5632b8bf9a2a4583c7d2) allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable... |
| CVE-2020-28495 | 2021-02-02 | Prototype Pollution |
| CVE-2020-28494 | 2021-02-02 | Command Injection |
| CVE-2020-8101 | 2021-02-02 | Command execution due to unsanitized input in LifeShield DIY HD Video Doorbell |
| CVE-2020-25506 | 2021-02-02 | D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution. |
| CVE-2020-18568 | 2021-02-02 | The D-Link DSR-250 (3.14) DSR-1000N (2.11B201) UPnP service contains a command injection vulnerability, which can cause remote command execution. |
| CVE-2021-25310 | 2021-02-02 | The administration web interface on Belkin Linksys WRT160NL 1.0.04.002_US_20130619 devices allows remote authenticated attackers to execute system commands with root privileges via shell metacharacters in the ui_language POST parameter to... |
| CVE-2020-4934 | 2021-02-02 | IBM Content Navigator 3.0.CD could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view... |
| CVE-2019-25018 | 2021-02-02 | In the rcp client in MIT krb5-appl through 1.0.3, malicious servers could bypass intended access restrictions via the filename of . or an empty filename, similar to CVE-2018-20685 and CVE-2019-7282.... |
| CVE-2019-25017 | 2021-02-02 | An issue was discovered in rcp in MIT krb5-appl through 1.0.3. Due to the rcp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the... |
| CVE-2020-15097 | 2021-02-02 | Path Traversal in loklak |
| CVE-2021-21285 | 2021-02-02 | Docker daemon crash during image pull of malicious image |
| CVE-2021-21284 | 2021-02-02 | privilege escalation in Moby |
| CVE-2021-20199 | 2021-02-02 | Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by default... |
| CVE-2020-7775 | 2021-02-02 | Command Injection |
| CVE-2021-23271 | 2021-02-02 | TIBCO EBX Cross Site Scripting (XSS) |
| CVE-2021-25912 | 2021-02-02 | Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0.1.0 allows attackers to cause a denial of service and may lead to remote code execution. |
| CVE-2021-21289 | 2021-02-02 | Command Injection Vulnerability in Mechanize |
| CVE-2020-28498 | 2021-02-02 | Cryptographic Issues |
| CVE-2021-21291 | 2021-02-02 | Subdomain checking of whitelisted domains could allow unintended redirects |
| CVE-2020-14221 | 2021-02-02 | HCL Digital Experience 8.5, 9.0, and 9.5 exposes information about the server to unauthorized users. |
| CVE-2021-21292 | 2021-02-02 | Unquoted Windows binary path in Traccar |
| CVE-2020-14255 | 2021-02-02 | HCL Digital Experience 9.5 containers include vulnerabilities that could expose sensitive data to unauthorized parties via crafted requests. These affect containers only. These do not affect traditional on-premise installations. |
| CVE-2020-1910 | 2021-02-02 | A missing bounds check in WhatsApp for Android prior to v2.21.1.13 and WhatsApp Business for Android prior to v2.21.1.13 could have allowed out-of-bounds read and write if a user applied... |
| CVE-2020-4081 | 2021-02-02 | In Digital Experience 8.5, 9.0, and 9.5, WSRP consumer is vulnerable to cross-site scripting (XSS). |
| CVE-2020-8734 | 2021-02-02 | Improper input validation in the firmware for Intel(R) Server Board M10JNP2SB before version 7.210 may allow a privileged user to potentially enable escalation of privilege via local access. |
| CVE-2021-3395 | 2021-02-02 | A cross-site scripting (XSS) vulnerability in Pryaniki 6.44.3 allows remote authenticated users to upload an arbitrary file. The JavaScript code will execute when someone visits the attachment. |
| CVE-2020-29662 | 2021-02-02 | In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog’s registry API is exposed on an unauthenticated path. |
| CVE-2020-8672 | 2021-02-02 | Out of bound read in BIOS firmware for 8th, 9th Generation Intel(R) Core(TM), Intel(R) Celeron(R) Processor 4000 Series Processors may allow an unauthenticated user to potentially enable elevation of privilege... |
| CVE-2020-24490 | 2021-02-02 | Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ. |
| CVE-2021-21293 | 2021-02-02 | Unbounded connection acceptance leads to file handle exhaustion |
| CVE-2021-21294 | 2021-02-02 | Unbounded connection acceptance in http4s-blaze-server |
| CVE-2021-21043 | 2021-02-02 | Reflected Cross-site Scripting (XSS) on version-compare and page-compare tools |