Lista CVE - 2021 / Gennaio
Visualizzazione 101 - 200 di 1514 CVE per Gennaio 2021 (Pagina 2 di 16)
| ID CVE | Data | Titolo |
|---|---|---|
| CVE-2020-36159 | 2021-01-05 | Veritas Desktop and Laptop Option (DLO) before 9.5 disclosed operational information on the backup processing status through a URL that did not require authentication. |
| CVE-2020-29437 | 2021-01-05 | SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint. |
| CVE-2020-36067 | 2021-01-05 | GJSON <=v1.6.5 allows attackers to cause a denial of service (panic: runtime error: slice bounds out of range) via a crafted GET call. |
| CVE-2020-36066 | 2021-01-05 | GJSON <1.6.5 allows attackers to cause a denial of service (remote) via crafted JSON. |
| CVE-2019-20483 | 2021-01-05 | An issue was discovered in Viki Vera 4.9.1.26180. An attacker could set a user's last name to an XSS Payload, and read another user's cookie and use that to login... |
| CVE-2019-20484 | 2021-01-05 | An issue was discovered in Viki Vera 4.9.1.26180. A user without access to a project could download or upload project files by opening the Project URL directly in the browser... |
| CVE-2020-36052 | 2021-01-05 | Directory traversal vulnerability in post-edit.php in MiniCMS V1.10 allows remote attackers to include and execute arbitrary files via the state parameter. |
| CVE-2020-36051 | 2021-01-05 | Directory traversal vulnerability in page_edit.php in MiniCMS V1.10 allows remote attackers to read arbitrary files via the state parameter. |
| CVE-2020-26181 | 2021-01-05 | Dell EMC Isilon OneFS versions 8.1 and later and Dell EMC PowerScale OneFS version 9.0.0 contain a privilege escalation vulnerability on a SmartLock Compliance mode cluster. The compadmin user connecting... |
| CVE-2020-26199 | 2021-01-05 | Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contain a plain-text password storage vulnerability. A user credentials (including the Unisphere admin privilege user) password is stored in... |
| CVE-2020-29489 | 2021-01-05 | Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contains a plain-text password storage vulnerability. A user credentials (including the Unisphere admin privilege user) password is stored in... |
| CVE-2020-29490 | 2021-01-05 | Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contain a Denial of Service vulnerability on NAS Servers with NFS exports. A remote authenticated attacker could potentially exploit... |
| CVE-2020-29500 | 2021-01-05 | Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore T environments. A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure... |
| CVE-2020-29501 | 2021-01-05 | Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore X & T environments. A locally authenticated attacker could potentially exploit this vulnerability, leading to... |
| CVE-2020-29502 | 2021-01-05 | Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore X & T environments. A locally authenticated attacker could potentially exploit this vulnerability, leading to... |
| CVE-2020-35170 | 2021-01-05 | Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions prior to 9.0.2.16, and Dell EMC PowerMax OS 5978.221.221 and 5978.479.479 contain a Cross-Site Scripting... |
| CVE-2020-23250 | 2021-01-05 | GigaVUE-OS (GVOS) 5.4 - 5.9 uses a weak algorithm for a hash stored in internal database. |
| CVE-2020-23249 | 2021-01-05 | GigaVUE-OS (GVOS) 5.4 - 5.9 stores a Redis database password in plaintext. |
| CVE-2021-3026 | 2021-01-05 | Invision Community IPS Community Suite before 4.5.4.2 allows XSS during the quoting of a post or comment. |
| CVE-2020-7336 | 2021-01-05 | Network Security Management (NSM) - Cross Site Request Forgery vulnerability |
| CVE-2020-8287 | 2021-01-06 | Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the... |
| CVE-2020-36169 | 2021-01-06 | An issue was discovered in Veritas NetBackup through 8.3.0.1 and OpsCenter through 8.3.0.1. Processes using OpenSSL attempt to load and execute libraries from paths that do not exist by default... |
| CVE-2020-36168 | 2021-01-06 | An issue was discovered in Veritas Resiliency Platform 3.4 and 3.5. It leverages OpenSSL on Windows systems when using the Managed Host addon. On start-up, it loads the OpenSSL library.... |
| CVE-2020-36167 | 2021-01-06 | An issue was discovered in the server in Veritas Backup Exec through 16.2, 20.6 before hotfix 298543, and 21.1 before hotfix 657517. On start-up, it loads the OpenSSL library from... |
| CVE-2020-36166 | 2021-01-06 | An issue was discovered in Veritas InfoScale 7.x through 7.4.2 on Windows, Storage Foundation through 6.1 on Windows, Storage Foundation HA through 6.1 on Windows, and InfoScale Operations Manager (aka... |
| CVE-2020-36165 | 2021-01-06 | An issue was discovered in Veritas Desktop and Laptop Option (DLO) before 9.4. On start-up, it loads the OpenSSL library from /ReleaseX64/ssl. This library attempts to load the /ReleaseX64/ssl/openssl.cnf configuration... |
| CVE-2020-36164 | 2021-01-06 | An issue was discovered in Veritas Enterprise Vault through 14.0. On start-up, it loads the OpenSSL library. The OpenSSL library then attempts to load the openssl.cnf configuration file (which does... |
| CVE-2020-36163 | 2021-01-06 | An issue was discovered in Veritas NetBackup and OpsCenter through 8.3.0.1. NetBackup processes using Strawberry Perl attempt to load and execute libraries from paths that do not exist by default... |
| CVE-2020-36162 | 2021-01-06 | An issue was discovered in Veritas CloudPoint before 8.3.0.1+hotfix. The CloudPoint Windows Agent leverages OpenSSL. This OpenSSL library attempts to load the \usr\local\ssl\openssl.cnf configuration file, which does not exist. By... |
| CVE-2020-36161 | 2021-01-06 | An issue was discovered in Veritas APTARE 10.4 before 10.4P9 and 10.5 before 10.5P3. By default, on Windows systems, users can create directories under C:\. A low privileged user can... |
| CVE-2020-36160 | 2021-01-06 | An issue was discovered in Veritas System Recovery before 21.2. On start-up, it loads the OpenSSL library from \usr\local\ssl. This library attempts to load the from \usr\local\ssl\openssl.cnf configuration file, which... |
| CVE-2021-21235 | 2021-01-06 | Infinite loop in parsing PNG files in |
| CVE-2020-26759 | 2021-01-06 | clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, due to a buffer overflow. |
| CVE-2020-4336 | 2021-01-06 | IBM WebSphere eXtreme Scale 8.6.1 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header... |
| CVE-2020-10655 | 2021-01-06 | The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.9.1 contains a vulnerability in the ITM application server's WriteWindowMouse API. The vulnerability allows an anonymous remote attacker to execute... |
| CVE-2020-10656 | 2021-01-06 | The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.9.1 contains a vulnerability in the ITM application server's WriteWindowMouseWithChunksV2 API. The vulnerability allows an anonymous remote attacker to execute... |
| CVE-2020-10657 | 2021-01-06 | The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.9.1 contains a vulnerability in the ITM web console's ImportAlertRules feature. The vulnerability allows a remote attacker (with admin or... |
| CVE-2020-10658 | 2021-01-06 | The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.9.1 contains a vulnerability in the ITM application server's WriteImage API. The vulnerability allows an anonymous remote attacker to execute... |
| CVE-2020-8884 | 2021-01-06 | rcdsvc in the Proofpoint Insider Threat Management Windows Agent (formerly ObserveIT Windows Agent) before 7.9 allows remote authenticated users to execute arbitrary code as SYSTEM because of improper deserialization over... |
| CVE-2020-36170 | 2021-01-06 | The Ultimate Member plugin before 2.1.13 for WordPress mishandles hidden name="timestamp" fields in forms. |
| CVE-2020-8160 | 2021-01-06 | MendixSSO <= 2.1.1 contains endpoints that make use of the openid handler, which is suffering from a Cross-Site Scripting vulnerability via the URL path. This is caused by the reflection... |
| CVE-2020-36171 | 2021-01-06 | The Elementor Website Builder plugin before 3.0.14 for WordPress does not properly restrict SVG uploads. |
| CVE-2020-36172 | 2021-01-06 | The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandles the escaping of strings in Select2 dropdowns, potentially leading to XSS. |
| CVE-2020-36174 | 2021-01-06 | The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration. |
| CVE-2020-36175 | 2021-01-06 | The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field. |
| CVE-2020-36173 | 2021-01-06 | The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields. |
| CVE-2012-10001 | 2021-01-06 | The Limit Login Attempts plugin before 1.7.1 for WordPress does not clear auth cookies upon a lockout, which might make it easier for remote attackers to conduct brute-force authentication attempts. |
| CVE-2020-36176 | 2021-01-06 | The iThemes Security (formerly Better WP Security) plugin before 7.7.0 for WordPress does not enforce a new-password requirement for an existing account until the second login occurs. |
| CVE-2020-13544 | 2021-01-06 | An exploitable sign extension vulnerability exists in the TextMaker document parsing functionality of SoftMaker Office 2021’s TextMaker application. A specially crafted document can cause the document parser to sign-extend a... |
| CVE-2020-13545 | 2021-01-06 | An exploitable signed conversion vulnerability exists in the TextMaker document parsing functionality of SoftMaker Office 2021’s TextMaker application. A specially crafted document can cause the document parser to miscalculate a... |
| CVE-2020-27285 | 2021-01-06 | The default configuration of Crimson 3.1 (Build versions prior to 3119.001) allows a user to be able to read and modify the database without authentication. |
| CVE-2020-27279 | 2021-01-06 | A NULL pointer deference vulnerability has been identified in the protocol converter. An attacker could send a specially crafted packet that could reboot the device running Crimson 3.1 (Build versions... |
| CVE-2020-27283 | 2021-01-06 | An attacker could send a specially crafted message to Crimson 3.1 (Build versions prior to 3119.001) that could leak arbitrary memory locations. |
| CVE-2020-36177 | 2021-01-06 | RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size. |
| CVE-2019-16954 | 2021-01-06 | SolarWinds Web Help Desk 12.7.0 allows HTML injection via a Comment in a Help Request ticket. |
| CVE-2019-16962 | 2021-01-06 | Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a modified Report Name in a New Custom Report. |
| CVE-2021-21236 | 2021-01-06 | Regular Expression Denial of Service in CairoSVG |
| CVE-2020-29041 | 2021-01-06 | A misconfiguration in Web-Sesame 2020.1.1.3375 allows an unauthenticated attacker to download the source code of the application, facilitating its comprehension (code review). Specifically, JavaScript source maps were inadvertently included in... |
| CVE-2020-36178 | 2021-01-06 | oal_ipt_addBridgeIsolationRules on TP-Link TL-WR840N 6_EU_0.9.1_4.16 devices allows OS command injection because a raw string entered from the web interface (an IP address field) is used directly for a call to... |
| CVE-2020-8281 | 2021-01-06 | A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks. |
| CVE-2020-8275 | 2021-01-06 | Citrix Secure Mail for Android before 20.11.0 suffers from improper access control allowing unauthenticated access to read limited calendar related data stored within Secure Mail. Note that a malicious app... |
| CVE-2020-8274 | 2021-01-06 | Citrix Secure Mail for Android before 20.11.0 suffers from Improper Control of Generation of Code ('Code Injection') by allowing unauthenticated access to read data stored within Secure Mail. Note that... |
| CVE-2020-8280 | 2021-01-06 | A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks. |
| CVE-2020-8265 | 2021-01-06 | Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly... |
| CVE-2020-8264 | 2021-01-06 | In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially... |
| CVE-2020-35262 | 2021-01-06 | Cross Site Scripting (XSS) vulnerability in Digisol DG-HR3400 can be exploited via the NTP server name in Time and date module and "Keyword" in URL Filter. |
| CVE-2020-25498 | 2021-01-06 | Cross Site Scripting (XSS) vulnerability in Beetel router 777VR1 can be exploited via the NTP server name in System Time and "Keyword" in URL Filter. |
| CVE-2020-36181 | 2021-01-06 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. |
| CVE-2020-36189 | 2021-01-06 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. |
| CVE-2020-36188 | 2021-01-06 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. |
| CVE-2020-36187 | 2021-01-06 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. |
| CVE-2020-36186 | 2021-01-06 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. |
| CVE-2020-36185 | 2021-01-06 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. |
| CVE-2020-36184 | 2021-01-06 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. |
| CVE-2020-36183 | 2021-01-06 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. |
| CVE-2020-36182 | 2021-01-06 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. |
| CVE-2020-36180 | 2021-01-06 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. |
| CVE-2020-36179 | 2021-01-06 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. |
| CVE-2020-26085 | 2021-01-06 | Cisco Jabber Desktop and Mobile Client Software Vulnerabilities |
| CVE-2020-26768 | 2021-01-07 | Formstone <=1.4.16 is vulnerable to a Reflected Cross-Site Scripting (XSS) vulnerability caused by improper validation of user supplied input in the upload-target.php and upload-chunked.php files. A remote attacker could exploit... |
| CVE-2020-24900 | 2021-01-07 | The default installation of Krpano Panorama Viewer version <=1.20.8 is prone to Reflected XSS due to insecure XML load in file /viewer/krpano.html, parameter xml. |
| CVE-2020-24901 | 2021-01-07 | The default installation of Krpano Panorama Viewer version <=1.20.8 is vulnerable to Reflected XSS due to insecure remote js load in file viewer/krpano.html, parameter plugin[test].url. |
| CVE-2020-24902 | 2021-01-07 | Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to... |
| CVE-2020-24903 | 2021-01-07 | Cute Editor for ASP.NET 6.4 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially... |
| CVE-2020-35114 | 2021-01-07 | Mozilla developers reported memory safety bugs present in Firefox 83. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could... |
| CVE-2020-35113 | 2021-01-07 | Mozilla developers reported memory safety bugs present in Firefox 83 and Firefox ESR 78.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort... |
| CVE-2020-35112 | 2021-01-07 | If a user downloaded a file lacking an extension on Windows, and then "Open"-ed it from the downloads panel, if there was an executable file in the downloads directory with... |
| CVE-2020-35111 | 2021-01-07 | When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user... |
| CVE-2020-26979 | 2021-01-07 | When a user typed a URL in the address bar or the search bar and quickly hit the enter key, a website could sometimes capture that event and then redirect... |
| CVE-2020-26978 | 2021-01-07 | Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This... |
| CVE-2020-26977 | 2021-01-07 | By attempting to connect a website using an unresponsive port, an attacker could have controlled the content of a tab while the URL bar displayed the original domain. *Note: This... |
| CVE-2020-26976 | 2021-01-07 | When a HTTPS pages was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the... |
| CVE-2020-26975 | 2021-01-07 | When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority... |
| CVE-2020-26974 | 2021-01-07 | When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object could have been incorrectly cast to the wrong type. This resulted in a heap user-after-free, memory corruption, and a... |
| CVE-2020-26973 | 2021-01-07 | Certain input to the CSS Sanitizer confused it, resulting in incorrect components being removed. This could have been used as a sanitizer bypass. This vulnerability affects Firefox < 84, Thunderbird... |
| CVE-2020-26972 | 2021-01-07 | The lifecycle of IPC Actors allows managed actors to outlive their manager actors; and the former must ensure that they are not attempting to use a dead actor they have... |
| CVE-2020-26971 | 2021-01-07 | Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. This vulnerability affects Firefox < 84, Thunderbird < 78.6,... |
| CVE-2021-3029 | 2021-01-07 | EVOLUCARE ECSIMAGING (aka ECS Imaging) through 6.21.5 has an OS Command Injection vulnerability via shell metacharacters and an IFS manipulation. The parameter "file" on the webpage /showfile.php can be exploited... |
| CVE-2020-26773 | 2021-01-07 | Restaurant Reservation System 1.0 suffers from an authenticated SQL injection vulnerability, which allows a remote, authenticated attacker to execute arbitrary SQL commands via the date parameter in includes/reservation.inc.php. |
| CVE-2020-28672 | 2021-01-07 | MonoCMS Blog 1.0 is affected by incorrect access control that can lead to remote arbitrary code execution. At monofiles/category.php:27, user input can be saved to category/[foldername]/index.php causing RCE. |