CVE list - 2021 / February
Showing 1401 - 1455 of 1455 CVEs for February 2021 (Page 15 of 15)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-22661 | 2021-02-26 | Changing the password on the module webpage does not require the user to type in the current password first. Thus, the password could be changed by a user or external... |
| CVE-2020-28646 | 2021-02-26 | ownCloud owncloud/client before 2.7 allows DLL Injection. The desktop client loaded development plugins from certain directories when they were present. |
| CVE-2020-28199 | 2021-02-26 | best it Amazon Pay Plugin before 9.4.2 for Shopware exposes Sensitive Information to an Unauthorized Actor. |
| CVE-2019-11684 | 2021-02-26 | Improper Access Control in Bosch Video Recording Manager |
| CVE-2020-24686 | 2021-02-26 | AC500 V2 webserver denial of service vulnerability |
| CVE-2021-23978 | 2021-02-26 | Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort... |
| CVE-2021-23979 | 2021-02-26 | Mozilla developers reported memory safety bugs present in Firefox 85. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could... |
| CVE-2021-23965 | 2021-02-26 | Mozilla developers reported memory safety bugs present in Firefox 84. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could... |
| CVE-2021-23964 | 2021-02-26 | Mozilla developers reported memory safety bugs present in Firefox 84 and Firefox ESR 78.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort... |
| CVE-2021-21297 | 2021-02-26 | Prototype Pollution in Node-Red |
| CVE-2021-21298 | 2021-02-26 | Path traversal in Node-Red |
| CVE-2021-23345 | 2021-02-26 | Server-side Request Forgery (SSRF) |
| CVE-2021-21274 | 2021-02-26 | Denial of service attack via .well-known lookups |
| CVE-2021-21273 | 2021-02-26 | Open redirects on some federation and push requests |
| CVE-2021-21302 | 2021-02-26 | CSV Injection via csv export |
| CVE-2021-21308 | 2021-02-26 | Improper session management for soft logout |
| CVE-2021-0406 | 2021-02-26 | In cameraisp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User... |
| CVE-2021-0405 | 2021-02-26 | In performance driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed.... |
| CVE-2021-0404 | 2021-02-26 | In mobile_log_d, there is a possible information disclosure due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed... |
| CVE-2021-0403 | 2021-02-26 | In netdiag, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with System execution privileges needed. User interaction is not... |
| CVE-2021-0402 | 2021-02-26 | In jpeg, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction... |
| CVE-2021-0401 | 2021-02-26 | In vow, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed... |
| CVE-2021-0367 | 2021-02-26 | In vpu, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not... |
| CVE-2021-0366 | 2021-02-26 | In vpu, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not... |
| CVE-2021-27799 | 2021-02-26 | ean_leading_zeroes in backend/upcean.c in Zint Barcode Generator 2.9.1 has a stack-based buffer overflow that is reachable from the C API through an application that includes the Zint Barcode Generator library... |
| CVE-2021-26560 | 2021-02-26 | Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session. |
| CVE-2021-26561 | 2021-02-26 | Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header. |
| CVE-2021-26562 | 2021-02-26 | Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header. |
| CVE-2021-26563 | 2021-02-26 | Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors. |
| CVE-2021-26564 | 2021-02-26 | Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session. |
| CVE-2021-26565 | 2021-02-26 | Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session. |
| CVE-2021-26566 | 2021-02-26 | Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic. |
| CVE-2021-26567 | 2021-02-26 | Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allows local attackers to execute arbitrary code via filename and pathname options. |
| CVE-2021-21309 | 2021-02-26 | Integer overflow on 32-bit systems |
| CVE-2020-27223 | 2021-02-26 | In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server... |
| CVE-2021-27803 | 2021-02-26 | A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution... |
| CVE-2020-36079 | 2021-02-26 | Zenphoto through 1.5.7 is affected by authenticated arbitrary file upload, leading to remote code execution. The attacker must navigate to the uploader plugin, check the elFinder box, and then drag... |
| CVE-2021-27198 | 2021-02-26 | An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This... |
| CVE-2020-28243 | 2021-02-27 | An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by... |
| CVE-2020-28972 | 2021-02-27 | In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS certificate. |
| CVE-2020-35662 | 2021-02-27 | In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated. |
| CVE-2021-25281 | 2021-02-27 | An issue was discovered in SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on... |
| CVE-2021-25282 | 2021-02-27 | An issue was discovered in SaltStack Salt before 3002.5. The salt.wheel.pillar_roots.write method is vulnerable to directory traversal. |
| CVE-2021-25283 | 2021-02-27 | An issue was discovered in SaltStack Salt before 3002.5. The jinja renderer does not protect against server side template injection attacks. |
| CVE-2021-25284 | 2021-02-27 | An issue was discovered in SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level. |
| CVE-2021-3144 | 2021-02-27 | In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.) |
| CVE-2021-3148 | 2021-02-27 | An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus... |
| CVE-2021-3197 | 2021-02-27 | An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in... |
| CVE-2021-3151 | 2021-02-27 | i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__MONITORING__CONFIG__ADDRESS,... |
| CVE-2019-25022 | 2021-02-27 | An issue was discovered in Scytl sVote 2.1. An attacker can inject code that gets executed by creating an election-event and injecting a payload over an event alias, because the... |
| CVE-2019-25023 | 2021-02-27 | An issue was discovered in Scytl sVote 2.1. Because the IP address from an X-Forwarded-For header (which can be manipulated client-side) is used for the internal application logs, an attacker... |
| CVE-2019-25021 | 2021-02-27 | An issue was discovered in Scytl sVote 2.1. Due to the implementation of the database manager, an attacker can access the OrientDB by providing admin as the admin password. A... |
| CVE-2019-25020 | 2021-02-27 | An issue was discovered in Scytl sVote 2.1. Because the sdm-ws-rest API does not require authentication, an attacker can retrieve the administrative configuration by sending a POST request to the... |
| CVE-2021-27132 | 2021-02-27 | SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header. |
| CVE-2021-27225 | 2021-03-01 | In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not... |
| CVE-2021-25122 | 2021-03-01 | Apache Tomcat h2c request mix-up |
| CVE-2021-25329 | 2021-03-01 | Incomplete fix for CVE-2020-9484 |
| CVE-2021-25829 | 2021-03-01 | An improper binary stream data handling issue was found in the [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. Using this bug, an attacker is able to produce a denial of service... |
| CVE-2021-25830 | 2021-03-01 | A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13. An attacker must request the conversion of the crafted file from DOCT into DOCX format. Using... |
| CVE-2021-25831 | 2021-03-01 | A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. An attacker must request the conversion of the crafted file from PPTT into PPTX format. Using... |
| CVE-2021-25832 | 2021-03-01 | A heap buffer overflow vulnerability inside of BMP image processing was found at [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v6.0.0. Using this vulnerability, an attacker is able to gain remote code... |
| CVE-2021-25833 | 2021-03-01 | A file extension handling issue was found in [server] module of ONLYOFFICE DocumentServer v4.2.0.71-v5.6.0.21. The file extension is controlled by an attacker through the request data and leads to arbitrary... |
| CVE-2020-9479 | 2021-03-01 | unzip directory traversal |
| CVE-2020-7929 | 2021-03-01 | Specially crafted regex query can cause DoS |
| CVE-2018-25004 | 2021-03-01 | Invariant failure when explaining a find with a UUID |
| CVE-2020-36240 | 2021-03-01 | The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect... |
| CVE-2021-25914 | 2021-03-01 | Prototype pollution vulnerability in 'object-collider' versions 1.0.0 through 1.0.3 allows attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-22114 | 2021-03-01 | Addresses partial fix in CVE-2018-1263. Spring-integration-zip, versions prior to 1.0.4, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as... |
| CVE-2021-27318 | 2021-03-01 | Cross Site Scripting (XSS) vulnerability in contactus.php in Doctor Appointment System 1.0 allows remote attackers to inject arbitrary web script or HTML via the lastname parameter. |
| CVE-2021-27317 | 2021-03-01 | Cross Site Scripting (XSS) vulnerability in contactus.php in Doctor Appointment System 1.0 allows remote attackers to inject arbitrary web script or HTML via the comment parameter. |
| CVE-2021-3332 | 2021-03-01 | WPS Hide Login 1.6.1 allows remote attackers to bypass a protection mechanism via post_password. |
| CVE-2021-21515 | 2021-03-01 | Dell EMC SourceOne, versions 7.2SP10 and prior, contain a Stored Cross-Site Scripting vulnerability. A remote low privileged attacker may potentially exploit this vulnerability, to hijack user sessions or to trick... |
| CVE-2021-21517 | 2021-03-01 | SRS Policy Manager 6.X is affected by an XML External Entity Injection (XXE) vulnerability due to a misconfigured XML parser that processes user-supplied DTD input without sufficient validation. A remote... |
| CVE-2021-26702 | 2021-03-01 | EPrints 3.4.2 exposes a reflected XSS opportunity in the dataset parameter to the cgi/dataset_dictionary URI. |
| CVE-2021-26476 | 2021-03-01 | EPrints 3.4.2 allows remote attackers to execute OS commands via crafted LaTeX input to a cgi/cal?year= URI. |
| CVE-2021-26475 | 2021-03-01 | EPrints 3.4.2 exposes a reflected XSS opportunity via a cgi/cal URI. |
| CVE-2021-3342 | 2021-03-01 | EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted LaTeX input to a cgi/latex2png?latex= URI. |
| CVE-2021-26703 | 2021-03-01 | EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted JSON/XML input to a cgi/ajax/phrase URI. |
| CVE-2021-26704 | 2021-03-01 | EPrints 3.4.2 allows remote attackers to execute arbitrary commands via crafted input to the verb parameter in a cgi/toolbox/toolbox URI. |
| CVE-2021-27876 | 2021-03-01 | An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication.... |
| CVE-2021-27878 | 2021-03-01 | An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication.... |
| CVE-2021-27877 | 2021-03-01 | An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current... |
| CVE-2021-27884 | 2021-03-01 | Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used. |
| CVE-2021-27886 | 2021-03-01 | rakibtg Docker Dashboard before 2021-02-28 allows command injection in backend/utilities/terminal.js via shell metacharacters in the command parameter of an API request. NOTE: this is NOT a Docker, Inc. product. |
| CVE-2021-27888 | 2021-03-02 | ZendTo before 6.06-4 Beta allows XSS during the display of a drop-off in which a filename has unexpected characters. |
| CVE-2021-27804 | 2021-03-02 | JPEG XL (aka jpeg-xl) through 0.3.2 allows writable memory corruption. |
| CVE-2021-25306 | 2021-03-02 | A buffer overflow vulnerability in the AT command interface of Gigaset DX600A v41.00-175 devices allows remote attackers to force a device reboot by sending relatively long AT commands. |
| CVE-2021-25309 | 2021-03-02 | The telnet administrator service running on port 650 on Gigaset DX600A v41.00-175 devices does not implement any lockout or throttling functionality. This situation (together with the weak password policy that... |
| CVE-2021-27731 | 2021-03-02 | Accellion FTA 9_12_432 and earlier is affected by stored XSS via a crafted POST request to a user endpoint. The fixed version is FTA_9_12_444 and later. |
| CVE-2021-27730 | 2021-03-02 | Accellion FTA 9_12_432 and earlier is affected by argument injection via a crafted POST request to an admin endpoint. The fixed version is FTA_9_12_444 and later. |
| CVE-2021-21320 | 2021-03-02 | User content sandbox can be confused into opening arbitrary documents |
| CVE-2021-21322 | 2021-03-02 | Prefix escape |
| CVE-2021-21321 | 2021-03-02 | Prefix escape |
| CVE-2021-27901 | 2021-03-02 | An issue was discovered on LG mobile devices with Android OS 11 software. They mishandle fingerprint recognition because local high beam mode (LHBM) does not function properly during bright illumination.... |
| CVE-2021-27904 | 2021-03-02 | An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors. |
| CVE-2020-1936 | 2021-03-02 | Stored XSS in Apache Ambari |
| CVE-2020-25902 | 2021-03-02 | Blackboard Collaborate Ultra 20.02 is affected by a cross-site scripting (XSS) vulnerability. The XSS payload will execute on the class room, which leads to stealing cookies from users who join... |
| CVE-2021-21513 | 2021-03-02 | Dell EMC OpenManage Server Administrator (OMSA) version 9.5 Microsoft Windows installations with Distributed Web Server (DWS) enabled configuration contains an authentication bypass vulnerability. A remote unauthenticated attacker could potentially exploit... |
| CVE-2021-21514 | 2021-03-02 | Dell EMC OpenManage Server Administrator (OMSA) versions 9.5 and prior contain a path traversal vulnerability. A remote user with admin privileges could potentially exploit this vulnerability to view arbitrary files... |
| CVE-2020-23518 | 2021-03-02 | Cross Site Scripting (XSS) vulnerability in UltimateKode Neo Billing - Accounting, Invoicing And CRM Software up to version 3.5 which allows remote attackers to inject arbitrary web script or HTML. |