CVE List - 2021 / April
Showing 1801 - 1817 of 1817 CVEs for April 2021 (Page 19 of 19)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-31933 | 2021-04-30 | A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g.,... |
| CVE-2021-21539 | 2021-04-30 | Dell EMC iDRAC9 versions prior to 4.40.00.00 contain a Time-of-check Time-of-use (TOCTOU) race condition vulnerability. A remote authenticated attacker could potentially exploit this vulnerability to gain elevated privileges when a... |
| CVE-2021-21540 | 2021-04-30 | Dell EMC iDRAC9 versions prior to 4.40.00.00 contain a stack-based overflow vulnerability. A remote authenticated attacker could potentially exploit this vulnerability to overwrite configuration information by injecting arbitrarily large payload. |
| CVE-2021-21541 | 2021-04-30 | Dell EMC iDRAC9 versions prior to 4.40.00.00 contain a DOM-based cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply... |
| CVE-2021-21542 | 2021-04-30 | Dell EMC iDRAC9 versions prior to 4.40.10.00 contain multiple stored cross-site scripting vulnerabilities. A remote authenticated malicious user with high privileges could potentially exploit these vulnerabilities to store malicious HTML... |
| CVE-2021-21543 | 2021-04-30 | Dell EMC iDRAC9 versions prior to 4.40.00.00 contain multiple stored cross-site scripting vulnerabilities. A remote authenticated malicious user with high privileges could potentially exploit these vulnerabilities to store malicious HTML... |
| CVE-2021-21544 | 2021-04-30 | Dell EMC iDRAC9 versions prior to 4.40.00.00 contain an improper authentication vulnerability. A remote authenticated malicious user with high privileges could potentially exploit this vulnerability to manipulate the username field... |
| CVE-2020-28943 | 2021-04-30 | OX App Suite 7.10.4 and earlier allows SSRF via a snippet. |
| CVE-2020-28944 | 2021-04-30 | OX Guard 2.10.4 and earlier allows a Denial of Service via a WKS server that responds slowly or with a large amount of data. |
| CVE-2021-21507 | 2021-04-30 | Dell EMC Networking X-Series firmware versions prior to 3.0.1.8 and Dell EMC PowerEdge VRTX Switch Module firmware versions prior to 2.0.0.82 contain a Weak Password Encryption Vulnerability. A remote unauthenticated... |
| CVE-2021-21530 | 2021-04-30 | Dell OpenManage Enterprise-Modular (OME-M) versions prior to 1.30.00 contain a security bypass vulnerability. An authenticated malicious user with low privileges may potentially exploit the vulnerability to escape from the restricted... |
| CVE-2021-21531 | 2021-04-30 | Dell Unisphere for PowerMax versions prior to 9.2.1.6 contain an Authorization Bypass Vulnerability. A local authenticated malicious user with monitor role may exploit this vulnerability to perform unauthorized actions. |
| CVE-2021-21547 | 2021-04-30 | Dell EMC Unity, UnityVSA, and Unity XT versions prior to 5.0.7.0.5.008 contain a plain-text password storage vulnerability when the Dell Upgrade Readiness Utility is run on the system. The credentials... |
| CVE-2021-31935 | 2021-04-30 | OX App Suite 7.10.4 and earlier allows XSS via a crafted distribution list (payload in the common name) that is mishandled in the scheduling view. |
| CVE-2021-31934 | 2021-04-30 | OX App Suite 7.10.4 and earlier allows XSS via a crafted contact object (payload in the position or company field) that is mishandled in the App Suite UI on a... |
| CVE-2021-31792 | 2021-04-30 | XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field |
| CVE-2021-28359 | 2021-05-02 | Apache Airflow Reflected XSS via Origin Query Argument in URL |
| CVE-2021-31996 | 2021-05-03 | An issue was discovered in the algorithmica crate through 2021-03-07 for Rust. There is a double free in merge_sort::merge(). |
| CVE-2021-25631 | 2021-05-03 | denylist of executable filename extensions possible to bypass under windows |
| CVE-2021-29369 | 2021-05-03 | The gnuplot package prior to version 0.1.0 for Node.js allows code execution via shell metacharacters in Gnuplot commands. |
| CVE-2021-28860 | 2021-05-03 | In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. The polluted attribute will be directly... |
| CVE-2021-29241 | 2021-05-03 | CODESYS Gateway 3 before 3.5.16.70 has a NULL pointer dereference that may result in a denial of service (DoS). |
| CVE-2021-29238 | 2021-05-03 | CODESYS Automation Server before 1.16.0 allows cross-site request forgery (CSRF). |
| CVE-2021-29239 | 2021-05-03 | CODESYS Development System 3 before 3.5.17.0 displays or executes malicious documents or files embedded in libraries without first checking their validity. |
| CVE-2021-29242 | 2021-05-03 | CODESYS Control Runtime system before 3.5.17.0 has improper input validation. Attackers can send crafted communication packets to change the router's addressing scheme and may re-route, add, remove or change low... |
| CVE-2020-20247 | 2021-05-03 | Mikrotik RouterOs before 6.46.5 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/traceroute process. An authenticated remote attacker can cause a Denial of Service via the loop... |
| CVE-2020-20218 | 2021-05-03 | Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/traceroute process. An authenticated remote attacker can cause a Denial of Service via the loop counter... |
| CVE-2021-21264 | 2021-05-03 | Bypass of fix for CVE-2020-26231, Twig sandbox escape |
| CVE-2020-28945 | 2021-05-03 | OX App Suite 7.10.4 and earlier allows XSS via crafted content to reach an undocumented feature, such as  |
| CVE-2021-23383 | 2021-05-04 | Prototype Pollution |
| CVE-2021-29240 | 2021-05-04 | The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content. |
| CVE-2021-3154 | 2021-05-04 | An issue was discovered in SolarWinds Serv-U before 15.2.2. Unauthenticated attackers can retrieve cleartext passwords via macro Injection. NOTE: this had a distinct fix relative to CVE-2020-35481. |
| CVE-2021-22547 | 2021-05-04 | Buffer overrun in Google Cloud IoT Device SDK for Embedded C |
| CVE-2020-27518 | 2021-05-04 | All versions of Windscribe VPN for Mac and Windows <= v2.02.10 contain a local privilege escalation vulnerability in the WindscribeService component. A low privilege user could leverage several openvpn options... |
| CVE-2021-29477 | 2021-05-04 | Vulnerability in the STRALGO LCS command |
| CVE-2021-21551 | 2021-05-04 | Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required. |
| CVE-2020-21999 | 2021-05-04 | iWT Ltd FaceSentry Access Control System 6.4.8 suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as... |
| CVE-2020-4987 | 2021-05-04 | The IBM FlashSystem 900 user management GUI is vulnerable to stored cross-site scripting in code versions 1.5.2.8 and prior and 1.6.1.2 and prior. This vulnerability allows users to embed arbitrary... |
| CVE-2021-29478 | 2021-05-04 | Vulnerability in the COPY command for large intsets |
| CVE-2021-26804 | 2021-05-04 | Insecure Permissions in Centreon Web versions 19.10.18, 20.04.8, and 20.10.2 allows remote attackers to bypass validation by changing any file extension to ".gif", then uploading it in the "Administration/ Parameters/... |
| CVE-2021-31542 | 2021-05-05 | In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names. |
| CVE-2021-25179 | 2021-05-05 | SolarWinds Serv-U before 15.2 is affected by Cross Site Scripting (XSS) via the HTTP Host header. |
| CVE-2020-22428 | 2021-05-05 | SolarWinds Serv-U before 15.1.6 Hotfix 3 is affected by Cross Site Scripting (XSS) via a directory name (entered by an admin) containing a JavaScript payload. |
| CVE-2020-36334 | 2021-05-05 | themegrill-demo-importer before 1.6.3 allows CSRF, as demonstrated by wiping the database. |
| CVE-2020-36333 | 2021-05-05 | themegrill-demo-importer before 1.6.2 does not require authentication for wiping the database, because of a reset_wizard_actions hook. |
| CVE-2021-25319 | 2021-05-05 | virtualbox: missing sticky bit for /etc/vbox allows local root exploit for members of vboxusers group |
| CVE-2021-25317 | 2021-05-05 | cups: ownership of /var/log/cups allows the lp user to create files as root |
| CVE-2021-31800 | 2021-05-05 | Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory... |
| CVE-2021-29245 | 2021-05-05 | BTCPay Server through 1.0.7.0 uses a weak method Next to produce pseudo-random values to generate a legacy API key. |
| CVE-2021-29246 | 2021-05-05 | BTCPay Server through 1.0.7.0 suffers from directory traversal, which allows an attacker with admin privileges to achieve code execution. The attacker must craft a malicious plugin file with special characters... |
| CVE-2021-29247 | 2021-05-05 | BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the HTTPOnly flag for a cookie. |
| CVE-2021-29248 | 2021-05-05 | BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the Secure flag for a cookie. |
| CVE-2021-29250 | 2021-05-05 | BTCPay Server through 1.0.7.0 suffers from a Stored Cross Site Scripting (XSS) vulnerability within the POS Add Products functionality. This enables cookie stealing. |
| CVE-2021-20254 | 2021-05-05 | A flaw was found in samba. The Samba smbd file server must map Windows group identities (SIDs) into unix group ids (gids). The code that performs this had a flaw... |
| CVE-2016-20010 | 2021-05-05 | EWWW Image Optimizer before 2.8.5 allows remote command execution because it relies on a protection mechanism involving boolval, which is unavailable before PHP 5.5. |
| CVE-2020-13666 | 2021-05-05 | Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to... |
| CVE-2020-13665 | 2021-05-05 | Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue... |
| CVE-2020-13662 | 2021-05-05 | Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects:... |
| CVE-2020-13664 | 2021-05-05 | Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named... |
| CVE-2021-31517 | 2021-05-05 | Trend Micro Home Network Security 6.5.599 and earlier is vulnerable to a file-parsing vulnerability which could allow an attacker to exploit the vulnerability and cause a denial-of-service to the device.... |
| CVE-2021-31518 | 2021-05-05 | Trend Micro Home Network Security 6.5.599 and earlier is vulnerable to a file-parsing vulnerability which could allow an attacker to exploit the vulnerability and cause a denial-of-service to the device.... |
| CVE-2021-32055 | 2021-05-05 | Mutt 1.11.0 through 2.0.x before 2.0.7 (and NeoMutt 2019-10-25 through 2021-05-04) has a $imap_qresync issue in which imap/util.c has an out-of-bounds read in situations where an IMAP sequence set ends... |
| CVE-2021-29100 | 2021-05-05 | ArcGIS Earth has a File Parsing Directory Traversal Vulnerability |
| CVE-2021-29489 | 2021-05-05 | Options structure open to XSS if passed unfiltered |
| CVE-2020-4883 | 2021-05-05 | IBM QRadar SIEM 7.3 and 7.4 could disclose sensitive information about other domains which could be used in further attacks against the system. IBM X-Force ID: 190907. |
| CVE-2020-4929 | 2021-05-05 | IBM QRadar SIEM 7.3 and 7.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially... |
| CVE-2020-4932 | 2021-05-05 | IBM QRadar SIEM 7.3 and 7.4 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or... |
| CVE-2020-4979 | 2021-05-05 | IBM QRadar SIEM 7.3 and 7.4 is vulnerable to insecure inter-deployment communication. An attacker that is able to compromise or spoof traffic between hosts may be able to execute arbitrary... |
| CVE-2020-4993 | 2021-05-05 | IBM QRadar SIEM 7.3 and 7.4 when decompressing or verifying signature of zip files processes data in a way that may be vulnerable to path traversal attacks. IBM X-Force ID:... |
| CVE-2020-5013 | 2021-05-05 | IBM QRadar SIEM 7.3 and 7.4 may be vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive... |
| CVE-2021-20397 | 2021-05-05 | IBM QRadar SIEM 7.3 and 7.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially... |
| CVE-2021-20401 | 2021-05-05 | IBM QRadar SIEM 7.3 and 7.4 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or... |
| CVE-2021-31411 | 2021-05-05 | Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19 |
| CVE-2021-29101 | 2021-05-05 | ArcGIS GeoEvent Server has a Directory Traversal security vulnerability. |
| CVE-2021-29490 | 2021-05-05 | Unauthenticated GET requests through Remote Image endpoints |
| CVE-2021-24255 | 2021-05-05 | Essential Addons for Elementor < 4.5.4 - Contributor+ Stored Cross-Site Scripting (XSS) |
| CVE-2021-24256 | 2021-05-05 | Elementor - Header, Footer & Blocks Template < 1.5.8 - Contributor+ Stored XSS |
| CVE-2021-24257 | 2021-05-05 | Premium Addons for Elementor < 4.2.8 - Contributor+ Stored Cross-Site Scripting (XSS) |
| CVE-2021-24258 | 2021-05-05 | ElementsKit and ElementsKit Pro < 2.2.0 - Contributor+ Stored XSS |
| CVE-2021-24259 | 2021-05-05 | Elementor Addon Elements < 1.11.2 - Contributor+ Stored XSS |
| CVE-2021-24260 | 2021-05-05 | Livemesh Addons for Elementor < 6.8 - Contributor+ Stored XSS |
| CVE-2021-24261 | 2021-05-05 | HT Mega - Absolute Addons for Elementor Page Builder < 1.5.7 - Contributor+ Stored XSS |
| CVE-2021-24262 | 2021-05-05 | WooLentor - WooCommerce Elementor Addons + Builder < 1.8.6 - Contributor+ Stored XSS |
| CVE-2021-24263 | 2021-05-05 | PowerPack Addons for Elementor < 2.3.2 - Contributor+ Stored XSS |
| CVE-2021-24264 | 2021-05-05 | Image Hover Effects - Elementor Addon < 1.3.4 - Contributor+ Stored XSS |
| CVE-2021-24265 | 2021-05-05 | Rife Elementor Extensions & Templates < 1.1.6 - Contributor+ Stored XSS |
| CVE-2021-24266 | 2021-05-05 | The Plus Addons for Elementor Page Builder Lite < 2.0.6 - Contributor+ Stored XSS |
| CVE-2021-24267 | 2021-05-05 | All-in-One Addons for Elementor - WidgetKit < 2.3.10 - Contributor+ Stored XSS |
| CVE-2021-24268 | 2021-05-05 | JetWidgets For Elementor < 1.0.9 - Contributor+ Stored XSS |
| CVE-2021-24269 | 2021-05-05 | Sina Extension for Elementor < 3.3.12 - Contributor+ Stored XSS |
| CVE-2021-24270 | 2021-05-05 | DethemeKit For Elementor < 1.5.5.5 - Contributor+ Stored XSS |