The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2021-0610 | In memory management driver, there is a possible memory corruption due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05403499; Issue ID: ALPS05411456. | MEDIUM | Oct 1, 2021 |
CVE-2021-0598 | In onCreate of ConfirmConnectActivity.java, there is a possible pairing of untrusted Bluetooth devices due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-11, Android-8.1, Android-9, Android-10. Android ID: A-180422108 | MEDIUM | Oct 8, 2021 |
CVE-2021-0595 | In lockAllProfileTasks of RootWindowContainer.java, there is a possible way to access the work profile without the profile PIN, after logging in. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9, Android-10, Android-11, Android-8.1. Android ID: A-177457096 | MEDIUM | Oct 8, 2021 |
CVE-2020-28119 | Cross site scripting vulnerability in 53KF < 2.0.0.2 that allows for arbitrary code to be executed via a crafted HTML statement inserted into the chat window. | MEDIUM | Oct 8, 2021 |
CVE-2020-24930 | Beijing Wuzhi Internet Technology Co., Ltd. Wuzhi CMS 4.0.1 is an open source content management system. The five fingers CMS backend in***.php file has an arbitrary file deletion vulnerability. Attackers can exploit this vulnerability to delete arbitrary files. | MEDIUM | Oct 6, 2021 |
CVE-2020-21658 | A Cross-Site Request Forgery (CSRF) in WDJA CMS v1.5.2 allows attackers to arbitrarily add administrator accounts via a crafted URL. | MEDIUM | Oct 6, 2021 |
CVE-2020-21654 | emlog v6.0 contains a vulnerability in the component admin\template.php, which allows attackers to getshell via a crafted Zip file. | MEDIUM | Oct 6, 2021 |
CVE-2020-21653 | Myucms v2.2.1 contains a server-side request forgery (SSRF) in the component \controller\index.php, which can be exploited via the sj() method. | MEDIUM | Oct 6, 2021 |
CVE-2020-21650 | Myucms v2.2.1 contains a remote code execution (RCE) vulnerability in the component \controller\Config.php, which can be exploited via the add() method. | MEDIUM | Oct 6, 2021 |
CVE-2020-21649 | Myucms v2.2.1 contains a server-side request forgery (SSRF) in the component \controller\index.php, which can be exploited via the sql() method. | MEDIUM | Oct 6, 2021 |
CVE-2020-21648 | WDJA CMS v1.5.2 contains an arbitrary file deletion vulnerability in the component admin/cache/manage.php. | MEDIUM | Oct 6, 2021 |
CVE-2020-21506 | waimai Super Cms 20150505 contains a cross-site scripting (XSS) vulnerability in the component /admin.php?m=Config&a=add. | MEDIUM | Oct 6, 2021 |
CVE-2020-21505 | waimai Super Cms 20150505 contains a cross-site scripting (XSS) vulnerability in the component /admin.php/Link/addsave. | MEDIUM | Oct 6, 2021 |
CVE-2020-21504 | waimai Super Cms 20150505 contains a cross-site scripting (XSS) vulnerability in the component /admin.php?&m=Public&a=login. | MEDIUM | Oct 6, 2021 |
CVE-2020-21503 | waimai Super Cms 20150505 has a logic flaw allowing attackers to modify a price, before form submission, by observing data in a packet capture. By setting the index.php?m=gift&a=addsave credit parameter to -1, the product is sold for free. | MEDIUM | Oct 6, 2021 |
CVE-2020-21496 | A cross-site scripting (XSS) vulnerability in the component /admin/?setting-base.htm of Xiuno BBS 4.0.4 allows attackers to execute arbitrary web scripts or HTML via the sitebrief parameter. | MEDIUM | Oct 5, 2021 |
CVE-2020-21495 | A cross-site scripting (XSS) vulnerability in the component /admin/?setting-base.htm of Xiuno BBS 4.0.4 allows attackers to execute arbitrary web scripts or HTML via the sitename parameter. | MEDIUM | Oct 5, 2021 |
CVE-2020-21494 | A cross-site scripting (XSS) vulnerability in the component install\install.sql of Xiuno BBS 4.0.4 allows attackers to execute arbitrary web scripts or HTML via changing the doctype value to 0. | MEDIUM | Oct 5, 2021 |
CVE-2020-21493 | An issue in the component route\user.php of Xiuno BBS v4.0.4 allows attackers to enumerate usernames. | MEDIUM | Oct 5, 2021 |
CVE-2020-21431 | HongCMS v3.0 contains an arbitrary file read and write vulnerability in the component /admin/index.php/template/edit. | MEDIUM | Oct 5, 2021 |
CVE-2020-21387 | A cross-site scripting (XSS) vulnerability in the parameter type_en of Maccms 10 allows attackers to obtain the administrator cookie and escalate privileges via a crafted payload. | MEDIUM | Oct 7, 2021 |
CVE-2020-21386 | A Cross-Site Request Forgery (CSRF) in the component admin.php/admin/type/info.html of Maccms 10 allows attackers to gain administrator privileges. | MEDIUM | Oct 7, 2021 |
CVE-2020-21228 | JIZHICMS 1.5.1 contains a cross-site scripting (XSS) vulnerability in the component /user/release.html, which allows attackers to arbitrarily add an administrator cookie. | MEDIUM | Oct 7, 2021 |
CVE-2020-21014 | emlog v6.0.0 contains an arbitrary file deletion vulnerability in admin/plugin.php. | MEDIUM | Oct 8, 2021 |
CVE-2020-21013 | emlog v6.0.0 contains a SQL injection via /admin/comment.php. | MEDIUM | Oct 8, 2021 |
CVE-2020-20746 | A stack-based buffer overflow in the httpd server on Tenda AC9 V15.03.06.60_EN allows remote attackers to execute arbitrary code or cause a denial of service (DoS) via a crafted POST request to /goform/SetStaticRouteCfg. | MEDIUM | Oct 7, 2021 |
CVE-2020-20693 | A Cross-Site Request Forgery (CSRF) in GilaCMS v1.11.4 allows authenticated attackers to arbitrarily add administrator accounts. | MEDIUM | Oct 1, 2021 |
CVE-2020-20692 | GilaCMS v1.11.4 was discovered to contain a SQL injection vulnerability via the $_GET parameter in /src/core/controllers/cm.php. | MEDIUM | Oct 1, 2021 |
CVE-2020-20691 | An issue in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via bypassing the file extension filter and uploading crafted HTML files. | MEDIUM | Oct 8, 2021 |
CVE-2020-20665 | rudp v0.6 was discovered to contain a memory leak in the component main.c. | MEDIUM | Oct 4, 2021 |
CVE-2020-20664 | libiec_iccp_mod v1.5 contains a segmentation violation in the component server_example1.c. | MEDIUM | Oct 4, 2021 |
CVE-2020-20663 | libiec_iccp_mod v1.5 contains a heap-buffer-overflow in the component mms_client_connection.c. | MEDIUM | Oct 4, 2021 |
CVE-2020-20662 | libiec_iccp_mod v1.5 contains a heap-buffer-overflow in the component mms_client_example1.c. | MEDIUM | Oct 4, 2021 |
CVE-2020-20128 | LaraCMS v1.0.1 transmits sensitive information in cleartext which can be intercepted by attackers. | MEDIUM | Oct 3, 2021 |
CVE-2020-20125 | EARCLINK ESPCMS-P8 contains a cross-site scripting (XSS) vulnerability in espcms_web\espcms_load.php. | MEDIUM | Oct 6, 2021 |
CVE-2020-20124 | Wuzhi CMS v4.1.0 contains a remote code execution (RCE) vulnerability in \attachment\admin\index.php. | MEDIUM | Oct 6, 2021 |
CVE-2020-19003 | An issue in Gate One 1.2.0 allows attackers to bypass the verification check done by the origins list and connect to Gate One instances used by hosts not on the origins list. | MEDIUM | Oct 6, 2021 |
CVE-2020-15941 | A path traversal vulnerability [CWE-22] in FortiClientEMS versions 6.4.1 and below; 6.2.8 and below may allow an authenticated attacker to inject directory traversal character sequences to add/delete the files of the server via the name parameter of Deployment Packages. | MEDIUM | Oct 6, 2021 |
CVE-2020-12030 | There is a flaw in the code used to configure the internal gateway firewall when the gateway's VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway. | MEDIUM | Oct 8, 2021 |
CVE-2020-4654 | IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could allow an authenticated user to obtain sensitive information due to improper permission control. IBM X-Force ID: 186090. | MEDIUM | Oct 9, 2021 |
CVE-2021-41617 | sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user. | MEDIUM | Sep 26, 2021 |
CVE-2021-41588 | In Gradle Enterprise before 2021.1.3, a crafted request can trigger deserialization of arbitrary unsafe Java objects. The attacker must have the encryption and signing keys. | MEDIUM | Sep 24, 2021 |
CVE-2021-41587 | In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially discover credentials for other resources. | MEDIUM | Sep 24, 2021 |
CVE-2021-41586 | In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password. | MEDIUM | Sep 24, 2021 |
CVE-2021-41584 | Gradle Enterprise before 2021.1.3 can allow unauthorized viewing of a response (information disclosure of possibly sensitive build/configuration details) via a crafted HTTP request with the X-Gradle-Enterprise-Ajax-Request header. | MEDIUM | Sep 24, 2021 |
CVE-2021-41581 | x509_constraints_parse_mailbox in lib/libcrypto/x509/x509_constraints.c in LibreSSL through 3.4.0 has a stack-based buffer over-read. When the input exceeds DOMAIN_PART_MAX_LEN, the buffer lacks '\0' termination. | MEDIUM | Sep 24, 2021 |
CVE-2021-41531 | NLnet Labs Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length parameter in a ROA. This will lead RTR clients such as routers to reject the RPKI data set, effectively disabling Route Origin Validation. | MEDIUM | Sep 21, 2021 |
CVE-2021-41504 | An Elevated Privileges issue exists in D-Link DCS-5000L v1.05 and DCS-932L v2.17 and older. The use of digest authentication for the device's command interface may allow further attack vectors that may compromise the camera's configuration and allow malicious users on the LAN to access the device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | MEDIUM | Sep 26, 2021 |
CVE-2021-41503 | DCS-5000L v1.05 and DCS-932L v2.17 and older are affected by Incorrect Access Control. The use of basic authentication for the device's command interface allows attack vectors that may compromise the camera's configuration and allow malicious users on the LAN to access the device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | MEDIUM | Sep 26, 2021 |
CVE-2021-41395 | Teleport before 6.2.12 and 7.x before 7.1.1 allows attackers to control a database connection string, in some situations, via a crafted database name or username. | MEDIUM | Sep 20, 2021 |