The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2021-3341 | A path traversal vulnerability in the DxWebEngine component of DH2i DxEnterprise and DxOdyssey for Windows, version 19.5 through 20.x before 20.0.219.0, allows an attacker to read any file on the host file system via an HTTP request. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-4524 | IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 182434. | LOW | Jan 29, 2021 | n/a |
CVE-2020-4628 | IBM Cloud Pak for Security (CP4S) 1.3.0.1 and 1.4.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 185369. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2021-22875 | Revive Adserver before 5.1.1 is vulnerable to a reflected XSS vulnerability in stats.php via the `setPerPage` parameter. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-4815 | IBM Cloud Pak for Security (CP4S) 1.4.0.0 could allow a remote user to obtain sensitive information from HTTP response headers that could be used in further attacks against the system. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2021-26307 | An issue was discovered in the raw-cpuid crate before 9.0.0 for Rust. It allows __cpuid_count() calls even if the processor does not support the CPUID instruction, which is unsound and causes a deterministic crash. | LOW | Jan 29, 2021 | 22.03 (VxWorks 7) |
CVE-2021-25123 | The Baseboard Management Controller (BMC) in HPE Cloudline CL5800 Gen9 Server; HPE Cloudline CL5200 Gen9 Server; HPE Cloudline CL4100 Gen10 Server; HPE Cloudline CL3100 Gen10 Server; HPE Cloudline CL5800 Gen10 Server BMC firmware has a local buffer overflow in the spx_restservice addlicense_func function. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2021-21275 | The MediaWiki Report extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of MediaWiki edit tokens. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2021-26306 | An issue was discovered in the raw-cpuid crate before 9.0.0 for Rust. It has unsound transmute calls within as_string() methods. | MEDIUM | Jan 29, 2021 | 22.03 (VxWorks 7) |
CVE-2020-35547 | A library index page in NuPoint Messenger in Mitel MiCollab before 9.2 FP1 could allow an unauthenticated attacker to gain access (view and modify) to user data. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-29536 | Archer before 6.8 P2 (6.8.0.2) is affected by a path exposure vulnerability. A remote authenticated malicious attacker with access to service files may obtain sensitive information to use it in further attacks. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-4949 | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 192025. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-29005 | The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials, allowing for potential information disclosure. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-8585 | OnCommand Unified Manager Core Package versions prior to 5.2.5 may disclose sensitive account information to unauthorized users via the use of PuTTY Link (plink). | LOW | Jan 29, 2021 | n/a |
CVE-2020-29537 | Archer before 6.8 P2 (6.8.0.2) is affected by an open redirect vulnerability. A remote privileged attacker may potentially redirect legitimate users to arbitrary web sites and conduct phishing attacks. The attacker could then steal the victims' credentials and silently authenticate them to the Archer application without the victims realizing an attack occurred. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2021-3176 | The chat window of the Mitel BusinessCTI Enterprise (MBC-E) Client for Windows before 6.4.15 and 7.x before 7.1.2 could allow an attacker to gain access to user information by sending certain code, due to improper input validation of http links. A successful exploit could allow an attacker to view user information and application data. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-36228 | An integer underflow was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the Certificate List Exact Assertion processing, resulting in denial of service. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-28403 | A Cross-Site Request Forgery (CSRF) vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an attacker to change the privileges of any user of the application. This can be used to grant himself administrative role or remove the administrative account of the application. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2021-3337 | The Hide-Thread-Content plugin through 2021-01-27 for MyBB allows remote attackers to bypass intended content-reading restrictions by clicking on reply or quote in the postbit. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-24669 | The New Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a DOM-based Cross-site scripting vulnerability, which allows authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'Analysis Report Description' field in the 'About this Report' section. Remediated in >= 8.3.0.9, >= 9.0.0.1, and >= 9.1.0.0 GA. | LOW | Jan 29, 2021 | n/a |
CVE-2020-4967 | IBM Cloud Pak for Security (CP4S) 1.3.0.1 could disclose sensitive information through HTTP headers which could be used in further attacks against the system. IBM X-Force ID: 192425. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-28406 | An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access details about jobs he should not have access to via the Audit Trail Feature. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-16236 | FPWIN Pro is vulnerable to an out-of-bounds read vulnerability when a user opens a maliciously crafted project file, which may allow an attacker to remotely execute arbitrary code. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2021-3336 | DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an Ed25519, Ed448, ECC, or RSA signature without the corresponding certificate). The client side is affected because man-in-the-middle attackers can impersonate TLS 1.3 servers. | HIGH | Jan 29, 2021 | n/a |
CVE-2019-25016 | In OpenDoas from 6.6 to 6.8 the user's PATH variable was incorrectly inherited by authenticated executions if the authenticating rule allowed the user to execute any command. Rules that only allowed the authenticated user to execute specific commands were not affected by this issue. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2021-26304 | PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to stored XSS via the add-expense.php Item parameter. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-23160 | Remote code execution in Pyrescom Termod4 time management devices before 10.04k allows authenticated remote attackers to execute arbitrary commands as root on the devices. | HIGH | Jan 29, 2021 | n/a |
CVE-2020-36230 | A flaw was discovered in OpenLDAP before 2.4.57 leading to an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-28404 | An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access the Billing page without the appropriate privileges. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-29535 | Archer before 6.8 P4 (6.8.0.4) contains a stored XSS vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. When application users access the corrupted data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. | LOW | Jan 29, 2021 | n/a |
CVE-2020-23014 | APfell 1.4 is vulnerable to authenticated reflected cross-site scripting (XSS) in /apiui/command_ through the payloadtypes_callback function, which allows an attacker to steal a remote admin/user session and/or add new users to the administration panel. | LOW | Jan 29, 2021 | n/a |
CVE-2020-28405 | An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to change the privileges of any user of the application. This can be used to grant himself the administrative role or remove all administrative accounts of the application. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2021-22655 | Multiple out-of-bounds read issues have been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0). | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-17532 | When the handler-router component is enabled in servicecomb-java-chassis, an authenticated user may inject some data and cause arbitrary code execution. The problem affects versions between 2.0.0 ~ 2.1.3 and is fixed in Apache ServiceComb-Java-Chassis 2.1.5. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-4547 | IBM Jazz Foundation products could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 183315. | LOW | Jan 29, 2021 | n/a |
CVE-2020-24666 | The Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a stored Cross-site scripting vulnerability, which allows authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'Display Name' parameter. Remediated in >= 9.1.0.1. | LOW | Jan 29, 2021 | n/a |
CVE-2021-22874 | Revive Adserver before 5.1.1 is vulnerable to a reflected XSS vulnerability in userlog-index.php via the `period_preset` parameter. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2019-25015 | LuCI in OpenWrt 18.06.0 through 18.06.4 allows stored XSS via a crafted SSID. | LOW | Jan 29, 2021 | n/a |
CVE-2021-20586 | Resource management errors vulnerability in a robot controller of MELFA FR Series (controller CR800-*V*D of RV-*FR***-D-* all versions, controller CR800-*HD of RH-*FRH***-D-* all versions, controller CR800-*HRD of RH-*FRHR***-D-* all versions, controller CR800-*V*R with R16RTCPU of RV-*FR***-R-* all versions, controller CR800-*HR with R16RTCPU of RH-*FRH***-R-* all versions, controller CR800-*HRR with R16RTCPU of RH-*FRHR***-R-* all versions, controller CR800-*V*Q with Q172DSRCPU of RV-*FR***-Q-* all versions, controller CR800-*HQ with Q172DSRCPU of RH-*FRH***-Q-* all versions, controller CR800-*HRQ with Q172DSRCPU of RH-*FRHR***-Q-* all versions) and a robot controller of MELFA CR Series (controller CR800-CVD of RV-8CRL-D-* all versions, controller CR800-CHD of RH-*CRH**-D-* all versions) as well as a cooperative robot ASSISTA (controller CR800-05VD of RV-5AS-D-* all versions) allows a remote unauthenticated attacker to cause a DoS of the execution of the robot program and the Ethernet communication by sending a large amount of packets in burst over a short period of time. As a result of DoS, an error may occur. A reset is required to recover it if the error occurs. | HIGH | Jan 29, 2021 | n/a |
CVE-2020-29557 | An issue was discovered on D-Link DIR-825 R1 devices through 3.0.1 before 2020-11-20. A buffer overflow in the web interface allows attackers to achieve pre-authentication remote code execution. | HIGH | Jan 29, 2021 | n/a |
CVE-2020-35844 | FastStone Image Viewer 7.5 has an out-of-bounds write (via a crafted image file) at FSViewer.exe+0xbe9c4. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-29538 | Archer before 6.9 P1 (6.9.0.1) contains an improper access control vulnerability in an API. A remote authenticated malicious administrative user can potentially exploit this vulnerability to gather information about the system, and may use this information in subsequent attacks. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-35843 | FastStone Image Viewer 7.5 has an out-of-bounds write (via a crafted image file) at FSViewer.exe+0x956e. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-35145 | Acronis True Image for Windows prior to 2021 Update 3 allowed local privilege escalation due to a DLL hijacking vulnerability in multiple components, aka an Untrusted Search Path issue. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-4855 | IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190457. | LOW | Jan 29, 2021 | n/a |
CVE-2021-3318 | attach/ajax.php in DzzOffice through 2.02.1 allows XSS via the editorid parameter. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-35754 | OpenSolution Quick.CMS < 6.7 and Quick.Cart < 6.7 allow an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Language tab. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-27288 | An untrusted pointer dereference has been identified in the way TPEditor (v1.98 and prior) processes project files, allowing an attacker to craft a special project file that may permit arbitrary code execution. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-4189 | IBM Security Guardium 11.2 discloses sensitive information in the response headers that could be used in further attacks against the system. IBM X-Force ID: 174850. | MEDIUM | Jan 29, 2021 | n/a |
CVE-2020-29004 | The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack. | MEDIUM | Jan 29, 2021 | n/a |