The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2021-27803 | A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | -- | Feb 27, 2021 |
CVE-2021-27799 | ean_leading_zeroes in backend/upcean.c in Zint Barcode Generator 2.19.1 has a stack-based buffer overflow that is reachable from the C API through an application that includes the Zint Barcode Generator library code. | -- | Feb 27, 2021 |
CVE-2021-27671 | An issue was discovered in the comrak crate before 0.9.1 for Rust. XSS can occur because the protection mechanism for data: and javascript: URIs is case-sensitive, allowing (for example) Data: to be used in an attack. | -- | Feb 25, 2021 |
CVE-2021-27670 | Appspace 6.2.4 allows SSRF via the api/v1/core/proxy/jsonprequest url parameter. | -- | Feb 25, 2021 |
CVE-2021-27645 | The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c. | MEDIUM | Feb 27, 2021 |
CVE-2021-27583 | ** UNSUPPORTED WHEN ASSIGNED ** In Directus 8.x through 8.8.1, an attacker can discover whether a user is present in the database through the password reset feature. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | -- | Feb 23, 2021 |
CVE-2021-27582 | org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth authorization flow, in which HTTP request parameters affect an authorizationRequest. | -- | Feb 23, 2021 |
CVE-2021-27579 | Snow Inventory Agent through 6.7.0 on Windows uses CPUID to report on processor types and versions that may be deployed and in use across an IT environment. A privilege-escalation vulnerability exists if CPUID is enabled, and thus it should be disabled via configuration settings. | MEDIUM | Feb 27, 2021 |
CVE-2021-27568 | An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information. | -- | Feb 23, 2021 |
CVE-2021-27564 | A stored XSS issue exists in Appspace 6.2.4. After a user is authenticated and enters an XSS payload under the groups section of the network tab, it is stored as the group name. Whenever another member visits that group, this payload executes. | LOW | Feb 26, 2021 |
CVE-2021-27559 | The Contact page in Monica 2.19.1 allows stored XSS via the Nickname field. | LOW | Feb 23, 2021 |
CVE-2021-27550 | Polaris Office v9.102.66 is affected by a divide-by-zero error in PolarisOffice.exe and EngineDLL.dll that may cause a local denial of service. To exploit the vulnerability, someone must open a crafted PDF file. | MEDIUM | Feb 26, 2021 |
CVE-2021-27549 | ** DISPUTED ** Genymotion Desktop through 3.2.0 leaks the host\'s clipboard data to the Android application by default. NOTE: the vendor\'s position is that this is intended behavior that can be changed through the Settings > Device screen. | MEDIUM | Feb 26, 2021 |
CVE-2021-27516 | URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\\/ and interprets the URI as a relative path. | MEDIUM | Feb 22, 2021 |
CVE-2021-27515 | url-parse before 1.5.0 mishandles certain uses of backslash such as http:\\/ and interprets the URI as a relative path. | MEDIUM | Feb 22, 2021 |
CVE-2021-27514 | EyesOfNetwork 5.3-10 uses an integer of between 8 and 10 digits for the session ID, which might be leveraged for brute-force authentication bypass (such as in CVE-2021-27513 exploitation). | HIGH | Feb 22, 2021 |
CVE-2021-27513 | The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote authenticated users to upload arbitrary .xml.php files because it relies on le filtre userside. | MEDIUM | Feb 22, 2021 |
CVE-2021-27509 | In Visualware MyConnection Server before 11.0b build 5382, each published report is not associated with its own access code. | -- | Feb 19, 2021 |
CVE-2021-27405 | A ReDoS (regular expression denial of service) flaw was found in the @progfay/scrapbox-parser package before 6.0.3 for Node.js. | MEDIUM | Feb 19, 2021 |
CVE-2021-27404 | Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow injection of a Host HTTP header. | MEDIUM | Feb 19, 2021 |
CVE-2021-27403 | Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow cgi-bin/te_acceso_router.cgi curWebPage XSS. | MEDIUM | Feb 19, 2021 |
CVE-2021-27379 | An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM guest OS users to achieve unintended read/write DMA access, and possibly cause a denial of service (host OS crash) or gain privileges. This occurs because a backport missed a flush, and thus IOMMU updates were not always correct. NOTE: this issue exists because of an incomplete fix for CVE-2020-15565. | MEDIUM | Feb 18, 2021 |
CVE-2021-27378 | An issue was discovered in the rand_core crate before 0.6.2 for Rust. Because read_u32_into and read_u64_into mishandle certain buffer-length checks, a random number generator may be seeded with too little data. | HIGH | Feb 18, 2021 |
CVE-2021-27377 | An issue was discovered in the yottadb crate before 1.2.0 for Rust. For some memory-allocation patterns, ydb_subscript_next_st and ydb_subscript_prev_st have a use-after-free. | HIGH | Feb 18, 2021 |
CVE-2021-27376 | An issue was discovered in the nb-connect crate before 1.0.3 for Rust. It may have invalid memory access for certain versions of the standard library because it relies on a direct cast of std::net::SocketAddrV4 and std::net::SocketAddrV6 data structures. | HIGH | Feb 18, 2021 |
CVE-2021-27375 | Traefik before 2.4.5 allows the loading of IFRAME elements from other domains. | MEDIUM | Feb 19, 2021 |
CVE-2021-27374 | VertiGIS WebOffice 10.7 SP1 before patch20210202 and 10.8 SP1 before patch20210207 allows attackers to achieve Zugriff auf Inhalte der WebOffice Applikation. | MEDIUM | Feb 18, 2021 |
CVE-2021-27371 | The Contact page in Monica 2.19.1 allows stored XSS via the Description field. | LOW | Feb 23, 2021 |
CVE-2021-27370 | The Contact page in Monica 2.19.1 allows stored XSS via the Last Name field. | LOW | Feb 25, 2021 |
CVE-2021-27369 | The Contact page in Monica 2.19.1 allows stored XSS via the Middle Name field. | LOW | Feb 23, 2021 |
CVE-2021-27368 | The Contact page in Monica 2.19.1 allows stored XSS via the First Name field. | LOW | Feb 23, 2021 |
CVE-2021-27367 | Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal. | MEDIUM | Feb 18, 2021 |
CVE-2021-27362 | The WPG plugin before 3.1.0.0 for IrfanView 4.57 has a Read Access Violation on Control Flow starting at WPG!ReadWPG_W+0x0000000000000133, which might allow remote attackers to execute arbitrary code. | HIGH | Feb 17, 2021 |
CVE-2021-27351 | The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session. | MEDIUM | Feb 19, 2021 |
CVE-2021-27335 | KollectApps before 4.8.16c is affected by insecure Java deserialization, leading to Remote Code Execution via a ysoserial.payloads.CommonsCollections parameter. | HIGH | Feb 18, 2021 |
CVE-2021-27330 | Triconsole Datepicker Calendar <3.77 is affected by cross-site scripting (XSS) in calendar_form.php. Attackers can read authentication cookies that are still active, which can be used to perform further attacks such as reading browser history, directory listings, and file contents. | -- | Feb 26, 2021 |
CVE-2021-27329 | Friendica 2021.01 allows SSRF via parse_url?binurl= for DNS lookups or HTTP requests to arbitrary domain names. | HIGH | Feb 18, 2021 |
CVE-2021-27328 | Yeastar NeoGate TG400 91.3.0.3 devices are affected by Directory Traversal. An authenticated user can decrypt firmware and can read sensitive information, such as a password or decryption key. | MEDIUM | Feb 19, 2021 |
CVE-2021-27279 | MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode). | LOW | Feb 26, 2021 |
CVE-2021-27237 | The admin panel in BlackCat CMS 1.3.6 allows stored XSS (by an admin) via the Display Name field to backend/preferences/ajax_save.php. | LOW | Feb 17, 2021 |
CVE-2021-27236 | An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. getfile.asp allows Unauthenticated Local File Inclusion, which can be leveraged to achieve Remote Code Execution. | HIGH | Feb 16, 2021 |
CVE-2021-27235 | An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. On the admin portal of the web application, there is a functionality at diagzip.asp that allows anyone to export tables of a database. | MEDIUM | Feb 16, 2021 |
CVE-2021-27234 | An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. The web application suffers from SQL injection on Adminlog.asp, Archivemsgs.asp, Deletelog.asp, Eventlog.asp, and Evmlog.asp. | HIGH | Feb 16, 2021 |
CVE-2021-27233 | An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. On the admin portal of the web application, password information for external systems is visible in cleartext. The Settings.asp page is affected by this issue. | MEDIUM | Feb 16, 2021 |
CVE-2021-27232 | The RTSPLive555.dll ActiveX control in Pelco Digital Sentry Server 7.18.72.11464 has a SetCameraConnectionParameter stack-based buffer overflow. This can be exploited by a remote attacker to potentially execute arbitrary attacker-supplied code. The victim would have to visit a malicious webpage using Internet Explorer where the exploit could be triggered. | MEDIUM | Feb 16, 2021 |
CVE-2021-27231 | Hestia Control Panel through 1.3.3, in a shared-hosting environment, sometimes allows remote authenticated users to create a subdomain for a different customer\'s domain name, leading to spoofing of services or email messages. | MEDIUM | Feb 16, 2021 |
CVE-2021-27229 | Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text. | MEDIUM | Feb 18, 2021 |
CVE-2021-27228 | An issue was discovered in Shinobi through ocean version 1. lib/auth.js has Incorrect Access Control. Valid API Keys are held in an internal JS Object. Therefore an attacker can use JS Proto Method names (such as constructor or hasOwnProperty) to convince the System that the supplied API Key exists in the underlying JS object, and consequently achieve complete access to User/Admin/Super API functions, as demonstrated by a /super/constructor/accounts/list URI. | HIGH | Feb 26, 2021 |
CVE-2021-27224 | The WPG plugin before 3.1.0.0 for IrfanView 4.57 has a user-mode write access violation starting at WPG+0x0000000000012ec6, which might allow remote attackers to execute arbitrary code. | MEDIUM | Feb 17, 2021 |
CVE-2021-27219 | An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption. | MEDIUM | Feb 16, 2021 |