Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

of 123975 entries
IDDescriptionPriorityModified date
CVE-2021-27803 A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. -- Feb 27, 2021
CVE-2021-27799 ean_leading_zeroes in backend/upcean.c in Zint Barcode Generator 2.19.1 has a stack-based buffer overflow that is reachable from the C API through an application that includes the Zint Barcode Generator library code. -- Feb 27, 2021
CVE-2021-27671 An issue was discovered in the comrak crate before 0.9.1 for Rust. XSS can occur because the protection mechanism for data: and javascript: URIs is case-sensitive, allowing (for example) Data: to be used in an attack. -- Feb 25, 2021
CVE-2021-27670 Appspace 6.2.4 allows SSRF via the api/v1/core/proxy/jsonprequest url parameter. -- Feb 25, 2021
CVE-2021-27645 The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c. MEDIUM Feb 27, 2021
CVE-2021-27583 ** UNSUPPORTED WHEN ASSIGNED ** In Directus 8.x through 8.8.1, an attacker can discover whether a user is present in the database through the password reset feature. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. -- Feb 23, 2021
CVE-2021-27582 org/mitre/oauth2/web/ in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth authorization flow, in which HTTP request parameters affect an authorizationRequest. -- Feb 23, 2021
CVE-2021-27579 Snow Inventory Agent through 6.7.0 on Windows uses CPUID to report on processor types and versions that may be deployed and in use across an IT environment. A privilege-escalation vulnerability exists if CPUID is enabled, and thus it should be disabled via configuration settings. MEDIUM Feb 27, 2021
CVE-2021-27568 An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information. -- Feb 23, 2021
CVE-2021-27564 A stored XSS issue exists in Appspace 6.2.4. After a user is authenticated and enters an XSS payload under the groups section of the network tab, it is stored as the group name. Whenever another member visits that group, this payload executes. LOW Feb 26, 2021
CVE-2021-27559 The Contact page in Monica 2.19.1 allows stored XSS via the Nickname field. LOW Feb 23, 2021
CVE-2021-27550 Polaris Office v9.102.66 is affected by a divide-by-zero error in PolarisOffice.exe and EngineDLL.dll that may cause a local denial of service. To exploit the vulnerability, someone must open a crafted PDF file. MEDIUM Feb 26, 2021
CVE-2021-27549 ** DISPUTED ** Genymotion Desktop through 3.2.0 leaks the host\'s clipboard data to the Android application by default. NOTE: the vendor\'s position is that this is intended behavior that can be changed through the Settings > Device screen. MEDIUM Feb 26, 2021
CVE-2021-27516 URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\\/ and interprets the URI as a relative path. MEDIUM Feb 22, 2021
CVE-2021-27515 url-parse before 1.5.0 mishandles certain uses of backslash such as http:\\/ and interprets the URI as a relative path. MEDIUM Feb 22, 2021
CVE-2021-27514 EyesOfNetwork 5.3-10 uses an integer of between 8 and 10 digits for the session ID, which might be leveraged for brute-force authentication bypass (such as in CVE-2021-27513 exploitation). HIGH Feb 22, 2021
CVE-2021-27513 The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote authenticated users to upload arbitrary .xml.php files because it relies on le filtre userside. MEDIUM Feb 22, 2021
CVE-2021-27509 In Visualware MyConnection Server before 11.0b build 5382, each published report is not associated with its own access code. -- Feb 19, 2021
CVE-2021-27405 A ReDoS (regular expression denial of service) flaw was found in the @progfay/scrapbox-parser package before 6.0.3 for Node.js. MEDIUM Feb 19, 2021
CVE-2021-27404 Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow injection of a Host HTTP header. MEDIUM Feb 19, 2021
CVE-2021-27403 Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow cgi-bin/te_acceso_router.cgi curWebPage XSS. MEDIUM Feb 19, 2021
CVE-2021-27379 An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM guest OS users to achieve unintended read/write DMA access, and possibly cause a denial of service (host OS crash) or gain privileges. This occurs because a backport missed a flush, and thus IOMMU updates were not always correct. NOTE: this issue exists because of an incomplete fix for CVE-2020-15565. MEDIUM Feb 18, 2021
CVE-2021-27378 An issue was discovered in the rand_core crate before 0.6.2 for Rust. Because read_u32_into and read_u64_into mishandle certain buffer-length checks, a random number generator may be seeded with too little data. HIGH Feb 18, 2021
CVE-2021-27377 An issue was discovered in the yottadb crate before 1.2.0 for Rust. For some memory-allocation patterns, ydb_subscript_next_st and ydb_subscript_prev_st have a use-after-free. HIGH Feb 18, 2021
CVE-2021-27376 An issue was discovered in the nb-connect crate before 1.0.3 for Rust. It may have invalid memory access for certain versions of the standard library because it relies on a direct cast of std::net::SocketAddrV4 and std::net::SocketAddrV6 data structures. HIGH Feb 18, 2021
CVE-2021-27375 Traefik before 2.4.5 allows the loading of IFRAME elements from other domains. MEDIUM Feb 19, 2021
CVE-2021-27374 VertiGIS WebOffice 10.7 SP1 before patch20210202 and 10.8 SP1 before patch20210207 allows attackers to achieve Zugriff auf Inhalte der WebOffice Applikation. MEDIUM Feb 18, 2021
CVE-2021-27371 The Contact page in Monica 2.19.1 allows stored XSS via the Description field. LOW Feb 23, 2021
CVE-2021-27370 The Contact page in Monica 2.19.1 allows stored XSS via the Last Name field. LOW Feb 25, 2021
CVE-2021-27369 The Contact page in Monica 2.19.1 allows stored XSS via the Middle Name field. LOW Feb 23, 2021
CVE-2021-27368 The Contact page in Monica 2.19.1 allows stored XSS via the First Name field. LOW Feb 23, 2021
CVE-2021-27367 Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal. MEDIUM Feb 18, 2021
CVE-2021-27362 The WPG plugin before for IrfanView 4.57 has a Read Access Violation on Control Flow starting at WPG!ReadWPG_W+0x0000000000000133, which might allow remote attackers to execute arbitrary code. HIGH Feb 17, 2021
CVE-2021-27351 The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session. MEDIUM Feb 19, 2021
CVE-2021-27335 KollectApps before 4.8.16c is affected by insecure Java deserialization, leading to Remote Code Execution via a ysoserial.payloads.CommonsCollections parameter. HIGH Feb 18, 2021
CVE-2021-27330 Triconsole Datepicker Calendar <3.77 is affected by cross-site scripting (XSS) in calendar_form.php. Attackers can read authentication cookies that are still active, which can be used to perform further attacks such as reading browser history, directory listings, and file contents. -- Feb 26, 2021
CVE-2021-27329 Friendica 2021.01 allows SSRF via parse_url?binurl= for DNS lookups or HTTP requests to arbitrary domain names. HIGH Feb 18, 2021
CVE-2021-27328 Yeastar NeoGate TG400 devices are affected by Directory Traversal. An authenticated user can decrypt firmware and can read sensitive information, such as a password or decryption key. MEDIUM Feb 19, 2021
CVE-2021-27279 MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode). LOW Feb 26, 2021
CVE-2021-27237 The admin panel in BlackCat CMS 1.3.6 allows stored XSS (by an admin) via the Display Name field to backend/preferences/ajax_save.php. LOW Feb 17, 2021
CVE-2021-27236 An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. getfile.asp allows Unauthenticated Local File Inclusion, which can be leveraged to achieve Remote Code Execution. HIGH Feb 16, 2021
CVE-2021-27235 An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. On the admin portal of the web application, there is a functionality at diagzip.asp that allows anyone to export tables of a database. MEDIUM Feb 16, 2021
CVE-2021-27234 An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. The web application suffers from SQL injection on Adminlog.asp, Archivemsgs.asp, Deletelog.asp, Eventlog.asp, and Evmlog.asp. HIGH Feb 16, 2021
CVE-2021-27233 An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. On the admin portal of the web application, password information for external systems is visible in cleartext. The Settings.asp page is affected by this issue. MEDIUM Feb 16, 2021
CVE-2021-27232 The RTSPLive555.dll ActiveX control in Pelco Digital Sentry Server has a SetCameraConnectionParameter stack-based buffer overflow. This can be exploited by a remote attacker to potentially execute arbitrary attacker-supplied code. The victim would have to visit a malicious webpage using Internet Explorer where the exploit could be triggered. MEDIUM Feb 16, 2021
CVE-2021-27231 Hestia Control Panel through 1.3.3, in a shared-hosting environment, sometimes allows remote authenticated users to create a subdomain for a different customer\'s domain name, leading to spoofing of services or email messages. MEDIUM Feb 16, 2021
CVE-2021-27229 Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text. MEDIUM Feb 18, 2021
CVE-2021-27228 An issue was discovered in Shinobi through ocean version 1. lib/auth.js has Incorrect Access Control. Valid API Keys are held in an internal JS Object. Therefore an attacker can use JS Proto Method names (such as constructor or hasOwnProperty) to convince the System that the supplied API Key exists in the underlying JS object, and consequently achieve complete access to User/Admin/Super API functions, as demonstrated by a /super/constructor/accounts/list URI. HIGH Feb 26, 2021
CVE-2021-27224 The WPG plugin before for IrfanView 4.57 has a user-mode write access violation starting at WPG+0x0000000000012ec6, which might allow remote attackers to execute arbitrary code. MEDIUM Feb 17, 2021
CVE-2021-27219 An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption. MEDIUM Feb 16, 2021
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version.
Live chat