CVE List - 2021 / January
Showing 1201 - 1300 of 1514 CVEs for January 2021 (Page 13 of 16)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-21238 | 2021-01-21 | SAML XML Signature wrapping |
| CVE-2021-21253 | 2021-01-21 | Use of a One-Way Hash without a Salt in OnlineVotingSystem |
| CVE-2020-26941 | 2021-01-21 | A local (authenticated) low-privileged user can exploit a behavior in an ESET installer to achieve arbitrary file overwrite (deletion) of any file via a symlink, due to insecure permissions. The... |
| CVE-2020-29241 | 2021-01-21 | Online News Portal using PHP/MySQLi 1.0 is affected by cross-site scripting (XSS) which allows remote attackers to inject an arbitrary web script or HTML via the "Title" parameter. |
| CVE-2020-35309 | 2021-01-21 | Bakeshop Online Ordering System in PHP/MySQLi 1.0 is affected by cross-site scripting (XSS) which allows remote attackers to inject an arbitrary web script or HTML in admin dashboard - "Categories". |
| CVE-2020-28874 | 2021-01-21 | reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Errors are not properly considered (an invalid token parameter). |
| CVE-2021-3152 | 2021-01-21 | Home Assistant before 2021.1.3 does not have a protection layer that can help to prevent directory-traversal attacks against custom integrations. NOTE: the vendor's perspective is that the vulnerability itself is... |
| CVE-2020-22643 | 2021-01-21 | Feehi CMS 2.1.0 is affected by an arbitrary file upload vulnerability, potentially resulting in remote code execution. After an administrator logs in, open the administrator image upload page to potentially... |
| CVE-2020-8554 | 2021-01-21 | Kubernetes man in the middle using LoadBalancer or ExternalIPs |
| CVE-2020-8567 | 2021-01-21 | Kubernetes Secrets Store CSI Driver plugin directory traversals |
| CVE-2020-8568 | 2021-01-21 | Kubernetes Secrets Store CSI Driver sync/rotate directory traversal |
| CVE-2020-8569 | 2021-01-21 | Kubernetes CSI snapshot-controller DoS |
| CVE-2020-8570 | 2021-01-21 | Kubernetes Java client libraries unvalidated path traversal in Copy implementation |
| CVE-2021-21723 | 2021-01-21 | Some ZTE products have a DoS vulnerability. Due to the improper handling of memory release in some specific scenarios, a remote attacker can trigger the vulnerability by performing a series... |
| CVE-2020-8288 | 2021-01-21 | The `specializedRendering` function in Rocket.Chat server before 3.9.2 allows a cross-site scripting (XSS) vulnerability by way of the `value` parameter. |
| CVE-2020-8292 | 2021-01-21 | Rocket.Chat server before 3.9.0 is vulnerable to a self cross-site scripting (XSS) vulnerability via the drag & drop functionality in message boxes. |
| CVE-2021-22873 | 2021-01-21 | Revive Adserver before 5.1.0 is vulnerable to open redirects via the `dest`, `oadest`, and/or `ct0` parameters of the lg.php and ck.php delivery scripts. Such open redirects had previously been available... |
| CVE-2021-22872 | 2021-01-21 | Revive Adserver before 5.1.0 is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the publicly accessible afr.php delivery script. While this issue was previously addressed in modern browsers as... |
| CVE-2021-22871 | 2021-01-21 | Revive Adserver before 5.1.0 permits any user with a manager account to store possibly malicious content in the URL website property, which is then displayed unsanitized in the affiliate-preview.php tag... |
| CVE-2019-25015 | 2021-01-21 | LuCI in OpenWrt 18.06.0 through 18.06.4 allows stored XSS via a crafted SSID. |
| CVE-2020-36201 | 2021-01-21 | An issue was discovered in certain Xerox WorkCentre products. They do not properly encrypt passwords. This affects 3655, 3655i, 58XX, 58XXi 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi 78XX, 78XXi, 7970,... |
| CVE-2020-21146 | 2021-01-21 | Feehi CMS 2.0.8 is affected by a cross-site scripting (XSS) vulnerability. When the user name is inserted as JavaScript code, browsing the post will trigger the XSS. |
| CVE-2020-21147 | 2021-01-21 | RockOA V1.9.8 is affected by a cross-site scripting (XSS) vulnerability which allows remote attackers to send malicious code to the administrator and execute JavaScript code, because webmain/flow/input/mode_emailmAction.php does not perform... |
| CVE-2020-36199 | 2021-01-21 | TinyCheck before commits 9fd360d and ea53de8 was vulnerable to command injection due to insufficient checks of input parameters in several places. |
| CVE-2020-36200 | 2021-01-21 | TinyCheck before commits 9fd360d and ea53de8 allowed an authenticated attacker to send an HTTP GET request to the crafted URLs. |
| CVE-2021-3199 | 2021-01-22 | Directory traversal with remote code execution can occur in /upload in ONLYOFFICE Document Server before 5.6.3, when JWT is used, via a /.. sequence in an image upload parameter. |
| CVE-2020-35753 | 2021-01-22 | The job posting recommendation form in Persis Human Resource Management Portal (Versions 17.2.00 through 17.2.35 and 19.0.00 through 19.0.20), when the "Recommend job posting" function is enabled, allows XSS via... |
| CVE-2021-3193 | 2021-01-22 | Improper access and command validation in the Nagios Docker Config Wizard before 1.1.2, as used in Nagios XI through 5.7, allows an unauthenticated attacker to execute remote code as the... |
| CVE-2020-29443 | 2021-01-22 | ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated. |
| CVE-2021-22847 | 2021-01-22 | Hyweb HyCMS-J1 - SQL Injection |
| CVE-2021-22849 | 2021-01-22 | Hyweb HyCMS-J1 - Stored XSS |
| CVE-2021-25908 | 2021-01-22 | An issue was discovered in the fil-ocl crate through 2021-01-04 for Rust. From<EventList> can lead to a double free. |
| CVE-2021-25907 | 2021-01-22 | An issue was discovered in the containers crate before 0.9.11 for Rust. When a panic occurs, a util::{mutate,mutate2} double drop can be performed. |
| CVE-2021-25906 | 2021-01-22 | An issue was discovered in the basic_dsp_matrix crate before 0.9.2 for Rust. When a TransformContent panic occurs, a double drop can be performed. |
| CVE-2021-25905 | 2021-01-22 | An issue was discovered in the bra crate before 0.1.1 for Rust. It lacks soundness because it can read uninitialized memory. |
| CVE-2021-25904 | 2021-01-22 | An issue was discovered in the av-data crate before 0.3.0 for Rust. A raw pointer is dereferenced, leading to a read of an arbitrary memory address, sometimes causing a segfault. |
| CVE-2021-25903 | 2021-01-22 | An issue was discovered in the cache crate through 2021-01-01 for Rust. A raw pointer is dereferenced. |
| CVE-2021-25902 | 2021-01-22 | An issue was discovered in the glsl-layout crate before 0.4.0 for Rust. When a panic occurs, map_array can perform a double drop. |
| CVE-2021-25901 | 2021-01-22 | An issue was discovered in the lazy-init crate through 2021-01-17 for Rust. Lazy lacks a Send bound, leading to a data race. |
| CVE-2021-25900 | 2021-01-22 | An issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many. |
| CVE-2020-36220 | 2021-01-22 | An issue was discovered in the va-ts crate before 0.0.4 for Rust. Because Demuxer<T> omits a required T: Send bound, a data race and memory corruption can occur. |
| CVE-2020-36219 | 2021-01-22 | An issue was discovered in the atomic-option crate through 2020-10-31 for Rust. Because AtomicOption<T> implements Sync unconditionally, a data race can occur. |
| CVE-2020-36218 | 2021-01-22 | An issue was discovered in the buttplug crate before 1.0.4 for Rust. ButtplugFutureStateShared does not properly consider (!Send|!Sync) objects, leading to a data race. |
| CVE-2020-36217 | 2021-01-22 | An issue was discovered in the may_queue crate through 2020-11-10 for Rust. Because Queue does not have bounds on its Send trait or Sync trait, memory corruption can occur. |
| CVE-2020-36216 | 2021-01-22 | An issue was discovered in Input<R> in the eventio crate before 0.5.1 for Rust. Because a non-Send type can be sent to a different thread, a data race and memory... |
| CVE-2020-36215 | 2021-01-22 | An issue was discovered in the hashconsing crate before 1.1.0 for Rust. Because HConsed does not have bounds on its Send trait or Sync trait, memory corruption can occur. |
| CVE-2020-36214 | 2021-01-22 | An issue was discovered in the multiqueue2 crate before 0.1.7 for Rust. Because a non-Send type can be sent to a different thread, a data race can occur. |
| CVE-2020-36213 | 2021-01-22 | An issue was discovered in the abi_stable crate before 0.9.1 for Rust. A retain call can create an invalid UTF-8 string, violating soundness. |
| CVE-2020-36212 | 2021-01-22 | An issue was discovered in the abi_stable crate before 0.9.1 for Rust. DrainFilter lacks soundness because of a double drop. |
| CVE-2020-36211 | 2021-01-22 | An issue was discovered in the gfwx crate before 0.3.0 for Rust. Because ImageChunkMut does not have bounds on its Send trait or Sync trait, a data race and memory... |
| CVE-2020-36210 | 2021-01-22 | An issue was discovered in the autorand crate before 0.2.3 for Rust. Because of impl Random on arrays, uninitialized memory can be dropped when a panic occurs, leading to memory... |
| CVE-2020-36209 | 2021-01-22 | An issue was discovered in the late-static crate before 0.4.0 for Rust. Because Sync is implemented for LateStatic with T: Send, a data race can occur. |
| CVE-2020-36208 | 2021-01-22 | An issue was discovered in the conquer-once crate before 0.3.2 for Rust. Thread crossing can occur for a non-Send but Sync type, leading to memory corruption. |
| CVE-2020-36207 | 2021-01-22 | An issue was discovered in the aovec crate through 2020-12-10 for Rust. Because Aovec<T> does not have bounds on its Send trait or Sync trait, a data race and memory... |
| CVE-2020-36206 | 2021-01-22 | An issue was discovered in the rusb crate before 0.7.0 for Rust. Because of a lack of Send and Sync bounds, a data race and memory corruption can occur. |
| CVE-2020-36205 | 2021-01-22 | An issue was discovered in the xcb crate through 2020-12-10 for Rust. base::Error does not have soundness. Because of the public ptr field, a use-after-free or double-free can occur. |
| CVE-2020-36204 | 2021-01-22 | An issue was discovered in the im crate through 2020-11-09 for Rust. Because TreeFocus does not have bounds on its Send trait or Sync trait, a data race can occur. |
| CVE-2020-36203 | 2021-01-22 | An issue was discovered in the reffers crate through 2020-12-01 for Rust. ARefss can contain a !Send,!Sync object, leading to a data race and memory corruption. |
| CVE-2020-36202 | 2021-01-22 | An issue was discovered in the async-h1 crate before 2.3.0 for Rust. Request smuggling can occur when used behind a reverse proxy. |
| CVE-2020-23160 | 2021-01-22 | Remote code execution in Pyrescom Termod4 time management devices before 10.04k allows authenticated remote attackers to arbitrary commands as root on the devices. |
| CVE-2020-23161 | 2021-01-22 | Local file inclusion in Pyrescom Termod4 time management devices before 10.04k allows authenticated remote attackers to traverse directories and read sensitive files via the Maintenance > Logs menu and manipulating... |
| CVE-2020-23162 | 2021-01-22 | Sensitive information disclosure and weak encryption in Pyrescom Termod4 time management devices before 10.04k allows remote attackers to read a session-file and obtain plain-text user credentials. |
| CVE-2020-23262 | 2021-01-22 | An issue was discovered in ming-soft MCMS v5.0, where a malicious user can exploit SQL injection without logging in through /mcms/view.do. |
| CVE-2020-4766 | 2021-01-22 | IBM MQ Internet Pass-Thru 2.1 and 9.2 could allow a remote user to cause a denial of service by sending malformed MQ data requests which would consume all available resources.... |
| CVE-2021-3271 | 2021-01-22 | PressBooks 5.17.3 contains a cross-site scripting (XSS). Stored XSS can be submitted via the Book Info's Long Description Body, and all actions to open or preview the books page will... |
| CVE-2021-21259 | 2021-01-22 | Stored XSS in slide mode |
| CVE-2020-28487 | 2021-01-22 | Cross-site Scripting (XSS) |
| CVE-2021-21260 | 2021-01-22 | XSS in description field |
| CVE-2021-21270 | 2021-01-22 | Cleartext Storage of Sensitive Information |
| CVE-2020-20269 | 2021-01-22 | A specially crafted Markdown document could cause the execution of malicious JavaScript code in Caret Editor before 4.0.0-rc22. |
| CVE-2020-12511 | 2021-01-22 | Pepper+Fuchs Comtrol IO-Link Master Cross-Site Request Forgery |
| CVE-2020-12512 | 2021-01-22 | Pepper+Fuchs Comtrol IO-Link Master Cross-Site Scripting |
| CVE-2020-12513 | 2021-01-22 | Pepper+Fuchs Comtrol IO-Link Master OS Command Injection |
| CVE-2020-12514 | 2021-01-22 | Pepper+Fuchs Comtrol IO-Link Master NULL Pointer Dereference |
| CVE-2020-12525 | 2021-01-22 | WAGO/M&M Software Deserialization of untrusted data in fdtCONTAINER component |
| CVE-2020-23826 | 2021-01-22 | The Yale WIPC-303W 2.21 through 2.31 camera is vulnerable to remote command execution (RCE) through command injection via the HTTP API. NOTE: This may be a duplicate of CVE-2020-10176 |
| CVE-2020-27097 | 2021-01-22 | In checkGrantUriPermission of UriGrantsManagerService.java, there is a possible permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product:... |
| CVE-2020-27098 | 2021-01-22 | In checkGrantUriPermission of UriGrantsManagerService.java, there is a possible way to access contacts due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed.... |
| CVE-2020-23014 | 2021-01-22 | APfell 1.4 is vulnerable to authenticated reflected cross-site scripting (XSS) in /apiui/command_ through the payloadtypes_callback function, which allows an attacker to steal remote admin/user session and/or adding new users to... |
| CVE-2021-3285 | 2021-01-23 | jxbrowser in TI Code Composer Studio IDE 8.x through 10.x before 10.1.1 does not verify X.509 certificates for HTTPS. |
| CVE-2021-3286 | 2021-01-24 | SQL injection exists in Spotweb 1.4.9 because the notAllowedCommands protection mechanism is inadequate, e.g., a variation of the payload may be used. NOTE: this issue exists because of an incomplete... |
| CVE-2021-3186 | 2021-01-24 | A Stored Cross-site scripting (XSS) vulnerability in /main.html Wifi Settings in Tenda AC5 AC1200 version V15.03.06.47_multi allows remote attackers to inject arbitrary web script or HTML via the Wifi Name... |
| CVE-2020-35576 | 2021-01-25 | A Command Injection issue in the traceroute feature on TP-Link TL-WR841N V13 (JP) with firmware versions prior to 201216 allows authenticated users to execute arbitrary code as root via shell... |
| CVE-2021-26026 | 2021-01-25 | PlugIns\IDE_ACDStd.apl in ACDSee Professional 2021 14.0 1721 has a User Mode Write Access Violation starting at IDE_ACDStd!JPEGTransW+0x000000000000c7f4 via a crafted BMP image. |
| CVE-2021-26025 | 2021-01-25 | PlugIns\IDE_ACDStd.apl in ACDSee Professional 2021 14.0 1721 has a User Mode Write Access Violation starting at IDE_ACDStd!zlibVersion+0x0000000000004e5e via a crafted BMP image. |
| CVE-2020-17532 | 2021-01-25 | Apache ServiceComb Yaml remote deserialization vulnerability |
| CVE-2021-23901 | 2021-01-25 | An XML external entity (XXE) injection vulnerability exists in the Nutch DmozParser |
| CVE-2020-36223 | 2021-01-25 | A flaw was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). |
| CVE-2020-36227 | 2021-01-25 | A flaw was discovered in OpenLDAP before 2.4.57 leading to an infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. |
| CVE-2020-36230 | 2021-01-25 | A flaw was discovered in OpenLDAP before 2.4.57 leading in an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. |
| CVE-2020-36229 | 2021-01-25 | A flaw was discovered in ldap_X509dn2bv in OpenLDAP before 2.4.57 leading to a slapd crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. |
| CVE-2020-36228 | 2021-01-25 | An integer underflow was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the Certificate List Exact Assertion processing, resulting in denial of service. |
| CVE-2020-36226 | 2021-01-25 | A flaw was discovered in OpenLDAP before 2.4.57 leading to a memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. |
| CVE-2020-36225 | 2021-01-25 | A flaw was discovered in OpenLDAP before 2.4.57 leading to a double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. |
| CVE-2020-36224 | 2021-01-25 | A flaw was discovered in OpenLDAP before 2.4.57 leading to an invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. |
| CVE-2020-36222 | 2021-01-25 | A flaw was discovered in OpenLDAP before 2.4.57 leading to an assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. |
| CVE-2020-36221 | 2021-01-25 | An integer underflow was discovered in OpenLDAP before 2.4.57 leading to slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). |
| CVE-2020-35270 | 2021-01-25 | Student Result Management System In PHP With Source Code is affected by SQL injection. An attacker can able to access of Admin Panel and manage every account of Result. |
| CVE-2020-35853 | 2021-01-25 | 4images Image Gallery Management System 1.7.11 is affected by cross-site scripting (XSS) in the Image URL. This vulnerability can result in an attacker to inject the XSS payload into the... |
| CVE-2020-35854 | 2021-01-25 | Textpattern 4.8.4 is affected by cross-site scripting (XSS) in the Body parameter. |