CVE List - 2021 / February
Showing 1001 - 1100 of 1455 CVEs for February 2021 (Page 11 of 15)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-22174 | 2021-02-17 | Crash in USB HID dissector in Wireshark 3.4.0 to 3.4.2 allows denial of service via packet injection or crafted capture file |
| CVE-2021-22173 | 2021-02-17 | Memory leak in USB HID dissector in Wireshark 3.4.0 to 3.4.2 allows denial of service via packet injection or crafted capture file |
| CVE-2020-35339 | 2021-02-17 | In 74cms version 5.0.1, there is a remote code execution vulnerability in /Application/Admin/Controller/ConfigController.class.php and /ThinkPHP/Common/functions.php where attackers can obtain server permissions and control the server. |
| CVE-2020-36002 | 2021-02-17 | Seat-Reservation-System 1.0 has a SQL injection vulnerability in index.php in the id parameter where attackers can obtain sensitive database information. |
| CVE-2020-36003 | 2021-02-17 | The id parameter in detail.php of Online Book Store v1.0 is vulnerable to union-based blind SQL injection, which leads to the ability to retrieve all databases. |
| CVE-2021-25779 | 2021-02-17 | Baby Care System v1.0 is vulnerable to SQL injection via the 'id' parameter on the contentsectionpage.php page. |
| CVE-2021-25780 | 2021-02-17 | An arbitrary file upload vulnerability has been identified in posts.php in Baby Care System 1.0. The vulnerability could be exploited by an remote attacker to upload content to the server,... |
| CVE-2021-26809 | 2021-02-17 | PHPGurukul Car Rental Project version 2.0 suffers from a remote shell upload vulnerability in changeimage1.php. |
| CVE-2021-27362 | 2021-02-17 | The WPG plugin before 3.1.0.0 for IrfanView 4.57 has a Read Access Violation on Control Flow starting at WPG!ReadWPG_W+0x0000000000000133, which might allow remote attackers to execute arbitrary code. |
| CVE-2021-27224 | 2021-02-17 | The WPG plugin before 3.1.0.0 for IrfanView 4.57 has a user-mode write access violation starting at WPG+0x0000000000012ec6, which might allow remote attackers to execute arbitrary code. |
| CVE-2021-1416 | 2021-02-17 | Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities |
| CVE-2021-1412 | 2021-02-17 | Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities |
| CVE-2021-1378 | 2021-02-17 | Cisco StarOS Denial of Service Vulnerability |
| CVE-2021-1372 | 2021-02-17 | Cisco Webex Meetings Desktop App and Webex Productivity Tools for Windows Shared Memory Information Disclosure Vulnerability |
| CVE-2021-1366 | 2021-02-17 | Cisco AnyConnect Secure Mobility Client for Windows with VPN Posture (HostScan) Module DLL Hijacking Vulnerability |
| CVE-2021-1351 | 2021-02-17 | Cisco Webex Meetings Cross-Site Scripting Vulnerability |
| CVE-2020-13550 | 2021-02-17 | A local file inclusion vulnerability exists in the installation functionality of Advantech WebAccess/SCADA 9.0.1. A specially crafted application can lead to information disclosure. An attacker can send an authenticated HTTP... |
| CVE-2020-13552 | 2021-02-17 | An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In privilege escalation via multiple service executables in installation folder of WebAccess, an... |
| CVE-2020-13551 | 2021-02-17 | An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In privilege escalation via PostgreSQL executable, an attacker can either replace binary or... |
| CVE-2020-13553 | 2021-02-17 | An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In webvrpcs Run Key Privilege Escalation in installation folder of WebAccess, an attacker... |
| CVE-2020-13555 | 2021-02-17 | An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In COM Server Application Privilege Escalation, an attacker can either replace binary or... |
| CVE-2021-3396 | 2021-02-17 | OpenNMS Meridian 2016, 2017, 2018 before 2018.1.25, 2019 before 2019.1.16, and 2020 before 2020.1.5, Horizon 1.2 through 27.0.4, and Newts <1.5.3 has Incorrect Access Control, which allows local and remote... |
| CVE-2020-25605 | 2021-02-17 | Cleartext transmission of sensitive information in Agora Video SDK prior to 3.1 allows a remote attacker to obtain access to audio and video of any ongoing Agora video call through... |
| CVE-2021-27367 | 2021-02-17 | Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal. |
| CVE-2021-26911 | 2021-02-17 | core/imap/MCIMAPSession.cpp in Canary Mail before 3.22 has Missing SSL Certificate Validation for IMAP in STARTTLS mode. |
| CVE-2021-26720 | 2021-02-17 | avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files... |
| CVE-2020-36245 | 2021-02-17 | GramAddict through 1.2.3 allows remote attackers to execute arbitrary code because of use of UIAutomator2 and ATX-Agent. The attacker must be able to reach TCP port 7912, e.g., by being... |
| CVE-2021-27374 | 2021-02-17 | VertiGIS WebOffice 10.7 SP1 before patch20210202 and 10.8 SP1 before patch20210207 allows attackers to achieve "Zugriff auf Inhalte der WebOffice Applikation." |
| CVE-2021-27097 | 2021-02-17 | The boot loader in Das U-Boot before 2021.04-rc2 mishandles a modified FIT. |
| CVE-2021-27138 | 2021-02-17 | The boot loader in Das U-Boot before 2021.04-rc2 mishandles use of unit addresses in a FIT. |
| CVE-2020-8625 | 2021-02-17 | A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack |
| CVE-2020-12878 | 2021-02-17 | Digi ConnectPort X2e before 3.2.30.6 allows an attacker to escalate privileges from the python user to root via a symlink attack that uses chown, related to /etc/init.d/S50dropbear.sh and the /WEB/python/.ssh... |
| CVE-2020-9306 | 2021-02-17 | Tesla SolarCity Solar Monitoring Gateway through 5.46.43 has a "Use of Hard-coded Credentials" issue because Digi ConnectPort X2e uses a .pyc file to store the cleartext password for the python... |
| CVE-2021-27375 | 2021-02-18 | Traefik before 2.4.5 allows the loading of IFRAME elements from other domains. |
| CVE-2021-27124 | 2021-02-18 | SQL injection in the expertise parameter in search_result.php in Doctor Appointment System v1.0 allows an authenticated patient user to dump the database credentials via a SQL injection attack. |
| CVE-2021-27378 | 2021-02-18 | An issue was discovered in the rand_core crate before 0.6.2 for Rust. Because read_u32_into and read_u64_into mishandle certain buffer-length checks, a random number generator may be seeded with too little... |
| CVE-2021-27377 | 2021-02-18 | An issue was discovered in the yottadb crate before 1.2.0 for Rust. For some memory-allocation patterns, ydb_subscript_next_st and ydb_subscript_prev_st have a use-after-free. |
| CVE-2021-27376 | 2021-02-18 | An issue was discovered in the nb-connect crate before 1.0.3 for Rust. It may have invalid memory access for certain versions of the standard library because it relies on a... |
| CVE-2020-29664 | 2021-02-18 | A command injection issue in dji_sys in DJI Mavic 2 Remote Controller before firmware version 01.00.0510 allows for code execution via a malicious firmware upgrade packet. |
| CVE-2020-35577 | 2021-02-18 | In Endalia Selection Portal before 4.205.0, an Insecure Direct Object Reference (IDOR) allows any authenticated user to download every file uploaded to the platform by changing the value of the... |
| CVE-2020-28490 | 2021-02-18 | Command Injection |
| CVE-2020-28496 | 2021-02-18 | Regular Expression Denial of Service (ReDoS) |
| CVE-2021-23340 | 2021-02-18 | Local File Inclusion |
| CVE-2019-18255 | 2021-02-18 | HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated user to modify system-wide iFIX configurations through section objects. This may allow privilege escalation. |
| CVE-2019-18243 | 2021-02-18 | HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated user to modify system-wide iFIX configurations through the registry. This may allow privilege escalation. |
| CVE-2021-27379 | 2021-02-18 | An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM guest OS users to achieve unintended read/write DMA access, and possibly cause a denial of service (host OS... |
| CVE-2020-29448 | 2021-02-18 | The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center before version 6.13.18, from 6.14.0 before 7.4.6, and from 7.5.0 before 7.8.3 allowed unauthenticated remote attackers to read arbitrary files... |
| CVE-2020-29453 | 2021-02-18 | The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center before version 8.5.11, from 8.6.0 before 8.13.3, and from 8.14.0 before 8.15.0 allowed unauthenticated remote attackers to read arbitrary files... |
| CVE-2020-4933 | 2021-02-18 | IBM Jazz Reporting Service 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the... |
| CVE-2021-20354 | 2021-02-18 | IBM WebSphere Application Server 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to... |
| CVE-2021-20443 | 2021-02-18 | IBM Maximo for Civil Infrastructure 7.6.2 includes executable functionality (such as a library) from a source that is outside of the intended control sphere. IBM X-Force ID: 196619. |
| CVE-2021-20444 | 2021-02-18 | IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially... |
| CVE-2021-20445 | 2021-02-18 | IBM Maximo for Civil Infrastructure 7.6.2 could allow a user to obtain sensitive information due to insecure storeage of authentication credentials. IBM X-Force ID: 196621. |
| CVE-2021-20446 | 2021-02-18 | IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially... |
| CVE-2020-36233 | 2021-02-18 | The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because... |
| CVE-2021-26068 | 2021-02-18 | An endpoint in Atlassian Jira Server for Slack plugin from version 0.0.3 before version 2.0.15 allows remote attackers to execute arbitrary code via a template injection vulnerability. |
| CVE-2020-28491 | 2021-02-18 | Denial of Service (DoS) |
| CVE-2020-28463 | 2021-02-18 | Server-side Request Forgery (SSRF) |
| CVE-2021-23341 | 2021-02-18 | Regular Expression Denial of Service (ReDoS) |
| CVE-2020-28499 | 2021-02-18 | Prototype Pollution |
| CVE-2021-21318 | 2021-02-18 | Removing access may not effect published series |
| CVE-2021-27329 | 2021-02-18 | Friendica 2021.01 allows SSRF via parse_url?binurl= for DNS lookups or HTTP requests to arbitrary domain names. |
| CVE-2021-27335 | 2021-02-18 | KollectApps before 4.8.16c is affected by insecure Java deserialization, leading to Remote Code Execution via a ysoserial.payloads.CommonsCollections parameter. |
| CVE-2020-35591 | 2021-02-18 | Pi-hole 5.0, 5.1, and 5.1.1 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create... |
| CVE-2020-35592 | 2021-02-18 | Pi-hole 5.0, 5.1, and 5.1.1 allows XSS via the Options header to the admin/ URI. A remote user is able to inject arbitrary web script or HTML due to incorrect... |
| CVE-2021-26717 | 2021-02-18 | An issue was discovered in Sangoma Asterisk 16.x before 16.16.1, 17.x before 17.9.2, and 18.x before 18.2.1 and Certified Asterisk before 16.8-cert6. When re-negotiating for T.38, if the initial remote... |
| CVE-2021-26906 | 2021-02-18 | An issue was discovered in res_pjsip_session.c in Digium Asterisk through 13.38.1; 14.x, 15.x, and 16.x through 16.16.0; 17.x through 17.9.1; and 18.x through 18.2.0, and Certified Asterisk through 16.8-cert5. An... |
| CVE-2020-35776 | 2021-02-18 | A buffer overflow in res_pjsip_diversion.c in Sangoma Asterisk versions 13.38.1, 16.15.1, 17.9.1, and 18.1.1 allows remote attacker to crash Asterisk by deliberately misusing SIP 181 responses. |
| CVE-2021-26712 | 2021-02-18 | Incorrect access controls in res_srtp.c in Sangoma Asterisk 13.38.1, 16.16.0, 17.9.1, and 18.2.0 and Certified Asterisk 16.8-cert5 allow a remote unauthenticated attacker to prematurely terminate secure calls by replaying SRTP... |
| CVE-2021-26747 | 2021-02-18 | Netis WF2780 2.3.40404 and WF2411 1.1.29629 devices allow Shell Metacharacter Injection into the ping command, leading to remote code execution. |
| CVE-2020-19513 | 2021-02-18 | Buffer overflow in FinalWire Ltd AIDA64 Engineer 6.00.5100 allows attackers to execute arbitrary code by creating a crafted input that will overwrite the SEH handler. |
| CVE-2019-25024 | 2021-02-19 | OpenRepeater (ORP) before 2.2 allows unauthenticated command injection via shell metacharacters in the functions/ajax_system.php post_service parameter. |
| CVE-2021-27404 | 2021-02-19 | Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow injection of a Host HTTP header. |
| CVE-2021-27403 | 2021-02-19 | Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow cgi-bin/te_acceso_router.cgi curWebPage XSS. |
| CVE-2021-27405 | 2021-02-19 | A ReDoS (regular expression denial of service) flaw was found in the @progfay/scrapbox-parser package before 6.0.3 for Node.js. |
| CVE-2021-26746 | 2021-02-19 | Chamilo 1.11.14 allows XSS via a main/calendar/agenda_list.php?type= URI. |
| CVE-2020-36246 | 2021-02-19 | Amaze File Manager before 3.5.1 allows attackers to obtain root privileges via shell metacharacters in a symbolic link. |
| CVE-2020-24908 | 2021-02-19 | Checkmk before 1.6.0p17 allows local users to obtain SYSTEM privileges via a Trojan horse shell script in the %PROGRAMDATA%\checkmk\agent\local directory. |
| CVE-2020-36247 | 2021-02-19 | Open OnDemand before 1.5.7 and 1.6.x before 1.6.22 allows CSRF. |
| CVE-2020-10254 | 2021-02-19 | An issue was discovered in ownCloud before 10.4. An attacker can bypass authentication on a password-protected image by displaying its preview. |
| CVE-2020-10252 | 2021-02-19 | An issue was discovered in ownCloud before 10.4. Because of an SSRF issue (via the apps/files_sharing/external remote parameter), an authenticated attacker can interact with local services blindly (aka Blind SSRF)... |
| CVE-2020-36252 | 2021-02-19 | ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable... |
| CVE-2020-36251 | 2021-02-19 | ownCloud Server before 10.3.0 allows an attacker, who has received non-administrative access to a group share, to remove everyone else's access to that share. |
| CVE-2020-36250 | 2021-02-19 | In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past. |
| CVE-2020-36249 | 2021-02-19 | The File Firewall before 2.8.0 for ownCloud Server does not properly enforce file-type restrictions for public shares. |
| CVE-2020-36248 | 2021-02-19 | The ownCloud application before 2.15 for Android allows attackers to use adb to include a PIN preferences value in a backup archive, and consequently bypass the PIN lock feature by... |
| CVE-2021-3339 | 2021-02-19 | ModernFlow before 1.3.00.208 does not constrain web-page access to members of a security group, as demonstrated by the Search Screen and the Profile Screen. |
| CVE-2021-26296 | 2021-02-19 | Cross-Site Request Forgery (CSRF) vulnerability in Apache MyFaces |
| CVE-2021-3210 | 2021-02-19 | components/Modals/HelpTexts/GenericAll/GenericAll.jsx in Bloodhound <= 4.0.1 allows remote attackers to execute arbitrary system commands when the victim imports a malicious data file containing JavaScript in the objectId parameter. |
| CVE-2021-3204 | 2021-02-19 | SSRF in the document conversion component of Webware Webdesktop 5.1.15 allows an attacker to read all files from the server. |
| CVE-2021-22702 | 2021-02-19 | A CWE-319: Cleartext transmission of sensitive information vulnerability exists in PowerLogic ION7400, ION7650, ION7700/73xx, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause disclosure of... |
| CVE-2021-22703 | 2021-02-19 | A CWE-319: Cleartext transmission of sensitive information vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause disclosure of user... |
| CVE-2021-22701 | 2021-02-19 | A CWE-352: Cross-Site Request Forgery vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause a user to perform an... |
| CVE-2020-12374 | 2021-02-19 | Buffer overflow in the BMC firmware for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.47 may allow a privileged user to potentially enable escalation of privilege... |
| CVE-2021-21512 | 2021-02-19 | Dell EMC PowerProtect Cyber Recovery, version 19.7.0.1, contains an Information Disclosure vulnerability. A locally authenticated high privileged Cyber Recovery user may potentially exploit this vulnerability leading to the takeover of... |
| CVE-2021-23342 | 2021-02-19 | Cross-site Scripting (XSS) |
| CVE-2020-13549 | 2021-02-19 | An exploitable local privilege elevation vulnerability exists in the file system permissions of Sytech XL Reporter v14.0.1 install directory. Depending on the vector chosen, an attacker can overwrite service executables... |
| CVE-2020-25171 | 2021-02-19 | Fuji Electric V-Server Lite |
| CVE-2020-9050 | 2021-02-19 | Metasys Reporting Engine (MRE) Web Services - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVE-2021-27328 | 2021-02-19 | Yeastar NeoGate TG400 91.3.0.3 devices are affected by Directory Traversal. An authenticated user can decrypt firmware and can read sensitive information, such as a password or decryption key. |