CVE List - 2021 / February
Showing 801 - 900 of 1455 CVEs for February 2021 (Page 9 of 15)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-20409 | 2021-02-12 | IBM Security Verify Information Queue information disclosure |
| CVE-2021-20410 | 2021-02-12 | IBM Security Verify Information Queue 1.0.6 and 1.0.7 sends user credentials in plain clear text which can be read by an authenticated user using man in the middle techniques. IBM... |
| CVE-2021-20411 | 2021-02-12 | IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a user to impersonate another user on the system due to incorrectly updating the session identifier. IBM X-Force ID: 198191. |
| CVE-2021-20412 | 2021-02-12 | IBM Security Verify Information Queue 1.0.6 and 1.0.7 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external... |
| CVE-2021-22976 | 2021-02-12 | On BIG-IP Advanced WAF and ASM version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, and all 12.1.x versions, when the BIG-IP ASM system processes WebSocket... |
| CVE-2021-22982 | 2021-02-12 | On BIG-IP DNS and GTM version 13.1.x before 13.1.0.4, and all versions of 12.1.x and 11.6.x, big3d does not securely handle and parse certain payloads resulting in a buffer overflow.... |
| CVE-2021-22985 | 2021-02-12 | On BIG-IP APM version 16.0.x before 16.0.1.1, under certain conditions, when processing VPN traffic with APM, TMM consumes excessive memory. A malicious, authenticated VPN user may abuse this to perform... |
| CVE-2021-22981 | 2021-02-12 | On all versions of BIG-IP 12.1.x and 11.6.x, the original TLS protocol includes a weakness in the master secret negotiation that is mitigated by the Extended Master Secret (EMS) extension... |
| CVE-2021-22980 | 2021-02-12 | In Edge Client version 7.2.x before 7.2.1.1, 7.1.9.x before 7.1.9.8, and 7.1.x-7.1.8.x before 7.1.8.5, an untrusted search path vulnerability in the BIG-IP APM Client Troubleshooting Utility (CTU) for Windows could... |
| CVE-2021-22979 | 2021-02-12 | On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.2.8, 13.1.x before 13.1.3.5, and all 12.1.x versions, a reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page... |
| CVE-2021-22983 | 2021-02-12 | On BIG-IP AFM version 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.5, authenticated users accessing the Configuration utility for AFM are vulnerable to a cross-site scripting attack if... |
| CVE-2021-22978 | 2021-02-12 | On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x and 11.6.x versions, undisclosed endpoints in iControl REST allow for a reflected... |
| CVE-2021-22984 | 2021-02-12 | On BIG-IP Advanced WAF and ASM version 15.1.x before 15.1.0.2, 15.0.x before 15.0.1.4, 14.1.x before 14.1.2.5, 13.1.x before 13.1.3.4, 12.1.x before 12.1.5.2, and 11.6.x before 11.6.5.2, when receiving a unauthenticated... |
| CVE-2021-22977 | 2021-02-12 | On BIG-IP version 16.0.0-16.0.1 and 14.1.2.4-14.1.3, cooperation between malicious HTTP client code and a malicious server may cause TMM to restart and generate a core file. Note: Software versions which... |
| CVE-2020-13949 | 2021-02-12 | In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. |
| CVE-2021-22504 | 2021-02-12 | Arbitrary code execution vulnerability on Micro Focus Operations Bridge Manager product, affecting versions 10.1x, 10.6x, 2018.05, 2018.11, 2019.05, 2019.11, 2020.05, 2020.10. The vulnerability could allow remote attackers to execute arbitrary... |
| CVE-2021-26753 | 2021-02-12 | NeDi 1.9C allows an authenticated user to inject PHP code in the System Files function on the endpoint /System-Files.php via the txt HTTP POST parameter. This allows an attacker to... |
| CVE-2021-26752 | 2021-02-12 | NeDi 1.9C allows an authenticated user to execute operating system commands in the Nodes Traffic function on the endpoint /Nodes-Traffic.php via the md or ag HTTP GET parameter. This allows... |
| CVE-2021-26751 | 2021-02-12 | NeDi 1.9C allows an authenticated user to perform a SQL Injection in the Monitoring History function on the endpoint /Monitoring-History.php via the det HTTP GET parameter. This allows an attacker... |
| CVE-2021-27210 | 2021-02-13 | TP-Link Archer C5v 1.7_181221 devices allows remote attackers to retrieve cleartext credentials via [USER_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,0 to the /cgi?1&5 URI. |
| CVE-2021-27209 | 2021-02-13 | In the management interface on TP-Link Archer C5v 1.7_181221 devices, credentials are sent in a base64 format over cleartext HTTP. |
| CVE-2021-27212 | 2021-02-14 | In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon... |
| CVE-2021-27213 | 2021-02-14 | config.py in pystemon before 2021-02-13 allows code execution via YAML deserialization because SafeLoader and safe_load are not used. |
| CVE-2019-25019 | 2021-02-14 | LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model. |
| CVE-2021-26929 | 2021-02-14 | An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with... |
| CVE-2020-36235 | 2021-02-14 | Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site... |
| CVE-2020-36236 | 2021-02-14 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints.... |
| CVE-2020-36237 | 2021-02-14 | Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions... |
| CVE-2021-25296 | 2021-02-15 | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request,... |
| CVE-2021-25297 | 2021-02-15 | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request,... |
| CVE-2021-25298 | 2021-02-15 | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request,... |
| CVE-2020-36234 | 2021-02-15 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The... |
| CVE-2020-29451 | 2021-02-15 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate Jira projects via an Information Disclosure vulnerability in the Jira Projects plugin report page. The affected... |
| CVE-2020-7071 | 2021-02-15 | FILTER_VALIDATE_URL accepts URLs with invalid userinfo |
| CVE-2021-21702 | 2021-02-15 | Null Dereference in SoapClient |
| CVE-2020-28500 | 2021-02-15 | Regular Expression Denial of Service (ReDoS) |
| CVE-2021-23337 | 2021-02-15 | Command Injection |
| CVE-2021-23336 | 2021-02-15 | Web Cache Poisoning |
| CVE-2021-25299 | 2021-02-15 | Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked... |
| CVE-2020-35775 | 2021-02-15 | CITSmart before 9.1.2.23 allows LDAP Injection. |
| CVE-2020-4954 | 2021-02-15 | IBM Spectrum Protect Operations Center 7.1 and 8.1 could allow a remote attacker to bypass authentication restrictions, caused by improper session validation . By using the configuration panel to obtain... |
| CVE-2020-4955 | 2021-02-15 | IBM Spectrum Protect Operations Center 7.1 and 8.1could allow a remote attacker to execute arbitrary code on the system, caused by improper parameter validation. By creating an unspecified servlet request... |
| CVE-2020-4956 | 2021-02-15 | IBM Spectrum Protect Operations Center 7.1 and 8.1 is vulnerable to a denial of service, caused by a RPC that allows certain cache values to be set and dumped to... |
| CVE-2020-29026 | 2021-02-15 | A directory traversal vulnerability exists in the file upload function of the GateManager that allows an authenticated attacker with administrative permissions to read and write arbitrary files in the Linux... |
| CVE-2021-23338 | 2021-02-15 | Deserialization of Untrusted Data |
| CVE-2020-29031 | 2021-02-15 | Insecure Direct Object Reference in GateManager WebUI can cause privilege escalation |
| CVE-2020-35512 | 2021-02-15 | A use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.12.x stable branch <= 1.12.18, and dbus-1.10.x and older branches <= 1.10.30 when a system has multiple usernames sharing... |
| CVE-2021-27218 | 2021-02-15 | An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length... |
| CVE-2021-27219 | 2021-02-15 | An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64... |
| CVE-2020-22425 | 2021-02-15 | Centreon 19.10-3.el7 is affected by a SQL injection vulnerability, where an authorized user is able to inject additional SQL queries to perform remote command execution. |
| CVE-2020-22427 | 2021-02-15 | NagiosXI 5.6.11 is affected by a remote code execution (RCE) vulnerability. An authenticated nagiosadmin user can inject additional commands into a request. NOTE: the vendor disputes whether the CVE and... |
| CVE-2020-24899 | 2021-02-15 | Nagios XI 5.7.2 is affected by a remote code execution (RCE) vulnerability. An authenticated user can inject additional commands into normal webapp query. |
| CVE-2021-3375 | 2021-02-15 | ActivePresenter 6.1.6 is affected by a memory corruption vulnerability that may result in a denial of service (DoS) or arbitrary code execution. |
| CVE-2021-27201 | 2021-02-15 | Endian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in a backup comment. |
| CVE-2021-27211 | 2021-02-15 | steghide 0.5.1 relies on a certain 32-bit seed value, which makes it easier for attackers to detect hidden data. |
| CVE-2020-28337 | 2021-02-15 | A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability,... |
| CVE-2020-29142 | 2021-02-15 | A SQL injection vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the schedule_facility parameter when restrict_user_facility=on is in global settings. |
| CVE-2020-29140 | 2021-02-15 | A SQL injection vulnerability in interface/reports/immunization_report.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter. |
| CVE-2020-29139 | 2021-02-15 | A SQL injection vulnerability in interface/main/finder/patient_select.php from library/patient.inc in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the searchFields parameter. |
| CVE-2020-29143 | 2021-02-15 | A SQL injection vulnerability in interface/reports/non_reported.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter. |
| CVE-2021-3239 | 2021-02-15 | E-Learning System 1.0 suffers from an unauthenticated SQL injection vulnerability, which allows remote attackers to execute arbitrary code on the hosting web server and gain a reverse shell. |
| CVE-2021-26200 | 2021-02-15 | The user area for Library System 1.0 is vulnerable to SQL injection where a user can bypass the authentication and login as the admin user. |
| CVE-2021-26201 | 2021-02-15 | The Login Panel of CASAP Automated Enrollment System 1.0 is vulnerable to SQL injection authentication bypass. An attacker can obtain access to the admin panel by injecting a SQL query... |
| CVE-2020-35734 | 2021-02-15 | Sruu.pl in Batflat 1.3.6 allows an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Users tab. To exploit this, one must... |
| CVE-2021-26822 | 2021-02-15 | Teachers Record Management System 1.0 is affected by a SQL injection vulnerability in 'searchteacher' POST parameter in search-teacher.php. This vulnerability can be exploited by a remote unauthenticated attacker to leak... |
| CVE-2021-21511 | 2021-02-15 | Dell EMC Avamar Server, versions 19.3 and 19.4 contain an Improper Authorization vulnerability in the web UI. A remote low privileged attacker could potentially exploit this vulnerability, to gain unauthorized... |
| CVE-2021-27229 | 2021-02-16 | Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text. |
| CVE-2021-27231 | 2021-02-16 | Hestia Control Panel 1.3.5 and below, in a shared-hosting environment, sometimes allows remote authenticated users to create a subdomain for a different customer's domain name, leading to spoofing of services... |
| CVE-2021-27236 | 2021-02-16 | An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. getfile.asp allows Unauthenticated Local File Inclusion, which can be leveraged to achieve Remote Code Execution. |
| CVE-2021-27235 | 2021-02-16 | An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. On the admin portal of the web application, there is a functionality at diagzip.asp that allows anyone to export... |
| CVE-2021-27234 | 2021-02-16 | An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. The web application suffers from SQL injection on Adminlog.asp, Archivemsgs.asp, Deletelog.asp, Eventlog.asp, and Evmlog.asp. |
| CVE-2021-27233 | 2021-02-16 | An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. On the admin portal of the web application, password information for external systems is visible in cleartext. The Settings.asp... |
| CVE-2020-24841 | 2021-02-16 | PNPSCADA 2.200816204020 allows SQL injection via parameter 'interf' in /browse.jsp. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in... |
| CVE-2020-25340 | 2021-02-16 | An issue was discovered in NFStream 5.2.0. Because some allocated modules are not correctly freed, if the nfstream object is directly destroyed without being used after it is created, it... |
| CVE-2021-27232 | 2021-02-16 | The RTSPLive555.dll ActiveX control in Pelco Digital Sentry Server 7.18.72.11464 has a SetCameraConnectionParameter stack-based buffer overflow. This can be exploited by a remote attacker to potentially execute arbitrary attacker-supplied code.... |
| CVE-2021-25648 | 2021-02-16 | Mobile application "Testes de Codigo" 11.4 and prior allows an attacker to gain access to the administrative interface and premium features by tampering the boolean value of parameters "isAdmin" and... |
| CVE-2020-29024 | 2021-02-16 | Missing HtppOnly and Secure flags |
| CVE-2020-29022 | 2021-02-16 | Host Header Injection allowing web cache poisoning attacks |
| CVE-2020-29023 | 2021-02-16 | CSV Formula Injection possible due to improper fields escaping in GateManager |
| CVE-2020-35557 | 2021-02-16 | Improper Access Validation in products of MB connect line and Helmholz |
| CVE-2020-35570 | 2021-02-16 | Foreced Browsing vulnerability in products of MB connect line and Helmholz |
| CVE-2020-35558 | 2021-02-16 | SSRF in products of MB connect line and Helmholz |
| CVE-2020-35560 | 2021-02-16 | An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an unauthenticated open redirect in the redirect.php. |
| CVE-2020-35563 | 2021-02-16 | An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an incomplete XSS filter allowing an attacker to inject crafted malicious code into the page. |
| CVE-2020-35564 | 2021-02-16 | An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an outdated and unused component allowing for malicious user input of active code. |
| CVE-2020-35569 | 2021-02-16 | An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is a self XSS issue with a crafted cookie in the login page. |
| CVE-2020-35566 | 2021-02-16 | Local file inclusion vulnerability in products of MB connect line and Helmholz |
| CVE-2020-35559 | 2021-02-16 | An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an unused function that allows an authenticated attacker to use up all available IPs of... |
| CVE-2020-35568 | 2021-02-16 | Sensitive Information Exposure in products of MB connect line and Helmholz |
| CVE-2020-29025 | 2021-02-16 | DOM-based Javascript injection |
| CVE-2020-35567 | 2021-02-16 | An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The software uses a secure password for database access, but this password is shared across instances. |
| CVE-2020-35565 | 2021-02-16 | An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The login pages bruteforce detection is disabled by default. |
| CVE-2020-29027 | 2021-02-16 | Reflected Cross Site Scripting |
| CVE-2020-35561 | 2021-02-16 | SSRF in variuos products of MB connect line and Helmholz |
| CVE-2021-20986 | 2021-02-16 | Hilscher: Denial of Service vulnerability in PROFINET IO Device |
| CVE-2021-20987 | 2021-02-16 | Hilscher: EtherNet/IP stack crash for specific CIP service |
| CVE-2021-23839 | 2021-02-16 | Incorrect SSLv2 rollback protection |
| CVE-2021-23840 | 2021-02-16 | Integer overflow in CipherUpdate |
| CVE-2021-23841 | 2021-02-16 | Null pointer deref in X509_issuer_and_serial_hash() |
| CVE-2021-21315 | 2021-02-16 | Command Injection Vulnerability |