CVE List - 2021 / March
Showing 1 - 100 of 1447 CVEs for March 2021 (Page 1 of 15)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-25122 | 2021-03-01 | Apache Tomcat h2c request mix-up |
| CVE-2021-25329 | 2021-03-01 | Incomplete fix for CVE-2020-9484 |
| CVE-2021-25829 | 2021-03-01 | An improper binary stream data handling issue was found in the [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. Using this bug, an attacker is able to produce a denial of service... |
| CVE-2021-25830 | 2021-03-01 | A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13. An attacker must request the conversion of the crafted file from DOCT into DOCX format. Using... |
| CVE-2021-25831 | 2021-03-01 | A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. An attacker must request the conversion of the crafted file from PPTT into PPTX format. Using... |
| CVE-2021-25832 | 2021-03-01 | A heap buffer overflow vulnerability inside of BMP image processing was found at [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v6.0.0. Using this vulnerability, an attacker is able to gain remote code... |
| CVE-2021-25833 | 2021-03-01 | A file extension handling issue was found in [server] module of ONLYOFFICE DocumentServer v4.2.0.71-v5.6.0.21. The file extension is controlled by an attacker through the request data and leads to arbitrary... |
| CVE-2020-9479 | 2021-03-01 | unzip directory traversal |
| CVE-2020-7929 | 2021-03-01 | Specially crafted regex query can cause DoS |
| CVE-2018-25004 | 2021-03-01 | Invariant failure when explaining a find with a UUID |
| CVE-2020-36240 | 2021-03-01 | The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect... |
| CVE-2021-25914 | 2021-03-01 | Prototype pollution vulnerability in 'object-collider' versions 1.0.0 through 1.0.3 allows attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-22114 | 2021-03-01 | Addresses partial fix in CVE-2018-1263. Spring-integration-zip, versions prior to 1.0.4, exposes an arbitrary file write vulnerability that can be achieved using a specially crafted zip archive (affects other archives as... |
| CVE-2021-27318 | 2021-03-01 | Cross Site Scripting (XSS) vulnerability in contactus.php in Doctor Appointment System 1.0 allows remote attackers to inject arbitrary web script or HTML via the lastname parameter. |
| CVE-2021-27317 | 2021-03-01 | Cross Site Scripting (XSS) vulnerability in contactus.php in Doctor Appointment System 1.0 allows remote attackers to inject arbitrary web script or HTML via the comment parameter. |
| CVE-2021-3332 | 2021-03-01 | WPS Hide Login 1.6.1 allows remote attackers to bypass a protection mechanism via post_password. |
| CVE-2021-21515 | 2021-03-01 | Dell EMC SourceOne, versions 7.2SP10 and prior, contain a Stored Cross-Site Scripting vulnerability. A remote low privileged attacker may potentially exploit this vulnerability, to hijack user sessions or to trick... |
| CVE-2021-21517 | 2021-03-01 | SRS Policy Manager 6.X is affected by an XML External Entity Injection (XXE) vulnerability due to a misconfigured XML parser that processes user-supplied DTD input without sufficient validation. A remote... |
| CVE-2021-26702 | 2021-03-01 | EPrints 3.4.2 exposes a reflected XSS opportunity in the dataset parameter to the cgi/dataset_dictionary URI. |
| CVE-2021-26476 | 2021-03-01 | EPrints 3.4.2 allows remote attackers to execute OS commands via crafted LaTeX input to a cgi/cal?year= URI. |
| CVE-2021-26475 | 2021-03-01 | EPrints 3.4.2 exposes a reflected XSS opportunity via a cgi/cal URI. |
| CVE-2021-3342 | 2021-03-01 | EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted LaTeX input to a cgi/latex2png?latex= URI. |
| CVE-2021-26703 | 2021-03-01 | EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted JSON/XML input to a cgi/ajax/phrase URI. |
| CVE-2021-26704 | 2021-03-01 | EPrints 3.4.2 allows remote attackers to execute arbitrary commands via crafted input to the verb parameter in a cgi/toolbox/toolbox URI. |
| CVE-2021-27876 | 2021-03-01 | An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication.... |
| CVE-2021-27878 | 2021-03-01 | An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication.... |
| CVE-2021-27877 | 2021-03-01 | An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current... |
| CVE-2021-27884 | 2021-03-01 | Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used. |
| CVE-2021-27886 | 2021-03-01 | rakibtg Docker Dashboard before 2021-02-28 allows command injection in backend/utilities/terminal.js via shell metacharacters in the command parameter of an API request. NOTE: this is NOT a Docker, Inc. product. |
| CVE-2021-27888 | 2021-03-02 | ZendTo before 6.06-4 Beta allows XSS during the display of a drop-off in which a filename has unexpected characters. |
| CVE-2021-27804 | 2021-03-02 | JPEG XL (aka jpeg-xl) through 0.3.2 allows writable memory corruption. |
| CVE-2021-25306 | 2021-03-02 | A buffer overflow vulnerability in the AT command interface of Gigaset DX600A v41.00-175 devices allows remote attackers to force a device reboot by sending relatively long AT commands. |
| CVE-2021-25309 | 2021-03-02 | The telnet administrator service running on port 650 on Gigaset DX600A v41.00-175 devices does not implement any lockout or throttling functionality. This situation (together with the weak password policy that... |
| CVE-2021-27731 | 2021-03-02 | Accellion FTA 9_12_432 and earlier is affected by stored XSS via a crafted POST request to a user endpoint. The fixed version is FTA_9_12_444 and later. |
| CVE-2021-27730 | 2021-03-02 | Accellion FTA 9_12_432 and earlier is affected by argument injection via a crafted POST request to an admin endpoint. The fixed version is FTA_9_12_444 and later. |
| CVE-2021-21320 | 2021-03-02 | User content sandbox can be confused into opening arbitrary documents |
| CVE-2021-21322 | 2021-03-02 | Prefix escape |
| CVE-2021-21321 | 2021-03-02 | Prefix escape |
| CVE-2021-27901 | 2021-03-02 | An issue was discovered on LG mobile devices with Android OS 11 software. They mishandle fingerprint recognition because local high beam mode (LHBM) does not function properly during bright illumination.... |
| CVE-2021-27904 | 2021-03-02 | An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors. |
| CVE-2020-1936 | 2021-03-02 | Stored XSS in Apache Ambari |
| CVE-2020-25902 | 2021-03-02 | Blackboard Collaborate Ultra 20.02 is affected by a cross-site scripting (XSS) vulnerability. The XSS payload will execute in the classroom, which leads to stealing cookies from users who join... |
| CVE-2021-21513 | 2021-03-02 | Dell EMC OpenManage Server Administrator (OMSA) version 9.5 Microsoft Windows installations with Distributed Web Server (DWS) enabled configuration contains an authentication bypass vulnerability. A remote unauthenticated attacker could potentially exploit... |
| CVE-2021-21514 | 2021-03-02 | Dell EMC OpenManage Server Administrator (OMSA) versions 9.5 and prior contain a path traversal vulnerability. A remote user with admin privileges could potentially exploit this vulnerability to view arbitrary files... |
| CVE-2020-23518 | 2021-03-02 | Cross Site Scripting (XSS) vulnerability in UltimateKode Neo Billing - Accounting, Invoicing And CRM Software up to version 3.5 which allows remote attackers to inject arbitrary web script or HTML. |
| CVE-2020-4719 | 2021-03-02 | The IBM Cloud APM 8.1.4 server will issue a DNS request to resolve any hostname specified in the Cloud Event Management Webhook URL configuration definition. This could enable an authenticated... |
| CVE-2020-4725 | 2021-03-02 | IBM Monitoring (IBM Cloud APM 8.1.4) could allow an authenticated user to modify HTML content by sending a specially crafted HTTP request to the APM UI, which could mislead... |
| CVE-2020-4726 | 2021-03-02 | The IBM Application Performance Monitoring UI (IBM Cloud APM 8.1.4) allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID:... |
| CVE-2021-3384 | 2021-03-02 | A vulnerability in Stormshield Network Security could allow an attacker to trigger a protection related to ARP/NDP table management, which would temporarily prevent the system from contacting new hosts via... |
| CVE-2021-25330 | 2021-03-02 | Calling of non-existent provider in MobileWips application prior to SMR Feb-2021 Release 1 allows unauthorized actions including denial of service attack by hijacking the provider. |
| CVE-2021-22296 | 2021-03-02 | A component of HarmonyOS 2.0 has a DoS vulnerability. Local attackers may exploit this vulnerability to mount a file system to the target device, causing DoS of the file system. |
| CVE-2020-28657 | 2021-03-02 | In bPanel 2.0, the administrative ajax endpoints (aka ajax/aj_*.php) are accessible without authentication and allow SQL injections, which could lead to platform compromise. |
| CVE-2021-22294 | 2021-03-02 | A component API of the HarmonyOS 2.0 has a permission bypass vulnerability. Local attackers may exploit this vulnerability to issue commands repeatedly, exhausting system service resources. |
| CVE-2021-22187 | 2021-03-02 | An issue has been discovered in GitLab affecting all versions of Gitlab EE/CE before 13.6.7. A potential resource exhaustion issue that allowed running or pending jobs to continue even after... |
| CVE-2021-27885 | 2021-03-02 | usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism. |
| CVE-2021-21255 | 2021-03-02 | entities switch IDOR |
| CVE-2021-21258 | 2021-03-02 | XSS injection in ajax/kanban |
| CVE-2020-12527 | 2021-03-02 | Improper Access Validation in products of MB connect line and Helmholz |
| CVE-2020-12528 | 2021-03-02 | An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. Improper use of access validation allows a logged in user to kill web2go... |
| CVE-2020-12529 | 2021-03-02 | An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. There is an SSRF in the LDAP access check, allowing an attacker to... |
| CVE-2020-12530 | 2021-03-02 | An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. There is an XSS issue in the redirect.php allowing an attacker to inject... |
| CVE-2021-26412 | 2021-03-02 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| CVE-2021-26854 | 2021-03-02 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| CVE-2021-26855 | 2021-03-02 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| CVE-2021-26857 | 2021-03-02 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| CVE-2021-26858 | 2021-03-02 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| CVE-2021-27078 | 2021-03-02 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| CVE-2021-27065 | 2021-03-02 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| CVE-2021-27927 | 2021-03-03 | In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls... |
| CVE-2021-21352 | 2021-03-03 | Predictable tokens used for password resets |
| CVE-2021-21353 | 2021-03-03 | Remote code execution in pug |
| CVE-2020-10519 | 2021-03-03 | Unsafe configuration options in GitHub Pages leading to remote code execution on GitHub Enterprise Server |
| CVE-2021-22861 | 2021-03-03 | Improper access control in GitHub Enterprise Server leading to unauthorized write access to forkable repositories |
| CVE-2021-22862 | 2021-03-03 | Improper access control in GitHub Enterprise Server leading to the disclosure of Actions secrets to forks |
| CVE-2021-22863 | 2021-03-03 | Improper access control in GitHub Enterprise Server leading to unauthorized changes to maintainer permissions on pull requests |
| CVE-2021-2138 | 2021-03-03 | Vulnerability in the Oracle Cloud Infrastructure Data Science Notebook Sessions. Easily exploitable vulnerability allows low privileged attacker with access to the physical communication segment attached to the hardware where the... |
| CVE-2021-27923 | 2021-03-03 | Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and... |
| CVE-2021-27922 | 2021-03-03 | Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and... |
| CVE-2021-27921 | 2021-03-03 | Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and... |
| CVE-2021-25315 | 2021-03-03 | salt-api unauthenticated remote code execution |
| CVE-2021-23347 | 2021-03-03 | Cross-site Scripting (XSS) |
| CVE-2020-35296 | 2021-03-03 | ThinkAdmin v6 has default administrator credentials, which allows attackers to gain unrestricted administrator dashboard access. |
| CVE-2021-26813 | 2021-03-03 | markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed... |
| CVE-2021-25252 | 2021-03-03 | Trend Micro's Virus Scan API (VSAPI) and Advanced Threat Scan Engine (ATSE) are vulnerable to a memory exhaustion vulnerability that may lead to denial-of-service or system freeze if exploited... |
| CVE-2021-27215 | 2021-03-03 | An issue was discovered in genua genugate before 9.0 Z p19, 9.1.x through 9.6.x before 9.6 p7, and 10.x before 10.1 p4. The Web Interfaces (Admin, Userweb, Sidechannel) can use... |
| CVE-2020-15937 | 2021-03-03 | An improper neutralization of input vulnerability in FortiGate version 6.2.x below 6.2.5 and 6.4.x below 6.4.1 may allow a remote attacker to perform a stored cross site scripting attack (XSS)... |
| CVE-2021-22662 | 2021-03-03 | A use after free issue has been identified in Fatek FvDesigner Version 1.5.76 and prior in the way the application processes project files, allowing an attacker to craft a special... |
| CVE-2021-22670 | 2021-03-03 | An uninitialized pointer may be exploited in Fatek FvDesigner Version 1.5.76 and prior while the application is processing project files, allowing an attacker to craft a special project file that... |
| CVE-2021-22666 | 2021-03-03 | Fatek FvDesigner Version 1.5.76 and prior is vulnerable to a stack-based buffer overflow while project files are being processed, allowing an attacker to craft a special project file that may... |
| CVE-2021-22683 | 2021-03-03 | Fatek FvDesigner Version 1.5.76 and prior is vulnerable to an out-of-bounds write while processing project files, allowing an attacker to craft a special project file that may permit arbitrary code... |
| CVE-2021-22638 | 2021-03-03 | Fatek FvDesigner Version 1.5.76 and prior is vulnerable to an out-of-bounds read while processing project files, allowing an attacker to craft a special project file that may permit arbitrary code... |
| CVE-2020-13554 | 2021-03-03 | An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In webvrpcs Run Key Privilege Escalation in installation folder of WebAccess, an attacker... |
| CVE-2021-21979 | 2021-03-03 | In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the file /tmp/app/.env is generated at the time... |
| CVE-2021-20076 | 2021-03-03 | Tenable.sc and Tenable.sc Core versions 5.13.0 through 5.17.0 were found to contain a vulnerability that could allow an authenticated, unprivileged user to perform Remote Code Execution (RCE) on the Tenable.sc... |
| CVE-2020-27779 | 2021-03-03 | A flaw was found in grub2 in versions prior to 2.06. The cutmem command does not honor secure boot locking, allowing a privileged attacker to remove address ranges from memory... |
| CVE-2020-27749 | 2021-03-03 | A flaw was found in grub2 in versions prior to 2.06. Variable names present are expanded in the supplied command line into their corresponding variable contents, using a 1kB stack... |
| CVE-2020-14372 | 2021-03-03 | A flaw was found in grub2 in versions prior to 2.06, where it incorrectly enables the usage of the ACPI command when Secure Boot is enabled. This flaw allows an... |
| CVE-2020-25647 | 2021-03-03 | A flaw was found in grub2 in versions prior to 2.06. During USB device initialization, descriptors are read with very little bounds checking and assume the USB device is providing... |
| CVE-2020-25632 | 2021-03-03 | A flaw was found in grub2 in versions prior to 2.06. The rmmod implementation allows the unloading of a module used as a dependency without checking if any other dependent... |
| CVE-2021-20225 | 2021-03-03 | A flaw was found in grub2 in versions prior to 2.06. The option parser allows an attacker to write past the end of a heap-allocated buffer by calling certain commands... |