CVE List - 2021 / March
Showing 1201 - 1300 of 1447 CVEs for March 2021 (Page 13 of 15)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-28249 | 2021-03-26 | CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a Dynamically Linked Shared Object Library. To exploit the vulnerability, the ehealth user must create a malicious library... |
| CVE-2021-28248 | 2021-03-26 | CA eHealth Performance Manager through 6.3.2.12 is affected by Improper Restriction of Excessive Authentication Attempts. An attacker is able to perform an arbitrary number of /web/frames/ authentication attempts using different... |
| CVE-2021-28250 | 2021-03-26 | CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a setuid (and/or setgid) file. When a component is run as an argument of the runpicEhealth executable, the... |
| CVE-2021-20677 | 2021-03-26 | UNIVERGE Aspire series PBX (UNIVERGE Aspire WX from 1.00 to 3.51, UNIVERGE Aspire UX from 1.00 to 9.70, UNIVERGE SV9100 from 1.00 to 10.70, and SL2100 from 1.00 to 3.00)... |
| CVE-2021-20681 | 2021-03-26 | Improper neutralization of JavaScript input in the page editing function of baserCMS versions prior to 4.4.5 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors. |
| CVE-2021-20682 | 2021-03-26 | baserCMS versions prior to 4.4.5 allows a remote attacker with an administrative privilege to execute arbitrary OS commands via unspecified vectors. |
| CVE-2021-20683 | 2021-03-26 | Improper neutralization of JavaScript input in the blog article editing function of baserCMS versions prior to 4.4.5 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors. |
| CVE-2021-23889 | 2021-03-26 | McAfee ePO Cross-site Scripting vulnerability |
| CVE-2021-23888 | 2021-03-26 | McAfee ePO unvalidated URL redirect vulnerability |
| CVE-2021-23890 | 2021-03-26 | McAfee ePO Information Leak vulnerability |
| CVE-2021-3275 | 2021-03-26 | Unauthenticated stored cross-site scripting (XSS) exists in multiple TP-Link products including WIFI Routers (Wireless AC routers), Access Points, ADSL + DSL Gateways and Routers, which affects TD-W9977v1, TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5,... |
| CVE-2021-22506 | 2021-03-26 | An information leakage vulnerability in the advanced configuration of the Micro Focus Access Manager product affects all versions prior to version 5.0. The vulnerability could cause information leakage. |
| CVE-2020-25840 | 2021-03-26 | A cross-site scripting vulnerability in the Micro Focus Access Manager product affects all versions prior to version 5.0. The vulnerability could cause configuration destruction. |
| CVE-2020-19626 | 2021-03-26 | Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31 allows remote attackers to inject arbitrary web script or HTML via /admin/settings/sites/new. |
| CVE-2020-19625 | 2021-03-26 | Remote Code Execution vulnerability in tests/support/stores/test_grid_filter.php in oria gridx 1.3 allows remote attackers to execute arbitrary code via a crafted value of the $query parameter. |
| CVE-2021-3109 | 2021-03-26 | The custom menu item options page in SolarWinds Orion Platform before 2020.2.5 allows Reverse Tabnabbing in the context of an administrator account. |
| CVE-2020-35856 | 2021-03-26 | SolarWinds Orion Platform before 2020.2.5 allows stored XSS attacks by an administrator on the Customize View page. |
| CVE-2021-1626 | 2021-03-26 | MuleSoft is aware of a Remote Code Execution vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Versions affected: Mule 4.1.x and... |
| CVE-2021-1627 | 2021-03-26 | MuleSoft is aware of a Server Side Request Forgery vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. This affects: Mule 3.8.x,3.9.x,4.x... |
| CVE-2021-1628 | 2021-03-26 | MuleSoft is aware of a XML External Entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Affected versions: Mule 4.x... |
| CVE-2021-1629 | 2021-03-26 | Tableau Server fails to validate certain URLs that are embedded in emails sent to Tableau Server users. |
| CVE-2021-20289 | 2021-03-26 | A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy... |
| CVE-2021-20285 | 2021-03-26 | A flaw was found in upx canPack in p_lx_elf.cpp in UPX 3.96. This flaw allows attackers to cause a denial of service (SEGV or buffer overflow and application crash) or... |
| CVE-2021-20284 | 2021-03-26 | A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due to the number of symbols not calculated correctly. The highest... |
| CVE-2021-20193 | 2021-03-26 | A flaw was found in src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption... |
| CVE-2020-35518 | 2021-03-26 | When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check... |
| CVE-2020-35508 | 2021-03-26 | A possible race condition and incorrect initialization of the process ID were found in the Linux kernel's child/parent process identification handling while filtering signal handlers. A local attacker... |
| CVE-2021-20197 | 2021-03-26 | There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier: ar, objcopy, strip, ranlib. When these utilities are run as a... |
| CVE-2020-27829 | 2021-03-26 | A heap based buffer overflow in coders/tiff.c may result in program crash and denial of service in ImageMagick before 7.0.10-45. |
| CVE-2020-28695 | 2021-03-26 | Askey Fiber Router RTF3505VW-N1 BR_SV_g000_R3505VWN1001_s32_7 devices allow Remote Code Execution and retrieval of admin credentials to log into the Dashboard or login via SSH, leading to code execution as root. |
| CVE-2021-21403 | 2021-03-26 | Authentication Bypass by Primary Weakness in github.com/kongchuanhujiao/server |
| CVE-2021-29255 | 2021-03-26 | MicroSeven MYM71080i-B 2.0.5 through 2.0.20 devices send admin credentials in cleartext to pnp.microseven.com TCP port 7007. An attacker on the same network as the device can capture these credentials. |
| CVE-2021-22886 | 2021-03-26 | Rocket.Chat before 3.11, 3.10.5, 3.9.7, 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags allowing a remote attacker to inject arbitrary JavaScript in a message. This flaw... |
| CVE-2021-25369 | 2021-03-26 | An improper access control vulnerability in the sec_log file prior to SMR Mar-2021 Release 1 exposes sensitive kernel information to userspace. |
| CVE-2021-25370 | 2021-03-26 | Incorrect file descriptor handling in the dpu driver prior to SMR Mar-2021 Release 1 results in memory corruption leading to a kernel panic. |
| CVE-2021-25371 | 2021-03-26 | A vulnerability in the DSP driver prior to SMR Mar-2021 Release 1 allows attackers to load arbitrary ELF libraries inside the DSP. |
| CVE-2021-25372 | 2021-03-26 | An improper boundary check in the DSP driver prior to SMR Mar-2021 Release 1 allows out-of-bounds memory access. |
| CVE-2021-22172 | 2021-03-26 | Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page |
| CVE-2021-22194 | 2021-03-26 | In all versions of GitLab, marshalled session keys were being stored in Redis. |
| CVE-2021-22180 | 2021-03-26 | An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytic pages. |
| CVE-2021-22184 | 2021-03-26 | An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted. |
| CVE-2021-21332 | 2021-03-26 | Cross-site scripting (XSS) vulnerability in the password reset endpoint |
| CVE-2021-21333 | 2021-03-26 | HTML injection in email and account expiry notifications |
| CVE-2021-21389 | 2021-03-26 | BuddyPress privilege escalation via REST API |
| CVE-2020-7467 | 2021-03-26 | In FreeBSD 12.2-STABLE before r365767, 11.4-STABLE before r365769, 12.1-RELEASE before p10, 11.4-RELEASE before p4 and 11.3-RELEASE before p14 a number of AMD virtualization instructions operate on host physical addresses, are... |
| CVE-2020-7468 | 2021-03-26 | In FreeBSD 12.2-STABLE before r365772, 11.4-STABLE before r365773, 12.1-RELEASE before p10, 11.4-RELEASE before p4 and 11.3-RELEASE before p14 an ftpd(8) bug in the implementation of the file system sandbox, combined... |
| CVE-2020-25580 | 2021-03-26 | In FreeBSD 12.2-STABLE before r369346, 11.4-STABLE before r369345, 12.2-RELEASE before p4 and 11.4-RELEASE before p8 a regression in the login.access(5) rule processor has the effect of causing rules to fail... |
| CVE-2020-25581 | 2021-03-26 | In FreeBSD 12.2-STABLE before r369312, 11.4-STABLE before r369313, 12.2-RELEASE before p4 and 11.4-RELEASE before p8 due to a race condition in the jail_remove(2) implementation, it may fail to kill some... |
| CVE-2020-25582 | 2021-03-26 | In FreeBSD 12.2-STABLE before r369334, 11.4-STABLE before r369335, 12.2-RELEASE before p4 and 11.4-RELEASE before p8 when a process, such as jexec(8) or killall(1), calls jail_attach(2) to enter a jail, the... |
| CVE-2020-25578 | 2021-03-26 | In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 several file systems were not properly initializing the d_off field of the... |
| CVE-2020-25579 | 2021-03-26 | In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 msdosfs(5) was failing to zero-fill a pair of padding fields in the... |
| CVE-2020-7462 | 2021-03-26 | In FreeBSD 11.4-PRERELEASE before r360733 and 11.3-RELEASE before p13, improper mbuf handling in the kernel causes a use-after-free bug by sending IPv6 Hop-by-Hop options over the loopback interface. The use-after-free situation... |
| CVE-2020-7463 | 2021-03-26 | In FreeBSD 12.1-STABLE before r364644, 11.4-STABLE before r364651, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, improper handling in the kernel causes a use-after-free bug by sending large... |
| CVE-2020-7461 | 2021-03-26 | In FreeBSD 12.1-STABLE before r365010, 11.4-STABLE before r365011, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, dhclient(8) fails to handle certain malformed input related to handling of DHCP... |
| CVE-2021-21411 | 2021-03-26 | Incorrect authorization in OAuth2-Proxy |
| CVE-2020-7464 | 2021-03-26 | In FreeBSD 12.2-STABLE before r365730, 11.4-STABLE before r365738, 12.1-RELEASE before p10, 11.4-RELEASE before p4, and 11.3-RELEASE before p14, a programming error in the ure(4) device driver caused some Realtek USB... |
| CVE-2021-21372 | 2021-03-26 | Nimble arbitrary code execution for specially crafted package metadata |
| CVE-2021-21374 | 2021-03-26 | Nimble fails to validate certificates due to insecure httpClient defaults |
| CVE-2021-21373 | 2021-03-26 | Nimble falls back to insecure http url when fetching packages |
| CVE-2021-20206 | 2021-03-26 | An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1. When specifying the plugin to load in the 'type' field in the network configuration, it... |
| CVE-2021-29266 | 2021-03-26 | An issue was discovered in the Linux kernel before 5.11.9. drivers/vhost/vdpa.c has a use-after-free because v->config_ctx has an invalid value upon re-opening a character device, aka CID-f6bbf0010ba0. |
| CVE-2021-29265 | 2021-03-26 | An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during... |
| CVE-2021-29264 | 2021-03-26 | An issue was discovered in the Linux kernel through 5.11.10. drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negative fragment size is... |
| CVE-2021-21396 | 2021-03-26 | Bulk list client endpoint exposes too much metadata about a client |
| CVE-2021-29249 | 2021-03-26 | BTCPay Server before 1.0.6.0, when the payment button is used, has a privacy vulnerability. |
| CVE-2021-29271 | 2021-03-27 | remark42 before 1.6.1 allows XSS, as demonstrated by "Locator: Locator{URL:" followed by an XSS payload. This is related to backend/app/store/comment.go and backend/app/store/service/service.go. |
| CVE-2021-29272 | 2021-03-27 | bluemonday before 1.0.5 allows XSS because certain Go lowercasing converts an uppercase Cyrillic character, defeating a protection mechanism against the "script" string. |
| CVE-2020-35137 | 2021-03-29 | The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The... |
| CVE-2021-29274 | 2021-03-29 | Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip. |
| CVE-2021-28937 | 2021-03-29 | The /password.html page of the Web management interface of the Acexy Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) contains the administrator account password in plaintext. The page can be intercepted on... |
| CVE-2021-28936 | 2021-03-29 | The Acexy Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) Web management administrator password can be changed by sending a specially crafted HTTP GET request. The administrator username has to be known... |
| CVE-2021-23358 | 2021-03-29 | Arbitrary Code Injection in the underscore npm package via its template function |
| CVE-2021-29267 | 2021-03-29 | Sherlock SherlockIM through 2021-03-29 allows Cross Site Scripting (XSS) by leveraging the api/Files/Attachment URI to attack help-desk staff via the chatbot feature. |
| CVE-2021-27352 | 2021-03-29 | An open redirect vulnerability in Ilch CMS version 2.1.42 allows attackers to redirect users to an attacker's site after a successful login. |
| CVE-2021-21727 | 2021-03-29 | A ZTE product has a DoS vulnerability. A remote attacker can amplify traffic by sending carefully constructed IPv6 packets to the affected devices, which eventually leads to device denial of... |
| CVE-2020-7850 | 2021-03-29 | Douzone ActiveX File Download and Execution Vulnerability |
| CVE-2019-5317 | 2021-03-29 | A local authentication bypass vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x: 6.5.4.15 and below; Aruba... |
| CVE-2020-25218 | 2021-03-29 | Grandstream GRP261x VoIP phone running firmware version 1.0.3.6 (Base) allows Authentication Bypass in its administrative web interface. |
| CVE-2020-25217 | 2021-03-29 | Grandstream GRP261x VoIP phone running firmware version 1.0.3.6 (Base) allows Command Injection as root in its administrative web interface. |
| CVE-2021-28670 | 2021-03-29 | Xerox AltaLink B8045/B8090 before 103.008.030.32000, C8030/C8035 before 103.001.030.32000, C8045/C8055 before 103.002.030.32000 and C8070 before 103.003.030.32000 allow unauthorized users, by leveraging the Scan To Mailbox feature, to delete arbitrary files from... |
| CVE-2021-29416 | 2021-03-29 | An issue was discovered in PortSwigger Burp Suite before 2021.2. During viewing of a malicious request, it can be manipulated into issuing a request that does not respect its upstream... |
| CVE-2021-29417 | 2021-03-29 | gitjacker before 0.1.0 allows remote attackers to execute arbitrary code via a crafted .git directory because of directory traversal. |
| CVE-2021-28673 | 2021-03-29 | Xerox Phaser 6510 before 64.61.23 and 64.59.11 (Bridge), WorkCentre 6515 before 65.61.23 and 65.59.11 (Bridge), VersaLink B400 before 37.61.23 and 37.59.01 (Bridge), B405 before 38.61.23 and 38.59.01 (Bridge), B600/B610 before... |
| CVE-2021-25143 | 2021-03-29 | A remote denial of service (dos) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 8.3.x: 8.3.0.12 and below; Aruba Instant 8.5.x: 8.5.0.9 and... |
| CVE-2020-24635 | 2021-03-29 | A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and... |
| CVE-2021-25144 | 2021-03-29 | A remote buffer overflow vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.16 and below; Aruba... |
| CVE-2020-24636 | 2021-03-29 | A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and... |
| CVE-2021-26714 | 2021-03-29 | The Enterprise License Manager portal in Mitel MiContact Center Enterprise before 9.4 could allow a user to access restricted files and folders due to insufficient access control. A successful exploit... |
| CVE-2021-28669 | 2021-03-29 | Xerox AltaLink B80xx before 103.008.020.23120, C8030/C8035 before 103.001.020.23120, C8045/C8055 before 103.002.020.23120 and C8070 before 103.003.020.23120 provide the ability to set configuration attributes without administrative rights. |
| CVE-2021-28668 | 2021-03-29 | Xerox AltaLink B80xx before 103.008.020.23120, C8030/C8035 before 103.001.020.23120, C8045/C8055 before 103.002.020.23120 and C8070 before 103.003.020.23120 have several SQL injection vulnerabilities. |
| CVE-2020-35138 | 2021-03-29 | The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work... |
| CVE-2021-3391 | 2021-03-29 | MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message. |
| CVE-2020-25577 | 2021-03-29 | In FreeBSD 12.2-STABLE before r368250, 11.4-STABLE before r368253, 12.2-RELEASE before p1, 12.1-RELEASE before p11 and 11.4-RELEASE before p5 rtsold(8) does not verify that the RDNSS option does not extend past... |
| CVE-2020-25583 | 2021-03-29 | In FreeBSD 12.2-STABLE before r368250, 11.4-STABLE before r368253, 12.2-RELEASE before p1, 12.1-RELEASE before p11 and 11.4-RELEASE before p5 when processing a DNSSL option, rtsold(8) decodes domain name labels per an... |
| CVE-2021-28672 | 2021-03-29 | Xerox Phaser 6510 before 64.65.51 and 64.59.11 (Bridge), WorkCentre 6515 before 65.65.51 and 65.59.11 (Bridge), VersaLink B400 before 37.65.51 and 37.59.01 (Bridge), B405 before 38.65.51 and 38.59.01 (Bridge), B600/B610 before... |
| CVE-2021-28671 | 2021-03-29 | Xerox Phaser 6510 before 64.65.51 and 64.59.11 (Bridge), WorkCentre 6515 before 65.65.51 and 65.59.11 (Bridge), VersaLink B400 before 37.65.51 and 37.59.01 (Bridge), B405 before 38.65.51 and 38.59.01 (Bridge), B600/B610 before... |
| CVE-2021-27272 | 2021-03-29 | This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication... |
| CVE-2021-27273 | 2021-03-29 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication... |
| CVE-2021-27274 | 2021-03-29 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Authentication is not required to exploit this vulnerability. The specific flaw... |
| CVE-2021-27275 | 2021-03-29 | This vulnerability allows remote attackers to disclose sensitive information and delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this... |
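The bluemonday entry above (CVE-2021-29272) describes a sanitizer check on the string "script" that was defeated because Go's lowercasing maps a non-ASCII character onto an ASCII letter. The Go program below is an added example, not bluemonday's code or its fix, that shows the general mechanism behind that class of bug: `strings.ToLower`, `strings.EqualFold` and ASCII-only lowercasing are three different notions of "case-insensitive", and only the ASCII rule matches how HTML treats tag names. The characters used (U+0130 and U+017F, which Go's simple case mapping relates to ASCII "i" and "S"), the allowlist contents and every function name are this example's own choices; the CVE record cites a Cyrillic character, which the example does not reproduce.

```go
package main

import (
	"fmt"
	"strings"
)

// asciiLower lowercases only the ASCII letters A-Z. This is the rule HTML
// applies to tag and attribute names (ASCII case-insensitive, never Unicode
// case-insensitive), so it is the normalization a browser will agree with.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// Three ways a Go program might ask "is this tag name script?". They define
// three different equivalence relations; only the first matches HTML.
func isScriptASCII(tag string) bool   { return asciiLower(tag) == "script" }
func isScriptUnicode(tag string) bool { return strings.ToLower(tag) == "script" }
func isScriptFold(tag string) bool    { return strings.EqualFold(tag, "script") }

// disagreements returns the names on which the three checks do not all agree.
// Any such name is one where a denylist built on the wrong rule will answer
// differently from the browser that finally renders the output.
func disagreements(names []string) []string {
	var out []string
	for _, n := range names {
		a, u, f := isScriptASCII(n), isScriptUnicode(n), isScriptFold(n)
		if a != u || a != f {
			out = append(out, n)
		}
	}
	return out
}

// allowedTags is an illustrative allowlist (an assumption of this example).
var allowedTags = map[string]bool{"a": true, "b": true, "div": true, "p": true, "span": true}

// allowTag is the pattern a sanitizer should use instead of a denylist check:
// normalize exactly as the consumer (the browser) will, then look the result
// up in an allowlist. Anything that is not a known-good name is dropped, so an
// unusual spelling of a dangerous name can never be "not script, so fine".
func allowTag(raw string) (string, bool) {
	name := asciiLower(raw)
	return name, allowedTags[name]
}

func main() {
	// Constructed inputs. U+0130 (LATIN CAPITAL LETTER I WITH DOT ABOVE) lowercases
	// to ASCII 'i' under Go's simple case mapping; U+017F (LATIN SMALL LETTER LONG S)
	// case-folds to 's'. They illustrate the mechanism, not the CVE's character.
	names := []string{"script", "SCRIPT", "scr\u0130pt", "\u017Fcript", "div"}
	for _, n := range names {
		fmt.Printf("%-12q ascii=%-5t ToLower=%-5t EqualFold=%-5t\n",
			n, isScriptASCII(n), isScriptUnicode(n), isScriptFold(n))
	}
	fmt.Println("checks disagree on:", disagreements(names))
	for _, n := range []string{"DIV", "scr\u0130pt", "script"} {
		name, ok := allowTag(n)
		fmt.Printf("allowTag(%q) -> %q allowed=%t\n", n, name, ok)
	}
}
```

The design point is that normalization must happen once, with the same rule the downstream consumer uses, and the result must be compared against an allowlist; a denylist that lowercases with a Unicode-aware routine can classify a name as "script" that a browser will not, or vice versa, and either mismatch is exploitable depending on which side the sanitizer trusts.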