CVE List - 2021 / March
Showing 101 - 200 of 1447 CVEs for March 2021 (Page 2 of 15)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-20233 | 2021-03-03 | A flaw was found in grub2 in versions prior to 2.06. Setparam_prefix() in the menu rendering code performs a length calculation on the assumption that expressing a quoted single quote... |
| CVE-2021-20441 | 2021-03-03 | IBM Security Verify Bridge uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 196617. |
| CVE-2021-20442 | 2021-03-03 | IBM Security Verify Bridge contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of... |
| CVE-2020-29047 | 2021-03-03 | The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php. |
| CVE-2021-22884 | 2021-03-03 | Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary... |
| CVE-2021-22883 | 2021-03-03 | Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak... |
| CVE-2021-22877 | 2021-03-03 | A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users external storage configuration when not already configured yet. |
| CVE-2021-22878 | 2021-03-03 | Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`. |
| CVE-2020-8296 | 2021-03-03 | Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured. |
| CVE-2021-21978 | 2021-03-03 | VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in logupload... |
| CVE-2020-28597 | 2021-03-03 | A predictable seed vulnerability exists in the password reset functionality of Epignosis EfrontPro 5.2.21. By predicting the seed it is possible to generate the correct password reset 1-time token. An... |
| CVE-2020-28591 | 2021-03-03 | An out-of-bounds read vulnerability exists in the AMF File AMFParserContext::endElement() functionality of Slic3r libslic3r 1.3.0 and Master Commit 92abbc42. A specially crafted AMF file can lead to information disclosure. An... |
| CVE-2020-13558 | 2021-03-03 | A code execution vulnerability exists in the AudioSourceProviderGStreamer functionality of Webkit WebKitGTK 2.30.1. A specially crafted web page can lead to a use after free. |
| CVE-2021-22188 | 2021-03-03 | An issue has been discovered in GitLab affecting all versions starting with 13.0. Confidential issue titles in Gitlab were readable by an unauthorised user via branch logs. |
| CVE-2021-22182 | 2021-03-03 | An issue has been discovered in GitLab affecting all versions starting with 13.7. GitLab was vulnerable to a stored XSS in merge request. |
| CVE-2021-22681 | 2021-03-03 | Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation CompactLogix... |
| CVE-2021-27839 | 2021-03-03 | A CSV injection vulnerability found in Online Invoicing System (OIS) 4.3 and below can be exploited by users to perform malicious actions such as redirecting admins to unknown or harmful... |
| CVE-2021-21313 | 2021-03-03 | XSS on tabs |
| CVE-2021-21312 | 2021-03-03 | Stored XSS on documents |
| CVE-2021-21314 | 2021-03-03 | XSS injection on ticket update |
| CVE-2021-27935 | 2021-03-03 | An issue was discovered in AdGuard before 0.105.2. An attacker able to get the user's cookie is able to bruteforce their password offline, because the hash of the password is... |
| CVE-2021-27931 | 2021-03-03 | LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes... |
| CVE-2021-27940 | 2021-03-03 | resources/public/js/orchestrator.js in openark orchestrator before 3.2.4 allows XSS via the orchestrator-msg parameter. |
| CVE-2021-21331 | 2021-03-03 | DataDog API Client contains a Local Information Disclosure Vulnerability |
| CVE-2020-28601 | 2021-03-04 | A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. An oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_vertex() Face_of[] OOB read. An attacker can provide malicious... |
| CVE-2020-28636 | 2021-03-04 | A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->twin() An attacker can provide malicious input to... |
| CVE-2020-35628 | 2021-03-04 | A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->incident_sface. An attacker can provide malicious input to... |
| CVE-2020-35636 | 2021-03-04 | A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1 in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->volume() OOB read. A specially crafted malformed file can lead to an out-of-bounds... |
| CVE-2019-18628 | 2021-03-04 | Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200 allow a user with administrative privileges to turn off data encryption on the device, thus leaving it open... |
| CVE-2019-18629 | 2021-03-04 | Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200 allow an attacker to execute an unwanted binary during a exploited clone install. This requires creating a clone... |
| CVE-2020-24036 | 2021-03-04 | PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code. |
| CVE-2020-24912 | 2021-03-04 | A reflected cross-site scripting (XSS) vulnerability in qcubed (all versions including 3.1.1) in profile.php via the stQuery-parameter allows unauthenticated attackers to steal sessions of authenticated users. |
| CVE-2020-24913 | 2021-03-04 | A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a... |
| CVE-2020-24914 | 2021-03-04 | A PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable "strProfileData" and allows an unauthenticated attacker to execute code via... |
| CVE-2021-22189 | 2021-03-04 | Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication... |
| CVE-2021-22183 | 2021-03-04 | An issue has been discovered in GitLab affecting all versions starting with 11.8. GitLab was vulnerable to a stored XSS in the epics page, which could be exploited with user... |
| CVE-2020-35327 | 2021-03-04 | SQL injection vulnerability was discovered in Courier Management System 1.0, which can be exploited via the ref_no (POST) parameter to admin_class.php |
| CVE-2020-35328 | 2021-03-04 | Courier Management System 1.0 - 'First Name' Stored XSS |
| CVE-2020-35329 | 2021-03-04 | Courier Management System 1.0 1.0 is affected by SQL Injection via 'MULTIPART street '. |
| CVE-2021-23344 | 2021-03-04 | Remote Code Execution (RCE) |
| CVE-2021-23346 | 2021-03-04 | Regular Expression Denial of Service (ReDoS) |
| CVE-2021-22128 | 2021-03-04 | An improper access control vulnerability in FortiProxy SSL VPN portal 2.0.0, 1.2.9 and below versions may allow an authenticated, remote attacker to access internal service such as the ZebOS Shell... |
| CVE-2020-15938 | 2021-03-04 | When traffic other than HTTP/S (eg: SSH traffic, etc...) traverses the FortiGate in version below 6.2.5 and below 6.4.2 on port 80/443, it is not redirected to the transparent proxy... |
| CVE-2021-23126 | 2021-03-04 | [20210301] - Core - Insecure randomness within 2FA secret generation |
| CVE-2021-23127 | 2021-03-04 | [20210301] - Core - Insecure randomness within 2FA secret generation |
| CVE-2021-23128 | 2021-03-04 | [20210302] - Core - Potential Insecure FOFEncryptRandval |
| CVE-2021-23129 | 2021-03-04 | [20210303] - Core - XSS within alert messages showed to users |
| CVE-2021-23130 | 2021-03-04 | [20210304] - Core - XSS within the feed parser library |
| CVE-2021-23131 | 2021-03-04 | [20210305] - Core - Input validation within the template manager |
| CVE-2021-23132 | 2021-03-04 | [20210306] - Core - com_media allowed paths that are not intended for image uploads |
| CVE-2021-26027 | 2021-03-04 | [20210307] - Core - ACL violation within com_content frontend editing |
| CVE-2021-26028 | 2021-03-04 | [20210308] - Core - Path Traversal within joomla/archive zip class |
| CVE-2021-26029 | 2021-03-04 | [20210309] - Core - Inadequate filtering of form contents could allow to overwrite the author field |
| CVE-2021-27217 | 2021-03-04 | An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the... |
| CVE-2020-4856 | 2021-03-04 | IBM Engineering products are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to... |
| CVE-2020-4857 | 2021-03-04 | IBM Engineering products are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to... |
| CVE-2020-4863 | 2021-03-04 | IBM Engineering products are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to... |
| CVE-2020-4866 | 2021-03-04 | IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials... |
| CVE-2020-4975 | 2021-03-04 | IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials... |
| CVE-2021-20340 | 2021-03-04 | IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials... |
| CVE-2021-20350 | 2021-03-04 | IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials... |
| CVE-2021-20351 | 2021-03-04 | IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials... |
| CVE-2020-8298 | 2021-03-04 | fs-path node module before 0.0.25 is vulnerable to command injection by way of user-supplied inputs via the `copy`, `copySync`, `remove`, and `removeSync` methods. |
| CVE-2021-24031 | 2021-03-04 | In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files... |
| CVE-2021-24032 | 2021-03-04 | Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards.... |
| CVE-2021-26293 | 2021-03-04 | An issue was discovered in AfterLogic Aurora through 8.5.3 and WebMail Pro through 8.5.3, when DAV is enabled. They allow directory traversal to create new files (such as an executable... |
| CVE-2021-26988 | 2021-03-04 | Clustered Data ONTAP versions prior to 9.3P21, 9.5P16, 9.6P12, 9.7P8 and 9.8 are susceptible to a vulnerability which could allow unauthorized tenant users to discover information related to converting a... |
| CVE-2021-26989 | 2021-03-04 | Clustered Data ONTAP versions prior to 9.3P21, 9.5P16, 9.6P12, 9.7P9 and 9.8 are susceptible to a vulnerability which could allow a remote authenticated attacker to cause a Denial of Service... |
| CVE-2021-25331 | 2021-03-04 | Improper access control in Samsung Pay mini application prior to v4.0.14 allows unauthorized access to balance information over the lockscreen in specific condition. |
| CVE-2021-25332 | 2021-03-04 | Improper access control in Samsung Pay mini application prior to v4.0.14 allows unauthorized access to contacts information over the lockscreen in specific condition. |
| CVE-2021-25333 | 2021-03-04 | Improper access control in Samsung Pay mini application prior to v4.0.14 allows unauthorized access to balance information over the lockscreen via scanning specific QR code. |
| CVE-2021-25334 | 2021-03-04 | Improper input check in wallpaper service in Samsung mobile devices prior to SMR Feb-2021 Release 1 allows untrusted application to cause permanent denial of service. |
| CVE-2021-25335 | 2021-03-04 | Improper lockscreen status check in cocktailbar service in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows unauthenticated users to access hidden notification contents over the lockscreen in specific... |
| CVE-2021-25336 | 2021-03-04 | Improper access control in NotificationManagerService in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows untrusted applications to acquire notification access via sending a crafted malicious intent. |
| CVE-2021-25337 | 2021-03-04 | Improper access control in clipboard service in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows untrusted applications to read or write certain local files. |
| CVE-2021-25338 | 2021-03-04 | Improper memory access control in RKP in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows an attacker, given a compromised kernel, to write certain part of RKP EL2... |
| CVE-2021-25339 | 2021-03-04 | Improper address validation in HArx in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows an attacker, given a compromised kernel, to corrupt EL2 memory. |
| CVE-2021-25340 | 2021-03-04 | Improper access control vulnerability in Samsung keyboard version prior to SMR Feb-2021 Release 1 allows physically proximate attackers to change in arbitrary settings during Initialization State. |
| CVE-2021-25341 | 2021-03-04 | Calling of non-existent provider in S Assistant prior to version 6.5.01.22 allows unauthorized actions including denial of service attack by hijacking the provider. |
| CVE-2021-25342 | 2021-03-04 | Calling of non-existent provider in SMP sdk prior to version 3.0.9 allows unauthorized actions including denial of service attack by hijacking the provider. |
| CVE-2021-25343 | 2021-03-04 | Calling of non-existent provider in Samsung Members prior to version 2.4.81.13 (in Android O(8.1) and below) and 3.8.00.13 (in Android P(9.0) and above) allows unauthorized actions including denial of service... |
| CVE-2021-25344 | 2021-03-04 | Missing permission check in knox_custom service prior to SMR Mar-2021 Release 1 allows attackers to gain access to device's serial number without permission. |
| CVE-2021-25345 | 2021-03-04 | Graphic format mismatch while converting video format in hwcomposer prior to SMR Mar-2021 Release 1 results in kernel panic due to unsupported format. |
| CVE-2021-25347 | 2021-03-04 | Hijacking vulnerability in Samsung Email application version prior to SMR Feb-2021 Release 1 allows attackers to intercept when the provider is executed. |
| CVE-2021-25346 | 2021-03-04 | A possible arbitrary memory overwrite vulnerabilities in quram library version prior to SMR Jan-2021 Release 1 allow arbitrary code execution. |
| CVE-2021-25348 | 2021-03-04 | Improper permission grant check in Samsung Internet prior to version 13.0.1.60 allows access to files in internal storage without authorized STORAGE permission. |
| CVE-2021-3403 | 2021-03-04 | In ytnef 1.9.3, the TNEFSubjectHandler function in lib/ytnef.c allows remote attackers to cause a denial-of-service (and potentially code execution) due to a double free which can be triggered via a... |
| CVE-2021-3404 | 2021-03-04 | In ytnef 1.9.3, the SwapWord function in lib/ytnef.c allows remote attackers to cause a denial-of-service (and potentially code execution) due to a heap buffer overflow which can be triggered via... |
| CVE-2020-25639 | 2021-03-04 | A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw... |
| CVE-2019-18630 | 2021-03-04 | On Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200, portions of the drive containing executable code were not encrypted thus leaving it open to potential cryptographic... |
| CVE-2021-27314 | 2021-03-04 | SQL injection in admin.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via username parameter at login page. |
| CVE-2021-28038 | 2021-03-05 | An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed... |
| CVE-2021-28039 | 2021-03-05 | An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used with Xen. In some less-common configurations, an x86 PV guest OS user can crash a Dom0 or... |
| CVE-2021-27964 | 2021-03-05 | SonLogger before 6.4.1 is affected by Unauthenticated Arbitrary File Upload. An attacker can send a POST request to /Config/SaveUploadedHotspotLogoFile without any authentication or session header. There is no check for... |
| CVE-2021-27963 | 2021-03-05 | SonLogger before 6.4.1 is affected by user creation with any user permissions profile (e.g., SuperAdmin). An anonymous user can send a POST request to /User/saveUser without any authentication or session... |
| CVE-2021-27965 | 2021-03-05 | The MsIo64.sys driver before 1.1.19.1016 in MSI Dragon Center before 2.0.98.0 has a buffer overflow that allows privilege escalation via a crafted 0x80102040, 0x80102044, 0x80102050, or 0x80102054 IOCTL request. |
| CVE-2020-36255 | 2021-03-05 | An issue was discovered in IdentityModel (aka ScottBrady.IdentityModel) before 1.3.0. The Branca implementation allows an attacker to modify and forge authentication tokens. |
| CVE-2020-5148 | 2021-03-05 | SonicWall SSO-agent default configuration uses NetAPI to probe the associated IP's in the network, this client probing method allows a potential attacker to capture the password hash of the privileged... |
| CVE-2019-25025 | 2021-03-05 | The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is... |
| CVE-2021-25313 | 2021-03-05 | Rancher: XSS on /v3/cluster/ |