CVE List - 2021 / April
Showing 901 - 1000 of 1817 CVEs for April 2021 (Page 10 of 19)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-28856 | 2021-04-14 | In Deark before v1.5.8, a specially crafted input file can cause a division by zero in (src/fmtutil.c) because of the value of pixelsize. |
| CVE-2021-28855 | 2021-04-14 | In Deark before 1.5.8, a specially crafted input file can cause a NULL pointer dereference in the dbuf_write function (src/deark-dbuf.c). |
| CVE-2020-35419 | 2021-04-14 | Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter. |
| CVE-2020-35418 | 2021-04-14 | Cross Site Scripting (XSS) in the contact page of Group Office CRM 6.4.196 by uploading a crafted svg file. |
| CVE-2021-28060 | 2021-04-14 | A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php. |
| CVE-2021-28825 | 2021-04-14 | TIBCO Messaging - Eclipse Mosquitto Distribution - Core Windows Platform Installation vulnerability |
| CVE-2021-28826 | 2021-04-14 | TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge Windows Platform Installation vulnerability |
| CVE-2020-28124 | 2021-04-14 | Cross Site Scripting (XSS) in LavaLite 5.8.0 via the Address field. |
| CVE-2020-35660 | 2021-04-14 | Cross Site Scripting (XSS) in Monica before 2.19.1 via the journal page. |
| CVE-2021-27710 | 2021-04-14 | Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request.... |
| CVE-2021-28484 | 2021-04-14 | An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 (in YubiHSM SDK before 2021.04). The handler did not validate the length of the request, which... |
| CVE-2021-3017 | 2021-04-14 | The web interface on Intelbras WIN 300 and WRN 342 devices through 2021-01-04 allows remote attackers to discover credentials by reading the def_wirelesspassword line in the HTML source code. |
| CVE-2021-30459 | 2021-04-14 | A SQL Injection issue in the SQL Panel in Jazzband Django Debug Toolbar before 1.11.1, 2.x before 2.2.1, and 3.x before 3.2.1 allows attackers to execute SQL statements by changing... |
| CVE-2021-26030 | 2021-04-14 | [20210401] - Core - Escape xss in logo parameter error pages |
| CVE-2021-26031 | 2021-04-14 | [20210402] - Core - Inadequate filters on module layout settings |
| CVE-2021-29654 | 2021-04-14 | AjaxSearchPro before 4.20.8 allows Deserialization of Untrusted Data (in the import database feature of the administration panel), leading to Remote Code execution. |
| CVE-2021-28048 | 2021-04-14 | An overly permissive CORS policy in Devolutions Server before 2021.1 and Devolutions Server LTS before 2020.3.18 allows a remote attacker to leak cross-origin data via a crafted HTML page. |
| CVE-2021-28157 | 2021-04-14 | An SQL Injection issue in Devolutions Server before 2021.1 and Devolutions Server LTS before 2020.3.18 allows an administrative user to execute arbitrary SQL commands via a username in api/security/userinfo/delete. |
| CVE-2021-29449 | 2021-04-14 | Multiple Privilege Escalation Vulnerabilities Pihole |
| CVE-2021-27180 | 2021-04-14 | An issue was discovered in MDaemon before 20.0.4. There is Reflected XSS in Webmail (aka WorldClient). It can be exploited via a GET request. It allows performing any action with... |
| CVE-2021-27181 | 2021-04-14 | An issue was discovered in MDaemon before 20.0.4. Remote Administration allows an attacker to perform a fixation of the anti-CSRF token. In order to exploit this issue, the user has... |
| CVE-2021-27182 | 2021-04-14 | An issue was discovered in MDaemon before 20.0.4. There is an IFRAME injection vulnerability in Webmail (aka WorldClient). It can be exploited via an email message. It allows an attacker... |
| CVE-2021-27183 | 2021-04-14 | An issue was discovered in MDaemon before 20.0.4. Administrators can use Remote Administration to exploit an Arbitrary File Write vulnerability. An attacker is able to create new files in any... |
| CVE-2021-30487 | 2021-04-14 | In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation. |
| CVE-2021-30477 | 2021-04-14 | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook... |
| CVE-2020-36288 | 2021-04-14 | The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote... |
| CVE-2021-26075 | 2021-04-14 | The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated... |
| CVE-2021-26076 | 2021-04-14 | The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version... |
| CVE-2021-30478 | 2021-04-14 | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send... |
| CVE-2021-30479 | 2021-04-14 | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to... |
| CVE-2021-20288 | 2021-04-15 | An authentication flaw was found in ceph in versions before 14.2.20. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a... |
| CVE-2021-23884 | 2021-04-15 | Clear text exposure of password in McAfee CSR ePO extension |
| CVE-2021-27850 | 2021-04-15 | Bypass of the fix for CVE-2019-0195 |
| CVE-2020-7308 | 2021-04-15 | Transmission of data in clear text by McAfee ENS |
| CVE-2021-23886 | 2021-04-15 | Local Denial of Service in McAfee DLP Endpoint for Windows |
| CVE-2021-23887 | 2021-04-15 | Privilege escalation in McAfee DLP Endpoint for Windows |
| CVE-2020-7269 | 2021-04-15 | Sensitive Information Exposure in McAfee ATD |
| CVE-2020-7270 | 2021-04-15 | Sensitive Information Exposure in McAfee ATD |
| CVE-2021-27129 | 2021-04-15 | CASAP Automated Enrollment System version 1.0 contains a cross-site scripting (XSS) vulnerability through the Students > Edit > ROUTE parameter. |
| CVE-2021-27544 | 2021-04-15 | Cross Site Scripting (XSS) in the "add-services.php" component of PHPGurukul Beauty Parlour Management System v1.0 allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "sername" parameter. |
| CVE-2021-27545 | 2021-04-15 | SQL Injection in the "add-services.php" component of PHPGurukul Beauty Parlour Management System v1.0 allows remote attackers to obtain sensitive database information by injecting SQL commands into the "sername" parameter. |
| CVE-2021-0488 | 2021-04-15 | In pb_write of pb_encode.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges... |
| CVE-2021-30209 | 2021-04-15 | Textpattern V4.8.4 contains an arbitrary file upload vulnerability where a plug-in can be loaded in the background without any security verification, which may lead to obtaining system permissions. |
| CVE-2020-27237 | 2021-04-15 | An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The code parameter in the The nomenclature parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL... |
| CVE-2020-27238 | 2021-04-15 | An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The code parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make... |
| CVE-2020-27239 | 2021-04-15 | An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The assetStatus parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection An attacker can make... |
| CVE-2020-28592 | 2021-04-15 | A heap-based buffer overflow vulnerability exists in the configuration server functionality of the Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0. A specially crafted JSON object can lead to remote code... |
| CVE-2020-28593 | 2021-04-15 | A unauthenticated backdoor exists in the configuration server functionality of Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0. A specially crafted JSON object can lead to code execution. An attacker can... |
| CVE-2021-21094 | 2021-04-15 | Adobe Bridge PDF File Parsing Out-Of-Bounds Write vulnerability could lead to arbitrary code execution |
| CVE-2021-21096 | 2021-04-15 | Adobe Bridge Genuine Software Service Incorrect Permission Assignment could lead to Denial-of-Service |
| CVE-2021-28242 | 2021-04-15 | SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cf_name" parameter when creating a new filter... |
| CVE-2021-21100 | 2021-04-15 | Adobe Digital Editions Arbitrary file system write vulnerability |
| CVE-2021-27672 | 2021-04-15 | SQL Injection in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS v8.8.52729 allows remote attackers to obtain sesnitive database information by injecting SQL commands into the "cID" parameter when creating... |
| CVE-2021-27673 | 2021-04-15 | Cross Site Scripting (XSS) in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS v8.8.52729 allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "cID" parameter when... |
| CVE-2021-21093 | 2021-04-15 | Adobe Bridge SGI File Parsing Memory Corruption vulnerability could lead to arbitrary code execution |
| CVE-2021-21095 | 2021-04-15 | Adobe Bridge TTF Font Parsing Out-Of-Bounds Write vulnerability could lead to arbitrary code execution |
| CVE-2021-28549 | 2021-04-15 | Adobe Photoshop parsing JS buffer overflow vulnerability could lead to arbitrary code execution |
| CVE-2021-21091 | 2021-04-15 | Adobe Bridge HEIC File Parsing Out-Of-Bounds Read vulnerability could lead to information disclosure |
| CVE-2021-21092 | 2021-04-15 | Adobe Bridge DCM File Parsing Memory Corruption could lead to arbitrary code execution |
| CVE-2021-21087 | 2021-04-15 | ColdFusion Improper neutralization of web input during page generation could lead to arbitrary JavaScript execution in the browser |
| CVE-2021-28548 | 2021-04-15 | Adobe Photoshop parsing JS buffer overflow vulnerability could lead to arbitrary code execution |
| CVE-2021-31229 | 2021-04-15 | An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_internal_dtd() performs incorrect memory handling while parsing crafted XML files, which leads to an out-of-bounds write of a one... |
| CVE-2021-27112 | 2021-04-15 | LightCMS v1.3.5 contains a remote code execution vulnerability in /app/Http/Controllers/Admin/NEditorController.php during the downloading of external images. |
| CVE-2021-29448 | 2021-04-15 | Stored DOM XSS in Pi-hole Admin Web Interface |
| CVE-2021-3243 | 2021-04-15 | Wfilter ICF 5.0.117 contains a cross-site scripting (XSS) vulnerability. An attacker in the same LAN can craft a packet with a malicious User-Agent header to inject a payload in its... |
| CVE-2021-26582 | 2021-04-15 | A security vulnerability in HPE IceWall SSO Domain Gateway Option (Dgfw) module version 10.0 on RHEL 5/6/7, version 10.0 on HP-UX 11i v3, version 10.0 on Windows and 11.0 on... |
| CVE-2021-29433 | 2021-04-15 | Denial of service (via resource exhaustion) due to improper input validation |
| CVE-2020-28898 | 2021-04-15 | In QED ResourceXpress through 4.9k, a large numeric or alphanumeric value submitted in specific URL parameters causes a server error in script execution due to insufficient input validation. |
| CVE-2021-31402 | 2021-04-15 | The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669. |
| CVE-2021-28055 | 2021-04-15 | An issue was discovered in Centreon-Web in Centreon Platform 20.10.0. The anti-CSRF token generation is predictable, which might allow CSRF attacks that add an admin user. |
| CVE-2021-30245 | 2021-04-15 | Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks |
| CVE-2021-29430 | 2021-04-15 | Denial of service attack via memory exhaustion |
| CVE-2021-29432 | 2021-04-15 | Malicious users could control the content of invitation emails |
| CVE-2021-29431 | 2021-04-15 | SSRF in Sydent due to missing validation of hostnames |
| CVE-2021-29447 | 2021-04-15 | WordPress Authenticated XXE attack when installation is running PHP 8 |
| CVE-2021-29450 | 2021-04-15 | WordPress Authenticated disclosure of password-protected posts and pages |
| CVE-2021-21405 | 2021-04-15 | BLS Signature "Malleability" |
| CVE-2021-27692 | 2021-04-15 | Command Injection in Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted "action/umountUSBPartition" request. This occurs because... |
| CVE-2021-27691 | 2021-04-15 | Command Injection in Tenda G0 routers with firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN , and Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute... |
| CVE-2018-19942 | 2021-04-16 | Cross-site Scripting Vulnerability in File Station |
| CVE-2021-26073 | 2021-04-16 | Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and... |
| CVE-2021-26074 | 2021-04-16 | Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication... |
| CVE-2021-31414 | 2021-04-16 | The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration. |
| CVE-2021-22539 | 2021-04-16 | Code execution in VSCode-bazel via malicious Bazel config files |
| CVE-2021-20491 | 2021-04-16 | IBM Spectrum Protect Server 7.1 and 8.1 is subject to a stack-based buffer overflow caused by improper bounds checking during the parsing of commands. By issuing such a command with... |
| CVE-2020-9667 | 2021-04-16 | Uncontrolled Search Path Element in AGSService.exe |
| CVE-2020-9668 | 2021-04-16 | AGSService program mishandling symbolic links |
| CVE-2020-9681 | 2021-04-16 | Adobe Genuine Service privilege escalation vulnerability |
| CVE-2021-26830 | 2021-04-16 | SQL Injection in Tribalsystems Zenario CMS 8.8.52729 allows remote attackers to access the database or delete the plugin. This is accomplished via the `ID` input field of ajax.php in the... |
| CVE-2021-31347 | 2021-04-16 | An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_parse_str() performs incorrect memory handling while parsing crafted XML files (writing outside a memory region created by mmap). |
| CVE-2021-29443 | 2021-04-16 | Padding Oracle Attack due to Observable Timing Discrepancy in jose |
| CVE-2021-31348 | 2021-04-16 | An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_parse_str() performs incorrect memory handling while parsing crafted XML files (out-of-bounds read after a certain strcspn failure). |
| CVE-2021-27394 | 2021-04-16 | A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.19), Mendix Applications using Mendix 8 (All versions < V8.17.0), Mendix Applications using Mendix 8 (V8.12)... |
| CVE-2021-29452 | 2021-04-16 | Any logged in user could edit any other logged in user. |
| CVE-2021-29451 | 2021-04-16 | Missing validation of JWT signature in `ManyDesigns/Portofino` |
| CVE-2021-29444 | 2021-04-16 | Padding Oracle Attack due to Observable Timing Discrepancy in jose-browser-runtime |
| CVE-2021-29445 | 2021-04-16 | Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-esm-runtime |
| CVE-2021-29446 | 2021-04-16 | Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-cjs-runtime |
| CVE-2020-2509 | 2021-04-17 | Command Injection Vulnerability in QTS and QuTS hero |
| CVE-2020-36195 | 2021-04-17 | SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On |