CVE List - 2021 / April
Showing 1601 - 1700 of 1817 CVEs for April 2021 (Page 17 of 19)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-31856 | 2021-04-28 | A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go). |
| CVE-2021-31866 | 2021-04-28 | Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController. |
| CVE-2021-31865 | 2021-04-28 | Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments. |
| CVE-2021-31864 | 2021-04-28 | Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler. |
| CVE-2021-31863 | 2021-04-28 | Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by the... |
| CVE-2021-31778 | 2021-04-28 | The media2click (aka 2 Clicks for External Media) extension 1.x before 1.3.3 for TYPO3 allows XSS by a backend user account. |
| CVE-2021-31779 | 2021-04-28 | The yoast_seo (aka Yoast SEO) extension before 7.2.1 for TYPO3 allows SSRF via a backend user account. |
| CVE-2021-31777 | 2021-04-28 | The dce (aka Dynamic Content Element) extension 2.2.0 through 2.6.x before 2.6.2, and 2.7.x before 2.7.1, for TYPO3 allows SQL Injection via a backend user account. |
| CVE-2021-27933 | 2021-04-28 | pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field. |
| CVE-2021-27648 | 2021-04-28 | Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors. |
| CVE-2021-30166 | 2021-04-28 | MERIT LILIN ENT.CO.,LTD. P2/Z2/P3/Z3 IP camera - Command Injection |
| CVE-2021-30167 | 2021-04-28 | MERIT LILIN ENT.CO.,LTD. P2/Z2/P3/Z3 IP camera - Broken Authentication |
| CVE-2021-30168 | 2021-04-28 | MERIT LILIN ENT.CO.,LTD. P2/Z2/P3/Z3 IP camera - Sensitive Data Exposure-1 |
| CVE-2021-30169 | 2021-04-28 | MERIT LILIN ENT.CO.,LTD. P2/Z2/P3/Z3 IP camera - Sensitive Data Exposure-2 |
| CVE-2021-22514 | 2021-04-28 | An arbitrary code execution vulnerability exists in Micro Focus Application Performance Management, affecting versions 9.40, 9.50 and 9.51. The vulnerability could allow remote attackers to execute arbitrary code on affected... |
| CVE-2021-22327 | 2021-04-28 | There is an arbitrary memory write vulnerability in Huawei smart phone when processing file parsing. Due to insufficient validation of the input files, successful exploit could cause certain service abnormal.... |
| CVE-2021-22393 | 2021-04-28 | There is a denial of service vulnerability in some versions of CloudEngine 5800, CloudEngine 6800, CloudEngine 7800 and CloudEngine 12800. The affected product cannot deal with some messages because of... |
| CVE-2021-22330 | 2021-04-28 | There is an out of bounds write vulnerability in Huawei Smartphone HUAWEI P30 versions 9.1.0.131(C00E130R1P21) when processing a message. An unauthenticated attacker can exploit this vulnerability by sending specific message... |
| CVE-2021-22332 | 2021-04-28 | There is a pointer double free vulnerability in some versions of CloudEngine 5800, CloudEngine 6800, CloudEngine 7800 and CloudEngine 12800. When a function is called, the same memory pointer is... |
| CVE-2021-22331 | 2021-04-28 | There is a JavaScript injection vulnerability in certain Huawei smartphones. A module does not verify some inputs sufficiently. Attackers can exploit this vulnerability by sending a malicious application request to... |
| CVE-2021-29159 | 2021-04-28 | A cross-site scripting (XSS) vulnerability has been discovered in Nexus Repository Manager 3.x before 3.30.1. An attacker with a local account can create entities with crafted properties that, when viewed... |
| CVE-2021-29387 | 2021-04-28 | Multiple stored cross-site scripting (XSS) vulnerabilities in Sourcecodester Equipment Inventory System 1.0 allow remote attackers to inject arbitrary javascript via any "Add" sections, such as Add Item , Employee and... |
| CVE-2020-18020 | 2021-04-28 | SQL Injection in PHPSHE Mall System v1.7 allows remote attackers to execute arbitrary code by injecting SQL commands into the "user_phone" parameter of a crafted HTTP request to the "admin.php"... |
| CVE-2020-18019 | 2021-04-28 | SQL Injection in Xinhu OA System v1.8.3 allows remote attackers to obtain sensitive information by injecting arbitrary commands into the "typeid" variable of the "createfolderAjax" function in the "mode_worcAction.php" component. |
| CVE-2021-29388 | 2021-04-28 | A stored cross-site scripting (XSS) vulnerability in SourceCodester Budget Management System 1.0 allows users to inject and store arbitrary JavaScript code in index.php via vulnerable field 'Budget Title'. |
| CVE-2021-3508 | 2021-04-28 | A flaw was found in PDFResurrect in version 0.22b. There is an infinite loop in get_xref_linear_skipped() in pdf.c via a crafted PDF file. |
| CVE-2020-21991 | 2021-04-28 | AVE DOMINAplus <=1.10.x suffers from an authentication bypass vulnerability due to missing control check when directly calling the autologin GET parameter in changeparams.php script. Setting the autologin value to 1... |
| CVE-2020-7123 | 2021-04-28 | A local escalation of privilege vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address... |
| CVE-2021-25147 | 2021-04-28 | A remote authentication restriction bypass vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. |
| CVE-2020-21993 | 2021-04-28 | In WEMS Limited Enterprise Manager 2.58, input passed to the GET parameter 'email' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary... |
| CVE-2020-21994 | 2021-04-28 | AVE DOMINAplus <=1.10.x suffers from clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file '/xml/authClients.xml' and obtain... |
| CVE-2020-21996 | 2021-04-28 | AVE DOMINAplus <=1.10.x suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario. |
| CVE-2020-18022 | 2021-04-28 | Cross Site Scripting (XSS) in Qibosoft QiboCMS v7 and earlier allows remote attackers to execute arbitrary code or obtain sensitive information by injecting arbitrary commands in a HTTP request to... |
| CVE-2020-17999 | 2021-04-28 | Cross Site Scripting (XSS) in MiniCMS v1.10 allows remote attackers to execute arbitrary code by injecting commands via a crafted HTTP request to the component "/mc-admin/post-edit.php". |
| CVE-2021-23364 | 2021-04-28 | Regular Expression Denial of Service (ReDoS) |
| CVE-2021-29482 | 2021-04-28 | denial of service in github.com/ulikunitz/xz |
| CVE-2021-25151 | 2021-04-28 | A remote insecure deserialization vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. |
| CVE-2021-25154 | 2021-04-28 | A remote escalation of privilege vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. |
| CVE-2021-25153 | 2021-04-28 | A remote SQL injection vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. |
| CVE-2021-25152 | 2021-04-28 | A remote insecure deserialization vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. |
| CVE-2021-25164 | 2021-04-28 | A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. |
| CVE-2021-25165 | 2021-04-28 | A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. |
| CVE-2020-22785 | 2021-04-28 | Etherpad < 1.8.3 is affected by a missing lock check which could cause a denial of service. Aggressively targeting random pad import endpoints with empty data would flatten all pads... |
| CVE-2020-22784 | 2021-04-28 | In Etherpad UeberDB < 0.4.4, due to MySQL omitting trailing spaces on char / varchar columns during comparisons, retrieving database records using UeberDB's MySQL connector could allow bypassing access controls... |
| CVE-2020-22783 | 2021-04-28 | Etherpad <1.8.3 stored passwords used by users insecurely in the database and in log files. This affects every database backend supported by Etherpad. |
| CVE-2020-22782 | 2021-04-28 | Etherpad < 1.8.3 is affected by a denial of service in the import functionality. Upload of binary file to the import endpoint would crash the instance. |
| CVE-2020-22781 | 2021-04-28 | In Etherpad < 1.8.3, a specially crafted URI would raise an unhandled exception in the cache mechanism and cause a denial of service (crash the instance). |
| CVE-2020-22790 | 2021-04-28 | Authenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to execute codeby injecting arbitrary web script or HTML via modifying the name of the... |
| CVE-2020-22789 | 2021-04-28 | Unauthenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via the login page.... |
| CVE-2021-2321 | 2021-04-28 | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Easily exploitable vulnerability allows high privileged attacker with... |
| CVE-2021-29483 | 2021-04-28 | wikiconfig API leaked private config variables set through ManageWiki |
| CVE-2020-7037 | 2021-04-28 | Avaya Equinox Conferencing XXE vulnerability |
| CVE-2020-7038 | 2021-04-28 | Avaya Meetings Server Information Disclosure vulnerability |
| CVE-2020-15225 | 2021-04-29 | Denial of Service vulnerability in django-filter |
| CVE-2021-20294 | 2021-04-29 | A flaw was found in binutils readelf 2.35 program. An attacker who is able to convince a victim using readelf to read a crafted file could trigger a stack buffer... |
| CVE-2021-31875 | 2021-04-29 | In mjs_json.c in Cesanta MongooseOS mJS 1.26, a maliciously formed JSON string can trigger an off-by-one heap-based buffer overflow in mjs_json_parse, which can potentially lead to redirection of control flow.... |
| CVE-2021-20090 | 2021-04-29 | A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication. |
| CVE-2021-31776 | 2021-04-29 | Aviatrix VPN Client before 2.14.14 on Windows has an unquoted search path that enables local privilege escalation to the SYSTEM user, if the machine is misconfigured to allow unprivileged users... |
| CVE-2021-21391 | 2021-04-29 | Regular expression Denial of Service in multiple packages |
| CVE-2021-21414 | 2021-04-29 | Command injection vulnerability in @prisma/sdk in getPackedPackage function |
| CVE-2021-25214 | 2021-04-29 | A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly |
| CVE-2021-25215 | 2021-04-29 | An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself |
| CVE-2021-25216 | 2021-04-29 | A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack |
| CVE-2020-36327 | 2021-04-29 | Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public... |
| CVE-2021-31879 | 2021-04-29 | GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007. |
| CVE-2021-25163 | 2021-04-29 | A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. |
| CVE-2021-25166 | 2021-04-29 | A remote unauthorized access vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. |
| CVE-2021-25167 | 2021-04-29 | A remote unauthorized access vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. |
| CVE-2021-29137 | 2021-04-29 | A remote URL redirection vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. |
| CVE-2021-29146 | 2021-04-29 | A remote cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address... |
| CVE-2021-29145 | 2021-04-29 | A remote server side request forgery (SSRF) remote code execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba... |
| CVE-2021-29144 | 2021-04-29 | A remote disclosure of sensitive information vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that... |
| CVE-2021-29147 | 2021-04-29 | A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address... |
| CVE-2021-29142 | 2021-04-29 | A remote cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address... |
| CVE-2021-29140 | 2021-04-29 | A remote XML external entity (XXE) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that... |
| CVE-2021-29138 | 2021-04-29 | A remote disclosure of privileged information vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that... |
| CVE-2021-29139 | 2021-04-29 | A remote cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address... |
| CVE-2021-29141 | 2021-04-29 | A remote disclosure of sensitive information vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that... |
| CVE-2020-21990 | 2021-04-29 | Emmanuel MyDomoAtHome (MDAH) REST API REST API Domoticz ISS Gateway 0.2.40 is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit... |
| CVE-2020-21992 | 2021-04-29 | Inim Electronics SmartLiving SmartLAN/G/SI <=6.x suffers from an authenticated remote command injection vulnerability. The issue exist due to the 'par' POST parameter not being sanitized when called with the 'testemail'... |
| CVE-2021-28899 | 2021-04-29 | Vulnerability in the AC3AudioFileServerMediaSubsession, ADTSAudioFileServerMediaSubsession, and AMRAudioFileServerMediaSubsessionLive OnDemandServerMediaSubsession subclasses in Networks LIVE555 Streaming Media before 2021.3.16. |
| CVE-2020-21995 | 2021-04-29 | Inim Electronics Smartliving SmartLAN/G/SI <=6.x uses default hardcoded credentials. An attacker could exploit this to gain Telnet, SSH and FTP access to the system. |
| CVE-2020-21997 | 2021-04-29 | Smartwares HOME easy <=1.0.9 is vulnerable to an unauthenticated database backup download and information disclosure vulnerability. An attacker could disclose sensitive and clear-text information resulting in authentication bypass, session hijacking... |
| CVE-2020-22002 | 2021-04-29 | An Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in Inim Electronics Smartliving SmartLAN/G/SI <=6.x within the GetImage functionality. The application parses user supplied data in the GET parameter 'host' to... |
| CVE-2021-20091 | 2021-04-29 | The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability... |
| CVE-2021-20092 | 2021-04-29 | The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor. |
| CVE-2021-30027 | 2021-04-29 | md_analyze_line in md4c.c in md4c 0.4.7 allows attackers to trigger use of uninitialized memory, and cause a denial of service via a malformed Markdown document. |
| CVE-2021-30218 | 2021-04-29 | samurai 1.2 has a NULL pointer dereference in writefile() in util.c via a crafted build file. |
| CVE-2021-30219 | 2021-04-29 | samurai 1.2 has a NULL pointer dereference in printstatus() function in build.c via a crafted build file. |
| CVE-2021-27651 | 2021-04-29 | In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks. |
| CVE-2021-30224 | 2021-04-29 | Cross Site Request Forgery (CSRF) in Rukovoditel v2.8.3 allows attackers to create an admin user with an arbitrary credentials. |
| CVE-2021-28280 | 2021-04-29 | CSRF + Cross-site scripting (XSS) vulnerability in search.php in PHPFusion 9.03.110 allows remote attackers to inject arbitrary web script or HTML |
| CVE-2021-30227 | 2021-04-29 | Cross Site Scripting (XSS) vulnerability in the article comments feature in emlog 6.0. |
| CVE-2021-29350 | 2021-04-29 | SQL injection in the getip function in conn/function.php in 发货100-设计素材下载系统 1.1 allows remote attackers to inject arbitrary SQL commands via the X-Forwarded-For header to admin/product_add.php. |
| CVE-2021-20228 | 2021-04-29 | A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature... |
| CVE-2021-25810 | 2021-04-29 | Cross site Scripting (XSS) vulnerability in MERCUSYS Mercury X18G 1.0.5 devices, via crafted values to the 'src_dport_start', 'src_dport_end', and 'dest_port' parameters. |
| CVE-2021-25811 | 2021-04-29 | MERCUSYS Mercury X18G 1.0.5 devices allow Denial of service via a crafted value to the POST listen_http_lan parameter. Upon subsequent device restarts after this vulnerability is exploted the device will... |
| CVE-2021-25812 | 2021-04-29 | Command injection vulnerability in China Mobile An Lianbao WF-1 1.01 via the 'ip' parameter with a POST request to /api/ZRQos/set_online_client. |
| CVE-2021-30228 | 2021-04-29 | The api/ZRAndlink/set_ZRAndlink interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the iandlink_proc_enable parameter. |
| CVE-2021-30229 | 2021-04-29 | The api/zrDm/set_zrDm interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the dm_enable, AppKey, or Pwd parameter. |