CVE List - 2021 / April
Showing 501 - 600 of 1817 CVEs for April 2021 (Page 6 of 19)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-23426 | 2021-04-08 | zzcms 201910 contains an access control vulnerability through escalation of privileges in /user/adv.php, which allows an attacker to modify data for further attacks such as CSRF. |
| CVE-2021-27522 | 2021-04-08 | Learnsite 1.2.5.0 contains a remote privilege escalation vulnerability in /Manager/index.aspx through the JudgIsAdmin() function. By modifying the initial letter of the key of a user cookie, the key of the... |
| CVE-2020-23539 | 2021-04-08 | An issue was discovered in Realtek rtl8723de BLE Stack <= 4.1 that allows remote attackers to cause a Denial of Service via the interval field to the CONNECT_REQ message. |
| CVE-2021-27945 | 2021-04-08 | The Squirro Insights Engine was affected by a Reflected Cross-Site Scripting (XSS) vulnerability affecting versions 2.0.0 up to and including 3.2.4. An attacker can use the vulnerability to inject malicious... |
| CVE-2021-3328 | 2021-04-08 | An issue was discovered in Aprelium Abyss Web Server X1 2.12.1 and 2.14. A crafted HTTP request can lead to an out-of-bounds read that crashes the application. |
| CVE-2021-22115 | 2021-04-08 | Cloud Controller API versions prior to 1.106.0 logs service broker credentials if the default value of db logging config field is changed. CAPI database logs service broker password in plain... |
| CVE-2021-22507 | 2021-04-08 | Authentication bypass vulnerability in Micro Focus Operations Bridge Manager affects versions 2019.05, 2019.11, 2020.05 and 2020.10. The vulnerability could allow remote attackers to bypass user authentication and get unauthorized access. |
| CVE-2020-14104 | 2021-04-08 | A RACE CONDITION on XQBACKUP causes a decompression path error on Xiaomi router AX3600 with ROM version =1.0.50. |
| CVE-2020-14099 | 2021-04-08 | On Xiaomi router AX1800 rom version < 1.0.336 and RM1800 root version < 1.0.26, the encryption scheme for a user's backup files uses hard-coded keys, which can expose sensitive information... |
| CVE-2021-22312 | 2021-04-08 | There is a memory leak vulnerability in some Huawei products. An authenticated remote attacker may exploit this vulnerability by sending specific message to the affected product. Due to not release... |
| CVE-2021-3146 | 2021-04-08 | The Dolby Audio X2 (DAX2) API service before 0.8.8.90 on Windows allows local users to gain privileges. |
| CVE-2020-14103 | 2021-04-08 | The application in the mobile phone can read the SNO information of the device, Xiaomi 10 MIUI < 2020.01.15. |
| CVE-2020-14106 | 2021-04-08 | The application in the mobile phone can unauthorized access to the list of running processes in the mobile phone, Xiaomi Mobile Phone MIUI < 2021.01.26. |
| CVE-2021-22513 | 2021-04-08 | Missing Authorization vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow access without permission checks. |
| CVE-2021-22510 | 2021-04-08 | Reflected XSS vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects all version 6.7 and earlier versions. |
| CVE-2021-22511 | 2021-04-08 | Improper Certificate Validation vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow unconditionally disabling of SSL/TLS... |
| CVE-2021-22512 | 2021-04-08 | Cross-Site Request Forgery (CSRF) vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow form validation without... |
| CVE-2020-6590 | 2021-04-08 | Forcepoint Web Security Content Gateway versions prior to 8.5.4 improperly process XML input, leading to information disclosure. |
| CVE-2021-3482 | 2021-04-08 | A flaw was found in Exiv2 in versions before and including 0.27.4-RC1. Improper input validation of the rawData.size property in Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based buffer overflow... |
| CVE-2021-3448 | 2021-04-08 | A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries.... |
| CVE-2021-3413 | 2021-04-08 | A flaw was found in Red Hat Satellite in tfm-rubygem-foreman_azure_rm in versions before 2.2.0. A credential leak was identified which will expose Azure Resource Manager's secret key through JSON of... |
| CVE-2020-36287 | 2021-04-09 | The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote... |
| CVE-2021-30458 | 2021-04-09 | An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.12.2. An attacker can send crafted wikitext that Utils/WTUtils.php will transform by using a <meta> tag, bypassing sanitization... |
| CVE-2021-30152 | 2021-04-09 | An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. When using the MediaWiki API to "protect" a page, a user is currently able to protect... |
| CVE-2021-30155 | 2021-04-09 | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct permissions to create and set the content... |
| CVE-2021-30156 | 2021-04-09 | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Special:Contributions can leak that a "hidden" user exists. |
| CVE-2021-30159 | 2021-04-09 | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePage::isValidMoveTarget() uses... |
| CVE-2020-21883 | 2021-04-09 | Unibox U-50 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a OS command injection vulnerability in /tools/ping, which can leads to complete device takeover. |
| CVE-2020-21884 | 2021-04-09 | Unibox SMB 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a cross-site request forgery (CSRF) vulnerability in /tools/network-trace, /list_users, /list_byod?usertype=raduser, /dhcp_leases, /go?rid=202 in which a specially... |
| CVE-2021-25326 | 2021-04-09 | Skyworth Digital Technology RN510 V.3.1.0.4 is affected by an incorrect access control vulnerability in/cgi-bin/test_version.asp. If Wi-Fi is connected but an unauthenticated user visits a URL, the SSID password and web... |
| CVE-2021-25327 | 2021-04-09 | Skyworth Digital Technology RN510 V.3.1.0.4 contains a cross-site request forgery (CSRF) vulnerability in /cgi-bin/net-routeadd.asp and /cgi-bin/sec-urlfilter.asp. Missing CSRF protection in devices can lead to XSRF, as the above pages are... |
| CVE-2021-25328 | 2021-04-09 | Skyworth Digital Technology RN510 V.3.1.0.4 RN510 V.3.1.0.4 contains a buffer overflow vulnerability in /cgi-bin/app-staticIP.asp. An authenticated attacker can send a specially crafted request to endpoint which can lead to a... |
| CVE-2021-29221 | 2021-04-09 | A local privilege escalation vulnerability was discovered in Erlang/OTP prior to version 23.2.3. By adding files to an existing installation's directory, a local attacker could hijack accounts of other users... |
| CVE-2021-21431 | 2021-04-09 | Improper Input Validation in sopel-plugins.channelmgnt |
| CVE-2021-29671 | 2021-04-09 | IBM Spectrum Scale 5.1.0.1 could allow a local attacker to bypass the filesystem audit logging mechanism when file audit logging is enabled. IBM X-Force ID: 199478. |
| CVE-2021-20080 | 2021-04-09 | Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading... |
| CVE-2021-21728 | 2021-04-09 | A ZTE product has a configuration error vulnerability. Because a certain port is open by default, an attacker can consume system processing resources by flushing a large number of packets... |
| CVE-2021-25356 | 2021-04-09 | An improper caller check vulnerability in Managed Provisioning prior to SMR APR-2021 Release 1 allows unprivileged application to install arbitrary application, grant device admin permission and then delete several installed... |
| CVE-2021-25357 | 2021-04-09 | A pendingIntent hijacking vulnerability in Create Movie prior to SMR APR-2021 Release 1 in Android O(8.x) and P(9.0), 3.4.81.1 in Android Q(10,0), and 3.6.80.7 in Android R(11.0) allows unprivileged applications... |
| CVE-2021-25358 | 2021-04-09 | A vulnerability that stores IMSI values in an improper path prior to SMR APR-2021 Release 1 allows local attackers to access IMSI values without any permission via untrusted applications. |
| CVE-2021-25359 | 2021-04-09 | An improper SELinux policy prior to SMR APR-2021 Release 1 allows local attackers to access AP information without proper permissions via untrusted applications. |
| CVE-2021-25360 | 2021-04-09 | An improper input validation vulnerability in libswmfextractor library prior to SMR APR-2021 Release 1 allows attackers to execute arbitrary code on mediaextractor process. |
| CVE-2021-25361 | 2021-04-09 | An improper access control vulnerability in stickerCenter prior to SMR APR-2021 Release 1 allows local attackers to read or write arbitrary files of system process via untrusted applications. |
| CVE-2021-25362 | 2021-04-09 | An improper permission management in CertInstaller prior to SMR APR-2021 Release 1 allows untrusted applications to delete certain local files. |
| CVE-2021-25363 | 2021-04-09 | An improper access control in ActivityManagerService prior to SMR APR-2021 Release 1 allows untrusted applications to access running processesdelete some local files. |
| CVE-2021-25364 | 2021-04-09 | A pendingIntent hijacking vulnerability in Secure Folder prior to SMR APR-2021 Release 1 allows unprivileged applications to access contact information. |
| CVE-2021-25365 | 2021-04-09 | An improper exception control in softsimd prior to SMR APR-2021 Release 1 allows unprivileged applications to access the API in softsimd. |
| CVE-2021-25373 | 2021-04-09 | Using unsafe PendingIntent in Customization Service prior to version 2.2.02.1 in Android O(8.x), 2.4.03.0 in Android P(9.0), 2.7.02.1 in Android Q(10.0) and 2.9.01.1 in Android R(11.0) allows local attackers to... |
| CVE-2021-25374 | 2021-04-09 | An improper authorization vulnerability in Samsung Members "samsungrewards" scheme for deeplink in versions 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above allows remote attackers to... |
| CVE-2021-25375 | 2021-04-09 | Using predictable index for attachments in Samsung Email prior to version 6.1.41.0 allows remote attackers to get attachments of another emails when users open the malicious attachment. |
| CVE-2021-25376 | 2021-04-09 | An improper synchronization logic in Samsung Email prior to version 6.1.41.0 can leak messages in certain mailbox in plain text when STARTTLS negotiation is failed. |
| CVE-2021-25377 | 2021-04-09 | Intent redirection in Samsung Experience Service versions 10.8.0.4 in Android P(9.0) below, and 12.2.0.5 in Android Q(10.0) above allows attacker to execute privileged action. |
| CVE-2021-25378 | 2021-04-09 | Improper access control of certain port in SmartThings prior to version 1.7.63.6 allows remote temporary denial of service. |
| CVE-2021-25379 | 2021-04-09 | Intent redirection vulnerability in Gallery prior to version 5.4.16.1 allows attacker to execute privileged action. |
| CVE-2021-25380 | 2021-04-09 | Improper handling of exceptional conditions in Bixby prior to version 3.0.53.02 allows attacker to execute the actions registered by the user. |
| CVE-2021-25381 | 2021-04-09 | Using unsafe PendingIntent in Samsung Account in versions 10.8.0.4 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0) and above allows local attackers to perform unauthorized action without permission... |
| CVE-2020-13591 | 2021-04-09 | An exploitable SQL injection vulnerability exists in the "access_rules/rules_form" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can... |
| CVE-2020-13587 | 2021-04-09 | An exploitable SQL injection vulnerability exists in the "forms_fields_rules/rules" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can... |
| CVE-2020-13592 | 2021-04-09 | An exploitable SQL injection vulnerability exists in "global_lists/choices" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make... |
| CVE-2020-23761 | 2021-04-09 | Cross Site Scripting (XSS) vulnerability in subrion CMS Version <= 4.2.1 allows remote attackers to execute arbitrary web script via the "payment gateway" column on transactions tab. |
| CVE-2020-13534 | 2021-04-09 | A privilege escalation vulnerability exists in Dream Report 5 R20-2. COM Class Identifiers (CLSID), installed by Dream Report 5 20-2, reference LocalServer32 and InprocServer32 with weak privileges which can lead... |
| CVE-2020-13533 | 2021-04-09 | A privilege escalation vulnerability exists in Dream Report 5 R20-2. IIn the default configuration, the following registry keys, which reference binaries with weak permissions, can be abused by attackers to... |
| CVE-2020-23762 | 2021-04-09 | Cross Site Scripting (XSS) vulnerability in the Larsens Calender plugin Version <= 1.2 for WordPress allows remote attackers to execute arbitrary web script via the "titel" column on the "Eintrage... |
| CVE-2020-13532 | 2021-04-09 | A privilege escalation vulnerability exists in Dream Report 5 R20-2. In the default configuration, the Syncfusion Dashboard Service service binary can be replaced by attackers to escalate privileges to NT... |
| CVE-2021-20021 | 2021-04-09 | A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host. |
| CVE-2021-20022 | 2021-04-09 | SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to upload an arbitrary file to the remote host. |
| CVE-2020-23763 | 2021-04-09 | SQL injection in admin.php in Online Book Store 1.0 allows remote attackers to execute arbitrary SQL commands and bypass authentication. |
| CVE-2021-21433 | 2021-04-09 | Remote code execution on discord-recon .dirsearch and .arjun commands due to improper input validation |
| CVE-2021-21432 | 2021-04-09 | Reject unauthorized access with GitHub PATs |
| CVE-2021-21194 | 2021-04-09 | Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-21195 | 2021-04-09 | Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-21196 | 2021-04-09 | Heap buffer overflow in TabStrip in Google Chrome on Windows prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-21197 | 2021-04-09 | Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-21198 | 2021-04-09 | Out of bounds read in IPC in Google Chrome prior to 89.0.4389.114 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a... |
| CVE-2021-21199 | 2021-04-09 | Use after free in Aura in Google Chrome on Linux prior to 89.0.4389.114 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a... |
| CVE-2021-30480 | 2021-04-09 | Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an... |
| CVE-2021-20020 | 2021-04-10 | A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root. |
| CVE-2021-30481 | 2021-04-10 | Valve Steam before 2021-04-17, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite... |
| CVE-2021-28875 | 2021-04-11 | In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow. |
| CVE-2021-28876 | 2021-04-11 | In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator... |
| CVE-2021-28877 | 2021-04-11 | In the standard library in Rust before 1.51.0, the Zip implementation calls __iterator_get_unchecked() for the same index more than once when nested. This bug can lead to a memory safety... |
| CVE-2021-28878 | 2021-04-11 | In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once for the same index (under certain conditions) when next_back() and next() are used together.... |
| CVE-2021-28879 | 2021-04-11 | In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer overflow. This bug can lead to a buffer overflow when... |
| CVE-2021-30485 | 2021-04-11 | An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_internal_dtd(), while parsing a crafted XML file, performs incorrect memory handling, leading to a NULL pointer dereference while running... |
| CVE-2020-36318 | 2021-04-11 | In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free... |
| CVE-2020-36317 | 2021-04-11 | In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug... |
| CVE-2015-20001 | 2021-04-11 | In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or... |
| CVE-2021-29379 | 2021-04-12 | An issue was discovered on D-Link DIR-802 A1 devices through 1.00b05. Universal Plug and Play (UPnP) is enabled by default on port 1900. An attacker can perform command injection by... |
| CVE-2020-24285 | 2021-04-12 | INTELBRAS TELEFONE IP TIP200 version 60.61.75.22 allows an attacker to obtain sensitive information through /cgi-bin/cgiServer.exx. |
| CVE-2021-23371 | 2021-04-12 | Regular Expression Denial of Service (ReDoS) |
| CVE-2021-23369 | 2021-04-12 | Remote Code Execution (RCE) |
| CVE-2021-23370 | 2021-04-12 | Prototype Pollution |
| CVE-2020-28872 | 2021-04-12 | An authorization bypass vulnerability in Monitorr v1.7.6m in Monitorr/assets/config/_installation/_register.php allows an unauthorized person to create valid credentials. |
| CVE-2021-25926 | 2021-04-12 | In SiCKRAGE, versions 9.3.54.dev1 to 10.0.11.dev1 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly in the `quicksearch` feature. Therefore, an attacker can steal a... |
| CVE-2021-25925 | 2021-04-12 | in SiCKRAGE, versions 4.2.0 to 10.0.11.dev1 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly when processed by the server. Therefore, an attacker can inject... |
| CVE-2021-23368 | 2021-04-12 | Regular Expression Denial of Service (ReDoS) |
| CVE-2021-24197 | 2021-04-12 | wpDataTables < 3.4.2 - Improper Access Control leading to Table Permission Takeover |
| CVE-2021-24198 | 2021-04-12 | wpDataTables < 3.4.2 - Improper Access Control leading to Table Data Deletion |
| CVE-2021-24199 | 2021-04-12 | wpDataTables < 3.4.2 - Blind SQL Injection via start Parameter |
| CVE-2021-24200 | 2021-04-12 | wpDataTables < 3.4.2 - Blind SQL Injection via length Parameter |