CVE List - 2021 / April
Showing 601 - 700 of 1817 CVEs for April 2021 (Page 7 of 19)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-24213 | 2021-04-12 | GiveWP < 2.10.0 - Reflected Cross Site Scripting (XSS) |
| CVE-2021-24215 | 2021-04-12 | Controlled Admin Access < 1.5.2 - Improper Access Control & Privilege Escalation |
| CVE-2021-24217 | 2021-04-12 | Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain |
| CVE-2021-24218 | 2021-04-12 | Facebook for WordPress 3.0.0-3.0.3 - CSRF to Stored XSS and Settings Deletion |
| CVE-2021-24219 | 2021-04-12 | All Thrive Themes and Plugins - Unauthenticated Option Update |
| CVE-2021-24220 | 2021-04-12 | All Thrive Themes Legacy Themes < 2.0.0 - Unauthenticated Arbitrary File Upload and Option Deletion |
| CVE-2021-24221 | 2021-04-12 | Quiz And Survey Master < 7.1.12 - Authenticated SQL injection via shortcode |
| CVE-2021-24222 | 2021-04-12 | WP-Curricul Vitea Free <= 6.3 - Unauthenticated Arbitrary File Upload to RCE |
| CVE-2021-24223 | 2021-04-12 | N5 Upload Form <= 1.0 - Unauthenticated Arbitrary File Upload to RCE |
| CVE-2021-24224 | 2021-04-12 | Easy Form Builder <= 1.0 - Authenticated Arbitrary File Upload |
| CVE-2021-24225 | 2021-04-12 | Advanced Booking Calendar < 1.6.7 - Authenticated Reflected Cross-Site Scripting (XSS) |
| CVE-2021-24226 | 2021-04-12 | AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage |
| CVE-2021-24227 | 2021-04-12 | Patreon WordPress < 1.7.0 - Unauthenticated Local File Disclosure |
| CVE-2021-24228 | 2021-04-12 | Patreon WordPress < 1.7.2 - Reflected XSS on Login Form |
| CVE-2021-24229 | 2021-04-12 | Patreon WordPress < 1.7.2 - Reflected XSS on patreon_save_attachment_patreon_level AJAX action |
| CVE-2021-24230 | 2021-04-12 | Patreon WordPress < 1.7.0 - CSRF to Overwrite/Create User Meta |
| CVE-2021-24231 | 2021-04-12 | Patreon WordPress < 1.7.0 - CSRF to Disconnect Sites From Patreon |
| CVE-2020-15942 | 2021-04-12 | An information disclosure vulnerability in Web Vulnerability Scan profile of Fortinet's FortiWeb version 6.2.x below 6.2.4 and version 6.3.x below 6.3.5 may allow a remote authenticated attacker to read the... |
| CVE-2021-24024 | 2021-04-12 | A clear text storage of sensitive information into log file vulnerability in FortiADCManager 5.3.0 and below, 5.2.1 and below and FortiADC 5.3.7 and below may allow a remote authenticated attacker... |
| CVE-2019-17656 | 2021-04-12 | A Stack-based Buffer Overflow vulnerability in the HTTPD daemon of FortiOS 6.0.10 and below, 6.2.2 and below and FortiProxy 1.0.x, 1.1.x, 1.2.9 and below, 2.0.0 and below may allow an... |
| CVE-2021-22190 | 2021-04-12 | A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token |
| CVE-2021-27486 | 2021-04-12 | FATEK Automation WinProladder Versions 3.30 and prior is vulnerable to an integer underflow, which may cause an out-of-bounds write and allow an attacker to execute arbitrary code. |
| CVE-2020-7924 | 2021-04-12 | Specific command line parameter might result in accepting invalid certificate |
| CVE-2020-15734 | 2021-04-12 | Same-origin policy vulnerability in Bitdefender Safepay |
| CVE-2021-23270 | 2021-04-12 | In Gargoyle OS 1.12.0, when IPv6 is used, a routing loop can occur that generates excessive network traffic between an affected device and its upstream ISP's router. This occurs when... |
| CVE-2021-3125 | 2021-04-12 | In TP-Link TL-XDR3230 < 1.0.12, TL-XDR1850 < 1.0.9, TL-XDR1860 < 1.0.14, TL-XDR3250 < 1.0.2, TL-XDR6060 Turbo < 1.1.8, TL-XDR5430 < 1.0.11, and possibly others, when IPv6 is used, a routing... |
| CVE-2021-3128 | 2021-04-12 | In ASUS RT-AX3000, ZenWiFi AX (XT8), RT-AX88U, and other ASUS routers with firmware < 3.0.0.4.386.42095 or < 9.0.0.4.386.41994, when IPv6 is used, a routing loop can occur that generates excessive... |
| CVE-2021-29302 | 2021-04-12 | TP-Link TL-WR802N(US), Archer_C50v5_US v4_200 <= 2020.06 contains a buffer overflow vulnerability in the httpd process in the body message. The attack vector is: The attacker can get shell of the... |
| CVE-2020-4920 | 2021-04-12 | IBM Jazz Team Server products are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially... |
| CVE-2020-4964 | 2021-04-12 | IBM Jazz Team Server products contain an undisclosed vulnerability that could allow an authenticated user to present a customized message on the application which could be used to phish other... |
| CVE-2020-4965 | 2021-04-12 | IBM Jazz Team Server products use weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 192422. |
| CVE-2021-20519 | 2021-04-12 | IBM Jazz Team Server products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading... |
| CVE-2020-15390 | 2021-04-12 | pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo. |
| CVE-2021-29357 | 2021-04-12 | The ECT Provider component in OutSystems Platform Server 10 before 10.0.1104.0 and 11 before 11.9.0 (and LifeTime management console before 11.7.0) allows SSRF for arbitrary outbound HTTP requests. |
| CVE-2019-15059 | 2021-04-12 | In Liberty lisPBX 2.0-4, configuration backup files can be retrieved remotely from /backup/lispbx-CONF-YYYY-MM-DD.tar or /backup/lispbx-CDR-YYYY-MM-DD.tar without authentication or authorization. These configuration files have all PBX information including extension numbers, contacts,... |
| CVE-2021-21524 | 2021-04-12 | Dell SRM versions prior to 4.5.0.1 and Dell SMR versions prior to 4.5.0.1 contain an Untrusted Deserialization Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to arbitrary... |
| CVE-2021-21545 | 2021-04-12 | Dell Peripheral Manager 1.3.1 or greater contains remediation for a local privilege escalation vulnerability that could be potentially exploited to gain arbitrary code execution on the system with privileges of... |
| CVE-2021-3163 | 2021-04-12 | A vulnerability in the HTML editor of Slab Quill 4.8.0 allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element)... |
| CVE-2021-21394 | 2021-04-12 | Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints |
| CVE-2021-22497 | 2021-04-12 | Advanced Authentication Improper Session Management |
| CVE-2021-29429 | 2021-04-12 | Information disclosure through temporary directory permissions |
| CVE-2021-21393 | 2021-04-12 | Denial of service (via resource exhaustion) due to improper input validation on groups/communities endpoints |
| CVE-2021-21392 | 2021-04-12 | Open redirect via transitional IPv6 addresses on dual-stack networks |
| CVE-2021-30039 | 2021-04-12 | Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Fever" or "Blood Pressure" field on the patients/register-report.php. |
| CVE-2021-30042 | 2021-04-12 | Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Clinic Name", "Clinic Address", "Clinic City", or "Clinic Contact" field on clinics/register.php |
| CVE-2021-30044 | 2021-04-12 | Cross Site Scripting (XSS) in Remote Clinic v2.0 via the First Name or Last Name field on staff/register.php. |
| CVE-2021-30034 | 2021-04-12 | Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Symptons field on patients/register-report.php. |
| CVE-2021-30030 | 2021-04-12 | Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Full Name field on register-patient.php. |
| CVE-2021-30503 | 2021-04-13 | The unofficial GLSL Linting extension before 1.4.0 for Visual Studio Code allows remote code execution via a crafted glslangValidatorPath in the workspace configuration. |
| CVE-2021-30637 | 2021-04-13 | htmly 2.8.0 allows stored XSS via the blog title, Tagline, or Description to config.html.php. |
| CVE-2021-29054 | 2021-04-13 | Certain Papoo products are affected by: Cross Site Request Forgery (CSRF) in the admin interface. This affects Papoo CMS Light through 21.02 and Papoo CMS Pro through 6.0.1. The impact... |
| CVE-2021-29003 | 2021-04-13 | Genexis PLATINUM 4410 2.1 P4410-V2-1.28 devices allow remote attackers to execute arbitrary code via shell metacharacters to sys_config_valid.xgi, as demonstrated by the sys_config_valid.xgi?exeshell=%60telnetd%20%26%60 URI. |
| CVE-2021-28938 | 2021-04-13 | Siren Federate before 6.8.14-10.3.9, 6.9.x through 7.6.x before 7.6.2-20.2, 7.7.x through 7.9.x before 7.9.3-21.6, 7.10.x before 7.10.2-22.2, and 7.11.x before 7.11.2-23.0 can leak user information across thread contexts. This occurs... |
| CVE-2021-27905 | 2021-04-13 | SSRF vulnerability with the Replication handler |
| CVE-2021-29262 | 2021-04-13 | Misapplied Zookeeper ACLs can result in leakage of configured authentication and authorization settings |
| CVE-2021-29943 | 2021-04-13 | Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections |
| CVE-2021-29425 | 2021-04-13 | Possible limited path traversal vulnerabily in Apache Commons IO |
| CVE-2021-25250 | 2021-04-13 | An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a sensitive file could allow a local attacker... |
| CVE-2021-25253 | 2021-04-13 | An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a resource used by the service could allow... |
| CVE-2021-28645 | 2021-04-13 | An incorrect permission assignment vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to escalate privileges on affected installations.... |
| CVE-2021-28646 | 2021-04-13 | An insecure file permissions vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to take control of a specific... |
| CVE-2021-28647 | 2021-04-13 | Trend Micro Password Manager version 5 (Consumer) is vulnerable to a DLL Hijacking vulnerability which could allow an attacker to inject a malicious DLL file during the installation progress and... |
| CVE-2021-30175 | 2021-04-13 | ZEROF Web Server 1.0 (April 2021) allows SQL Injection via the /HandleEvent endpoint for the login page. |
| CVE-2021-30176 | 2021-04-13 | The ZEROF Expert pro/2.0 application for mobile devices allows SQL Injection via the Authorization header to the /v2/devices/add endpoint. |
| CVE-2021-22505 | 2021-04-13 | Escalation of privileges vulnerability in Micro Focus Operations Agent, affects versions 12.0x, 12.10, 12.11, 12.12, 12.14 and 12.15. The vulnerability could be exploited to escalate privileges and execute code under... |
| CVE-2020-27233 | 2021-04-13 | An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the supplierUID parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability. |
| CVE-2020-27234 | 2021-04-13 | An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the serviceUID parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability. |
| CVE-2020-27235 | 2021-04-13 | An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the description parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability. |
| CVE-2020-27236 | 2021-04-13 | An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the compnomenclature parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability. |
| CVE-2020-27228 | 2021-04-13 | An incorrect default permissions vulnerability exists in the installation functionality of OpenClinic GA 5.173.3. Overwriting the binary can result in privilege escalation. An attacker can replace a file to exploit... |
| CVE-2020-27227 | 2021-04-13 | An exploitable unatuhenticated command injection exists in the OpenClinic GA 5.173.3. Specially crafted web requests can cause commands to be executed on the server. An attacker can send a web... |
| CVE-2020-13566 | 2021-04-13 | SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability In... |
| CVE-2020-13568 | 2021-04-13 | SQL injection vulnerability exists in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability in... |
| CVE-2021-21731 | 2021-04-13 | A CSRF vulnerability exists in the management page of a ZTE product.The vulnerability is caused because the management page does not fully verify whether the request comes from a trusted... |
| CVE-2021-21730 | 2021-04-13 | A ZTE product is impacted by improper access control vulnerability. The attacker could exploit this vulnerability to access CLI by brute force attacks.This affects: ZXHN H168N V3.5.0_TY.T6 |
| CVE-2021-21729 | 2021-04-13 | Some ZTE products have CSRF vulnerability. Because some pages lack CSRF random value verification, attackers could perform illegal authorization operations by constructing messages.This affects: ZXHN H168N V3.5.0_EG1T5_TE, V2.5.5, ZXHN H108N... |
| CVE-2021-23372 | 2021-04-13 | Denial of Service (DoS) |
| CVE-2021-29998 | 2021-04-13 | An issue was discovered in Wind River VxWorks before 6.5. There is a possible heap overflow in dhcp client. |
| CVE-2021-29999 | 2021-04-13 | An issue was discovered in Wind River VxWorks through 6.8. There is a possible stack overflow in dhcp server. |
| CVE-2021-29997 | 2021-04-13 | An issue was discovered in Wind River VxWorks 7 before 21.03. A specially crafted packet may lead to buffer over-read on IKE. |
| CVE-2021-28973 | 2021-04-13 | The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE... |
| CVE-2021-29435 | 2021-04-13 | Cross-Site Request Forgery (CSRF) in trestle-auth |
| CVE-2021-29436 | 2021-04-13 | Cross site request forgery vulnerability |
| CVE-2021-21399 | 2021-04-13 | Unauthenticated SubSonic backend access in Ampache |
| CVE-2021-29428 | 2021-04-13 | Local privilege escalation through system temporary directory |
| CVE-2021-29427 | 2021-04-13 | Repository content filters do not work in Settings pluginManagement |
| CVE-2021-23278 | 2021-04-13 | Arbitrary File delete |
| CVE-2021-23276 | 2021-04-13 | Improper Neutralization of Special Elements used in an SQL Command |
| CVE-2021-23279 | 2021-04-13 | Arbitrary File delete |
| CVE-2021-23281 | 2021-04-13 | Remote Code execution |
| CVE-2021-23277 | 2021-04-13 | Improper Neutralization of Directives in Dynamically Evaluated Code |
| CVE-2021-23280 | 2021-04-13 | Arbitrary File upload |
| CVE-2020-28590 | 2021-04-13 | An out-of-bounds read vulnerability exists in the Obj File TriangleMesh::TriangleMesh() functionality of Slic3r libslic3r 1.3.0 and Master Commit 92abbc42. A specially crafted obj file could lead to information disclosure. An... |
| CVE-2021-21784 | 2021-04-13 | An out-of-bounds write vulnerability exists in the JPG format SOF marker processing of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to memory corruption. An attacker can provide... |
| CVE-2021-0438 | 2021-04-13 | In several functions of InputDispatcher.cpp, WindowManagerService.java, and related files, there is a possible tapjacking attack due to an incorrect FLAG_OBSCURED value. This could lead to local escalation of privilege with... |
| CVE-2021-0443 | 2021-04-13 | In several functions of ScreenshotHelper.java and related files, there is a possible incorrectly saved screenshot due to a race condition. This could lead to local information disclosure across user profiles... |
| CVE-2021-0433 | 2021-04-13 | In onCreate of DeviceChooserActivity.java, there is a possible way to bypass user consent when pairing a Bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of... |
| CVE-2021-0446 | 2021-04-13 | In ImportVCardActivity, there is a possible way to bypass user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User... |
| CVE-2021-0445 | 2021-04-13 | In start of WelcomeActivity.java, there is a possible residual profile due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User... |
| CVE-2021-0428 | 2021-04-13 | In getSimSerialNumber of TelephonyManager.java, there is a possible way to read a trackable identifier due to a missing permission check. This could lead to local information disclosure with User execution... |