CVE List - 2021 / May
Showing 1401 - 1494 of 1494 CVEs for May 2021 (Page 15 of 15)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-1761 | 2021-05-27 | A flaw was found in the OpenShift web console, where the access token is stored in the browser's local storage. An attacker can use this flaw to get the access... |
| CVE-2020-15180 | 2021-05-27 | A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute... |
| CVE-2020-10145 | 2021-05-27 | The Adobe ColdFusion installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\ColdFusion2021\. By default, unprivileged users can create files in this directory... |
| CVE-2021-27852 | 2021-05-27 | Deserialization of Untrusted Data vulnerability in CheckboxWeb.dll of Checkbox Survey allows an unauthenticated remote attacker to execute arbitrary code. This issue affects: Checkbox Survey versions prior to 7. |
| CVE-2021-33408 | 2021-05-27 | Local File Inclusion vulnerability in Ab Initio Control>Center before 4.0.2.6 allows remote attackers to retrieve arbitrary files. Fixed in v4.0.2.6 and v4.0.3.1. |
| CVE-2021-33587 | 2021-05-28 | The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input. |
| CVE-2021-33620 | 2021-05-28 | Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a... |
| CVE-2021-33623 | 2021-05-28 | The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method. |
| CVE-2021-3514 | 2021-05-28 | When using a sync_repl client in 389-ds-base, an authenticated attacker can cause a NULL pointer dereference using a specially crafted query, causing a crash. |
| CVE-2021-32539 | 2021-05-28 | Hundred Plus 101EIP - Stored XSS-1 |
| CVE-2021-32540 | 2021-05-28 | Hundred Plus 101EIP - Stored XSS-2 |
| CVE-2021-32541 | 2021-05-28 | SysJust CTS Web - Broken Access Control |
| CVE-2021-32542 | 2021-05-28 | SysJust CTS Web - Reflected XSS |
| CVE-2021-32543 | 2021-05-28 | SysJust CTS Web - Broken Authentication |
| CVE-2020-25710 | 2021-05-28 | A flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker who sends a malicious packet processed by OpenLDAP to force a failed assertion in csnNormalize23().... |
| CVE-2020-25715 | 2021-05-28 | A flaw was found in pki-core 10.9.0. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query... |
| CVE-2020-27826 | 2021-05-28 | A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change... |
| CVE-2020-27847 | 2021-05-28 | A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signature Validation. This flaw allows an attacker to bypass SAML authentication. The highest threat from... |
| CVE-2020-35504 | 2021-05-28 | A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process... |
| CVE-2020-35505 | 2021-05-28 | A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command.... |
| CVE-2020-35506 | 2021-05-28 | A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw... |
| CVE-2021-20195 | 2021-05-28 | A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not... |
| CVE-2021-20201 | 2021-05-28 | A flaw was found in spice in versions before 0.14.92. A DoS tool might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing... |
| CVE-2021-20236 | 2021-05-28 | A flaw was found in the ZeroMQ server in versions before 4.3.3. This flaw allows a malicious client to cause a stack buffer overflow on the server by sending crafted... |
| CVE-2021-20237 | 2021-05-28 | An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub.cpp in versions before 4.3.3. This flaw allows a remote unauthenticated attacker to send crafted PUB messages that consume... |
| CVE-2021-20239 | 2021-05-28 | A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an attacker with a local account to leak information about kernel... |
| CVE-2021-20240 | 2021-05-28 | A flaw was found in gdk-pixbuf in versions before 2.42.0. An integer wraparound leading to an out of bounds write can occur when a crafted GIF image is loaded. An... |
| CVE-2021-20278 | 2021-05-28 | An authentication bypass vulnerability was found in Kiali in versions before 1.31.0 when the authentication strategy `OpenID` is used. When RBAC is enabled, Kiali assumes that some of the token... |
| CVE-2021-20292 | 2021-05-28 | There is a flaw reported in the Linux kernel in versions before 5.9 in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The issue results from the lack of validating the... |
| CVE-2021-33591 | 2021-05-28 | An exposed remote debugging port in Naver Comic Viewer prior to 1.0.15.0 allowed a remote attacker to execute arbitrary code via a crafted HTML page. |
| CVE-2021-27032 | 2021-05-28 | Autodesk Licensing Installer was found to be vulnerable to privilege escalation issues. A malicious user with limited privileges could run any number of tools on a system to identify services... |
| CVE-2021-21734 | 2021-05-28 | Some PON MDU devices of ZTE stored sensitive information in plaintext, and users with login authority can obtain it by inputing command. This affects: ZTE PON MDU device ZXA10 F821... |
| CVE-2010-3843 | 2021-05-28 | The GTK version of ettercap uses a global settings file at /tmp/.ettercap_gtk and does not verify ownership of this file. When parsing this file for settings in gtkui_conf_read() (src/interfacesgtk/ec_gtk_conf.c), an... |
| CVE-2020-1716 | 2021-05-28 | A flaw was found in the ceph-ansible playbook where it contained hardcoded passwords that were being used as default passwords while deploying Ceph services. Any authenticated attacker can abuse this... |
| CVE-2020-1729 | 2021-05-28 | A flaw was found in SmallRye's API through version 1.6.1. The API can allow other code running within the application server to potentially obtain the ClassLoader, bypassing any permissions checks... |
| CVE-2021-29628 | 2021-05-28 | In FreeBSD 13.0-STABLE before n245764-876ffe28796c, 12.2-STABLE before r369857, 13.0-RELEASE before p1, and 12.2-RELEASE before p7, a system call triggering a fault could cause SMAP protections to be disabled for the... |
| CVE-2021-29629 | 2021-05-28 | In FreeBSD 13.0-STABLE before n245765-bec0d2c9c841, 12.2-STABLE before r369859, 11.4-STABLE before r369866, 13.0-RELEASE before p1, 12.2-RELEASE before p7, and 11.4-RELEASE before p10, missing message validation in libradius(3) could allow malicious clients... |
| CVE-2020-15782 | 2021-05-28 | A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V2.9.2), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) (All versions), SIMATIC ET 200SP... |
| CVE-2021-32642 | 2021-05-28 | Missing input validation in dynamic discovery example scripts. |
| CVE-2013-4536 | 2021-05-28 | An user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to to corrupt QEMU process memory on the... |
| CVE-2021-32637 | 2021-05-28 | Authentication bypassed with malformed request URI |
| CVE-2021-32646 | 2021-05-28 | Escalation of permissions in roomer |
| CVE-2021-20267 | 2021-05-28 | A flaw was found in openstack-neutron's default Open vSwitch firewall rules. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate... |
| CVE-2021-22519 | 2021-05-28 | Execute arbitrary code vulnerability in Micro Focus SiteScope product, affecting versions 11.40,11.41 , 2018.05(11.50), 2018.08(11.51), 2018.11(11.60), 2019.02(11.70), 2019.05(11.80), 2019.08(11.90), 2019.11(11.91), 2020.05(11.92), 2020.10(11.93). The vulnerability could allow remote attackers to execute... |
| CVE-2020-26642 | 2021-05-28 | A cross-site scripting (XSS) vulnerability has been discovered in the login page of SeaCMS version 11 which allows an attacker to inject arbitrary web script or HTML. |
| CVE-2020-26641 | 2021-05-28 | A Cross Site Request Forgery (CSRF) vulnerability was discovered in iCMS 7.0.16 which can allow an attacker to execute arbitrary web scripts. |
| CVE-2021-32635 | 2021-05-28 | Action Commands (run/shell/exec) Against Library URIs Ignore Configured Remote Endpoint |
| CVE-2021-32616 | 2021-05-28 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in 1CDN |
| CVE-2020-18395 | 2021-05-28 | A NULL-pointer deference issue was discovered in GNU_gama::set() in ellipsoid.h in Gama 2.04 which can lead to a denial of service (DOS) via segment faults caused by crafted inputs. |
| CVE-2020-36366 | 2021-05-28 | Stack overflow vulnerability in parse_value Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. |
| CVE-2020-36371 | 2021-05-28 | Stack overflow vulnerability in parse_mul_div_rem Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. |
| CVE-2020-18392 | 2021-05-28 | Stack overflow vulnerability in parse_array Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. |
| CVE-2020-36370 | 2021-05-28 | Stack overflow vulnerability in parse_unary Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. |
| CVE-2020-36368 | 2021-05-28 | Stack overflow vulnerability in parse_statement Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. |
| CVE-2020-36367 | 2021-05-28 | Stack overflow vulnerability in parse_block Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. |
| CVE-2020-36372 | 2021-05-28 | Stack overflow vulnerability in parse_plus_minus Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. |
| CVE-2020-36369 | 2021-05-28 | Stack overflow vulnerability in parse_statement_list Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. |
| CVE-2020-36374 | 2021-05-28 | Stack overflow vulnerability in parse_comparison Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. |
| CVE-2020-36373 | 2021-05-28 | Stack overflow vulnerability in parse_shifts Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. |
| CVE-2020-36375 | 2021-05-28 | Stack overflow vulnerability in parse_equality Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file. |
| CVE-2021-32619 | 2021-05-28 | Static imports inside dynamically imported modules do not adhere to permission checks |
| CVE-2021-29507 | 2021-05-28 | dlt-daemon could crash if there is special character in dlt.conf |
| CVE-2021-29505 | 2021-05-28 | XStream is vulnerable to a Remote Command Execution attack |
| CVE-2021-29492 | 2021-05-28 | Bypass of path matching rules using escaped slash characters |
| CVE-2021-32621 | 2021-05-28 | Script injection without script or programming rights through Gadget titles |
| CVE-2021-32620 | 2021-05-28 | Users registered with email verification can self re-activate their disabled accounts |
| CVE-2021-32647 | 2021-05-28 | Post-authentication Remote Code Execution (RCE) in emissary:emissary |
| CVE-2021-25641 | 2021-05-29 | Dubbo Zookeeper does not check serialization id |
| CVE-2021-30181 | 2021-05-29 | Apache Dubbo RCE on customers via Script route poisoning (Nashorn script injection) |
| CVE-2021-30461 | 2021-05-29 | A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code)... |
| CVE-2021-31702 | 2021-05-29 | Frontier ichris through 5.18 mishandles making a DNS request for the hostname in the HTTP Host header, as demonstrated by submitting 127.0.0.1 multiple times for DoS. |
| CVE-2021-31703 | 2021-05-29 | Frontier ichris through 5.18 allows users to upload malicious executable files that might later be downloaded and run by any client user. |
| CVE-2021-33564 | 2021-05-29 | An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option... |
| CVE-2021-33790 | 2021-05-31 | The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with... |
| CVE-2021-25640 | 2021-05-31 | Open Redirect or SSRF vulnerability usage of parseURL |
| CVE-2021-30179 | 2021-05-31 | Apache Dubbo Pre-auth RCE via Java deserialization in the Generic filter |
| CVE-2021-30180 | 2021-05-31 | Apache Dubbo RCE on customers via Condition route poisoning (Unsafe YAML unmarshaling) |
| CVE-2020-10666 | 2021-05-31 | The restapps (aka Rest Phone apps) module for Sangoma FreePBX and PBXact 13, 14, and 15 through 15.0.19.2 allows remote code execution via a URL variable to an AMI command. |
| CVE-2021-23388 | 2021-05-31 | Regular Expression Denial of Service (ReDoS) |
| CVE-2021-20575 | 2021-05-31 | IBM Security Verify Access 20.07 allows web pages to be stored locally which can be read by another user on the system. X-Force ID: 199278. |
| CVE-2021-20576 | 2021-05-31 | IBM Security Verify Access 20.07 could allow a remote attacker to send a specially crafted HTTP GET request that could cause the application to crash. |
| CVE-2021-20585 | 2021-05-31 | IBM Security Verify Access 20.07 could disclose sensitive information in HTTP server headers that could be used in further attacks against the system. IBM X-Force ID: 199398. |
| CVE-2021-29665 | 2021-05-31 | IBM Security Verify Access 20.07 is vulnerable to a stack based buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code on the... |
| CVE-2019-4471 | 2021-05-31 | IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for a sensitive cookie in an... |
| CVE-2019-4653 | 2021-05-31 | IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially... |
| CVE-2019-4722 | 2021-05-31 | IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain sensitive information via a stack trace due to mishandling of certain error conditions. IBM X-Force ID: 172128. |
| CVE-2019-4723 | 2021-05-31 | IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings in New Data Server Connection page. IBM X-Force... |
| CVE-2019-4724 | 2021-05-31 | IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings in New Content Backup page. IBM X-Force ID:... |
| CVE-2019-4730 | 2021-05-31 | IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive... |
| CVE-2020-4300 | 2021-05-31 | IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive... |
| CVE-2020-4354 | 2021-05-31 | IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially... |
| CVE-2020-4520 | 2021-05-31 | IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to inject malicious HTML code that when viewed by the authenticated victim would execute the code. IBM X-Force ID:... |
| CVE-2020-4561 | 2021-05-31 | IBM Cognos Analytics 11.0 and 11.1 DQM API allows submitting of all control requests in unauthenticated sessions. This allows a remote attacker who can access a valid CA endpoint to... |
| CVE-2021-31684 | 2021-06-01 | A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request. |
| CVE-2021-32027 | 2021-06-01 | A flaw was found in postgresql in versions before 13.3, before 12.7, before 11.12, before 10.17 and before 9.6.22. While modifying certain SQL array values, missing bounds checks let authenticated... |
| CVE-2021-33180 | 2021-06-01 | Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary SQL commands... |
| CVE-2021-29092 | 2021-06-01 | Unrestricted upload of file with dangerous type vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary code via unspecified vectors. |
| CVE-2021-29088 | 2021-06-01 | Improper limitation of a pathname to a restricted directory ('Path Traversal') in cgi component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified... |
| CVE-2021-33183 | 2021-06-01 | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability container volume management component in Synology Docker before 18.09.0-0515 allows local users to read or write arbitrary files... |
| CVE-2021-33184 | 2021-06-01 | Server-Side request forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.15-3563 allows remote authenticated users to read arbitrary files via unspecified vectors. |