CVE List - 2021 / May
Showing 601 - 700 of 1494 CVEs for May 2021 (Page 7 of 15)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-3528 | 2021-05-13 | A flaw was found in noobaa-operator in versions before 5.7.0, where internal RPC AuthTokens between the noobaa operator and the noobaa core are leaked into log files. An attacker with... |
| CVE-2020-21342 | 2021-05-13 | Insecure permissions issue in zzcms 201910 allows resetting any user's password via /one/getpassword.php. |
| CVE-2021-20025 | 2021-05-13 | SonicWall Email Security Virtual Appliance version 10.0.9 and earlier versions contain a default username and a password that is used at initial setup. An attacker could exploit this transitional/temporary user... |
| CVE-2021-32917 | 2021-05-13 | An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server,... |
| CVE-2021-32918 | 2021-05-13 | An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3. |
| CVE-2021-32919 | 2021-05-13 | An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing... |
| CVE-2021-32920 | 2021-05-13 | Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. |
| CVE-2021-32921 | 2021-05-13 | An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially... |
| CVE-2021-20181 | 2021-05-13 | A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error,... |
| CVE-2021-20535 | 2021-05-13 | IBM Jazz Reporting Service 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially... |
| CVE-2021-20221 | 2021-05-13 | An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0 on the aarch64 platform. The issue occurs because while... |
| CVE-2021-22135 | 2021-05-13 | Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester... |
| CVE-2021-22136 | 2021-05-13 | In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities... |
| CVE-2021-22137 | 2021-05-13 | In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when... |
| CVE-2021-22138 | 2021-05-13 | In Logstash versions after 6.4.0 and before 6.8.15 and 7.12.0 a TLS certificate validation flaw was found in the monitoring feature. When specifying a trusted server CA certificate Logstash would... |
| CVE-2021-22139 | 2021-05-13 | Kibana versions before 7.12.1 contain a denial of service vulnerability in the webhook actions due to a lack of timeout or a limit on the request size. An... |
| CVE-2021-22140 | 2021-05-13 | Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker... |
| CVE-2021-32925 | 2021-05-13 | admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities. |
| CVE-2021-29506 | 2021-05-13 | The Navigate endpoint is vulnerable to regex injection that may lead to Denial of Service. |
| CVE-2021-29510 | 2021-05-13 | Use of "infinity" as an input to datetime and date fields causes an infinite loop in pydantic. |
| CVE-2021-23906 | 2021-05-13 | An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. A Message Length is not checked in the HiQnet Protocol, leading to... |
| CVE-2021-27413 | 2021-05-13 | Omron CX-One Versions 4.60 and prior, including CX-Server Versions 5.0.29.0 and prior, are vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code. |
| CVE-2021-23907 | 2021-05-13 | An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. The count in MultiSvGet, GetAttributes, and MultiSvSet is not checked in the... |
| CVE-2021-23908 | 2021-05-13 | An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. A type confusion issue affects MultiSvSetAttributes in the HiQnet Protocol, leading to... |
| CVE-2021-23909 | 2021-05-13 | An issue was discovered in HERMES 2.1 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. The SH2 MCU allows remote code execution. |
| CVE-2021-23910 | 2021-05-13 | An issue was discovered in HERMES 2.1 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. There is an out-of-bounds array access in RemoteDiagnosisApp. |
| CVE-2020-23995 | 2021-05-13 | An information disclosure vulnerability in ILIAS before 5.3.19, 5.4.12 and 6.0 allows remote authenticated attackers to get the upload data path via a workspace upload. |
| CVE-2020-23996 | 2021-05-13 | A local file inclusion vulnerability in ILIAS before 5.3.19, 5.4.10 and 6.0 allows remote authenticated attackers to execute arbitrary code via the import of personal data. |
| CVE-2019-10062 | 2021-05-13 | The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it... |
| CVE-2021-31876 | 2021-05-13 | Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial... |
| CVE-2021-32615 | 2021-05-13 | Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection. |
| CVE-2021-33026 | 2021-05-13 | The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache... |
| CVE-2020-27769 | 2021-05-14 | In ImageMagick versions before 7.0.9-0, there are values outside the range of representable values of type 'float' at MagickCore/quantize.c. |
| CVE-2021-32819 | 2021-05-14 | Remote code execution in squirrelly |
| CVE-2021-32051 | 2021-05-14 | Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter. |
| CVE-2021-31922 | 2021-05-14 | An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved... |
| CVE-2021-30183 | 2021-05-14 | Cleartext storage of sensitive information in multiple versions of Octopus Server where in certain situations when running import or export processes, the password used to encrypt and decrypt sensitive values... |
| CVE-2020-27020 | 2021-05-14 | Password generator feature in Kaspersky Password Manager was not completely cryptographically strong and potentially allowed an attacker to predict generated passwords in some cases. An attacker would need to know... |
| CVE-2020-27149 | 2021-05-14 | By exploiting a vulnerability in NPort IA5150A/IA5250A Series before version 1.5, a user with “Read Only” privilege level can send requests via the web console to have the device’s configuration... |
| CVE-2020-27150 | 2021-05-14 | In multiple versions of NPort IA5000A Series, the result of exporting a device’s configuration contains the passwords of all users on the system and other sensitive data in the original... |
| CVE-2021-24188 | 2021-05-14 | WP Content Copy Protection & No Right Click < 3.1.5 - Arbitrary Plugin Installation/Activation via Low Privilege User |
| CVE-2021-24189 | 2021-05-14 | Captchinoo, Google recaptcha for admin login page < 2.4 - Arbitrary Plugin Installation/Activation via Low Privilege User |
| CVE-2021-24190 | 2021-05-14 | WooCommerce Conditional Marketing Mailer < 1.5.2 - Arbitrary Plugin Installation/Activation via Low Privilege User |
| CVE-2021-24191 | 2021-05-14 | WP Maintenance Mode & Site Under Construction < 1.8.2 - Arbitrary Plugin Installation/Activation via Low Privilege User |
| CVE-2021-24192 | 2021-05-14 | Tree Sitemap < 2.9 - Arbitrary Plugin Installation/Activation via Low Privilege User |
| CVE-2021-24193 | 2021-05-14 | Visitor Traffic Real Time Statistics < 2.12 - Arbitrary Plugin Installation/Activation via Low Privilege User |
| CVE-2021-24194 | 2021-05-14 | Login Protection - Limit Failed Login Attempts < 2.9 - Arbitrary Plugin Installation/Activation via Low Privilege User |
| CVE-2021-24195 | 2021-05-14 | Login as User or Customer (User Switching) < 1.9 - Arbitrary Plugin Installation/Activation via Low Privilege User |
| CVE-2021-24277 | 2021-05-14 | RSS for Yandex Turbo < 1.30 - Authenticated Stored Cross-Site Scripting (XSS) |
| CVE-2021-24278 | 2021-05-14 | Redirection for Contact Form 7 < 2.3.4 - Unauthenticated Arbitrary Nonce Generation |
| CVE-2021-24279 | 2021-05-14 | Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Plugin Installation |
| CVE-2021-24280 | 2021-05-14 | Redirection for Contact Form 7 < 2.3.4 - Authenticated PHP Object Injection |
| CVE-2021-24281 | 2021-05-14 | Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Post Deletion |
| CVE-2021-24282 | 2021-05-14 | Redirection for Contact Form 7 < 2.3.4 - Unprotected AJAX Actions |
| CVE-2021-24283 | 2021-05-14 | Accordion < 2.2.30 - Authenticated Reflected Cross-Site Scripting (XSS) |
| CVE-2021-24284 | 2021-05-14 | Kaswara Modern VC Addons <= 3.0.1 - Unauthenticated Arbitrary File Upload |
| CVE-2021-24285 | 2021-05-14 | Car Seller - Auto Classifieds Script <= 2.1.0 - Unauthenticated SQL Injection |
| CVE-2021-24286 | 2021-05-14 | Redirect 404 to Parent < 1.3.1 - Reflected Cross-Site Scripting (XSS) |
| CVE-2021-24287 | 2021-05-14 | Select All Categories and Taxonomies < 1.3.2 - Reflected Cross-Site Scripting (XSS) |
| CVE-2021-24291 | 2021-05-14 | Photo Gallery < 1.5.69 - Multiple Reflected Cross-Site Scripting (XSS) |
| CVE-2020-27184 | 2021-05-14 | The NPort IA5000A Series devices use Telnet as one of the network device management services. Telnet does not support the encryption of client-server communications, making it vulnerable to Man-in-the-Middle attacks. |
| CVE-2020-27185 | 2021-05-14 | Cleartext transmission of sensitive information via Moxa Service in NPort IA5000A series serial devices. Successfully exploiting the vulnerability could enable attackers to read authentication data, device configuration, and other sensitive... |
| CVE-2021-32613 | 2021-05-14 | In radare2 through 5.3.0 there is a double free vulnerability in the pyc parser via a crafted file which can lead to DoS. |
| CVE-2020-18166 | 2021-05-14 | Unrestricted File Upload in LAOBANCMS v2.0 allows remote attackers to upload arbitrary files by attaching a file with a ".jpg.php" extension to the component "admin/wenjian.php?wj=../templets/pc". |
| CVE-2020-18167 | 2021-05-14 | Cross Site Scripting (XSS) in LAOBANCMS v2.0 allows remote attackers to execute arbitrary code by injecting commands into the "Homepage Introduction" field of component "admin/info.php?shuyu". |
| CVE-2021-25943 | 2021-05-14 | Prototype pollution vulnerability in '101' versions 1.0.0 through 1.6.3 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-25941 | 2021-05-14 | Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2020-23689 | 2021-05-14 | In YFCMF v2.3.1, there is a stored XSS vulnerability in the comments section of the news page. |
| CVE-2020-23691 | 2021-05-14 | YFCMF v2.3.1 has a Remote Command Execution (RCE) vulnerability in the index.php. |
| CVE-2020-4811 | 2021-05-14 | IBM Cloud Pak for Security (CP4S) 1.4.0.0, 1.5.0.0, 1.5.0.1, 1.6.0.0, and 1.6.0.1 could allow a privileged user to inject malicious data using a specially crafted HTTP request due to... |
| CVE-2020-4985 | 2021-05-14 | IBM Planning Analytics Local 2.0 could allow an attacker to obtain sensitive information due to accepting body parameters in a query. IBM X-Force ID: 192642. |
| CVE-2021-20391 | 2021-05-14 | IBM QRadar User Behavior Analytics 1.0.0 through 4.1.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 195999. |
| CVE-2021-20392 | 2021-05-14 | IBM QRadar User Behavior Analytics 1.0.0 through 4.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended... |
| CVE-2021-20393 | 2021-05-14 | IBM QRadar User Behavior Analytics 1.0.0 through 4.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information... |
| CVE-2021-20429 | 2021-05-14 | IBM QRadar User Behavior Analytics 1.0.0 through 4.1.0 could disclose sensitive information due to an overly permissive cross-domain policy. IBM X-Force ID: 196334. |
| CVE-2021-20564 | 2021-05-14 | IBM Cloud Pak for Security (CP4S) 1.4.0.0, 1.5.0.0, 1.5.0.1, 1.6.0.0, and 1.6.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict... |
| CVE-2021-20565 | 2021-05-14 | IBM Cloud Pak for Security (CP4S) 1.4.0.0, 1.5.0.0, 1.5.0.1, 1.6.0.0, and 1.6.0.1 uses a protection mechanism that relies on the existence or values of an input, but the input can... |
| CVE-2021-32816 | 2021-05-14 | Regular expression Denial of Service in ProtonMail |
| CVE-2021-32817 | 2021-05-14 | File disclosure in express-hbs |
| CVE-2021-32818 | 2021-05-14 | Remote code execution and reflected cross-site scripting in haml-coffee |
| CVE-2021-32820 | 2021-05-14 | File disclosure in Express Handlebars |
| CVE-2021-29512 | 2021-05-14 | Heap buffer overflow in `RaggedBinCount` |
| CVE-2021-29554 | 2021-05-14 | Division by 0 in `DenseCountSparseOutput` |
| CVE-2021-29553 | 2021-05-14 | Heap OOB in `QuantizeAndDequantizeV3` |
| CVE-2021-29552 | 2021-05-14 | CHECK-failure in `UnsortedSegmentJoin` |
| CVE-2021-29551 | 2021-05-14 | OOB read in `MatrixTriangularSolve` |
| CVE-2021-29550 | 2021-05-14 | Division by 0 in `FractionalAvgPool` |
| CVE-2021-29549 | 2021-05-14 | Division by 0 in `QuantizedAdd` |
| CVE-2021-29548 | 2021-05-14 | Division by 0 in `QuantizedBatchNormWithGlobalNormalization` |
| CVE-2021-29547 | 2021-05-14 | Heap out of bounds in `QuantizedBatchNormWithGlobalNormalization` |
| CVE-2021-29546 | 2021-05-14 | Division by 0 in `QuantizedBiasAdd` |
| CVE-2021-29545 | 2021-05-14 | Heap buffer overflow in `SparseTensorToCSRSparseMatrix` |
| CVE-2021-29544 | 2021-05-14 | CHECK-fail in `QuantizeAndDequantizeV4Grad` |
| CVE-2021-29543 | 2021-05-14 | CHECK-fail in `CTCGreedyDecoder` |
| CVE-2021-29542 | 2021-05-14 | Heap buffer overflow in `StringNGrams` |
| CVE-2021-29541 | 2021-05-14 | Null pointer dereference in `StringNGrams` |
| CVE-2021-29540 | 2021-05-14 | Heap buffer overflow in `Conv2DBackpropFilter` |
| CVE-2021-29539 | 2021-05-14 | Segfault in `tf.raw_ops.ImmutableConst` |
| CVE-2021-29538 | 2021-05-14 | Division by zero in `Conv2DBackpropFilter` |
| CVE-2021-29537 | 2021-05-14 | Heap buffer overflow in `QuantizedResizeBilinear` |