CVE List - 2021 / May
Showing 1001 - 1100 of 1494 CVEs for May 2021 (Page 11 of 15)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-21345 | 2021-05-20 | Cross Site Scripting (XSS) vulnerability in Halo 1.1.3 via post publish components in the manage panel, which lets a remote malicious user execute arbitrary code. |
| CVE-2021-27956 | 2021-05-20 | Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field. |
| CVE-2021-28902 | 2021-05-20 | In function read_yin_container() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL. In some cases, it can be NULL, which leads to the operation of... |
| CVE-2021-28903 | 2021-05-20 | A stack overflow in libyang <= v1.0.225 can cause a denial of service through function lyxml_parse_mem(). lyxml_parse_elem() function will be called recursively, which will consume stack space and lead to... |
| CVE-2021-28904 | 2021-05-20 | In function ext_get_plugin() in libyang <= v1.0.225, it doesn't check whether the value of revision is NULL. If revision is NULL, the operation of strcmp(revision, ext_plugins[u].revision) will lead to a... |
| CVE-2021-28905 | 2021-05-20 | In function lys_node_free() in libyang <= v1.0.225, it asserts that the value of node->module can't be NULL. But in some cases, node->module can be null, which triggers a reachable assertion... |
| CVE-2021-28906 | 2021-05-20 | In function read_yin_leaf() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL. In some cases, it can be NULL, which leads to the operation of... |
| CVE-2021-22409 | 2021-05-20 | There is a denial of service vulnerability in some versions of ManageOne. There is a logic error in the implementation of a function of a module. When the service pressure... |
| CVE-2021-33477 | 2021-05-20 | rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by... |
| CVE-2021-22339 | 2021-05-20 | There is a denial of service vulnerability in some versions of ManageOne. In specific scenarios, due to the insufficient verification of the parameter, an attacker may craft some specific parameter.... |
| CVE-2020-18220 | 2021-05-20 | Weak Encoding for Password in DoraCMS v2.1.1 and earlier allows attackers to obtain sensitive information as it does not use a random salt or IV for its AES-CBC encryption, causes... |
| CVE-2020-27209 | 2021-05-20 | The ECDSA operation of the micro-ecc library 1.0 is vulnerable to simple power analysis attacks which allows an adversary to extract the private ECC key. |
| CVE-2021-31439 | 2021-05-21 | This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerablity. The specific flaw exists within the... |
| CVE-2021-28798 | 2021-05-21 | Relative Path Traversal Vulnerability in QTS and QuTS hero |
| CVE-2021-32032 | 2021-05-21 | In Trusted Firmware-M through 1.3.0, cleaning up the memory allocated for a multi-part cryptographic operation (in the event of a failure) can prevent the abort() operation in the associated cryptographic... |
| CVE-2020-12061 | 2021-05-21 | An issue was discovered in Nitrokey FIDO U2F firmware through 1.1. Communication between the microcontroller and the secure element transmits credentials in plain. This allows an adversary to eavesdrop the... |
| CVE-2020-27208 | 2021-05-21 | The flash read-out protection (RDP) level is not enforced during the device initialization phase of the SoloKeys Solo 4.0.0 & Somu and the Nitrokey FIDO2 token. This allows an adversary... |
| CVE-2021-29415 | 2021-05-21 | The elliptic curve cryptography (ECC) hardware accelerator, part of the ARM® TrustZone® CryptoCell 310, contained in the NordicSemiconductor nRF52840 through 2021-03-29 has a non-constant time ECDSA implemenation. This allows an... |
| CVE-2021-29414 | 2021-05-21 | STMicroelectronics STM32L4 devices through 2021-03-29 have incorrect physical access control. |
| CVE-2020-27212 | 2021-05-21 | STMicroelectronics STM32L4 devices through 2020-10-19 have incorrect access control. The flash read-out protection (RDP) can be degraded from RDP level 2 (no access via debug interface) to level 1 (limited... |
| CVE-2020-27211 | 2021-05-21 | Nordic Semiconductor nRF52840 devices through 2020-10-19 have improper protection against physical side channels. The flash read-out protection (APPROTECT) can be bypassed by injecting a fault during the boot phase. |
| CVE-2021-32633 | 2021-05-21 | Remote Code Execution via traversal in TAL expressions |
| CVE-2021-31440 | 2021-05-21 | This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system... |
| CVE-2021-31473 | 2021-05-21 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.3.37598. User interaction is required to exploit this vulnerability in that the target must visit... |
| CVE-2021-31474 | 2021-05-21 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1. Authentication is not required to exploit this vulnerability. The specific flaw exists... |
| CVE-2021-31475 | 2021-05-21 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Orion Job Scheduler 2020.2.1 HF 2. Authentication is required to exploit this vulnerability. The specific flaw... |
| CVE-2020-36328 | 2021-05-21 | A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat... |
| CVE-2020-36329 | 2021-05-21 | A flaw was found in libwebp in versions before 1.0.1. A use-after-free was found due to a thread being killed too early. The highest threat from this vulnerability is to... |
| CVE-2020-36330 | 2021-05-21 | A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkVerifyAndAssign. The highest threat from this vulnerability is to data confidentiality and to... |
| CVE-2020-36331 | 2021-05-21 | A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkAssignData. The highest threat from this vulnerability is to data confidentiality and to... |
| CVE-2020-36332 | 2021-05-21 | A flaw was found in libwebp in versions before 1.0.1. When reading a file libwebp allocates an excessive amount of memory. The highest threat from this vulnerability is to the... |
| CVE-2018-25009 | 2021-05-21 | A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE16(). |
| CVE-2018-25010 | 2021-05-21 | A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ApplyFilter(). |
| CVE-2018-25011 | 2021-05-21 | A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in PutLE16(). |
| CVE-2018-25012 | 2021-05-21 | A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE24(). |
| CVE-2018-25013 | 2021-05-21 | A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ShiftBytes(). |
| CVE-2018-25014 | 2021-05-21 | A use of uninitialized value was found in libwebp in versions before 1.0.1 in ReadSymbol(). |
| CVE-2020-23765 | 2021-05-21 | A file upload vulnerability was discovered in the file path /bl-plugins/backup/plugin.php on Bludit version 3.12.0. If an attacker is able to gain Administrator rights they will be able to use... |
| CVE-2020-23766 | 2021-05-21 | An arbitrary file deletion vulnerability was discovered on htmly v2.7.5 which allows remote attackers to use any absolute path to delete any file in the server should they gain Administrator... |
| CVE-2020-23768 | 2021-05-21 | An information disclosure vulnerability was discovered in alipay_function.php in the log file of Alibaba payment interface on PHPPYUN prior to version 5.0.1. If exploited, this vulnerability will allow attackers to... |
| CVE-2021-27811 | 2021-05-21 | A code injection vulnerability has been discovered in the Upgrade function of QibosoftX1 v1.0. An attacker is able execute arbitrary PHP code via exploitation of client_upgrade_edition.php and Upgrade.php. |
| CVE-2021-32634 | 2021-05-21 | Deserialization of Untrusted Data in Emissary |
| CVE-2021-29681 | 2021-05-21 | IBM InfoSphere Information Server 11.7 could allow an attacker to obtain sensitive information by injecting parameters into an HTML query. This information could be used in further attacks against the... |
| CVE-2008-3280 | 2021-05-21 | It was found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with... |
| CVE-2021-33500 | 2021-05-21 | PuTTY before 0.75 on Windows allows remote servers to cause a denial of service (Windows GUI hang) by telling the PuTTY window to change its title repeatedly at high speed,... |
| CVE-2021-21549 | 2021-05-21 | Dell EMC XtremIO Versions prior to 6.3.3-8, contain a Cross-Site Request Forgery Vulnerability in XMS. A non-privileged attacker could potentially exploit this vulnerability, leading to a privileged victim application user... |
| CVE-2021-21552 | 2021-05-21 | Dell Wyse Windows Embedded System versions WIE10 LTSC 2019 and earlier contain an improper authorization vulnerability. A local authenticated malicious user with low privileges may potentially exploit this vulnerability to... |
| CVE-2021-33513 | 2021-05-21 | Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool. |
| CVE-2021-33512 | 2021-05-21 | Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document. |
| CVE-2021-33511 | 2021-05-21 | Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel. |
| CVE-2021-33510 | 2021-05-21 | Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file. |
| CVE-2021-33509 | 2021-05-21 | Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script. |
| CVE-2021-33508 | 2021-05-21 | Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item. |
| CVE-2021-33507 | 2021-05-21 | Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS. |
| CVE-2021-33514 | 2021-05-21 | Certain NETGEAR devices are affected by command injection by an unauthenticated attacker via the vulnerable /sqfs/lib/libsal.so.0.0 library used by a CGI application, as demonstrated by setup.cgi?token=';$HTTP_USER_AGENT;' with an OS command... |
| CVE-2021-1306 | 2021-05-22 | Cisco ADE-OS Local File Inclusion Vulnerability |
| CVE-2021-1254 | 2021-05-22 | Cisco Finesse Cross-Site Scripting Vulnerabilities |
| CVE-2021-1550 | 2021-05-22 | Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities |
| CVE-2021-1551 | 2021-05-22 | Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities |
| CVE-2021-1552 | 2021-05-22 | Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities |
| CVE-2021-1553 | 2021-05-22 | Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities |
| CVE-2021-1554 | 2021-05-22 | Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities |
| CVE-2021-1555 | 2021-05-22 | Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities |
| CVE-2021-1557 | 2021-05-22 | Cisco DNA Spaces Connector Privilege Escalation Vulnerabilities |
| CVE-2021-1558 | 2021-05-22 | Cisco DNA Spaces Connector Privilege Escalation Vulnerabilities |
| CVE-2021-1559 | 2021-05-22 | Cisco DNA Spaces Connector Command Injection Vulnerabilities |
| CVE-2021-1560 | 2021-05-22 | Cisco DNA Spaces Connector Command Injection Vulnerabilities |
| CVE-2021-1549 | 2021-05-22 | Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities |
| CVE-2021-1548 | 2021-05-22 | Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities |
| CVE-2021-1547 | 2021-05-22 | Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities |
| CVE-2021-1531 | 2021-05-22 | Cisco Modeling Labs Web UI Command Injection Vulnerability |
| CVE-2021-1487 | 2021-05-22 | Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager Command Injection Vulnerability |
| CVE-2021-1358 | 2021-05-22 | Cisco Finesse Open Redirect Vulnerability |
| CVE-2021-20713 | 2021-05-24 | Privilege escalation vulnerability in QND Advance/Premium/Standard Ver.11.0.4i and earlier allows an attacker who can log in to the PC where the product's Windows client is installed to gain administrative privileges... |
| CVE-2021-20722 | 2021-05-24 | Untrusted search path vulnerability in the installers of ScanSnap Manager prior to versions V7.0L20 and the Software Download Installer prior to WinSSInst2JP.exe and WinSSInst2iX1500JP.exe allows an attacker to gain privileges... |
| CVE-2021-20723 | 2021-05-24 | Reflected cross-site scripting vulnerability in [MailForm01] free edition (versions which the last updated date listed at the top of descriptions in the program file is from 2014 December 12 to... |
| CVE-2021-20724 | 2021-05-24 | Reflected cross-site scripting vulnerability in the admin page of [Telop01] free edition ver1.0.1 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors. |
| CVE-2021-20725 | 2021-05-24 | Reflected cross-site scripting vulnerability in the admin page of [Calendar01] free edition ver1.0.1 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors. |
| CVE-2021-20726 | 2021-05-24 | Untrusted search path vulnerability in The Installer of Overwolf 2.168.0.n and earlier allows an attacker to gain privileges and execute arbitrary code with the privilege of the user invoking the... |
| CVE-2021-33496 | 2021-05-24 | Dutchcoders transfer.sh before 1.2.4 allows XSS via an inline view. |
| CVE-2021-33497 | 2021-05-24 | Dutchcoders transfer.sh before 1.2.4 allows Directory Traversal for deleting files. |
| CVE-2021-25938 | 2021-05-24 | In ArangoDB, versions v2.2.6.2 through v3.7.10 are vulnerable to Cross-Site Scripting (XSS), since there is no validation of the .zip file name and filtering of potential abusive characters which zip... |
| CVE-2021-24294 | 2021-05-24 | DSGVO All in one for WP < 4.0 - Unauthenticated Stored Cross-Site Scripting (XSS) |
| CVE-2021-24296 | 2021-05-24 | WP Customer Reviews < 3.5.6 - Authenticated Stored Cross-Site Scripting (XSS) |
| CVE-2021-24297 | 2021-05-24 | Goto < 2.1 - Reflected Cross-Site Scripting (XSS) |
| CVE-2021-24298 | 2021-05-24 | Simple Giveaways < 2.36.2 - Unauthenticated Reflected Cross-Site Scripting (XSS) |
| CVE-2021-24300 | 2021-05-24 | PickPlugins Product Slider for WooCommerce < 1.13.22 - Reflected Cross-Site Scripting (XSS) |
| CVE-2021-24301 | 2021-05-24 | Hotjar Connecticator <= 1.1.1 - Authenticated Stored Cross-Site Scripting (XSS) |
| CVE-2021-24302 | 2021-05-24 | Hana Flv Player <= 3.1.3 - Authenticated Stored Cross-Site Scripting (XSS) |
| CVE-2021-24305 | 2021-05-24 | Target First Plugin 2.0 - Unauthenticated Stored XSS via Licence Key |
| CVE-2021-24306 | 2021-05-24 | Ultimate Member < 2.1.20 - Authenticated Reflected Cross-Site Scripting (XSS) |
| CVE-2021-24307 | 2021-05-24 | All in One SEO Pack < 4.1.0.2 - Admin RCE via unserialize |
| CVE-2021-24308 | 2021-05-24 | LifterLMS < 4.21.1 - Authenticated Stored XSS in Edit Profile |
| CVE-2021-24332 | 2021-05-24 | Autoptimize < 2.8.4 - Authenticated Stored Cross-Site Scripting (XSS) |
| CVE-2021-21000 | 2021-05-24 | WAGO: PFC200 Denial of Service due to the number of connections to the runtime |
| CVE-2021-21001 | 2021-05-24 | WAGO: PFC200 Access to files outside the home directory |
| CVE-2021-21987 | 2021-05-24 | VMware Workstation (16.x prior to 16.1.2) and Horizon Client for Windows (5.x prior to 5.5.2) contain out-of-bounds read vulnerability in the Cortado ThinPrint component (TTC Parser). A malicious actor with... |
| CVE-2021-21988 | 2021-05-24 | VMware Workstation (16.x prior to 16.1.2) and Horizon Client for Windows (5.x prior to 5.5.2) contain out-of-bounds read vulnerability in the Cortado ThinPrint component (JPEG2000 Parser). A malicious actor with... |
| CVE-2021-21989 | 2021-05-24 | VMware Workstation (16.x prior to 16.1.2) and Horizon Client for Windows (5.x prior to 5.5.2) contain out-of-bounds read vulnerability in the Cortado ThinPrint component (TTC Parser). A malicious actor with... |
| CVE-2021-3559 | 2021-05-24 | A flaw was found in libvirt in the virConnectListAllNodeDevices API in versions before 7.0.0. It only affects hosts with a PCI device and driver that supports mediated devices (e.g., GRID... |