Total
29527 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2006-7168 | 1 Phpbb | 1 Phpbb | 2021-03-29 | 7.5 HIGH | N/A |
| PHP remote file inclusion vulnerability in includes/not_mem.php in the Add Name module for PHP allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. | |||||
| CVE-2020-35782 | 1 Netgear | 8 Gs116e, Gs116e Firmware, Jgs516pe and 5 more | 2021-03-26 | 7.8 HIGH | 8.1 HIGH |
| Certain NETGEAR devices are affected by lack of access control at the function level. This affects JGS516PE before 2.6.0.48, JGS524Ev2 before 2.6.0.48, JGS524PE before 2.6.0.48, and GS116Ev2 before 2.6.0.48. The TFTP firmware update mechanism does not properly implement firmware validations, allowing remote attackers to write arbitrary data to internal memory. | |||||
| CVE-2020-28503 | 1 Gulpjs | 1 Copy-props | 2021-03-26 | 7.5 HIGH | 9.8 CRITICAL |
| The package copy-props before 2.0.5 are vulnerable to Prototype Pollution via the main functionality. | |||||
| CVE-2020-28501 | 1 Crawlerdetect Project | 1 Crawlerdetect | 2021-03-26 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package es6-crawler-detect before 3.1.3. No limitation of user agent string length supplied to regex operators. | |||||
| CVE-2021-27292 | 1 Ua-parser-js Project | 1 Ua-parser-js | 2021-03-23 | 5.0 MEDIUM | 7.5 HIGH |
| ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time. | |||||
| CVE-2021-22645 | 2 Luxion, Siemens | 8 Keyshot, Keyshot Network Rendering, Keyshot Viewer and 5 more | 2021-03-23 | 6.8 MEDIUM | 7.8 HIGH |
| Luxion KeyShot versions prior to 10.1, Luxion KeyShot Viewer versions prior to 10.1, Luxion KeyShot Network Rendering versions prior to 10.1, and Luxion KeyVR versions prior to 10.1 are vulnerable to an attack because the .bip documents display a “load” command, which can be pointed to a .dll from a remote network share. As a result, the .dll entry point can be executed without sufficient UI warning. | |||||
| CVE-2021-22887 | 2 Pulsesecure, Supermicro | 24 Psa-5000, Psa-5000 Firmware, Psa-7000 and 21 more | 2021-03-22 | 2.1 LOW | 2.3 LOW |
| A vulnerability in the BIOS of Pulse Secure (PSA-Series Hardware) models PSA5000 and PSA7000 could allow an attacker to compromise BIOS firmware. This vulnerability can be exploited only as part of an attack chain. Before an attacker can compromise the BIOS, they must exploit the device. | |||||
| CVE-2015-2296 | 3 Canonical, Mageia Project, Python | 3 Ubuntu Linux, Mageia, Requests | 2021-03-18 | 6.8 MEDIUM | N/A |
| The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect. | |||||
| CVE-2021-0398 | 1 Google | 1 Android | 2021-03-15 | 4.6 MEDIUM | 7.8 HIGH |
| In bindServiceLocked of ActiveServices.java, there is a possible foreground service launch due to a confused deputy. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-173516292 | |||||
| CVE-2019-25025 | 1 Rubyonrails | 1 Active Record Session Store | 2021-03-15 | 5.0 MEDIUM | 5.3 MEDIUM |
| The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a relatively short amount of time. This is a related issue to CVE-2019-16782. | |||||
| CVE-2021-21331 | 1 Datadoghq | 1 Datadog-api-client-java | 2021-03-10 | 4.3 MEDIUM | 3.3 LOW |
| The Java client for the Datadog API before version 1.0.0-beta.9 has a local information disclosure of sensitive information downloaded via the API using the API Client. The Datadog API is executed on a unix-like system with multiple users. The API is used to download a file containing sensitive information. This sensitive information is exposed locally to other users. This vulnerability exists in the API Client for version 1 and 2. The method `prepareDownloadFilecreates` creates a temporary file with the permissions bits of `-rw-r--r--` on unix-like systems. On unix-like systems, the system temporary directory is shared between users. As such, the contents of the file downloaded via the `downloadFileFromResponse` method will be visible to all other users on the local system. Analysis of the finding determined that the affected code was unused, meaning that the exploitation likelihood is low. The unused code has been removed, effectively mitigating this issue. This issue has been patched in version 1.0.0-beta.9. As a workaround one may specify `java.io.tmpdir` when starting the JVM with the flag `-Djava.io.tmpdir`, specifying a path to a directory with `drw-------` permissions owned by `dd-agent`. | |||||
| CVE-2020-9963 | 1 Apple | 3 Ipados, Iphone Os, Mac Os X | 2021-03-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| The issue was addressed with improved handling of icon caches. This issue is fixed in macOS Big Sur 11.0.1, iOS 14.0 and iPadOS 14.0. A malicious app may be able to determine the existence of files on the computer. | |||||
| CVE-2021-28032 | 1 Nano Arena Project | 1 Nano Arena | 2021-03-09 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the nano_arena crate before 0.5.2 for Rust. There is an aliasing violation in split_at because two mutable references can exist for the same element, if Borrow<Idx> behaves in certain ways. This can have a resultant out-of-bounds write or use-after-free. | |||||
| CVE-2021-23346 | 1 Html-parse-stringify Project | 1 Html-parse-stringify | 2021-03-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| This affects the package html-parse-stringify before 2.0.1; all versions of package html-parse-stringify2. Sending certain input could cause one of the regular expressions that is used for parsing to backtrack, freezing the process. | |||||
| CVE-2020-4725 | 1 Ibm | 1 Cloud Application Performance Management | 2021-03-08 | 3.5 LOW | 3.5 LOW |
| IBM Monitoring (IBM Cloud APM 8.1.4 ) could allow an authenticated user to modify HTML content by sending a specially crafted HTTP request to the APM UI, which could mislead another user. IBM X-Force ID: 187974. | |||||
| CVE-2021-25348 | 1 Samsung | 1 Internet | 2021-03-05 | 2.1 LOW | 2.4 LOW |
| Improper permission grant check in Samsung Internet prior to version 13.0.1.60 allows access to files in internal storage without authorized STORAGE permission. | |||||
| CVE-2021-22661 | 1 Prosoft-technology | 4 Icx35-hwc-a, Icx35-hwc-a Firmware, Icx35-hwc-e and 1 more | 2021-03-05 | 5.0 MEDIUM | 7.5 HIGH |
| Changing the password on the module webpage does not require the user to type in the current password first. Thus, the password could be changed by a user or external process without knowledge of the current password on the ICX35-HWC-A and ICX35-HWC-E (Versions 1.9.62 and prior). | |||||
| CVE-2020-0518 | 1 Intel | 1 Graphics Drivers | 2021-03-04 | 2.1 LOW | 5.5 MEDIUM |
| Improper access control in the Intel(R) HD Graphics Control Panel before version 15.40.46.5144 and 15.36.39.5143 may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2019-19680 | 1 Proofpoint | 1 Enterprise Protection | 2021-03-04 | 6.8 MEDIUM | 8.8 HIGH |
| A file-extension filtering vulnerability in Proofpoint Enterprise Protection (PPS / PoD), in the unpatched versions of PPS through 8.9.22 and 8.14.2 respectively, allows attackers to bypass protection mechanisms (related to extensions, MIME types, virus detection, and journal entries for transmitted files) by sending malformed (not RFC compliant) multipart email. | |||||
| CVE-2011-4362 | 2 Debian, Lighttpd | 2 Debian Linux, Lighttpd | 2021-03-04 | 5.0 MEDIUM | N/A |
| Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index. | |||||