Les dernières vulnérabilités publiées sur la National Vulnerability Database (NVD)

CVE-2019-10881 - Xerox AltaLink B8045/B8055/B8065/B8075/B8090, AltaLink C8030/C8035/C8045/C8055/C8070 with software releases before 103.xxx.030.32000 includes two accounts with weak hard-coded passwords which can be exploited and allow unauthorized access which cannot be disabled.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2019-10881
Partager : LinkedIn / Twitter / Facebook

CVE-2020-13566 - SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability In admin/edit_group.php, when the POST parameter action is “Delete”, the POST parameter delete_group leads to a SQL injection.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-13566
Partager : LinkedIn / Twitter / Facebook

CVE-2020-13568 - SQL injection vulnerability exists in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability in admin/edit_group.php, when the POST parameter action is “Submit”, the POST parameter parent_id leads to a SQL injection.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-13568
Partager : LinkedIn / Twitter / Facebook

CVE-2020-27227 - An exploitable unatuhenticated command injection exists in the OpenClinic GA 5.173.3. Specially crafted web requests can cause commands to be executed on the server. An attacker can send a web request with parameters containing specific parameter to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and compromise underlying operating system.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-27227
Partager : LinkedIn / Twitter / Facebook

CVE-2020-27228 - An incorrect default permissions vulnerability exists in the installation functionality of OpenClinic GA 5.173.3. Overwriting the binary can result in privilege escalation. An attacker can replace a file to exploit this vulnerability.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-27228
Partager : LinkedIn / Twitter / Facebook

CVE-2020-27233 - An exploitable SQL injection vulnerability exists in ‘getAssets.jsp' page of OpenClinic GA 5.173.3 in the supplierUID parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-27233
Partager : LinkedIn / Twitter / Facebook

CVE-2020-27234 - An exploitable SQL injection vulnerability exists in ‘getAssets.jsp' page of OpenClinic GA 5.173.3 in the serviceUID parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-27234
Partager : LinkedIn / Twitter / Facebook

CVE-2020-27235 - An exploitable SQL injection vulnerability exists in ‘getAssets.jsp' page of OpenClinic GA 5.173.3 in the description parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-27235
Partager : LinkedIn / Twitter / Facebook

CVE-2020-27236 - An exploitable SQL injection vulnerability exists in ‘getAssets.jsp' page of OpenClinic GA 5.173.3 in the compnomenclature parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-27236
Partager : LinkedIn / Twitter / Facebook

CVE-2020-28590 - An out-of-bounds read vulnerability exists in the Obj File TriangleMesh::TriangleMesh() functionality of Slic3r libslic3r 1.3.0 and Master Commit 92abbc42. A specially crafted obj file could lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-28590
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0400 - In injectBestLocation and handleUpdateLocation of GnssLocationProvider.java, there is a possible incorrect reporting of location data to emergency services due to improper input validation. This could lead to incorrect reporting of location data to emergency services with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11Android ID: A-177561690
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0400
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0426 - In parsePrimaryFieldFirstUidAnnotation of LogEvent.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174485572
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0426
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0427 - In parseExclusiveStateAnnotation of LogEvent.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174488848
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0427
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0428 - In getSimSerialNumber of TelephonyManager.java, there is a possible way to read a trackable identifier due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-173421434
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0428
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0429 - In pollOnce of ALooper.cpp, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-175074139
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0429
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0430 - In rw_mfc_handle_read_op of rw_mfc.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution via a malicious NFC packet with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-178725766
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0430
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0431 - In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a paired device with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-174149901
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0431
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0432 - In ClearPullerCacheIfNecessary and ForceClearPullerCache of StatsPullerManager.cpp, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-173552790
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0432
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0433 - In onCreate of DeviceChooserActivity.java, there is a possible way to bypass user consent when pairing a Bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of privilege and pairing malicious devices with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171221090
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0433
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0435 - In avrc_proc_vendor_command of avrc_api.cc, there is a possible leak of heap data due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-174150451
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0435
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0436 - In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out of bounds read due to integer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-176496160
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0436
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0437 - In setPlayPolicy of DrmPlugin.cpp, there is a possible double free. This could lead to local escalation of privilege in a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-176168330
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0437
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0438 - In several functions of InputDispatcher.cpp, WindowManagerService.java, and related files, there is a possible tapjacking attack due to an incorrect FLAG_OBSCURED value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10Android ID: A-152064592
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0438
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0439 - In setPowerModeWithHandle of com_android_server_power_PowerManagerService.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174243830
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0439
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0442 - In updateInfo of android_hardware_input_InputApplicationHandle.cpp, there is a possible control of code flow due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174768985
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0442
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0443 - In several functions of ScreenshotHelper.java and related files, there is a possible incorrectly saved screenshot due to a race condition. This could lead to local information disclosure across user profiles with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-170474245
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0443
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0444 - In onActivityResult of QuickContactActivity.java, there is an unnecessary return of an intent. This could lead to local information disclosure of contact data with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-178825358
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0444
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0445 - In start of WelcomeActivity.java, there is a possible residual profile due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-9Android ID: A-172322502
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0445
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0446 - In ImportVCardActivity, there is a possible way to bypass user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-172252122
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0446
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0468 - In LK, there is a possible escalation of privilege due to an insecure default value. This could lead to local escalation of privilege for an attacker who has physical access to the device with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-180427272
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0468
Partager : LinkedIn / Twitter / Facebook

CVE-2021-0471 - In decrypt_1_2 of CryptoPlugin.cpp, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-176444786
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-0471
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21399 - Ampache is a web based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache using the subsonic API. To successfully make the attack you must use a username that is not part of the site to bypass the auth checks. For more details and workaround guidance see the referenced GitHub security advisory.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21399
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21482 - SAP NetWeaver Master Data Management, versions - 710, 710.750, allows a malicious unauthorized user with access to the MDM Server subnet to find the password using a brute force method. If successful, the attacker could obtain access to highly sensitive data and MDM administrative privileges leading to information disclosure vulnerability thereby affecting the confidentiality and integrity of the application. This happens when security guidelines and recommendations concerning administrative accounts of an SAP NetWeaver Master Data Management installation have not been thoroughly reviewed.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21482
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21483 - Under certain conditions SAP Solution Manager, version - 720, allows a high privileged attacker to get access to sensitive information which has a direct serious impact beyond the exploitable component thereby affecting the confidentiality in the application.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21483
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21485 - An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to gain NTLM hashes of a privileged user.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21485
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21492 - SAP NetWeaver Application Server Java(HTTP Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate logon group in URLs, resulting in a content spoofing vulnerability when directory listing is enabled.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21492
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21729 - Some ZTE products have CSRF vulnerability. Because some pages lack CSRF random value verification, attackers could perform illegal authorization operations by constructing messages.This affects: ZXHN H168N V3.5.0_EG1T5_TE, V2.5.5, ZXHN H108N V2.5.5_BTMT1
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21729
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21730 - A ZTE product is impacted by improper access control vulnerability. The attacker could exploit this vulnerability to access CLI by brute force attacks.This affects: ZXHN H168N V3.5.0_TY.T6
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21730
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21731 - A CSRF vulnerability exists in the management page of a ZTE product.The vulnerability is caused because the management page does not fully verify whether the request comes from a trusted user. The attacker could submit a malicious request to the affected device to delete the data. This affects: ZXCLOUD iRAI All versions up to KVM-ProductV6.03.04
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21731
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21784 - An out-of-bounds write vulnerability exists in the JPG format SOF marker processing of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21784
Partager : LinkedIn / Twitter / Facebook

CVE-2021-22505 - Escalation of privileges vulnerability in Micro Focus Operations Agent, affects versions 12.0x, 12.10, 12.11, 12.12, 12.14 and 12.15. The vulnerability could be exploited to escalate privileges and execute code under the account of the Operations Agent.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-22505
Partager : LinkedIn / Twitter / Facebook

CVE-2021-22716 - A CWE-269: Improper Privilege Management vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when an unprivileged user modifies a file.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-22716
Partager : LinkedIn / Twitter / Facebook

CVE-2021-22717 - A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when processing config files.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-22717
Partager : LinkedIn / Twitter / Facebook

CVE-2021-22718 - A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when restoring project files.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-22718
Partager : LinkedIn / Twitter / Facebook

CVE-2021-22719 - A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when a file is uploaded.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-22719
Partager : LinkedIn / Twitter / Facebook

CVE-2021-22720 - A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when restoring a project.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-22720
Partager : LinkedIn / Twitter / Facebook

CVE-2021-23276 - Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-23276
Partager : LinkedIn / Twitter / Facebook

CVE-2021-23277 - Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-23277
Partager : LinkedIn / Twitter / Facebook

CVE-2021-23278 - Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-23278
Partager : LinkedIn / Twitter / Facebook

CVE-2021-23279 - Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-23279
Partager : LinkedIn / Twitter / Facebook

CVE-2021-23280 - Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file upload vulnerability. IPM's maps_srv.js allows an attacker to upload a malicious NodeJS file using uploadBackgroud action. An attacker can upload a malicious code or execute any command using a specially crafted packet to exploit the vulnerability.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-23280
Partager : LinkedIn / Twitter / Facebook

CVE-2021-23281 - Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated remote code execution vulnerability. IPM software does not sanitize the date provided via coverterCheckList action in meta_driver_srv.js class. Attackers can send a specially crafted packet to make IPM connect to rouge SNMP server and execute attacker-controlled code.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-23281
Partager : LinkedIn / Twitter / Facebook

CVE-2021-23372 - All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-23372
Partager : LinkedIn / Twitter / Facebook

CVE-2021-25250 - An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a sensitive file could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-25250
Partager : LinkedIn / Twitter / Facebook

CVE-2021-25253 - An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a resource used by the service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-25253
Partager : LinkedIn / Twitter / Facebook

CVE-2021-26413 - Windows Installer Spoofing Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-26413
Partager : LinkedIn / Twitter / Facebook

CVE-2021-26415 - Windows Installer Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-28440.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-26415
Partager : LinkedIn / Twitter / Facebook

CVE-2021-26416 - Windows Hyper-V Denial of Service Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-26416
Partager : LinkedIn / Twitter / Facebook

CVE-2021-26417 - Windows Overlay Filter Information Disclosure Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-26417
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27064 - Visual Studio Installer Elevation of Privilege Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27064
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27067 - Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27067
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27072 - Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-28310.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27072
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27079 - Windows Media Photo Codec Information Disclosure Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27079
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27086 - Windows Services and Controller App Elevation of Privilege Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27086
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27088 - Windows Event Tracing Elevation of Privilege Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27088
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27089 - Microsoft Internet Messaging API Remote Code Execution Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27089
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27090 - Windows Secure Kernel Mode Elevation of Privilege Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27090
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27091 - RPC Endpoint Mapper Service Elevation of Privilege Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27091
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27092 - Azure AD Web Sign-in Security Feature Bypass Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27092
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27093 - Windows Kernel Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-28309.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27093
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27094 - Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-28447.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27094
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27095 - Windows Media Video Decoder Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-28315.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27095
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27096 - NTFS Elevation of Privilege Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27096
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27598 - SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27598
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27600 - SAP Manufacturing Execution (System Rules), versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in Stored Cross-Site Scripting (XSS) vulnerability. The malicious code can be used for different purposes. e.g., information can be read, modified, and sent to the attacker. However, availability of the server cannot be impacted.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27600
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27601 - SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27601
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27602 - SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27602
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27603 - An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for any length of time. An attacker could call this function module multiple times to block all work processes thereby causing Denial of Service and affecting the Availability of the SAP system.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27603
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27605 - SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform proper authorization check, allowing an authenticated but unauthorized attacker to read personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read some information like last name, first name of the employees, so there is some loss of confidential information, Integrity and Availability are not impacted.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27605
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27609 - SAP Focused RUN versions 200, 300, does not perform necessary authorization checks for an authenticated user, which allows a user to call the oData service and manipulate the activation for the SAP EarlyWatch Alert service data collection and sending to SAP without the intended authorization.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27609
Partager : LinkedIn / Twitter / Facebook

CVE-2021-27905 - The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-27905
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28309 - Windows Kernel Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-27093.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28309
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28310 - Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-27072.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28310
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28311 - Windows Application Compatibility Cache Denial of Service Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28311
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28312 - Windows NTFS Denial of Service Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28312
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28313 - Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-28321, CVE-2021-28322.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28313
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28314 - Windows Hyper-V Elevation of Privilege Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28314
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28315 - Windows Media Video Decoder Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-27095.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28315
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28316 - Windows WLAN AutoConfig Service Security Feature Bypass Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28316
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28317 - Microsoft Windows Codecs Library Information Disclosure Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28317
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28318 - Windows GDI+ Information Disclosure Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28318
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28319 - Windows TCP/IP Driver Denial of Service Vulnerability This CVE ID is unique from CVE-2021-28439.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28319
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28320 - Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28320
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28321 - Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-28313, CVE-2021-28322.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28321
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28322 - Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-28313, CVE-2021-28321.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28322
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28323 - Windows DNS Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-28328.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28323
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28324 - Windows SMB Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-28325.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28324
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28325 - Windows SMB Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-28324.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28325
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28326 - Windows AppX Deployment Server Denial of Service Vulnerability
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28326
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28327 - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-28329, CVE-2021-28330, CVE-2021-28331, CVE-2021-28332, CVE-2021-28333, CVE-2021-28334, CVE-2021-28335, CVE-2021-28336, CVE-2021-28337, CVE-2021-28338, CVE-2021-28339, CVE-2021-28340, CVE-2021-28341, CVE-2021-28342, CVE-2021-28343, CVE-2021-28344, CVE-2021-28345, CVE-2021-28346, CVE-2021-28352, CVE-2021-28353, CVE-2021-28354, CVE-2021-28355, CVE-2021-28356, CVE-2021-28357, CVE-2021-28358, CVE-2021-28434.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28327
Partager : LinkedIn / Twitter / Facebook

Les annonces ayant été modifiées dernièrement

CVE-2020-13587 - An exploitable SQL injection vulnerability exists in the "forms_fields_rules/rules" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-13587
Partager : LinkedIn / Twitter / Facebook

CVE-2020-13591 - An exploitable SQL injection vulnerability exists in the "access_rules/rules_form" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-13591
Partager : LinkedIn / Twitter / Facebook

CVE-2020-13592 - An exploitable SQL injection vulnerability exists in "global_lists/choices" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-13592
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23761 - Cross Site Scripting (XSS) vulnerability in subrion CMS Version
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23761
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23762 - Cross Site Scripting (XSS) vulnerability in the Larsens Calender plugin Version
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23762
Partager : LinkedIn / Twitter / Facebook

CVE-2020-23763 - SQL injection in admin.php in Online Book Store 1.0 allows remote attackers to execute arbitrary SQL commands and bypass authentication.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-23763
Partager : LinkedIn / Twitter / Facebook

CVE-2020-24135 - A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Wcms 0.3.2, which allows remote attackers to inject arbitrary web script and HTML via the type parameter to wex/cssjs.php.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-24135
Partager : LinkedIn / Twitter / Facebook

CVE-2020-24136 - Directory traversal in Wcms 0.3.2 allows an attacker to read arbitrary files on the server that is running an application via the pagename parameter to wex/html.php.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-24136
Partager : LinkedIn / Twitter / Facebook

CVE-2020-24137 - Directory traversal vulnerability in Wcms 0.3.2 allows an attacker to read arbitrary files on the server that is running an application via the path parameter to wex/cssjs.php.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-24137
Partager : LinkedIn / Twitter / Facebook

CVE-2020-24138 - Cross Site Scripting (XSS) vulnerability in wcms 0.3.2 allows remote attackers to inject arbitrary web script and HTML via the pagename parameter to wex/html.php.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-24138
Partager : LinkedIn / Twitter / Facebook

CVE-2020-24139 - Server-side request forgery in Wcms 0.3.2 lets an attacker send crafted requests from the back-end server of a vulnerable web application via the path parameter to wex/cssjs.php. It can help identify open ports, local network hosts and execute command on local services.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-24139
Partager : LinkedIn / Twitter / Facebook

CVE-2020-24140 - Server-side request forgery in Wcms 0.3.2 let an attacker send crafted requests from the back-end server of a vulnerable web application via the pagename parameter to wex/html.php. It can help identify open ports, local network hosts and execute command on local services.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-24140
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36309 - ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe characters in an argument when using the API to mutate a URI, or a request or response header.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36309
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36310 - An issue was discovered in the Linux kernel before 5.8. arch/x86/kvm/svm/svm.c allows a set_memory_region_test infinite loop for certain nested page faults, aka CID-e72436bc3a52.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36310
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36311 - An issue was discovered in the Linux kernel before 5.9. arch/x86/kvm/svm/sev.c allows attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions), aka CID-7be74942f184.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36311
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36312 - An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36312
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36313 - An issue was discovered in the Linux kernel before 5.7. The KVM subsystem allows out-of-range access to memslots after a deletion, aka CID-0774a964ef56. This affects arch/s390/kvm/kvm-s390.c, include/linux/kvm_host.h, and virt/kvm/kvm_main.c.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36313
Partager : LinkedIn / Twitter / Facebook

CVE-2020-36314 - fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used by GNOME Shell and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-11736.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-36314
Partager : LinkedIn / Twitter / Facebook

CVE-2020-4920 - IBM Jazz Team Server products are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191396.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-4920
Partager : LinkedIn / Twitter / Facebook

CVE-2020-4964 - IBM Jazz Team Server products contain an undisclosed vulnerability that could allow an authenticated user to present a customized message on the application which could be used to phish other users. IBM X-Force ID: 192419.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-4964
Partager : LinkedIn / Twitter / Facebook

CVE-2020-4965 - IBM Jazz Team Server products use weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 192422.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2020-4965
Partager : LinkedIn / Twitter / Facebook

CVE-2021-1380 - Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an interface user. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by persuading an interface user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-1380
Partager : LinkedIn / Twitter / Facebook

CVE-2021-1399 - A vulnerability in the Self Care Portal of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to modify data on an affected system without proper authorization. The vulnerability is due to insufficient validation of user-supplied data to the Self Care Portal. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to modify information without proper authorization.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-1399
Partager : LinkedIn / Twitter / Facebook

CVE-2021-1404 - A vulnerability in the PDF parsing module in Clam AntiVirus (ClamAV) Software versions 0.103.0 and 0.103.1 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper buffer size tracking that may result in a heap buffer over-read. An attacker could exploit this vulnerability by sending a crafted PDF file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to crash, resulting in a denial of service condition.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-1404
Partager : LinkedIn / Twitter / Facebook

CVE-2021-1405 - A vulnerability in the email parsing module in Clam AntiVirus (ClamAV) Software version 0.103.1 and all prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper variable initialization that may result in an NULL pointer read. An attacker could exploit this vulnerability by sending a crafted email to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process crash, resulting in a denial of service condition.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-1405
Partager : LinkedIn / Twitter / Facebook

CVE-2021-1463 - A vulnerability in the web-based management interface of Cisco Unified Intelligence Center Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-1463
Partager : LinkedIn / Twitter / Facebook

CVE-2021-1472 - Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. A remote attacker could execute arbitrary commands or bypass authentication and upload files on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-1472
Partager : LinkedIn / Twitter / Facebook

CVE-2021-20480 - IBM WebSphere Application Server 7.0, 8.0, and 8.5 is vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data. IBM X-Force ID: 197502.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-20480
Partager : LinkedIn / Twitter / Facebook

CVE-2021-20519 - IBM Jazz Team Server products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198441.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-20519
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21194 - Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21194
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21195 - Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21195
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21196 - Heap buffer overflow in TabStrip in Google Chrome on Windows prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21196
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21197 - Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21197
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21198 - Out of bounds read in IPC in Google Chrome prior to 89.0.4389.114 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21198
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21199 - Use after free in Aura in Google Chrome on Linux prior to 89.0.4389.114 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21199
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21392 - Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addresses were used. Outbound requests to federation, identity servers, when calculating the key validity for third-party invite events, sending push notifications, and generating URL previews are affected. This could cause Synapse to make requests to internal infrastructure on dual-stack networks. See referenced GitHub security advisory for details and workarounds.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21392
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21393 - Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21393
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21394 - Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21394
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21639 - Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21639
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21640 - Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21640
Partager : LinkedIn / Twitter / Facebook

CVE-2021-21641 - A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin 3.9 and earlier allows attackers to to promote builds.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-21641
Partager : LinkedIn / Twitter / Facebook

CVE-2021-22497 - Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to improper session management issue.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-22497
Partager : LinkedIn / Twitter / Facebook

CVE-2021-22510 - Reflected XSS vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects all version 6.7 and earlier versions.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-22510
Partager : LinkedIn / Twitter / Facebook

CVE-2021-22512 - Cross-Site Request Forgery (CSRF) vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow form validation without permission checks.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-22512
Partager : LinkedIn / Twitter / Facebook

CVE-2021-24150 - The LikeBtn WordPress Like Button Rating â™¥ LikeBtn WordPress plugin before 2.6.32 was vulnerable to Unauthenticated Full-Read Server-Side Request Forgery (SSRF).
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-24150
Partager : LinkedIn / Twitter / Facebook

CVE-2021-24197 - The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to access the data of another user that are present in the same table by taking over the user permissions on the table through formdata[wdt_ID] parameter. By exploiting this issue an attacker is able to access and manage the data of all users in the same table.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-24197
Partager : LinkedIn / Twitter / Facebook

CVE-2021-24198 - The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to delete the data of another user that are present in the same table through id_key and id_val parameters. By exploiting this issue an attacker is able to delete the data of all users in the same table.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-24198
Partager : LinkedIn / Twitter / Facebook

CVE-2021-24199 - The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-24199
Partager : LinkedIn / Twitter / Facebook

CVE-2021-24200 - The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'length' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-24200
Partager : LinkedIn / Twitter / Facebook

CVE-2021-28166 - In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL pointer dereference would occur.
13/04/2021 | https://nvd.nist.gov/vuln/detail/CVE-2021-28166
Partager : LinkedIn / Twitter / Facebook