CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In March 2021(Gain Information)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-29647 +Info 2021-03-30 2021-06-23
2.1
None Local Low Not required Partial None None
An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure, aka CID-50535249f624.
2 CVE-2021-29082 200 +Info 2021-03-23 2021-03-24
3.3
None Local Network Low Not required Partial None None
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects RBW30 before 2.6.1.4, RBS40V before 2.6.1.4, RBK752 before 3.2.15.25, RBK753 before 3.2.15.25, RBK753S before 3.2.15.25, RBK754 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.15.25, RBK853 before 3.2.15.25, RBK854 before 3.2.15.25, RBR850 before 3.2.15.25, and RBS850 before 3.2.15.25.
3 CVE-2021-28133 200 +Info 2021-03-18 2021-03-26
4.3
None Remote Medium Not required Partial None None
Zoom through 5.5.4 sometimes allows attackers to read private information on a participant's screen, even though the participant never attempted to share the private part of their screen. When a user shares a specific application window via the Share Screen functionality, other meeting participants can briefly see contents of other application windows that were explicitly not shared. The contents of these other windows can (for instance) be seen for a short period of time when they overlay the shared window and get into focus. (An attacker can, of course, use a separate screen-recorder application, unsupported by Zoom, to save all such contents for later replays and analysis.) Depending on the unintentionally shared data, this short exposure of screen contents may be a more or less severe security issue.
4 CVE-2021-27244 125 Exec Code +Info 2021-03-29 2021-04-27
2.1
None Local Low Not required Partial None None
This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 16.0.1-48919. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-11925.
5 CVE-2021-26966 89 Sql +Info 2021-03-05 2021-03-10
5.5
None Remote Low ??? Partial Partial None
A remote authenticated sql injection vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Multiple vulnerabilities in the API of AirWave could allow an authenticated remote attacker to conduct SQL injection attacks against the AirWave instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database.
6 CVE-2021-26965 89 Sql +Info 2021-03-05 2021-03-10
5.5
None Remote Low ??? Partial Partial None
A remote authenticated sql injection vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Multiple vulnerabilities in the API of AirWave could allow an authenticated remote attacker to conduct SQL injection attacks against the AirWave instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database.
7 CVE-2021-26923 287 +Info 2021-03-15 2021-03-18
5.0
None Remote Low Not required Partial None None
An issue was discovered in Argo CD before 1.8.4. Accessing the endpoint /api/version leaks internal information for the system, and this endpoint is not protected with authentication.
8 CVE-2021-26884 200 +Info 2021-03-11 2021-03-13
2.1
None Local Low Not required Partial None None
Windows Media Photo Codec Information Disclosure Vulnerability
9 CVE-2021-26869 200 +Info 2021-03-11 2021-03-15
2.1
None Local Low Not required Partial None None
Windows ActiveX Installer Service Information Disclosure Vulnerability
10 CVE-2021-25333 200 +Info 2021-03-04 2021-03-11
1.9
None Local Medium Not required Partial None None
Improper access control in Samsung Pay mini application prior to v4.0.14 allows unauthorized access to balance information over the lockscreen via scanning specific QR code.
11 CVE-2021-25332 200 +Info 2021-03-04 2021-03-11
1.9
None Local Medium Not required Partial None None
Improper access control in Samsung Pay mini application prior to v4.0.14 allows unauthorized access to contacts information over the lockscreen in specific condition.
12 CVE-2021-25331 200 +Info 2021-03-04 2021-03-11
1.9
None Local Medium Not required Partial None None
Improper access control in Samsung Pay mini application prior to v4.0.14 allows unauthorized access to balance information over the lockscreen in specific condition.
13 CVE-2021-23981 119 Overflow Mem. Corr. +Info 2021-03-31 2021-08-06
5.8
None Remote Medium Not required Partial None Partial
A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.
14 CVE-2021-23890 200 +Info 2021-03-26 2021-07-02
5.8
None Remote Medium Not required Partial Partial None
Information leak vulnerability in the Agent Handler of McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 allows an unauthenticated user to download McAfee product packages (specifically McAfee Agent) available in ePO repository and install them on their own machines to have it managed and then in turn get policy details from the ePO server. This can only happen when the ePO Agent Handler is installed in a Demilitarized Zone (DMZ) to service machines not connected to the network through a VPN.
15 CVE-2021-22860 287 +Info 2021-03-17 2021-03-23
7.5
None Remote Low Not required Partial Partial Partial
EIC e-document system does not perform completed identity verification for sorting and filtering personnel data. The vulnerability allows remote attacker to obtain users’ credential information without logging in the system, and further acquire the privileged permissions and execute arbitrary commends.
16 CVE-2021-22506 200 +Info 2021-03-26 2021-04-01
5.0
None Remote Low Not required Partial None None
Advance configuration exposing Information Leakage vulnerability in Micro Focus Access Manager product, affects all versions prior to version 5.0. The vulnerability could cause information leakage.
17 CVE-2021-22496 287 Bypass +Info 2021-03-25 2021-03-25
5.0
None Remote Low Not required Partial None None
Authentication Bypass Vulnerability in Micro Focus Access Manager Product, affects all version prior to version 4.5.3.3. The vulnerability could cause information leakage.
18 CVE-2021-22310 532 +Info 2021-03-22 2021-03-26
2.1
None Local Low Not required Partial None None
There is an information leakage vulnerability in some huawei products. Due to the properly storage of specific information in the log file, the attacker can obtain the information when a user logs in to the device. Successful exploit may cause an information leak. Affected product versions include: NIP6300 versions V500R001C00,V500R001C20,V500R001C30;NIP6600 versions V500R001C00,V500R001C20,V500R001C30;Secospace USG6300 versions V500R001C00,V500R001C20,V500R001C30;Secospace USG6500 versions V500R001C00,V500R001C20,V500R001C30;Secospace USG6600 versions V500R001C00,V500R001C20,V500R001C30,V500R001C50,V500R001C60,V500R001C80;USG9500 versions V500R005C00,V500R005C10.
19 CVE-2021-22309 327 +Info 2021-03-22 2021-03-26
5.0
None Remote Low Not required Partial None None
There is insecure algorithm vulnerability in Huawei products. A module uses less random input in a secure mechanism. Attackers can exploit this vulnerability by brute forcing to obtain sensitive message. This can lead to information leak. Affected product versions include:USG9500 versions V500R001C30SPC200, V500R001C60SPC500,V500R005C00SPC200;USG9520 versions V500R005C00;USG9560 versions V500R005C00;USG9580 versions V500R005C00.
20 CVE-2021-22184 200 +Info 2021-03-26 2021-03-30
2.1
None Local Low Not required Partial None None
An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted.
21 CVE-2021-22169 200 +Info 2021-03-24 2021-03-25
4.0
None Remote Low ??? Partial None None
An issue was identified in GitLab EE 13.4 or later which leaked internal IP address via error messages.
22 CVE-2021-22134 200 +Info 2021-03-08 2021-04-30
4.0
None Remote Low ??? Partial None None
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.
23 CVE-2021-21725 863 +Info 2021-03-05 2021-03-12
2.7
None Local Network Low ??? Partial None None
A ZTE product has an information leak vulnerability. An attacker with higher authority can go beyond their authority to access files in other directories by performing specific operations, resulting in information leak. This affects: ZXHN H196Q V9.1.0C2.
24 CVE-2021-21396 200 +Info 2021-03-26 2021-08-27
4.0
None Remote Low ??? Partial None None
wire-server is an open-source back end for Wire, a secure collaboration platform. In wire-server from version 2021-02-16 and before version 2021-03-02, the client metadata of all users was exposed in the `GET /users/list-clients` endpoint. The endpoint could be used by any logged in user who could request client details of any other user (no connection required) as far as they can find their User ID. The exposed metadata included id, class, type, location, time, and cookie. A user on a Wire backend could use this endpoint to find registration time and location for each device for a given list of users. As a workaround, remove `/list-clients` from nginx config. This has been fixed in version 2021-03-02.
25 CVE-2021-21376 200 +Info 2021-03-23 2021-03-27
5.0
None Remote Low Not required Partial None None
OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 loads various information about the current user such as their id, name and the groups they are in, and these are available on the main webclient pages. This represents an information exposure vulnerability. Some additional information being loaded is not used by the webclient and is being removed in this release. This is fixed in version 5.9.0.
26 CVE-2021-21364 200 +Info 2021-03-11 2021-03-19
2.1
None Local Low Not required Partial None None
swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. In swagger-codegen before version 2.4.19, on Unix-Like systems, the system temporary directory is shared between all local users. When files/directories are created, the default `umask` settings for the process are respected. As a result, by default, most processes/apis will create files/directories with the permissions `-rw-r--r--` and `drwxr-xr-x` respectively, unless an API that explicitly sets safe file permissions is used. Because this vulnerability impacts generated code, the generated code will remain vulnerable until fixed manually! This vulnerability is fixed in version 2.4.19. Note this is a distinct vulnerability from CVE-2021-21363.
27 CVE-2021-21360 200 +Info 2021-03-09 2022-01-01
5.0
None Remote Low Not required Partial None None
Products.GenericSetup is a mini-framework for expressing the configured state of a Zope Site as a set of filesystem artifacts. In Products.GenericSetup before version 2.1.1 there is an information disclosure vulnerability - anonymous visitors may view log and snapshot files generated by the Generic Setup Tool. The problem has been fixed in version 2.1.1. Depending on how you have installed Products.GenericSetup, you should change the buildout version pin to 2.1.1 and re-run the buildout, or if you used pip simply do pip install `"Products.GenericSetup>=2.1.1"`.
28 CVE-2021-21336 200 +Info 2021-03-08 2021-05-22
4.0
None Remote Low ??? Partial None None
Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an information disclosure vulnerability - everyone can list the names of roles defined in the ZODB Role Manager plugin if the site uses this plugin. The problem has been fixed in version 2.6.0. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to 2.6.0 and re-run the buildout, or if you used pip simply do `pip install "Products.PluggableAuthService>=2.6.0"`.
29 CVE-2021-21190 908 +Info 2021-03-09 2021-12-03
6.8
None Remote Medium Not required Partial Partial Partial
Uninitialized data in PDFium in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file.
30 CVE-2021-21185 +Info 2021-03-09 2021-12-03
4.3
None Remote Medium Not required Partial None None
Insufficient policy enforcement in extensions in Google Chrome prior to 89.0.4389.72 allowed an attacker who convinced a user to install a malicious extension to obtain sensitive information via a crafted Chrome Extension.
31 CVE-2021-21181 203 +Info 2021-03-09 2021-12-03
4.3
None Remote Medium Not required Partial None None
Side-channel information leakage in autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
32 CVE-2021-21177 287 +Info 2021-03-09 2021-12-03
4.3
None Remote Medium Not required Partial None None
Insufficient policy enforcement in Autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
33 CVE-2021-21173 203 +Info 2021-03-09 2021-12-03
4.3
None Remote Medium Not required Partial None None
Side-channel information leakage in Network Internals in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
34 CVE-2021-21168 +Info 2021-03-09 2021-12-03
4.3
None Remote Medium Not required Partial None None
Insufficient policy enforcement in appcache in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
35 CVE-2021-20281 200 +Info 2021-03-15 2021-03-23
5.0
None Remote Low Not required Partial None None
It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
36 CVE-2021-3167 200 +Info 2021-03-15 2021-03-18
4.0
None Remote Low ??? Partial None None
In Cloudera Data Engineering (CDE) 1.3.0, JWT authentication tokens are exposed to administrators in virtual cluster server logs.
37 CVE-2021-3027 20 +Info 2021-03-26 2021-12-24
4.0
None Remote Low ??? Partial None None
app/views_mod/user/user.py in LibrIT PaSSHport through 2.5 is affected by LDAP Injection. There is an information leak through the crafting of special queries, escaping the provided search filter because user input gets no sanitization.
38 CVE-2021-1442 532 Exec Code +Info 2021-03-24 2021-03-30
6.9
None Local Medium Not required Complete Complete Complete
A vulnerability in a diagnostic command for the Plug-and-Play (PnP) subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to the level of an Administrator user (level 15) on an affected device. The vulnerability is due to insufficient protection of sensitive information. An attacker with low privileges could exploit this vulnerability by issuing the diagnostic CLI show pnp profile when a specific PnP listener is enabled on the device. A successful exploit could allow the attacker to obtain a privileged authentication token. This token can be used to send crafted PnP messages and execute privileged commands on the targeted system.
39 CVE-2021-1437 275 +Info 2021-03-24 2021-03-31
5.0
None Remote Low Not required Partial None None
A vulnerability in the FlexConnect Upgrade feature of Cisco Aironet Series Access Points Software could allow an unauthenticated, remote attacker to obtain confidential information from an affected device. This vulnerability is due to an unrestricted Trivial File Transfer Protocol (TFTP) configuration. An attacker could exploit this vulnerability by sending a specific TFTP request to an affected device. A successful exploit could allow the attacker to download any file from the filesystem of the affected access point (AP).
40 CVE-2021-1417 200 DoS +Info 2021-03-24 2021-03-29
4.0
None Remote Low ??? Partial None None
Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition. For more information about these vulnerabilities, see the Details section of this advisory.
41 CVE-2020-36240 200 +Info 2021-03-01 2021-07-21
5.0
None Remote Low Not required Partial None None
The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.
42 CVE-2020-36144 74 +Info 2021-03-18 2021-03-24
4.3
None Remote Medium Not required Partial None None
Redash 8.0.0 is affected by LDAP Injection. There is an information leak through the crafting of special queries, escaping the provided template since the username included in the search filter lacks sanitization.
43 CVE-2020-35518 200 +Info 2021-03-26 2021-04-01
5.0
None Remote Low Not required Partial None None
When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.
44 CVE-2020-29238 190 Overflow +Info 2021-03-10 2021-04-13
5.0
None Remote Low Not required Partial None None
An integer buffer overflow in the Nginx webserver of ExpressVPN Router version 1 allows remote attackers to obtain sensitive information when the server running as reverse proxy via specially crafted request.
45 CVE-2020-27290 200 +Info 2021-03-15 2021-03-22
2.1
None Local Low Not required Partial None None
In Hamilton Medical AG,T1-Ventillator versions 2.2.3 and prior, an information disclosure vulnerability in the ventilator allows attackers with physical access to the configuration interface's logs to get valid checksums for tampered configuration files.
46 CVE-2020-27171 193 +Info 2021-03-20 2021-04-08
3.6
None Local Low Not required Partial None Partial
An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.
47 CVE-2020-27170 203 +Info 2021-03-20 2021-04-08
1.9
None Local Medium Not required Partial None None
An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit.
48 CVE-2020-25579 200 +Info 2021-03-26 2021-06-03
5.0
None Remote Low Not required Partial None None
In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 msdosfs(5) was failing to zero-fill a pair of padding fields in the dirent structure, resulting in a leak of three uninitialized bytes.
49 CVE-2020-25578 200 +Info 2021-03-26 2021-06-03
5.0
None Remote Low Not required Partial None None
In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems.
50 CVE-2020-19419 287 +Info 2021-03-10 2021-03-18
5.0
None Remote Low Not required Partial None None
Incorrect Access Control in Emerson Smart Wireless Gateway 1420 4.6.59 allows remote attackers to obtain sensitive device information from the administrator console without authentication.
Total number of vulnerabilities : 55   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.