CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In April 2021

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
601 CVE-2021-27249 78 Exec Code 2021-04-14 2021-04-22
8.3
None Local Network Low Not required Complete Complete Complete
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-2020 v1.01rc001 Wi-Fi access points. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of CGI scripts. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-11369.
602 CVE-2021-27248 121 Exec Code 2021-04-14 2021-04-22
8.3
None Local Network Low Not required Complete Complete Complete
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-2020 v1.01rc001 Wi-Fi access points. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of CGI scripts. When parsing the getpage parameter, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-10932.
603 CVE-2021-27247 125 Exec Code 2021-04-14 2021-04-22
4.3
None Remote Medium Not required Partial None None
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Tencent WeChat 2.9.5 desktop version. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM decoder. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-11907.
604 CVE-2021-27246 121 Exec Code 2021-04-14 2021-04-22
7.9
None Local Network Medium Not required Complete Complete Complete
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 AC1750 1.0.15 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of MAC addresses by the tdpServer endpoint. A crafted TCP message can write stack pointers to the stack. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-12306.
605 CVE-2021-27183 610 Exec Code 2021-04-14 2021-04-21
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in MDaemon before 20.0.4. Administrators can use Remote Administration to exploit an Arbitrary File Write vulnerability. An attacker is able to create new files in any location of the filesystem, or he may be able to modify existing files. This vulnerability may directly lead to Remote Code Execution.
606 CVE-2021-27182 74 2021-04-14 2021-04-21
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in MDaemon before 20.0.4. There is an IFRAME injection vulnerability in Webmail (aka WorldClient). It can be exploited via an email message. It allows an attacker to perform any action with the privileges of the attacked user.
607 CVE-2021-27181 352 CSRF 2021-04-14 2021-04-21
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in MDaemon before 20.0.4. Remote Administration allows an attacker to perform a fixation of the anti-CSRF token. In order to exploit this issue, the user has to click on a malicious URL provided by the attacker and successfully authenticate into the application. Having the value of the anti-CSRF token, the attacker may trick the user into visiting his malicious page and performing any request with the privileges of attacked user.
608 CVE-2021-27180 79 XSS 2021-04-14 2021-04-21
4.3
None Remote Medium Not required None Partial None
An issue was discovered in MDaemon before 20.0.4. There is Reflected XSS in Webmail (aka WorldClient). It can be exploited via a GET request. It allows performing any action with the privileges of the attacked user.
609 CVE-2021-27130 89 Sql Bypass 2021-04-14 2021-04-19
7.5
None Remote Low Not required Partial Partial Partial
Online Reviewer System 1.0 contains a SQL injection vulnerability through authentication bypass, which may lead to a reverse shell upload.
610 CVE-2021-27129 79 XSS 2021-04-15 2021-04-19
3.5
None Remote Medium ??? None Partial None
CASAP Automated Enrollment System version 1.0 contains a cross-site scripting (XSS) vulnerability through the Students > Edit > ROUTE parameter.
611 CVE-2021-27114 787 Overflow 2021-04-14 2021-04-20
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in D-Link DIR-816 A2 1.10 B05 devices. Within the handler function of the /goform/addassignment route, a very long text entry for the "s_ip" and "s_mac" fields could lead to a Stack-Based Buffer Overflow and overwrite the return address.
612 CVE-2021-27113 78 2021-04-14 2021-04-20
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered in D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction within the handler function of the /goform/addRouting route. This could lead to Command Injection via Shell Metacharacters.
613 CVE-2021-27112 Exec Code 2021-04-15 2021-04-19
7.5
None Remote Low Not required Partial Partial Partial
LightCMS v1.3.5 contains a remote code execution vulnerability in /app/Http/Controllers/Admin/NEditorController.php during the downloading of external images.
614 CVE-2021-27096 269 2021-04-13 2021-04-16
4.6
None Local Low Not required Partial Partial Partial
NTFS Elevation of Privilege Vulnerability
615 CVE-2021-27095 Exec Code 2021-04-13 2021-04-16
6.8
None Remote Medium Not required Partial Partial Partial
Windows Media Video Decoder Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-28315.
616 CVE-2021-27094 Bypass 2021-04-13 2021-09-14
2.1
None Local Low Not required None Partial None
Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability. This CVE ID is unique from CVE-2021-28447.
617 CVE-2021-27093 200 +Info 2021-04-13 2021-04-16
2.1
None Local Low Not required Partial None None
Windows Kernel Information Disclosure Vulnerability. This CVE ID is unique from CVE-2021-28309.
618 CVE-2021-27092 Bypass 2021-04-13 2021-04-16
7.5
None Remote Low Not required Partial Partial Partial
Azure AD Web Sign-in Security Feature Bypass Vulnerability
619 CVE-2021-27091 269 2021-04-13 2021-04-15
4.6
None Local Low Not required Partial Partial Partial
RPC Endpoint Mapper Service Elevation of Privilege Vulnerability
620 CVE-2021-27090 269 2021-04-13 2021-04-15
4.6
None Local Low Not required Partial Partial Partial
Windows Secure Kernel Mode Elevation of Privilege Vulnerability
621 CVE-2021-27089 Exec Code 2021-04-13 2021-04-15
6.8
None Remote Medium Not required Partial Partial Partial
Microsoft Internet Messaging API Remote Code Execution Vulnerability
622 CVE-2021-27088 269 2021-04-13 2021-04-15
4.6
None Local Low Not required Partial Partial Partial
Windows Event Tracing Elevation of Privilege Vulnerability
623 CVE-2021-27086 269 2021-04-13 2021-04-15
4.6
None Local Low Not required Partial Partial Partial
Windows Services and Controller App Elevation of Privilege Vulnerability
624 CVE-2021-27079 200 +Info 2021-04-13 2021-04-15
6.3
None Remote Medium ??? Complete None None
Windows Media Photo Codec Information Disclosure Vulnerability
625 CVE-2021-27072 269 2021-04-13 2021-04-15
4.6
None Local Low Not required Partial Partial Partial
Win32k Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-28310.
626 CVE-2021-27067 200 +Info 2021-04-13 2021-04-15
4.0
None Remote Low ??? Partial None None
Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability
627 CVE-2021-27064 269 2021-04-13 2021-04-15
4.6
None Local Low Not required Partial Partial Partial
Visual Studio Installer Elevation of Privilege Vulnerability
628 CVE-2021-27031 416 2021-04-19 2021-09-16
9.3
None Remote Medium Not required Complete Complete Complete
A user may be tricked into opening a malicious FBX file which may exploit a use-after-free vulnerability in FBX's Review causing the application to reference a memory location controlled by an unauthorized third party, thereby running arbitrary code on the system.
629 CVE-2021-27030 22 Exec Code Dir. Trav. 2021-04-19 2021-09-16
9.3
None Remote Medium Not required Complete Complete Complete
A user may be tricked into opening a malicious FBX file which may exploit a Directory Traversal Remote Code Execution vulnerability in FBX’s Review causing it to run arbitrary code on the system.
630 CVE-2021-27029 476 DoS 2021-04-19 2021-09-16
4.3
None Remote Medium Not required None None Partial
The user may be tricked into opening a malicious FBX file which may exploit a Null Pointer Dereference vulnerability in FBX's Review version 1.5.0 and prior causing the application to crash leading to a denial of service.
631 CVE-2021-27028 787 Exec Code Mem. Corr. 2021-04-19 2021-09-16
6.8
None Remote Medium Not required Partial Partial Partial
A Memory Corruption Vulnerability in Autodesk FBX Review version 1.5.0 and prior may lead to remote code execution through maliciously crafted DLL files.
632 CVE-2021-27027 125 Exec Code 2021-04-19 2021-09-16
6.8
None Remote Medium Not required Partial Partial Partial
An Out-Of-Bounds Read Vulnerability in Autodesk FBX Review version 1.5.0 and prior may lead to code execution through maliciously crafted DLL files or information disclosure.
633 CVE-2021-26909 2021-04-23 2021-04-23
0.0
None ??? ??? ??? ??? ??? ???
Automox Agent prior to version 31 uses an insufficiently protected S3 bucket endpoint for storing sensitive files, which could be brute-forced by an attacker to subvert an organization's security program. The issue has since been fixed in version 31 of the Automox Agent.
634 CVE-2021-26908 2021-04-23 2021-04-23
0.0
None ??? ??? ??? ??? ??? ???
Automox Agent prior to version 31 logs potentially sensitive information in local log files, which could be used by a locally-authenticated attacker to subvert an organization's security program. The issue has since been fixed in version 31 of the Automox Agent.
635 CVE-2021-26833 312 2021-04-06 2021-04-14
4.3
None Remote Medium Not required Partial None None
Cleartext Storage in a File or on Disk in TimelyBills <= 1.7.0 for iOS and versions <= 1.21.115 for Android allows an attacker who can locally read the user's files to obtain JWT tokens for the user's account due to insufficient cache clearing mechanisms. A threat actor can obtain sensitive user data by decoding the tokens, as a JWT is signed and encoded, not encrypted.
636 CVE-2021-26832 79 XSS 2021-04-14 2021-04-19
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS) in the "Reset Password" page form of Priority Enterprise Management System v8.00 allows attackers to execute javascript on behalf of the victim by sending a malicious URL or directing the victim to a malicious site.
637 CVE-2021-26830 89 Sql 2021-04-16 2021-04-19
6.4
None Remote Low Not required Partial Partial None
SQL Injection in Tribalsystems Zenario CMS 8.8.52729 allows remote attackers to access the database or delete the plugin. This is accomplished via the `ID` input field of ajax.php in the `Pugin library - delete` module.
638 CVE-2021-26827 120 Overflow 2021-04-14 2021-04-21
7.8
None Remote Low Not required None None Complete
Buffer Overflow in TP-Link WR2041 v1 firmware for the TL-WR2041+ router allows remote attackers to cause a Denial-of-Service (DoS) by sending an HTTP request with a very long "ssid" parameter to the "/userRpm/popupSiteSurveyRpm.html" webpage, which crashes the router.
639 CVE-2021-26812 79 XSS 2021-04-14 2021-04-21
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS) in the Jitsi Meet 2.7 through 2.8.3 plugin for Moodle via the "sessionpriv.php" module. This allows attackers to craft a malicious URL, which when clicked on by users, can inject javascript code to be run by the application.
640 CVE-2021-26807 426 2021-04-30 2021-05-12
4.4
None Local Medium Not required Partial Partial Partial
GalaxyClient version 2.0.28.9 loads unsigned DLLs such as zlib1.dll, libgcc_s_dw2-1.dll and libwinpthread-1.dll from PATH, which allows an attacker to potentially run code locally through unsigned DLL loading.
641 CVE-2021-26805 120 DoS Overflow 2021-04-14 2021-04-19
4.3
None Remote Medium Not required None None Partial
Buffer Overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a malicious WAV file.
642 CVE-2021-26797 2021-04-26 2021-04-26
0.0
None ??? ??? ??? ??? ??? ???
An access control vulnerability in Hame SD1 Wi-Fi firmware <=V.20140224154640 allows an attacker to get system administrator through an open Telnet service.
643 CVE-2021-26758 269 Exec Code +Priv 2021-04-07 2021-04-12
9.0
None Remote Low ??? Complete Complete Complete
Privilege Escalation in LiteSpeed Technologies OpenLiteSpeed web server version 1.7.8 allows attackers to gain root terminal access and execute commands on the host system.
644 CVE-2021-26718 863 Bypass 2021-04-01 2021-04-07
2.1
None Local Low Not required None Partial None
KIS for macOS in some use cases was vulnerable to AV bypass that potentially allowed an attacker to disable anti-virus protection.
645 CVE-2021-26709 787 Overflow 2021-04-07 2021-04-20
10.0
None Remote Low Not required Complete Complete Complete
** UNSUPPORTED WHEN ASSIGNED ** D-Link DSL-320B-D1 devices through EU_1.25 are prone to multiple Stack-Based Buffer Overflows that allow unauthenticated remote attackers to take over a device via the login.xgi user and pass parameters. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
646 CVE-2021-26582 79 XSS 2021-04-15 2021-04-22
4.3
None Remote Medium Not required None Partial None
A security vulnerability in HPE IceWall SSO Domain Gateway Option (Dgfw) module version 10.0 on RHEL 5/6/7, version 10.0 on HP-UX 11i v3, version 10.0 on Windows and 11.0 on Windows could be exploited remotely to allow cross-site scripting (XSS).
647 CVE-2021-26581 DoS 2021-04-01 2021-04-06
4.0
None Remote Low ??? None None Partial
A potential security vulnerability has been identified in HPE Superdome Flex server. A denial of service attack can be remotely exploited leaving hung connections to the BMC web interface. The monarch BMC must be rebooted to recover from this situation. Other BMC management is not impacted. HPE has made the following software update to resolve the vulnerability in HPE Superdome Flex Server: Superdome Flex Server Firmware 3.30.142 or later.
648 CVE-2021-26580 79 XSS 2021-04-01 2021-09-14
4.3
None Remote Medium Not required None Partial None
A potential security vulnerability has been identified in HPE iLO Amplifier Pack. The vulnerability could be remotely exploited to allow Cross-Site Scripting (XSS). HPE has provided the following software update to resolve the vulnerability in HPE iLO Amplifier Pack: HPE iLO Amplifier Pack 1.95 or later.
649 CVE-2021-26417 200 +Info 2021-04-13 2021-04-15
2.1
None Local Low Not required Partial None None
Windows Overlay Filter Information Disclosure Vulnerability
650 CVE-2021-26416 DoS 2021-04-13 2021-04-16
7.8
None Remote Low Not required None None Complete
Windows Hyper-V Denial of Service Vulnerability
Total number of vulnerabilities: 1821. Page 13 of 37.