CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In April 2021

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
851 CVE-2021-22716 269 Exec Code 2021-04-13 2021-06-02
4.6
None Local Low Not required Partial Partial Partial
A CWE-269: Improper Privilege Management vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when an unprivileged user modifies a file.
852 CVE-2021-22696 918 2021-04-02 2021-12-10
5.0
None Remote Low Not required None None Partial
CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https") and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDoS attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.
853 CVE-2021-22682 284 2021-04-23 2021-04-30
4.6
None Local Low Not required Partial Partial Partial
Cscape (All versions prior to 9.90 SP4) is configured by default to be installed for all users, which allows full permissions, including read/write access. This may allow unprivileged users to modify the binaries and configuration files and lead to local privilege escalation.
854 CVE-2021-22678 20 Exec Code Mem. Corr. 2021-04-23 2021-04-30
6.8
None Remote Medium Not required Partial Partial Partial
Cscape (All versions prior to 9.90 SP4) lacks proper validation of user-supplied data when parsing project files. This could lead to memory corruption. An attacker could leverage this vulnerability to execute code in the context of the current process.
855 CVE-2021-22669 732 2021-04-26 2021-04-26
0.0
None ??? ??? ??? ??? ??? ???
Incorrect permissions are set to default on the ‘Project Management’ page of WebAccess/SCADA portal of WebAccess/SCADA Versions 9.0.1 and prior, which may allow a low-privileged user to update an administrator’s password and login as an administrator to escalate privileges on the system.
856 CVE-2021-22664 787 Exec Code 2021-04-27 2021-04-30
6.8
None Remote Medium Not required Partial Partial Partial
CNCSoft-B Versions 1.0.0.3 and prior are vulnerable to an out-of-bounds write, which may allow an attacker to execute arbitrary code.
857 CVE-2021-22660 125 Exec Code 2021-04-27 2021-04-27
0.0
None ??? ??? ??? ??? ??? ???
CNCSoft-B Versions 1.0.0.3 and prior are vulnerable to an out-of-bounds read, which may allow an attacker to execute arbitrary code.
858 CVE-2021-22540 79 XSS 2021-04-22 2021-04-26
4.3
None Remote Medium Not required None Partial None
Bad validation logic in the Dart SDK versions prior to 2.12.3 allows an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags.
859 CVE-2021-22539 668 Exec Code 2021-04-16 2021-04-22
6.8
None Remote Medium Not required Partial Partial Partial
An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. VScode-bazel allows the workspace path to lint *.bzl files to be set via this config file. As such the attacker is able to execute any executable on the system through vscode-bazel. We recommend upgrading to version 0.4.1 or above.
860 CVE-2021-22514 Exec Code 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
An arbitrary code execution vulnerability exists in Micro Focus Application Performance Management, affecting versions 9.40, 9.50 and 9.51. The vulnerability could allow remote attackers to execute arbitrary code on affected installations of APM.
861 CVE-2021-22513 862 2021-04-08 2021-04-14
4.0
None Remote Low ??? None Partial None
Missing Authorization vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow access without permission checks.
862 CVE-2021-22512 352 CSRF 2021-04-08 2021-04-13
4.3
None Remote Medium Not required None Partial None
Cross-Site Request Forgery (CSRF) vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow form validation without permission checks.
863 CVE-2021-22511 295 2021-04-08 2021-04-14
6.4
None Remote Low Not required Partial Partial None
Improper Certificate Validation vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow unconditional disabling of SSL/TLS certificates.
864 CVE-2021-22510 79 XSS 2021-04-08 2021-04-13
4.3
None Remote Medium Not required None Partial None
Reflected XSS vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects all versions 6.7 and earlier.
865 CVE-2021-22507 287 Bypass 2021-04-08 2021-04-14
7.5
None Remote Low Not required Partial Partial Partial
Authentication bypass vulnerability in Micro Focus Operations Bridge Manager affects versions 2019.05, 2019.11, 2020.05 and 2020.10. The vulnerability could allow remote attackers to bypass user authentication and get unauthorized access.
866 CVE-2021-22505 269 Exec Code 2021-04-13 2021-04-21
7.5
None Remote Low Not required Partial Partial Partial
Escalation of privileges vulnerability in Micro Focus Operations Agent, affects versions 12.0x, 12.10, 12.11, 12.12, 12.14 and 12.15. The vulnerability could be exploited to escalate privileges and execute code under the account of the Operations Agent.
867 CVE-2021-22497 287 2021-04-12 2021-04-21
6.5
None Remote Low ??? Partial Partial Partial
Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to an improper session management issue.
868 CVE-2021-22393 DoS 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
There is a denial of service vulnerability in some versions of CloudEngine 5800, CloudEngine 6800, CloudEngine 7800 and CloudEngine 12800. The affected product cannot deal with some messages because of a module design weakness. Attackers can exploit this vulnerability by sending a large amount of specific messages to cause denial of service. This can compromise normal service.
869 CVE-2021-22332 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
There is a pointer double free vulnerability in some versions of CloudEngine 5800, CloudEngine 6800, CloudEngine 7800 and CloudEngine 12800. When a function is called, the same memory pointer is copied to two functional modules. Attackers can exploit this vulnerability by performing a malicious operation to cause the pointer double free. This may lead to module crash, compromising normal service.
870 CVE-2021-22331 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
There is a JavaScript injection vulnerability in certain Huawei smartphones. A module does not verify some inputs sufficiently. Attackers can exploit this vulnerability by sending a malicious application request to launch JavaScript injection. This may compromise normal service. Affected product versions include HUAWEI P30 versions earlier than 10.1.0.165(C01E165R2P11), 11.0.0.118(C635E2R1P3), 11.0.0.120(C00E120R2P5), 11.0.0.138(C10E4R5P3), 11.0.0.138(C185E4R7P3), 11.0.0.138(C432E8R2P3), 11.0.0.138(C461E4R3P3), 11.0.0.138(C605E4R1P3), and 11.0.0.138(C636E4R3P3).
871 CVE-2021-22330 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
There is an out-of-bounds write vulnerability in Huawei Smartphone HUAWEI P30 versions 9.1.0.131(C00E130R1P21) when processing a message. An unauthenticated attacker can exploit this vulnerability by sending a specific message to the target device. Due to insufficient validation of the input parameter, a successful exploit can cause the process and the service to be abnormal.
872 CVE-2021-22327 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
There is an arbitrary memory write vulnerability in Huawei smart phone when processing file parsing. Due to insufficient validation of the input files, a successful exploit could cause certain services to become abnormal. Affected product versions include: HUAWEI P30 versions 10.0.0.186(C10E7R5P1), 10.0.0.186(C461E4R3P1), 10.0.0.188(C00E85R2P11), 10.0.0.188(C01E88R2P11), 10.0.0.188(C605E19R1P3), 10.0.0.190(C185E4R7P1), 10.0.0.190(C431E22R2P5), 10.0.0.190(C432E22R2P5), 10.0.0.190(C605E19R1P3), 10.0.0.190(C636E4R3P4), 10.0.0.192(C635E3R2P4).
873 CVE-2021-22312 401 2021-04-08 2021-04-20
4.0
None Remote Low ??? None None Partial
There is a memory leak vulnerability in some Huawei products. An authenticated remote attacker may exploit this vulnerability by sending a specific message to the affected product. Because allocated memory is not released properly, a successful exploit may cause some services to become abnormal. Affected products include some versions of IPS Module, NGFW Module, Secospace USG6300, Secospace USG6500, Secospace USG6600 and USG9500.
874 CVE-2021-22207 89 DoS Sql 2021-04-23 2021-12-26
5.0
None Remote Low Not required None None Partial
Excessive memory consumption in MS-WSP dissector in Wireshark 3.4.0 to 3.4.4 and 3.2.0 to 3.2.12 allows denial of service via packet injection or crafted capture file.
875 CVE-2021-22205 20 Exec Code 2021-04-23 2021-11-30
7.5
None Remote Low Not required Partial Partial Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
876 CVE-2021-22204 74 Exec Code 2021-04-23 2021-11-29
6.8
None Remote Medium Not required Partial Partial Partial
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing a malicious image.
877 CVE-2021-22203 2021-04-02 2021-04-07
5.0
None Remote Low Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.7.9. A specially crafted Wiki page allowed attackers to read arbitrary files on the server.
878 CVE-2021-22202 352 CSRF 2021-04-02 2021-04-07
4.3
None Remote Medium Not required None Partial None
An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API.
879 CVE-2021-22201 2021-04-02 2021-04-07
4.0
None Remote Low ??? Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server.
880 CVE-2021-22200 2021-04-02 2021-04-07
4.3
None Remote Medium Not required Partial None None
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project fork as an anonymous user.
881 CVE-2021-22199 79 XSS 2021-04-22 2021-04-30
3.5
None Remote Medium ??? None Partial None
An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used.
882 CVE-2021-22198 2021-04-02 2021-04-07
4.0
None Remote Low ??? None Partial None
An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above allowing an authenticated user to delete incident metric images of public projects.
883 CVE-2021-22197 835 2021-04-02 2021-04-07
4.0
None Remote Low ??? None None Partial
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 where an infinite loop exists when an authenticated user with specific rights accesses an MR having source and target branch pointing to each other.
884 CVE-2021-22196 79 XSS 2021-04-02 2021-04-07
3.5
None Remote Medium ??? None Partial None
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site-scripting in merge request via a specifically crafted branch name.
885 CVE-2021-22195 77 Exec Code 2021-04-01 2021-04-07
6.8
None Remote Medium Not required Partial Partial Partial
Client-side code execution in gitlab-vscode-extension v3.15.0 and earlier allows an attacker to execute code on the user's system.
886 CVE-2021-22190 22 Dir. Trav. 2021-04-12 2021-04-20
4.0
None Remote Low ??? Partial None None
A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token.
887 CVE-2021-22177 400 2021-04-01 2021-04-05
4.0
None Remote Low ??? None None Partial
Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command.
888 CVE-2021-22158 611 2021-04-06 2021-04-12
6.5
None Remote Low ??? Partial Partial Partial
The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is vulnerable to XML external entity (XXE) injection in the Web Console. The vulnerability requires admin user privileges and knowledge of the XML file's encryption key to successfully exploit. All versions before 7.11 are affected.
889 CVE-2021-22157 79 XSS 2021-04-06 2021-04-12
4.3
None Remote Medium Not required None Partial None
Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.11.1 allows stored XSS.
890 CVE-2021-22115 522 2021-04-08 2021-04-14
4.0
None Remote Low ??? Partial None None
Cloud Controller API versions prior to 1.106.0 log service broker credentials if the default value of the db logging config field is changed. The CAPI database logs the service broker password in plain text whenever a job to clean up orphaned items is run by Cloud Controller.
891 CVE-2021-21982 287 Bypass 2021-04-01 2021-04-06
6.4
None Remote Low Not required Partial Partial None
VMware Carbon Black Cloud Workload appliance 1.0.0 and 1.01 has an authentication bypass vulnerability that may allow a malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance to obtain a valid authentication token. Successful exploitation of this issue would result in the attacker being able to view and alter administrative configuration settings.
892 CVE-2021-21981 269 2021-04-19 2021-04-22
4.6
None Local Low Not required Partial Partial Partial
VMware NSX-T contains a privilege escalation vulnerability due to an issue with RBAC (Role based access control) role assignment. Successful exploitation of this issue may allow attackers with local guest user account to assign privileges higher than their own permission level.
893 CVE-2021-21784 787 Mem. Corr. 2021-04-13 2021-04-22
6.8
None Remote Medium Not required Partial Partial Partial
An out-of-bounds write vulnerability exists in the JPG format SOF marker processing of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.
894 CVE-2021-21731 352 CSRF 2021-04-13 2021-04-20
5.8
None Remote Medium Not required None Partial Partial
A CSRF vulnerability exists in the management page of a ZTE product. The vulnerability is caused because the management page does not fully verify whether the request comes from a trusted user. The attacker could submit a malicious request to the affected device to delete the data. This affects: ZXCLOUD iRAI All versions up to KVM-ProductV6.03.04.
895 CVE-2021-21730 863 2021-04-13 2021-04-22
5.0
None Remote Low Not required Partial None None
A ZTE product is impacted by an improper access control vulnerability. The attacker could exploit this vulnerability to access CLI by brute force attacks. This affects: ZXHN H168N V3.5.0_TY.T6
896 CVE-2021-21729 352 CSRF 2021-04-13 2021-04-21
4.3
None Remote Medium Not required None Partial None
Some ZTE products have a CSRF vulnerability. Because some pages lack CSRF random value verification, attackers could perform illegal authorization operations by constructing messages. This affects: ZXHN H168N V3.5.0_EG1T5_TE, V2.5.5, ZXHN H108N V2.5.5_BTMT1
897 CVE-2021-21728 400 2021-04-09 2021-04-20
5.0
None Remote Low Not required None None Partial
A ZTE product has a configuration error vulnerability. Because a certain port is open by default, an attacker can consume system processing resources by flushing a large number of packets to the port, and successfully exploiting this vulnerability could reduce system processing capabilities. This affects: ZXA10 C300M all versions up to V4.3P8.
898 CVE-2021-21647 862 2021-04-21 2021-04-26
4.0
None Remote Low ??? None Partial None
Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.
899 CVE-2021-21646 693 Exec Code 2021-04-21 2021-04-26
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin, allowing attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.
900 CVE-2021-21645 862 2021-04-21 2021-04-26
4.0
None Remote Low ??? Partial None None
Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate configuration file IDs.
Total number of vulnerabilities: 1821 (this page: 18 of 37)
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.