CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2021

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
101 CVE-2021-31258 476 DoS 2021-04-19 2021-04-21
4.3
None Remote Medium Not required None None Partial
The gf_isom_set_extraction_slc function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.
102 CVE-2021-31257 476 DoS 2021-04-19 2021-04-21
4.3
None Remote Medium Not required None None Partial
The HintFile function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.
103 CVE-2021-31256 119 Overflow 2021-04-19 2021-04-21
4.3
None Remote Medium Not required Partial None None
Memory leak in the stbl_GetSampleInfos function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.
104 CVE-2021-31255 120 DoS Exec Code Overflow 2021-04-19 2021-04-21
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in the abst_box_read function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file.
105 CVE-2021-31254 787 DoS Exec Code Overflow 2021-04-19 2021-04-22
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in the tenc_box_read function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file, related invalid IV sizes.
106 CVE-2021-31232 20 2021-04-30 2021-05-11
2.1
None Local Low Not required Partial None None
The Alertmanager in CNCF Cortex before 1.8.1 has a local file disclosure vulnerability when -experimental.alertmanager.enable-api is used. The HTTP basic auth password_file can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list.
107 CVE-2021-31231 20 2021-04-30 2021-06-11
2.1
None Local Low Not required Partial None None
The Alertmanager in Grafana Enterprise Metrics before 1.2.1 and Metrics Enterprise 1.2.1 has a local file disclosure vulnerability when experimental.alertmanager.enable-api is used. The HTTP basic auth password_file can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list.
108 CVE-2021-31229 787 2021-04-15 2021-07-08
4.3
None Remote Medium Not required None None Partial
An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_internal_dtd() performs incorrect memory handling while parsing crafted XML files, which leads to an out-of-bounds write of a one byte constant.
109 CVE-2021-31162 415 2021-04-14 2021-06-02
7.5
None Remote Low Not required Partial Partial Partial
In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the element panics.
110 CVE-2021-31152 352 CSRF 2021-04-14 2021-06-28
6.8
None Remote Medium Not required Partial Partial Partial
Multilaser Router AC1200 V02.03.01.45_pt contains a cross-site request forgery (CSRF) vulnerability. An attacker can enable remote access, change passwords, and perform other actions through misconfigured requests, entries, and headers.
111 CVE-2021-30642 Exec Code 2021-04-27 2021-04-27
0.0
None ??? ??? ??? ??? ??? ???
An input validation flaw in the Symantec Security Analytics web UI 7.2 prior 7.2.7, 8.1, prior to 8.1.3-NSR3, 8.2, prior to 8.2.1-NSR2 or 8.2.2 allows a remote, unauthenticated attacker to execute arbitrary OS commands on the target with elevated privileges.
112 CVE-2021-30638 200 +Info 2021-04-27 2021-05-28
5.0
None Remote Low Not required Partial None None
Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.
113 CVE-2021-30637 79 XSS 2021-04-13 2021-04-16
3.5
None Remote Medium ??? None Partial None
htmly 2.8.0 allows stored XSS via the blog title, Tagline, or Description to config.html.php.
114 CVE-2021-30635 22 Dir. Trav. 2021-04-27 2021-05-04
5.0
None Remote Low Not required Partial None None
Sonatype Nexus Repository Manager 3.x before 3.30.1 allows a remote attacker to get a list of files and directories that exist in a UI-related folder via directory traversal (no customer-specific data is exposed).
115 CVE-2021-30503 863 Exec Code 2021-04-13 2021-04-23
7.5
None Remote Low Not required Partial Partial Partial
The unofficial GLSL Linting extension before 1.4.0 for Visual Studio Code allows remote code execution via a crafted glslangValidatorPath in the workspace configuration.
116 CVE-2021-30502 Exec Code 2021-04-25 2021-04-26
0.0
None ??? ??? ??? ??? ??? ???
The unofficial vscode-ghc-simple (aka Simple Glasgow Haskell Compiler) extension before 0.2.3 for Visual Studio Code allows remote code execution via a crafted workspace configuration with replCommand.
117 CVE-2021-30496 DoS 2021-04-20 2021-04-24
3.5
None Remote Medium ??? None None Partial
The Telegram app 7.6.2 for iOS allows remote authenticated users to cause a denial of service (application crash) if the victim pastes an attacker-supplied message (e.g., in the Persian language) into a channel or group. The crash occurs in MtProtoKitFramework.
118 CVE-2021-30494 276 2021-04-14 2021-04-22
4.9
None Local Low Not required None None Complete
Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries within the Razer Chroma SDK subkey. These privileged operations consist of file name concatenation of a runtime log file that is used to store runtime log information. In other words, an attacker can create a file in an unintended directory (with some limitations).
119 CVE-2021-30493 276 2021-04-14 2021-04-22
4.9
None Local Low Not required None None Complete
Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries within the ChromaBroadcast subkey. These privileged operations consist of file name concatenation of a runtime log file that is used to store runtime log information. In other words, an attacker can create a file in an unintended directory (with some limitations).
120 CVE-2021-30487 732 2021-04-15 2021-04-19
4.0
None Remote Low ??? None Partial None
In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation.
121 CVE-2021-30485 476 2021-04-11 2021-07-08
4.3
None Remote Medium Not required None None Partial
An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_internal_dtd(), while parsing a crafted XML file, performs incorrect memory handling, leading to a NULL pointer dereference while running strcmp() on a NULL pointer.
122 CVE-2021-30481 120 Exec Code Overflow 2021-04-10 2021-04-21
6.0
None Remote Medium ??? Partial Partial Partial
Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.
123 CVE-2021-30480 Exec Code 2021-04-09 2021-09-21
9.0
None Remote Low ??? Complete Complete Complete
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat software, which is different from the chat feature of the Zoom Meetings and Zoom Video Webinars software.
124 CVE-2021-30479 732 2021-04-15 2021-04-19
5.0
None Remote Low Not required Partial None None
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been only accessible to members of the organization.
125 CVE-2021-30478 732 2021-04-15 2021-04-20
4.0
None Remote Low ??? None Partial None
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the same Zulip installation.
126 CVE-2021-30477 732 2021-04-15 2021-04-20
4.0
None Remote Low ??? None Partial None
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook bot could be used to send messages to private streams that the user was not intended to be able to send messages to.
127 CVE-2021-30476 2021-04-22 2021-04-29
7.5
None Remote Low Not required Partial Partial Partial
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1.
128 CVE-2021-30464 400 DoS 2021-04-20 2021-04-23
5.0
None Remote Low Not required None None Partial
OMICRON StationGuard before 1.10 allows remote attackers to cause a denial of service (connectivity outage) via crafted tcp/20499 packets to the CTRL Ethernet port.
129 CVE-2021-30463 59 +Priv 2021-04-08 2021-04-14
7.2
None Local Low Not required Complete Complete Complete
VestaCP through 0.9.8-24 allows attackers to gain privileges by creating symlinks to files for which they lack permissions. After reading the RKEY value from user.conf under the /usr/local/vesta/data/users/admin directory, the admin password can be changed via a /reset/?action=confirm&user=admin&code= URI. This occurs because chmod is used unsafely.
130 CVE-2021-30462 269 2021-04-08 2021-04-14
9.0
None Remote Low ??? Complete Complete Complete
VestaCP through 0.9.8-24 allows the admin user to escalate privileges to root because the Sudo configuration does not require a password to run /usr/local/vesta/bin scripts.
131 CVE-2021-30459 89 Sql 2021-04-14 2021-04-21
7.5
None Remote Low Not required Partial Partial Partial
A SQL Injection issue in the SQL Panel in Jazzband Django Debug Toolbar before 1.11.1, 2.x before 2.2.1, and 3.x before 3.2.1 allows attackers to execute SQL statements by changing the raw_sql input field of the SQL explain, analyze, or select form.
132 CVE-2021-30458 79 XSS Bypass 2021-04-09 2021-12-08
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.12.2. An attacker can send crafted wikitext that Utils/WTUtils.php will transform by using a <meta> tag, bypassing sanitization steps, and potentially allowing for XSS.
133 CVE-2021-30457 415 2021-04-07 2021-04-12
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the id-map crate through 2021-02-26 for Rust. A double free can occur in remove_set upon a panic in a Drop impl.
134 CVE-2021-30456 415 2021-04-07 2021-04-12
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the id-map crate through 2021-02-26 for Rust. A double free can occur in get_or_insert upon a panic of a user-provided f function.
135 CVE-2021-30455 415 2021-04-07 2021-04-12
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the id-map crate through 2021-02-26 for Rust. A double free can occur in IdMap::clone_from upon a .clone panic.
136 CVE-2021-30454 119 Overflow 2021-04-07 2021-04-12
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the outer_cgi crate before 0.2.1 for Rust. A user-provided Read instance receives an uninitialized memory buffer from KeyValueReader.
137 CVE-2021-30356 DoS 2021-04-22 2021-04-27
5.5
None Remote Low ??? None Partial Partial
A denial of service vulnerability was reported in Check Point Identity Agent before R81.018.0000, which could allow low privileged users to overwrite protected system files.
138 CVE-2021-30246 347 2021-04-07 2021-04-14
6.4
None Remote Low Not required Partial Partial None
In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid. NOTE: there is no known practical attack.
139 CVE-2021-30245 610 Exec Code 2021-04-15 2021-04-23
6.8
None Remote Medium Not required Partial Partial Partial
The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is always best practice to be careful opening documents from unknown and unverified sources. The mitigation in Apache OpenOffice 4.1.10 (unreleased) assures that a security warning is displayed giving the user the option of continuing to open the hyperlink.
140 CVE-2021-30234 Exec Code 2021-04-29 2021-04-29
0.0
None ??? ??? ??? ??? ??? ???
The api/ZRIGMP/set_MLD_PROXY interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the MLD_PROXY_WAN_CONNECT parameter.
141 CVE-2021-30233 Exec Code 2021-04-29 2021-04-29
0.0
None ??? ??? ??? ??? ??? ???
The api/ZRIptv/setIptvInfo interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the iptv_vlan parameter.
142 CVE-2021-30232 Exec Code 2021-04-29 2021-04-29
0.0
None ??? ??? ??? ??? ??? ???
The api/ZRIGMP/set_IGMP_PROXY interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the IGMP_PROXY_WAN_CONNECT parameter.
143 CVE-2021-30231 Exec Code 2021-04-29 2021-04-29
0.0
None ??? ??? ??? ??? ??? ???
The api/zrDm/set_ZRElink interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the bssaddr, abiaddr, devtoken, devid, elinksync, or elink_proc_enable parameter.
144 CVE-2021-30230 Exec Code 2021-04-29 2021-04-29
0.0
None ??? ??? ??? ??? ??? ???
The api/ZRFirmware/set_time_zone interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the zonename parameter.
145 CVE-2021-30229 Exec Code 2021-04-29 2021-04-29
0.0
None ??? ??? ??? ??? ??? ???
The api/zrDm/set_zrDm interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the dm_enable, AppKey, or Pwd parameter.
146 CVE-2021-30228 Exec Code 2021-04-29 2021-04-29
0.0
None ??? ??? ??? ??? ??? ???
The api/ZRAndlink/set_ZRAndlink interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the iandlink_proc_enable parameter.
147 CVE-2021-30227 79 XSS 2021-04-29 2021-05-03
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS) vulnerability in the article comments feature in emlog 6.0.
148 CVE-2021-30224 352 CSRF 2021-04-29 2021-05-03
6.8
None Remote Medium Not required Partial Partial Partial
Cross Site Request Forgery (CSRF) in Rukovoditel v2.8.3 allows attackers to create an admin user with an arbitrary credentials.
149 CVE-2021-30219 476 2021-04-29 2021-05-03
4.3
None Remote Medium Not required None None Partial
samurai 1.2 has a NULL pointer dereference in printstatus() function in build.c via a crafted build file.
150 CVE-2021-30218 476 2021-04-29 2021-05-03
4.3
None Remote Medium Not required None None Partial
samurai 1.2 has a NULL pointer dereference in writefile() in util.c via a crafted build file.
Total number of vulnerabilities : 1821   Page : 1 2 3 (This Page)4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.