CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2021

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1601 CVE-2020-27736 170 2021-04-22 2022-01-11
5.8
None Remote Medium Not required Partial None Partial
A vulnerability has been identified in Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus ReadyStart V4 (All versions < V4.1.0), Nucleus Source Code (Versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0). The DNS domain name label parsing functionality does not properly validate the null-terminated name in DNS-responses. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition or leak the read memory.
1602 CVE-2020-27600 78 Exec Code 2021-04-02 2021-04-09
10.0
None Remote Low Not required Complete Complete Complete
HNAP1/control/SetMasterWLanSettings.php in D-Link D-Link Router DIR-846 DIR-846 A1_100.26 allows remote attackers to execute arbitrary commands via shell metacharacters in the ssid0 or ssid1 parameter.
1603 CVE-2020-27569 276 2021-04-21 2021-04-29
5.0
None Remote Low Not required None Partial None
Arbitrary File Write exists in Aviatrix VPN Client 2.8.2 and earlier. The VPN service writes logs to a location that is world writable and can be leveraged to gain write access to any file on the system.
1604 CVE-2020-27568 276 2021-04-21 2021-04-29
5.0
None Remote Low Not required None Partial None
Insecure File Permissions exist in Aviatrix Controller 5.3.1516. Several world writable files and directories were found in the controller resource. Note: All Aviatrix appliances are fully encrypted. This is an extra layer of security.
1605 CVE-2020-27519 269 Exec Code 2021-04-30 2021-05-11
7.2
None Local Low Not required Complete Complete Complete
Pritunl Client v1.2.2550.20 contains a local privilege escalation vulnerability in the pritunl-service component. The attack vector is: malicious openvpn config. A local attacker could leverage the log and log-append along with log injection to create or append to privileged script files and execute code as root/SYSTEM.
1606 CVE-2020-27241 77 Sql 2021-04-19 2021-04-23
7.5
None Remote Low Not required Partial Partial Partial
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The serialnumber parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
1607 CVE-2020-27240 77 Sql 2021-04-19 2021-04-23
7.5
None Remote Low Not required Partial Partial Partial
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The componentStatus parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection An attacker can make an authenticated HTTP request to trigger this vulnerability.
1608 CVE-2020-27239 89 Sql 2021-04-15 2021-04-21
7.5
None Remote Low Not required Partial Partial Partial
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The assetStatus parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection An attacker can make an authenticated HTTP request to trigger this vulnerability.
1609 CVE-2020-27238 89 Sql 2021-04-15 2021-04-21
7.5
None Remote Low Not required Partial Partial Partial
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The code parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
1610 CVE-2020-27237 89 Sql 2021-04-15 2021-04-21
7.5
None Remote Low Not required Partial Partial Partial
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The code parameter in the The nomenclature parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
1611 CVE-2020-27236 89 Sql 2021-04-13 2021-04-14
7.5
None Remote Low Not required Partial Partial Partial
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the compnomenclature parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.
1612 CVE-2020-27235 89 Sql 2021-04-13 2021-04-14
7.5
None Remote Low Not required Partial Partial Partial
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the description parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.
1613 CVE-2020-27234 89 Sql 2021-04-13 2021-04-14
7.5
None Remote Low Not required Partial Partial Partial
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the serviceUID parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.
1614 CVE-2020-27233 89 Sql 2021-04-13 2021-04-14
7.5
None Remote Low Not required Partial Partial Partial
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the supplierUID parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.
1615 CVE-2020-27228 276 2021-04-13 2021-04-19
6.8
None Remote Medium Not required Partial Partial Partial
An incorrect default permissions vulnerability exists in the installation functionality of OpenClinic GA 5.173.3. Overwriting the binary can result in privilege escalation. An attacker can replace a file to exploit this vulnerability.
1616 CVE-2020-27227 77 Exec Code 2021-04-13 2021-04-20
10.0
None Remote Low Not required Complete Complete Complete
An exploitable unatuhenticated command injection exists in the OpenClinic GA 5.173.3. Specially crafted web requests can cause commands to be executed on the server. An attacker can send a web request with parameters containing specific parameter to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and compromise underlying operating system.
1617 CVE-2020-27009 823 Exec Code 2021-04-22 2022-01-11
6.8
None Remote Medium Not required Partial Partial Partial
A vulnerability has been identified in Nucleus NET (All versions < V5.2), Nucleus Source Code (Versions including affected DNS modules). The DNS domain name record decompression functionality does not properly validate the pointer offset values. The parsing of malformed responses could result in a write past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to execute code in the context of the current process or cause a denial-of-service condition.
1618 CVE-2020-26997 119 Exec Code Overflow 2021-04-22 2021-06-08
6.8
None Remote Medium Not required Partial Partial Partial
A vulnerability has been identified in Solid Edge SE2020 (All versions < SE2020MP13), Solid Edge SE2020 (All versions < SE2020MP14), Solid Edge SE2021 (All Versions < SE2021MP4). Affected applications lack proper validation of user-supplied data when parsing PAR files. This could lead to pointer dereferences of a value obtained from untrusted source. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-11919)
1619 CVE-2020-26197 326 2021-04-20 2021-04-29
6.4
None Remote Low Not required Partial Partial None
Dell PowerScale OneFS 8.1.0 - 9.1.0 contains an LDAP Provider inability to connect over TLSv1.2 vulnerability. It may make it easier to eavesdrop and decrypt such traffic for a malicious actor. Note: This does not affect clusters which are not relying on an LDAP server for the authentication provider.
1620 CVE-2020-25864 79 XSS 2021-04-20 2021-04-23
4.3
None Remote Medium Not required None Partial None
HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.
1621 CVE-2020-25584 362 2021-04-07 2021-06-03
6.2
None Local High Not required Complete Complete Complete
In FreeBSD 13.0-STABLE before n245118, 12.2-STABLE before r369552, 11.4-STABLE before r369560, 13.0-RC5 before p1, 12.2-RELEASE before p6, and 11.4-RELEASE before p9, a superuser inside a FreeBSD jail configured with the non-default allow.mount permission could cause a race condition between the lookup of ".." and remounting a filesystem, allowing access to filesystem hierarchy outside of the jail.
1622 CVE-2020-25244 427 2021-04-22 2021-04-30
7.2
None Local Low Not required Complete Complete Complete
A vulnerability has been identified in LOGO! Soft Comfort (All versions). The software insecurely loads libraries which makes it vulnerable to DLL hijacking. Successful exploitation by a local attacker could lead to a takeover of the system where the software is installed.
1623 CVE-2020-25243 22 Dir. Trav. 2021-04-22 2021-04-30
7.2
None Local Low Not required Complete Complete Complete
A vulnerability has been identified in LOGO! Soft Comfort (All versions). A zip slip vulnerability could be triggered while importing a compromised project file to the affected software. Chained with other vulnerabilities this vulnerability could ultimately lead to a system takeover by an attacker.
1624 CVE-2020-24918 Exec Code Overflow 2021-04-30 2021-04-30
0.0
None ??? ??? ??? ??? ??? ???
A buffer overflow in the RTSP service of the Ambarella Oryx RTSP Server 2020-01-07 allows an unauthenticated attacker to send a crafted RTSP request, with a long digest authentication header, to execute arbitrary code in parse_authentication_header() in libamprotocol-rtsp.so.1 in rtsp_svc (or cause a crash). This allows remote takeover of a Furbo Dog Camera, for example.
1625 CVE-2020-24285 +Info 2021-04-12 2021-09-09
5.0
None Remote Low Not required Partial None None
INTELBRAS TELEFONE IP TIP200 version 60.61.75.22 allows an attacker to obtain sensitive information through /cgi-bin/cgiServer.exx.
1626 CVE-2020-24140 918 Exec Code 2021-04-07 2021-04-13
7.5
None Remote Low Not required Partial Partial Partial
Server-side request forgery in Wcms 0.3.2 let an attacker send crafted requests from the back-end server of a vulnerable web application via the pagename parameter to wex/html.php. It can help identify open ports, local network hosts and execute command on local services.
1627 CVE-2020-24139 918 Exec Code 2021-04-07 2021-04-13
7.5
None Remote Low Not required Partial Partial Partial
Server-side request forgery in Wcms 0.3.2 lets an attacker send crafted requests from the back-end server of a vulnerable web application via the path parameter to wex/cssjs.php. It can help identify open ports, local network hosts and execute command on local services.
1628 CVE-2020-24138 79 XSS 2021-04-07 2021-04-15
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS) vulnerability in wcms 0.3.2 allows remote attackers to inject arbitrary web script and HTML via the pagename parameter to wex/html.php.
1629 CVE-2020-24137 22 Dir. Trav. 2021-04-07 2021-04-13
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in Wcms 0.3.2 allows an attacker to read arbitrary files on the server that is running an application via the path parameter to wex/cssjs.php.
1630 CVE-2020-24136 22 Dir. Trav. 2021-04-07 2021-04-19
7.8
None Remote Low Not required Complete None None
Directory traversal in Wcms 0.3.2 allows an attacker to read arbitrary files on the server that is running an application via the pagename parameter to wex/html.php.
1631 CVE-2020-24135 79 XSS 2021-04-07 2021-04-15
4.3
None Remote Medium Not required None Partial None
A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Wcms 0.3.2, which allows remote attackers to inject arbitrary web script and HTML via the type parameter to wex/cssjs.php.
1632 CVE-2020-23932 476 DoS 2021-04-21 2021-04-22
4.3
None Remote Medium Not required None None Partial
An issue was discovered in gpac before 1.0.1. A NULL pointer dereference exists in the function dump_isom_sdp located in filedump.c. It allows an attacker to cause Denial of Service.
1633 CVE-2020-23931 125 2021-04-21 2021-04-22
5.8
None Remote Medium Not required Partial None Partial
An issue was discovered in gpac before 1.0.1. The abst_box_read function in box_code_adobe.c has a heap-based buffer over-read.
1634 CVE-2020-23930 476 DoS 2021-04-21 2021-04-22
4.3
None Remote Medium Not required None None Partial
An issue was discovered in gpac through 20200801. A NULL pointer dereference exists in the function nhmldump_send_header located in write_nhml.c. It allows an attacker to cause Denial of Service.
1635 CVE-2020-23928 125 2021-04-21 2021-04-22
5.8
None Remote Medium Not required Partial None Partial
An issue was discovered in gpac before 1.0.1. The abst_box_read function in box_code_adobe.c has a heap-based buffer over-read.
1636 CVE-2020-23922 125 2021-04-21 2021-06-29
5.8
None Remote Medium Not required Partial None Partial
An issue was discovered in giflib through 5.1.4. DumpScreen2RGB in gif2rgb.c has a heap-based buffer over-read.
1637 CVE-2020-23921 125 2021-04-21 2021-04-28
5.8
None Remote Medium Not required Partial None Partial
An issue was discovered in fast_ber through v0.4. yy::yylex() in asn_compiler.hpp has a heap-based buffer over-read.
1638 CVE-2020-23915 125 2021-04-21 2021-04-26
4.3
None Remote Medium Not required None None Partial
An issue was discovered in cpp-peglib through v0.1.12. peg::resolve_escape_sequence() in peglib.h has a heap-based buffer over-read.
1639 CVE-2020-23914 476 DoS 2021-04-21 2021-04-26
4.3
None Remote Medium Not required None None Partial
An issue was discovered in cpp-peglib through v0.1.12. A NULL pointer dereference exists in the peg::AstOptimizer::optimize() located in peglib.h. It allows an attacker to cause Denial of Service.
1640 CVE-2020-23912 476 DoS 2021-04-21 2021-04-26
4.3
None Remote Medium Not required None None Partial
An issue was discovered in Bento4 through v1.6.0-637. A NULL pointer dereference exists in the function AP4_StszAtom::GetSampleSize() located in Ap4StszAtom.cpp. It allows an attacker to cause Denial of Service.
1641 CVE-2020-23907 787 Exec Code Overflow 2021-04-21 2021-04-26
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in retdec v3.3. In function canSplitFunctionOn() of ir_modifications.cpp, there is a possible out of bounds read due to a heap buffer overflow. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution.
1642 CVE-2020-23763 89 Exec Code Sql Bypass 2021-04-09 2021-04-13
7.5
None Remote Low Not required Partial Partial Partial
SQL injection in admin.php in Online Book Store 1.0 allows remote attackers to execute arbitrary SQL commands and bypass authentication.
1643 CVE-2020-23762 79 XSS 2021-04-09 2021-04-13
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in the Larsens Calender plugin Version <= 1.2 for WordPress allows remote attackers to execute arbitrary web script via the "titel" column on the "Eintrage hinzufugen" tab.
1644 CVE-2020-23761 79 XSS 2021-04-09 2021-04-13
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS) vulnerability in subrion CMS Version <= 4.2.1 allows remote attackers to execute arbitrary web script via the "payment gateway" column on transactions tab.
1645 CVE-2020-23539 476 DoS 2021-04-08 2021-04-14
7.8
None Remote Low Not required None None Complete
An issue was discovered in Realtek rtl8723de BLE Stack <= 4.1 that allows remote attackers to cause a Denial of Service via the interval field to the CONNECT_REQ message.
1646 CVE-2020-23533 347 2021-04-06 2021-04-09
5.0
None Remote Low Not required None Partial None
Union Pay up to 1.2.0, for web based versions contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in merchants' websites and mobile apps, via a crafted authentication code (MAC) which is generated based on a secret key which is NULL.
1647 CVE-2020-23426 269 CSRF 2021-04-08 2021-04-14
7.5
None Remote Low Not required Partial Partial Partial
zzcms 201910 contains an access control vulnerability through escalation of privileges in /user/adv.php, which allows an attacker to modify data for further attacks such as CSRF.
1648 CVE-2020-22808 XSS 2021-04-29 2021-04-29
0.0
None ??? ??? ??? ??? ??? ???
An issue was found in yii2_fecshop 2.x. There is a reflected XSS vulnerability in the check cart page.
1649 CVE-2020-22807 89 Sql 2021-04-29 2021-05-19
7.5
None Remote Low Not required Partial Partial Partial
An issue was dicovered in vtiger crm 7.2. Union sql injection in the calendar exportdata feature.
1650 CVE-2020-22790 79 Exec Code XSS 2021-04-28 2021-06-17
3.5
None Remote Medium ??? None Partial None
Authenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to execute codeby injecting arbitrary web script or HTML via modifying the name of the users. The XSS is executed when an administrator access the logs.
Total number of vulnerabilities : 1821   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 (This Page)34 35 36 37
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.