CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2021

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1651 CVE-2020-22789 79 +Priv XSS 2021-04-28 2021-06-17
4.3
None Remote Medium Not required None Partial None
Unauthenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via the login page. The XSS is executed when an administrator accesses the logs.
1652 CVE-2020-22785 DoS 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
Etherpad < 1.8.3 is affected by a missing lock check which could cause a denial of service. Aggressively targeting random pad import endpoints with empty data would flatten all pads due to lack of rate limiting and missing ownership check.
1653 CVE-2020-22784 Bypass 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
In Etherpad UeberDB < 0.4.4, due to MySQL omitting trailing spaces on char / varchar columns during comparisons, retrieving database records using UeberDB's MySQL connector could allow bypassing access controls enforced on key names.
1654 CVE-2020-22783 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
Etherpad <1.8.3 stored passwords used by users insecurely in the database and in log files. This affects every database backend supported by Etherpad.
1655 CVE-2020-22782 DoS 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
Etherpad < 1.8.3 is affected by a denial of service in the import functionality. Upload of binary file to the import endpoint would crash the instance.
1656 CVE-2020-22781 DoS 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
In Etherpad < 1.8.3, a specially crafted URI would raise an unhandled exception in the cache mechanism and cause a denial of service (crash the instance).
1657 CVE-2020-22002 2021-04-29 2021-04-29
0.0
None ??? ??? ??? ??? ??? ???
An Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in Inim Electronics Smartliving SmartLAN/G/SI <=6.x within the GetImage functionality. The application parses user supplied data in the GET parameter 'host' to construct an image request to the service through onvif.cgi. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host.
1658 CVE-2020-22001 Bypass 2021-04-27 2021-04-27
0.0
None ??? ??? ??? ??? ??? ???
HomeAutomation 3.3.2 suffers from an authentication bypass vulnerability when spoofing client IP address using the X-Forwarded-For header with the local (loopback) IP address value allowing remote control of the smart home solution.
1659 CVE-2020-22000 Exec Code CSRF 2021-04-27 2021-04-27
0.0
None ??? ??? ??? ??? ??? ???
HomeAutomation 3.3.2 suffers from an authenticated OS command execution vulnerability using custom command v0.1 plugin. This can be exploited with a CSRF vulnerability to execute arbitrary shell commands as the web user via the 'set_command_on' and 'set_command_off' POST parameters in '/system/systemplugins/customcommand/customcommand.plugin.php' by using an unsanitized PHP exec() function.
1660 CVE-2020-21998 2021-04-27 2021-04-27
0.0
None ??? ??? ??? ??? ??? ???
In HomeAutomation 3.3.2 input passed via the 'redirect' GET parameter in 'api.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
1661 CVE-2020-21997 Bypass 2021-04-29 2021-04-29
0.0
None ??? ??? ??? ??? ??? ???
Smartwares HOME easy <=1.0.9 is vulnerable to an unauthenticated database backup download and information disclosure vulnerability. An attacker could disclose sensitive and clear-text information resulting in authentication bypass, session hijacking and full system control.
1662 CVE-2020-21996 77 DoS Exec Code 2021-04-28 2021-05-19
5.0
None Remote Low Not required None None Partial
AVE DOMINAplus <=1.10.x suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario.
1663 CVE-2020-21995 798 2021-04-29 2021-06-15
7.5
None Remote Low Not required Partial Partial Partial
Inim Electronics Smartliving SmartLAN/G/SI <=6.x uses default hardcoded credentials. An attacker could exploit this to gain Telnet, SSH and FTP access to the system.
1664 CVE-2020-21994 522 Bypass +Info 2021-04-28 2021-05-19
7.5
None Remote Low Not required Partial Partial Partial
AVE DOMINAplus <=1.10.x suffers from clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file '/xml/authClients.xml' and obtain administrative login information that allows for a successful authentication bypass attack.
1665 CVE-2020-21993 Exec Code 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
In WEMS Limited Enterprise Manager 2.58, input passed to the GET parameter 'email' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML code in a user's browser session in context of an affected site.
1666 CVE-2020-21992 78 Exec Code Bypass 2021-04-29 2021-05-12
9.0
None Remote Low ??? Complete Complete Complete
Inim Electronics SmartLiving SmartLAN/G/SI <=6.x suffers from an authenticated remote command injection vulnerability. The issue exist due to the 'par' POST parameter not being sanitized when called with the 'testemail' module through web.cgi binary. The vulnerable CGI binary (ELF 32-bit LSB executable, ARM) is calling the 'sh' executable via the system() function to issue a command using the mailx service and its vulnerable string format parameter allowing for OS command injection with root privileges. An attacker can remotely execute system commands as the root user using default credentials and bypass access controls in place.
1667 CVE-2020-21991 287 Bypass 2021-04-28 2021-05-19
7.5
None Remote Low Not required Partial Partial Partial
AVE DOMINAplus <=1.10.x suffers from an authentication bypass vulnerability due to missing control check when directly calling the autologin GET parameter in changeparams.php script. Setting the autologin value to 1 allows an unauthenticated attacker to permanently disable the authentication security control and access the management interface with admin privileges without providing credentials.
1668 CVE-2020-21990 2021-04-29 2021-04-29
0.0
None ??? ??? ??? ??? ??? ???
Emmanuel MyDomoAtHome (MDAH) REST API REST API Domoticz ISS Gateway 0.2.40 is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this, via a specially crafted request to gain access to sensitive information.
1669 CVE-2020-21989 CSRF 2021-04-27 2021-04-27
0.0
None ??? ??? ??? ??? ??? ???
HomeAutomation 3.3.2 is affected by Cross Site Request Forgery (CSRF). The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
1670 CVE-2020-21987 79 Exec Code XSS 2021-04-27 2021-05-10
4.3
None Remote Medium Not required None Partial None
HomeAutomation 3.3.2 is affected by persistent Cross Site Scripting (XSS). XSS vulnerabilities occur when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session.
1671 CVE-2020-21884 352 CSRF 2021-04-09 2021-04-14
9.3
None Remote Medium Not required Complete Complete Complete
Unibox SMB 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a cross-site request forgery (CSRF) vulnerability in /tools/network-trace, /list_users, /list_byod?usertype=raduser, /dhcp_leases, /go?rid=202 in which a specially crafted HTTP request may reconfigure the device.
1672 CVE-2020-21883 78 2021-04-09 2021-04-14
9.0
None Remote Low ??? Complete Complete Complete
Unibox U-50 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a OS command injection vulnerability in /tools/ping, which can leads to complete device takeover.
1673 CVE-2020-21590 22 Dir. Trav. 2021-04-02 2021-04-08
4.0
None Remote Low ??? Partial None None
Directory traversal in coreframe/app/template/admin/index.php in WUZHI CMS 4.1.0 allows attackers to list files in arbitrary directories via the dir parameter.
1674 CVE-2020-21588 120 Overflow 2021-04-02 2021-04-08
2.1
None Local Low Not required None None Partial
Buffer overflow in Core FTP LE v2.2 allows local attackers to cause a denial or service (crash) via a long string in the Setup->Users->Username editbox.
1675 CVE-2020-21585 434 2021-04-02 2021-04-08
7.5
None Remote Low Not required Partial Partial Partial
Vulnerability in emlog v6.0.0 allows user to upload webshells via zip plugin module.
1676 CVE-2020-21452 434 2021-04-29 2021-05-10
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in uniview ISC2500-S. This is an upload vulnerability where an attacker can upload malicious code via /Interface/DevManage/EC.php?cmd=upload
1677 CVE-2020-21101 79 Exec Code XSS 2021-04-29 2021-05-10
3.5
None Remote Medium ??? None Partial None
Cross Site Scriptiong vulnerabilityin Screenly screenly-ose all versions, including v1.8.2 (2019-09-25-Screenly-OSE-lite.img), in the 'Add Asset' page via manipulation of a 'URL' field, which could let a remote malicious user execute arbitrary code.
1678 CVE-2020-21088 79 XSS +Info 2021-04-14 2021-04-21
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "First Name" and "Last Name" fields in "/index.php/contacts/create page"
1679 CVE-2020-21087 79 Exec Code XSS 2021-04-14 2021-04-16
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the "New Name" field of the "Rename a Module" tool.
1680 CVE-2020-19778 269 +Priv 2021-04-14 2021-04-21
7.5
None Remote Low Not required Partial Partial Partial
Incorrect Access Control in Shopxo v1.4.0 and v1.5.0 allows remote attackers to gain privileges in "/index.php" by manipulating the parameter "user_id" in the HTML request.
1681 CVE-2020-19619 79 XSS 2021-04-01 2021-04-02
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the signature field to /settings/profile.
1682 CVE-2020-19618 79 XSS 2021-04-01 2021-04-02
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the post content field to /post/editing.
1683 CVE-2020-19617 79 XSS 2021-04-01 2021-04-02
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the nickname field to /settings/profile.
1684 CVE-2020-19616 79 XSS 2021-04-01 2021-04-02
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the post header field to /post/editing.
1685 CVE-2020-19613 918 2021-04-01 2021-04-06
5.0
None Remote Low Not required Partial None None
Server Side Request Forgery (SSRF) vulnerability in saveUrlAs function in ImagesService.java in sunkaifei FlyCMS version 20190503.
1686 CVE-2020-19596 120 Overflow 2021-04-05 2021-04-09
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow vulnerability in Core FTP Server v1.2 Build 583, via a crafted username.
1687 CVE-2020-19595 120 Overflow 2021-04-05 2021-04-09
5.0
None Remote Low Not required None None Partial
Buffer overflow vulnerability in Core FTP Server v2 Build 697, via a crafted username.
1688 CVE-2020-18084 Exec Code XSS 2021-04-30 2021-04-30
0.0
None ??? ??? ??? ??? ??? ???
Cross Site Scripting (XSS) in yzmCMS v5.2 allows remote attackers to execute arbitrary code by injecting commands into the "referer" field of a POST request to the component "/member/index/login.html" when logging in.
1689 CVE-2020-18070 22 Dir. Trav. 2021-04-30 2021-05-03
6.4
None Remote Low Not required None Partial Partial
Path Traversal in iCMS v7.0.13 allows remote attackers to delete folders by injecting commands into a crafted HTTP request to the "do_del()" method of the component "database.admincp.php".
1690 CVE-2020-18035 79 Exec Code XSS 2021-04-29 2021-05-03
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS) in Jeesns v1.4.2 allows remote attackers to execute arbitrary code by injecting commands into the "CKEditorFuncNum" parameter in the component "CkeditorUploadController.java".
1691 CVE-2020-18032 120 DoS Exec Code Overflow 2021-04-29 2021-07-03
6.8
None Remote Medium Not required Partial Partial Partial
Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the "lib/common/shapes.c" component.
1692 CVE-2020-18022 79 Exec Code XSS +Info 2021-04-28 2021-05-10
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS) in Qibosoft QiboCMS v7 and earlier allows remote attackers to execute arbitrary code or obtain sensitive information by injecting arbitrary commands in a HTTP request to the "ewebeditor\3.1.1\kindeditor.js" component.
1693 CVE-2020-18020 Exec Code Sql 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
SQL Injection in PHPSHE Mall System v1.7 allows remote attackers to execute arbitrary code by injecting SQL commands into the "user_phone" parameter of a crafted HTTP request to the "admin.php" component.
1694 CVE-2020-18019 Sql +Info 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
SQL Injection in Xinhu OA System v1.8.3 allows remote attackers to obtain sensitive information by injecting arbitrary commands into the "typeid" variable of the "createfolderAjax" function in the "mode_worcAction.php" component.
1695 CVE-2020-17999 Exec Code XSS 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
Cross Site Scripting (XSS) in MiniCMS v1.10 allows remote attackers to execute arbitrary code by injecting commands via a crafted HTTP request to the component "/mc-admin/post-edit.php".
1696 CVE-2020-17564 22 Dir. Trav. 2021-04-22 2021-04-28
6.4
None Remote Low Not required None Partial Partial
Path Traversal in FeiFeiCMS v4.0 allows remote attackers to delete arbitrary files by sending a crafted HTTP request to the " Admin/DataAction.class.php" component.
1697 CVE-2020-17563 22 Dir. Trav. 2021-04-22 2021-04-28
6.4
None Remote Low Not required None Partial Partial
Path Traversal in FeiFeiCMS v4.0 allows remote attackers to delete arbitrary files by sending a crafted HTTP request to " /index.php?s=/admin-tpl-del&id=".
1698 CVE-2020-17542 79 Exec Code XSS 2021-04-23 2021-04-30
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) in dotCMS v5.1.5 allows remote attackers to execute arbitrary code by injecting a malicious payload into the "Task Detail" comment window of the "/dotAdmin/#/c/workflow" component.
1699 CVE-2020-17517 2021-04-27 2021-04-27
0.0
None ??? ??? ??? ??? ??? ???
The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release. Improper Authorization vulnerability in __COMPONENT__ of Apache Ozone allows an attacker to __IMPACT__. This issue affects Apache Ozone Apache Ozone version 1.0.0 and prior versions.
1700 CVE-2020-17453 79 XSS 2021-04-05 2021-04-08
4.3
None Remote Medium Not required None Partial None
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
Total number of vulnerabilities : 1821   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 (This Page)35 36 37
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.