CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In April 2021

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1701 CVE-2020-15942 200 +Info 2021-04-12 2021-04-20
4.0
None Remote Low ??? Partial None None
An information disclosure vulnerability in Web Vulnerability Scan profile of Fortinet's FortiWeb version 6.2.x below 6.2.4 and version 6.3.x below 6.3.5 may allow a remote authenticated attacker to read the password used by the FortiWeb scanner to access the device defined in the scan profile.
1702 CVE-2020-15795 787 Exec Code 2021-04-22 2022-01-11
6.8
None Remote Medium Not required Partial Partial Partial
A vulnerability has been identified in Nucleus NET (All versions < V5.2), Nucleus Source Code (Versions including affected DNS modules). The DNS domain name label parsing functionality does not properly validate the names in DNS-responses. The parsing of malformed responses could result in a write past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to execute code in the context of the current process or cause a denial-of-service condition.
1703 CVE-2020-15734 346 2021-04-12 2021-04-21
2.1
None Local Low Not required Partial None None
An Origin Validation Error vulnerability in Bitdefender Safepay allows an attacker to manipulate the browser's file upload capability into accessing other files in the same directory or sub-directories. This issue affects: Bitdefender Safepay versions prior to 25.0.7.29.
1704 CVE-2020-15390 269 2021-04-12 2021-04-23
7.5
None Remote Low Not required Partial Partial Partial
pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo.
1705 CVE-2020-15225 681 2021-04-29 2021-11-30
4.0
None Remote Low ??? None None Partial
django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter before version 2.4.0, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from malicious input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a `MaxValueValidator` with a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()` which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade.
1706 CVE-2020-15153 89 Sql 2021-04-30 2021-04-30
0.0
None ??? ??? ??? ??? ??? ???
Ampache before version 4.2.2 allows unauthenticated users to perform SQL injection. Refer to the referenced GitHub Security Advisory for details and a workaround. This is fixed in version 4.2.2 and the development branch.
1707 CVE-2020-15078 287 Bypass +Info 2021-04-26 2021-12-10
5.0
None Remote Low Not required Partial None None
OpenVPN 2.5.1 and earlier versions allow remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.
1708 CVE-2020-14106 863 2021-04-08 2021-04-14
4.3
None Remote Medium Not required Partial None None
The application in the mobile phone can gain unauthorized access to the list of running processes in the mobile phone, Xiaomi Mobile Phone MIUI < 2021.01.26.
1709 CVE-2020-14105 2021-04-20 2021-04-23
2.1
None Local Low Not required Partial None None
The application in the mobile phone can read the SNO information of the device, Xiaomi 10 MIUI < 2020.01.15.
1710 CVE-2020-14104 362 2021-04-08 2021-04-15
6.8
None Remote Medium Not required Partial Partial Partial
A RACE CONDITION on XQBACKUP causes a decompression path error on Xiaomi router AX3600 with ROM version =1.0.50.
1711 CVE-2020-14103 2021-04-08 2021-04-14
4.3
None Remote Medium Not required Partial None None
The application in the mobile phone can read the SNO information of the device, Xiaomi 10 MIUI < 2020.01.15.
1712 CVE-2020-14099 798 2021-04-08 2021-04-14
5.0
None Remote Low Not required Partial None None
On Xiaomi router AX1800 rom version < 1.0.336 and RM1800 root version < 1.0.26, the encryption scheme for a user's backup files uses hard-coded keys, which can expose sensitive information such as a user's password.
1713 CVE-2020-13592 89 Sql CSRF 2021-04-09 2021-04-13
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable SQL injection vulnerability exists in the "global_lists/choices" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability; this can be done either with administrator credentials or through cross-site request forgery.
1714 CVE-2020-13591 89 Sql CSRF 2021-04-09 2021-04-13
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable SQL injection vulnerability exists in the "access_rules/rules_form" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability; this can be done either with administrator credentials or through cross-site request forgery.
1715 CVE-2020-13587 89 Sql CSRF 2021-04-09 2021-04-13
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable SQL injection vulnerability exists in the "forms_fields_rules/rules" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability; this can be done either with administrator credentials or through cross-site request forgery.
1716 CVE-2020-13568 89 Sql 2021-04-13 2021-04-14
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability exists in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability in admin/edit_group.php: when the POST parameter action is “Submit”, the POST parameter parent_id leads to a SQL injection.
1717 CVE-2020-13566 89 Sql 2021-04-13 2021-04-14
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability in admin/edit_group.php: when the POST parameter action is “Delete”, the POST parameter delete_group leads to a SQL injection.
1718 CVE-2020-13534 269 2021-04-09 2021-04-14
6.8
None Remote Medium Not required Partial Partial Partial
A privilege escalation vulnerability exists in Dream Report 5 R20-2. COM Class Identifiers (CLSID), installed by Dream Report 5 20-2, reference LocalServer32 and InprocServer32 with weak privileges which can lead to privilege escalation when used. An attacker can provide a malicious file to trigger this vulnerability.
1719 CVE-2020-13533 276 2021-04-09 2021-04-14
4.4
None Local Medium Not required Partial Partial Partial
A privilege escalation vulnerability exists in Dream Report 5 R20-2. In the default configuration, the following registry keys, which reference binaries with weak permissions, can be abused by attackers to effectively ‘backdoor’ the installation files and escalate privileges when a new user logs in and uses the application.
1720 CVE-2020-13532 276 2021-04-09 2021-04-14
7.2
None Local Low Not required Complete Complete Complete
A privilege escalation vulnerability exists in Dream Report 5 R20-2. In the default configuration, the Syncfusion Dashboard Service service binary can be replaced by attackers to escalate privileges to NT SYSTEM. An attacker can provide a malicious file to trigger this vulnerability.
1721 CVE-2020-13422 862 2021-04-06 2021-04-08
5.5
None Remote Low ??? Partial Partial None
OpenIAM before 4.2.0.3 does not verify if a user has permissions to perform /webconsole/rest/api/* administrative actions.
1722 CVE-2020-13421 732 2021-04-06 2021-04-09
7.5
None Remote Low Not required Partial Partial Partial
OpenIAM before 4.2.0.3 has Incorrect Access Control for the Create User, Modify User Permissions, and Password Reset actions.
1723 CVE-2020-13420 Exec Code 2021-04-06 2021-04-08
7.5
None Remote Low Not required Partial Partial Partial
OpenIAM before 4.2.0.3 allows remote attackers to execute arbitrary code via Groovy Script.
1724 CVE-2020-13419 22 Dir. Trav. 2021-04-06 2021-04-08
5.0
None Remote Low Not required Partial None None
OpenIAM before 4.2.0.3 allows Directory Traversal in the Batch task.
1725 CVE-2020-13418 79 XSS 2021-04-06 2021-04-08
4.3
None Remote Medium Not required None Partial None
OpenIAM before 4.2.0.3 allows XSS in the Add New User feature.
1726 CVE-2020-11925 522 2021-04-02 2021-04-08
8.3
None Local Network Low Not required Complete Complete Complete
An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25. Authentication to the device is based on a username and password. The root credentials are the same across all devices of this model.
1727 CVE-2020-11924 312 2021-04-02 2021-04-07
2.1
None Local Low Not required Partial None None
An issue was discovered in WiZ Colors A60 1.14.0. Wi-Fi credentials are stored in cleartext in flash memory, which presents an information-disclosure risk for a discarded or resold device.
1728 CVE-2020-11923 312 2021-04-02 2021-04-07
2.1
None Local Low Not required Partial None None
An issue was discovered in WiZ Colors A60 1.14.0. API credentials are locally logged.
1729 CVE-2020-11922 200 +Info 2021-04-02 2021-04-09
3.3
None Local Network Low Not required Partial None None
An issue was discovered in WiZ Colors A60 1.14.0. The device sends unnecessary information to the cloud controller server. Although this information is sent encrypted and has low risk in isolation, it decreases the privacy of the end user. The information sent includes the local IP address being used and the SSID of the Wi-Fi network the device is connected to. (Various resources such as wigle.net can be used for mapping of SSIDs to physical locations.)
1730 CVE-2020-11255 401 DoS 2021-04-07 2021-04-12
7.8
None Remote Low Not required None None Complete
Denial of service while processing RTCP packets containing multiple SDES reports, because memory for the last SDES packet is freed and the rest of the memory is leaked, in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Wearables
1731 CVE-2020-11252 125 2021-04-07 2021-04-12
4.7
None Local Medium Not required Complete None None
Trustzone initialization code will disable xPUs when memory dumps are enabled and lead to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking
1732 CVE-2020-11251 125 2021-04-07 2021-04-12
9.4
None Remote Low Not required Complete None Complete
Out-of-bounds read vulnerability while accessing DTMF payload due to lack of check of buffer length before copying in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
1733 CVE-2020-11247 125 2021-04-07 2021-04-12
9.4
None Remote Low Not required Complete None Complete
Out of bound memory read while unpacking data due to lack of offset length check in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
1734 CVE-2020-11246 415 2021-04-07 2021-04-12
7.2
None Local Low Not required Complete Complete Complete
A double free condition can occur when the device moves to suspend mode during secure playback in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile
1735 CVE-2020-11245 190 2021-04-07 2021-04-12
7.2
None Local Low Not required Complete Complete Complete
Unintended reads and writes by NS EL2 in access control driver due to lack of check of input validation in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking
1736 CVE-2020-11243 755 DoS 2021-04-07 2021-04-12
7.8
None Remote Low Not required None None Complete
RRC sends a connection establishment success to NAS even though connection setup validation returns failure and leads to denial of service in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile
1737 CVE-2020-11242 2021-04-07 2021-04-12
7.2
None Local Low Not required Complete Complete Complete
User could gain access to secure memory due to incorrect argument into address range validation api used in SDI to capture requested contents in Snapdragon Industrial IOT, Snapdragon Mobile
1738 CVE-2020-11237 20 2021-04-07 2021-04-12
7.2
None Local Low Not required Complete Complete Complete
Memory crash when accessing histogram type KPI input received due to lack of check of histogram definition before accessing it in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile
1739 CVE-2020-11236 20 DoS Mem. Corr. 2021-04-07 2021-04-12
7.8
None Remote Low Not required None None Complete
Memory corruption due to invalid value of total dimension in the non-histogram type KPI could lead to a denial of service in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile
1740 CVE-2020-11234 416 2021-04-07 2021-04-12
7.2
None Local Low Not required Complete Complete Complete
When sending a socket event message to a user application, invalid information will be passed if socket is freed by other thread resulting in a Use After Free condition in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
1741 CVE-2020-11231 415 2021-04-07 2021-04-12
4.6
None Local Low Not required Partial Partial Partial
Two threads call one or both functions concurrently leading to corruption of pointers and reference counters which in turn can lead to heap corruption in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile
1742 CVE-2020-11210 20 Mem. Corr. 2021-04-07 2021-04-12
7.2
None Local Low Not required Complete Complete Complete
Possible memory corruption in RPM region due to improper XPU configuration in Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking
1743 CVE-2020-11191 125 2021-04-07 2021-04-12
9.4
None Remote Low Not required Complete None Complete
Out of bound read occurs while processing crafted SDP due to lack of check of null string in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking
1744 CVE-2020-10015 787 Exec Code 2021-04-02 2021-04-13
9.3
None Remote Medium Not required Complete Complete Complete
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, macOS Big Sur 11.0.1. An application may be able to execute arbitrary code with kernel privileges.
1745 CVE-2020-10008 2021-04-02 2021-04-07
4.3
None Remote Medium Not required Partial None None
A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.0.1. A malicious application with root privileges may be able to access private information.
1746 CVE-2020-10001 20 2021-04-02 2021-11-30
4.3
None Remote Medium Not required Partial None None
An input validation issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave. A malicious application may be able to read restricted memory.
1747 CVE-2020-9995 79 XSS 2021-04-02 2021-04-07
5.8
None Remote Medium Not required Partial Partial None
An issue existed in the parsing of URLs. This issue was addressed with improved input validation. This issue is fixed in macOS Server 5.11. Processing a maliciously crafted URL may lead to an open redirect or cross site scripting.
1748 CVE-2020-9978 2021-04-02 2021-04-07
2.7
None Local Network Low ??? None Partial None
This issue was addressed with improved setting propagation. This issue is fixed in macOS Big Sur 11.0.1, tvOS 14.0, macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, watchOS 7.0, iOS 14.0 and iPadOS 14.0. An attacker in a privileged network position may be able to unexpectedly alter application state.
1749 CVE-2020-9975 416 Exec Code 2021-04-02 2021-04-07
9.3
None Remote Medium Not required Complete Complete Complete
A use after free issue was addressed with improved memory management. This issue is fixed in macOS Big Sur 11.0.1, tvOS 14.0, macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, watchOS 7.0, iOS 14.0 and iPadOS 14.0. An application may be able to execute arbitrary code with kernel privileges.
1750 CVE-2020-9971 2021-04-02 2021-04-08
6.8
None Remote Medium Not required Partial Partial Partial
A logic issue was addressed with improved validation. This issue is fixed in watchOS 7.0, tvOS 14.0, iOS 14.0 and iPadOS 14.0, macOS Big Sur 11.0.1. A malicious application may be able to elevate privileges.
Total number of vulnerabilities: 1821. Page 35 of 37.