CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2021

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
151 CVE-2021-30209 434 2021-04-15 2021-04-23
4.0
None Remote Low ??? None Partial None
Textpattern V4.8.4 contains an arbitrary file upload vulnerability where a plug-in can be loaded in the background without any security verification, which may lead to obtaining system permissions.
152 CVE-2021-30199 476 2021-04-19 2021-04-21
4.3
None Remote Medium Not required None None Partial
In filters/reframe_latm.c in GPAC 1.0.1 there is a Null Pointer Dereference, when gf_filter_pck_get_data is called. The first arg pck may be null with a crafted mp4 file,which results in a crash.
153 CVE-2021-30185 2021-04-07 2021-04-15
5.0
None Remote Low Not required None Partial None
CERN Indico before 2.3.4 can use an attacker-supplied Host header in a password reset link.
154 CVE-2021-30184 120 Exec Code Overflow 2021-04-07 2021-07-12
6.8
None Remote Medium Not required Partial Partial Partial
GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted PGN (Portable Game Notation) data. This is related to a buffer overflow in the use of a .tmp.epd temporary file in the cmd_pgnload and cmd_pgnreplay functions in frontend/cmd.cc.
155 CVE-2021-30178 476 2021-04-07 2021-06-04
2.1
None Local Low Not required None None Partial
An issue was discovered in the Linux kernel through 5.11.11. synic_get in arch/x86/kvm/hyperv.c has a NULL pointer dereference for certain accesses to the SynIC Hyper-V context, aka CID-919f4ebc5987.
156 CVE-2021-30177 89 Exec Code Sql 2021-04-07 2021-04-13
7.5
None Remote Low Not required Partial Partial Partial
There is a SQL Injection vulnerability in PHP-Nuke 8.3.3 in the User Registration section, leading to remote code execution. This occurs because the U.S. state is not validated to be two letters, and the OrderBy field is not validated to be one of LASTNAME, CITY, or STATE.
157 CVE-2021-30176 89 Sql 2021-04-13 2021-04-14
7.5
None Remote Low Not required Partial Partial Partial
The ZEROF Expert pro/2.0 application for mobile devices allows SQL Injection via the Authorization header to the /v2/devices/add endpoint.
158 CVE-2021-30175 89 Sql 2021-04-13 2021-04-14
7.5
None Remote Low Not required Partial Partial Partial
ZEROF Web Server 1.0 (April 2021) allows SQL Injection via the /HandleEvent endpoint for the login page.
159 CVE-2021-30169 200 +Info 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
The sensitive information of webcam device is not properly protected. Remote attackers can unauthentically grant user’s credential.
160 CVE-2021-30168 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
The sensitive information of webcam device is not properly protected. Remote attackers can unauthentically grant administrator’s credential and further control the devices.
161 CVE-2021-30167 522 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
The manage users profile services of the network camera device allows an authenticated. Remote attackers can modify URL parameters and further amend user’s information and escalate privileges to control the devices.
162 CVE-2021-30166 78 Exec Code 2021-04-28 2021-04-28
0.0
None ??? ??? ??? ??? ??? ???
The NTP Server configuration function of the IP camera device is not verified with special parameters. Remote attackers can perform a command Injection attack and execute arbitrary commands after logging in with the privileged permission.
163 CVE-2021-30165 798 2021-04-27 2021-04-27
0.0
None ??? ??? ??? ??? ??? ???
The default administrator account & password of the EDIMAX wireless network camera is hard-coded. Remote attackers can disassemble firmware to obtain the privileged permission and further control the devices.
164 CVE-2021-30164 Bypass 2021-04-06 2021-06-02
7.5
None Remote Low Not required Partial Partial Partial
Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API.
165 CVE-2021-30163 200 +Info 2021-04-06 2021-06-03
5.0
None Remote Low Not required Partial None None
Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values.
166 CVE-2021-30162 Bypass 2021-04-06 2021-04-13
3.6
None Local Low Not required Partial Partial None
An issue was discovered on LG mobile devices with Android OS 4.4 through 11 software. Attackers can leverage ISMS services to bypass access control on specific content providers. The LG ID is LVE-SMP-210003 (April 2021).
167 CVE-2021-30161 Bypass 2021-04-06 2021-04-12
2.1
None Local Low Not required None Partial None
An issue was discovered on LG mobile devices with Android OS 11 software. Attackers can bypass the lockscreen protection mechanism after an incoming call has been terminated. The LG ID is LVE-SMP-210002 (April 2021).
168 CVE-2021-30159 Bypass 2021-04-09 2021-07-17
4.0
None Remote Low ??? None Partial None
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master.
169 CVE-2021-30158 287 2021-04-06 2021-12-08
5.0
None Remote Low Not required Partial None None
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been compromised, and yet is not able to block any potential future use of the token by an unauthorized party.
170 CVE-2021-30157 79 XSS 2021-04-06 2021-12-10
4.3
None Remote Medium Not required None Partial None
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped, leading to XSS.
171 CVE-2021-30156 732 2021-04-09 2021-05-03
4.0
None Remote Low ??? None Partial None
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Special:Contributions can leak that a "hidden" user exists.
172 CVE-2021-30155 862 2021-04-09 2021-12-08
4.0
None Remote Low ??? None Partial None
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page.
173 CVE-2021-30154 79 XSS 2021-04-06 2021-12-10
4.3
None Remote Medium Not required None Partial None
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediastatistics-header-* messages are output in HTML unescaped, leading to XSS.
174 CVE-2021-30152 732 2021-04-09 2021-12-08
4.0
None Remote Low ??? None Partial None
An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. When using the MediaWiki API to "protect" a page, a user is currently able to protect to a higher level than they currently have permissions for.
175 CVE-2021-30151 79 XSS 2021-04-06 2021-04-09
4.3
None Remote Medium Not required None Partial None
Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used.
176 CVE-2021-30150 79 XSS 2021-04-06 2021-04-08
4.3
None Remote Medium Not required None Partial None
Composr 10.0.36 allows XSS in an XML script.
177 CVE-2021-30149 434 2021-04-06 2021-04-08
7.5
None Remote Low Not required Partial Partial Partial
Composr 10.0.36 allows upload and execution of PHP files.
178 CVE-2021-30147 352 CSRF 2021-04-07 2021-04-12
6.8
None Remote Medium Not required Partial Partial Partial
DMA Softlab Radius Manager 4.4.0 allows CSRF with impacts such as adding new manager accounts via admin.php.
179 CVE-2021-30146 79 XSS 2021-04-06 2021-04-12
3.5
None Remote Medium ??? None Partial None
Seafile 7.0.5 (2019) allows Persistent XSS via the "share of library functionality."
180 CVE-2021-30144 863 Bypass 2021-04-06 2021-04-09
4.0
None Remote Low ??? Partial None None
The Dashboard plugin through 1.0.2 for GLPI allows remote low-privileged users to bypass access control on viewing information about the last ten events, the connected users, and the users in the tech category. For example, plugins/dashboard/front/main2.php can be used.
181 CVE-2021-30141 401 2021-04-05 2021-04-15
5.0
None Remote Low Not required None None Partial
** DISPUTED ** Module/Settings/UserExport.php in Friendica through 2021.01 allows settings/userexport to be used by anonymous users, as demonstrated by an attempted access to an array offset on a value of type null, and excessive memory consumption. NOTE: the vendor states "the feature still requires a valid authentication cookie even if the route is accessible to non-logged users."
182 CVE-2021-30140 79 XSS 2021-04-06 2021-04-12
3.5
None Remote Medium ??? None Partial None
LiquidFiles 3.4.15 has stored XSS through the "send email" functionality when sending a file via email to an administrator. When a file has no extension and contains malicious HTML / JavaScript content (such as SVG with HTML content), the payload is executed upon a click. This is fixed in 3.5.
183 CVE-2021-30139 125 Overflow 2021-04-21 2021-04-22
5.0
None Remote Low Not required None None Partial
In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer overflow and crash.
184 CVE-2021-30130 347 2021-04-06 2021-04-20
5.0
None Remote Low Not required None Partial None
phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.
185 CVE-2021-30128 502 2021-04-27 2021-09-20
10.0
None Remote Low Not required Complete Complete Complete
Apache OFBiz has unsafe deserialization prior to 17.12.07 version
186 CVE-2021-30127 863 2021-04-03 2021-04-14
7.5
None Remote Low Not required Partial Partial Partial
TerraMaster F2-210 devices through 2021-04-03 use UPnP to make the admin web server accessible over the Internet on TCP port 8181, which is arguably inconsistent with the "It is only available on the local network" documentation. NOTE: manually editing /etc/upnp.json provides a partial but undocumented workaround.
187 CVE-2021-30126 2021-04-02 2021-04-09
6.4
None Remote Low Not required Partial Partial None
Lightmeter ControlCenter 1.1.0 through 1.5.x before 1.5.1 allows anyone who knows the URL of a publicly available Lightmeter instance to access application settings, possibly including an SMTP password and a Slack access token, via a settings HTTP query.
188 CVE-2021-30125 79 XSS 2021-04-02 2021-04-08
4.3
None Remote Medium Not required None Partial None
Jamf Pro before 10.28.0 allows XSS related to inventory history, aka PI-009376.
189 CVE-2021-30123 120 Exec Code Overflow 2021-04-07 2021-09-29
6.8
None Remote Medium Not required Partial Partial Partial
FFmpeg <=4.3 contains a buffer overflow vulnerability in libavcodec through a crafted file that may lead to remote code execution.
190 CVE-2021-30114 352 CSRF 2021-04-08 2021-04-13
4.3
None Remote Medium Not required None Partial None
Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a voucher payment request through module/accounting/voucher/create. The application fails to validate the CSRF token for a POST request using admin privilege.
191 CVE-2021-30113 79 Exec Code XSS 2021-04-08 2021-04-13
4.3
None Remote Medium Not required None Partial None
A blind XSS vulnerability exists in Web-School ERP V 5.0 via (Add Events) in event name and description fields. An attacker can inject a JavaScript code that will be stored in the page. If any visitor sees the event, then the payload will be executed and sends the victim's information to the attacker website.
192 CVE-2021-30112 352 CSRF 2021-04-08 2021-04-13
4.3
None Remote Medium Not required None Partial None
Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a student_leave_application request through module/core/studentleaveapplication/create. The application fails to validate the CSRF token for a POST request using Guardian privilege.
193 CVE-2021-30111 79 Exec Code XSS 2021-04-08 2021-04-13
3.5
None Remote Medium ??? None Partial None
A stored XSS vulnerability exists in Web-School ERP V 5.0 via (Add Events) in the event name and description fields. An attack can inject a JavaScript code that will be stored in the page. If any visitor sees the events, then the payload will be executed.
194 CVE-2021-30109 79 XSS 2021-04-05 2021-04-08
4.3
None Remote Medium Not required None Partial None
Froala Editor 3.2.6 is affected by Cross Site Scripting (XSS). Under certain conditions, a base64 crafted string leads to persistent Cross-site scripting (XSS) vulnerability within the hyperlink creation module.
195 CVE-2021-30074 79 XSS 2021-04-02 2021-04-08
4.3
None Remote Medium Not required None Partial None
docsify 4.12.1 is affected by Cross Site Scripting (XSS) because the search component does not appropriately encode Code Blocks and mishandles the " character.
196 CVE-2021-30072 787 Overflow 2021-04-02 2021-04-23
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in prog.cgi on D-Link DIR-878 1.30B08 devices. Because strcat is misused, there is a stack-based buffer overflow that does not require authentication.
197 CVE-2021-30058 79 XSS 2021-04-05 2021-04-08
4.3
None Remote Medium Not required None Partial None
Knowage Suite before 7.4 is vulnerable to cross-site scripting (XSS). An attacker can inject arbitrary external script in '/knowagecockpitengine/api/1.0/pages/execute' via the 'SBI_HOST' parameter.
198 CVE-2021-30057 74 2021-04-05 2021-04-08
3.5
None Remote Medium ??? None Partial None
A stored HTML injection vulnerability exists in Knowage Suite version 7.1. An attacker can inject arbitrary HTML in "/restful-services/2.0/analyticalDrivers" via the 'LABEL' and 'NAME' parameters.
199 CVE-2021-30056 79 XSS 2021-04-05 2021-04-08
3.5
None Remote Medium ??? None Partial None
Knowage Suite before 7.4 is vulnerable to reflected cross-site scripting (XSS). An attacker can inject arbitrary web script in /restful-services/publish via the 'EXEC_FROM' parameter that can lead to data leakage.
200 CVE-2021-30055 89 Sql 2021-04-05 2021-04-08
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability in Knowage Suite version 7.1 exists in the documentexecution/url analytics driver component via the 'par_year' parameter when running a report.
Total number of vulnerabilities : 1821   Page : 1 2 3 4 (This Page)5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.