CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2021(Gain Information)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
301 CVE-2021-29253 522 +Info 2021-05-26 2021-06-04
2.1
None Local Low Not required Partial None None
The Tableau integration in RSA Archer 6.4 P1 (6.4.0.1) through 6.9 P2 (6.9.0.2) is affected by an insecure credential storage vulnerability. An malicious attacker with access to the Tableau workbook file may obtain access to credential information to use it in further attacks.
302 CVE-2021-29248 200 +Info 2021-05-05 2021-05-11
5.0
None Remote Low Not required Partial None None
BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the Secure flag for a cookie.
303 CVE-2021-29247 200 +Info 2021-05-05 2021-05-11
5.0
None Remote Low Not required Partial None None
BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the HTTPOnly flag for a cookie.
304 CVE-2021-29155 125 +Info 2021-04-20 2021-06-23
2.1
None Local Low Not required Partial None None
An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.
305 CVE-2021-29086 200 +Info 2021-06-23 2021-06-29
5.0
None Remote Low Not required Partial None None
Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors.
306 CVE-2021-29082 200 +Info 2021-03-23 2021-03-24
3.3
None Local Network Low Not required Partial None None
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects RBW30 before 2.6.1.4, RBS40V before 2.6.1.4, RBK752 before 3.2.15.25, RBK753 before 3.2.15.25, RBK753S before 3.2.15.25, RBK754 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.15.25, RBK853 before 3.2.15.25, RBK854 before 3.2.15.25, RBR850 before 3.2.15.25, and RBS850 before 3.2.15.25.
307 CVE-2021-29043 200 +Info 2021-05-17 2021-05-24
4.3
None Remote Medium Not required Partial None None
The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing.
308 CVE-2021-29006 200 +Info 2021-10-11 2021-10-16
4.0
None Remote Low ??? Partial None None
rConfig 3.9.6 is affected by a Local File Disclosure vulnerability. An authenticated user may successfully download any file on the server.
309 CVE-2021-28993 89 Sql +Info 2021-06-30 2021-07-06
5.0
None Remote Low Not required Partial None None
Plixer Scrutinizer 19.0.2 is affected by: SQL Injection. The impact is: obtain sensitive information (remote).
310 CVE-2021-28938 +Info 2021-04-13 2021-05-04
4.0
None Remote Low ??? Partial None None
Siren Federate before 6.8.14-10.3.9, 6.9.x through 7.6.x before 7.6.2-20.2, 7.7.x through 7.9.x before 7.9.3-21.6, 7.10.x before 7.10.2-22.2, and 7.11.x before 7.11.2-23.0 can leak user information across thread contexts. This occurs in opportunistic circumstances when there is concurrent query execution by a low-privilege user and a high-privilege user. The former query might run with the latter query's privileges.
311 CVE-2021-28805 200 +Info 2021-06-11 2021-06-23
2.1
None Local Low Not required Partial None None
Inclusion of sensitive information in the source code has been reported to affect certain QNAP switches running QSS. If exploited, this vulnerability allows attackers to read application data. This issue affects: QNAP Systems Inc. QSS versions prior to 1.0.3 build 20210505 on QSW-M2108-2C; versions prior to 1.0.3 build 20210505 on QSW-M2108-2S; versions prior to 1.0.3 build 20210505 on QSW-M2108R-2C; versions prior to 1.0.12 build 20210506 on QSW-M408.
312 CVE-2021-28566 200 +Info 2021-09-08 2021-09-14
4.0
None Remote Low ??? Partial None None
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Information Disclosure vulnerability when uploading a modified png file to a product image. Successful exploitation could lead to the disclosure of document root path by an unauthenticated attacker. Access to the admin console is required for successful exploitation.
313 CVE-2021-28557 125 +Info 2021-09-02 2021-09-15
4.3
None Remote Medium Not required Partial None None
Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by an Out-of-bounds Read vulnerability. An unauthenticated attacker could leverage this vulnerability to leak sensitive system information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
314 CVE-2021-28479 200 +Info 2021-05-11 2021-05-14
2.1
None Local Low Not required Partial None None
Windows CSC Service Information Disclosure Vulnerability
315 CVE-2021-28325 200 +Info 2021-04-13 2021-04-16
4.0
None Remote Low ??? Partial None None
Windows SMB Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-28324.
316 CVE-2021-28324 200 +Info 2021-04-13 2021-04-15
5.0
None Remote Low Not required Partial None None
Windows SMB Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-28325.
317 CVE-2021-28323 200 +Info 2021-04-13 2021-04-22
4.0
None Remote Low ??? Partial None None
Windows DNS Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-28328.
318 CVE-2021-28318 200 +Info 2021-04-13 2021-04-15
2.1
None Local Low Not required Partial None None
Windows GDI+ Information Disclosure Vulnerability
319 CVE-2021-28317 200 +Info 2021-04-13 2021-04-15
2.1
None Local Low Not required Partial None None
Microsoft Windows Codecs Library Information Disclosure Vulnerability
320 CVE-2021-28309 200 +Info 2021-04-13 2021-04-15
2.1
None Local Low Not required Partial None None
Windows Kernel Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-27093.
321 CVE-2021-28242 77 Sql +Info 2021-04-15 2021-06-04
6.5
None Remote Low ??? Partial Partial Partial
SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cf_name" parameter when creating a new filter under the "Collections" tab.
322 CVE-2021-28204 78 Exec Code +Info 2021-04-06 2021-04-14
6.5
None Remote Low ??? Partial Partial Partial
The specific function in ASUS BMC’s firmware Web management page (Modify user’s information function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can launch command injection to execute command arbitrary.
323 CVE-2021-28199 120 Overflow +Info 2021-04-06 2021-04-13
4.0
None Remote Low ??? None None Partial
The specific function in ASUS BMC’s firmware Web management page (Modify user’s information function) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service.
324 CVE-2021-28188 120 Overflow +Info 2021-04-06 2021-04-13
4.0
None Remote Low ??? None None Partial
The specific function in ASUS BMC’s firmware Web management page (Modify user’s information function) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers use the leakage to abnormally terminate the Web service.
325 CVE-2021-28169 200 +Info 2021-06-09 2021-12-10
5.0
None Remote Low Not required Partial None None
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
326 CVE-2021-28133 200 +Info 2021-03-18 2021-03-26
4.3
None Remote Medium Not required Partial None None
Zoom through 5.5.4 sometimes allows attackers to read private information on a participant's screen, even though the participant never attempted to share the private part of their screen. When a user shares a specific application window via the Share Screen functionality, other meeting participants can briefly see contents of other application windows that were explicitly not shared. The contents of these other windows can (for instance) be seen for a short period of time when they overlay the shared window and get into focus. (An attacker can, of course, use a separate screen-recorder application, unsupported by Zoom, to save all such contents for later replays and analysis.) Depending on the unintentionally shared data, this short exposure of screen contents may be a more or less severe security issue.
327 CVE-2021-28075 +Info 2021-04-06 2021-04-12
5.0
None Remote Low Not required Partial None None
iKuaiOS 3.4.8 Build 202012291059 has an arbitrary file download vulnerability, which can be exploited by attackers to obtain sensitive information.
328 CVE-2021-27823 200 +Info 2021-05-25 2021-05-28
5.0
None Remote Low Not required Partial None None
An information disclosure vulnerability was discovered in /index.class.php (via port 8181) on NetWave System 1.0 which allows unauthenticated attackers to exfiltrate sensitive information from the system.
329 CVE-2021-27672 89 Sql +Info 2021-04-15 2021-04-21
4.0
None Remote Low ??? Partial None None
SQL Injection in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS v8.8.52729 allows remote attackers to obtain sesnitive database information by injecting SQL commands into the "cID" parameter when creating a new HTML component.
330 CVE-2021-27610 287 +Info 2021-06-16 2021-06-23
7.5
None Remote Low Not required Partial Partial Partial
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious users to obtain illegitimate access to the system.
331 CVE-2021-27599 200 +Info 2021-04-14 2021-08-27
4.0
None Remote Low ??? Partial None None
SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Integration Builder Framework), versions - 7.10, 7.30, 7.31, 7.40, 7.50, allows an attacker to access information under certain conditions, which would otherwise be restricted.
332 CVE-2021-27583 200 +Info 2021-02-23 2021-03-01
5.0
None Remote Low Not required Partial None None
** UNSUPPORTED WHEN ASSIGNED ** In Directus 8.x through 8.8.1, an attacker can discover whether a user is present in the database through the password reset feature. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
333 CVE-2021-27545 89 Sql +Info 2021-04-15 2021-04-21
4.0
None Remote Low ??? Partial None None
SQL Injection in the "add-services.php" component of PHPGurukul Beauty Parlour Management System v1.0 allows remote attackers to obtain sensitive database information by injecting SQL commands into the "sername" parameter.
334 CVE-2021-27437 798 +Info 2021-05-07 2021-05-19
6.4
None Remote Low Not required Partial Partial None
The affected product allows attackers to obtain sensitive information from the WISE-PaaS dashboard. The system contains a hard-coded administrator username and password that can be used to query Grafana APIs. Authentication is not required for exploitation on the WISE-PaaS/RMM (versions prior to 9.0.1).
335 CVE-2021-27434 200 Overflow +Info 2021-05-20 2021-05-26
5.0
None Remote Low Not required Partial None None
Products with Unified Automation .NET based OPC UA Client/Server SDK Bundle: Versions V3.0.7 and prior (.NET 4.5, 4.0, and 3.5 Framework versions only) are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow.
336 CVE-2021-27408 125 Exec Code +Info 2021-06-11 2021-06-29
5.0
None Remote Low Not required Partial None None
The affected product is vulnerable to an out-of-bounds read, which can cause information leakage leading to arbitrary code execution if chained to the out-of-bounds write vulnerability on the Welch Allyn medical device management tools (Welch Allyn Service Tool: versions prior to v1.10, Welch Allyn Connex Device Integration Suite – Network Connectivity Engine (NCE): versions prior to v5.3, Welch Allyn Software Development Kit (SDK): versions prior to v3.2, Welch Allyn Connex Central Station (CS): versions prior to v1.8.6, Welch Allyn Service Monitor: versions prior to v1.7.0.0, Welch Allyn Connex Vital Signs Monitor (CVSM): versions prior to v2.43.02, Welch Allyn Connex Integrated Wall System (CIWS): versions prior to v2.43.02, Welch Allyn Connex Spot Monitor (CSM): versions prior to v1.52, Welch Allyn Spot Vital Signs 4400 Device (Spot 4400) / Welch Allyn Spot 4400 Vital Signs Extended Care Device: versions prior to v1.11.00).
337 CVE-2021-27343 120 Overflow +Info 2021-04-06 2021-04-09
5.0
None Remote Low Not required Partial None None
SerenityOS Unspecified is affected by: Buffer Overflow. The impact is: obtain sensitive information (context-dependent). The component is: /Userland/Libraries/LibCrypto/ASN1/DER.h Crypto::der_decode_sequence() function. The attack vector is: Parsing RSA Key ASN.1.
338 CVE-2021-27288 79 XSS +Info 2021-04-14 2021-04-20
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "Comment" field in "/profile/activity" page.
339 CVE-2021-27260 125 Exec Code +Info 2021-04-14 2021-04-23
2.1
None Local Low Not required Partial None None
This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 16.0.1-48919. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-12068.
340 CVE-2021-27244 125 Exec Code +Info 2021-03-29 2021-04-27
2.1
None Local Low Not required Partial None None
This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 16.0.1-48919. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-11925.
341 CVE-2021-27093 200 +Info 2021-04-13 2021-04-16
2.1
None Local Low Not required Partial None None
Windows Kernel Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-28309.
342 CVE-2021-27079 200 +Info 2021-04-13 2021-04-15
6.3
None Remote Medium ??? Complete None None
Windows Media Photo Codec Information Disclosure Vulnerability
343 CVE-2021-27067 200 +Info 2021-04-13 2021-04-15
4.0
None Remote Low ??? Partial None None
Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability
344 CVE-2021-26999 200 +Info 2021-08-06 2021-08-13
4.0
None Remote Low ??? Partial None None
NetApp Cloud Manager versions prior to 3.9.9 log sensitive information when an Active Directory connection fails. The logged information is available only to authenticated users. Customers with auto-upgrade enabled should already be on a fixed version while customers using on-prem connectors with auto-upgrade disabled are advised to upgrade to a fixed version.
345 CVE-2021-26998 200 +Info 2021-08-06 2021-08-13
4.0
None Remote Low ??? Partial None None
NetApp Cloud Manager versions prior to 3.9.9 log sensitive information that is available only to authenticated users. Customers with auto-upgrade enabled should already be on a fixed version while customers using on-prem connectors with auto-upgrade disabled are advised to upgrade to a fixed version.
346 CVE-2021-26966 89 Sql +Info 2021-03-05 2021-03-10
5.5
None Remote Low ??? Partial Partial None
A remote authenticated sql injection vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Multiple vulnerabilities in the API of AirWave could allow an authenticated remote attacker to conduct SQL injection attacks against the AirWave instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database.
347 CVE-2021-26965 89 Sql +Info 2021-03-05 2021-03-10
5.5
None Remote Low ??? Partial Partial None
A remote authenticated sql injection vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Multiple vulnerabilities in the API of AirWave could allow an authenticated remote attacker to conduct SQL injection attacks against the AirWave instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database.
348 CVE-2021-26953 908 +Info 2021-02-09 2021-02-16
5.0
None Remote Low Not required Partial None None
An issue was discovered in the postscript crate before 0.14.0 for Rust. It might allow attackers to obtain sensitive information from uninitialized memory locations via a user-provided Read implementation.
349 CVE-2021-26952 908 +Info 2021-02-09 2021-02-12
5.0
None Remote Low Not required Partial None None
An issue was discovered in the ms3d crate before 0.1.3 for Rust. It might allow attackers to obtain sensitive information from uninitialized memory locations via IoReader::read.
350 CVE-2021-26939 200 +Info 2021-02-10 2021-02-18
5.0
None Remote Low Not required Partial None None
** DISPUTED ** An information disclosure issue exists in henriquedornas 5.2.17 because an attacker can dump phpMyAdmin SQL content. NOTE: third parties report that this is a site-specific problem.
Total number of vulnerabilities : 767   Page : 1 2 3 4 5 6 7 (This Page)8 9 10 11 12 13 14 15 16
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.