CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In January 2021

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-26308 2021-01-29 2021-02-03
5.0
None Remote Low Not required Partial None None
An issue was discovered in the marc crate before 2.0.0 for Rust. A user-provided Read implementation can gain access to the old contents of newly allocated memory, violating soundness.
2 CVE-2021-26307 400 2021-01-29 2021-02-03
2.1
None Local Low Not required None None Partial
An issue was discovered in the raw-cpuid crate before 9.0.0 for Rust. It allows __cpuid_count() calls even if the processor does not support the CPUID instruction, which is unsound and causes a deterministic crash.
3 CVE-2021-26306 400 2021-01-29 2021-02-03
5.0
None Remote Low Not required None None Partial
An issue was discovered in the raw-cpuid crate before 9.0.0 for Rust. It has unsound transmute calls within as_string() methods.
4 CVE-2021-26305 908 2021-01-29 2021-02-04
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Deserializer::read_vec in the cdr crate before 0.2.4 for Rust. A user-provided Read implementation can gain access to the old contents of newly allocated heap memory, violating soundness.
5 CVE-2021-26304 79 XSS 2021-01-29 2021-02-01
3.5
None Remote Medium ??? None Partial None
PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to stored XSS via the add-expense.php Item parameter.
6 CVE-2021-26303 79 XSS 2021-01-29 2021-01-29
4.3
None Remote Medium Not required None Partial None
PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to stored XSS via the user-profile.php Full Name field.
7 CVE-2021-26276 913 2021-01-27 2021-03-30
5.0
None Remote Low Not required None Partial None
** DISPUTED ** scripts/cli.js in the GoDaddy node-config-shield (aka Config Shield) package before 0.2.2 for Node.js calls eval when processing a set command. NOTE: the vendor reportedly states that this is not a vulnerability. The set command was not intended for use with untrusted data.
8 CVE-2021-26272 829 2021-01-26 2021-10-20
4.3
None Remote Medium Not required None None Partial
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
9 CVE-2021-26271 829 2021-01-26 2021-10-20
4.3
None Remote Medium Not required None None Partial
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
10 CVE-2021-26267 Bypass 2021-01-26 2021-02-03
5.0
None Remote Low Not required None Partial None
cPanel before 92.0.9 allows a MySQL user (who has an old-style password hash) to bypass suspension (SEC-579).
11 CVE-2021-26266 Bypass 2021-01-26 2021-02-03
5.0
None Remote Low Not required None Partial None
cPanel before 92.0.9 allows a Reseller to bypass the suspension lock (SEC-578).
12 CVE-2021-26118 287 Bypass 2021-01-27 2021-09-21
5.0
None Remote Low Not required None Partial None
While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy based access control for the entire session. Production of advisory messages was not subject to access control in error.
13 CVE-2021-26117 287 2021-01-27 2021-10-20
5.0
None Remote Low Not required None Partial None
The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on the password.
14 CVE-2021-26067 200 +Info 2021-01-28 2021-02-04
5.0
None Remote Low Not required Partial None None
Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions are before version 7.2.2.
15 CVE-2021-26026 863 2021-01-26 2021-02-03
6.8
None Remote Medium Not required Partial Partial Partial
PlugIns\IDE_ACDStd.apl in ACDSee Professional 2021 14.0 1721 has a User Mode Write Access Violation starting at IDE_ACDStd!JPEGTransW+0x000000000000c7f4 via a crafted BMP image.
16 CVE-2021-26025 863 2021-01-26 2021-02-03
6.8
None Remote Medium Not required Partial Partial Partial
PlugIns\IDE_ACDStd.apl in ACDSee Professional 2021 14.0 1721 has a User Mode Write Access Violation starting at IDE_ACDStd!zlibVersion+0x0000000000004e5e via a crafted BMP image.
17 CVE-2021-25910 287 2021-01-29 2021-02-05
3.3
None Local Network Low Not required None Partial None
Improper Authentication vulnerability in the cookie parameter of ZIV AUTOMATION 4CCT-EA6-334126BF allows a local attacker to perform modifications in several parameters of the affected device as an authenticated user.
18 CVE-2021-25909 400 DoS 2021-01-29 2021-02-05
5.0
None Remote Low Not required None None Partial
ZIV Automation 4CCT-EA6-334126BF firmware version 3.23.80.27.36371, allows an unauthenticated, remote attacker to cause a denial of service condition on the device. An attacker could exploit this vulnerability by sending specific packets to the port 7919.
19 CVE-2021-25908 415 2021-01-26 2021-02-02
5.0
None Remote Low Not required None None Partial
An issue was discovered in the fil-ocl crate through 2021-01-04 for Rust. From<EventList> can lead to a double free.
20 CVE-2021-25907 415 2021-01-26 2021-02-02
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the containers crate before 0.9.11 for Rust. When a panic occurs, a util::{mutate,mutate2} double drop can be performed.
21 CVE-2021-25906 2021-01-26 2021-02-02
5.0
None Remote Low Not required None None Partial
An issue was discovered in the basic_dsp_matrix crate before 0.9.2 for Rust. When a TransformContent panic occurs, a double drop can be performed.
22 CVE-2021-25905 125 2021-01-26 2021-02-02
6.4
None Remote Low Not required Partial None Partial
An issue was discovered in the bra crate before 0.1.1 for Rust. It lacks soundness because it can read uninitialized memory.
23 CVE-2021-25904 476 2021-01-26 2021-02-02
5.0
None Remote Low Not required None None Partial
An issue was discovered in the av-data crate before 0.3.0 for Rust. A raw pointer is dereferenced, leading to a read of an arbitrary memory address, sometimes causing a segfault.
24 CVE-2021-25903 476 2021-01-26 2021-02-12
5.0
None Remote Low Not required None None Partial
An issue was discovered in the cache crate through 2021-01-01 for Rust. A raw pointer is dereferenced.
25 CVE-2021-25902 2021-01-26 2021-02-02
5.0
None Remote Low Not required None None Partial
An issue was discovered in the glsl-layout crate before 0.4.0 for Rust. When a panic occurs, map_array can perform a double drop.
26 CVE-2021-25901 2021-01-26 2021-02-02
5.0
None Remote Low Not required None None Partial
An issue was discovered in the lazy-init crate through 2021-01-17 for Rust. Lazy lacks a Send bound, leading to a data race.
27 CVE-2021-25900 787 Overflow 2021-01-26 2021-02-02
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many.
28 CVE-2021-25864 22 Dir. Trav. 2021-01-26 2021-02-02
5.0
None Remote Low Not required Partial None None
node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal.in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file.
29 CVE-2021-25863 798 2021-01-26 2021-02-03
8.3
None Local Network Low Not required Complete Complete Complete
Open5GS 2.1.3 listens on 0.0.0.0:3000 and has a default password of 1423 for the admin account.
30 CVE-2021-25647 79 XSS 2021-01-28 2021-02-03
3.5
None Remote Medium ??? None Partial None
Mobile application "Testes de Codigo" v11.3 and prior allows stored XSS by injecting a payload in the "feedback" message field causing it to be stored in the remote database and leading to its execution on client devices when loading the "feedback list", either by accessing the website directly or using the mobile application.
31 CVE-2021-25646 732 Exec Code 2021-01-29 2021-04-27
9.0
None Remote Low ??? Complete Complete Complete
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
32 CVE-2021-25325 79 XSS 2021-01-19 2021-01-21
4.3
None Remote Medium Not required None Partial None
MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs.
33 CVE-2021-25324 79 XSS 2021-01-19 2021-01-21
4.3
None Remote Medium Not required None Partial None
MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp.
34 CVE-2021-25323 640 2021-01-19 2021-01-22
6.4
None Remote Low Not required Partial Partial None
The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password.
35 CVE-2021-25312 306 2021-01-27 2021-02-04
6.5
None Remote Low ??? Partial Partial Partial
HTCondor before 8.9.11 allows a user to submit a job as another user on the system, because of a flaw in the IDTOKENS authentication method.
36 CVE-2021-25311 22 Dir. Trav. 2021-01-27 2021-08-12
9.0
None Remote Low ??? Complete Complete Complete
condor_credd in HTCondor before 8.9.11 allows Directory Traversal outside the SEC_CREDENTIAL_DIRECTORY_OAUTH directory, as demonstrated by creating a file under /etc that will later be executed by root.
37 CVE-2021-25295 79 XSS 2021-01-18 2021-01-26
4.3
None Remote Medium Not required None Partial None
OpenCATS through 0.9.5-3 has multiple Cross-site Scripting (XSS) issues.
38 CVE-2021-25294 502 Exec Code 2021-01-18 2021-01-26
10.0
None Remote Low Not required Complete Complete Complete
OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity requests, leading to remote code execution. This occurs because lib/DataGrid.php calls unserialize for the parametersactivity:ActivityDataGrid parameter. The PHP object injection exploit chain can leverage an __destruct magic method in guzzlehttp.
39 CVE-2021-25247 427 Exec Code 2021-01-27 2021-02-03
4.4
None Local Medium Not required Partial Partial Partial
A DLL hijacking vulnerability Trend Micro HouseCall for Home Networks version 5.3.1063 and below could allow an attacker to use a malicious DLL to escalate privileges and perform arbitrary code execution. An attacker must already have user privileges on the machine to exploit this vulnerability.
40 CVE-2021-25226 400 Exec Code 2021-01-27 2021-02-01
2.1
None Local Low Not required None None Partial
A memory exhaustion vulnerability in Trend Micro ServerProtect for Linux 3.0 could allow a local attacker to craft specific files that can cause a denial-of-service on the affected product. The specific flaw exists within a scan engine component. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
41 CVE-2021-25225 400 Exec Code 2021-01-27 2021-02-01
2.1
None Local Low Not required None None Partial
A memory exhaustion vulnerability in Trend Micro ServerProtect for Linux 3.0 could allow a local attacker to craft specific files that can cause a denial-of-service on the affected product. The specific flaw exists within a scheduled scan component. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
42 CVE-2021-25224 400 Exec Code 2021-01-27 2021-02-01
2.1
None Local Low Not required None None Partial
A memory exhaustion vulnerability in Trend Micro ServerProtect for Linux 3.0 could allow a local attacker to craft specific files that can cause a denial-of-service on the affected product. The specific flaw exists within a manual scan component. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
43 CVE-2021-25178 787 DoS Exec Code Overflow 2021-01-18 2021-03-04
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A stack-based buffer overflow vulnerability exists when the recover operation is run with malformed .DXF and .DWG files. This can allow attackers to cause a crash potentially enabling a denial of service attack (Crash, Exit, or Restart) or possible code execution.
44 CVE-2021-25177 843 DoS 2021-01-18 2021-03-02
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A Type Confusion issue exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart).
45 CVE-2021-25176 476 DoS 2021-01-18 2021-03-04
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A NULL pointer dereference exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart).
46 CVE-2021-25175 704 DoS 2021-01-18 2021-03-04
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A Type Conversion issue exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart).
47 CVE-2021-25174 400 DoS Mem. Corr. 2021-01-18 2021-03-04
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory corruption vulnerability exists when reading malformed DGN files. It can allow attackers to cause a crash, potentially enabling denial of service (Crash, Exit, or Restart).
48 CVE-2021-25173 770 DoS 2021-01-18 2021-03-16
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory allocation with excessive size vulnerability exists when reading malformed DGN files, which allows attackers to cause a crash, potentially enabling denial of service (crash, exit, or restart).
49 CVE-2021-25138 120 2021-01-29 2021-01-30
7.2
None Local Low Not required Complete Complete Complete
The Baseboard Management Controller(BMC) in HPE Cloudline CL5800 Gen9 Server; HPE Cloudline CL5200 Gen9 Server; HPE Cloudline CL4100 Gen10 Server; HPE Cloudline CL3100 Gen10 Server; HPE Cloudline CL5800 Gen10 Server BMC firmware has a local buffer overlfow in spx_restservice uploadsshkey function.
50 CVE-2021-25137 120 2021-01-29 2021-01-30
7.2
None Local Low Not required Complete Complete Complete
The Baseboard Management Controller(BMC) in HPE Cloudline CL5800 Gen9 Server; HPE Cloudline CL5200 Gen9 Server; HPE Cloudline CL4100 Gen10 Server; HPE Cloudline CL3100 Gen10 Server; HPE Cloudline CL5800 Gen10 Server BMC firmware has a local buffer overlfow in spx_restservice startflash_func function.
Total number of vulnerabilities : 1524   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.