CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In February 2021

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-27803 DoS Exec Code 2021-02-26 2021-04-23
5.4
None Local Network Medium Not required Partial Partial Partial
A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.
2 CVE-2021-27799 787 Overflow 2021-02-26 2021-03-10
5.0
None Remote Low Not required None None Partial
ean_leading_zeroes in backend/upcean.c in Zint Barcode Generator 2.9.1 has a stack-based buffer overflow that is reachable from the C API through an application that includes the Zint Barcode Generator library code.
3 CVE-2021-27671 79 XSS 2021-02-25 2021-03-02
4.3
None Remote Medium Not required None Partial None
An issue was discovered in the comrak crate before 0.9.1 for Rust. XSS can occur because the protection mechanism for data: and javascript: URIs is case-sensitive, allowing (for example) Data: to be used in an attack.
4 CVE-2021-27670 918 2021-02-25 2021-03-02
7.5
None Remote Low Not required Partial Partial Partial
Appspace 6.2.4 allows SSRF via the api/v1/core/proxy/jsonprequest url parameter.
5 CVE-2021-27645 415 DoS 2021-02-24 2021-07-06
1.9
None Local Medium Not required None None Partial
The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.
6 CVE-2021-27583 200 +Info 2021-02-23 2021-03-01
5.0
None Remote Low Not required Partial None None
** UNSUPPORTED WHEN ASSIGNED ** In Directus 8.x through 8.8.1, an attacker can discover whether a user is present in the database through the password reset feature. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
7 CVE-2021-27582 915 2021-02-23 2021-03-25
6.4
None Remote Low Not required Partial Partial None
org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth authorization flow, in which HTTP request parameters affect an authorizationRequest.
8 CVE-2021-27579 269 2021-02-23 2021-04-06
4.4
None Local Medium Not required Partial Partial Partial
Snow Inventory Agent through 6.7.0 on Windows uses CPUID to report on processor types and versions that may be deployed and in use across an IT environment. A privilege-escalation vulnerability exists if CPUID is enabled, and thus it should be disabled via configuration settings.
9 CVE-2021-27568 754 2021-02-23 2021-07-20
6.4
None Remote Low Not required Partial None Partial
An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.
10 CVE-2021-27564 79 XSS 2021-02-22 2021-02-26
3.5
None Remote Medium ??? None Partial None
A stored XSS issue exists in Appspace 6.2.4. After a user is authenticated and enters an XSS payload under the groups section of the network tab, it is stored as the group name. Whenever another member visits that group, this payload executes.
11 CVE-2021-27559 79 XSS 2021-02-22 2021-02-23
3.5
None Remote Medium ??? None Partial None
The Contact page in Monica 2.19.1 allows stored XSS via the Nickname field.
12 CVE-2021-27550 369 DoS 2021-02-23 2021-02-26
4.3
None Remote Medium Not required None None Partial
Polaris Office v9.102.66 is affected by a divide-by-zero error in PolarisOffice.exe and EngineDLL.dll that may cause a local denial of service. To exploit the vulnerability, someone must open a crafted PDF file.
13 CVE-2021-27549 312 2021-02-22 2021-02-26
5.0
None Remote Low Not required Partial None None
** DISPUTED ** Genymotion Desktop through 3.2.0 leaks the host's clipboard data to the Android application by default. NOTE: the vendor's position is that this is intended behavior that can be changed through the Settings > Device screen.
14 CVE-2021-27516 2021-02-22 2021-03-30
5.0
None Remote Low Not required Partial None None
URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
15 CVE-2021-27515 2021-02-22 2021-03-30
5.0
None Remote Low Not required None Partial None
url-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
16 CVE-2021-27514 307 Bypass 2021-02-22 2021-02-26
7.5
None Remote Low Not required Partial Partial Partial
EyesOfNetwork 5.3-10 uses an integer of between 8 and 10 digits for the session ID, which might be leveraged for brute-force authentication bypass (such as in CVE-2021-27513 exploitation).
17 CVE-2021-27513 434 2021-02-22 2021-02-26
6.5
None Remote Low ??? Partial Partial Partial
The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote authenticated users to upload arbitrary .xml.php files because it relies on "le filtre userside."
18 CVE-2021-27509 863 2021-02-19 2021-03-01
5.0
None Remote Low Not required Partial None None
In Visualware MyConnection Server before 11.0b build 5382, each published report is not associated with its own access code.
19 CVE-2021-27405 400 DoS 2021-02-19 2021-03-30
5.0
None Remote Low Not required None None Partial
A ReDoS (regular expression denial of service) flaw was found in the @progfay/scrapbox-parser package before 6.0.3 for Node.js.
20 CVE-2021-27404 601 2021-02-19 2021-02-25
5.8
None Remote Medium Not required Partial Partial None
Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow injection of a Host HTTP header.
21 CVE-2021-27403 79 XSS 2021-02-19 2021-02-25
4.3
None Remote Medium Not required None Partial None
Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow cgi-bin/te_acceso_router.cgi curWebPage XSS.
22 CVE-2021-27379 269 DoS +Priv 2021-02-18 2021-04-11
5.9
None Local Medium Not required Partial Partial Complete
An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM guest OS users to achieve unintended read/write DMA access, and possibly cause a denial of service (host OS crash) or gain privileges. This occurs because a backport missed a flush, and thus IOMMU updates were not always correct. NOTE: this issue exists because of an incomplete fix for CVE-2020-15565.
23 CVE-2021-27378 330 2021-02-18 2021-02-25
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the rand_core crate before 0.6.2 for Rust. Because read_u32_into and read_u64_into mishandle certain buffer-length checks, a random number generator may be seeded with too little data.
24 CVE-2021-27377 416 2021-02-18 2021-02-25
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the yottadb crate before 1.2.0 for Rust. For some memory-allocation patterns, ydb_subscript_next_st and ydb_subscript_prev_st have a use-after-free.
25 CVE-2021-27376 119 Overflow 2021-02-18 2021-02-25
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the nb-connect crate before 1.0.3 for Rust. It may have invalid memory access for certain versions of the standard library because it relies on a direct cast of std::net::SocketAddrV4 and std::net::SocketAddrV6 data structures.
26 CVE-2021-27375 668 2021-02-18 2021-02-24
5.0
None Remote Low Not required None Partial None
Traefik before 2.4.5 allows the loading of IFRAME elements from other domains.
27 CVE-2021-27374 2021-02-17 2021-02-25
5.0
None Remote Low Not required Partial None None
VertiGIS WebOffice 10.7 SP1 before patch20210202 and 10.8 SP1 before patch20210207 allows attackers to achieve "Zugriff auf Inhalte der WebOffice Applikation."
28 CVE-2021-27371 79 XSS 2021-02-22 2021-02-23
3.5
None Remote Medium ??? None Partial None
The Contact page in Monica 2.19.1 allows stored XSS via the Description field.
29 CVE-2021-27370 79 XSS 2021-02-22 2021-04-22
3.5
None Remote Medium ??? None Partial None
The Contact page in Monica 2.19.1 allows stored XSS via the Last Name field.
30 CVE-2021-27369 79 XSS 2021-02-22 2021-02-23
3.5
None Remote Medium ??? None Partial None
The Contact page in Monica 2.19.1 allows stored XSS via the Middle Name field.
31 CVE-2021-27368 79 XSS 2021-02-22 2021-02-23
3.5
None Remote Medium ??? None Partial None
The Contact page in Monica 2.19.1 allows stored XSS via the First Name field.
32 CVE-2021-27367 22 Dir. Trav. 2021-02-17 2021-02-23
5.0
None Remote Low Not required Partial None None
Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal.
33 CVE-2021-27362 125 Exec Code 2021-02-17 2021-02-22
7.5
None Remote Low Not required Partial Partial Partial
The WPG plugin before 3.1.0.0 for IrfanView 4.57 has a Read Access Violation on Control Flow starting at WPG!ReadWPG_W+0x0000000000000133, which might allow remote attackers to execute arbitrary code.
34 CVE-2021-27351 613 2021-02-19 2021-05-26
5.0
None Remote Low Not required None Partial None
The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session.
35 CVE-2021-27335 502 Exec Code 2021-02-18 2021-02-26
7.5
None Remote Low Not required Partial Partial Partial
KollectApps before 4.8.16c is affected by insecure Java deserialization, leading to Remote Code Execution via a ysoserial.payloads.CommonsCollections parameter.
36 CVE-2021-27330 79 XSS 2021-02-25 2021-03-03
4.3
None Remote Medium Not required None Partial None
Triconsole Datepicker Calendar <3.77 is affected by cross-site scripting (XSS) in calendar_form.php. Attackers can read authentication cookies that are still active, which can be used to perform further attacks such as reading browser history, directory listings, and file contents.
37 CVE-2021-27329 918 2021-02-18 2021-02-26
10.0
None Remote Low Not required Complete Complete Complete
Friendica 2021.01 allows SSRF via parse_url?binurl= for DNS lookups or HTTP requests to arbitrary domain names.
38 CVE-2021-27328 22 Dir. Trav. 2021-02-19 2021-03-09
4.0
None Remote Low ??? Partial None None
Yeastar NeoGate TG400 91.3.0.3 devices are affected by Directory Traversal. An authenticated user can decrypt firmware and can read sensitive information, such as a password or decryption key.
39 CVE-2021-27279 79 XSS 2021-02-22 2021-02-26
3.5
None Remote Medium ??? None Partial None
MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode).
40 CVE-2021-27237 79 XSS 2021-02-16 2021-02-17
3.5
None Remote Medium ??? None Partial None
The admin panel in BlackCat CMS 1.3.6 allows stored XSS (by an admin) via the Display Name field to backend/preferences/ajax_save.php.
41 CVE-2021-27236 94 Exec Code File Inclusion 2021-02-16 2021-02-22
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. getfile.asp allows Unauthenticated Local File Inclusion, which can be leveraged to achieve Remote Code Execution.
42 CVE-2021-27235 2021-02-16 2021-02-22
4.0
None Remote Low ??? Partial None None
An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. On the admin portal of the web application, there is a functionality at diagzip.asp that allows anyone to export tables of a database.
43 CVE-2021-27234 89 Sql 2021-02-16 2021-02-22
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. The web application suffers from SQL injection on Adminlog.asp, Archivemsgs.asp, Deletelog.asp, Eventlog.asp, and Evmlog.asp.
44 CVE-2021-27233 312 2021-02-16 2021-02-22
4.0
None Remote Low ??? Partial None None
An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. On the admin portal of the web application, password information for external systems is visible in cleartext. The Settings.asp page is affected by this issue.
45 CVE-2021-27232 787 Exec Code Overflow 2021-02-16 2021-02-22
6.8
None Remote Medium Not required Partial Partial Partial
The RTSPLive555.dll ActiveX control in Pelco Digital Sentry Server 7.18.72.11464 has a SetCameraConnectionParameter stack-based buffer overflow. This can be exploited by a remote attacker to potentially execute arbitrary attacker-supplied code. The victim would have to visit a malicious webpage using Internet Explorer where the exploit could be triggered.
46 CVE-2021-27231 2021-02-16 2021-06-03
5.5
None Remote Low ??? Partial Partial None
Hestia Control Panel 1.3.5 and below, in a shared-hosting environment, sometimes allows remote authenticated users to create a subdomain for a different customer's domain name, leading to spoofing of services or email messages.
47 CVE-2021-27229 59 Exec Code 2021-02-16 2021-05-26
6.8
None Remote Medium Not required Partial Partial Partial
Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.
48 CVE-2021-27228 798 2021-02-22 2021-02-26
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Shinobi through ocean version 1. lib/auth.js has Incorrect Access Control. Valid API Keys are held in an internal JS Object. Therefore an attacker can use JS Proto Method names (such as constructor or hasOwnProperty) to convince the System that the supplied API Key exists in the underlying JS object, and consequently achieve complete access to User/Admin/Super API functions, as demonstrated by a /super/constructor/accounts/list URI.
49 CVE-2021-27224 787 Exec Code 2021-02-17 2021-02-22
5.0
None Remote Low Not required None None Partial
The WPG plugin before 3.1.0.0 for IrfanView 4.57 has a user-mode write access violation starting at WPG+0x0000000000012ec6, which might allow remote attackers to execute arbitrary code.
50 CVE-2021-27219 681 Overflow Mem. Corr. 2021-02-15 2021-07-07
5.0
None Remote Low Not required None None Partial
An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.
Total number of vulnerabilities : 1458   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.