| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2021-26308 |
|
|
|
2021-01-29 |
2021-02-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in the marc crate before 2.0.0 for Rust. A user-provided Read implementation can gain access to the old contents of newly allocated memory, violating soundness. |
|
2 |
CVE-2021-26307 |
|
|
|
2021-01-29 |
2022-07-12 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
An issue was discovered in the raw-cpuid crate before 9.0.0 for Rust. It allows __cpuid_count() calls even if the processor does not support the CPUID instruction, which is unsound and causes a deterministic crash. |
|
3 |
CVE-2021-26306 |
|
|
|
2021-01-29 |
2022-07-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An issue was discovered in the raw-cpuid crate before 9.0.0 for Rust. It has unsound transmute calls within as_string() methods. |
|
4 |
CVE-2021-26305 |
908 |
|
|
2021-01-29 |
2021-02-04 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in Deserializer::read_vec in the cdr crate before 0.2.4 for Rust. A user-provided Read implementation can gain access to the old contents of newly allocated heap memory, violating soundness. |
|
5 |
CVE-2021-26304 |
79 |
|
XSS |
2021-01-29 |
2021-02-01 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to stored XSS via the add-expense.php Item parameter. |
|
6 |
CVE-2021-26303 |
79 |
|
XSS |
2021-01-29 |
2021-01-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to stored XSS via the user-profile.php Full Name field. |
|
7 |
CVE-2021-26276 |
913 |
|
|
2021-01-27 |
2022-04-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
** DISPUTED ** scripts/cli.js in the GoDaddy node-config-shield (aka Config Shield) package before 0.2.2 for Node.js calls eval when processing a set command. NOTE: the vendor reportedly states that this is not a vulnerability. The set command was not intended for use with untrusted data. |
|
8 |
CVE-2021-26272 |
829 |
|
|
2021-01-26 |
2022-03-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin). |
|
9 |
CVE-2021-26271 |
829 |
|
|
2021-01-26 |
2021-12-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin). |
|
10 |
CVE-2021-26267 |
|
|
Bypass |
2021-01-26 |
2021-02-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
cPanel before 92.0.9 allows a MySQL user (who has an old-style password hash) to bypass suspension (SEC-579). |
|
11 |
CVE-2021-26266 |
|
|
Bypass |
2021-01-26 |
2021-02-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
cPanel before 92.0.9 allows a Reseller to bypass the suspension lock (SEC-578). |
|
12 |
CVE-2021-26118 |
|
|
Bypass |
2021-01-27 |
2022-08-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy based access control for the entire session. Production of advisory messages was not subject to access control in error. |
|
13 |
CVE-2021-26117 |
287 |
|
|
2021-01-27 |
2021-12-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on the password. |
|
14 |
CVE-2021-26067 |
200 |
|
+Info |
2021-01-28 |
2021-02-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions are before version 7.2.2. |
|
15 |
CVE-2021-26026 |
863 |
|
|
2021-01-26 |
2021-02-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
PlugIns\IDE_ACDStd.apl in ACDSee Professional 2021 14.0 1721 has a User Mode Write Access Violation starting at IDE_ACDStd!JPEGTransW+0x000000000000c7f4 via a crafted BMP image. |
|
16 |
CVE-2021-26025 |
863 |
|
|
2021-01-26 |
2021-02-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
PlugIns\IDE_ACDStd.apl in ACDSee Professional 2021 14.0 1721 has a User Mode Write Access Violation starting at IDE_ACDStd!zlibVersion+0x0000000000004e5e via a crafted BMP image. |
|
17 |
CVE-2021-25910 |
287 |
|
|
2021-01-29 |
2021-02-05 |
3.3 |
None |
Local Network |
Low |
Not required |
None |
Partial |
None |
|
Improper Authentication vulnerability in the cookie parameter of ZIV AUTOMATION 4CCT-EA6-334126BF allows a local attacker to perform modifications in several parameters of the affected device as an authenticated user. |
|
18 |
CVE-2021-25909 |
400 |
|
DoS |
2021-01-29 |
2021-02-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
ZIV Automation 4CCT-EA6-334126BF firmware version 3.23.80.27.36371, allows an unauthenticated, remote attacker to cause a denial of service condition on the device. An attacker could exploit this vulnerability by sending specific packets to the port 7919. |
|
19 |
CVE-2021-25908 |
415 |
|
|
2021-01-26 |
2021-02-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An issue was discovered in the fil-ocl crate through 2021-01-04 for Rust. From<EventList> can lead to a double free. |
|
20 |
CVE-2021-25907 |
415 |
|
|
2021-01-26 |
2021-02-02 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in the containers crate before 0.9.11 for Rust. When a panic occurs, a util::{mutate,mutate2} double drop can be performed. |
|
21 |
CVE-2021-25906 |
|
|
|
2021-01-26 |
2021-02-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An issue was discovered in the basic_dsp_matrix crate before 0.9.2 for Rust. When a TransformContent panic occurs, a double drop can be performed. |
|
22 |
CVE-2021-25905 |
908 |
|
|
2021-01-26 |
2022-05-03 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
An issue was discovered in the bra crate before 0.1.1 for Rust. It lacks soundness because it can read uninitialized memory. |
|
23 |
CVE-2021-25904 |
476 |
|
|
2021-01-26 |
2021-02-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An issue was discovered in the av-data crate before 0.3.0 for Rust. A raw pointer is dereferenced, leading to a read of an arbitrary memory address, sometimes causing a segfault. |
|
24 |
CVE-2021-25903 |
476 |
|
|
2021-01-26 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An issue was discovered in the cache crate through 2021-01-01 for Rust. A raw pointer is dereferenced. |
|
25 |
CVE-2021-25902 |
|
|
|
2021-01-26 |
2021-02-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An issue was discovered in the glsl-layout crate before 0.4.0 for Rust. When a panic occurs, map_array can perform a double drop. |
|
26 |
CVE-2021-25901 |
|
|
|
2021-01-26 |
2021-02-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An issue was discovered in the lazy-init crate through 2021-01-17 for Rust. Lazy lacks a Send bound, leading to a data race. |
|
27 |
CVE-2021-25900 |
787 |
|
Overflow |
2021-01-26 |
2021-02-02 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many. |
|
28 |
CVE-2021-25864 |
22 |
|
Dir. Trav. |
2021-01-26 |
2021-02-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal.in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file. |
|
29 |
CVE-2021-25863 |
798 |
|
|
2021-01-26 |
2021-02-03 |
8.3 |
None |
Local Network |
Low |
Not required |
Complete |
Complete |
Complete |
|
Open5GS 2.1.3 listens on 0.0.0.0:3000 and has a default password of 1423 for the admin account. |
|
30 |
CVE-2021-25647 |
79 |
|
XSS |
2021-01-28 |
2021-02-03 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Mobile application "Testes de Codigo" v11.3 and prior allows stored XSS by injecting a payload in the "feedback" message field causing it to be stored in the remote database and leading to its execution on client devices when loading the "feedback list", either by accessing the website directly or using the mobile application. |
|
31 |
CVE-2021-25646 |
|
|
Exec Code |
2021-01-29 |
2022-07-12 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process. |
|
32 |
CVE-2021-25325 |
79 |
|
XSS |
2021-01-19 |
2021-01-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs. |
|
33 |
CVE-2021-25324 |
79 |
|
XSS |
2021-01-19 |
2021-01-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp. |
|
34 |
CVE-2021-25323 |
640 |
|
|
2021-01-19 |
2021-01-22 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password. |
|
35 |
CVE-2021-25312 |
306 |
|
|
2021-01-27 |
2021-02-04 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
HTCondor before 8.9.11 allows a user to submit a job as another user on the system, because of a flaw in the IDTOKENS authentication method. |
|
36 |
CVE-2021-25311 |
22 |
|
Dir. Trav. |
2021-01-27 |
2021-08-12 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
condor_credd in HTCondor before 8.9.11 allows Directory Traversal outside the SEC_CREDENTIAL_DIRECTORY_OAUTH directory, as demonstrated by creating a file under /etc that will later be executed by root. |
|
37 |
CVE-2021-25295 |
79 |
|
XSS |
2021-01-18 |
2021-01-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
OpenCATS through 0.9.5-3 has multiple Cross-site Scripting (XSS) issues. |
|
38 |
CVE-2021-25294 |
502 |
|
Exec Code |
2021-01-18 |
2021-01-26 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity requests, leading to remote code execution. This occurs because lib/DataGrid.php calls unserialize for the parametersactivity:ActivityDataGrid parameter. The PHP object injection exploit chain can leverage an __destruct magic method in guzzlehttp. |
|
39 |
CVE-2021-25247 |
427 |
|
Exec Code |
2021-01-27 |
2021-02-03 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A DLL hijacking vulnerability Trend Micro HouseCall for Home Networks version 5.3.1063 and below could allow an attacker to use a malicious DLL to escalate privileges and perform arbitrary code execution. An attacker must already have user privileges on the machine to exploit this vulnerability. |
|
40 |
CVE-2021-25226 |
400 |
|
Exec Code |
2021-01-27 |
2021-02-01 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
A memory exhaustion vulnerability in Trend Micro ServerProtect for Linux 3.0 could allow a local attacker to craft specific files that can cause a denial-of-service on the affected product. The specific flaw exists within a scan engine component. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. |
|
41 |
CVE-2021-25225 |
400 |
|
Exec Code |
2021-01-27 |
2021-02-01 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
A memory exhaustion vulnerability in Trend Micro ServerProtect for Linux 3.0 could allow a local attacker to craft specific files that can cause a denial-of-service on the affected product. The specific flaw exists within a scheduled scan component. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. |
|
42 |
CVE-2021-25224 |
400 |
|
Exec Code |
2021-01-27 |
2021-02-01 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
A memory exhaustion vulnerability in Trend Micro ServerProtect for Linux 3.0 could allow a local attacker to craft specific files that can cause a denial-of-service on the affected product. The specific flaw exists within a manual scan component. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. |
|
43 |
CVE-2021-25178 |
787 |
|
DoS Exec Code Overflow |
2021-01-18 |
2022-04-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A stack-based buffer overflow vulnerability exists when the recover operation is run with malformed .DXF and .DWG files. This can allow attackers to cause a crash potentially enabling a denial of service attack (Crash, Exit, or Restart) or possible code execution. |
|
44 |
CVE-2021-25177 |
843 |
|
DoS |
2021-01-18 |
2022-04-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A Type Confusion issue exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart). |
|
45 |
CVE-2021-25176 |
476 |
|
DoS |
2021-01-18 |
2022-04-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A NULL pointer dereference exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart). |
|
46 |
CVE-2021-25175 |
704 |
|
DoS |
2021-01-18 |
2022-04-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A Type Conversion issue exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart). |
|
47 |
CVE-2021-25174 |
787 |
|
DoS Mem. Corr. |
2021-01-18 |
2022-04-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory corruption vulnerability exists when reading malformed DGN files. It can allow attackers to cause a crash, potentially enabling denial of service (Crash, Exit, or Restart). |
|
48 |
CVE-2021-25173 |
770 |
|
DoS |
2021-01-18 |
2022-04-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory allocation with excessive size vulnerability exists when reading malformed DGN files, which allows attackers to cause a crash, potentially enabling denial of service (crash, exit, or restart). |
|
49 |
CVE-2021-25138 |
120 |
|
|
2021-01-29 |
2021-01-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The Baseboard Management Controller(BMC) in HPE Cloudline CL5800 Gen9 Server; HPE Cloudline CL5200 Gen9 Server; HPE Cloudline CL4100 Gen10 Server; HPE Cloudline CL3100 Gen10 Server; HPE Cloudline CL5800 Gen10 Server BMC firmware has a local buffer overlfow in spx_restservice uploadsshkey function. |
|
50 |
CVE-2021-25137 |
120 |
|
|
2021-01-29 |
2021-01-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The Baseboard Management Controller(BMC) in HPE Cloudline CL5800 Gen9 Server; HPE Cloudline CL5200 Gen9 Server; HPE Cloudline CL4100 Gen10 Server; HPE Cloudline CL3100 Gen10 Server; HPE Cloudline CL5800 Gen10 Server BMC firmware has a local buffer overlfow in spx_restservice startflash_func function. |
