Search Results (Refine Search)

Search Parameters:
There are 155,359 matching records.
Displaying matches 1,341 through 1,360.
Vuln ID Summary CVSS Severity
CVE-2021-32633

Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.

Published: May 21, 2021; 10:15:07 AM -0400
V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2020-27211

Nordic Semiconductor nRF52840 devices through 2020-10-19 have improper protection against physical side channels. The flash read-out protection (APPROTECT) can be bypassed by injecting a fault during the boot phase.

Published: May 21, 2021; 9:15:07 AM -0400
V3.1: 5.7 MEDIUM
V2.0: 3.3 LOW
CVE-2021-29415

The elliptic curve cryptography (ECC) hardware accelerator, part of the ARMĀ® TrustZoneĀ® CryptoCell 310, contained in the NordicSemiconductor nRF52840 through 2021-03-29 has a non-constant time ECDSA implemenation. This allows an adversary to recover the private ECC key used during an ECDSA operation.

Published: May 21, 2021; 8:15:07 AM -0400
V3.1: 5.5 MEDIUM
V2.0: 2.1 LOW
CVE-2021-29414

STMicroelectronics STM32L4 devices through 2021-03-29 have incorrect physical access control.

Published: May 21, 2021; 8:15:07 AM -0400
V3.1: 6.1 MEDIUM
V2.0: 3.6 LOW
CVE-2020-27212

STMicroelectronics STM32L4 devices through 2020-10-19 have incorrect access control. The flash read-out protection (RDP) can be degraded from RDP level 2 (no access via debug interface) to level 1 (limited access via debug interface) by injecting a fault during the boot phase.

Published: May 21, 2021; 8:15:07 AM -0400
V3.1: 7.0 HIGH
V2.0: 4.4 MEDIUM
CVE-2020-27208

The flash read-out protection (RDP) level is not enforced during the device initialization phase of the SoloKeys Solo 4.0.0 & Somu and the Nitrokey FIDO2 token. This allows an adversary to downgrade the RDP level and access secrets such as private ECC keys from SRAM via the debug interface.

Published: May 21, 2021; 8:15:07 AM -0400
V3.1: 6.8 MEDIUM
V2.0: 4.6 MEDIUM
CVE-2020-12061

An issue was discovered in Nitrokey FIDO U2F firmware through 1.1. Communication between the microcontroller and the secure element transmits credentials in plain. This allows an adversary to eavesdrop the communication and derive the secrets stored in the microcontroller. As a result, the attacker is able to arbitrarily manipulate the firmware of the microcontroller.

Published: May 21, 2021; 8:15:07 AM -0400
V3.1: 9.8 CRITICAL
V2.0: 5.0 MEDIUM
CVE-2021-32032

In Trusted Firmware-M through 1.3.0, cleaning up the memory allocated for a multi-part cryptographic operation (in the event of a failure) can prevent the abort() operation in the associated cryptographic library from freeing internal resources, causing a memory leak.

Published: May 21, 2021; 12:15:08 AM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2021-28798

A relative path traversal vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to modify files that impact system integrity. QNAP have already fixed this vulnerability in the following versions: QTS 4.5.2.1630 Build 20210406 and later QTS 4.3.6.1663 Build 20210504 and later QTS 4.3.3.1624 Build 20210416 and later QuTS hero h4.5.2.1638 Build 20210414 and later QNAP NAS running QTS 4.5.3 are not affected.

Published: May 20, 2021; 11:15:09 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2020-27209

The ECDSA operation of the micro-ecc library 1.0 is vulnerable to simple power analysis attacks which allows an adversary to extract the private ECC key.

Published: May 20, 2021; 5:15:07 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2021-33477

rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline.

Published: May 20, 2021; 4:15:07 PM -0400
V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2021-22409

There is a denial of service vulnerability in some versions of ManageOne. There is a logic error in the implementation of a function of a module. When the service pressure is heavy, there is a low probability that an exception may occur. Successful exploit may cause some services abnormal.

Published: May 20, 2021; 4:15:07 PM -0400
V3.1: 5.3 MEDIUM
V2.0: 3.5 LOW
CVE-2021-22339

There is a denial of service vulnerability in some versions of ManageOne. In specific scenarios, due to the insufficient verification of the parameter, an attacker may craft some specific parameter. Successful exploit may cause some services abnormal.

Published: May 20, 2021; 4:15:07 PM -0400
V3.1: 6.5 MEDIUM
V2.0: 3.5 LOW
CVE-2020-18220

Weak Encoding for Password in DoraCMS v2.1.1 and earlier allows attackers to obtain sensitive information as it does not use a random salt or IV for its AES-CBC encryption, causes password encrypted for users to be susceptible to dictionary attacks.

Published: May 20, 2021; 4:15:07 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2021-28906

In function read_yin_leaf() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL. In some cases, it can be NULL, which leads to the operation of retval->ext[r]->flags that results in a crash.

Published: May 20, 2021; 3:15:07 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2021-28905

In function lys_node_free() in libyang <= v1.0.225, it asserts that the value of node->module can't be NULL. But in some cases, node->module can be null, which triggers a reachable assertion (CWE-617).

Published: May 20, 2021; 3:15:07 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2021-28904

In function ext_get_plugin() in libyang <= v1.0.225, it doesn't check whether the value of revision is NULL. If revision is NULL, the operation of strcmp(revision, ext_plugins[u].revision) will lead to a crash.

Published: May 20, 2021; 3:15:07 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2021-28903

A stack overflow in libyang <= v1.0.225 can cause a denial of service through function lyxml_parse_mem(). lyxml_parse_elem() function will be called recursively, which will consume stack space and lead to crash.

Published: May 20, 2021; 3:15:07 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2021-28902

In function read_yin_container() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL. In some cases, it can be NULL, which leads to the operation of retval->ext[r]->flags that results in a crash.

Published: May 20, 2021; 3:15:07 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2021-27956

Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.

Published: May 20, 2021; 2:15:07 PM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM