Search Results (Refine Search)

Search Parameters:
There are 149,733 matching records.
Displaying matches 1,381 through 1,400.
Vuln ID Summary CVSS Severity
CVE-2020-4081

In Digital Experience 8.5, 9.0, and 9.5, WSRP consumer is vulnerable to cross-site scripting (XSS).

Published: February 02, 2021; 4:15:14 PM -0500
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-29662

In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog’s registry API is exposed on an unauthenticated path.

Published: February 02, 2021; 4:15:13 PM -0500
V3.1: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2021-21292

Traccar is an open source GPS tracking system. In Traccar before version 4.12 there is an unquoted Windows binary path vulnerability. Only Windows versions are impacted. Attacker needs write access to the filesystem on the host machine. If Java path includes a space, then attacker can lift their privilege to the same as Traccar service (system). This is fixed in version 4.12.

Published: February 02, 2021; 3:15:12 PM -0500
V3.1: 6.3 MEDIUM
V2.0: 1.9 LOW
CVE-2020-1910

A missing bounds check in WhatsApp for Android prior to v2.21.1.13 and WhatsApp Business for Android prior to v2.21.1.13 could have allowed out-of-bounds read and write if a user applied specific image filters to a specially crafted image and sent the resulting image.

Published: February 02, 2021; 3:15:11 PM -0500
V3.1: 7.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2020-14255

HCL Digital Experience 9.5 containers include vulnerabilities that could expose sensitive data to unauthorized parties via crafted requests. These affect containers only. These do not affect traditional on-premise installations.

Published: February 02, 2021; 3:15:11 PM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2020-14221

HCL Digital Experience 8.5, 9.0, and 9.5 exposes information about the server to unauthorized users.

Published: February 02, 2021; 3:15:11 PM -0500
V3.1: 4.9 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2021-25912

Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0.1.0 allows attackers to cause a denial of service and may lead to remote code execution.

Published: February 02, 2021; 2:15:14 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2021-23271

The TIBCO EBX Web Server component of TIBCO Software Inc.'s TIBCO EBX contains a vulnerability that theoretically allows a low privileged attacker with network access to execute a Stored Cross Site Scripting (XSS) attack on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 5.9.12 and below.

Published: February 02, 2021; 2:15:14 PM -0500
V3.1: 8.0 HIGH
V2.0: 6.0 MEDIUM
CVE-2021-21291

OAuth2 Proxy is an open-source reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. In OAuth2 Proxy before version 7.0.0, for users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect. For example, if a whitelist domain was configured for ".example.com", the intention is that subdomains of example.com are allowed. Instead, "example.com" and "badexample.com" could also match. This is fixed in version 7.0.0 onwards. As a workaround, one can disable the whitelist domain feature and run separate OAuth2 Proxy instances for each subdomain.

Published: February 02, 2021; 2:15:14 PM -0500
V3.1: 6.1 MEDIUM
V2.0: 5.8 MEDIUM
CVE-2021-21289

Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.

Published: February 02, 2021; 2:15:14 PM -0500
V3.1: 8.3 HIGH
V2.0: 7.6 HIGH
CVE-2021-20199

Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by default and do not require authentication. This issue affects Podman 1.8.0 onwards.

Published: February 02, 2021; 2:15:14 PM -0500
V3.1: 5.9 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-7775

This affects all versions of package freediskspace. The vulnerability arises out of improper neutralization of arguments in line 71 of freediskspace.js.

Published: February 02, 2021; 2:15:13 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2020-28498

The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

Published: February 02, 2021; 2:15:13 PM -0500
V3.1: 6.8 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2021-21285

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

Published: February 02, 2021; 1:15:12 PM -0500
V3.1: 6.5 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2021-21284

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/<remapping>" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.

Published: February 02, 2021; 1:15:11 PM -0500
V3.1: 6.8 MEDIUM
V2.0: 2.7 LOW
CVE-2020-15097

loklak is an open-source server application which is able to collect messages from various sources, including twitter. The server contains a search index and a peer-to-peer index sharing interface. All messages are stored in an elasticsearch index. In loklak less than or equal to commit 5f48476, a path traversal vulnerability exists. Insufficient input validation in the APIs exposed by the loklak server allowed a directory traversal vulnerability. Any admin configuration and files readable by the app available on the hosted file system can be retrieved by the attacker. Furthermore, user-controlled content could be written to any admin config and files readable by the application. This has been patched in commit 50dd692. Users will need to upgrade their hosted instances of loklak to not be vulnerable to this exploit.

Published: February 02, 2021; 1:15:11 PM -0500
V3.1: 9.1 CRITICAL
V2.0: 6.4 MEDIUM
CVE-2019-25018

In the rcp client in MIT krb5-appl through 1.0.3, malicious servers could bypass intended access restrictions via the filename of . or an empty filename, similar to CVE-2018-20685 and CVE-2019-7282. The impact is modifying the permissions of the target directory on the client side. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.

Published: February 02, 2021; 1:15:11 PM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2019-25017

An issue was discovered in rcp in MIT krb5-appl through 1.0.3. Due to the rcp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the rcp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious rcp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rcp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). This issue is similar to CVE-2019-6111 and CVE-2019-7283. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.

Published: February 02, 2021; 1:15:10 PM -0500
V3.1: 5.9 MEDIUM
V2.0: 5.8 MEDIUM
CVE-2021-25310

** UNSUPPORTED WHEN ASSIGNED ** The administration web interface on Belkin Linksys WRT160NL 1.0.04.002_US_20130619 devices allows remote authenticated attackers to execute system commands with root privileges via shell metacharacters in the ui_language POST parameter to the apply.cgi form endpoint. This occurs in do_upgrade_post in mini_httpd. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

Published: February 02, 2021; 10:15:16 AM -0500
V3.1: 8.8 HIGH
V2.0: 9.0 HIGH
CVE-2020-4934

IBM Content Navigator 3.0.CD could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 191752.

Published: February 02, 2021; 10:15:16 AM -0500
V3.1: 4.3 MEDIUM
V2.0: 4.0 MEDIUM