SUSE has released security update to resolve a vulnerability in Gegl. An attacker can
exploit this vulnerability to take control of an affected system. The affected products are
SUSE Linux Enterprise Workstation Extension 15-SP3 and SUSE Linux Enterprise Workstation
Extension 15-SP2.
CVE ID: CVE-2021-45463
Multiple vulnerabilities have been fixed in FORT RPKI validator, which can result in Denial
of Service (DoS) or path traversal. It is recommended to upgrade fort-validator packages.
CVE ID: CVE-2021-3907 (Critical), CVE-2021-3909 (High), CVE-2021-43173 (High),
CVE-2021-43114 (High)
A potential product security bypass vulnerability has been discovered in McAfee Application
and Change Control (MACC). The affected versions are MACC prior to version 8.3.4. It is
recommended to install or update to MACC 8.3.4.
CVE ID: CVE-2021-31833 (High)
QNAP NAS has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2021-44224, CVE-2021-44790, CVE-2021-34347
Multiple vulnerabilities have been discovered in Moxa's equipment. An attacker can exploit
these vulnerabilities to take control of an affected system. The updates are available.
Wireshark has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2021-4190, CVE-2021-4186, CVE-2021-4185, CVE-2021-4184, CVE-2021-4183,
CVE-2021-4182, CVE-2021-4181
A Denial of Service (DoS) vulnerability has been discovered in ForeScout -SecureConnector
Local Service which can cause the buffer to overflow and override the stack cookie causing
the service to crash.
CVE ID: CVE-2021-36724
A vulnerability has been discovered in Stormshield Network Security (SNS) in which, under
specific update migration scenario the first SSH password change does not properly clean the
old one.
CVE ID: CVE-2021-45885 (High)
A stored XSS vulnerability has been discovered in wiki.js application where a low privileged
user can upload a SVG file that contains malicious JavaScript while uploading assets in the
page. The affected versions are wiki.js version 2.0.0-beta.147 to 2.5.255.
CVE ID: CVE-2021-25993 (Medium)
Multiple vulnerabilities have been discovered in All-in-One SEO WordPress Plugin which can
allow an attacker to gain elevated privileges and perform SQL injection on the targeted
system.
CVE ID: CVE-2021-25036 (High), CVE-2021-25037 (High)
A Cross-Site Scripting (XSS) vulnerability has been discovered in HUAWEI WS318n product.
Successful exploitation can cause certain information disclosure. It is recommended to
update the software.
CVE ID: CVE-2021-40041
Multiple CPU Side-Channel vulnerabilities have been discovered in multiple Huawei products.
Huawei has released software updates to resolve these vulnerabilities.
CVE ID: CVE-2018-3615(Medium), CVE-2018-3620 (Medium), CVE-2018-3646 (Medium)
It has been discovered that the vulnerabilities in Apache Log4j affect multiple Schneider
Electric products. Schneider Electric has released remediations & mitigations to address
these vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Critical), CVE-2021-45105 (High),
CVE-2021-4104 (High), CVE-2021-44832
It has been discovered that Panorama Mobile One Time Password (MOTP) system’s specific
function parameter has insufficient validation for user input. An attacker in local area
network can perform SQL injection attack to read, modify or delete backend database without
authentication.
CVE ID: CVE-2021-44161 (High)
SUSE has released security update to resolve a vulnerability in Gegl. An attacker can
exploit this vulnerability to take control of an affected system. The affected products
are SUSE Linux Enterprise Workstation Extension 12-SP5 and SUSE Linux Enterprise Software
Development Kit 12-SP5.
CVE ID: CVE-2021-45463
SUSE has released security update for Permissions. The affected products are SUSE MicroOS
5.1, SUSE MicroOS 5.0, SUSE Linux Enterprise Module for Basesystem 15-SP3 and SUSE Linux
Enterprise Module for Basesystem 15-SP2.
It has been discovered that the vulnerabilities in Apache Log4j affect multiple Siemens
products. Siemens has released workarounds & mitigations to address these
vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Critical), CVE-2021-44832
Multiple vulnerabilities have been discovered in Moxa's Equipments. An attacker can exploit
these vulnerabilities to take control of an affected system.
It has been discovered that the vulnerabilities in Apache Log4j affect multiple Huawei
products. The updates are available.
CVE ID: CVE-2021-45046 (Critical), CVE-2021-44228 (Critical)
A Remote Code Execution (RCE) vulnerability has been discovered in Gerapy- distributed
crawler management framework. Versions prior to 0.9.8 are affected. The vulnerability has
been resolved in updated Gerapy version 0.9.8.
CVE ID: CVE-2021-43857 (Critical)
IBM has released security updates to resolve Apache Log4j vulnerabilities in several IBM
Products.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45105 (High), CVE-2021-45046 (Critical)
It has been discovered that KONICA MINOLTA multi-function printers (MFP) and printing
systems contain multiple vulnerabilities. An attacker can exploit these vulnerabilities to
take control of an affected system. Several products and versions are affected.
CVE ID: CVE-2021-20868 (Medium), CVE-2021-20869 (Medium), CVE-2021-20870 (Medium),
CVE-2021-20871 (Medium), CVE-2021-20872 (Medium)
It has been discovered that IDEC PLCs (Programmable Logic Controller) contain multiple
vulnerabilities. An attacker can exploit these vulnerabilities to take control of an
affected system. The updates are available.
CVE ID: CVE-2021-37400 (High), CVE-2021-37401 (High), CVE-2021-20826 (High),
CVE-2021-20827 (High)
Two Remote Code Execution (RCE) vulnerabilities have been resolved in Blackmagic Software
designed DaVinci Resolve software which allow attackers to gain code execution on unpatched
systems.
CVE ID: CVE-2021-40417 (Critical), CVE-2021-40418 (Critical)
Debian has released security updates to resolve several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2021-30887, CVE-2021-30890
All versions of Node.js package docker-cli-js are susceptible to a OS commands injection
vulnerability. Successful exploitation of this vulnerability may lead to disclosure of
sensitive information, addition or modification of data, or Denial of Service (DoS).
CVE ID: CVE-2021-23732 (Critical)
The vulnerability affects Grafana versions 8.0 to 8.2.3, when the fine-grained access
control beta feature is enabled and there is more than one organisation in the Grafana
instance admins are able to access users from other organisations. This issue has been fixed
in Grafana v8.2.4.
CVE ID: CVE-2021-41244 (Critical)
An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and
possible code execution when processing a crafted shell command, due to the shell
mishandling the &&& string.
CVE ID: CVE-2021-42377 (Critical)
Cleartext Transmission of Sensitive Information vulnerability has been identified in Moxa's
MGate MB3180/MB3280/MB3480 series. Moxa has developed appropriate solutions to address this
vulnerability.
CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the
cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom have
released a joint cybersecurity advisory in response to multiple vulnerabilities in Apache’s
Log4j software library.
CISCO has released list of products that are affected by vulnerabilities in Apache Log4j
Library.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Critical), CVE-2021-45105 (High)
Android apps developed using Yappli application development platform fails to restrict
custom URL schemes properly, which may be exploited to direct the app to connect to
unintended sites. It is recommended to remove the affected version from an application
store, until the rebuilt version is published.
CVE ID: CVE-2021-20873
Saviynt Enterprise Identity Cloud contains user enumeration and authentication bypass
vulnerabilities in the local password reset feature. A remote, unauthenticated attacker can
exploit these vulnerabilities to gain administrative privileges.
Huawei has released security update to resolve a Copy On Write (COW) vulnerability in Huawei
products. An attacker can exploit this vulnerability to gain write access to otherwise
read-only memory mappings and thus obtain the highest privileges on the system.
CVE ID: CVE-2016-5195 (High)
Multiple vulnerabilities have been discovered in Netgear Products. A remote attacker can
exploit these vulnerabilities to trigger Denial of Service (DoS) condition, Remote Code
Execution (RCE), disclose sensitive information and perform Cross-Site Scripting (XSS) on
the targeted system.
A vulnerability has been discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and
1.37.x before 1.37.1. This vulnerability may allow an attacker to leak page content from
private wikis or to bypass edit restrictions.
CVE ID: CVE-2021-44858
Multiple vulnerabilities have been discovered in several Agilia Connect Infusion Systems.
Successful exploitation of these vulnerabilities can allow an attacker to gain access to
sensitive information, modify settings or parameters, or perform arbitrary actions as an
authenticated user.
CVE ID: CVE-2021-23236 (High), CVE-2021-31562 (Medium), CVE-2021-41835 (High),
CVE-2021-23196 (High), CVE-2021-23233 (High), CVE-2021-23207 (Medium), CVE-2021-33843
(Medium), CVE-2021-23195 (Medium), CVE-2021-33848 (Medium), CVE-2021-44464 (Medium),
CVE-2021-33846 (Medium), CVE-2021-43355 (High), CVE-2020-35340 (High)
StorageGRID (formerly StorageGRID Webscale) versions 11.5 prior to 11.5.0.5 are susceptible
to a vulnerability which may allow an administrative user to escalate their privileges and
modify settings in SANtricity System Manager.
CVE ID: CVE-2021-27006 (Medium)
Apache Log4j vulnerabilities have been discovered in multiple Schneider Electric Products.
Schneider Electric has released remediation's & mitigations to address these
vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Critical)
Apache Log4j vulnerabilities have been discovered in Siemens Energy Sensformer and multiple
Siemens products. Siemens has released workarounds and mitigations to resolve
vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Critical), CVE-2021-45105 (High)
Multiple vulnerabilities have been discovered in mySCADA's equipment myPRO, an HMI/SCADA
system. Successful exploitation of these vulnerabilities can allow an attacker to completely
compromise the products.
CVE ID: CVE-2021-43985 (Critical), CVE-2021-43989 (High), CVE-2021-43987 (Critical),
CVE-2021-44453 (Critical), CVE-2021-22657 (Critical), CVE-2021-23198 (Critical),
CVE-2021-43981 (Critical), CVE-2021-43984 (Critical)
An improper input validation vulnerability has been discovered in Horner Automation's
equipment Cscape EnvisionRV that allows an attacker to execute arbitrary code in the context
of the current process.
CVE ID: CVE-2021-44462 (High)
Multiple vulnerabilities such as missing authentication for critical function and
uncontrolled search path element have been discovered in Emerson's equipment DeltaV
Distributed Control System Controllers and Workstations. An attacker can exploit these
vulnerabilities to achieve local privilege escalation or restart a controller, resulting in
a Denial-of-Service (DoS) condition.
CVE ID: CVE-2021-26264 (Medium), CVE-2021-44463 (High)
RedHat released security updates to address multiple vulnerabilities in several products. An
attacker can exploit these vulnerabilities to take control of an affected device.
Debian released security update to resolve several vulnerabilities in xorg-server. An
attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-4008, CVE-2021-4009, CVE-2021-4010, CVE-2021-4011
A Remote Code Execution (RCE) vulnerability has been discovered in Add Review Function in
iResturant 1.0 that allows remote attacker to execute commands remotely.
CVE ID: CVE-2021-43439 (Critical)
Multiple vulnerabilities have been resolved in Thunderbird 91.4.1. An attacker can exploit
these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-4126, CVE-2021-44538
It has been discovered that the vulnerabilities in Apache Log4j affects multiple Juniper
Networks Products. Juniper Networks has released workarounds & mitigations to address
these vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Critical), CVE-2021-4104 (High),
CVE-2021-42550 (Medium)
Multiple vulnerabilities such as Server-Side Request Forgery (SSRF) and buffer overflow have
been discovered in Apache HTTP server. An attacker can exploit these vulnerabilities to take
control of an affected system.
CVE ID: CVE-2021-44224, CVE-2021-44790
A critical Out-of-bounds Write vulnerability has been discovered in Apache HTTP Server in
which a carefully crafted request body can cause a buffer overflow in the mod_lua multipart
parser (r:parsebody() called from Lua scripts). This issue affects Apache HTTP Server 2.4.51
and earlier.
CVE ID: CVE-2021-44790 (Critical)
Ubuntu has released security update to address multiple vulnerabilities in Firefox and has
introduced several minor regressions. The affected products are Ubuntu 21.10, Ubuntu 21.04,
Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.
CVE ID: CVE-2021-43536 (Medium), CVE-2021-43537 (High), CVE-2021-43538 (Medium),
CVE-2021-43539 (High), CVE-2021-43541, CVE-2021-43542 (Medium), CVE-2021-43543 (Medium),
CVE-2021-43545 (Medium), CVE-2021-43546 (Medium)
SUSE has released security update to resolve a vulnerability in Samba. The affected products
are SUSE Linux Enterprise Server for SAP 15-SP1, SUSE Linux Enterprise Server 15-SP1-LTSS,
SUSE Linux Enterprise Server 15-SP1-BCL, SUSE Linux Enterprise High Performance Computing
15-SP1-LTSS, SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS, SUSE Linux
Enterprise High Availability 15-SP1, SUSE Enterprise Storage 6 & SUSE CaaS Platform 4.0.
CVE ID: CVE-2020-25717
SUSE has released security update for Corosync to resolve a security issue that doesn’t
recognize isolated nodes when interface is down. The affected product is SUSE Linux
Enterprise High Availability 15-SP2.
It has been discovered that the vulnerabilities in Apache Log4j affects Siemens Energy
TraceAlertServerPLUS and multiple Siemens products. Siemens has released workarounds &
mitigations to address these vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Critical)
It has been discovered that Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding
2.12.3) does not protects from uncontrolled recursion from self-referential lookups.
Successful exploitation of the vulnerability allows control over thread context map data to
cause a Denial of Service (DoS) attack when a crafted string is interpreted. This issue is
resolved in Log4j 2.17.0. This vulnerability affects products of Debian, CISCO & NetApp.
CVE ID: CVE-2021-45105
Ubuntu has released security updates to address several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Debian has released security updates to resolve several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
It has been discovered that the vulnerabilities in Apache Log4j affects multiple Siemens
Products. Siemens has released workarounds & mitigations to address the vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Low), CVE-2021-45105 (High)
It has been discovered that the vulnerabilities in Apache Log4j affects multiple Cisco
Products. Cisco has released patches for multiple products to address these vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Low), CVE-2021-45105
IBM has released security updates to resolve Apache Log4j Remote Code Execution (RCE)
vulnerability in several IBM Products.
CVE ID: CVE-2021-44228 (Critical)
It has been discovered that the vulnerabilities in Apache Log4j affects multiple Intel
Products.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Low)
A vulnerability has been discovered in Chain Sea AI chatbot system's file upload function
which has insufficient filtering for special characters in URLs. A remote attacker can
by-pass file type validation, upload malicious script and execute arbitrary code without
authentication, in order to take control of the system or terminate service.
CVE ID: CVE-2021-44164 (Critical)
A vulnerability has been discovered in 4MOSAn GCB Doctor's file upload function which has
improper user privilege control. A remote attacker can upload arbitrary files including
webshell files without authentication and execute arbitrary code in order to perform
arbitrary system operations or Denial of Service (Dos) attack. The affected products are
4MOSAn GCB Doctor version <= 20210811(2.0). The updates are available.
CVE ID: CVE-2021-44159 (Critical)
F5 Networks has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
An improper input validation vulnerability has been discovered in DataImportHandler of
Apache Solr. Successful exploitation may cause Server Message Block (SMB) attack. It is
recommended to upgrade to Solr 8.11.1.
CVE ID: CVE-2021-44548 (Medium)
Oracle has released security updates & patch to address multiple vulnerabilities in
Apache Log4j.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Low)
VMware has released security updates to address multiple vulnerabilities in several
products. A remote attacker can exploit some of these vulnerabilities to take control of an
affected system.
CVE ID: CVE-2021-22056 (Medium), CVE-2021-22057 (Medium)
It has been discovered that the vulnerabilities in Apache Log4j affects multiple Schneider
Electric Products. Schneider Electric has released workarounds & mitigations to address
the vulnerabilities.
CVE ID: CVE-2021-45046 (Low), CVE-2021-44228 (Critical)
It has been discovered that Apache Log4j Remote Code Execution (RCE) vulnerabilities affects
multiple Atlassian Products. Atlassian has released mitigation to resolve the
vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-4104(High)
Red Hat has released security updates for OpenShift Container Platform which resolve several
vulnerabilities and add enhancements.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Low), CVE-2021-4104 (High)
Drupal has released security update to resolve Cross-Site Scripting (XSS) vulnerability in
CKEditor library.
CVE ID: CVE-2021-41165 (Medium), CVE-2021-41164 (Medium)
It has been discovered that HTMLDOC, a HTML processor which generates indexed HTML, PS and
PDF improperly handled malformed URIs from an input html file. Successful exploitation can
cause a Denial of Service (DoS) attack. The affected products are Ubuntu 21.04 and Ubuntu
20.04LTS. The updates are available.
CVE ID: CVE-2021-23180
Ubuntu has released security update to resolve vulnerability in Mumble, a Low latency
encrypted VoIP client. If a user is tricked into visiting a malicious website from the
public server list, a remote attacker can possibly execute arbitrary code. The affected
products are Ubuntu 20.04LTS and Ubuntu 18.04LTS.
CVE ID: CVE-2021-27229 (High)
Multiple vulnerabilities have been discovered in the Apache Log4j Java logging library that
affects Cisco products. An attacker can exploit these vulnerabilities to take control of an
affected system. To help detect exploitation of these vulnerabilities, Cisco has released
Snort rules.
CVE ID: CVE-2021-44228 (Critical) , CVE-2021-45046 (Low)
VMware has released security update to resolve Server Side Request Forgery (SSRF)
vulnerability in VMware Workspace ONE UEM console. A malicious actor with network access to
UEM can send their requests without authentication and might exploit this issue to gain
access to sensitive information.
CVE ID: CVE-2021-22054 (Critical)
Multiple vulnerabilities have been discovered in Mitsubishi Electric's Equipments. An
attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2020-35683 (High), CVE-2020-35684 (High), CVE-2021-31401 (High),
CVE-2021-20606 (Medium), CVE-2021-20607 (Medium), CVE-2021-20608 (Medium), CVE-2020-5668
(High)
It has been discovered that the vulnerabilities in Apache Log4j affects multiple Huawei
Products. Huawei has released workaround & mitigation to address vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Low)
It has been discovered that the vulnerabilities in Apache Log4j affects multiple Juniper
Networks Products. For remediation, Juniper Networks has released workaround &
mitigation to address vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-4104 (High)
Microsoft has released security updates to address critical Remote Code Execution (RCE) in
multiple products. An attacker may exploit this vulnerability to take control of an affected
system.
CVE ID: CVE-2021-44228 (Critical)
A use of hard-coded credentials vulnerability has been discovered in Xylem AquaView.
Successful exploitation of this vulnerability can allow an authenticated local attacker to
create users, delete users, disable user groups, and update the system and its security
levels. It is recommended to implement new security settings.
CVE ID: CVE-2021-42833 (Critical)
An out-of-bounds read vulnerability has been discovered in Delta Electronics CNCSoft.
Successful exploitation of this vulnerability can allow information disclosure or an
application crash. It is recommended to upgrade to the latest available patch.
CVE ID: CVE-2021-44768 (Medium)
Multiple vulnerabilities have been discovered in Zimbra- a WebRTC stream aggregator. It is
recommended to use Patch 22 for the Zimbra 9.0.0 and Patch 29 for Zimbra 8.8.15.
An improper authentication vulnerability has been discovered in eLabFTW versions prior to
4.2.0 which allows an attacker to authenticate as an existing user, if user created using a
single sign-on authentication option such as LDAP or SAML.
CVE ID: CVE-2021-43834 (Critical)
CISA has released Apache Log4j vulnerability guidance for organisations running affected
products.
It is also recommended to review the official Apache release and upgrade to fixed version or apply
mitigations immediately.
Microsoft has released security updates to address multiple vulnerabilities in its products.
An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as arbitrary command execution and Server-Side Request Forgery
(SSRF) have been discovered in Zoom. An attacker can exploit these vulnerabilities to take
control of an affected system. The updates are available.
CVE ID: CVE-2021-34426 (Medium), CVE-2021-34425 (Medium)
Multiple vulnerabilities have been discovered in several Mitsubishi Electric products. An
attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Advantech's R-SeeNet. Successful
exploitation of these vulnerabilities could allow authenticated users to perform a local
privilege escalation and retrieve any information from the product’s database.
Microsoft has released the latest Microsoft Edge Stable Channel (Version 96.0.1054.57) which
incorporates the latest security updates of the Chromium project.
CVE ID: CVE-2021-4102 (High)
Improper Authentication vulnerability in RegistrationMagic WordPress plugin allows an
unauthenticated user to log in as any site user, including administrators with a valid
username on the site due to missing identity validation in the social login function
social_login_using_email() of the plugin. The affected versions are equal to and less than,
5.0.1.7.
CVE ID: CVE-2021-4073 (Critical)
Opencast before version 9.10 or 10.6 allows references to local file URLs in ingested media
packages, allowing attackers to include local files from Opencast's host machines and making
them available via the web interface. The issue has been fixed in Opencast 10.6 and 11.0.
CVE ID: CVE-2021-43821 (Critical)
It has been discovered that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 is
incomplete in certain non-default configurations. Successful exploitation of which can lead
to a denial of service (DOS) attack. The issue has been fixed in Log4j 2.16.0.
Some attack signatures are missing in BIG-IP with ASM version running 11.x or 12.x. It might
be if the software version has reached EoSD (End of Software Development).
It is recommended to update to a software version that has not reached EoSD and receives all
the latest attack signatures.
A command injection vulnerability has been identified in Moxa’s NPort W2150A/W2250A Series
Serial Device Servers. Affected firmware version is 1.11 or lower.
It is recommended to upgrade to firmware version 2.2 or higher.
Google Chrome stable channel has been updated to 96.0.4664.110 for Windows, Mac and Linux.
This version addresses vulnerabilities that an attacker can exploit to take control of an
affected system.
CVE ID: CVE-2021-4098 (Critical), CVE-2021-4099 (High), CVE-2021-4100 (High),
CVE-2021-4101 (High), CVE-2021-4102 (High)
Debian has released security update for privoxy that fixed an XSS and a DOS issue. Fixed
version is 3.0.26-3+deb9u3.
CVE ID: CVE-2021-44540, CVE-2021-44543
Vulnerability in Apache Log4j could allow remote unauthenticated attackers to execute code
on vulnerable systems. Siemens has released list of affected products.
It has been discovered that Apache Log4j <=2.14.1 JNDI features used in configuration,
log messages, and parameters do not protect against attacker controlled LDAP and other JNDI
related endpoints. An attacker who can control log messages or log message parameters can
execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Multiple vulnerabilities have been discovered in Node.js versions before v14.16.2 that
affect the Cordova platform packaged with Rational Developer for i Software.
CVE ID: CVE-2021-3712, CVE-2021-37713, CVE-2021-39134, CVE-2021-37712, CVE-2021-39135
IBM Spectrum Copy Data Management uses weaker than expected cryptographic algorithms,
authentication, and password rules. In addition, IBM Spectrum Copy Data Management is
vulnerable to execution of arbitrary commands on the system, obtaining sensitive
information, and clickjacking.
CVE ID: CVE-2021-38947, CVE-2021-39052, CVE-2021-39065, CVE-2021-39054,
CVE-2021-39053, CVE-2021-39058, CVE-2021-39064
Multiple vulnerabilities in XStream, such as execution of arbitrary code, server-side
request forgery, denial of service, bypassing security restrictions, and deletion of
arbitrary files affects IBM Spectrum Copy Data Management.
Multiple vulnerabilities have been discovered in Netty and Apache Kafka which are dependency
components shipped with the IBM Tivoli Netcool/OMNIbus Transport Module Common Integration
Library for Message Bus Integrations.
CVE ID: CVE-2021-37137, CVE-2021-37136, CVE-2021-38153
NPM command ci versions 7.x through 7.24.2 and 8.x through 8.1.3 are susceptible to a
vulnerability which could lead to disclosure of sensitive information, addition or
modification of data, or Denial of Service (DoS).
CVE ID: CVE-2021-43616 (Critical)
A critical vulnerability in Apache Log4j may allow remote code execution in VMware products.
VMware has released list of impacted products.
CVE ID: CVE-2021-44228 (Critical)
Multiple vulnerabilities have been discovered in Wireshark, a network protocol analyzer
which could result in denial of service or the execution of arbitrary code.
CVE ID: CVE-2021-22207, CVE-2021-22222, CVE-2021-22235, CVE-2021-39920,
CVE-2021-39921, CVE-2021-39922, CVE-2021-39923, CVE-2021-39924, CVE-2021-39925,
CVE-2021-39926, CVE-2021-39928, CVE-2021-39929
A stack buffer overflow vulnerability has been discovered in QNAP NAS running Surveillance
Station. Successful exploitation of this vulnerability allows attackers to execute arbitrary
code.
CVE ID: CVE-2021-38687 (High)
A reflected cross-site scripting (XSS) vulnerability has been discovered in QNAP NAS running
Kazoo Server. Successful exploitation of this vulnerability allow remote attackers to inject
malicious code.
CVE ID: CVE-2021-38680 (Medium)
An improper authentication vulnerability has been discovered in Android devices running
Qfile. Successful exploitation of this vulnerability allows attackers to compromise the app
and access private information.
It has been discovered that the ubiquitous java logging library, log4j, has an
unauthenticated RCE vulnerability if an user-controlled string is logged. This can allow an
attacker to take full control of the affected server.
CVE ID: CVE-2021-44228 (Critical)
Multiple vulnerabilities have been discovered in NetApp products. An attacker can exploit
these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-43616 (Critical), CVE-2021-0146 (Medium), CVE-2021-0197 (Medium),
CVE-2021-0198 (Medium), CVE-2021-0199 (Medium), CVE-2021-0200 (Medium), CVE-2021-33058
(High), CVE-2021-33059 (Medium), CVE-2021-33098, (Medium), CVE-2021-41771 (Medium),
CVE-2021-41772 (Medium), CVE-2021-43975 (High), CVE-2021-43976 (Medium)
Cross Site Scripting (XSS) vulnerability has been discovered in McAfee Network Security
Manager (NSM). Versions prior to 10.1 Minor 7 are affected by the issue. To remediate this
issue, it is recommended to update NSM to 10.1 M7.
CVE ID: CVE-2021-4038
Authentication Bypass Using an Alternate Path or Channel vulnerability has been discovered
in Hillrom's Equipment- Welch Allyn Cardio Products. Successful exploitation of this
vulnerability can allow an attacker to access privileged accounts.
CVE ID: CVE-2021-43935 (High)
Stack-based Buffer Overflow vulnerability has been discovered in WECON's Equipment-
LeviStudioU. Successful exploitation of this vulnerability can allow arbitrary code
execution.
CVE ID: CVE-2021-43983 (High)
Dell has released security updates to address multiple vulnerabilities in several products
which can be exploited by malicious users to compromise the affected system.
Multiple vulnerabilities have been discovered in the authentication mechanism of FortiWeb's
confd, including an instance of concurrent execution that uses shared resource with improper
synchronization and one of authentication bypass by capture-replay, can allow a remote
unauthenticated attacker to circumvent the authentication process and authenticate as a
legitimate cluster peer.
CVE ID: CVE-2021-41025 (Critical)
An Out-of-bounds read vulnerability has been discovered in Huawei Smartphone. Successful
exploitation of this vulnerability can cause out-of-bounds memory access.
CVE ID: CVE-2021-37051 (Critical)
A Heap-based buffer overflow vulnerability has been discovered in Huawei Smartphone.
Successful exploitation of this vulnerability can rewrite the memory of adjacent objects.
CVE ID: CVE-2021-37049 (Critical)
A parameter injection vulnerability has been discovered in Huawei Smartphone. Successful
exploitation of this vulnerability can cause privilege escalation of files after CIFS share
mounting.
CVE ID: CVE-2021-37040 (Critical)
An UAF vulnerability has been discovered in Huawei Smartphone. Successful exploitation of
this vulnerability can cause the device to restart unexpectedly and the kernel-mode code to
be executed.
CVE ID: CVE-2021-37045 (Critical)
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-38926 (Medium), CVE-2021-23358 (Critical), CVE-2021-39002 (Medium),
CVE-2021-38937 (Medium), CVE-2021-29678 (High), CVE-2021-38917 (High)
A code injection vulnerability has been discovered in the Ivanti EPM Cloud Services
Appliance (CSA) which allows an unauthenticated user to execute arbitrary code with limited
permissions.
CVE ID: CVE-2021-44529 (Critical)
An authentication bypass by capture-replay vulnerability has been discovered in FortiClient
EMS versions 7.0.1 and below and 6.4.4 and below may allow an unauthenticated attacker to
impersonate an existing user by intercepting and re-using valid SAML authentication
messages.
CVE ID: CVE-2021-41030
Android has released security bulletin to address multiple vulnerabilities affecting several
Android devices. Security patch levels of 2021-12-05 or later address all of these issues.
An integer overflow or wraparound vulnerability has been discovered in FortiOS SSLVPN memory
allocator which can allow an unauthenticated attacker to corrupt control data on the heap
via specifically crafted requests to SSLVPN, resulting in arbitrary code execution.
CVE ID: CVE-2021-26109 (Critical)
It has been discovered that BlueZ incorrectly handled memory when processing SDP attribute
requests. A remote attacker can use this vulnerability to cause BlueZ to crash, leading to a
Denial of Service, or possibly execute arbitrary code.
CVE ID: CVE-2019-8922
Multiple vulnerabilities such as Memory Leak, and Information Disclosure have been
discovered in several Huawei products. An attacker with the ability to access the log file
of device can cause the information leak or cause memory exhaust.
CVE ID: CVE-2021-40008 (Medium), CVE-2021-40007 (Medium)
The Fathom Analytics WordPress plugin is vulnerable to Stored Cross-Site Scripting (XSS)
which allows attackers with administrative user access to inject arbitrary web scripts, in
versions up to and including 3.0.4.
CVE ID: CVE-2021-41836 (Medium)
F5 Networks has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
CVE ID: CVE-2021-43082, CVE-2020-1927 (Medium), CVE-2021-23037 (High)
Google has released Chrome Beta channel update 97.0.4692.45 for Windows, Mac and Linux,
Beta channel 97.0.4692.44 (Platform version: 14324.33.0) for most Chrome OS devices, and
Chrome Beta 97 (97.0.4692.45) for Android.
It has been discovered that a missing bounds check in image blurring code prior to WhatsApp
for Android v2.21.22.7 and WhatsApp Business for Android v2.21.22.7 can allow an
out-of-bounds write if a user sends a malicious image.
CVE ID: CVE-2021-24041 (Critical)
It has been discovered that PrestaShop prior to 1.7.8.2 is vulnerable to blind SQL injection
using search filters with `orderBy` and `sortOrder` parameters. The problem has been
resolved in version 1.7.8.2.
CVE ID: CVE-2021-43789 (Critical)
An exposed dangerous function vulnerability has been discovered in Ivanti Avalanche before
6.3.3 that uses inforail Service, which allows Privilege Escalation via Enterprise Server
Service.
CVE ID: CVE-2021-42128 (Critical)
A deserialization of untrusted data vulnerability has been discovered in Ivanti Avalanche
before 6.3.3 that uses Inforail Service. Successful exploitation allows arbitrary code
execution via Data Repository Service.
CVE ID: CVE-2021-42127 (Critical)
It has been discovered that Git-it allows OS command injection at the Branches Aren't Just
For Birds challenge step. During the verification process, it attempts to run the reflog
command followed by the current branch name (which is not sanitized for execution).
CVE ID: CVE-2021-44685 (Critical)
A Denial of Service vulnerability in Database Security (DBS) prior to 4.8.4 allows a remote
authenticated administrator to trigger a denial-of-service attack against the DBS server. It
is recommended to install or update to Database Security 4.8.4.
CVE ID: CVE-2021-31850 (Medium)
Multiple vulnerabilities such as integer coercion error, and out-of-bounds write have been
discovered in FANUC's Equipment- R-30iA and R-30iB series controllers. Successful
exploitation of these vulnerabilities can crash the device being accessed and a buffer
overflow condition can allow Remote Code Execution (RCE).
CVE ID: CVE-2021-32996 (High), CVE-2021-32998 (High)
Multiple vulnerabilities have been discovered in SonicWall SMA 100 Series. An attacker can
exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-20038 (Critical), CVE-2021-20039 (High), CVE-2021-20040 (Medium),
CVE-2021-20041 (High), CVE-2021-20042 (Medium), CVE-2021-20043 (High), CVE-2021-20044
(High), CVE-2021-20045 (Critical)
A SQL injection vulnerability has been discovered in feature services provided by Esri
ArcGIS Server 10.9 and below which allows a remote, unauthenticated attacker to impact the
confidentiality, integrity and availability of targeted services via specifically crafted
queries.
CVE ID: CVE-2021-29114 (Critical)
It was discovered that b2evolution CMS v7.2.3 contains a SQL injection vulnerability via the
parameter cfqueryparam in the User login section. This vulnerability allows attackers to
execute arbitrary code via a crafted input.
CVE ID: CVE-2021-31632 (Critical)
A Server-Side Request Forgery (SSRF) vulnerability has been discovered in SquaredUp for SCOM
5.2.1.6654. An attacker can exploit this vulnerability to take control of an affected
system.
CVE ID: CVE-2021-40091 (Critical)
It has been discovered that Laravel v5.1 contains a deserialization vulnerability via the
component \Mockery\Generator\DefinedTargetClass. An attacker can exploit this vulnerability
to take control of an affected system.
CVE ID: CVE-2021-37298 (Critical)
It has been discovered that ThinkPHP v6.0.8 contains a deserialization vulnerability via the
component League\Flysystem\Cached\Storage\AbstractCache. An attacker can exploit this
vulnerability to take control of an affected system.
CVE ID: CVE-2021-36567 (Critical), CVE-2021-36564 (Critical)
It has been discovered that it is possible to bypass 2FA for LDAP users and access some
specific pages with Basic Authentication in GitLab 14.1.1 and above.
CVE ID: CVE-2021-39890 (Critical)
It has been discovered that the Registrations for the Events Calendar WordPress plugin
before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX
action before using it in a SQL statement that leads to an unauthenticated SQL injection.
CVE ID: CVE-2021-24943 (Critical)
It has been discovered that the Secure Copy Content Protection and Content Locking WordPress
plugin before 2.8.2 does not escape the sccp_id parameter of the
ays_sccp_results_export_file AJAX action before using it in a SQL statement that leads to an
SQL injection.
CVE ID: CVE-2021-24931 (Critical)
It has been discovered that the WP Data Access WordPress plugin before 5.0.0 does not
properly sanitise and escape the backup_date parameter before it is used in a SQL statement,
leading to a SQL injection vulnerability and arbitrary table deletion.
CVE ID: CVE-2021-24866 (Critical)
Ubuntu has released security updates to address several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
A missing cryptographic steps vulnerability has been discovered in the function that
encrypts users' LDAP and RADIUS credentials in FortiSandbox, FortiWeb, FortiADC, and
FortiMail. Successful exploitation may allow an attacker in possession of the password
store to compromise the confidentiality of the encrypted secrets.
CVE ID: CVE-2021-32591
An incorrect permission assignment for a critical resource vulnerability has been
discovered in FortiNAC which may allow an authenticated attacker to access sensitive system
data and, as a consequence, raise the authenticated user's privilege to admin.
CVE ID: CVE-2021-43065
Multiple vulnerabilities have been discovered in Hitachi Energy Products XMC20 and
FOX61x. Successful exploitation of these vulnerabilities can allow an attacker to gain
unauthorized access to the Data Communication Network (DCN) routing configuration and cause
a disruption to the Network Management (NMS) and Network Element (NE) communication.
CVE ID: CVE-2021-40333 (High), CVE-2021-40334 (High)
Multiple vulnerabilities have been discovered in Hitachi Energy Products RTU500
Series. Successful exploitation of these vulnerabilities can cause a Denial of Service
(DoS) condition in the affected version of the RTU500 series product.
CVE ID: CVE-2020-36229 (High), CVE-2020-36230 (High)
F5 Networks has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
CVE ID: CVE-2021-23037 (High), CVE-2021-23043 (Medium), CVE-2020-29573 (High),
CVE-2021-20305 (High)
RedHat has released security updates to resolve several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
It has been discovered that bitcoin miner is targeting all QNAP NAS. Successful infected CPU
usage becomes unusually high where a process named "[oom_reaper]" can occupy around 50% of
the total CPU usage. The updates are available.
HarmonyOS has released security bulletin to address multiple vulnerabilities affecting
several HarmonyOS devices. Security patch levels of 2021-12-01 address all of these issues.
Google has released update to resolve multiple vulnerabilities for Stable channel version
96.0.4664.93 for Windows, Mac & Linux and Chrome 96 (96.0.4664.92) for Android.
Debian has released security updates to address several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
It has been discovered that multiple NetApp products, incorporate Samba versions prior to
4.15.2 are susceptible to vulnerabilities which can cause disclosure of sensitive
information & addition or modification of data, or Denial of Service (DoS).
CVE ID: CVE-2016-2124 (Low), CVE-2020-25717 (High), CVE-2020-25718 (High),
CVE-2020-25719 (High), CVE-2020-25721 (High), CVE-2020-25722 (high), CVE-2021-23192
(Medium), CVE-2021-3738 (High)
Multiple vulnerabilities have been discovered in the Link Layer Discovery Protocol (LLDP)
implementation for Cisco Small Business 220 Series Smart Switches. Successful exploitation
can cause code execution , unexpectedly reload and can cause LLDP database corrupt on the
affected device. The update is available.
CVE ID: CVE-2021-34779 (High), CVE-2021-34780 (High), CVE-2021-34775 (Medium),
CVE-2021-34776 (Medium), CVE-2021-34777 (Medium), CVE-2021-34778 (Medium)
Ubuntu has released security updates to address several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Multiple vulnerabilities have been resolved in GitLab updated versions 14.5.2, 14.4.4, and
14.3.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Multiple vulnerabilities have been discovered in Kaseya Unitrends Backup Appliance before
10.5.5. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-43035 (Critical), CVE-2021-43033 (Critical), CVE-2021-43036 (High),
CVE-2021-43038 (High), CVE-2021-43037 (High), CVE-2021-43040 (High), CVE-2021-43034 (High),
CVE-2021-43039 (Medium), CVE-2021-43042 (High), CVE-2021-43041 (Medium), CVE-2021-43043
(High), CVE-2021-43044 (Medium)
RedHat has released security updates to resolve several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
An Uncontrolled Recursion vulnerability has been discovered in NGINX ModSecurity WAF. An
attacker using specifically formatted JSON messages can cause high resource utilization and
potentially Denial-of-Service (DoS).
CVE ID: CVE-2021-42717 (Medium)
An authentication bypass vulnerability has been discovered in ManageEngine Desktop Central
and Desktop Central MSP. This vulnerability can allow an adversary to bypass authentication
and execute arbitrary code.
CVE ID: CVE-2021-44515 (Critical)
Multiple vulnerabilities have been discovered in NetApp products. An attacker can exploit
these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-23718 (High), CVE-2021-25742 (High), CVE-2021-3715
(High), CVE-2021-41229 (Medium), CVE-2019-8921 (Medium), CVE-2019-8922 (High)
Multiple vulnerabilities have been discovered in LibreCAD, an application for computer aided
design (CAD) in two dimensions. An attacker can trigger code execution through malicious
.dwg and .dxf files. It is recommended to upgrade the librecad packages.
CVE ID: CVE-2021-21898, CVE-2021-21899, CVE-2021-21900
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-38297 (Critical), CVE-2021-23449 (Critical), CVE-2021-23807 (High),
CVE-2021-23214 (High), CVE-2021-2161 (Medium), CVE-2021-20400 (Medium)
RedHat has released security updates to resolve several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
An exposure of sensitive information to an unauthorized actor vulnerability has been
discovered in Johnson Controls' Equipment- Entrapass. Successful exploitation of this
vulnerability can allow an unauthorized user to access sensitive data.
Google has released Chrome Beta channel update to 97.0.4692.36 (Platform version:
14324.27.0) for most Chrome OS devices and Chrome Beta 97 (97.0.4692.39) for iOS.
It has been discovered that Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk
Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated
Remote Code Execution (RCE).
CVE ID: CVE-2021-44077 (Critical)
Multiple vulnerabilities such as authentication bypass by primary weakness and unrestricted
upload of file with dangerous type have been discovered in Distributed Data Systems'
Equipment- WebHMI. Successful exploitation of these vulnerabilities can allow an
administrator account login without password authentication and Remote Code Execution (RCE)
with root privileges.
CVE ID: CVE-2021-43931 (Critical), CVE-2021-43936 (Critical)
It has been discovered that D-Link DIR-809 devices with firmware through
DIR-809Ax_FW1.12WWB03_20190410 contain a stack buffer overflow vulnerability in the function
FUN_80046eb4 in /formSetPortTr. This vulnerability can be triggered via a crafted POST
request.
CVE ID: CVE-2021-33265 (Critical)
It has been discovered that libretime hv3.0.0-alpha.10 is affected by a path manipulation
vulnerability in
/blob/master/legacy/application/modules/rest/controllers/ShowImageController.php through the
rename function.
CVE ID: CVE-2021-43685 (Critical)
It has been discovered that the Attendance Management System 1.0 is affected by a SQL
injection vulnerability in admin/incFunctions.php through the makeSafe function.
CVE ID: CVE-2021-44280 (Critical)
It has been discovered that django-helpdesk is vulnerable to improper neutralization of
input during Web Page Generation.
CVE ID: CVE-2021-3994 (Critical)
Multiple vulnerabilities have been discovered in Moxa Realtek AP- Router SDK which can allow
remote unauthenticated attacker to compromise the target device and execute arbitrary code
with the highest level of privilege.
CVE ID: CVE-2021-35392, CVE-2021-35393, CVE-2021-35394, CVE-2021-35395
Multiple vulnerabilities have been discovered in Moxa HCC Embedded’s InterNiche stack and
NicheLite. An unauthenticated attacker may use specially crafted network packets to cause a
Denial-of-Service (DoS) attack, disclose information, or execute arbitrary code on the
target device remotely.
CVE ID: CVE-2020-25767, CVE-2020-25926, CVE-2020-25927, CVE-2020-25928,
CVE-2020-35683, CVE-2020-35684, CVE-2020-35685, CVE-2021-27565, CVE-2021-31226,
CVE-2021-31227, CVE-2021-31228, CVE-2021-31400, CVE-2021-31401, CVE-2021-36762
RedHat has released security updates to resolve several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
A stored Cross-Site Scripting (XSS) vulnerability has been resolved in Variation Swatches
for WooCommerce, a WordPress plugin which allows an attacker with low-level permissions to
inject malicious JavaScript.
CVE ID: CVE-2021-42367 (Medium)
Ubuntu has released security update to address vulnerability in Thunderbird & Network
Security Service library. Successful exploitation can cause Denial of Service (DoS) or
possibly execute arbitrary code. The affected products are Ubuntu 21.10, Ubuntu 21.04,
Ubuntu 20.04 , Ubuntu 18.04, Ubuntu 16.04ESM and Ubuntu 14.04ESM.
CVE ID: CVE-2021-43527
A buffer overflow vulnerability has been discovered in DOPRA SSP products. An attacker by
sending a specific message to the target device can cause a Denial of Service (DoS)
condition.
CVE ID: CVE-2021-39999 (Medium)
Dell has released security updates to address multiple vulnerabilities in several products
which can be exploited by malicious users to compromise the affected system.
CVE ID: CVE-2021-36320 (High), CVE-2021-36321 (High), CVE-2021-36322 (Medium),
CVE-2020-3382, CVE-2020-15379
An improper input validation vulnerability that leads to arbitrary file creation has been
discovered in copy method of Nexacro platform. Remote attackers can use copy method to
execute arbitrary command after the file creation included malicious code.
CVE ID: CVE-2021-26612 (Critical)
A vulnerability was discovered when the ipTIME C200 IP Camera was synchronized with the
ipTIME NAS. It is necessary to extract value for ipTIME IP camera because the ipTIME NAS
send ans setCookie('[COOKIE]'). The value is transferred to the --header option in wget
binary, and there is no validation check. This vulnerability allows remote attackers to
execute remote command.
CVE ID: CVE-2020-7879 (Critical)
It has been discovered that NSS (Network Security Services) with Thunderbird are vulnerable
to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures.
CVE ID: CVE-2021-43527 (Critical)
It has been discovered that the `pygmalion`, `pygmalion-virtualenv` and `refined` themes use
`print -P` on user-supplied strings to print them to the terminal. All of them do that on
git information, particularly the branch name, so if the branch has a specially-crafted name
the vulnerability can be exploited.
CVE ID: CVE-2021-3769 (Critical)
It has been discovered that the `rand-quote` and `hitokoto` plugins fetch quotes from
quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print
-P` to print them. If these quotes contained the proper symbols, they can trigger command
injection.
CVE ID: CVE-2021-3727 (Critical)
It has been discovered that in JetBrains TeamCity before 2021.1.3, the X-Frame-Options
header is missing in some cases.
CVE ID: CVE-2021-43202 (Critical)
Multiple vulnerabilities have been discovered in BIG-IP products. An attacker can exploit
some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-23039 (Medium), CVE-2021-23025 (High)
RedHat has released security updates to resolve several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Trend Micro has released a new version of Trend Micro Security. This update resolves the
Folder Shield protected folder bypass affecting the Trend Micro Security 2021 family of
consumer products.
CVE ID: CVE-2021-43772 (Medium)
An integer overflow or wraparound vulnerability has been discovered in in multiple Real-Time
Operating Systems (RTOS) and supporting libraries. Successful exploitation of these
vulnerabilities can result in unexpected behavior such as a crash or a Remote Code Execution
(RCE) / injection.
A stack-based buffer overflow vulnerability has been discovered in Delta Electronics'
Equipment- CNCSoft. Successful exploitation of this vulnerability can allow for arbitrary
code execution.
CVE ID: CVE-2021-43982 (High)
An off-by-one error vulnerability has been discovered in Johnson Controls' Equipment- CEM
Systems AC2000. Successful exploitation of this vulnerability can allow a local attacker to
obtain “super user” access on the underlying Linux operating system.
CVE ID: CVE-2021-3156 (High)
A SQL injection vulnerability has been discovered in Xylem's Equipment- Aanderaa GeoView.
Successful exploitation of this vulnerability can allow an attacker to manipulate the
database server.
CVE ID: CVE-2021-41063 (High)
Ubuntu has released security updates to address several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Debian has released security updates to address several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
It has been discovered that NetworkPkg/IScsiDxe has remotely exploitable buffer overflows
vulnerability. The update is available.
CVE ID: CVE-2021-38575 (Critical)
Multiple SQL injection vulnerabilities have been discovered in openSIS when MySQL or MariaDB
is used as the application database.
CVE ID: CVE-2021-41677 (Critical), CVE-2021-41678 (Critical), CVE-2021-41679
(Critical)
Multiple vulnerabilities have been discovered in Web Applications operating on Business-DNA
Solutions. The affected versions are Business-DNA Solutions GmbHâ€s TopEase Platform
Version 7.1.27 & prior.
CVE ID: CVE-2021-42115 (Critical), CVE-2021-42544 (Critical)
It has been discovered that the `title` function defined in `lib/termsupport.zsh` uses
`print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is
always used securely, but custom user code can use the `title` function in a way which can
be unsafe.
CVE ID: CVE-2021-3726 (Critical)
An unauthenticated SQL Injection vulnerability has been discovered in Rosario Student
Information System that allows remote attackers to execute PostgreSQL statements through
/Side.php via the syear parameter. The affected products are Rosario Student Information
System before 8.1.1.
CVE ID: CVE-2021-44427 (Critical)
It has been discovered that Vesta 0.9.8-24 is affected by a file inclusion vulnerability in
file web/add/user/index.php.
CVE ID: CVE-2021-43693 (Critical)
It has been discovered that the Contest Gallery WordPress plugin before 13.1.0.6 does not
have capability checks and does not sanitise or escape the cg-search-user-name-original
parameter before using it in a SQL statement when exporting users from a gallery.This can
allow unauthenticated to perform SQL injections attacks, as well as get the list of all
users registered on the blog, including their username and email address.
CVE ID: CVE-2021-24915 (Critical)
Multiple Denial of Service (DoS) vulnerabilities have been discovered in Mitsubishi
Electric's Equipment- MELSEC series and MELIPC series. A remote attacker can stop the
program execution or Ethernet communication of the products by sending specially crafted
packets.
CVE ID: CVE-2021-20609 (High), CVE-2021-20610 (High), CVE-2021-20611 (High)
Multiple vulnerabilities have been discovered in WordPress. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-42364 (High), CVE-2021-42358 (High), CVE-2021-42365 (Medium)
An unsafe search path vulnerability has been discovered in FortiClient and FortiClient EMS
that allows an attacker to perform a DLL Hijack attack on affected devices via a malicious
OpenSSL engine library in the search path.
CVE ID: CVE-2021-32592 (High)
SUSE has released security updates to resolve several vulnerabilities in multiple products.
CVE ID: CVE-2021-27291, CVE-2021-28704, CVE-2021-28707, CVE-2021-28708,
CVE-2021-28705, CVE-2021-28709, CVE-2021-28706
Multiple vulnerabilities have been discovered in ImageMagick. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-20244, CVE-2021-20246, CVE-2021-20309, CVE-2021-20312,
CVE-2021-20313
Multiple vulnerabilities have been discovered in OpenSC. It is recommended to upgrade the
opensc packages.
CVE ID: CVE-2019-15945, CVE-2019-15946, CVE-2019-19479, CVE-2020-26570,
CVE-2020-26571, CVE-2020-26572
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-40438 (Critical), CVE-2019-17571 (Critical), CVE-2021-39000
(Medium), CVE-2021-2369 (Medium), CVE-2021-38967 (High), CVE-2021-3549 (Medium),
CVE-2021-38958 (Medium), CVE-2021-34798 (Medium), CVE-2021-39275 (Low), CVE-2021-35517
(Medium), CVE-2021-36090 (High), CVE-2021-38999 (Medium), CVE-2021-36090 (High)
A Remote Command Execution (RCE) vulnerability has been discovered on the background in
zrlog 2.2.2, at the upload avatar function, which can bypass the original limit, upload the
JSP file to get a WebShell.
CVE ID: CVE-2021-44093 (Critical)
It has been discovered that HejHome GKW-IC052 IP Camera contained a hard-coded credentials
vulnerability. This vulnerability allows remote attackers to operate the IP Camera.
CVE ID: CVE-2021-26611 (Critical)
An use-after-free vulnerability has been discovered in the International Components for
Unicode (ICU) library which can result in Denial of Service (DoS) or potentially the
execution of arbitrary code. It is recommended to upgrade the icu packages.
CVE ID: CVE-2020-21913
Debian has released security update to address a stack-based buffer over-reads vulnerability
for crafted NTLM requests in libntlm, a library that implements Microsoft's NTLM
authentication.
CVE ID: CVE-2019-17455
Debian has released security update to resolve multiple vulnerabilities in Bluez. Successful
exploitation of vulnerabilities can cause a Denial of Service (DoS) or leak information.
CVE ID: CVE-2019-8921, CVE-2019-8922, CVE-2021-41229
It has been discovered that roundcube does not properly sanitize requests and mail messages.
This allows an attacker to perform Cross-Side Scripting (XSS) or SQL injection attacks. It
is recommended to upgrade the roundcube packages.
CVE ID: CVE-2021-44025, CVE-2021-44026
Debian has released security update to address several vulnerabilities in libvorbis-a
popular library for the Vorbis audio codec.
CVE ID: CVE-2017-14160, CVE-2018-10392, CVE-2018-10393
An out-of-bounds buffer read on truncated key frames in vp8_decode_frame has been resolved
in libvpx, a popular library for the VP8 and VP9 video codecs. It is recommended to upgrade
the libvpx packages.
CVE ID: CVE-2020-0034
It has been discovered that Eclipse OpenJ9 is vulnerable to a stack-based buffer overflow
when the virtual machine or JNI natives converts from UTF-8 characters to platform encoding.
A remote attacker by sending an overly long string can overflow a buffer and execute
arbitrary code on the system or cause the application to crash.
CVE ID: CVE-2020-27221 (Critical)
Multiple vulnerabilities such as command injection and improper authentication have been
discovered in QVR that affects QNAP VS Series NVR running QVR. Successful exploitation of
vulnerabilities can allow remote attackers to run arbitrary commands or compromise the
security of the system. The security updates are available.
CVE ID: CVE-2021-38685 (Critical), CVE-2021-38686 (High)
Multiple vulnerabilities such as OS command injection and arbitrary code upload in database
restore have been discovered in baserCMS. An attacker can exploit these vulnerabilities to
take control of an affected system.
CVE ID: CVE-2021-41243 (High), CVE-2021-41279 (Medium)
A vulnerability has been discovered in python urllib3 which can cause a Denial of Service
(DoS) if a URL is passed as a parameter or redirected to via an HTTP redirect.
CVE ID: CVE-2021-33503 (High)
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-37714 (High), CVE-2020-9488 (Low), CVE-2018-15494 (Medium),
CVE-2021-40690 (Medium)
Multiple vulnerabilities have been discovered in NetApp products. An attacker can exploit
these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-43267 (Critical), CVE-2011-1075 (Low), CVE-2021-22096 (Medium),
CVE-2021-43057 (High), CVE-2021-41174 (Medium)
Multiple vulnerabilities such as arbitrary code execution and information disclosure have
been discovered in Mitsubishi Electric's Equipment- GENESIS64, MELSOFT MC Works64.
CVE ID: CVE-2021-27040 (Low), CVE-2021-27041 (High)
It has been discovered that International Components for Unicode (ICU) library contains a
double free vulnerability. An attacker can use this vulnerability to cause a Denial of
Service (DoS) or possibly execute arbitrary code. The affected products are Ubuntu 21.04
and Ubuntu 20.04.
CVE ID: CVE-2021-30535 (High)
A cookie prefix spoofing vulnerability has discovered in CGI::Cookie.parse of Ruby. An
attacker can exploit this vulnerability to spoof security prefixes in cookie names, which
may be able to trick a vulnerable application.
CVE ID: CVE-2021-41819
Multiple vulnerabilities such as buffer overflow and process memory exposure have been
discovered in Zoom. An attacker can exploit these vulnerabilities to take control of an
affected system.
CVE ID: CVE-2021-34424 (Medium), CVE-2021-34423 (High)
An out-of-bounds read vulnerability has been discovered in Huawei Products. Successful
exploitation of this vulnerability can lead to Denial of Service (DoS).
CVE ID: CVE-2021-39995 (Medium), CVE-2021-22366 (Medium)
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-36374 (Medium), CVE-2021-36373 (Medium), CVE-2021-29736 (Medium),
CVE-2021-21290 (Low), CVE-2021-21409 (High), CVE-2020-2773 (Low), CVE-2021-21295 (Medium),
CVE-2021-32803 (High), CVE-2021-2341 (Low)
Multiple vulnerabilities have been discovered in Apache HTTP Server that affects Cisco
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275,
CVE-2021-40438
It has been discovered that WordPress Plugin "Browser and Operating System Finder" contains
a Cross-Site Request Forgery (CSRF) vulnerability. If a user with an administrative
privilege views a malicious page while logged in, unintended operations can be performed.
CVE ID: CVE-2021-20851 (Medium)
It has been discovered that PowerCMS XMLRPC API allows a remote attacker to execute an
arbitrary OS command via unspecified vectors. The affected products are PowerCMS 5.19 and
earlier, PowerCMS 4.49 and earlier, PowerCMS 3.295 and earlier, and PowerCMS 2 Series.
CVE ID: CVE-2021-20850
An use after free vulnerability has been discovered in Web Transport of Google Chrome prior
to 95.0.4638.69. This vulnerability allows a remote attacker to potentially perform a
sandbox escape via a crafted HTML page.
CVE ID: CVE-2021-38002 (Critical)
It has been discovered that Dell EMC CloudLink contains a hard-coded password vulnerability.
A remote high privileged attacker, with the knowledge of the hard-coded credentials, can
exploit this vulnerability to gain unauthorized access to the system.
CVE ID: CVE-2021-36312 (Critical)
Dell has released security updates to address multiple vulnerabilities in several Dell
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2019-3723 (Critical), CVE-2021-21510 (Medium), CVE-2021-21513 (High),
CVE-2021-21514 (Medium), CVE-2020-26198 (Medium), CVE-2019-3764, CVE-2019-3722 (High),
CVE-2019-3720 (Medium), CVE-2019-3721 (Medium)
Multiple Vulnerabilities have been discovered in Hitachi Energy's Equipment- FOX61x, XMC20,
RTU500 Series. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2021-40333 (Critical), CVE-2020-35198 (Critical), CVE-2021-40334 (High),
CVE-2021-35533 (High), CVE-2020-1968 (Low), CVE-2020-24977 (Medium), CVE-2021-3517 (High),
CVE-2020-28895 (High), CVE-2020-36229 (High), CVE-2020-36230 (High)
Multiple vulnerabilities such as unauthorized arbitrary file read and Server-Side Request
Forgery (SSRF) have been discovered in VMware vCenter Server. An attacker can exploit these
vulnerabilities to take control of an affected system. The affected products are VMware
vCenter Server and VMware Cloud Foundation.
CVE ID: CVE-2021-21980 (High), CVE-2021-22049 (High)
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-38891 (Medium), CVE-2021-38890 (Medium), CVE-2021-32029 (Medium),
CVE-2021-3647 (High), CVE-2021-29425 (High), CVE-2021-22960 (Medium), CVE-2021-38873
(Medium), CVE-2021-22959 (Medium), CVE-2021-29060 (High), CVE-2021-23445 (High),
CVE-2021-37701 (High), CVE-2021-37712 (High), CVE-2021-37713 (High)
A vulnerability in net/tipc/crypto.c in the Linux kernel before 5.14.16 is affecting F5
product- Traffix SDC. An attacker can exploit this vulnerability to access restricted
information, modify files, or cause a Denial of Service (DoS) attack.
CVE ID: CVE-2021-43267
Multiple vulnerabilities have been discovered in NetApp products. An attacker can exploit
these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-25219 (Medium), CVE-2021-42327 (High), CVE-2021-42739 (High),
CVE-2021-41182 (Medium), CVE-2021-41183 (Medium), CVE-2021-41184 (Medium), CVE-2021-42252
(High)
A Cross-Site Scripting (XSS) vulnerability has been discovered in Apache JSPWiki that can
allow an attacker to execute JavaScript in the victim's browser and get some sensitive
information about the victim. The affected products are Apache JSPWiki up to 2.11.0.M8.
CVE ID: CVE-2021-40369
It has been discovered that remote attackers can delete arbitrary files in a system hosting
a JSPWiki instance by using a carefully crafted http request on logout, given that those
files are reachable to the user running the JSPWiki instance. The affected products are
Apache JSPWiki up to 2.11.0.M8.
CVE ID: CVE-2021-44140
Multiple vulnerabilities have been discovered in mbed TLS, a lightweight crypto and SSL/TLS
library which can result in Denial of Service (DoS), information disclosure or side-channel
attacks. It is recommended to upgrade the mbed TLS packages.
CVE ID: CVE-2018-9988, CVE-2018-9989, CVE-2020-36475, CVE-2020-36476, CVE-2020-36478,
CVE-2021-24119
Ubuntu has released security updates to resolve several vulnerabilities in BlueZ and
FreeRDP. The affected products are Ubuntu 21.10, Ubuntu 21.04, Ubuntu 20.04 LTS and Ubuntu
18.04 LTS.
CVE ID: CVE-2021-3658, CVE-2021-41229, CVE-2021-43400, CVE-2021-41159, CVE-2021-41160
It has been discovered that in x86 HVM and PVH, malicious or buggy guest kernels can mount a
Denial of Service (DoS) attack affecting the entire system. This vulnerability affects
versions Xen 3.4 and above.
CVE ID: CVE-2021-28705, CVE-2021-28709
A heap-based buffer over-read vulnerability has been discovered in Croatia Control Asterix.
An attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-44144 (Critical)
Multiple vulnerabilities have been discovered in Moxa's Equipment- NPort Series, ioLogik
Series. An attacker can exploit these vulnerabilities to take control of an affected system.
McAfee has released security update to resolve multiple vulnerabilities in Policy Auditor.
It is recommended to Install or update to Policy Auditor 6.5.2.
CVE ID: CVE-2021-31851 (Medium), CVE-2021-31852 (Medium)
It has been discovered that LibreOffice incorrectly handled digital signatures. An attacker
can possibly use this vulnerability to create a specially crafted document that can display
a validly signed indicator, contrary to expectations.
CVE ID: CVE-2021-25634 (High), CVE-2021-25633 (High)
Multiple vulnerabilities have been discovered in Zimbra- a WebRTC stream aggregator. It is
recommended to use Patch 21 for the Zimbra 9.0.0 and Patch 28 for Zimbra 8.8.15.
A vulnerability in Linux Kernel is affecting multiple F5 products that can allow
unauthorized disclosure of information and disruption of service.
CVE ID: CVE-2017-1000365 (High)
Multiple vulnerabilities have been discovered in NetApp products. An attacker can exploit
these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-38297 (Critical), CVE-2021-21703 (High), CVE-2021-25219 (Medium),
CVE-2021-42327 (High), CVE-2021-41182 (Medium), CVE-2021-41183 (Medium), CVE-2021-41184
(Medium)
F5 Networks has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
A Remote Code Execution (RCE) vulnerability has been discovered in Microsoft Edge
(Chromium-based). An attacker can exploit this vulnerability to take control of an affected
system.
CVE ID: CVE-2021-43221
Multiple vulnerabilities have been discovered in Salt, a powerful remote execution manager.
It is recommended to upgrade the salt packages.
CVE ID: CVE-2021-21996, CVE-2021-31607, CVE-2021-25284, CVE-2021-25283,
CVE-2021-25282, CVE-2021-25281, CVE-2021-3197, CVE-2021-3148, CVE-2021-3144, CVE-2020-35662,
CVE-2020-28972, CVE-2020-28243
An information disclosure vulnerability evident when a user or an application uploads
unprotected private key data as part of an authentication certificate KeyCredential on an
Azure AD Application or Service Principal.
CVE ID: CVE-2021-42306 (High)
It has been discovered that HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and
1.8.4 templated ACL policies always match the first-created entity alias if multiple entity
aliases exist for a specified entity and mount combination, potentially resulting in
incorrect policy enforcement.
CVE ID: CVE-2021-43998 (Critical)
It has been discovered that the Easy Registration Forms WordPress plugin is vulnerable to
Cross-Site Request Forgery (CSRF) which allows attackers to inject arbitrary web scripts.
CVE ID: CVE-2021-39353 (High)
Multiple vulnerabilities have been resolved in several QNAP products. An attacker can
exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-34358 (Medium), CVE-2021-38681 (Medium)
Multiple vulnerabilities have been discovered in VISAM's Equipment- VBASE. Successful
exploitation of these vulnerabilities can allow an attacker to read the contents of
unexpected files, escalate privileges to system level, execute arbitrary code on the
targeted system, bypass security mechanisms, and discover the cryptographic key for the web
login. The affected products are VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module.
CVE ID: CVE-2020-10599 (Critical), CVE-2020-7008 (High), CVE-2020-7004 (High),
CVE-2020-10601 (High), CVE-2020-7000 (High)
A vulnerability has been discovered in IBM MQ that can be used by an attacker to create a
Denial of Service (DoS) attack. An attacker can exploit this vulnerability to take control
of an affected system.
CVE ID: CVE-2021-29843 (Medium)
Cisco has released security updates to address several vulnerabilities in multiple Cisco
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2021-40130 (Medium), CVE-2021-40129 (Medium), CVE-2021-40131 (Medium)
Multiple vulnerabilities have been discovered in Philips' Equipments- Patient Information
Center iX (PICiX); PerformanceBridge Focal Point; IntelliVue Patient Monitors MX100,
MX400-MX850, and MP2-MP90; and IntelliVue X2, and X3. Successful exploitation of these
vulnerabilities can result in unauthorized access, interrupted monitoring, and collection of
access information and/or patient data.
CVE ID: CVE-2020-16214 (Medium), CVE-2020-16218 (Low), CVE-2020-16222 (Medium),
CVE-2020-16228 (Medium), CVE-2020-16224 (Medium), CVE-2020-16220 (Low), CVE-2020-16216
(Medium), CVE-2020-16212 (Medium)
Multiple vulnerabilities have been discovered in Philips' Equipments- Patient Information
Center iX (PIC iX) and Efficia CM Series. Successful exploitation of these vulnerabilities
can allow an attacker unauthorized access to data and create a Denial of Service (DoS)
resulting in temporary interruption of viewing physiological data at the central station.
CVE ID: CVE-2021-43548 (Medium), CVE-2021-43552 (Medium), CVE-2021-43550 (Medium)
Multiple vulnerabilities have been discovered in Philips' Equipments- IntelliBridge EC 40
and EC 80 Hub. Successful exploitation of these vulnerabilities can allow an attacker
unauthorized access to the IntelliBridge EC40 and80 Hub.
CVE ID: CVE-2021-32993 (High), CVE-2021-33017 (High)
A code injection vulnerability has been discovered in Trane's Equipment- Symbio 700 and
Symbio 800 controllers. Successful exploitation of this vulnerability can allow an
authenticated user to execute arbitrary code on the controller.
CVE ID: CVE-2021-38448 (High)
Red Hat has released security updates to address multiple vulnerabilities in several
products.
CVE ID: CVE-2021-42574 (High), CVE-2021-29923 (High), CVE-2021-34558 (Medium)
It has been discovered in netkit-rsh that due to insufficient input validation in path names
send by server, a malicious server can do arbitrary file overwrites in the target directory
or modify permissions of the target directory. It is recommended to upgrade the netkit-rsh
packages.
CVE ID: CVE-2019-7282 (Medium), CVE-2019-7283 (Medium)
Multiple vulnerabilities have been discovered in Apache Ozone. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-36372 (Critical), CVE-2021-39231 (Critical), CVE-2021-39232 (High),
CVE-2021-39233 (Critical), CVE-2021-39234 (Medium), CVE-2021-39235 (Medium), CVE-2021-39236
(High), CVE-2021-41532 (Medium)
Trend Micro has released updated versions of the Trend Micro Antivirus for MAC 2021 family
of consumer products which resolves an improper access control privilege escalation
vulnerability.
CVE ID: CVE-2021-43771 (High)
It has been discovered that the Preview E-Mails for WooCommerce WordPress plugin is
vulnerable to Reflected Cross-Site Scripting via the search_order parameter found in the
~/views/form.php file which allows attackers to inject arbitrary web scripts.
CVE ID: CVE-2021-42363 (Medium)
It has been discovered that due to improper sanitization MedData HBYS software suffers from
a remote SQL injection vulnerability. An unauthenticated attacker with the web access can
extract critical information from the system.
CVE ID: CVE-2021-43362 (Critical)
It has been discovered that due to improper sanitization iPack SCADA Automation software
suffers from a remote SQL injection vulnerability. An unauthenticated attacker with the web
access can extract critical information from the system.
CVE ID: CVE-2021-3958 (Critical)
Google has released update for Chrome Dev channel version 97.0.4692.20 (Platform version:
14324.13.0) for Chrome OS devices and Chrome Beta 97 (97.0.4692.21) for iOS. These versions
address vulnerabilities that an attacker can exploit to take control of an affected system.
Red Hat has released security updates to address multiple vulnerabilities in several
products.
CVE ID: CVE-2021-42574, CVE-2021-29923, CVE-2021-34558, CVE-2021-23369,
CVE-2021-23383
Ubuntu has released security update to resolve a vulnerability in OpenEXR. The affected
products are Ubuntu 18.04 LTS & Ubuntu 16.04 ESM.
CVE ID: CVE-2021-3941
Multiple vulnerabilities have been discovered in several IBM products. An attacker can
exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-22940 (High), CVE-2021-39014 (Medium)
A Cross Site Scripting (XSS) vulnerability has been discovered in Drupal. An attacker may be
able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with
access to the WYSIWYG CKEditor, including site admins with privileged access.
Cisco has released security updates to address several vulnerabilities in multiple Cisco
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2021-40131 (Medium), CVE-2021-40129 (Medium), CVE-2021-40130 (Medium)
A vulnerability has been discovered in Apache ShenYu Admin. The incorrect use of JWT in
ShenyuAdminBootstrap allows an attacker to bypass authentication. The affected versions are
Apache ShenYu 2.3.0 and 2.4.0.
CVE ID: CVE-2021-37580 (Critical)
Dell has released security updates to address multiple vulnerabilities in several Dell
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2019-3762 (High), CVE-2021-21546 (High), CVE-2021-21558 (High),
CVE-2021-21559 (High), CVE-2012-6708, CVE-2019-11358, CVE-2019-7317, CVE-2019-2821,
CVE-2019-2762, CVE-2019-2769, CVE-2019-2745, CVE-2019-2816, CVE-2019-2842, CVE-2019-2786,
CVE-2019-2818, CVE-2019-2766
F5 Networks has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
Debian has released security update to resolve multiple vulnerabilities in atftp package
which can cause Denial of Service (DoS) attack.
CVE ID: CVE-2020-6097 (High), CVE-2021-41054 (High)
Multiple deserialization of untrusted data Remote Code Execution (RCE) vulnerability have
been discovered in Veritas Enterprise Vault server. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-44682 (Critical), CVE-2021-44681 (Critical), CVE-2021-44680
(Critical), CVE-2021-44679 (Critical), CVE-2021-44678 (Critical), CVE-2021-44677 (Critical)
Multiple vulnerabilities such as out-of-bounds write, and stack-based buffer overflow have
been discovered in FATEK Automation's Equipment- WinProladder. Successful exploitation of
these vulnerabilities can allow for arbitrary code execution. The affected products are
WinProladder versions 3.30_24518 and prior.
Avast has released its Q3'21 Threat Report that reveals elevated risk for ransomware and RAT
attacks, rootkits and exploit kits return by exploiting Certificate Authority.
Ubuntu has released security update to resolve a vulnerability in AccountsService which
incorrectly handled memory when performing certain language setting operations. A local
attacker can use this issue to escalate privileges.
CVE ID: CVE-2021-3939 (High)
Ubuntu has released security update to resolve a vulnerability in hivex which incorrectly
handled certain input. An attacker can use this vulnerability to cause a crash or obtain
sensitive information.
CVE ID: CVE-2021-3504 (Medium)
Oracle Solaris has released security update to address multiple vulnerabilities in third
party software that is included in Oracle Solaris distributions.
An elevation of privilege vulnerability has been discovered in Windows 10 Update Assistant.
An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-42297 (Medium), CVE-2021-43211 (Medium)
It has been discovered modern DRAM devices (PC-DDR4, LPDDR4X) are affected by a
vulnerability in their internal Target Row Refresh (TRR) mitigation against Rowhammer
attacks.
CVE ID: CVE: 2021-42114 (Critical)
A Cross-Site Request Forgery (CSRF) vulnerability has been discovered in WordPress Plugin
"Push Notifications for WordPress (Lite)" provided by Delite Studio. If a user with an
administrative privilege views a malicious page while logged in, unintended operations can
be performed.
CVE ID: CVE-2021-20846 (Medium)
A Cross-Site Scripting (XSS) vulnerability has been discovered in rwtxt provider Zack Scholl
Content Management System (CMS). An arbitrary script can be executed on the web browser of
the user who is accessing the website using rwtxt.
CVE ID: CVE-2021-20848 (Medium)
A vulnerability has been discovered in OpenSSL which affects multiple F5 Products. A remote
attacker can exploit this vulnerability by triggering an application to create an
ASN1_STRING and process it with an affected OpenSSL function to access restricted
information or cause a Denial-of-Service (DoS).
CVE ID: CVE-2021-3712 (High)
Multiple vulnerabilities have been discovered in Mitsubishi Electric's Products . An
attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-20601 (High), CVE-2021-20587 (High), CVE-2021-20588 (High),
CVE-2020-14521
Multiple vulnerabilities have been discovered in Moodle. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-43560, CVE-2021-43559, CVE-2021-43558, CVE-2021-3943
VigorConnect software has released security update for Windows and Linux Operating System
(OS).
CVE ID: CVE-2021-20123 (High), CVE-2021-20124 (High), CVE-2021-20125 (Critical),
CVE-2021-20126 (High), CVE-2021-20127 (High), CVE-2021-20128 (Medium), CVE-2021-20129 (High)
Ruby has released security update for a Regular expression Denial of Service vulnerability
(ReDoS) on date parsing methods. An attacker can exploit this vulnerability to cause an
effective DoS attack.
Multiple vulnerabilities have been discovered in Moodle. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-43560, CVE-2021-43559, CVE-2021-43558, CVE-2021-3943
Ubuntu has released security update to resolve multiple vulnerabilities in Vim, Vi IMproved.
An attacker can exploit these vulnerabilities to take control of an affected system. The
affected products are Ubuntu 21.10, Ubuntu 21.04, Ubuntu 20.04 LTS, Ubuntu 18.04 LTS, Ubuntu
16.04 ESM and Ubuntu 14.04 ESM.
CVE ID: CVE-2021-3928 (High), CVE-2021-3927 (High), CVE-2017-17087(Medium),
CVE-2019-20807 (Medium), CVE-2021-3903 (High), CVE-2021-3872 (High)
Multiple vulnerabilities have been discovered in several IBM
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2021-38882 (Medium), CVE-2020-27221 (Critical), CVE-2021-3711 (Critical),
CVE-2021-28165 (High), CVE-2020-27225 (Medium), CVE-2021-38949 (Medium)
A stack buffer overflow vulnerability has been resolved in QNAP NAS running Multimedia
Console. This vulnerability can allow attackers to execute arbitrary code. It is recommended
to update Multimedia Console to the latest version.
CVE ID: CVE-2021-38684 (High)
Google has released Stable channel 94.0.4606.124 (Platform version: 14150.87.0) for most
Chrome OS devices, Chrome 96.0.4664.45 for Windows, Mac and Linux and Chrome 96
(96.0.4664.45) for Android.
Microsoft has released out-of-band updates to address authentication failures related to
Kerberos delegation scenarios impacting Domain Controllers (DC) running supported versions
of Windows Server and Systems.
Multiple vulnerabilities have been discovered in ffmpeg- tools for transcoding, streaming
and playing of multimedia files. It is recommended to upgrade the ffmpeg packages.
CVE ID: CVE-2020-20445, CVE-2020-20446, CVE-2020-20451, CVE-2020-20453,
CVE-2020-22037, CVE-2020-22041, CVE-2020-22044, CVE-2020-22046, CVE-2020-22048,
CVE-2020-22049, CVE-2020-22054, CVE-2021-38171, CVE-2021-38291
Proofpoint has released security updates to address vulnerabilities in Proofpoint
Essentials, and Proofpoint Enterprise Protection (PPS/PoD). An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-31608 (High)
Multiple vulnerabilities such as authenticated arbitrary file upload and authenticated block
import to stored XSS have been discovered in WordPress. It is recommended to upgrade the
WordPress packages.
CVE ID: CVE-2021-42362 (High), CVE-2021-42360 (High)
It has been discovered that Unlimited Sitemap Generator of XML-Sitemaps contains a
Cross-Site Request Forgery (CSRF) vulnerability. If a user views a malicious page while
logged in, unintended operations can be performed. The affected versions are Unlimited
Sitemap Generator versions prior to v8.2.
CVE ID: CVE-2021-20845 (Medium)
Multiple vulnerabilities have been discovered in Jenkins core. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-21699 (High), CVE-2021-21700 (High), CVE-2021-21701 (High),
CVE-2021-43576 (High), CVE-2021-43577 (High), CVE-2021-43578 (High)
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-38979 (Medium), CVE-2021-38972 (Medium), CVE-2021-38976 (Medium),
CVE-2021-38978 (Medium), CVE-2021-38982 (Medium), CVE-2021-38977 (Low), CVE-2021-38985
(Medium), CVE-2021-38983 (Medium), CVE-2021-20492 (Medium), CVE-2021-32803 (High),
CVE-2021-38974 (Medium), CVE-2021-38973 (Low), CVE-2021-38975 (Medium), CVE-2021-38984
(Low), CVE-2021-38981 (Medium)
Cisco has released security updates to address several vulnerabilities in multiple Cisco
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2021-1236 (Medium), CVE-2021-34738 (Medium), CVE-2021-40121 (Medium)
It has been discovered that Apache Tomcat do not properly release an HTTP upgrade connection
for WebSocket connections once the WebSocket connection is closed. This is creating a memory
leak that, over time and can lead to a Denial of Service (DoS) via an OutOfMemoryError. It
is recommended to upgrade the Tomcat9 packages.
CVE ID: CVE-2021-42340 (High)
A vulnerability has been discovered in Grafana, an open source data visualization platform.
F5 has fixed this vulnerability in NGINX Service Mesh 1.2.1.
CVE ID: CVE-2021-39226 (Critical)
Microsoft has observed an increase in the use of HTML smuggling that leverages legitimate
HTML5 and JavaScript features by using email campaigns for deploying banking malware, Remote
Access Trojans (RATs) and other payloads related to targeted attacks.
It has been discovered that the command line restriction that controls snippet use with
NGINX Ingress Controller does not apply to Ingress objects. An attacker with privileges to
deploy Ingress resources can inject configuration snippets that can allow them to gain
access to secrets using the Ingress service account permissions.
CVE ID: CVE-2021-23055
Use of insufficiently random values vulnerability has been discovered in multiple
open-source and proprietary TCP/IP stacks Equipment's . Successful exploitation of weak
Initial Sequence Numbers (ISN) can be used to hijack or spoof TCP connections, cause Denial
of Service (DoS) conditions & can inject malicious data, or bypass authentication.
CVE ID: CVE-2020-27213 (High), CVE-2020-27630 (High), CVE-2020-27631 (High),
CVE-2020-27632 (High), CVE-2020-27633 (High), CVE-2020-27634 (High), CVE-2020-27635 (High),
CVE-2020-27636 (High), CVE-2020-28388 (Medium)
Multiple vulnerabilities have been discovered in multiple open-source and proprietary Object
Management Group (OMG) Data-Distribution Service (DDS) implementations Equipment's.
Successful exploitation of these vulnerabilities can result in Denial of Service (DoS) or
buffer-overflow conditions which can lead to Remote Code Execution (RCE) or information
exposure.
Multiple vulnerabilities such as stack-based buffer overflow and out-of-bounds write have
been discovered in WECON's Equipment- PLC Editor. Successful exploitation of these
vulnerabilities can allow arbitrary code execution.
CVE ID: CVE-2021-42705 (High), CVE-2021-42707 (High)
A Denial of Service (DoS) vulnerability has been discovered in VMware Tanzu Application
Service for VMs. Patches and workarounds are available to remediate this vulnerability.
CVE ID: CVE-2021-22101 (High)
Debian has released security update to resolve multiple vulnerabilities in PostgreSQL
database system which can cause in Man-In-The-Middle (MITM) attacks.
CVE ID: CVE-2021-23214, CVE-2021-23222
Debian has released security update to address multiple vulnerabilities in node-tar which
can be bypassed and allow a malicious Tar archive to symlink into an arbitrary location.
CVE ID: CVE-2021-37701, CVE-2021-37712
F5 Networks has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
An authenticated database reset vulnerability has been discovered in WordPress WP Reset PRO
Premium Plugin. The affected versions are WordPress WP Reset PRO premium plugin v5.98 and
below.
CVE ID: CVE-2021-36909 (High)
Microsoft has released security updates to address multiple
vulnerabilities in Microsoft software. An attacker can exploit these vulnerabilities to take
control of an affected system.
A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and
gateway interfaces that enables an unauthenticated network-based attacker to disrupt system
processes and potentially execute arbitrary code with root privileges.
CVE ID: CVE-2021-3064 (Critical)
Apple has released security updates to address vulnerabilities in iCloud for Windows. An
attacker can exploit these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-30852, CVE-2021-30814, CVE-2021-30835, CVE-2021-30847,
CVE-2021-30823, CVE-2021-30849
A privilege escalation vulnerability has been discovered in vCenter Server. A malicious
actor with non-administrative access to vCenter Server can exploit this vulnerability to
elevate privileges to a higher privileged group. The affected products are VMware Center
Server and VMware Cloud Foundation.
CVE ID: CVE-2021-22048 (High)
Debian has released security update to resolve multiple vulnerabilities in Salt which allow
for local privilege escalation on a minion, server side template injection attacks,
insufficient checks for eauth credentials, shell and command injections or incorrect
validation of SSL certificates.
CVE ID: CVE-2020-28243, CVE-2020-28972, CVE-2020-35662, CVE-2021-3144, CVE-2021-3148,
CVE-2021-3197, CVE-2021-25281, CVE-2021-25282, CVE-2021-25283, CVE-2021-25284,
CVE-2021-31607
Apple has released security update to resolve several vulnerabilities in ImageIO and WebKit
of iCloud for Windows 13. An attacker can exploit these vulnerabilities to take control of
an affected device.
CVE ID: CVE-2021-30852, CVE-2021-30814, CVE-2021-30835, CVE-2021-30847,
CVE-2021-30823, CVE-2021-308499
A weak secure algorithm vulnerability has been discovered in Huawei product which can cause
information leakage. Huawei has released software updates to resolve this vulnerability.
CVE ID: CVE-2021-22356
Debian has released security update to address several vulnerabilities in Icinga2, a
general-purpose monitoring application.
CVE ID: CVE-2021-32739 (High), CVE-2021-32743(High), CVE-2021-37698 (High)
Microsoft has released security updates to address multiple vulnerabilities in Microsoft
software. An attacker can exploit these vulnerabilities to take control of an affected
system.
A pre-authentication buffer overflow vulnerability has been discovered in NETGEAR that
requires access via user's local area network to be exploited.
CVE ID: CVE-2021-34991 (High)
Multiple vulnerabilities have been discovered in Zoom. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-34422 (High), CVE-2021-34421 (Low), CVE-2021-34420 (Medium),
CVE-2021-34419 (Low), CVE-2021-34418 (Medium), CVE-2021-34417 (High)
McAfee has released security update to resolve DLL Search Order Hijacking vulnerability in
McAfee Drive Encryption (MDE). It is recommended to update to MDE 7.3.0 HF2.
CVE ID: CVE-2021-31853 (High)
Intel has released security updates to address multiple vulnerabilities in several Intel
products. A remote attacker can exploit some of these vulnerabilities to take control of an
affected system.
Google has released update for Chrome Dev channel to 97.0.4692.6 (Platform version:
14324.5.0) for most Chrome OS devices, Chrome 96 (96.0.4664.36) for iOS and 97.0.4692.8 for
Windows, Mac and Linux.
It has been discovered that compilers permit Unicode control and homoglyph characters that
may change the visually apparent meaning of source code. An attacker with the ability to
influence source code can introduce undetected ambiguity into source code using this type of
attack.
CVE ID: CVE-2021-42574 (Critical), CVE-2021-42694 (Critical)
Samba has released security updates to resolve vulnerabilities in multiple versions of
Samba. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, CVE-2020-25719,
CVE-2020-25721, CVE-2020-25722, CVE-2021-3738, CVE-2021-23192
Multiple vulnerabilities have been discovered in Advantech's Equipment- WebAccess HMI
Designer. Successful exploitation of these vulnerabilities can result in memory corruption,
code execution, hijacking of user’s cookie/session tokens, and unintended browser action.
The affected products are WebAccess HMI Designer Versions prior to 2.1.11.0. The updates are
available.
CVE ID: CVE-2021-33000 (High), CVE-2021-33002 (High), CVE-2021-33004 (High)
A Cross-Site Scripting (XSS) vulnerability has been discovered in OSIsoft's Equipment- PI
Web API. Successful exploitation of this vulnerability can allow a remote authenticated
attacker access to sensitive information or deliver false information. The affected products
are all versions of PI Web API 2019 SPI and prior.
Multiple vulnerabilities such as Cross-Site Scripting (XSS) and incorrect authorisation have
been discovered in OSIsoft's Equipment- PI Vision. Successful exploitation of these
vulnerabilities can lead to information disclosure, modification, or deletion. The affected
products are PI Vision all versions prior to 2021.
A relative path traversal vulnerability has been discovered in mySCADA's Equipment-
myDESIGNER. Successful exploitation of this vulnerability can allow Remote Code Execution
(RCE). The affected versions are myDESIGNER Versions 8.20.0 and prior.
Multiple vulnerabilities have been discovered in several Schneider Electric products. An
attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Philips' Equipment- MRI 1.5T and 3T.
Successful exploitation of these vulnerabilities can allow an unauthorized attacker access
to execute software, modify system configuration, view/update files and export data to an
untrusted environment. The affected products are MRI 1.5T version 5.x.x and MRI 3T version
5.x.x
Multiple vulnerabilities have been discovered in several products of Siemens. A remote
attacker can exploit these vulnerabilities to take control of an affected system.
Adobe has released security updates to address multiple vulnerabilities in multiple Adobe
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2021-42727 (High), CVE-2021-43015 (High), CVE-2021-43016 (Medium),
CVE-2021-43017 (Medium)
Citrix has released security updates to address vulnerabilities affecting multiple versions
of Citrix Application Delivery Controller (ADC), Citrix Gateway and Citrix SD-WAN WANOP
Edition. Successful exploitation may cause Denial of Service (DoS) and disruption of the
Management GUI, Nitro API and RPC communication.
CVE ID: CVE-2021-22955, CVE-2021-22956
SAP has released security updates to address several vulnerabilities affecting multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2021-40501 (Critical), CVE-2021-40502 (High), CVE-2020-6369 (High),
CVE-2021-40503 (Medium), CVE-2021-42062 (Medium), CVE-2021-38164 (Medium), CVE-2021-40504
(Medium)
Multiple NetApp products incorporate Systemd. It has been discovered that basic/unit-name.c
in systemd is susceptible to a vulnerability which on successful exploitation can lead to
Denial of Service (DoS).
CVE ID: CVE-2021-33910 (Medium)
Debian has released security update to address a vulnerability in Botan1.10, a C++
cryptography library, an attacker can use this issue to recover bits of secret exponents
with help of cache analysis.
CVE ID: CVE-2017-14737 (Medium)
A vulnerability has been discovered in multiple versions of BIND. Successful exploitation
can significantly degrade resolver performance.
CVE ID: CVE-2021-25219 (Medium)
It has been discovered that insufficiently restricted permissions on container root and
plugin directories can result in privilege escalation vulnerability. It is recommended to
upgrade the containerd packages.
CVE ID: CVE-2021-41103 (High)
Multiple SQL injection vulnerabilities have been discovered in SQLAlchemy, a SQL toolkit and
Object Relational Mapper for Python, when the order_by or group_by parameters can be
controlled by an attacker. It is recommended to upgrade the sqlalchemy packages.
CVE ID: CVE-2019-7164, CVE-2019-7548
Debian has released security update to address multiple vulnerabilities in Redis which can
result in Denial of Service (DoS) or the execution of arbitrary code.
CVE ID: CVE-2021-32626, CVE-2021-32627, CVE-2021-32628, CVE-2021-32672,
CVE-2021-32675, CVE-2021-32687, CVE-2021-32762, CVE-2021-41099, CVE-2021-32761
Multiple vulnerabilities have been discovered in src:python3.5, the Python interpreter v3.5.
It is recommended to upgrade the python3.5 packages.
CVE ID: CVE-2021-3733, CVE-2021-3737
A vulnerability has been discovered in udisks2-a service to access and manipulate storage
devices, which can result in Denial of Service (DoS). It is recommended to upgrade udisks2
packages.
CVE ID: CVE-2021-3802
Improper Access Controls vulnerability has been discovered in Hitachi Energy's Equipment-
GMS600, PWC600, and Relion 670/650/SAM600-IO. Successful exploitation of this vulnerability
can allow an attacker with user credentials to bypass security controls enforced by the
product, which can lead to unauthorized modifications on data/firmware, and/or permanent
disabling of the product.
CVE ID: CVE-2021-35534 (High)
It has been discovered that certain HP Enterprise LaserJet, HP LaserJet Managed, HP
Enterprise PageWide, HP PageWide Managed products are vulnerable to potential buffer
overflow.
CVE ID: CVE-2021-39238 (Critical)
An improper access control vulnerability has been discovered in Hitachi Energy's Equipment-
Retail Operations and Counterparty Settlement and Billing (CSB) Product. Successful
exploitation of this vulnerability can allow unauthorized access to data and modification of
data inside the affected product.
CVE ID: CVE-2021-35528 (High)
Ubuntu has released security update to address a use after free issue in ICU - International
Components for Unicode library. An attacker can use this issue to cause a Denial of Service
(DoS) with crafted input. The affected products are Ubuntu 18.04LTS, Ubuntu 16.04ESM and
Ubuntu 14.04ESM.
CVE ID: CVE-2020-21913 (Medium)
Cisco has released security updates to address several vulnerabilities in multiple Cisco
products. An attacker may exploit these vulnerabilities to take control of an affected
system.
F5 Networks has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
Multiple SQL Injection vulnerabilities have been discovered in Philips Tasy EMR HTML5
3.06.1803 and prior which can allow unauthorized access, or create a Denial of Service (DoS)
condition. It is recommended to upgrade Tasy EMR HTML5 to Version 3.06.1804 or later.
CVE ID: CVE-2021-39375 (High), CVE-2021-39376 (High)
Multiple vulnerabilities have been discovered in VISAM VBASE Pro-RT/ Server-RT (Web Remote)
Version 11.6.0.6. An attacker can exploit these vulnerabilities to take control of an
affected system. It is recommended to update to VBASE v11.7.0.2 or later.
CVE ID: CVE-2021-95907 (High), CVE-2021-42535 (Medium), CVE-2021-42537 (Medium),
CVE-2021-34803 (Medium), CVE-2020-13699 (Medium), CVE-2019-18988 (Medium), CVE-2018-16550
(Medium), CVE-2018-14333 (Medium), CVE-2005-2475 (Medium)
Multiple vulnerabilities have been discovered in DAQFactory All Versions 18.1 Build 2347 and
prior. Successful exploitation of these vulnerabilities can allow code execution, memory
corruption, or unauthorized access to user information.
CVE ID: CVE-2021-42543 (High), CVE-2021-42698 (High), CVE-2021-42699 (Medium),
CVE-2021-42701 (Medium)
Multiple vulnerabilities have been discovered in Subversion Plugin version 2.15.0 and
earlier, Jenkins 2.318 and earlier, Jenkins LTS 2.303.2 and earlier. It is recommended to
update to Subversion Plugin version 2.15.1, Jenkins weekly to version 2.319 and Jenkins LTS
to version 2.303.3 to resolve vulnerabilities.
Multiple vulnerabilities have been resolved in Thunderbird 91.3 . An attacker can exploit
these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-38503 (High), CVE-2021-38504 (High), CVE-2021-38505 (High),
CVE-2021-38506 (High), CVE-2021-38507 (High), CVE-2021-38508 , CVE-2021-38509,
CVE-2021-38510
Mozilla has released security updates to address vulnerabilities in Firefox ESR and Firefox
94. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in HAProxy, distributed as part of Watson
Knowledge Catalog for IBM Cloud Pak for Data. These flaws can allow a remote attacker to
bypass security restrictions, caused by improper input validation by the ":method" field.
CVE ID: CVE-2021-39241 (Medium)
Multiple vulnerabilities have been discovered in several Fortinet products. An attacker can
exploit these vulnerabilities to take control of an affected system.
A Cross-Site Scripting (XSS) vulnerability has been discovered in Sensormatic Electronics'
Equipment- VideoEdge . Successful exploitation of vulnerability can allow the execution of
untrusted code when viewing the VideoEdge admin graphical user interface. The affected
products are VideoEdge all versions prior to v5.7.1 .
CVE ID: CVE-2020-11023 (Medium)
Multiple vulnerabilities have been discovered in WECON s' Equipment-PI Studio. Successful
exploitation of these vulnerabilities can allow execution of code and disclose sensitive
information under the context of administrator. The affected products are PI Studio HMI
Versions 4.1.9 and prior and PI Studio Versions 4.2.125 and prior.
CVE ID: CVE-2018-14818 (High), CVE-2018-14810 (High), CVE-2018-17889 (Medium),
CVE-2018-14814 (Low)
Security Update has been released for BIND 9 (Berkeley Internet Name Domain). The
vulnerabilities can degrade resolver performance causing resulting in Denial of Service
(DoS) or to experience an assertion failure in name.c .
CVE ID: CVE-2018-5740 (High), CVE-2021-25219
Multiple Vulnerabilities in have been discovered in InHand Networks' Equipment- IR615
Router. Successful exploitation of these vulnerabilities can allow an attacker to have full
control over the product, remotely perform actions on the product, intercept communication
and steal sensitive information, session hijacking, and successful brute-force against user
passwords.
CVE ID: CVE-2021-38470 (Critical), CVE-2021-38478 (Critical), CVE-2021-38480
(Critical), CVE-2021-38484 (Critical), CVE-2021-38462 (Critical),CVE-2021-38472 (Low),
CVE-2021-38486 (High), CVE-2021-38464 (Medium), CVE-2021-38474 (Medium), CVE-2021-38466
(High), CVE-2021-38482 (High), CVE-2021-38468 (High), CVE-2021-38476 (Medium)
Ubuntu has released security updates to address multiple vulnerabilities in Ceph. The
affected products are Ubuntu 21.04 and Ubuntu 18.04 LTS.
CVE ID: CVE-2021-3531 (Medium), CVE-2021-3524 (Medium), CVE-2021-3509 (Medium),
CVE-2021-20288 (High), CVE-2020-27781 (High)
Ubuntu has released security updates to resolve multiple vulnerabilities in WebKitGTK Web
and JavaScript engines. The affected products are Ubuntu 21.10, Ubuntu 21.04 and Ubuntu
20.04 LTS.
CVE ID: CVE-2021-42762 (Medium), CVE-2021-30846 (High), CVE-2021-30851 (High)
Ubuntu has released security updates to resolve multiple vulnerabilities in mailman -
Web-based mailing list manager package. The affected products are Ubuntu 20.04 LTS.
CVE ID: CVE-2020-12108(Medium), CVE-2020-12137(Medium), CVE-2021-42096(Medium),
CVE-2020-15011(Medium), CVE-2021-42097 (High)
Multiple vulnerabilities have been discovered in several IBM products. An attacker can
exploit these vulnerabilities to take control of an affected system.
Multiple security vulnerabilities have been discovered in GlusterFS, a clustered file
system. These flaws can cause buffer overflow and path traversal issues which lead to
information disclosure, Denial of Service (DoS) or the execution of arbitrary code. It is
recommended to upgrade glusterfs Packages.
Android has released security bulletin to address multiple vulnerabilities affecting several
Android devices. Security patch levels of 2021-11-06 or later address all of these issues.
A vulnerability has been discovered in Tiff, a Tag Image File Format library, which may
result in denial of service or the execution of arbitrary code. It is recommended to upgrade
tiff packages.
CVE ID: CVE-2020-19143 (Medium)
Multiple vulnerabilities have been discovered in several IBM products. An attacker can
exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in the wpewebkit web engine which may lead to
arbitrary code execution and sandbox bypassing. It is recommended to upgrade wpewebkit
packages.
CVE ID: CVE-2021-30846 (High), CVE-2021-30851, CVE-2021-42762 (Medium)
A vulnerability has been discovered in Snort detection engine due to improper memory
resource management while it processes ICMP packets. Multiple Cisco products are affected by
this vulnerability. It is recommended to update the vulnerable release of Cisco Softwares.
CVE ID: CVE-2021-40114 (Medium)
A vulnerability has been discovered in the Internet Key Exchange Version 2 (IKEv2)
implementation of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower
Threat Defense (FTD) Software due to improper control of a resource. It is recommended to
update to the fixed versions.
CVE ID: CVE-2021-40125 (Medium)
Microsoft has released the latest Microsoft Edge Stable Channel (Version 95.0.1020.40) which
incorporates the latest security updates of the Chromium project.
CVE ID: CVE-2021-25219 (Medium)
A vulnerability has been discovered affecting multiple versions of the ISC Berkeley Internet
Name Domain (BIND) in which exploitation of broken authoritative servers using a flaw in
response processing can cause degradation in BIND resolver performance. It is recommended to
upgrade to the patched release.
CVE ID: CVE-2021-25219 (Medium)
Google's Extended Stable channel 94.0.4606.113 for Windows and Mac and Stable channel
95.0.4638.69 for Windows, Mac and Linux has been updated. These versions address several
vulnerabilities that an attacker can exploit to take control of an affected system.
A command injection vulnerability has been resolved in QNAP NAS running the Media Streaming
add-on. Successful exploitation may allow remote attackers to run arbitrary commands.
CVE ID: CVE-2021-34362 (High)
Multiple vulnerabilities have been discovered in several IBM products. An attacker can
exploit these vulnerabilities to take control of an affected system.
A stack-based buffer overflow vulnerability has been discovered in Delta Electronics DOPSoft
Version 4.00.11 and prior. Successful exploitation of this vulnerability may allow arbitrary
code execution. It is recommended to update to DOPSoft v4.00.11.22.
CVE ID: CVE-2021-33019 (High)
A use of hard-coded credentials vulnerability has been discovered in Sensormatic Electronics
Victor Versions 5.7 and prior, which can allow unauthorised elevation of privileges. It is
recommended to upgrade victor to Version 5.7.1.
CVE ID: CVE-2019-19492 (High)
Multiple vulnerabilities have been resolved in GitLab updated versions 14.4.1, 14.3.4, and
14.2.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
GoCD, an open-source Continuous Integration and Continuous Delivery system has released a
security update to address a highly critical authentication vulnerability in GoCD versions
20.6.0 through 21.2.0.
Apple has released security updates to address vulnerabilities in Safari 15.1. An attacker
can exploit some of these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-30887, CVE-2021-30888, CVE-2021-30889, CVE-2021-30890
A Denial-of-Service (DoS) vulnerability has been discovered in MELSEC iQ-R series C
Controller Module due to uncontrolled resource consumption. A remote attacker can prevent
the module from starting up by sending a large number of packets to the module starting up
in a short time.
CVE ID: CVE-2021-20600 (Medium)
Juniper Networks has released security updates to resolve multiple vulnerabilities such as
local privilege escalation vulnerability and improper privilege management vulnerability in
Juniper Networks Junos OS and Junos OS Evolved.
CVE ID: CVE-2021-31359 (High), CVE-2021-31360 (High)
Juniper Networks has released security update to resolve a buffer overflow vulnerability in
the TCP/IP stack of Juniper Networks Junos OS which allows an attacker to send specific
sequences of packets to the device thereby causing a Denial of Service (DoS).
CVE ID: CVE-2021-0283 (High), CVE-2021-0284 (High)
F5 Networks has released security updates to address several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
CVE ID: CVE-2021-3712 (High), CVE-2021-39226 (Critical), CVE-2019-11811 (Medium)
Google has released Chrome Beta 96 (96.0.4664.27) for Android and iOS, Beta channel
96.0.4664.25 (Platform version: 14268.18.0) for most Chrome OS devices and Beta channel
96.0.4664.27 for Windows, Mac and Linux. These versions address several vulnerabilities that
an attacker can exploit to take control of an affected system.
A null dereference vulnerability has been discovered in mosquitto, MQTT message broker which
can lead to crashes for applications using the library. It is recommended to upgrade
mosquitto packages.
CVE ID: CVE-2017-7655 (High)
F5 Networks has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
Apple has released security updates to address vulnerabilities in multiple products. An
attacker can exploit these vulnerabilities to take control of an affected system.
A vulnerability has been discovered in Pulse Connect Secure before 9.1R12.1 which can allow
an unauthenticated user to cause a Denial of Service (DoS) when a malicious request is sent
to the device.
CVE ID: CVE-2021-22965 (Medium)
Ubuntu has released security update to resolve multiple vulnerabilities in Libslirp. The
affected product is Ubuntu 21.10.
CVE ID: CVE-2021-3593 (Low), CVE-2021-3595 (Low), CVE-2021-3594 (Low), CVE-2021-3592
(Low)
Adobe has released security updates to address vulnerabilities in multiple Adobe products.
An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in several IBM products. An attacker can
exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Fuji Electric Tellus Lite V-Simulator and
V-Server Lite. It is recommended to update software to the latest version.
CVE ID: CVE-2021-38413 (High), CVE-2021-38419 (High), CVE-2021-38401 (High),
CVE-2021-38421 (High), CVE-2021-38409 (High), CVE-2021-38415 (High)
The Federal Bureau of Investigation (FBI) has released Indicators of Compromise (IoCs)
associated with attacks using Ranzy Locker, a ransomware variant.
Debian has released security update to address an out-of-bounds read and write vulnerability
in the PHP-FPM code of php7.3 and php7.4 which can result in escalation of privileges from
local unprivileged user to the root user.
CVE ID: CVE-2021-21703 (High)
Juniper Networks has released security update to resolve a vulnerability in the python
cryptographic library used in Juniper Networks Junos OS and Wind River Linux which allows an
attacker to perform timing oracle attacks against RSA decryption.
CVE ID: CVE-2020-25659 (Medium)
It has been discovered that threat actor NOBELIUM is attempting to gain access to downstream
customers of multiple Cloud Service Providers (CSP), Managed Service Providers (MSP), and
other IT services organisations that have been granted administrative or privileged access
by other organisations.
McAfee has released security update to resolve multiple vulnerabilities in ePolicy
Orchestrator. It is recommended to Install or update to ePO 5.10 CU 11.
CVE ID: CVE-2021-31834, CVE-2021-31835
Multiple vulnerabilities have been discovered in faad2, a freeware Advanced Audio Decoder
player. It is recommended to upgrade faad2 packages.
CVE ID: CVE-2018-20199, CVE-2018-20360, CVE-2019-6956, CVE-2021-32274,
CVE-2021-32276, CVE-2021-32277, CVE-2021-32278
Multiple vulnerabilities have been discovered in Mailman - Web-based mailing list manager. A
remote attacker can use these vulnerabilities to perform Cross-Site Request forgery (CSRF)
attack or brute force attack.
CVE ID: CVE-2021-42096, CVE-2021-42097
A vulnerability has been resolved in the proxy service of Cisco AsyncOS for Cisco Web
Security Appliance (WSA) which can allow an unauthenticated, remote attacker to exhaust
system memory and cause a Denial of Service (DoS) condition on an affected device. The
updates are available.
CVE ID: CVE-2021-34698 (High)
Multiple vulnerabilities have been addressed in the Cisco ATA 190 Series Analog Telephone
Adapter Software which can allow an attacker to perform a command injection attack resulting
in Remote Code Execution (RCE) or cause a Denial of Service (DoS) condition on an affected
device. The updates are available.
CVE ID: CVE-2021-34710 (High), CVE-2021-34735 (High)
A command injection vulnerability has been resolved in QNAP NAS running the Media Streaming
add-on. This vulnerability can allow remote attackers to run arbitrary commands. It is
recommended to update the Media Streaming add-on to the latest version.
CVE ID: CVE-2021-34362 (High)
Multiple vulnerabilities have been discovered in several IBM products. An attacker can
exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Libwebp which may cause highest threat to
data confidentiality, integrity, and system availability.
CVE ID: CVE-2018-25011 (Critical), CVE-2020-36328 (Critical), CVE-2020-36329
(Critical), CVE-2018-25014 (Critical)
Multiple vulnerabilities have been resolved in Linux kernel. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2020-3702 (Medium), CVE-2021-3732, CVE-2021-38198 (Medium),
CVE-2021-38205 (Low), CVE-2021-40490 (High), CVE-2021-42008 (High)
A Remote Code Execution (RCE) vulnerability has been discovered in Discourse versions 2.7.8
and earlier. This issue is patched in the versions 2.7.9 or later.
CVE ID: CVE-2021-41163 (Critical)
Multiple vulnerabilities have been discovered in McAfee EPolicy Orchestrator. A remote
attacker can exploit some of these vulnerabilities to trigger Denial of Service(DoS)
condition, sensitive information disclosure, data manipulation and Cross-Site Scripting
(XSS) on the targeted system. The updates are available.
CVE ID: CVE-2021-33037, CVE-2021-31835, CVE-2021-31834, CVE-2021-30639,
CVE-2021-23840, CVE-2021-3712, CVE-2021-2432, CVE-2021-2161
A Remote Code Execution vulnerability has been discovered in Insight - Asset Management app
& Jira Service Management Data Center and Server. It is recommended to upgrade to the
latest version.
CVE ID: CVE-2018-10054 (Critical)
Multiple vulnerabilities have been resolved in Linux kernel for Microsoft Azure cloud
systems. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2019-19449 (High), CVE-2020-26541 (Medium), CVE-2020-36311 (Medium),
CVE-2021-22543 (High), CVE-2021-3612 (High), CVE-2021-3759, CVE-2021-38199 (Medium)
Multiple vulnerabilities have been fixed in libcaca - text mode graphics utilities. An
attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-30498(Critical), CVE-2021-30499(Critical)
Microsoft has released the latest Microsoft Edge Stable Channel (Version 95.0.1020.30) which
incorporates the latest security updates of the Chromium project.
Google has released updated Beta channel 96.0.4664.13 (Platform version: 14268.9.0) and Dev
Channel 97.0.4669.0 (Platform version: 14295.0.0) for most Chrome OS devices, Chrome Beta 96
(96.0.4664.17) for Android, Dev channel 97.0.4676.0 and Beta channel for Windows, Mac and
Linux.
A bug has been discovered in GPS Daemon(GPSD) used by Network Time Protocol (NTP) servers.
The bug may rollback the date to 1,024 weeks which may cause systems and services to become
unavailable or unresponsive. The affected versions of GPSD are versions 3.20-3.22.
Multiple vulnerabilities have been discovered in B. Braun Infusomat Space Large Volume
Pump. Successful exploitation of these vulnerabilities can allow a remote unauthenticated
attacker to gain user-level command-line access, send the device malicious data to be used
in place of correct data, reconfigure the device from an unknown source, obtain sensitive
information, or overwrite critical files. The security updates are available.
CVE ID: CVE-2021-33886 (Medium), CVE-2021-33885 (Critical), CVE-2021-33882 (Medium),
CVE-2021-33883 (Medium), CVE-2021-33884 (Medium)
Multiple vulnerabilities have been discovered in Delta Electronics DIALink industrial
automation server. An attacker can exploit these vulnerabilities to take control of an
affected system. The affected products are DIALink versions 1.2.4.0 and prior.
It has been discovered that Babel.Locale in Babel before 2.9.1 allow attackers to load
arbitrary locale .dat files (containing serialized Python objects) via directory traversal,
leading to code execution. It is recommended to upgrade python-babel packages.
CVE ID: CVE-2021-42771
Multiple vulnerabilities such as arbitrary code execution and Denial of Service (DoS) have
been discovered in AutoCAD (DWG) file import function and OPC UA SDK respectively installed
in GENESIS64 and MC Works64. It is recommended to update the software by using the GENESIS64
and MC Works64 security patches.
CVE ID: CVE-2021-27041 (High), CVE-2021-27432 (High)
Multiple vulnerabilities have been discovered in several IBM products. An attacker can
exploit these vulnerabilities to take control of an affected system.
A reflected cross-site scripting (XSS) vulnerability has been discovered in an undisclosed
page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in
the context of the currently logged-in user.
CVE ID: CVE-2021-23037 (Critical)
Multiple vulnerabilities such as Out of Bounds Write, Path Traversal, CSV Injection,
Multiple Threads Race Condition, and Improper Signature Management have been discovered in
several Huawei products. An attacker may exploit these vulnerabilities to take control of an
affected system.
CVE ID: CVE-2021-37129, CVE-2021-37130, CVE-2021-37131, CVE-2021-22340,
CVE-2021-37127
It has been discovered that unsquashfs in squashfs-tools, the tools to create and extract
Squashfs filesystems, does not check for duplicate filenames within a directory. An attacker
can take advantage of this flaw for writing to arbitrary files to the filesystem if a
malformed Squashfs image is processed. It is recommended to upgrade squashfs-tools packages.
CVE ID: CVE-2021-41072 (High)
It has been discovered that a carefully crafted request uri-path can cause mod_proxy_uwsgi
to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server
versions 2.4.30 to 2.4.48 (inclusive).
CVE ID: CVE-2021-36160 (High)
Multiple vulnerabilities have been fixed in Linux kernel. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-42008, CVE-2021-38166, CVE-2021-40490, CVE-2021-3739, CVE-2021-3743,
CVE-2021-3753, CVE-2021-3732, CVE-2020-3702
Ubuntu has released security update to address a vulnerability in strongSwan which may cause
a Denial of Service (DoS) or possibly execute arbitrary code.
CVE ID: CVE-2021-41991
Oracle has released critical patch update for October 2021 containsing 419 new security
patches for multiple vulnerabilities across multiple products. A remote attacker can exploit
some of these vulnerabilities to take control of an affected system.
Oracle Solaris has released security update to address multiple vulnerabilities in third
party software that is included in Oracle Solaris distributions.
The Oracle VM Server for x86 has released security bulletin. This Oracle VM Server for x86
Bulletin contains 14 new security patches for the Oracle VM Server for x86.
An information disclosure vulnerability has been discovered in vRealize Operations Tenant
App. A malicious actor with network access to port 443 on the vRealize Operations Tenant App
may access any set system environment variables. It is recommended to apply the patches.
CVE ID: CVE-2021-22034 (Medium)
Google has released Chrome 95 (95.0.4638.50) for Android, Chrome 95 for Windows, Mac and
Linux , and Chrome 95 (95.0.4638.50) for iOS. These versions address several vulnerabilities
that an attacker can exploit to take control of an affected system.
Multiple vulnerabilities have been discovered in several IBM products. An attacker can
exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in AUVESY Versiondog. Successful exploitation
of these vulnerabilities can allow an attacker to achieve remote code execution, and acquire
complete remote control over the machine.
A Cross-site Scripting vulnerability has been discovered in Trane's Building Automation
Controllers (Tracer SC). Successful exploitation of this vulnerability can allow an attacker
to redirect a user to a malicious webpage and steal the user’s cookie.
CVE ID: CVE-2021-42534 (Medium)
Tenable has released Tenable.sc Patch 202110.1 to address multiple vulnerabilities. This
patch updates Apache to version 2.4.51 to address the identified vulnerabilities.
CVE ID: CVE-2021-33193, CVE-2021-34798, CVE-2021-40438
Multiple vulnerabilities have been discovered in all versions of Uffizio GPS Tracker
software. Successful exploitation of these vulnerabilities can allow an attacker to view
sensitive information, gain code execution, cause a redirection to an arbitrary external
domain and perform actions on behalf of an unsuspecting user.
CVE ID: CVE-2020-17483, CVE-2020-17485, CVE-2020-17484, CVE-2021-32927,
CVE-2021-32929
A heap-based buffer overflow vulnerability has been discovered in all versions of SINUMERIK
808D and all versions prior to v4.95 of SINUMERIK 828D. Successful exploitation of this
vulnerability can allow an unauthenticated attacker with network access to the affected
devices to cause system failure with total loss of availability.
CVE ID: CVE-2021-37199
Multiple vulnerabilities have been discovered in Siemens SCALANCE. Successful exploitation
of these vulnerabilities can allow an attacker to inject commands or trigger buffer
overflows. It is recommended to upgrade SCALANCE W1750 to Versions 8.7.1.3 or later. Users
should apply workarounds and mitigations to reduce the risk.
Multiple vulnerabilities have been discovered in WordPress, a web blogging tool which allow
remote attackers to perform Cross-Site Scripting (XSS) attacks or impersonate other users.
It is recommended to upgrade the WordPress packages.
CVE ID: CVE-2021-39200, CVE-2021-39201
Red Hat has released security update to address Server-Side Request Forgery (SSRF)
vulnerability via a crafted request uri-path containing "unix:" in httpd: 2.4.
CVE ID: CVE-2021-40438
It has been discovered that a stack-based buffer overflow vulnerability exists in the Palo
Alto Networks GlobalProtect app that enables a Man-In-The-Middle (MITM) attacker to disrupt
system processes and potentially execute arbitrary code with SYSTEM privileges.
CVE ID: CVE-2021-3057 (High)
An information exposure vulnerability has been discovered in IBM WebSphere Application
Server Liberty which allow a remote user to enumerate usernames due to a difference of
responses from valid and invalid login attempts. The affected products are all versions of
Liberty for Java in IBM Cloud up to and including v3.61.
CVE ID: CVE-2021-29842 (Low)
Multiple vulnerabilities have been discovered in Draytek VigorConnect 1.6.0-B3. An attacker
can exploit these vulnerabilities to take control of an affected system. Draytek has
released fixes for these issues in VigorConnect 1.6.1.
VMware has released security updates to address multiple vulnerabilities in Cloud Foundation
and vRealize products. A remote attacker can exploit these vulnerabilities to take control
of an affected system.
CVE ID: CVE-2021-22033 (Low), CVE-2021-22035 (Medium), CVE-2021-22036 (Medium)
ManageEngine has released security updates to address multiple vulnerabilities in OpManger
v12.5. An attacker can exploit these vulnerabilities to take control of an affected system.
It has been discovered that Proofpoint Insider Threat Management Server contains an unsafe
deserialization vulnerability in the Web Console. An attacker with write access to the local
database can cause arbitrary code to execute with SYSTEM privileges on the underlying
server. The affected products are all versions prior to 7.11.2.
CVE ID: CVE-2021-40843 (High)
Microsoft has released security updates to resolve multiple vulnerabilities in Microsoft
software. An attacker can exploit these vulnerabilities to take control of an affected
system.
Multiple vulnerabilities have been discovered in Schneider Electric's Equipment- Data
Collector module for IGSS (Interactive Graphical SCADA System) product. Successful
exploitation of these vulnerabilities can allow an attacker to gain code execution,
read/delete files, and create arbitrary files. The affected products are IGSS Data Collector
(dc.exe) V15.0.0.21243 and prior.
CVE ID: CVE-2021-22802 (Critical), CVE-2021-22803 (Critical), CVE-2021-22804 (High),
CVE-2021-22805 (Medium)
Adobe has released security updates to address vulnerabilities in multiple Adobe products.
An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as heap-based buffer overflow and stack-based buffer overflow
have been discovered in Advantech's Equipment- WebAccess. Successful exploitation of these
vulnerabilities can allow an attacker to gain Remote Code Execution (RCE). The affected
products are WebAccess Versions 9.02 and prior.
CVE ID: CVE-2021-33023 (Critical), CVE-2021-38389 (Critical)
A missing authorization vulnerability has been discovered in Advantech's Equipment-
WebAccess SCADA. Successful exploitation of this vulnerability can allow an attacker to
access project names and paths. The affected products are WebAccess/SCADA: Versions 9.0.3
and prior.
CVE ID: CVE-2021-38431 (Medium)
Apple has released security update to address a memory corruption issue in multiple
products. An application may be able to execute arbitrary code with kernel privileges.
CVE ID: CVE-2021-30883
Multiple vulnerabilities have been discovered in LibreOffice. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-25633, CVE-2021-25634, CVE-2021-25635
Google has released Chrome 94 (94.0.4606.85) for Android, and Dev channel 96.0.4657.0
(Platform version: 14268.0.0) for most Chrome OS devices. These versions address several
vulnerabilities that an attacker can exploit to take control of an affected system.
A vulnerability has been discovered in Neutron- the OpenStack virtual network service
which allows a reconfiguration of dnsmasq via crafted dhcp_extra_opts parameters. It is
recommended to upgrade the neutron packages.
CVE ID: CVE-2021-40085
Multiple vulnerabilities have been discovered in MediaWiki, a website engine for
collaborative work which can result in Cross-Site Scripting (XSS), Denial of Service (DoS)
and certain unintended API access. It is recommended to upgrade the mediawiki packages.
CVE ID: CVE-2021-35197 (High), CVE-2021-41798, CVE-2021-41799
A vulnerability has been discovered in Libntlm which incorrectly handled specially crafted
NTML requests. An attacker can possibly use this vulnerability to cause a Denial of Service
(DoS) or another unspecified impact.
CVE ID: CVE-2019-17455
Several vulnerabilities have been discovered in the Apache HTTP server, which can result in
Denial of Service (DoS). It is recommended to upgrade apache2 packages.
CVE ID: CVE-2021-34798 (High), CVE-2021-36160 (High), CVE-2021-39275
(Critical), CVE-2021-40438 (Critical)
Cisco has released security updates to resolve several vulnerabilities in multiple products.
CVE ID: CVE-2021-34720(High), CVE-2021-1594(High), CVE-2021-34713 (High)
Multiple vulnerabilities have been discovered in several IBM products. An attacker can
exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-3757, CVE-2021-31525, CVE-2021-22118, CVE-2021-2388 ,
CVE-2021-2369 , CVE-2021-2432
It has been discovered that HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may
have an unexpected interaction between glob-related policies and the Google Cloud secrets
engine which may cause more privileges than intended.
CVE ID: CVE-2021-42135
A stack-based buffer overflow vulnerability has been discovered in FATEK Automation's
Equipment- Communication Server. Successful exploitation of this vulnerability can allow
remote code execution. The affected products are Communication Server versions 1.13 and
prior.
CVE ID: CVE-2021-38432 (Critical)
Multiple vulnerabilities have been discovered in FATEK Automation's Equipment- WinProladder.
Successful exploitation of these vulnerabilities can allow arbitrary code execution, Remote
Code Execution (RCE), heap corruption, and unauthorized information disclosure. The affected
products are WinProladder: Versions 3.30 and prior.
CVE ID: CVE-2021-38438 (High), CVE-2021-38426 (High), CVE-2021-38434 (High),
CVE-2021-38430 (High), CVE-2021-38436 (High), CVE-2021-38442 (High), CVE-2021-38440 (High)
Multiple vulnerabilities have been discovered in InHand Networks' Equipment- IR615 Router.
Successful exploitation of these vulnerabilities can allow an attacker to have full control
over the product, remotely perform actions on the product, intercept communication and steal
sensitive information, session hijacking, and successful brute-force against user passwords.
The affected products are IR615 Router: Versions 2.3.0.r4724 and 2.3.0.r4870.
Multiple vulnerabilities have been discovered in Johnson Controls' Equipment- exacqVision
Server 32-bit, and exacqVision Server Bundle. Successful exploitation of these
vulnerabilities can allow an unauthenticated remote user to exploit an integer overflow in
the exacqVision Server with a specially crafted script and cause a Denial of Service (DoS)
condition or access credentials stored in the exacqVision Server.
CVE ID: CVE-2021-27665 (High), CVE-2021-27664 (Critical)
Multiple vulnerabilities have been discovered in Mobile Industrial Robots' Equipment-
MiR100, MiR200, MiR250, MiR500, MiR1000, MiR Fleet. Successful exploitation of these
vulnerabilities can lead to privilege escalation, data exfiltration, control of the robot
and Denial of Service (DoS) condition.
Google Chrome stable channel has been updated to 94.0.4606.81 for Windows, Mac, and Linux.
This version addresses vulnerabilities that an attacker can exploit to take control of an
affected system.
CVE ID: CVE-2021-37977 (High), CVE-2021-37978 (High), CVE-2021-37979 (High),
CVE-2021-37980 (High)
Apache Software Foundation has released security update to address path traversal and Remote
Code Execution (RCE) vulnerabilities in Apache HTTP Server 2.4.49 and 2.4.50.
CVE ID: CVE-2021-41773 (Critical), CVE-2021-42013 (Critical)
Cisco has released software updates for Cisco ATA 190 Series to address multiple
vulnerabilities. These vulnerabilities can allow an attacker to perform a command injection
attack resulting in Remote Code Execution (RCE) or cause a Denial of Service (DoS) condition
on an affected device.
CVE ID: CVE-2021-34710 (High), CVE-2021-34735 (High)
A Denial-of-Service (DoS) vulnerability has been discovered in MELSEC iQ-R series C
Controller Module due to uncontrolled resource consumption. A remote attacker can prevent
the module from starting up by sending a large number of packets to the module starting up
in a short time.
CVE ID: CVE-2021-20600 (Medium)
A vulnerability has been discovered in multiple F5 products. The users with
non-administrator roles with TMOS Shell (tmsh) access, can run arbitrary commands with
elevated privilege using a crafted tmsh command.
CVE ID: CVE-2020-5858 (High)
Multiple vulnerabilities have been fixed in Linux kernel. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-22543, CVE-2021-38160, CVE-2021-41073, CVE-2021-3612,
CVE-2020-26541, CVE-2021-38199
Cisco has released security updates to address several critical vulnerabilities in multiple
Cisco products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Multiple vulnerabilities have been discovered in Jenkins core. An attacker can exploit some
of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2014-3577 (Medium), CVE-2021-21683 (Medium), CVE-2021-21684 (High),
CVE-2021-21682 (Medium)
Red Hat has released security update to address vulnerability in JBoss Enterprise Web Server
which may cause infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE
engine.
CVE ID: CVE-2021-41079 (High)
F5 Networks has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
A vulnerability has been discovered in Salesforce DX Command Line Interface (CLI) that
allows an authenticated user to create an access URL using the CLI interface.
Ubuntu has released security update to address vulnerability in Squid which may cause
exposure of sensitive information or result in a Denial of Service (DoS).
CVE ID: CVE-2021-28116 (Medium)
Xen has released security update to address vulnerability in certain PCI devices. Successful
exploitation of vulnerability can cause Denial of Service (DoS) and escalation of
privilege.
CVE ID: CVE-2021-28702
Mozilla has released security updates to address vulnerabilities in Firefox ESR and Firefox
93. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in several Fortinet products. An attacker can
exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as improper handling of exceptional conditions and improper
input validation have been discovered in Mitsubishi Electric's Equipment- GOT and Tension
Controller. The affected products are GOT2000 series all versions, GOT SIMPLE series all
versions and LE7-40GU-L all versions.
CVE ID: CVE-2021-20602 (High), CVE-2021-20603 (High), CVE-2021-20604 (High),
CVE-2021-20605 (High)
Multiple vulnerabilities have been discovered in Emerson's Equipment- WirelessHART
Gateway network communication devices. The affected products are WirelessHART 1410
Gateway-all versions prior to v4.7.94, WirelessHART 1410D Gateway all versions prior to
v4.7.94 and WirelessHART 1420 Gateway all versions prior to v4.7.94.
CVE ID: CVE-2021-85337 (High), CVE-2021-03554 (High), CVE-2021-24769 (High),
CVE-2021-22439 (High), CVE-2021-81019 (High), CVE-2021-10073 (High)
Multiple vulnerabilities such as cleartext transmission of sensitive information and
authentication bypass by capture-replay have been discovered in Medtronic's Equipment -
Medtronic MiniMed MMT-500 and MMT-503 Remote Controllers. Successful exploitation of these
vulnerabilities can allow an attacker to replay captured wireless communications and cause
an insulin (bolus) delivery.
CVE ID: CVE-2018-10634 (Medium), CVE-2018-14781 (Medium)
Multiple vulnerabilities have been discovered in Honeywell's Equipment- Experion Process
Knowledge System (PKS) C200, C200E, C300 and ACE Controllers all versions. Successful
exploitation of these vulnerabilities can lead to Remote Code Execution (RCE) and Denial of
Service (DoS) conditions.
CVE ID: CVE-2021-38397 (Critical), CVE-2021-38395 (Critical), CVE-2021-38399
(High)
It has been discovered that when validating an origin server or peer certificate, Squid can
incorrectly classify certain certificates as trusted. This vulnerability allows a remote
server to obtain security trust when the trust is not valid and can cause clients to access
to unsafe or hijacked services.
CVE ID: CVE-2021-41611 (High)
Apache has released security update to address multiple vulnerabilities in the Apache HTTP
server. A remote attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2021-41524, CVE-2021-41773
Ubuntu has released security update to address vulnerability in docker.io which may cause
expose of sensitive information or gain administrative privileges.
CVE ID: CVE-2021-41089 (Low)
Multiple vulnerabilities such as buffer overflow, out-of-bound read, and NULL pointer
dereference have been discovered in fig2dev, utilities for converting XFig figure files.
These vulnerabilities can lead to a Denial of Service (DoS) or other unspecified impact. It
is recommended to upgrade the fig2dev packages.
Ubuntu has released security update to address several vulnerabilities in Mercurial package.
An attacker can use these vulnerabilities to write arbitrary files to the target’s
filesystem or cause a Denial of Service (DoS) or possibly execute arbitrary code.
CVE ID: CVE-2019-3902, CVE-2018-17983
Ubuntu has released security update to address vulnerability in MongoDB which incorrectly
handled certain wire protocol messages. A remote attacker can possibly use this
vulnerability to cause MongoDB to crash, resulting in a Denial of Service (DoS).
CVE ID: CVE-2019-20925 (High)
Ubuntu has released security update to address multiple vulnerability in LedgerSMB which
incorrectly handled certain inputs. An attacker can use this vulnerability to leak sensitive
information, cause Denial of Service (DoS), or execute arbitrary code.
CVE ID: CVE-2021-3693, CVE-2021-3694, CVE-2021-3731 (Medium)
Multiple vulnerabilities have been discovered in QEMU, a fast processor emulator which can
result in Denial of Service (DoS) or the the execution of arbitrary code. It is recommended
to upgrade the qemu packages.
CVE ID: CVE-2021-3544 (Medium), CVE-2021-3545 (Medium), CVE-2021-3546 (High),
CVE-2021-3638, CVE-2021-3682 (High), CVE-2021-3713 (High), CVE-2021-3748
A vulnerability has been discovered in OpenSSL of multiple F5 products. A remote attacker
can exploit the vulnerability by triggering an application to create an ASN1_STRING and
process it with an affected OpenSSL function to access restricted information or cause a
Denial-of-Service (DoS).
CVE ID: CVE-2021-3712 (Medium)
A vulnerability has been discovered in Netty - an open-source asynchronous event-driven
network application framework of several F5 products. Successful exploitation may result in
HTTP request smuggling.
CVE ID: CVE-2021-21295 (Medium)
Multiple vulnerabilities have been discovered in MediaWiki, a website engine for
collaborative work, which can result in Cross-Site Scripting (XSS), Denial of Service (DoS)
and a bypass of restrictions in the replace text extension. It is recommended to upgrade the
mediawiki packages.
CVE ID: CVE-2021-35197 (High), CVE-2021-41798, CVE-2021-41799, CVE-2021-41800,
CVE-2021-41801
Microsoft has released security updates to address multiple vulnerabilities in Edge
(Chromium-based). An attacker may exploit some of these vulnerabilities to take control of
an affected system.
CVE ID: CVE-2021-37976, CVE-2021-37975, CVE-2021-37974
It has been discovered that a command injection vulnerability affects certain QNAP EOL
devices running QVR. Successful exploitation can allow remote attacker to run arbitrary
commands. The updates are available.
CVE ID: CVE-2021-34352 (Medium)
Google has released Chrome version 94.0.4606.71 for Windows, Mac, and Linux. This version
addresses vulnerabilities that an attacker can exploit to take control of an affected
system.
CVE ID: CVE-2021-37974 (High), CVE-2021-37975 (High), CVE-2021-37976 (Medium)
Multiple vulnerabilities have been discovered in Linux kernel for Raspberry Pi systems. An
attacker can use these vulnerabilities to expose sensitive information or cause Denial of
Service (DoS).
CVE ID: CVE-2021-33624 (Medium), CVE-2021-3679 (Medium), CVE-2021-38160 (High),
CVE-2021-38199 (Medium), CVE-2021-38204 (Medium)
Multiple vulnerabilities have been discovered in TagLib, a library for reading and editing
audio meta data. It is recommended to upgrade the taglib packages.
CVE ID: CVE-2017-12678 (High), CVE-2018-11439 (Medium)
Multiple vulnerabilities have been discovered in Boston Scientific's Equipment- ZOOM
LATITUDE Programmer/Recorder/Monitor Model 3120. Successful exploitation of these
vulnerabilities can allow an attacker with physical access to the affected device to obtain
patient protected health information, and/or compromise the integrity of the device.
CVE ID: CVE-2021-38400 (Medium), CVE-2021-38394 (Medium), CVE-2021-38392 (Medium),
CVE-2021-38396 (Medium), CVE-2021-38398 (Medium)
Multiple vulnerabilities have been discovered in the chat client WeeChat. It is recommended
to upgrade the weechat packages.
CVE ID: CVE-2020-8955, CVE-2020-9759, CVE-2020-9760, CVE-2021-40516
Multiple vulnerabilities have been discovered in MIT Kerberos package krb5, a system for
authenticating users and services on a network. It is recommended to upgrade the krb5
packages.
CVE ID: CVE-2018-5729 (Medium), CVE-2018-5730 (Low), CVE-2018-20217 (Medium),
CVE-2021-37750 (Medium)
A vulnerability has been discovered in the Lasso Security Assertion Markup Language (SAML)
Single Sign-On (SSO) library. This vulnerability can allow an authenticated attacker to
impersonate another authorised user when interacting with an application. The update has
been released to resolve this vulnerability.
CVE ID: CVE-2021-28091(High)
It has been discovered that the build of some language stacks of Eclipse Che version 6
includes pulling some binaries from an unsecured HTTP endpoint and are vulnerable to MITM
attacks that allow the replacement of original binaries with arbitrary ones.
CVE ID: CVE-2021-41034
It has been discovered that the Credova_Financial WordPress plugin discloses a site’s
associated Credova API account username and password in plaintext via an AJAX action
whenever a site user goes to checkout on a page that has the Credova Financing option
enabled. The affected versions are Credova_Financial plugin 1.4.8 and below.
CVE ID: CVE-2021-39342 (Medium)
RedHat has released security update to address vulnerability and bug fix for Migration
Toolkit for Containers (MTC) 1.6.0 .
CVE ID: CVE-2021-3749 (High)
Ubuntu has released security updates to address several vulnerabilities in Linux kernel and
Apache HTTP server. An attacker can exploit these vulnerabilities to take control of an
affected system.
Google has released stable channel 93.0.4577.95 (Platform version: 14092.66.0) for most
Chrome OS devices, and Chrome Beta 95 (95.0.4638.32) for Android, iOS and Windows, Mac and
Linux. These versions address several vulnerabilities that an attacker can exploit to take
control of an affected system.
Huawei has released software updates to address an improper authentication vulnerability in
Hero-CT060. Successful exploit can allow an attacker to do certain operations which the user
are supposed not to do.
CVE ID: CVE-2021-37123
Google has released Dev channel 96.0.4652.0 (Platform version: 14244.0.0) for Chrome OS
devices , 96.0.4655.0 for Linux and 96.0.4655.5 for Mac. These versions address several
vulnerabilities that an attacker can exploit to take control of an affected system.
Multiple vulnerabilities have been discovered in Zimbra- a WebRTC stream aggregator. It is
recommended to use Patch 19 for the Zimbra 9.0.0 and Patch 26 for Zimbra 8.8.15.
RedHat has released security updates to resolve multiple vulnerabilities in fwupd, shim,
shim-unsigned-aarch64 and shim-unsigned-x64 .
CVE ID: CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749,
CVE-2020-27779, CVE-2021-20225, CVE-2021-20233
Multiple file parsing vulnerabilities have been discovered in Solid Edge before SE2021MP8.
These flaws can be triggered when the application reads files in IFC, JT or OBJ formats. It
is recommended to update to the latest version.
CVE ID: CVE-2021-37202 (High), CVE-2021-37203 (High), CVE-2021-41533 (Low),
CVE-2021-41534 (Low), CVE-2021-41535 (High), CVE-2021-41536 (High), CVE-2021-41537 (High),
CVE-2021-41538 (Low), CVE-2021-41539 (High), CVE-2021-41540 (High)
Cisco has released security update to address a vulnerability in IPv6 traffic processing of
Cisco IOS XE Wireless Controller Software for Cisco Catalyst 9000 Family Wireless
Controllers. Successful exploitation of vulnerability can allow an unauthenticated, adjacent
attacker to cause a Layer 2 (L2) loop in a configured VLAN, resulting in a Denial of Service
(DoS) condition for that VLAN. The affected products are Catalyst 9800 Wireless Controllers
and Catalyst 9800 Wireless Controllers for Cloud.
CVE ID: CVE-2021-34767 (High)
Multiple vulnerabilities have been discovered in Intel Processor which may allow an
authorised user to potentially enable information disclosure via local access.
CVE ID: CVE-2021-0086 (Medium), CVE-2021-0089 (Medium)
Hikvision has released security update to resolve a command injection vulnerability in the
web server of some Hikvision product. A remote attacker can exploit this vulnerability to
take control of an affected device.
CVE ID: CVE-2021-36260
Ubuntu has released security updates to address several vulnerabilities in Linux kernel
and Apache HTTP server. An attacker can exploit these vulnerabilities to take control of an
affected system.
A Cross-Site Request Forgery (CSRF) vulnerability has been discovered in Streama. The
application does not have CSRF checks in place when performing actions such as uploading
local files. As a result, attackers can make a logged-in administrator upload arbitrary
local files via a CSRF attack and send them to the attacker. The affected versions are
Streama v1.10.3 and below.
CVE ID: CVE-2021-41764
A vulnerability has been discovered in the Safari extension bundled with versions 7.7.0 to
7.8.6 of 1Password for Mac. This vulnerability allows a malicious web page to autofill items
in certain categories without user interaction when 1Password is unlocked.
CVE ID: CVE-2021-41795
It has been discovered that symlink exchange can allow host filesystem access in Kubernetes
for Red Hat OpenShift Container Platform. Red Hat OpenShift Container Platform release
4.8.13 is available with updates to packages and images that fix several bugs and add
enhancements.
CVE ID: CVE-2021-25741 (High)
A vulnerability has been discovered in the web filtering features of multiple Cisco
products. This vulnerability can allow an unauthenticated remote attacker to bypass web
reputation filters and threat detection mechanisms on an affected device and exfiltrate data
from a compromised host to a blocked external server.
CVE ID: CVE-2021-34749 (Medium)
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-22137 (Low), CVE-2021-22135 (Low), CVE-2021-32029 (Medium)
Multiple vulnerabilities have been discovered in the Linux kernel that may lead to a
privilege escalation, denial of service or information leak. It is recommended to upgrade
the Linux packages.
VMware has released security updates to address multiple vulnerabilities in vCenter Server
and Cloud Foundation. A remote attacker can exploit these vulnerabilities to take control of
an affected system.
Google has released Chrome version 94.0.4606.61 for Windows, Mac, and Linux. This version
addresses a vulnerability CVE-2021-37973 that an attacker can exploit to take control of an
affected system.
CVE ID: CVE-2021-37973 (High)
Multiple vulnerabilities have been discovered in Cisco SD-WAN vEdge Software. These
vulnerabilities may allow an attacker to execute arbitrary code as the root user or cause a
Denial of Service (DoS) condition on an affected device.
CVE ID: CVE-2021-1509 (High), CVE-2021-1510 (High), CVE-2021-1511 (Medium)
It has been discovered that Node.js y18n module may allows a remote attacker to execute
arbitrary code on the system, caused by a prototype pollution vulnerability. By sending a
specially-crafted request, an attacker can exploit this vulnerability to execute arbitrary
code on the system.
CVE ID: CVE-2020-7774 (High)
It has been discovered that an improper access control vulnerability in SMA100 allows a
remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary
file potentially resulting in a reboot to factory default settings. The affected products
are SMA 100 Series 9.0.0.10-28sv & earlier, 10.2.0.7-34sv & earlier
and 10.2.1.0-17sv & earlier.
CVE ID: CVE-2021-20034 (Critical)
An uncontrolled search path element privilege escalation vulnerability has been discovered
in Trend Micro HouseCall for Home Networks that can lead to arbitrary code execution. The
affected versions are HouseCall for Home Networks 5.3.1225 and below.
CVE ID: CVE-2021-32466
Apple has released security updates to address vulnerabilities in multiple products. An
attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Ovarro's Equipment TBox, a Remote Terminal
Unit (RTU). Successful exploitation of these vulnerabilities can result in Remote Code
Execution (RCE) which can cause a Denial-of-Service (DoS) condition. The affected products
are TBoxLT2 (All models), TBox MS-CPU32, TBox MS-CPU32-S2, TBox RM2 ( All models), TBox
TG2 ( All models) and all versions prior to TWinSoft 12.4 and Firmware 1.46.
CVE ID: CVE-2021-22646 (High), CVE-2021-22648 (High), CVE-2021-22642 (High),
CVE-2021-22640 (High), CVE-2021-22644 (High)
A code injection vulnerability has been discovered in Trane's Equipment- Symbio 700 and
Symbio 800 controllers. Successful exploitation of this vulnerability can allow an
authenticated user to execute arbitrary code on the controller.
CVE ID: CVE-2021-38448 (High)
A code injection vulnerability has been discovered in Trane's Equipment- Tracer SC, Tracer
SC+, and Tracer Concierge. Successful exploitation of this vulnerability can allow an
authenticated user to execute arbitrary code on the controller.
CVE ID: CVE-2021-38450 (Critical)
Ubuntu has released security update to resolve CA-certificates issue in Ubuntu 14.04 ESM,
Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.04.
Ubuntu has released security updates to address several vulnerabilities in EDK II. An
attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2019-11098 (Medium), CVE-2021-38575, CVE-2021-3712 (High), CVE-2021-23840
(High)
Cisco has released security updates to address several critical vulnerabilities in multiple
Cisco products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Multiple vulnerabilities such as server-side request forgery, path traversal, improper file
upload control and command injection have been discovered in several Huawei products. An
attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-37104, CVE-2021-22440 (Medium), CVE-2021-37105, CVE-2021-37106
Ubuntu has released security updates to address several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Ubuntu has released security updates to address several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2021-3612 (High), CVE-2021-22543 (High), CVE-2021-38160 (High),
CVE-2021-34693 (Medium)
It has been discovered that in Progress WhatsUp Gold- an application endpoint failed to
adequately sanitize malicious input which can allow an unauthenticated attacker to execute
arbitrary code in a victim’s browser. The affected versions are WhatsUp Gold prior to
21.1.0.
CVE ID: CVE-2021-41318
Multiple vulnerabilities such as improper access control, DLL sideloading and improper
privilege management have been discovered in McAfee Agent for Windows prior to 5.7.4. It is
recommended to update to McAfee Agent 5.7.4.
CVE ID: CVE-2021-31847 (High), CVE-2021-31841 (High), CVE-2021-31836 (Medium)
VMware has released security updates to address multiple vulnerabilities in vCenter Server
and Cloud Foundation. A remote attacker can exploit these vulnerabilities to take control of
an affected system.
Google has released stable channel 94.0.4606.54 and Dev channel 95.0.4638.17 for Windows,
Mac and Linux, Chrome 94 (94.0.4606.50) for Android, and Chrome 94 (94.0.4606.52) for iOS.
These versions address several vulnerabilities that an attacker can exploit to take control
of an affected system.
NETGEAR has released security updates to address a remote code execution vulnerability in
multiple NETGEAR routers. A remote attacker can exploit this vulnerability to take control
of an affected system.
CVE ID: CVE-2021-40847 (High)
Apple has released security updates to address vulnerabilities in multiple products. An
attacker can exploit these vulnerabilities to take control of an affected device. The
affected products are versions prior to iOS 15, versions prior to iPadOS 15, versions prior
to Safari 15, versions prior to tvOS 15, versions prior to watchOS 8, versions prior to
iTunes 12.12 for Windows and versions prior to Xcode 13.
Multiple vulnerabilities have been discovered in rh-ruby27-ruby. An attacker can exploit
these vulnerabilities to take control of an affected system.
CVE ID: CVE-2020-36327 (High), CVE-2021-31799 (High), CVE-2021-31810 (Medium),
CVE-2021-32066 (High)
Multiple vulnerabilities have been discovered in Moodle. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-40695, CVE-2021-40694, CVE-2021-40693, CVE-2021-40692,
CVE-2021-40691
Multiple vulnerabilities have been discovered in nextcloud desktop client which can result
in information disclosure. It is recommended to upgrade the nextcloud-desktop packages.
CVE ID: CVE-2021-22895 (Medium), CVE-2021-32728 (Medium)
It has been discovered that the legacy 1.0 version of OpenSSL fails to validate alternate
trust chains in some conditions. It is recommended to upgrade the openssl1.0 packages.
A potential DOM-based Cross Site Scripting (XSS) vulnerability has been discovered in HPE
StoreOnce. Successful exploitation of this vulnerability can cause an elevation of privilege
which lead to partial impact to confidentiality, availability and integrity. CVE ID: CVE-2021-26587 (Medium)
Ubuntu has released security update to address multiple vulnerabilities in the Linux
kernel. CVE ID: CVE-2021-3656, CVE-2021-3653, CVE-2021-34693 (Medium), CVE-2021-3612 (High),
CVE-2021-38160 (High)
Apache has released security update to address multiple vulnerabilities in the Apache HTTP
server. A remote attacker can exploit these vulnerabilities to take control of an affected
system. CVE ID: CVE-2021-33193 (High), CVE-2021-34798, CVE-2021-36160, CVE-2021-39275,
CVE-2021-40438
Multiple vulnerabilities have been discovered in Moxa's Equipment- MGate Series, MXview
Series. An attacker can exploit these vulnerabilities to take control of an affected
system. CVE ID: CVE-2021-33823, CVE-2021-33824
McAfee has released security update to address multiple vulnerabilities such as improper
privileges management and XML entity expansion injection in McAfee Endpoint Security (ENS)
for Windows.
CVE ID: CVE-2021-31843 (High), CVE-2021-31842 (Medium)
Microsoft has released an update to address a Remote Code Execution (RCE) vulnerability in
Azure Linux Open Management Infrastructure (OMI). An attacker can use this vulnerability to
take control of an affected system.
CVE ID: CVE-2021-38647 (Critical)
Ubuntu has released security updates to address several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
An authentication bypass vulnerability affecting Representational State Transfer (REST)
Application Programming Interface (API) URLs has been discovered in Zoho ManageEngine
ADSelfService Plus, which can cause Remote Code Execution (RCE). Zoho ManageEngine
ADSelfService Plus has released security update to address this vulnerability. The affected
versions are Zoho ManageEngine ADSelfService Plus version 6113 and prior.
CVE ID: CVE-2021-40539
Multiple vulnerabilities such as access bypass, and Cross Site Request Forgery(CSRF) have
been discovered in Drupal. An attacker can exploit these vulnerabilities to take control of
an affected system. The affected products are Drupal 9.2, Drupal 9.1 and Drupal 8.9.
CVE ID: CVE-2020-13673, CVE-2020-13674, CVE-2020-13675, CVE-2020-13676,
CVE-2020-13677
Ubuntu has released security updates to address several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
It has been discovered that when Tomcat is configured to use NIO+OpenSSL or NIO2+OpenSSL for
TLS, a specially crafted packet can be used to trigger an infinite loop resulting in a
Denial of Service (DoS). The affected versions are Apache Tomcat 10.0.0-M1 to 10.0.2,
9.0.0-M1 to 9.0.43, and 8.5.0 to 8.5.63.
CVE ID: CVE-2021-41079
A vulnerability has been discovered in the IP Service Level Agreements (IP SLA) responder
and Two-Way Active Measurement Protocol (TWAMP) features of Cisco IOS XR Software.
Successful exploitation of this vulnerability can allow an unauthenticated remote attacker
to cause device packet memory to become exhausted or cause the IP SLA process to crash,
resulting in a Denial of Service (DoS) condition.
CVE ID: CVE-2021-34720 (High)
Apple has released security update to resolve vulnerability in iTunes U for iOS and iPadOS.
An attacker can exploit this vulnerability to take control of an affected device.
CVE ID: CVE-2021-30862
Ubuntu has released security update for Squashfs-Tools which mishandled certain malformed
SQUASHFS files. An attacker can use this vulnerability to write arbitrary files to the
filesystem.
CVE ID: CVE-2021-41072
A potential unauthorized information security vulnerability has been discovered in Micro
Focus Directory and Resource Administrator (DRA). The affected products are all DRA versions
prior to 10.1 Patch 1. The updates are available.
CVE ID: CVE-2021-22535 (Medium)
A path traversal vulnerability has been discovered in Schneider Electric's Equipment-
EcoStruxure Control Expert, EcoStruxure Process Expert and SCADAPack RemoteConnect for x70.
Successful exploitation of this vulnerability can result in code execution on the
engineering workstation.
CVE ID: CVE-2021-22796 (High)
Multiple vulnerabilities such as exposure of sensitive information to an unauthorised actor,
execution with unnecessary privileges and improper handling of insufficient permissions or
privileges have been discovered in Siemens' Equipment- RUGGEDCOM ROX. Successful
exploitation of these vulnerabilities can allow an attacker to gain root access to the
affected devices.
CVE ID: CVE-2021-37173 (High), CVE-2021-37174 (High), CVE-2021-37175 (Medium)
A Remote Code Execution (RCE) vulnerability has been discovered in Windows WLAN AutoConfig
which can allow a remote attacker to execute arbitrary code on the target system.
CVE ID: CVE-2021-36965 (High)
McAfee has released security update to resolve a buffer overflow vulnerability in McAfee
Data Loss Prevention (DLP) Endpoint for Windows and DLP Discover.
CVE ID: CVE-2021-31844 (High), CVE-2021-31845 (High)
Adobe has released security updates to address several vulnerabilities in multiple Adobe
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Citrix has released a security update to address a vulnerability affecting Citrix ShareFile
storage zones controller. A remote attacker can exploit this vulnerability to take control
of an affected system.
CVE ID: CVE-2021-22941
Microsoft has released security updates to address multiple vulnerabilities in Microsoft
software. A remote attacker can exploit these vulnerabilities to take control of an affected
system.
Multiple vulnerabilities have been discovered in several Siemens products. An attacker can
exploit these vulnerabilities to take control of an affected system.
An improper authentication vulnerability has been discovered in Digi International's
Equipment- PortServer TS 16. Successful exploitation of this vulnerability allows write
access, which grants control of settings, command execution and access to the command line
interface.
CVE ID: CVE-2021-38412 (Critical)
An authentication bypass vulnerability has been discovered in Johnson Controls' Equipment-
KT-1 door controllers. Successful exploitation of this vulnerability can allow replay
attacks. The affected versions are KT-1 door controllers’ versions up to and including 3.01.
CVE ID: CVE-2021-27662 (High)
Multiple vulnerabilities have been discovered in several products of Schneider Electric. A
remote attacker can exploit these vulnerabilities to take control of an affected system.
SAP has released security updates to address several vulnerabilities affecting multiple
products. An attacker can exploit some of these vulnerabilities to take control of an
affected system.
A Denial of Service (DoS) vulnerability has been discovered in Mitsubishi Electric's
Equipment- MELSEC iQ-R Series modules. When a module receives a specially crafted SLMP
packet from a malicious attacker, the program execution and communication may enter a DoS
condition.
CVE ID: CVE-2020-5668 (High)
Apple has released security updates to address two vulnerabilities in multiple products. An
attacker can exploit these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-30858, CVE-2021-30860
Ubuntu has released security updates to address several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2021-3653, CVE-2021-3656, CVE-2021-22555 (High), CVE-2021-33909 (High),
CVE-2021-40330 (High)
Google has released stable channel 93.0.4577.82 for Windows, Mac and Linux, Chrome 93
(93.0.4577.82) for Android, Dev channel 95.0.4635.0 (Platform version: 14209.0.0) for most
Chrome OS devices, and Chrome 93 (93.0.4577.78) for iOS. These versions address several
vulnerabilities that an attacker can exploit to take control of an affected system.
Multiple vulnerabilities have been discovered in multiple IBM products. An attacker can
exploit some of these vulnerabilities to take control of an affected system.
It has been discovered that mlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an
infinite loop in a certain end-of-file situation. An attacker can exploit this vulnerability
to cause the application to enter into an infinite loop resulting in a Denial of Service
(DoS).
CVE ID: CVE-2020-7595
It has been discovered that Ghostscript incorrectly handled certain PostScript files. If a
user or automated system is tricked into processing a specially crafted file, a remote
attacker can use this vulnerability to access arbitrary files, execute arbitrary code, or
cause a Denial of Service(DoS).
CVE ID: CVE-2021-3781
Multiple vulnerabilities such as certificate validation and NULL pointer dereference have
been discovered in OpenSSL that affects multiple Cisco products. Exploitation of these
vulnerabilities can allow an attacker to use a valid non-certificate authority (CA)
certificate to act as a CA and sign a certificate for an arbitrary organisation, user or
device or to cause a Denial of Service (DoS) condition.
CVE ID: CVE-2021-3450 (High), CVE-2021-3449 (Medium)
Multiple vulnerabilities have been resolved in several QNAP products. An attacker can
exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-28816 (High), CVE-2021-34343 (High), CVE-2021-34344 (Critical),
CVE-2021-34345 (Critical), CVE-2021-34346 (Critical), CVE-2021-28813 (High), CVE-2018-19957
(High)
F5 Networks has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
A DLL hijacking vulnerability has been discovered in AVEVA's Equipment- Platform Common
Services (PCS) Portal. Successful exploitation of this vulnerability can allow malicious
code execution within context of the PCS Portal application.
CVE ID: CVE-2021-38410 (High)
Multiple vulnerabilities have been discovered in NetApp Products. An attacker can exploit
these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-38402 (High), CVE-2021-38406 (High), CVE-2021-38404 (High)
Multiple vulnerabilities such as stack-based buffer overflow, out-of-bounds write and
heap-based buffer overflow have been discovered in Delta Electronics' Equipment- DOPSoft 2.
Successful exploitation of these vulnerabilities may allow arbitrary code execution. The
affected products are DOPSoft 2 version 2.00.07 and prior.
CVE ID: CVE-2021-38402 (High), CVE-2021-38406 (High), CVE-2021-38404 (High)
Multiple vulnerabilities have been discovered in NTFS-3G, a read-write NTFS driver for FUSE.
A local user can take advantage of these vulnerabilities for local root privilege
escalation. It is recommended to upgrade the ntfs-3g packages.
It has been discovered that Postorius, the administrative web frontend for Mailman 3, do not
validate whether a logged-in user owns the email address when unsubscribing. It is
recommended to upgrade the postorius packages.
CVE ID: CVE-2021-40347
Microsoft has released the latest Microsoft Edge Stable Channel Version 93.0.961.44 which
incorporates the latest Security Updates of the Chromium project.
CVE ID: CVE-2021-38669 (Medium)
Multiple vulnerabilities have been discovered in several IBM products. An attacker can
exploit these vulnerabilities to take control of an affected system.
Ubuntu has released security update to address multiple vulnerabilities in the Linux kernel.
CVE ID: CVE-2021-3656, CVE-2021-3653, CVE-2021-34693, CVE-2021-3612, CVE-2021-38160
Huawei has released software updates to address an improper authorization vulnerability in
some Huawei products. An attacker can exploit this vulnerability by physically accessing the
device and implanting malicious code. Successful exploitation can lead to arbitrary code
execution in the target device.
CVE ID: CVE-2021-37101
The Stable channel has been updated to 93.0.4577.69 (Platform version: 14092.46.0) for most
Chrome OS devices. Systems will be receiving updates over the next several days.
Zoho has released a security update on an authentication bypass vulnerability affecting
ManageEngine ADSelfService Plus that can result in Remote Code Execution (RCE). A remote
attacker can exploit this vulnerability to take control of an affected system. The affected
versions are ManageEngine ADSelfService Plus builds 6113 and below.
CVE ID: CVE-2021-40539
Ubuntu has released security updates to address multiple vulnerabilities in GD Graphics
Library. An attacker can possibly use these vulnerabilities to cause a crash or expose
sensitive information or Denial of Service (DoS).
CVE ID: CVE-2017-6363 (High), CVE-2021-38115 (Medium), CVE-2021-40145 (High)
Ubuntu has released security updates to address vulnerability in Open vSwitch. A remote
attacker can use this vulnerability to cause Open vSwitch to crash resulting in a Denial of
Service (DoS) or possibly execute arbitrary code.
CVE ID: CVE-2021-36980 (Medium)
Ubuntu has released security updates to address vulnerability in cpio, a tool to manage
archives of files. A remote attacker can use this vulnerability to cause cpio to crash
resulting in a Denial of Service (DoS), or possibly execute arbitrary code.
CVE ID: CVE-2021-38185 (High)
Multiple vulnerabilities have been discovered in various Palo Alto Networks products. An
attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2020-10188 (High), CVE-2021-3051 (High), CVE-2021-3052 (High),
CVE-2021-3053 (High), CVE-2021-3054 (High), CVE-2021-3055 (Medium), CVE-2021-3049 (Low)
Cisco has released security updates to address multiple vulnerabilities in several Cisco
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Multiple vulnerabilities have been discovered in several IBM products. An attacker can
exploit these vulnerabilities to take control of an affected system. The updates are
available.
It has been discovered that KVM hypervisor implementation for AMD processors in the Linux
kernel do not properly prevent a guest VM from enabling AVIC in nested guest VMs. An
attacker in a guest VM can use this to write to portions of the host’s physical memory.
Ubuntu has released security update for Ubuntu 16.04 and 14.04 to address this vulnerability
in Linux kernel .
CVE ID: CVE-2021-3653
The Android Security Bulletin contains details of security vulnerabilities affecting Android
devices. Security patch levels of 05 Sep 2021 or later address all of these issues.
Mozilla has released security updates to address multiple vulnerabilities in Firefox,
Firefox ESR and Thunderbird. An attacker can exploit these vulnerabilities to take control
of an affected system.
Multiple vulnerabilities have been discovered in several IBM products. An attacker can
exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in several Fortinet products. An attacker can
exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-26116, CVE-2021-22127, CVE-2021-24017, CVE-2021-24016,
CVE-2021-32600, CVE-2019-16151, CVE-2021-36169, CVE-2019-17655 , CVE-2020-29012,
CVE-2021-36179 , CVE-2021-36182, CVE-2020-29013
Multiple vulnerabilities have been discovered in MELSEC iQ-R Series CPU Module. Successful
exploitation of these vulnerabilities can allow a remote attacker an unauthorized access to
legitimate usernames, CPU module access, or the ability to deny access to legitimate users.
CVE ID: CVE-2021-20594 (Medium), CVE-2021-20597 (High), CVE-2021-20598 (Low)
Debian has released security update to address a vulnerability in haproxy which can result
in request smuggling attacks or response splitting attacks.
CVE ID: CVE-2021-40346 (Critical)
Tenable has released upgraded version Nessus Agent 8.3.1 which resolve multiple local
privilege escalation vulnerabilities in Nessus Agent 8.3.0 and earlier versions.
CVE ID: CVE-2021-20117, CVE-2021-20118
Microsoft has released mitigation and workaround to address a Remote Code Execution (RCE)
vulnerability in several Window products.
CVE ID: CVE-2021-40444 (Medium)
A vulnerability has been discovered in Hitachi ABB Power Grids' System Data Manager SDM600
all versions prior to 1.2 FP2 HF6. Successful exploitation of this vulnerability can allow
access to sensitive information.
CVE ID: CVE-2021-35526
Multiple DoS vulnerabilities have been discovered in Mitsubishi TCP/IP Protocol Stack of GOT
and Tension Controller due to improper handling of exceptional conditions and improper input
validation. It is recommended to follow mitigation measures to minimize the risk of
exploitations.
Debian has released security update to address XML External Entity (XXE) injection
vulnerability in pywps which allows an attacker to view files on the application server
filesystem by assigning a path to the entity.
CVE ID: CVE-2021-39371 (High)
CISA has released Insights on Risk Considerations for Managed Service Provider Customers
(MSPs), which provides MSP customers a framework for reducing risk. The framework is
designed for government and private sector organisations of all sizes, and suggests
considerations for IT management planning, best practices, and tools for reducing overall
risk.
Cisco has released software updates to resolve a Remote Code Execution (RCE) vulnerability
in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software.
CVE ID: CVE-2021-1518 (Medium)
Multiple vulnerabilities have been discovered in IBM Cloud Private. An attacker can exploit
these vulnerabilities to take control of an affected device. The security updates are
available.
CVE ID: CVE-2020-7016 (Medium), CVE-2020-7017 (Medium), CVE-2020-7018 (Medium),
CVE-2020-7019 (Medium)
Microsoft has released the latest Microsoft Edge Stable Channel (Version 93.0.961.38), which
incorporates the latest Security Updates of the Chromium project.
A vulnerability has been discovered in JTEKT TOYOPUC Products. Successful exploitation of
this vulnerability can allow a remote attacker to deny ethernet communications between
affected devices without authorization.
A vulnerability has been discovered in WebAccess, an HMI platform. Successful exploitation
of this vulnerability may allow Remote Code Execution (RCE).
CVE ID: CVE-2021-38408
An identity authentication bypass vulnerability has been discovered in some Dahua products
during the login process. Attackers can bypass device identity authentication by
constructing malicious data packets.
CVE ID: CVE-2021-33044 (High), CVE-2021-33045 (High)
Cisco has released security updates to address a critical vulnerability affecting Cisco
Enterprise Network Function Virtualization Infrastructure Software (NFVIS) Release 4.5.1.
Successful exploitation may allow an unauthenticated, remote attacker to bypass
authentication and log in to an affected device as an administrator.
CVE ID: CVE-2021-34746 (Critical)
Moxa has released security updates to address multiple vulnerabilities in several products
of Moxa's TAP-323 Series and WAC-1001/2004 Series Railway Wireless Controllers. As the
WAC-2004 Series has been discontinued, Moxa has advised workaround to minimise risk.
Moxa has released security updates to address multiple vulnerabilities in several products
of Mox's OnCell G3470A-LTE and WDR-3124A Series Cellular Gateways/Router. As the WDR-3124A
Series has been discontinued, Moxa has advised workaround to minimise risk.
Red Hat has released security update to resolve multiple vulnerabilities and bugs in
OpenShift Container Platform 4.7.28.
CVE ID: CVE-2021-27218 (High), CVE-2021-22555 (High), CVE-2021-22543 (High),
CVE-2021-3609, CVE-2021-3121 (High)
Cisco has released security updates to address several vulnerabilities in multiple Cisco
products.
CVE ID: CVE-2021-34746 (Critical), CVE-2021-34733 (Medium), CVE-2021-34732 (Medium),
CVE-2021-34759 (Medium), CVE-2021-34765 (Medium)
Multiple vulnerabilities have been discovered in the GPAC multimedia framework which can
result in Denial of Service (DoS) or the execution of arbitrary code.
Google Chrome stable channel has been updated to 93.0.4577.63 for Windows, Mac, and Linux.
This version addresses vulnerabilities that an attacker can exploit to take control of an
affected system.
It has been discovered that Squashfs Tools, mishandled certain malformed SQUASHFS files. An
attacker can use this vulnerability to write arbitrary files to the filesystem. Ubuntu has
released security update to address this vulnerability in Ubuntu 21.04, Ubuntu 20.04 and
Ubuntu 18.04.
CVE ID: CVE-2021-40153
GitLab has released version 14.2.2, 14.1.4, and 14.0.9 for GitLab Community Edition (CE) and
Enterprise Edition (EE).
CVE ID: CVE-2021-22258, CVE-2021-22257, CVE-2021-22238
SUSE has released security updates to address multiple vulnerabilities in
mysql-connector-java.
CVE ID: CVE-2020-2875 (Medium), CVE-2020-2933 (Low), CVE-2020-2934 (Medium)
SUSE has released security update to address vulnerability in bind. A truncated TSIG
response can lead to an assertion failure.
CVE ID: CVE-2020-8622 (Medium)
Grilo is a framework for discovering and browsing media. It was discovered that grilo
incorrectly handled certain TLS certificate verification which attackers can use to perform
MITM attacks. The issue can be resolved by updating the packages.
CVE ID: CVE-2021-39365 (Medium)
A heap-based buffer overflow issue was discovered in gthumb. It is recommended to upgrade
gthumb packages to fixed version 3:3.4.4.1-5+deb9u2 to resolve the issue.
CVE ID: CVE-2019-20326 (High)
It was discovered that a test was not correctly backported from the latest upstream release
of redis, thus binaries were not available on all LTS platforms. The problem has been fixed
in this update.
CVE ID: CVE-2021-32761 (High)
Improper Authorization vulnerability has been discovered in Controlled Electronic Management
Systems' AC2000. Successful exploitation of this vulnerability could allow a remote attacker
access to the system without adequate authorization.
CVE ID: CVE-2021-27663 (High)
Multiple vulnerabilities have been discovered in Delta Electronics' DIAEnergie version 1.7.5
and prior. Successful exploitation of these vulnerabilities could allow an attacker to
retrieve passwords in cleartext, remotely execute code, cause a user to carry out an action
unintentionally, or log in and use the device with administrative privileges.
A stack-based buffer overflow vulnerability has been discovered in Delta Electronics'
DOPSoft version 4.00.11 and prior, which may allow an attacker to execute arbitrary code.
CVE ID: CVE-2021-33019 (High)
It has been discovered that libssh can be made to crash or run programs using specially
crafted network traffic. Ubuntu has released security update to address this vulnerability
in Ubuntu 21.04 and Ubuntu 20.04 LTS.
CVE ID: CVE-2021-3634
It has been discovered that OpenSSL incorrectly handled certain ASN.1 strings. A remote
attacker can use this issue to cause OpenSSL to crash or obtain sensitive information.
Ubuntu has released security update to address this vulnerability in Ubuntu 18.04LTS, Ubuntu
16.04 ESM and Ubuntu 14.04 ESM.
CVE ID: CVE-2021-3712
An OGNL injection vulnerability has been discovered in Confluence Server and Data Center.
Successful exploitation may allow an authenticated user and in some instances
unauthenticated user to execute arbitrary code. Atlassian has released versions 6.13.23,
7.4.11, 7.11.6, 7.12.5, and 7.13.0 to address this vulnerability.
CVE ID: CVE-2021-26084 (Critical)
Red Hat has released security update to address multiple vulnerabilities in several
OpenShift Service Mesh.
CVE ID: CVE-2021-32777 (High), CVE-2021-32779 (High), CVE-2021-32781 (High),
CVE-2021-39155 (High), CVE-2021-39156 (High)
A vulnerability has been discovered in an API endpoint of Cisco Application Policy
Infrastructure Controller (APIC) and Cisco Cloud APIC that allows an unauthenticated remote
attacker to read or write arbitrary files on an affected system. Cisco has released security
update to address vulnerability.
CVE ID: CVE-2021-1577
Firefox released security update USN-5037-1 to resolve multiple vulnerabilities which caused
Firefox to repeatedly prompt for a password. Firefox has released fresh update USN-5037-2 to
resolve issue.
A Cross-Site Scripting (XSS) vulnerability due to improper user input validation has been
discovered in VMware vRealize Log Insight and VMware Cloud Foundation. It is recommended to
update affected VMware products to remediate this vulnerability.
CVE ID: CVE-2021-22021 (Medium)
RedHat has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
Ubuntu has released security updates to address several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
A vulnerability has been discovered in Joomla! CMS 4.0.0. The media manager does not
correctly checks the user's permissions before executing a file deletion command. It is
recommended to upgrade to Joomla! CMS version 4.0.1.
CVE ID: CVE-2021-26040 (High)
A SM2 decryption buffer overflow vulnerability has been discovered in OpenSSL versions
1.1.1k and below. It is recommended to upgrade to OpenSSL 1.1.1l.
CVE ID: CVE-2021-3711 (High)
Multiple vulnerabilities have been discovered in several IBM products. An attacker can
exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Hitachi ABB Power Grids equiment -TropOS
and Retail Operations and Counterparty Settlement Billing (CSB) software. An attacker can
exploit these vulnerabilities to take control of an affected system.
A heap-based buffer overflow vulnerability has been discovered in Delta Electronics
TPEditor. Successful exploitation of this vulnerability may allow for arbitrary code
execution.
CVE ID: CVE-2021-33007 (High)
F5 Networks has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
CVE ID: CVE-2020-8277, CVE-2020-1971, CVE-2021-25214, CVE-2020-14364, CVE-2020-13692,
CVE-2021-25215
An impersonate vulnerability has been discovered in the TCP protocol stack of multiple
Mitsubishi Electric products. An attacker can impersonate a legitimate device and execute
arbitrary commands, which may cause information disclosure, information tampering or
destruction.
CVE ID: CVE-2020-16226 (Critical)
An integer overflow vulnerability has been discovered in BlackBerry QNX Products which
affects Cisco Products. Successful exploitation can allow an attacker to execute arbitrary
code or cause a Denial of Service (DoS).
CVE ID: CVE-2021-22156 (Critical)
A vulnerability has been discovered in Java SE related to the Java SE Security component in
ITNCM version 6.4.2 product which can allow an unauthenticated attacker to cause a Denial of
Service (DoS). It is recommended to upgrade to ITNCM 6.4.2 Fix Pack 14 (6.4.2.14).
CVE ID: CVE-2020-2773 (Low)
An out-of-bounds array read vulnerability in the apr_time_exp*() functions has been resolved
in the Apache Portable Runtime 1.6.3 release. The same vulnerability is still not resolved
in APR 1.7.x branch.
CVE ID: CVE-2017-12613 (High)
A flaw in the signature verification code in Tor, a connection-based low-latency anonymous
communication system has been discovered. A remote attacker can take advantage of this flaw
to cause an assertion failure, resulting in Denial of Service (DoS). It is recommended to
upgrade tor packages.
CVE ID: CVE-2021-38385
A vulnerability in tnef, a tool to unpack MIME application/ms-tnef attachments has been
resolved. It is recommended to upgrade tnef packages.
CVE ID: CVE-2019-18849 (Medium)
It has been discovered that malicious cyber actors are actively exploiting the ProxyShell
vulnerabilities. It is recommended to identify vulnerable systems on the networks and
immediately apply Microsoft's Security Update from May 2021 to remediate the
vulnerabilities.
CVE ID: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207
A vulnerability has been fixed in scrollz, an advanced ircII-based IRC client. A crafted
CTCP UTC message could allow an attacker to disconnect the victim from an IRC server due to
a segmentation fault and client crash. It is recommended to upgrade scrollz packages.
CVE ID: CVE-2021-29376 (High)
Multiple vulnerabilities such as Heap-based Buffer Overflow, Null Pointer Dereference, and
Improper Handling of Exceptional Conditions have been discovered in AVEVA SuiteLink Server.
Successful exploitation of these vulnerabilities can allow a malicious entity to crash the
server.
CVE ID: CVE-2021-32959, CVE-2021-32963, CVE-2021-32979, CVE-2021-32971,
CVE-2021-32987, CVE-2021-32999
Microsoft has released security updates to address multiple vulnerabilities in Microsoft
Edge Stable Channel (Version 92.0.902.78). A remote attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-30604, CVE-2021-30603, CVE-2021-30602, CVE-2021-30601,
CVE-2021-30599, CVE-2021-30598
Schneider Electric has released security bulletin for multiple memory allocation
vulnerabilities dubbed as ‘BadAlloc’ that affect a wide range of domains including
Industrial Control Systems, Industrial IoT, medical IoT and Operational Technology (OT).
A denial of service vulnerability has been discovered in VMware Workspace ONE UEM console. A
malicious actor with access to /API/system/admins/session can cause an API denial of service
due to improper rate limiting. To remediate this vulnerability, it is recommended to patch
the affected VMware products.
CVE ID: CVE-2021-22029 (Medium)
A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.0
SP1). Affected devices allow to modify configuration settings over an unauthenticated
channel. This could allow a local attacker to escalate privileges and execute own code on
the device. Siemens has released a firmware update for SINEMA Remote Connect Client.
CVE ID: CVE-2021-31338 (High)
A vulnerability has been discovered in Firefox - Mozilla Open Source web browser. This flaw
can be exploited by an attacker to conduct header splitting attacks. It is recommended to
update package versions .
CVE ID: CVE-2021-29991
A vulnerability has been discovered in Inetutils telnet server which allows remote attackers
to execute arbitrary code via short writes or urgent data. It is recommended to update
package versions.
CVE ID: CVE-2020-10188 (Critical)
RedHat has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
F5 Networks has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
The Oracle VM Server for x86 has released security bulletin listing all CVEs which have been
resolved in Oracle VM Server for x86 Security Advisories (OVMSA). It contains 4 new security
patches for the Oracle VM Server for x86.
Oracle has released critical patch update for July 2021 containing 342 new security patches
for multiple vulnerabilities across multiple products. A remote attacker can exploit these
vulnerabilities to take control of an affected system.
A too-strict assertion check vulnerability has been discovered in BIND. The affected
versions are BIND 9.16.19, 9.17.16 and BIND Supported Preview Edition 9.16.19-S1.
CVE ID: CVE-2021-25218 (High)
Cisco has released security updates to address several vulnerabilities in multiple Cisco
products. An attacker may exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2021-34716 (Medium), CVE-2021-34715 (Medium), CVE-2021-34734 (Medium),
CVE-2021-1561 (Medium), CVE-2021-34749 (Medium), CVE-2021-34730 (Critical), CVE-2021-22156
(Critical)
An OS command injection vulnerability has been discovered in FortiWeb's management interface
that can allow a remote authenticated administrator to execute arbitrary commands on the
system via the SAML server configuration page. The affected versions are FortiWeb 6.4.0 and
below, 6.3.14 and below, and 6.2.4 and below.
CVE ID: CVE-2021-22123 (High)
Ubuntu has released security updates to address several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
It has been discovered that the wordexp function in the GNU C Library (aka glibc) can crash
or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted,
crafted pattern. This vulnerability can result in Denial of Service (DoS) or disclosure of
information.
CVE ID: CVE-2021-35942 (Critical)
Adobe has released security updates to resolve multiple vulnerabilities in Adobe products.
An attacker can exploit these vulnerabilities to take control of an affected system.
An improper access control vulnerability has been discovered in ThroughTek's Equipment-
Kalay P2P SDK. Successful exploitation of this vulnerability can permit Remote Code
Execution (RCE) and unauthorized access to sensitive information, such as to camera
audio/video feeds.
CVE ID: CVE-2021-28372 (Critical)
An integer overflow or wraparound vulnerability has been discovered in multiple Real-Time
Operating Systems (RTOS) & supporting libraries. Successful exploitation of this
vulnerability can result in crash or a remote code injection/execution or Denial of Service
(DoS) attack.
An improper authentication vulnerability has been discovered in Advantech's Equipment-
WebAccess/NMS- a network management system. Successful exploitation of this vulnerability
can lead to the exposure of resources or functionality and can result in sensitive
information disclosure.
CVE ID: CVE-2021-32951 (Medium)
Multiple vulnerabilities such as Cross-Site Scripting (XSS) and improper input validation
have been discovered in xArrow's Equipment- xArrow SCADA/HMI. Successful exploitation of
these vulnerabilities can result in Remote Code Execution (RCE).
CVE ID: CVE-2021-33021 (Medium), CVE-2021-33001 (Medium), CVE-2021-33025 (Medium)
It has been discovered that HAProxy- fast and reliable load balancing reverse proxy
incorrectly handles the HTTP/2 protocol. A remote attacker can possibly use this
vulnerability to bypass restrictions.
Multiple vulnerabilities have been discovered in Exiv2 an EXIF/IPTC/XMP metadata
manipulation tool. An attacker can possibly use these vulnerabilities to cause a Denial of
Service (DoS) attack.
RedHat has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
A buffer overflow vulnerability has been discovered in the TCP/IP stack of Juniper Networks
Junos OS which allows an attacker to send specific sequences of packets to the device
thereby causing a Denial of Service (DoS).
CVE ID: CVE-2021-0283 (High), CVE-2021-0284 (High)
Multiple vulnerabilities have been discovered in Moxa's EDR-810 series secure router. Moxa
has developed appropriate solutions to address these vulnerabilities.
F5 Networks has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
CVE ID: CVE-2019-6111, CVE-2019-11331, CVE-2019-10247, CVE-2018-1126, CVE-2018-10675,
CVE-2018-1122, CVE-2018-16850, CVE-2019-10208, CVE-2019-10241, CVE-2015-1283, CVE-2017-18344
Mozilla has released security updates to address vulnerability in Firefox and Thunderbird.
An attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-29991 (High)
HPE has released security updates to address multiple vulnerabilities in the BIOS firmware
of certain Intel processors in SGI UV 300/3000 series and HPE Integrity MC990 X servers
which may cause escalation of privilege.
CVE ID: CVE-2020-12357 (Medium), CVE-2020-12360 (High)
A path traversal vulnerability has been discovered in numerous routers manufactured by
multiple vendors using Arcadyan based software. This vulnerability allows an unauthenticated
user to access sensitive information and alter router configuration.
CVE ID: CVE-2021-20090
RedHat has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
Ubuntu has released security notice to address an out-of-bounds write vulnerability in
setsockopt() implementation of netfilter subsystem in the Linux kernel.
CVE ID: CVE-2021-22555 (High)
Apple has released security update to resolve several vulnerabilities in ImageIO of iCloud
for Windows 12.5. An attacker can exploit these vulnerabilities to take control of an
affected device.
CVE ID: CVE-2021-30779, CVE-2021-30785
Debian has released security update to resolve a vulnerability in Thunderbird which can
result in the execution of arbitrary code.
CVE ID: CVE-2021-29989
It has been discovered that systems with microprocessors utilizing speculative execution and
indirect branch prediction may allow unauthorized disclosure of information to an attacker
with local user access via a side-channel analysis (Spectre v2). It is recommended to
upgrade amd64-microcode packages.
CVE ID: CVE-2017-5715 (Medium)
An improper input validation vulnerability has been discovered in Apache Commons IO used by
IBM Spectrum Scale Transparent Cloud Tiering. An attacker may send a specially-crafted URL
request to view arbitrary files on the system.
CVE ID: CVE-2021-29425 (High)
Ubuntu has released security update to resolve MySQL vulnerabilities in MariaDB10.3 and
10.5- open source relational databases.
CVE ID: CVE-2021-2389, CVE-2021-2372
It has been discovered that Eclipse Jetty is susceptible to a vulnerability which when
successfully exploited can lead to disclosure of sensitive information or addition or
modification of data. The affected versions are Eclipse Jetty through 9.4.40, 10.0.2 and
11.0.2.
CVE ID: CVE-2021-34428 (Low)
Multiple vulnerabilities have been discovered in Apache Traffic Server- a reverse and
forward proxy server. These vulnerabilities may result in Denial of Service (DoS) & HTTP
request smuggling or cache poisoning. It is recommended to upgrade the Apache Traffic Server
packages.
CVE ID: CVE-2021-27577, CVE-2021-32566, CVE-2021-32567, CVE-2021-35474,
CVE-2021-32565
Multiple vulnerabilities have been discovered in Exiv2- a C++ library & a command line
utility to manage image metadata which can result in Denial of Service(DoS) or the execution
of arbitrary code if a malformed file is parsed. It is recommended to upgrade the exiv2
packages.
CVE ID: CVE-2019-20421, CVE-2021-3482, CVE-2021-29457, CVE-2021-29473, CVE-2021-31292
It has been discovered that in Apache Airflow if remote logging is not used, the worker (in
the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask
logging server which can listen on a specific port and also can bind on 0.0.0.0 by default.
This logging server has no authentication and can allow reading log files of DAG jobs. The
affected version is Apache Airflow below 2.1.2.
CVE ID: CVE-2021-35936
Multiple vulnerabilities have been discovered in VMware Workspace ONE Access, Identity
Manager and vRealize Automation. Patches and workarounds are available to address these
vulnerabilities in affected VMware products.
CVE ID: CVE-2021-22002 (High), CVE-2021-22003 (Low)
It has been discovered that OpenSSH incorrectly handled certain messages, and requests. An
attacker could possibly use these vulnerabilities to cause a denial of service or access
sensitive information.
CVE ID: CVE-2016-10708 (High), CVE-2018-15473 (Medium)
It has been discovered that Drupal project uses CKEditor, library for WYSIWYG editing. An
attacker may exploit Cross-Site Scripting (XSS) vulnerabilities to target users with access
to the WYSIWYG CKEditor, including site admins with privileged access. CKEditor has released
a security update to address the flaw.
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-29781 (Critical), CVE-2021-29880 (Medium), CVE-2021-20478 (Medium)
It has been discovered that the PostgreSQL planner could create incorrect plans in certain
circumstances, and PostgreSQL incorrectly handled certain SSL renegotiation ClientHello
messages from clients. A remote attacker could use these vulnerabilities to cause PostgreSQL
to crash, resulting in a denial of service, or possibly obtain sensitive information from
memory.
CVE ID: CVE-2021-3677, CVE-2021-3449
It has been discovered that the netfilter subsystem in the Linux kernel had an out-of-bounds
write vulnerability in its setsockopt() implementation. A local attacker could use this flaw
to cause a denial of service (system crash) or possibly execute arbitrary code.
CVE ID: CVE-2021-22555 (High)
Deserialization of Untrusted Data vulnerability has been discovered in Cognex's Equipment-
In-Sight OPC Server. Successful exploitation of this vulnerability could allow a remote
attacker access to system level permissions and local privilege escalation.
CVE ID: CVE-2021-32935 (High)
Multiple vulnerabilities such as Out-of-bounds Write, Access of Uninitialized Pointer, and
Out-of-bounds Read have been discovered in Horner Automation's Equipment- Cscape. Successful
exploitation of these vulnerabilities may allow code execution in the context of the current
process.
CVE ID: CVE-2021-32995 (High), CVE-2021-33015 (High), CVE-2021-32975 (High)
Improper Input Validation vulnerability has been discovered in Johnson Controls' Equipment-
C-CURE 9000. Successful exploitation of this vulnerability could allow remote execution of
lower privileged Windows programs.
CVE ID: CVE-2021-27660 (High)
Multiple vulnerabilities have been discovered in Red Hat OpenShift Container Platform. Red
Hat OpenShift Container Platform release 4.6.42 is now available with updates to packages
and images that fix several bugs and add enhancements.
CVE ID: CVE-2021-33195 (High), CVE-2021-33197 (Medium), CVE-2021-33198 (High),
CVE-2021-34558 (Medium)
RedHat has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit these vulnerabilities to take control of an affected
device.
Multiple vulnerabilities such as Improper handling of untypical characters in domain names,
Use after free, and Incomplete validation of rejectUnauthorized parameter have been
discovered in Node.js. An attacker could exploit these vulnerabilities to take control of an
affected system.
CVE ID: CVE-2021-22931 (High), CVE-2021-22940 (High), CVE-2021-22939 (Low)
Multiple vulnerabilities have been discovered in the web-based management interface of Cisco
Identity Services Engine (ISE) which could allow an authenticated, remote attacker to
conduct a stored cross-site scripting (XSS) attack against a user. Cisco has released
software updates that address these vulnerabilities.
CVE ID: CVE-2021-1603 (Medium), CVE-2021-1604 (Medium), CVE-2021-1605 (Medium),
CVE-2021-1606 (Medium), CVE-2021-1607 (Medium)
Multiple vulnerabilities have been fixed in Thunderbird 91 which could have out of bounds
read or memory corruption and a potentially exploitable crash.
CVE ID: CVE-2021-29986, CVE-2021-29981, CVE-2021-29988, CVE-2021-29984,
CVE-2021-29980, CVE-2021-29987, CVE-2021-29985, CVE-2021-29982
A remote code execution vulnerability has been found in the Windows Print Spooler service
that improperly performs privileged file operations. An attacker who successfully exploited
this vulnerability could run arbitrary code with SYSTEM privileges.
CVE ID: CVE-2021-36958 (Medium)
libspf2 is a library for validating mail senders with SPF. Stack-based buffer overflow
vulnerability has been discovered in libspf2 which could result in denial of service, or
potential execution of arbitrary code when processing a specially crafted SPF record. It is
recommended to upgrade the libspf2 packages.
CVE ID: CVE-2021-20314
Multiple vulnerabilities have been discovered in .NET. An update for .NET Core 3.1 is now
available for .NET Core on Red Hat Enterprise Linux.
CVE ID: CVE-2021-26423, CVE-2021-34485, CVE-2021-34532
Multiple vulnerabilities have been discovered in Palo Alto Networks. An attacker could
exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-3050 (High), CVE-2021-3046 (Medium), CVE-2021-3048 (Medium),
CVE-2021-3047 (Medium), CVE-2021-26701
A vulnerability has been discovered in Huawei product which can cause memory use-after-free,
compromising normal service. Huawei has released software updates to resolve vulnerability.
CVE ID: CVE-2021-22321 (Medium)
A Denial of Service vulnerability has been discovered in Huawei smartphone. Huawei has
released software updates to address vulnerability.
CVE ID: CVE-2021-22364 (Medium)
RedHat has released security updates to resolve several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Microsoft has released security updates to address multiple vulnerabilities in Microsoft
software. A remote attacker can exploit these vulnerabilities to take control of an affected
system.
SAP has released security updates to resolve several vulnerabilities affecting multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Adobe has released security updates to resolve multiple vulnerabilities in Adobe Connect and
Adobe Magento. An attacker can exploit these vulnerabilities to take control of an affected
system.
Mozilla has released security updates to address multiple vulnerabilities in Firefox,
Firefox ESR, and Thunderbird. An attacker can exploit these vulnerabilities to take control
of an affected system.
Citrix has released a security update to address a vulnerability affecting Citrix ShareFile
storage zones controller. An attacker can exploit this vulnerability to obtain access to
sensitive information.
CVE ID: CVE-2021-22932
Multiple vulnerabilities have been discovered in several products of Siemens. An attacker
can exploit these vulnerabilities to take control of an affected system.
A vulnerability has been discovered in c-ares, a library that performs DNS requests and name
resolution asynchronously. Missing input validation of hostnames returned by DNS servers can
lead to output of wrong hostnames (leading to Domain Hijacking). It is recommended to
upgrade the c-ares packages.
CVE ID: CVE-2021-3672
Multiple vulnerabilities have been discovered in HCC Embedded's software called InterNiche
stack (NicheStack) & NicheLite, which provides TCP/IP networking capability to embedded
systems. It is recommended to update to the latest stable version of NicheStack software.
Ubuntu has released security updates to address numerous vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Multiple vulnerabilities have been discovered in several products of Schneider Electric. A
remote attacker may exploit these vulnerabilities to take control of an affected system. The
updates are available.
Apple has released security update to resolve several vulnerability in ImageIO of iTunes for
Windows. An attacker can exploit this vulnerability to take control of an affected device.
CVE ID: CVE-2021-30779, CVE-2021-30785
MISP- open source threat intelligence platform & open standards for threat information
sharing has released MISP- 2.4.148 to resolve multiple vulnerabilities.
CVE ID: CVE-2021-37742 (Medium), CVE-2021-37743 (Medium)
It has been discovered that the PERL Encode library incorrectly handle paths. A local
attacker can possibly use this vulnerability to trick the library into executing arbitrary
code from the current working directory.
CVE ID: CVE-2021-36770
ReDoS via malicious user-agent header vulnerability has been discovered in
nodejs-ua-parser-js of Red Hat OpenShift Jaeger. An update is now available for Red Hat
OpenShift Jaeger 1.24.
CVE ID: CVE-2021-27292 (High)
Multiple vulnerabilities have been discovered in the OpenJDK Java runtime resulting in
bypass of sandbox restrictions, incorrect validation of signed Jars or information
disclosure. It is recommended to upgrade the openjdk-8 packages.
CVE ID: CVE-2021-2341, CVE-2021-2369, CVE-2021-2388
It has been discovered that Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI
which allows remote attackers to discover cleartext credentials.
It is recommended to upgrade the lynx packages.
CVE ID: CVE-2021-38165
RedHat has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit some of these vulnerabilities to take control of an
affected device.
It has been discovered that unarr.go in go-unarr (aka Go bindings for unarr) allows
Directory Traversal via ../ in a pathname within a TAR archive. The affected version is
go-unarr 0.1.1.
CVE ID: CVE-2021-38197
It has been discovered that Roxy-WI allows SQL Injection via check_login. An unauthenticated
attacker can extract a valid uuid to bypass authentication. The affected versions are
Roxy-WI through 5.2.2.0.
CVE ID: CVE-2021-38167
Multiple vulnerabilities have been resolved in Ansible version 2.7.7+dfsg-1+deb10u1- a
configuration management, deployment and task execution system. These vulnerabilities can
result in information disclosure or argument injection. It is recommended to upgrade ansible
packages.
Multiple vulnerabilities have been resolved in Bluez version 5.50-1.2~deb10u2, the Linux
Bluetooth protocol stack. An attacker can exploit these vulnerabilities to take control of
an affected system. It is recommended to upgrade bluez packages.
CVE ID: CVE-2020-26558, CVE-2020-27153, CVE-2021-0129
Ivanti has released Pulse Connect Secure system software version 9.1R12 to address multiple
vulnerabilities previous versions. An attacker can exploit these vulnerabilities to take
control of an affected system.
CVE ID: CVE-2021-22937 (Critical), CVE-2021-22933 (High), CVE-2021-22934 (High),
CVE-2021-22935 (Critical) , CVE-2021-22936 (High), CVE-2021-22938 (High)
HTTP Request Smuggling vulnerability has been discovered in HTTP web proxies and web
accelerators that support HTTP/2 for an HTTP/1.1 backend webserver. An attacker can send a
crafted HTTP/2 request with malicious content to bypass network security measures thereby
reaching internal protected servers and accessing sensitive data. It is recommended to
install vendor-provided patches and updates to ensure malicious HTTP/2 content is blocked or
rejected.
An authentication bypass vulnerability has been discovered in MELSEC iQ-R series CPU
modules. A remote attacker can obtain the credentials and can be able to login to the CPU
module unauthorisedly. The affected products & versions are R08/16/32/120SFCPU all
versions & R08/16/32/120PSFCPU all versions.
It has been discovered that Apache Tomcat do not correctly parse the HTTP transfer-encoding
request header in some circumstances leading to the possibility to request smuggling when
used with a reverse proxy. A remote attacker may be able to bypass security controls and
gain access to restricted content. The affected products are Apache Tomcat 10.0.0-M1 to
10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66.
CVE ID: CVE-2021-33037 (Medium)
VMware has released security updates to address several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to gain access to confidential
information.
CVE ID: CVE-2021-22002 (High), CVE-2021-22003 (Low)
Multiple vulnerabilities have been discovered in HCC Embedded's Equipment- InterNiche stack
(NicheStack), NicheLite. Successful exploitation of these vulnerabilities may result in
unauthorized access to arbitrary information, DNS cache poisoning, Remote Code Execution
(RCE), or a Denial-of-Service (DoS) condition. The affected products are InterNiche stack
all versions prior to v4.3 and NicheLite all versions prior to v4.3.
Multiple vulnerabilities have been discovered in FATEK Automation's Equipment FvDesigner- a
software tool used to design and develop FATEK FV HMI series product projects. Successful
exploitation of these vulnerabilities may allow an attacker to execute arbitrary code. The
affected products are FvDesigner Versions 1.5.88 and prior.
CVE ID: CVE-2021-32947 (High), CVE-2021-32939 (High)
Multiple vulnerabilities have been discovered in mySCADA's Equipment myPRO- a professional
HMI/SCADA system. Successful exploitation of these vulnerabilities can allow unauthorized
users the ability to access sensitive information and upload arbitrary files. The affected
products are myPro all versions prior to 8.20.0.
CVE ID: CVE-2021-33013 (High), CVE-2021-33009 (High), CVE-2021-33005 (High),
CVE-2021-27505 (High)
Multiple vulnerabilities have been discovered in Advantech's Equipment- WebAccess/SCADA, a
browser-based SCADA software package. Successful exploitation of these vulnerabilities can
allow an attacker to hijack a user’s cookie/session tokens, gain unauthorized access to
files and directories, and execute arbitrary code. The affected products are WebAccess/SCADA
versions prior to 8.4.5 and WebAccess/SCADA versions prior to 9.0.1.
CVE ID: CVE-2021-22676 (Medium), CVE-2021-22674 (Medium), CVE-2021-32943 (Critical)
RedHat has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit some of these vulnerabilities to take control of an
affected device.
Multiple vulnerabilities have been resolved in docker.io - Linux container runtime. It is
recommended to update system and restart Docker to make all the necessary changes.
A Remote Code Execution (RCE) vulnerability has been discovered in the Cisco Adaptive
Security Device Manager (ASDM) Launcher which can allow an unauthenticated, remote attacker
to execute arbitrary code on a user's operating system.
CVE ID: CVE-2021-1585 (Medium)
Microsoft has released security updates to address multiple vulnerabilities in Microsoft
Edge Stable Channel . A remote attacker can exploit some of these vulnerabilities to take
control of an affected system.
CVE ID: CVE-2021-30597, CVE-2021-30596, CVE-2021-30594, CVE-2021-30593,
CVE-2021-30592, CVE-2021-30591, CVE-2021-30590
Multiple Vulnerabilities such as Denial-of -Service (DoS), unauthorized login and
information disclosure have been discovered in MELSEC iQ-R Series CPU Module. A remote
attacker may exploit these vulnerabilities to take control of an affected system. The
mitigation / workarounds are available.
CVE ID: CVE-2021-20594 (Medium), CVE-2021-20597 (High), CVE-2021-20598 (Low)
Multiple vulnerabilities such as cross-site scripting, information disclosure and privilege
escalation or Denial of Service (DoS) have been resolved in Jetty, a Java servlet engine and
webserver. It is recommended to upgrade jetty9 packages.
CVE ID: CVE-2019-10241, CVE-2019-10247, CVE-2020-27216, CVE-2020-27223,
CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
It has been discovered that the Perl Database Interface (DBI) module incorrectly handled
certain long strings and opened files outside of the folder specified in the data source
name. An attacker can possibly use these vulnerabilities to cause the DBI module to crash,
resulting in a Denial of Service (DoS) or obtain sensitive information.
CVE ID: CVE-2014-10402, CVE-2020-14393
Cisco has released security updates to address several vulnerabilities in multiple Cisco
products. An attacker may exploit some of these vulnerabilities to take control of an
affected system.
Multiple vulnerabilities have been discovered in OpenEXR, a library and tools for the
OpenEXR high dynamic-range (HDR) image format. An attacker can cause a Denial of Service
(DoS) through application crash and possibly execute code. It is recommended to upgrade the
OpenEXR packages.
CVE ID: CVE-2021-3605, CVE-2021-20299, CVE-2021-20300, CVE-2021-20302, CVE-2021-20303
A vulnerability has been discovered in the Asterisk telephony system. If the IAX2 channel
driver received a packet that contained an unsupported media format a crash can have
occurred. It is recommended to upgrade the asterisk packages.
CVE ID: CVE-2021-32558
It has been discovered that a vulnerability in libpam-tacplus (a security module for using
the TACACS+ authentication service) allows to share secrets such as private server keys that
are being added in the clear to various logs. It is recommended to upgrade the
libpam-tacplus packages.
CVE ID: CVE-2020-13881
Siemens has released security updates to address multiple vulnerabilities in Siemens
Interniche IP stack, also known as “INFRA:HALT”.
CVE ID: CVE-2020-35683 (High), CVE-2020-35684 (High), CVE-2020-35685 (High),
CVE-2021-31401 (High)
An insufficient verification of data authenticity vulnerability has been discovered in Robot
Motion Servers. This security bug allows an adjacent attacker to execute arbitrary code.
RedHat has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit some of these vulnerabilities to take control of an
affected device.
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency
(CISA) released a Cybersecurity Technical Report, "Kubernetes Hardening Guidance". This
report details threats to Kubernetes environments and provides configuration guidance to
minimize risk.
Multiple vulnerabilities have been discovered in Swisslog Healthcare's Equipment- Translogic
PTS (Pneumatic Tube Systems). Successful exploitation of these vulnerabilities can allow an
attacker to gain control of the device, escalate privileges, or execute arbitrary code.
Multiple vulnerabilities such as buffer overflow and NULL-pointer dereference have been
discovered in VideoLAN (aka 'vlc'). It is recommended to upgrade the vlc packages.
CVE ID: CVE-2021-25801, CVE-2021-25802, CVE-2021-25803, CVE-2021-25804
Stack corruption and stack-based buffer overflow vulnerability have been discovered in glibc
packages consists of standard C libraries (libc), POSIX thread libraries (libpthread),
standard math libraries (libm), and the name service cache daemon (nscd). An update for
glibc is now available for Red Hat Enterprise Linux 7.7 Extended Update Support.
CVE ID: CVE-2020-29573 (High), CVE-2020-10029 (Medium)
Multiple vulnerabilities such as wrong ciphertext/tag, URLs with invalid userinfo, SSRF
bypass, use of freed hash key, URL decoding of cookie names, and NULL pointer dereference
have been discovered in PHP. An update for rh-php73-php is now available for Red Hat
Software Collections.
CVE ID: CVE-2020-7069, CVE-2020-7071, CVE-2021-21705, CVE-2020-7068, CVE-2020-7070,
CVE-2021-21702
Multiple vulnerabilities have been discovered in several Fortinet products. An attacker can
exploit these vulnerabilities to take control of an affected system.
Android has released security bulletin to address multiple security vulnerabilities
affecting multiple Android devices. Security patch levels of 2021-08-05 or later address all
of these issues.
Google has released Chrome version 92.0.4515.131 for Windows, Mac and Linux. This version
addresses vulnerabilities that an attacker can exploit to take control of an affected
system.
HTTP/2 request smuggling attack via a large content-length header for a POST request has
been discovered in Varnish Cache -a high-performance HTTP accelerator. An update for the
varnish:6 module is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux
8.1 Extended Update Support, and Red Hat Enterprise Linux 8.2 Extended Update Support.
CVE ID: CVE-2021-36740
It has been discovered that GnuTLS library is incorrectly handle sending certain extensions
when being used as a client. A remote attacker can use this vulnerability to cause GnuTLS to
crash, resulting in a Denial of Service (DoS), or possibly execute arbitrary code.
CVE ID: CVE-2021-20232, CVE-2021-20231
It has been discovered that Exiv2- EXIF/IPTC/XMP metadata manipulation tool incorrectly
handled certain images. An attacker can possibly use this vulnerability to cause a Denial of
Service (DoS).
CVE ID: CVE-2021-31291
Multiple vulnerabilities named PwnedPiper is affecting Translogicc Pneumatic Tube System
(PTS) stations used throughout thousands of hospitial networks. Successful exploitation of
these vulnerabilities can result in leakage of sensitive information, enable an adversary to
manipulate data, and even compromise the PTS network to carry out a Man-in-the-Middle (MitM)
attack and deploy ransomware thereby effectively halting the operations of the hospital.
A XML signature wrapping vulnerability has been resolved in lasso, a library for Liberty
Alliance and SAML protocols when parsing SAML responses. It is recommended to apply updates.
CVE ID: CVE-2021-28091 (High)
Ubuntu has released security update to resolve several vulnerabilities in QPDF- tools for
transforming and inspecting PDF files . An attacker can exploit these vulnerabilities to
take control of an affected system.
CVE ID: CVE-2021-36978(Medium), CVE-2018-18020 (Low)
The Stable channel has been updated to 92.0.4515.130 (Platform version: 13982.69.0) for most
Chrome OS devices. Systems will be receiving updates over the next several days.
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-20227 (Medium), CVE-2020-14040 (High)
It has been discovered that Microsoft Windows Active Directory Certificate Services (AD CS)
by default can be used as a target for NTLM relay attacks, which can allow a domain-joined
computer to take over the entire Active Directory.
Multiple vulnerabilities such as heap-based and stack buffer overflows, use-after-free and
infinite loops have been discovered in lrzip, a compression program. These vulnerabilities
can allow attackers to cause a Denial of Service (DoS) or possibly other unspecified impact
via a crafted file. It is recommended to upgrade the lrzip packages.
It has been discovered that HTCondor- a distributed workload management system has incorrect
access control vulnerability. It is possible to use a different authentication method to
submit a job than the administrator has specified which may cause reduce security and
unauthorised access. It is recommended to upgrade the condor packages.
CVE ID: CVE-2019-18823
It has been discovered that the ptp4l program in linuxptp an implementation of the Precision
Time Protocol (PTP) does not validate the messageLength field of incoming messages allowing
a remote attacker to cause a Denial of Service (DoS), information leak, or potentially
Remote Code Execution (RCE). It is recommended to upgrade the linuxptp packages.
CVE ID: CVE-2021-3570 (High)
A Privilege Escalation Vulnerability has been discovered in configuration management of
Cisco AsyncOS for Cisco Web Security Appliance (WSA) which can allow an authenticated,
remote attacker to perform command injection and elevate privileges to root.
CVE ID: CVE-2021-1359 (High)
It has been discovered that IBM QRadar User Behavior Analytics is vulnerable to Cross-Site
Request Forgery (CSRF) which can allow an attacker to execute malicious and unauthorized
actions transmitted from a user that the website trusts.
CVE ID: CVE-2021-29757 (Medium)
It has been discovered that Node.js is vulnerable to a use after free attack where an
attacker might be able to exploit the memory corruption, to change process behavior. The
affected versions are all versions of the Node.js 16.x, 14.x, and 12.x releases lines. The
security updates are now available.
CVE ID: CVE-2021-29757 (Medium)
Buffer over-read vulnerability has been discovered in Wibu-Systems AG's Equipment- CodeMeter
Runtime. Successful exploitation of these vulnerabilities can allow an attacker to read data
from the heap of the CodeMeter Runtime network server, or crash the CodeMeter Runtime
Server.
CVE ID: CVE-2021-20094 (High), CVE-2021-20093 (Critical)
Insufficiently protected credentials vulnerability has been discovered in Hitachi ABB Power
Grids' Equipment- Enterprise Shift Operations. Management System (eSOMS). Successful
exploitation of this vulnerability can allow access to user credentials that are stored by
the browser.
CVE ID: CVE-2021-35527 (High)
It has been discovered that PHP Extension and Application Repository (PEAR) incorrectly
handled symbolic links in archives. A remote attacker can possibly use this vulnerability to
execute arbitrary code.
CVE ID: CVE-2021-32610
It has been discovered that QPDF- tools for transforming and inspecting PDF files
incorrectly handled certain malformed PDF files. A remote attacker can use this issue to
cause QPDF to crash or consume resources, resulting in a Denial of Service (DoS), or
possibly execute arbitrary code.
CVE ID: CVE-2018-18020, CVE-2021-36978
NSA has released the guideline to securing wireless devices in public settings such as
public Wi-Fi & Near-Field Communications (NFC), a short-range wireless technology,
Buletooth etc.
Red Hat has released security update to resolve multiple vulnerability in Red Hat Single
Sign-On 7.4.
CVE ID: CVE-2021-21409(Medium), CVE-2021-3536 (Medium)
Ubuntu has released security notices to resolve several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2021-32610, CVE-2018-18020, CVE-2021-36978, CVE-2021-3246, CVE-2021-3246.
Apple has released security update to address a memory corruption vulnerability in
IOMobileFrameBuffer extension exists in both iOS and macOS. An attacker can exploit this
vulnerability to take control of an affected device.
CVE ID: CVE-2021-30807
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-20417, CVE-2021-20415, CVE-2019-17638, CVE-2021-25215,
CVE-2021-29736, CVE-2021-29781
A vulnerability has been discovered in Apache Tomcat which allow an attacker to remotely
trigger a Denial of Service (DoS). The affected versions are Apache Tomcat 10.0.3 to 10.0.4;
9.0.44; 8.5.64.
CVE ID: CVE-2021-30639 (High)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber
Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the
U.S. Federal Bureau of Investigation (FBI) has released the top 30 Common Vulnerabilities
and Exposures (CVEs) exploited by malicious cyber actors in 2020 and being widely exploited
thus far in 2021.
RedHat has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit some of these vulnerabilities to take control of an
affected device.
Multiple Vulnerabilities like Use of Hard-Coded Credentials have been discovered in KUKA KR
C4- a powerful, intelligent, safe, and more flexible controller. Successful exploitation of
these vulnerabilities can result in unauthorized access to sensitive information and access
to shell.
CVE ID: CVE-2021-33016(Critical), CVE-2021-33014(High)
Multiple Vulnerabilities such as missing authentication for critical function, command
injection, stack-based buffer overflow have been discovered in Geutebrück G-Cam E2 and
G-Code firmware for IP cameras. A remote attacker can exploit some of these vulnerabilities
to take control of an affected system.
CVE ID: CVE-2021-33543 (Critical), CVE-2021-33544 (High), CVE-2021-33545 (High),
CVE-2021-33546 (High), CVE-2021-33547 (High), CVE-2021-33548 (High), CVE-2021-33549 (High),
CVE-2021-33550 (High), CVE-2021-33551 (High), CVE-2021-33552 (High), CVE-2021-33553 (High),
CVE-2021-33554 (High)
Cross-site Scripting (XSS) vulnerability has been discovered in LCDS's Equipment- LAquis
SCADA automation platform. Successful exploitation of this vulnerability can allow an
unauthenticated remote attacker to access sensitive information or execute arbitrary code.
CVE ID: CVE-2021-32989 (Critical)
Multiple vulnerabilities such as type confusion, and out-of-bounds write have discovered in
Delta Electronics' Equipment- DIAScreen sofware. Successful exploitation of these
vulnerabilities can crash the device being accessed and may allow remote code execution.
CVE ID: CVE-2021-32965 (High), CVE-2021-32969 (High)
An out-of-bounds read vulnerability has been discovered in Delta Electronics' Equipment-
DOPSoft a software supporting the DOP-100 series HMI screens. Successful exploitation of
these vulnerabilities can allow arbitrary code execution and disclose information.
CVE ID: CVE-2021-27455 (Low), CVE-2021-27412 (High)
RedHat has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit some of these vulnerabilities to take control of an
affected device.
Multiple vulnerabilities have been discovered in Mitsubishi Electric's Equipments . An
attacker can exploit these vulnerabilities to take control of an affected system.
It has been discovered that Sunhillo SureLine application contained an unauthenticated
Operating System (OS) command injection vulnerability that allowed an attacker to execute
arbitrary commands with root privileges. This would have allowed for a threat actor to
establish an interactive channel, effectively taking control of the target system.
CVE ID: CVE-2021-36380 (Critical)
Apple has released security updates to address a memory corruption vulnerability in multiple
products. An attacker can exploit this vulnerability to take control of an affected device.
CVE ID: CVE-2021-30807
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-22885 (Critical), CVE-2021-31525 (High), CVE-2021-20562 (Medium)
MySQL has released security updates to resolve multiple vulnerabilities . An attacker can
exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2019-25051
It has been discovered that Aspell- GNU Aspell spell-checker incorrectly handled certain
inputs. An attacker can possibly use this issue to execute arbitrary code or cause a crash.
The updates are available.
CVE ID: CVE-2019-25051
Multiple vulnerabilities have been discovered in Zimbra- a WebRTC stream aggregator. It is
recommended to use Patch 17 for the Zimbra 9.0.0, and Patch 24 for Zimbra 8.8.15.
Ubuntu has released security notices to resolve several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Oracle has released critical patch update for July 2021 contains 342 new security patches
for multiple vulnerabilities across multiple products. A remote attacker can exploit some of
these vulnerabilities to take control of an affected system.
Fake Win 11 downloaders are delivering adware and malware payloads on computers. A standard
Windows installation wizard appears, but its main purpose is to download and run the
problematic executable which is also an installer and comes with a license agreement and
installs sponsored software. Accepting the agreement means different types of malicious
software will get installed on the device.
It has been discovered that the Key Distribution Center (KDC) in krb5 the MIT implementation
of Kerberos is prone to a NULL pointer dereference flaw. An unauthenticated attacker can
take advantage of this flaw to cause a Denial of Service (DoS) by sending maliciously
crafted request. It is recommended to upgrade your krb5 packages.
CVE ID: CVE-2021-36222
A Cross Site Scripting (XSS) vulnerability has been discovered in angular.js. To mitigate
this vulnerability use a unique and isolated web browser and restrict access of the system
to only allow trusted users. The affected versions are angular.js prior to 1.8.0 .
CVE ID: CVE-2020-7676 (Medium)
RedHat has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit some of these vulnerabilities to take control of an
affected device.
A vulnerability has been resolved in Lemonldap-ng , a Web-SSO system. The vulnerability can
result in information disclosure, authentication bypass, or can allow an attacker to
increase its authentication level or impersonate another user. It is recommended to upgrade
your lemonldap-ng packages.
CVE ID: CVE-2021-35472
A Missing Authentication vulnerability for Ehcache RMI has been discovered in Jira Data
Center and Jira Service Management Data Center products. Successful exploitation of this
vulnerability may allow an attacker to perform Remote Code Execution (RCE), which may lead
to a compromise of the Jira server.
CVE ID: CVE-2020-36239
It has been discovered that the actionpack_page-caching Ruby gem, a static page caching
module for Rails, allows an attacker to write arbitrary files to a web server, potentially
resulting in Remote Code Execution (RCE) if the attacker can write unescaped ERB to a view.
It is recommended to upgrade the ruby-actionpack-page-caching packages.
CVE ID: CVE-2020-8159
RedHat has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit some of these vulnerabilities to take control of an
affected device.
A vulnerability has been discovered in web-based management interface of Cisco Unified
Customer Voice Portal (CVP) which can allow an unauthenticated, remote attacker to perform a
cross-site scripting (XSS) attack against a user.
CVE ID: CVE-2021-1599 (Medium)
It has been discovered that multiple modules expose secured values in ansible of ovirt.
Updated dependency packages for ovirt-engine and ovirt-host that fix several bugs and add
various enhancements are now available.
CVE ID: CVE-2021-3447 (Medium)
SQL injection vulnerability has been discovered in SourceCodester Travel Management System
that allows remote attackers to execute arbitrary SQL statements, via the catid parameter to
subcat.php.
CVE ID: CVE-2021-25213
It has been discovered that by abusing the 'install rpm url' command an attacker can escape
the restricted clish shell on affected versions of Ivanti MobileIron Core. It is recommended
to upgrade to Ivanti MobileIron Core version 11.1.0.0.
CVE ID: CVE-2021-3198
It has been discovered that the restricted shell provided by Akkadian Provisioning Manager
Engine (PME) can be escaped by abusing the 'Edit MySQL Configuration' command.
CVE ID: CVE-2021-31581
Multiple vulnerabilities have been discovered in Curl - HTTP, HTTPS, and FTP client and
client libraries. It is recommended to update your system to the latest package versions.
CVE ID: CVE-2021-22898, CVE-2021-22925, CVE-2021-22924
An insufficient input validation vulnerability has been discovered in several Huawei
Smartphones due to the lack of parameter validation. An attacker may trick a user into
installing a malicious APP.
CVE ID: CVE-2021-22400
Microsoft has released Security Updates to address multiple vulnerabilities in Microsoft
Edge Stable Channel . A remote attacker can exploit some of these vulnerabilities to take
control of an affected system.
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-3450( High), CVE-2021-3449(Medium), CVE-2021-2207(Low)
CVE-2020-5258(High)
Argo Workflows is an open-source, container-native workflow engine for orchestrating
parallel jobs on Kubernetes. Misconfigured permissions for Argo’s web-facing dashboard allow
unauthenticated attackers to run code on Kubernetes targets, including cryptomining
containers.
CISA has analyzed 13 malware samples related to exploited Pulse Secure devices. CISA
encourages users and administrators to review the following 13 Malware Analysis Reports
(MARs) for threat actor Techniques, Tactics and Procedures (TTPs) and Indicators of
Compromise (IOCs).
Apple has released security updates to address several vulnerabilities in multiple products.
An attacker can exploit some of these vulnerabilities to take control of an affected device.
Oracle has released critical patch update for July 2021 contains 342 new security patches
for multiple vulnerabilities across multiple products. A remote attacker can exploit some of
these vulnerabilities to take control of an affected system.
Ubuntu has released security notices to resolve several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Cisco has released security updates to address several vulnerabilities in multiple Cisco
products. An attacker may exploit some of these vulnerabilities to take control of an
affected system.
NULL Pointer Dereference vulnerability has been discovered in Mitsubishi Electric's
Equipment- MELSEC-F Series. Successful exploitation of this vulnerability may cause a
Denial-of-Service (DoS) condition in communication with the product.
CVE ID: CVE-2021-2059 (High)
CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity
Advisory as well as updates to five alerts and advisories related to Industrial Control
Systems (ICS).
MITRE releases Common Weakness Enumeration (CWE) mentioning 25 most dangerous software
weaknesses which are often easy to find, exploit and can allow adversaries to completely
take over a system, steal data, or prevent an application from working.
CVE ID: CVE-2021-33910
Adobe has released security updates to address several vulnerabilities in multiple Adobe
products. An attacker can exploit some of these vulnerabilities to take control of an
affected system.
Google has released Chrome version 92.0.4515.107 for Windows, Mac, and Linux. This version
addresses vulnerabilities that an attacker can exploit to take control of an affected
system.
RedHat has released security updates to address multiple vulnerabilities in several
products. An attacker can exploit some of these vulnerabilities to take control of an
affected device.
It has been discovered that an attacker-controlled allocation using the alloca() function
can result in memory corruption, allowing to crash systemd- a suite of basic building blocks
for a Linux system and hence the entire operating system. It is recommended to upgrade your
systemd packages.
CVE ID: CVE-2021-33910
Multiple Vulnerabilities have been discovered in Linux kernel that may lead to a privilege
escalation, Denial of Service (DoS) or information leaks. It is recommended to upgrade your
linux packages.
CVE ID: CVE-2020-36311 (Medium), CVE-2021-3609, CVE-2021-33909, CVE-2021-34693
(Medium)
Oracle Solaris has released security update to address multiple vulnerabilities in third
party software that is included in Oracle Solaris distributions.
Juniper has released security bulletin to resolve multiple vulnerabilities in Juniper
Networks Junos OS and Junos OS Evolved. These vulnerabilities may allow an attacker to
expose information or cause a Denial of Service (DoS) condition.
CVE ID: CVE-2020-8284 (Low), CVE-2020-8286 (High), CVE-2020-8285 (High)
Microsoft has found an elevation of privilege vulnerability in multiple Window products.
This exists because of overly permissive Access Control Lists (ACLs) on multiple system
files, including the Security Accounts Manager (SAM) database. An attacker who successfully
exploited this vulnerability can run arbitrary code with SYSTEM privileges and can view,
change, or delete data or create new accounts with full user rights.
CVE ID: CVE-2021-36934 (HIgh)
Multiple vulnerabilities have been discovered in Citrix ADC and Citrix Gateway, and Citrix
SD-WAN WANOP. These vulnerabilities if exploited can result in uncontrolled resource
consumption, improper access control, and session fixation.
CVE ID: CVE-2021-22919, CVE-2021-22920, CVE-2021-22927
A Denial of Service (DoS) vulnerability has been discovered in a ethernet interface block of
MELSEC-F series. An attacker may cause DoS condition by sending specially crafted packets.
It is recommended to upgrade product versions.
CVE ID: CVE-2021-20596 (High)
A use after free vulnerability has been discovered in FortiManager and FortiAnalyzer fgfmsd
daemon that can allow a remote, non-authenticated attacker to execute unauthorized code as
root via sending a specifically crafted request to the fgfm port of the targeted device.
CVE ID: CVE-2021-32589 (High)
A buffer overflow vulnerability has been discovered in the TCP/IP stack of Juniper Networks
Junos OS which allows an attacker to send specific sequences of packets to the device
thereby causing a Denial of Service (DoS).
CVE ID: CVE-2021-0283 (High), CVE-2021-0284 (High)
Multiple vulnerabilities have been discovered in rabbitmq-server, a message-broker software.
It is recommended to upgrade the rabbitmq-server packages.
CVE ID: CVE-2017-4965 (Medium), CVE-2017-4966 (High), CVE-2017-4967 (Medium),
CVE-2019-11281 (Medium), CVE-2019-11287 (High), CVE-2021-22116 (High)
A Vulnerability has been discovered in nettle- a low level cryptographic library which can
result out of bounds memory access in signature verification. It is recommended to upgrade
nettle packages.
CVE ID: CVE-2021-20305 (High)
It has been discovered that a race condition in the CAN BCM networking protocol of the Linux
kernel leading to multiple use-after-free vulnerabilities. A local attacker can use this
issue to execute arbitrary code. The updates are available.
CVE ID: CVE-2021-3609
Apple has released security updates to address several vulnerabilities in multiple products.
An attacker can exploit some of these vulnerabilities to take control of an affected system.
Microsoft has released Security Updates to address multiple vulnerabilities in Microsoft
Edge Stable Channel . A remote attacker can exploit some of these vulnerabilities to take
control of an affected system.
CVE ID: CVE-2021-30559, CVE-2021-30541, CVE-2021-30560, CVE-2021-30561,
CVE-2021-30562, CVE-2021-30563, CVE-2021-30564
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-29707 (High), CVE-2021-25215 (High)
Cisco has released security updates to address multiple vulnerabilities in several Cisco
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2021-1422 (High), CVE-2018-0155 (High), CVE-2021-1397 (Medium)
Multiple vulnerabilities have been discovered in multiple NetApp Products. An attacker can
exploit these vulnerabilities to take control of an affected system.
Google has released Chrome version 91.0.4472.164 for Windows, Mac and Linux. This version
addresses vulnerabilities that an attacker can exploit to take control of an affected
system.
An elevation of privilege vulnerability has been observed in Windows Print Spooler service
while performing privileged file operations. An attacker who successfully exploits this
vulnerability can run arbitrary code with SYSTEM privileges which allow attacker to install
programs , view, change, or delete data & can create new accounts with full user rights.
CVE ID: CVE-2021-34481 (High)
Juniper Networks has released security updates to address multiple vulnerabilities in
several Junos OS products. An attacker can exploit these vulnerabilities to take control of
an affected system.
CISA has launched a new website to help public and private organisations to defend against
the rise in ransomware. This webpage is an interagency resource that provides organisation
with ransomware protection, detection, and response guidance.
Multiple vulnerabilities have been discovered in Ypsomed's Equipment- mylife Cloud &
mylife Mobile Application. Successful exploitation of these vulnerabilities can allow an
attacker to obtain sensitive application information or modify the integrity of data being
transmitted.
CVE ID: CVE-2021-27491 (Medium), CVE-2021-27495 (Medium), CVE-2021-27499 (Medium),
CVE-2021-27503 (Medium)
Multiple vulnerabilities have been discovered in QEMU- Machine emulator and virtualiser. An
attacker may exploit these vulnerabilities to take control of an affected system. The
security updates are available.
It has been discovered that libslirp- a general purpose TCP-IP emulator library incorrectly
handled certain header data lengths and udp packets. An attacker inside a guest can possibly
use these vulnerabilities to leak sensitive information from the host.
CVE ID: CVE-2020-29129 (Medium), CVE-2020-29130 (Medium), CVE-2021-3592 (Low),
CVE-2021-3593 (Low), CVE-2021-3594 (Low), CVE-2021-3595 (Low)
Cisco has released security updates to address multiple vulnerabilities in several Cisco
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
CVE ID: CVE-2020-3155 (High), CVE-2021-1422 (High)
Multiple vulnerabilities have been discovered in Mozilla. An attacker can exploit these
vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-29978 (Low), CVE-2021-29954 (High)
Multiple vulnerabilities have been discovered in Juniper Networks products. An attacker can
exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in HPE products. An attacker can exploit some
of these vulnerabilities to take control of an affected system.
Red Hat OpenShift Container Platform releases 4.6.38 with security updates to packages and
images to resolve vulnerability that tricked into adding or modifying properties.
CVE ID: CVE-2020-7598 (Medium)
It has been discovered that threat actors are actively targeting SonicWall Secure Mobile
Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and
End-Of-Life (EOL) 8.x firmware in an imminent ransomware campaign using stolen credentials.
Multiple vulnerabilities such as privilege escalation and logic error have been discovered
in several Huawei products. An attacker can exploit some of these vulnerabilities to take
control of an affected system.
CVE ID: CVE-2021-22396 (Medium), CVE-2021-22397 (Medium), CVE-2021-22398 (High)
Multiple vulnerabilities such as reflected Cross-Site Scripting (XSS) and Local Privilege
Escalation (LPE) have been discovered in Palo Alto Networks Prisma Cloud Compute web console
and Cortex XDR agent respectively. An attacker may exploit some of these vulnerabilities to
take control of an affected system.
CVE ID: CVE-2021-3043 (High), CVE-2021-3042 (High)
Citrix releases security update to address local privilege escalation vulnerability on
Windows Virtual Desktop Access (VDA) in Citrix Virtual Apps and Desktops.
CVE ID: CVE-2021-22928
SAP has released security updates to address vulnerabilities affecting multiple products. An
attacker can exploit some of these vulnerabilities to take control of an affected system.
CISA has issued emergency directive to mitigate windows print spooler service Remotely Code
Execution (RCE) vulnerability. An attacker can exploit RCE vulnerability with system level
privileges to quickly compromise the entire identity infrastructure of a targeted
organisation.
CVE ID: CVE-2021-34527 (Critical)
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A
remote attacker can exploit some of these vulnerabilities to take control of an affected
system.
Multiple vulnerabilities such as improper authentication and Denial-of-Service (DoS) have
been discovered in VMware ESXi, and VMware Cloud Foundation. An attacker can exploit these
vulnerabilities to take control of an affected system. The updates are available.
CVE ID: CVE-2021-21994 (High), CVE-2021-21995 (Medium)
CISA has created a webpage to provide information and guidance for the recent ransomware
attack against Kaseya customers that include Managed Service Providers (MSPs) and their
downstream customers.
Adobe has released security updates to address several vulnerabilities in multiple Adobe
products. An attacker can exploit some of these vulnerabilities to take control of an
affected system.
Siemens has released security updates to address multiple vulnerabilities in several Siemens
products. An attacker can exploit some of these vulnerabilities to take control of an
affected system.
Multiple vulnerabilities have been discovered in several products of Schneider Electric. An
attacker can exploit some of these vulnerabilities to take control of an affected system.
The updates are available.
Cisco has released security updates to address multiple vulnerabilities in several Cisco
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
A RCE vulnerability has been verified by Huawei in Huawei HG532. Successful exploitation by
sending malicious packets to port 37215 can lead to the remote execution of arbitrary code.
CVE ID: CVE-2017-17215 (High)
The Man-In-The-Middle (MITM) attack vulnerability has been discovered in Apache Cassandra.
The local attacker without access to the Apache Cassandra process or configuration files can
capture user names and passwords to access the JMX interface which may cause unauthorized
operations and may allow access to sensitive information. The affected products are Apache
Cassandra all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2.
CVE ID: CVE-2020-13946 (Medium), CVE-2019-2684 (Medium)
Kaseya has released VSA version 9.5.7a for their VSA On-Premises software. This version
addresses vulnerabilities that enabled the ransomware attacks on Kaseya’s customers.
It has been discovered that SOGo- a fully supported and trusted groupware server does not
validate the signatures of any Security Assertion Markup Language (SAML) assertions it
receives. Any actor with network access to the deployment can impersonate users when SAML is
the authentication method. It is recommended to upgrade the sogo packages.
CVE ID: CVE-2021-33054 (High)
Multiple vulnerabilities have been discovered in jetty and netty for AMQ Broker- a
high-performance messaging implementation based on ActiveMQ Artemis. The updates are now
available.
Multiple vulnerabilities have been discovered in Apache Tomcat. An attacker can exploit
these vulnerabilities to take control of an affected system. The updates are now available.
A vulnerability has been discovered in Serv-U Managed File Transfer Server and Serv-U
Secured FTP. A threat actor who successfully exploited this vulnerability can run arbitrary
code with privileges , install & run malicious programs and may view, change, or delete
data on the affected system. The vulnerability exists in the latest Serv-U version 15.2.3
HF1 and all prior versions.
CVE ID: CVE-2021-35211
A stored Cross Site Scripting (XXS) vulnerability has been discovered in ArcGIS Server
Services Directory that may allow a remote authenticated attacker to pass and store
malicious strings in the ArcGIS Services Directory. The affected version are ArcGIS Server
Services Directory version 10.8.1 and below.
CVE ID: CVE-2021-29105 (Medium)
It has been discovered that PuTTY proceeds with establishing an SSH session even if it has
never sent a substantive authentication response. This makes it easier for an
attacker-controlled SSH server to present a later spoofed authentication prompt (that the
attacker can use to capture credential data, and use that data for purposes that are
undesired by the client user).
CVE ID: CVE-2021-36367
A vulnerability has been discovered in the XSI-Actions interface of Cisco BroadWorks
Application Server that allows an authenticated, remote attacker to access sensitive
information on an affected system.
CVE ID: CVE-2021-1562 (Medium)
A reflected cross site scripting (XSS) vulnerability has been discovered in
dotAdmin/#/c/links of dotCMS that allows attackers to execute arbitrary commands or HTML via
a crafted payload. The affected version is dotCMS 21.05.1.
CVE ID: CVE-2021-35361
Multiple Out-of-Bound read vulnerability in SonicWall Switch when handling LLDP Protocol
allows an attacker to cause a system instability or potentially read sensitive information
from the memory locations.
CVE ID: CVE-2021-20024 (High)
It has been discovered that the HTTP server of Everything provided by voidtools contains an
HTTP header injection vulnerability. On the web browser of a user who accessed a website
which uses the product 'Everything' an arbitrary script may be executed or the displayed
page may be altered.
CVE ID: CVE-2021-20784 (Medium)
CISA has published a new Malware Analysis Report (MAR) on DarkSide Ransomware and issue
updated best practices for preventing business disruption from ransomware attacks.
A vulnerability has been discovered in the Bidirectional Forwarding Detection (BFD) offload
implementation of Cisco catalyst series switches software which allow an unauthenticated
remote attacker to cause a crash of the iosd process, causing a denial of Service (DoS)
condition.
CVE ID: CVE-2018-0155 (High)
CISA has released an analysis and infographic detailing the findings from the Risk and
Vulnerability Assessments (RVAs) conducted in Fiscal Year (FY) 2020 across multiple sectors.
CVE ID: CVE-2020-7008 (High), CVE-2020-7004 (High), CVE-2020-10601 (High),
CVE-2020-7000 (High), CVE-2020-10599 (Critical)
Multiple vulnerabilities have been discovered in VISAM's Equipment- VBASE- an automation
platform. The successful exploitation of these vulnerabilities can allow an attacker to read
the contents of unexpected files, escalate privileges to system level, execute arbitrary
code on the targeted system, bypass security mechanisms, and discover the cryptographic key
for the web login. The affected products are VBASE Editor, Version 11.5.0.2 and VBASE
Web-Remote Module.
CVE ID: CVE-2020-7008 (High), CVE-2020-7004 (High), CVE-2020-10601 (High),
CVE-2020-7000 (High), CVE-2020-10599 (Critical)
Multiple vulnerabilities have been discovered in MDT Software's Equipment- MDT AutoSave. The
successful exploitation of these vulnerabilities by an attacker with detailed understanding
of the product architecture and database structure can lead to full remote execution on the
Remote MDT Server without an existing user or password.
An improper input validation vulnerability has been discovered in Rockwell Automation's
Equipment- MicroLogix 1100. Successful exploitation of this vulnerability can allow an
attacker to create a Denial-of-Service (DoS) condition.
CVE ID: CVE-2021-33012 (High)
Multiple vulnerabilities have been discovered in scilab, particularly in ezXML embedded
library. It recommend to upgrade the scilab packages.
CVE ID: CVE-2021-30485, CVE-2021-31229, CVE-2021-31347, CVE-2021-31348,
CVE-2021-31598
Huawei has released software updates to address DoS vulnerability in the Bluetooth function
of some Huawei smartphones. An attacker can install third-party apps to send specific
broadcasts, causing the Bluetooth module to crash.
CVE ID: CVE-2021-22399 (Medium)
Android has released security bulletin to address multiple security vulnerabilities
affecting multiple Android devices. Security patch levels of 2021-07-05 or later address all
of these issues.
Cisco has released security updates to address multiple vulnerabilities in several Cisco
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Multiple vulnerabilities such as StartTLS stripping and FTP PASV responses have been
discovered in Net::IMAP and NET::FTP respectively of Ruby. The affected versions are Ruby
2.6.7 and earlier, Ruby 2.7.3 and earlier, and Ruby 3.0.1 and earlier.
CVE ID: CVE-2021-32066, CVE-2021-31810
It has been discovered that Avahi incorrectly handled termination signals on the Unix socket
and certain hotnames. A local attacker can possibly use these vulnerabilities to cause Avahi
to hang or crash, resulting in a Denial of Service (DoS).
CVE ID: CVE-2021-3468 (Medium), CVE-2021-3502 (Medium)
Multiple vulnerabilities have been discovered in PHP. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2020-7068 (Low), CVE-2020-7071 (Medium), CVE-2021-21702, CVE-2021-21704,
CVE-2021-21705
A use-after-free vulnerability has been discovered in net/bluetooth/hci_event.c when
destroying an hci_chan of kernel. An update is now available for Red Hat Enterprise Linux
8.1 Extended Update Support.
CVE ID: CVE-2021-33034 (High)
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these
vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-28165 (High), CVE-2021-27568 (Critical), CVE-2021-29711 (Medium),
CVE-2021-27223 (High), CVE-2021-26296 (High)
Huawei has released security updates to address CPU vulnerabilities "Meltdown" and "Spectre"
in multiple products. A local attacker can exploit these vulnerabilities to read memory
information belonging to other processes or other operating system kernel.
CVE ID: CVE-2017-5715 (Medium), CVE-2017-5753 (Medium), CVE-2017-5754 (Medium)
Multiple vulnerabilities have been discovered in multiple Philips Clinical Collaboration
Platform Portal (officially registered as Vue PACS) products. An attacker can exploit some
of these vulnerabilities to take control of an affected system.
Microsoft has security updates to address a Remote Code Execution (RCE) vulnerability known
as PrintNightmare in the Windows Print spooler service.
CVE ID: CVE-2021-34527 (Critical)
Multiple vulnerabilities discovered in OpenSSL affects various Cisco products. Exploitation
of these vulnerabilities can allow an attacker to use a valid non-Certificate Authority (CA)
certificate to act as a CA and sign a certificate for an arbitrary organisation, user or
device, or to cause a Denial of Service (DoS) condition.
CVE ID: CVE-2021-3449 (Medium), CVE-2021-3450 (High)
Multiple vulnerabilities have been discovered in multiple Joomla! products. An attacker can
exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-26039 (Low), CVE-2021-26038 (Low), CVE-2021-26037 (Low),
CVE-2021-26036 (Low), CVE-2021-26035 (Low)
An improper access control vulnerability in QNAP NAS running HBS 3 (Hybrid Backup Sync)
certain versions has been resolved. If exploited this vulnerability allows attackers to
compromise the security of the operating system.
Multiple vulnerabilities such as information disclosure and OS command injection have been
discovered in ELECOM routers. An unauthenticated network-adjacent attacker can possibly
obtain sensitive information or execute arbitrary OS commands.
CVE ID: CVE-2021-20738 (Medium), CVE-2021-20739 (Medium)
An out-of-bounds read vulnerability has been discovered in the uv__idna_to_ascii() function
of Libuv- an asynchronous event notification library which can result in Denial of Service
(DoS) or information disclosure. It is recommended to upgrade the libuv1 packages.
CVE ID: CVE-2021-22918
Multiple vulnerabilities have been discovered in PHP-a widely-used open source general
purpose scripting language which can result a Server-Side Request Forgery (SSRF) bypass of
the FILTER_VALIDATE_URL check and Denial of Service (DoS) or potentially the execution of
arbitrary code in the Firebird PDO. It is recommended to upgrade the php7.3 packages.
CVE ID: CVE-2021-21704, CVE-2021-21705
A vulnerability has been in XStream- a Java library to serialize objects to and from XML
which can allow a remote attacker to execute commands of the host only by manipulating the
processed input stream. It is recommended to upgrade the libxstream-java packages.
CVE ID: CVE-2021-29505 (High)
A recent supply-chain ransomware attack is leveraging a vulnerability in Kaseya VSA software
against multiple Managed Service Providers (MSPs) and their customers. CISA issued guideline
to protect Server & End Point against supply chain ransomware attack.
Multiple vulnerabilities have been discovered in OpenEXR, a library and tools for the
OpenEXR high dynamic-range (HDR) image format. An attacker can cause a Denial of Service
(DoS) through application crash and excessive memory consumption. It is recommended to
upgrade the openexr packages.
A vulnerability has been discovered in iconv program of the GNU C Library (aka glibc or
libc6) 2.31 and earlier. An attacker can exploit this vulnerability by crafting a sequence
of invalid multi-byte input to an application using the iconv program and causing the
application to enter an infinite loop, leading to a Denial-of-Service (DoS).
CVE ID: CVE-2016-10228
Multiple vulnerabilities have been discovered in multiple NetApp Products. An attacker can
exploit these vulnerabilities to take control of an affected system.
New versions of Azure PowerShell have been released to address a .NET Core remote code
execution vulnerability CVE-2021-24112 in PowerShell versions 7.0 and 7.1. It recommend to
install the updated versions as soon as possible.
Multiple vulnerabilities have been discovered in multiple QNAP NAS products. An attacker can
exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-28802, CVE-2021-28804, CVE-2020-36196, CVE-2021-28803,
CVE-2020-25684, CVE-2020-25685, CVE-2020-25686
An use of password hash with insufficient computational effort vulnerability has been
discovered in Bachmann Electronic's Equipment- All M-Base Controllers. The successful
exploitation of this vulnerability can allow an unauthenticated remote attacker to gain
access to the password hashes of the controller if Security Level 4 is not in use as
recommended.
CVE ID: CVE-2020-16231 (High)
Multiple vulnerabilities such as incorrect implementation of authentication algorithm, and
improper restriction of XML external entity reference have been discovered in Mitsubishi
Electric's Equipment- Multiple Air Conditioning Systems. The successful exploitation of
these vulnerability may allow an attacker to disclose some of the data and configuration
information of the air conditioning system or may cause a Denial-of-Service (DoS) condition.
CVE ID: CVE-2021-20593 (High), CVE-2021-20595 (Critical)
An out-of-bounds read vulnerability has been discovered in Delta Electronics' Equipment-
DOPSoft, a software supporting the DOP-100 series HMI screen. Successful exploitation of
this vulnerabilities can allow arbitrary code execution and disclose information.
CVE ID: CVE-2021-27455 (Low), CVE-2021-27412(High)
An improper input validation vulnerability has been discovered in Sensormatic Electronics'
Equipment- C-CURE 9000, a security and event management System . The successful exploitation
of this vulnerability can allow remote execution of lower privileged Windows programs. The
affected products are C-CURE 9000 all versions prior to 2.80.
CVE ID: CVE-2021-27660 (High)
An improper privilege management vulnerability has been discovered in Johnson Controls'
Equipment- Facility Explorer SNC Series Supervisory Controller Version 11. Successful
exploitation of this vulnerability can give an authenticated user an unintended level of
access to the controller’s file system.
CVE ID: CVE-2021-27661 (High)
It has been discovered that malformed archive can cause panic or memory exhaustion in
golang. An update for go-toolset-1.15 and go-toolset-1.15-golang is now available for Red
Hat Developer Tools.
CVE ID: CVE-2021-33196
It has been discovered in Grafana- a parts of the HTTP API allow unauthenticated use. This
makes it possible to run a Denial of Service (DoS) attack against the server running
Grafana.
CVE ID: CVE-2019-15043 (High)
Google has released Chrome version 91.0.4472.147 (Platform version: 13904.77.0) for most
Chrome OS devices. This version addresses vulnerabilities that an attacker can exploit to
take control of an affected system.
It has been discovered that the Microsoft Windows Print Spooler service fails to restrict
access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated
attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.
CVE ID: CVE-2021-1675 (High)
CISA has released a new module in its Cyber Security Evaluation Tool (CSET), the Ransomware
Readiness Assessment (RRA). CSET is a desktop software tool that guides network defenders
through a step-by-step process to evaluate their cybersecurity practices on their networks.
A vulnerability has been discovered in ipmitool, an utility for IPMI control with kernel
driver or LAN interface. Neglecting proper checking of input data might result in buffer
overflows and possible remote code execution. It is recommended to upgrade the ipmitool
packages.
CVE ID: CVE-2020-5208 (High)
A vulnerability has been discovered in node-bl: a Node.js module to access multiple buffers
with buffer interface. By crafted user input uninitialised memory might be exposed due to a
buffer over-read . It is recommended to upgrade the node-bl packages.
CVE ID: CVE-2020-8244 (Medium)
Multiple Vulnerabilities have been discovered in jetty and jenkins plugin of OpenShift
Container Platform. An update is now available for Red Hat OpenShift Container Platform
3.11.
CVE ID: CVE-2021-21642 (High), CVE-2021-21644 (Medium), CVE-2020-27216 (High),
CVE-2020-27218 (Medium), CVE-2020-27223 (Medium), CVE-2021-21643 (Medium), CVE-2021-21645
(Medium)
Red Hat has released security updates to address numerous vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Multiple vulnerabilities such as integer truncation privilege escalation and exposed
hazardous function Remote Code Execution (RCE) have been discovered in Trend Micro password
manager. These vulnerabilities allow an unprivileged local attacker or client to trigger a
buffer overflow or manipulate the registry and escalate privileges on affected
installations.
CVE ID: CVE-2021-32461 (High), CVE-2021-32462 (High)
A vulnerability has been discovered in supported versions of Access Management (AM). Using a
well-constructed request an attacker may be able to perform Remote Code Execution (RCE) by
sending a specially crafted request to an exposed remote endpoint.
CVE ID: CVE-2021-35464
CISA is developing a catalog of bad practices that are exceptionally risky especially in
organisations supporting Critical Infrastructure or National Critical Functions (NCFs) such
as use of unsupported (or end-of-life) software & use of known/fixed/default passwords
and credentials. The presence of these bad practices in organisations that support Critical
Infrastructure or NCFs is exceptionally dangerous and increases risk.
An authentication bypass using an alternate path or channel vulnerability has been
discovered in Claroty's Equipment- Secure Remote Access (SRA) Site. The successful
exploitation of this vulnerability enables an attacker with local (Linux) system access to
bypass access controls for the central configuration file of the SRA Site software.
CVE ID: CVE-2021-32958 (Medium)
An improper restriction of operations within the bounds of a memory buffer vulnerability has
been discovered in JTEKT Corporation's Equipment- TOYOPUC PLC. The successful exploitation
of this vulnerability can crash the device being accessed.
CVE ID: CVE-2021-27477 (Medium)
An improper restriction of XML external entity reference vulnerability has been discovered
in Panasonic's Equipment- FPWIN Pro programming control software. The successful
exploitation of this vulnerability can allow a remote attacker to retrieve sensitive
information from the file system where affected software is installed. The affected version
are FPWIN Pro programming control software all versions 7.5.1.1 and prior.
CVE ID: CVE-2021-32972 (Medium)
A cross-site scripting vulnerability has been discovered in Exacq Technologies'Equipment-
exacqVision Enterprise Manager software. The successful exploitation of this vulnerability
can allow an attacker to send malicious requests on behalf of the victim. The affected
versions are exacqVision Enterprise Manager version 20.12 and prior.
CVE ID: CVE-2021-27658 (Medium)
A cross-site scripting vulnerability has been discovered in Exacq Technologies'Equipment-
exacqVision Web Service software. The successful exploitation of this vulnerability can
allow an attacker to send malicious requests on behalf of the victim. The affected versions
are exacqVision Web Service version 21.03 and prior.
CVE ID: CVE-2021-27659 (Medium)
A XML External Entity (XXE) vulnerability has been discovered in libjdom2-java, a library
for reading and manipulating XML documents. An attacker can cause a Denial of Service (DoS)
attack via a specially-crafted HTTP request. It is recommended to upgrade the libjdom2-java
packages.
CVE ID: CVE-2021-33813 (High)
Multiple vulnerabilities have been discovered in jetty of OpenShift Container Platform
4.6.36. An attacker can exploit these vulnerabilities to take control of an affected system.
The updates are now available.
CVE ID: CVE-2020-27216 (High), CVE-2020-27218 (Medium), CVE-2020-27223 (Medium)
A possible heap corruption with LzmaUefiDecompressGetInfo vulnerability has been discovered
in EDK2 ( Embedded Development Kit)- a project to enable UEFI support for Virtual Machines
(VM). An update for edk2 is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2021-28211 (Medium)
Multiple vulnerabilities such as privilege escalation and arbitrary file upload have been
discovered in ProfilePress Plugin of WordPress. The affected versions are ProfilePress 3.0-
3.1.3.
CVE ID: CVE-2021-34621 (Critical), CVE-2021-34622 (Critical), CVE-2021-34623
(Critical), CVE-2021-34624 (Critical)
A privilege escalation vulnerability has been discovered in Nessus Agent which can allow a
Nessus administrator user to upload a specially crafted file that can lead to gaining
administrator privileges on the Nessus host. The affected versions are Nessus Agent 8.2.5
and earlier.
CVE ID: CVE-2021-20106 (Medium)
Multiple vulnerabilities have been discovered in the web services interface of Cisco
Adaptive Security Appliance (ASA) software and Cisco Firepower Threat Defense (FTD) software
which can allow an unauthenticated, remote attacker to conduct Cross-Site Scripting (XSS)
attacks against a user of the web services interface of an affected device.
CVE ID: CVE-2020-3580(Medium), CVE-2020-3581(Medium), CVE-2020-3582(Medium)
A memory corruption vulnerability has been discovered in the DMG File Format Handler (FFH)
functionality of PowerISO 7.9. A specially crafted DMG file can lead to an out-of-bounds
write. An attacker can provide a malicious file to trigger this vulnerability. The updates
are now available.
CVE ID: CVE-2021-21871 (High)
Multiple vulnerabilities have been discovered in Zimbra- a WebRTC stream aggregator. It is
recommended to use Patch 16 for the Zimbra 9.0.0, and Patch 23 for Zimbra 8.8.15.
CVE ID: CVE-2021-34807, CVE-2021-35209, CVE-2021-35208, CVE-2021-35207
Multiple vulnerabilities have been discovered in klibc that can lead to the execution of
arbitrary code, privilege escalation, or Denial of service (DoS). It is recommended to
upgrade the klibc packages.
CVE ID: CVE-2021-31870 (Critical), CVE-2021-31871 (High), CVE-2021-31872 (Critical),
CVE-2021-31873 (Critical)
It has been discovered that XML parsers used by XMLBeans does not set the properties need to
protect the user from malicious XML input. Vulnerabilities include the possibility for XML
Entity Expansion attacks which can lead to a Denial-of-Service (DoS). It is recommended to
upgrade the xmlbeans packages.
CVE ID: CVE-2021-23926 (Critical)
It has been discovered that some languages in Prism- a syntax highlighting library are
vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight
untrusted text, an attacker can craft a string that will take a very very long time to
highlight. The affected versions are Prism version before 1.24.0.
CVE ID: CVE-2021-32723
It has been discovered that a cross-site scripting vulnerability in Fudousan plugin allows a
remote authenticated attacker to inject an arbitrary script via unspecified vectors. The
affected versions are udousan plugin ver5.7.0 and earlier, Fudousan Plugin Pro Single-User
Type ver5.7.0 and earlier, and Fudousan Plugin Pro Multi-User Type ver5.7.0 and earlier.
CVE ID: CVE-2021-20749
It has been discovered that Inkdrop allows an attacker to execute arbitrary OS commands on
the system where it runs by loading a file or code snippet containing an invalid iframe into
Inkdrop. The affected versions are Inkdrop versions prior to v5.3.1.
CVE ID: CVE-2021-20745
Multiple vulnerabilities such as Man-In-The-Middle(MITM) attack and information disclosure
have been discovered in bluez- a package with Bluetooth tools and daemons . It is
recommended to upgrade the bluez packages.
CVE ID: CVE-2020-26558 (Medium), CVE-2021-0129 (Medium)
Security update has been released for some types of Intel CPUs microcode to resolve multiple
vulnerabilities which can result in privilege escalation in combination with VT-d and
various side channel attacks.
CVE ID: CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, CVE-2020-24513
Multiple vulnerabilities have been discovered in AVEVA Software's Equipment- System
Platform. Successful exploitation of these vulnerabilities can allow a malicious entity to
achieve arbitrary code execution with system privileges or cause a Denial-of-Service (DoS)
condition. The security updates are now available.
Multiple Vulnerabilities have been discovered in Ceph- distributed storage and file system.
An attacker can use these vulnerabilities to take control of an affected system.
CVE ID: CVE-2020-25678 (Medium), CVE-2020-27781 (High), CVE-2020-27839 (Medium),
CVE-2021-20288 (High), CVE-2021-3509 (Medium), CVE-2021-3524 (Medium), CVE-2021-3531
(Medium)
NVIDIA has released a software security update for NVIDIA GeForce Experience software that
address multiple vulnerabilities such as information disclosure, data tampering or Denial of
Service(DoS).
CVE ID: CVE-2021-1073 (High)
Multiple vulnerabilities such as out-of-bounds read, out-of-bounds write and improper
restriction of operations within the bounds of a memory buffer have been discovered in FATEK
Automation's Equipment- WinProladder- a PLC. Successful exploitation of these
vulnerabilities can allow for the execution of arbitrary code.
CVE ID: CVE-2021-32990 (High), CVE-2021-32988 (High), CVE-2021-32992 (High)
A clear text transmission of sensitive information vulnerability has been discovered in
Philips' Equipment- Interoperability Solution XDS. Successful exploitation of this
vulnerability can allow an attacker to read the LDAP system credentials by gaining access to
the network channel used for communication. This risk applies to configurations using LDAP
via TLS and where the domain controller returns LDAP referrals.
CVE ID: CVE-2021-32966 (Low)
A vulnerability has been discovered in libgcrypt20, a crypto library. Mishandling of ElGamal
encryption results in a possible side-channel attack and an interoperability problem with
keys not generated by GnuPG/libgcrypt. It is recommended to upgrade the libgcrypt20
packages.
CVE ID: CVE-2021-33560 (High)
Google has released Chrome version 91.0.4472.123/.124 for Windows, Mac, and Linux. This
version addresses vulnerabilities that an attacker can exploit to take control of an
affected system.
It has been discovered that RabbitMQ- AMQP server written in Erlang incorrectly handled
certain inputs. An attacker can possibly use this issue to cause a Denial of Service (DoS).
CVE ID: CVE-2021-22116 (High), CVE-2019-11287 (High)
It has been discovered that Emote interactive remote mouse on Windows allows attackers to
execute arbitrary programs as administrator by using the Image Transfer Folder (ITF) feature
to navigate to cmd.exe. It binds to local ports to listen for incoming connections. The
affected version is Emote Interactive Remote Mouse 3.008.
CVE ID: CVE-2021-35448
Dell is releasing remediations for multiple security vulnerabilities affecting the
BIOSConnect and HTTPS Boot features such as improper certificate validation and buffer
overflow. An attacker may exploit these vulnerabilities using a person-in-the-middle attack
which may lead to a Denial of Service (DoS) or run arbitrary code and bypass UEFI
restrictions.
CVE ID: CVE-2021-21571 (Medium), CVE-2021-21572 (High), CVE-2021-21573 (High),
CVE-2021-21574 (High)
It has been discovered that LoadBalancer Service type don't create a HNS policy for empty or
invalid external loadbalancer IP in kubernetes, this can lead to Man In The Middle (MITM)
attack. The security update components for Windows Container Support for Red Hat OpenShift
2.0.1 are now available.
CVE ID: CVE-2021-25736
An out of bound access has been discovered while processing read commands in QEMU. An update
for qemu-kvm-rhev is now available for Red Hat Virtualization for Red Hat Virtualization
Host 7.
CVE ID: CVE-2020-29443 (Low)
Multiple vulnerabilities have been discovered in Citrix Hypervisor each of which may allow
privileged code in a guest VM which cause the host to crash or become unresponsive. The
affected version is Citrix Hypervisor 8.2 LTSR.
CVE ID: CVE-2021-3416 (Medium), CVE-2021-20257
Multiple vulnerabilities have been discovered in linux-oem-5.10 , a Linux kernel for OEM
systems. An attacker can exploit these vulnerabilities to take control of an affected
system.
It has been discovered that the blockchain node in FISCO-BCOS may have a vulnerability when
dealing with unformatted packet and lead to a crash. The affected version is FISCO-BCOS
V2.7.2.
CVE ID: CVE-2021-35041
A vulnerability has been discovered in OpenGrok- a fast and usable source code search and
cross reference engine that allows low privileged attacker with network access via HTTPS to
compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of
OpenGrok.
CVE ID: CVE-2021-2322
Multiple vulnerabilities have been discovered in Linux kernel. An attacker can exploit some
of these vulnerabilities to take control of an affected system.
An improper input validation vulnerability has been discovered in python flask that can
result in large amount of memory usage possibly leading to Denial of Service (DoS). This
vulnerability is exploitable via attacker provides JSON data in incorrect encoding.
CVE ID: CVE-2018-1000656 (High)
Red Hat has released security updates to address numerous vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
An improper authorization vulnerability has been discovered in Palo Alto Networks Cortex
XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR
server to perform unauthorized actions through the REST API.
CVE ID: CVE-2021-3044 (Critical)
Multiple Vulnerabilities such as heap-based buffer overflow, out-of-bounds write, and
improper restriction of operation within the bounds of a memory buffer have been discovered
in Advantech's Equipment. Successful exploitation of these vulnerabilities can result in
memory corruption and code execution.
CVE ID: CVE-2021-33000 (High), CVE-2021-33002 (High), CVE-2021-33004 (High)
It has been discovered that VMware Tools for Windows, VMRC for Windows and VMware App
Volumes contain a local privilege escalation vulnerability. Updates are available to
remediate this vulnerability in affected VMware products.
CVE ID: CVE-2021-21999
It has been discovered that OpenEXR- tools for the OpenEXR image format incorrectly handled
certain malformed EXR image files. If a user is tricked into opening a crafted EXR image
file, a remote attacker can cause a Denial of Service (DoS), or possibly execute arbitrary
code.
CVE ID: CVE-2021-3605, CVE-2021-26260 (Medium), CVE-2021-20296 (Medium),
CVE-2021-23215 (Medium), CVE-2021-3598
Multiple vulnerabilities have been discovered in Red Hat Virtualization Host. An update for
imgbased, redhat-release-virtualization-host, and redhat-virtualization-host is now
available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8.
CVE ID: CVE-2021-27219 (High), CVE-2021-3501 (High), CVE-2021-3560 (High),
CVE-2020-24489
It has been discovered that out-of-bound heap buffer access via an interrupt ID field, and
OOB access during mmio operations may lead to DoS in qemu for virt and virt-devel. An update
for the virt:8.2 and virt-devel:8.2 modules is now available for Advanced Virtualization for
RHEL 8.2.1.
CVE ID: CVE-2020-13754 (Medium), CVE-2021-20221 (Medium)
It has been discovered that the server variable support for Service Provider (SP) module for
Microsoft's IIS is implemented incorrectly and vulnerable to header smuggling or spoofing
attacks. This vulnerability affects all versions of the SP module since V3.0.0 when the IIS
7+ module is used. The updated version is now available.
Multiple vulnerabilities have been discovered in Zephyr Bluetooth LE Link Layer and L2CAP
implementation. An attacker can exploit some of these vulnerabilities to take control of an
affected system.
Multiple Vulnerabilities have been discovered in Thunderbird - Mozilla Open Source mail and
newsgroup client If a user is tricked into opening a specially crafted website in a browsing
context, an attacker can potentially exploit these to cause a Denial of Service (DoS),obtain
sensitive information, spoof the UI, bypass security restrictions or execute arbitrary code.
. It is recommended to update Thunderbird package versions.
An authentication bypass vulnerability in the VMware Carbon Black App Control management has
been discovered Updates are available to remediate this vulnerability in the affected VMware
product.
CVE ID: CVE-2021-21998 (Critical)
Huawei has released software updates to resolve an improper permission assignment
vulnerability in Huawei LTE USB Dongle products.
CVE ID: CVE-2021-22382
A command injection vulnerability in McAfee MVISION EDR (MVEDR) prior to 3.4.0 has been
discovered which allows an authenticated MVEDR administrator to trigger the EDR client to
execute arbitrary commands through PowerShell using the EDR functionality 'execute
reaction'. The update is now available.
CVE ID: CVE-2021-31838 (High)
It has been discovered that Lexmark printer software G2 installation package can allow a
local attacker to execute arbitrary code on the system, caused by an unquoted service path
vulnerability in the LM__bdsvc. By placing a specially-crafted file, an attacker can exploit
this vulnerability to execute arbitrary code on the system. The affected version is Lexmark
Printer Software G2 Installation Package 1.8.0.0.
Multiple vulnerabilities have been discovered in Dovecot- IMAP and POP3 email server. An
attacker can possibly use these vulnerabilities to validate tokens using arbitrary keys or
inject plaintext commands before STARTTLS negotiation.
CVE ID: CVE-2021-33515, CVE-2021-29157
A Cross Site Scripting (XSS) vulnerability has been discovered in Hitachi application server
in which Help allows a remote attacker to inject an arbitrary script via unspecified
vectors. The affected version is Hitachi Application Server V10 Manual version 10-11-01 foe
Windows and UNIX.
CVE ID: CVE-2021-20741
A vulnerability has been discovered in eLabFTW- an open source electronic lab notebook for
research labs which allows an attacker to make GET requests on behalf of the server. It is
"blind" because the attacker cannot see the result of the request. The affected versions are
eLabFTW prior to eLabFTW 4.0.0.
CVE ID: CVE-2021-32698 (Medium)
It has been discovered that Apache Nuttx (incubating) is vulnerable to integer wrap-around
in functions malloc, realloc and memalign. This improper memory assignment can lead to
arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote
code injection/execution. The affected versions are Apache Nuttx (incubating) versions prior
to 10.1.0.
CVE ID: CVE-2021-26461
Multiple vulnerabilities have been discovered in Apache HTTP Server which can allow a remote
attacker possibly to use this issue to cause Apache to crash, resulting in a Denial of
Service (DoS). It is recommended to update apache2 packages.
CVE ID: CVE-2021-26691, CVE-2020-35452(High), CVE-2021-30641(Medium),
CVE-2021-26690(High), CVE-2020-13950(High)
A vulnerability in the restricted shell of Cisco Evolved Programmable Network (EPN) Manager,
Cisco Identity Services Engine (ISE), and Cisco Prime Infrastructure can allow an
authenticated, local attacker to identify directories and write arbitrary files to the file
system.
CVE ID: CVE-2021-1306 (Medium)
It has been discovered that White Shark System (WSS)- a browser based collaborative office
platform has a sensitive information disclosure vulnerability. Remote attackers can obtain
username information for all users of the current site. The affected version is White Shark
System 1.3.2.
CVE ID: CVE-2020-20472
A deserialization vulnerability has been discovered in Huawei AnyOffice product .An attacker
can construct a specific request to exploit this vulnerability. Successful exploitation of
vulnerability can execute remote malicious code injection to control the device.
CVE ID: CVE-2021-22439
Multiple vulnerabilities have been discovered in multiple products of NVIDIA Jetson. An
attacker can exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Tor- a connection-based low-latency
anonymous communication system, which can result in Denial of Service (DoS) or spoofing. It
is recommended to upgrade the tor packages.
CVE ID: CVE-2021-34548, CVE-2021-34549, CVE-2021-34550
Red Hat has released security updates to address numerous vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Multiple vulnerabilities have been discovered in GRUB 2- GRand Unified Bootloader which can
allow an attacker to bypass UEFI Secure Boot restrictions. The updates are available.
CVE ID: CVE-2021-20225(Medium), CVE-2020-14372(High), CVE-2020-25632(High),
CVE-2020-27749(Medium), CVE-2020-27779(High), CVE-2021-20233(High)
Multiple vulnerabilities have been discovered in nettle- a low level cryptographic library
which can result in Denial of Service (DoS) (remote crash in RSA decryption via specially
crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of
ECDSA signatures. It is recommended to upgrade your nettle packages.
CVE ID: CVE-2021-3580, CVE-2021-20305
Apple has released security updates to address vulnerability in iMovie 10.2.4. An attacker
can exploit this vulnerability to take control of an affected device.
CVE ID: CVE-2021-30757
Multiple vulnerabilities have been discovered in Cisco Jabber for Windows, Cisco Jabber for
Mac, and Cisco Jabber for mobile platforms which can allow an attacker to access sensitive
information or cause a Denial of Service (DoS) condition.
CVE ID: CVE-2021-1569(Medium), CVE-2021-1570(Medium)
A Denial of Service (DoS) vulnerability has been discovered in VMware Tools for Windows. The
updates are available to remediate this vulnerability in affected VMware products.
CVE ID: CVE-2021-21997(Low)
Multiple vulnerabilities have been discovered in Rockwell Automation's Equipment- ISaGRAF5
Runtime. Successful exploitation of these vulnerabilities may result in Remote Code
Execution (RCE), information disclosure, or a Denial-of-Service (DoS) condition.
CVE ID: CVE-2020-25176 (Critical), CVE-2020-25184 (High), CVE-2020-25178 (High),
CVE-2020-25182 (Medium), CVE-2020-25180 (Medium)
A deserialization of untrusted data vulnerability has been discovered in M&M Software
GmbH's Equipment- fdtCONTAINER. If an attacker can socially engineer a valid user into
loading a manipulated project file, malicious code can be executed without notice.
CVE ID: CVE-2020-12525 (High)
Multiple vulnerabilities such as open redirect, and relative path traversal have been
discovered in Advantech's Equipment- WebAccess/SCADA- a browser-based SCADA software package
. Successful exploitation of these vulnerabilities can allow an attacker to read files
outside the intended directory or redirect a user to a malicious webpage.
CVE ID: CVE-2021-32956 (High), CVE-2021-32954 (Medium)
An improper restriction of operations within the bounds of a memory buffer vulnerability has
been discovered in Softing's Equipment- OPC-UA C++ SDK. A remote attacker may be able to
crash the device, resulting in a Denial-of-Service (DoS) condition.
CVE ID: CVE-2021-32994 (High)
Google has released Chrome version 91.0.4472.114 for Windows, Mac, and Linux. This version
addresses vulnerabilities that an attacker can exploit to take control of an affected
system.
CVE ID: CVE-2021-30554 (High), CVE-2021-30555 (High), CVE-2021-30556 (High),
CVE-2021-30557 (High)
It has been discovered that Nettle incorrectly handled RSA decryption, and certain padding
oracles. A remote attacker can possibly use these vulnerabilities to perform a variant of
the Bleichenbacher attack or cause Nettle to crash, resulting in a Denial of Service (DoS).
CVE ID: CVE-2021-3580, CVE-2018-16869 (Medium)
It has been discovered that in jetty - a Java servlet engine and webserver requests to the
ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF
directory. An attacker can access sensitive information regarding the implementation of a
web application. It is recommended to upgrade the jetty9 packages.
CVE ID: CVE-2021-28169 (Medium)
An out of bound read vulnerability has been discovered in Firefox. This vulnerability is
only affects Firefox on Windows, the other operating systems are unaffected. The
vulnerability has been resolved.
CVE ID: CVE-2021-29968
Cisco has released security updates to address numerous vulnerabilities in multiple Cisco
products. An attacker can exploit these vulnerabilities to take control of an affected
system. The affected systems and software are Webex Teams, Jabber, Meeting Server, Cisco ESA
& Cisco WSA.
It has been discovered that BlueZ- a Bluetooth tools and daemons incorrectly handled
redundant disconnect MGMT events and array indexes, and incorrectly checked certain
permissions when pairing. A local attacker can use these vulnerabilities to cause BlueZ to
crash, resulting in a Denial of Service (DoS) or possibly execute arbitrary code or obtain
sensitive information or impersonate devices.
CVE ID: CVE-2020-26558 (Medium), CVE-2020-27153 (High), CVE-2021-3588
Multiple vulnerabilities have been discovered in prosody- a Jabber (XMPP) server. It is
recommended to upgrade the prosody packages.
CVE ID: CVE-2021-32917 (Medium), CVE-2021-32921 (Medium)
It has been discovered that a Cross Site Scripting (XSS) vulnerability in Moodle allows
remote attackers to execute arbitrary web script or HTML via the "Description" field. The
affected version is Moodle 3.10.3.
CVE ID: CVE-2021-32244
An out of bounds read vulnerability has been discovered on several Huawei Products due to a
message-handling function. An attacker can exploit this vulnerability by sending a specific
message to the target device, which can cause a Denial of Service (DoS).
CVE ID: CVE-2021-22383
QNAP NAS running myQNAPcloud Link releases security update to resolve the vulnerability
which allows remote attackers to read sensitive information by accessing the unrestricted
storage mechanism.
CVE ID: CVE-2021-28815 (Medium)
An SMB out-of-bounds read vulnerability has been discovered in QNAP NAS running QTS and QuTS
hero. If exploited, this vulnerability allows attackers to obtain sensitive information on
the system.
CVE ID: CVE-2021-20254 (Medium)
Multiple vulnerabilities have been discovered in the Xen hypervisor which can result in
Denial of Service (DoS)or information leaks. The Updates are available.
CVE ID: CVE-2021-0089, CVE-2021-26313(Medium), CVE-2021-28690, CVE-2021-28692
Multiple vulnerabilities have been discovered in OpenClinic GA's Equipment- OpenClinic GA- a
product of open-source collaboration on Source Forge. Successful exploitation of these
vulnerabilities can allow an attacker to bypass authentication, discover restricted
information, view/manipulate restricted database information and/or execute malicious code.
Multiple vulnerabilities have been discovered in Automation Direct's Equipment- CLICK PLC
CPU modules. Successful exploitation of these vulnerabilities can allow an attacker to log
in as a currently or previously authenticated user or discover passwords for valid users.
CVE ID: CVE-2021-32980 (Critical), CVE-2021-32984 (Critical), CVE-2021-32986
(Critical), CVE-2021-32982 (High), CVE-2021-32978 (High)
IBM releases security updates to resolve multiple vulnerabilities in several products. An
attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Red Hat Ceph Storage. An update for ceph,
ceph-ansible, ceph-iscsi, python-waitress, and tcmu-runner is now available for Red Hat Ceph
Storage 4.2.
CVE ID: CVE-2021-20288 (High), CVE-2020-27839 (Medium), CVE-2021-3509 (Medium)
Multiple vulnerabilities have been discovered in ImageMagick- Image manipulation programs
and library which incorrectly handled certain malformed image files. When a user or
automated system using ImageMagick is tricked into opening a specially crafted image can
cause a Denial of Service (DoS) or possibly execute arbitrary code with user privilege.
Lasso disclosed a security vulnerability in the Lasso Security Assertion Markup Language
(SAML) Single Sign-On (SSO) library affecting multiple CISCO products. This vulnerability
can allow an authenticated attacker to impersonate another authorized user when interacting
with an application.
CVE ID: CVE-2021-28091 (High)
A vulnerability has been discovered in Juniper OS, in certain condition the IPv6 Distributed
Denial of Service (DDoS) protection might not be affective when it reaches the threshold
condition. The DDoS protection allows the device to continue to function while it is under
DDoS attack, protecting both the Routing Engine (RE) and the Flexible PIC Concentrator (FPC)
during the DDoS attack. The affected products are Junos OS 17.2, 17.2X75, 17.3, 17.4, 18.2,
18.2X75, 18.3 & Affected platforms MX series/EX9200 Series.
CVE ID: CVE-2020-1665 (Medium)
A buffer overflow vulnerability has been discovered in SonicOS which allows a remote
attacker to cause a Denial of Service (DoS) by sending a specially crafted request. This
vulnerability affects SonicOS Gen5, Gen6, Gen7 platforms, and SonicOSv virtual firewalls.
CVE ID: CVE-2021-20027 (High)
Apple has released security updates to address vulnerabilities in iOS 12.5.4. An attacker
can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-30737, CVE-2021-30761, CVE-2021-30762
It has been discovered in openshift logging the plugin/unmarshal/unmarshal.go lacks certain
index validation in gogo/protobuf. The security update has been released to resolve
vulnerability.
CVE ID: CVE-2021-3121 (High)
Multiple vulnerabilities have been discovered in elFinder - an open-source file manager for
web, written in JavaScript using jQuery UI. . These vulnerabilities can allow an attacker to
execute arbitrary code and commands on the server hosting the elFinder PHP connector, even
with minimal configuration. The affected version is elFinder 2.1.58. The upgrade is
available.
CVE ID: CVE-2021-32682 (Critical)
Multiple Vulnerabilities such as Denial of Service (DoS) and Remote Code Execution (RCE)
vulnerabilities have been discovered in Mitsubishi Electric products -MC Works 64 and MC
Works 32. . An attacker can exploit these vulnerabilities by sending specially crafted data.
The updates are available.
A cross-site scripting vulnerability has been discovered in Apache ActiveMQ used by IBM
Operations Analytics Predictive Insights. A remote attacker can exploit this vulnerability
by using a specially-crafted URL to execute script in web browser & to steal the
authentication credentials. The updates are available.
CVE ID: CVE-2020-13947(Medium)
Multiple vulnerabilities such as path traversal and information disclosure have been
discovered in Dell Technologies NetWorker. A NetWorker server user with remote access to
NetWorker clients may potentially exploit these vulnerabilities and gain access to
unauthorized information. The affected versions are Dell Technologies NetWorker 18.x, Dell
Technologies NetWorker 19.1.x, 19.2.x, 19.3.x, and 19.4.x versions until 19.4.0.2.
CVE ID: CVE-2021-21569 (Medium), CVE-2021-21570 (Medium)
A potential caching vulnerability has been found in Financial Transaction Manager for
Corporate Payment Services. A remote attacker can exploit this vulnerability to expose
sensitive information or consume memory resources.
CVE ID: CVE-2020-5003 (Medium)
IBM has released security update to resolve a command injection vulnerability in IBM
Integration Bus & IBM App Connect Enterprise V11 ship with Node.js. By sending a
specially-crafted request an attacker can exploit this vulnerability to execute arbitrary
commands on the system.
CVE ID: CVE-2021-23337 (High)
An out-of-bounds read vulnerability has been discovered in certain QNAP switches running
QSS. If exploited this vulnerability allows attackers to read sensitive information on the
system. The updates are available.
CVE ID: CVE-2021-28801(Low)
An inclusion of sensitive information in the source code has been reported to affect certain
QNAP switches running QSS. If exploited this vulnerability allows attackers to read
application data. The updates are available.
CVE ID: CVE-2021-28805 (High)
A Cross Site Scripting (XSS) vulnerability has been discovered in McAfee Data Loss
Prevention (DLP) Endpoint for Windows prior to 11.6.200.It is recommended to update to DLP
Endpoint for Windows 11.6.200.
CVE ID: CVE-2021-31832 (Medium)
Multiple Vulnerabilities such as Path Traversal and Cross-Site Scripting (XSS) have been
discovered in AGG Software's Equipment- Web Server. Successful exploitation of these
vulnerabilities can allow Remote Code Execution (RCE) and exposure of arbitrary system
files. The affected products are v4.0.40.1014 and prior (webserver.dll)
CVE ID: CVE-2021-32964 (Medium), CVE-2021-32962 (High)
Multiple Vulnerabilities have been discovered in ZOLL's Equipment- Defibrillator Dashboard-
a Defibrillator device management platform. Successful exploitation of these vulnerabilities
can allow Remote Code Execution (RCE), allow an attacker to gain access to credentials, or
impact confidentiality, integrity, and availability of the application.
CVE ID: CVE-2021-27489 (Critical), CVE-2021-27481 (High), CVE-2021-27487 (High),
CVE-2021-27479 (Medium), CVE-2021-27485 (High), CVE-2021-27483 (Medium)
A protection mechanism failure vulnerability has been discovered in Rockwell Automation's
Equipment- FactoryTalk Services Platform. Successful exploitation of this vulnerability may
allow remote authenticated users to bypass FactoryTalk Security policies that are based on a
computer name.
CVE ID: CVE-2021-32960 (High)
IBM releases security updates to resolve multiple vulnerabilities in several products.
CVE ID: CVE-2021-29754 (Medium), CVE-2021-20396 (Medium), CVE-2021-2161 (Medium)
A vulnerability has been discovered in lasso, a library for Liberty Alliance and SAML
protocols, which results to a improper verification of a cryptographic signature. It is
recommended to upgrade the lasso packages.
CVE ID: CVE-2021-28091 (High)
It has been discovered that rpcbind incorrectly handled certain large data sizes. A remote
attacker can use this flaw to cause rpcbind to consume resources, leading to a Denial of
Service (DoS). The updates are available.
It has been discovered that the NetworkPolicy resources in servicemesh-operator incorrectly
specify ports for ingress resources. An update for servicemesh-operator is now available for
OpenShift Service Mesh 2.0.
CVE ID: CVE-2021-3586
Red Hat has released security updates to resolve numerous vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Ubuntu has released security notices to resolve several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
The Stable channel has been updated to 91.0.4472.102 (Platform version: 13904.55.0) for most
Chrome OS devices. Systems will be receiving updates over the next several days.
It has been discovered that the coredump implementation in the Linux kernel does not use
locking or other mechanisms to prevent vma layout or vma flags changes while it runs which
allows local users to obtain sensitive information, cause a Denial of Service( DoS) or
possibly have unspecified other impact by triggering a race condition. The affected versions
are Linux kernel before 5.0.10.
CVE ID: CVE-2019-11599 (Medium)
The rise in ransomware attacks has been discovered which targeting critical infrastructure
Operational Technology (OT) assets and control systems often connected to Information
Technology (IT) networks. All organisations are at risk of being targeted by ransomware and
have an urgent responsibility to protect against ransomware threats.
Google has released Chrome version 91.0.4472.101 for Windows, Mac, and Linux. This version
addresses vulnerabilities that an attacker can exploit to take control of an affected
system.
It has been discovered that mrxvt, a lightweight multi-tabbed X terminal emulator, allowed
(potentially remote) code execution because of improper handling of certain escape
sequences. It is recommended to upgrade the mrxvt packages.
CVE ID: CVE-2021-33477 (High)
A SQL injection vulnerability has been discovered in SILUtility.vb in MOVEit.DMZ.WebApp in
the MOVEit Transfer web app. This can allow an authenticated attacker to gain unauthorized
access to the database.
CVE ID: CVE-2021-33894
A Cross-Site Scripting (XSS) vulnerability has been discovered in the Portal Workflow
module's edit process page in Liferay. This vulnerability allows remote attackers to inject
arbitrary web script or HTML via the currentURL parameter.
CVE ID: CVE-2021-29049
It has been discovered that an attacker can store malicious code in the User Avatar
attribute in Zammad- a web-based, open source user support/ticketing solution. Every time
the Avatar will be shown the malicious code will be executed in the session of the current
user. It is recommended to upgrade to Zammad 4.0.1, or 4.1.0.
CVE ID: CVE-2021-35303
An improper privilege management vulnerability has been discovered in Schneider Electric's
Equipment- Enerlin'X Com’X 510. Successful exploitation of this vulnerability can allow
elevation of privileges which can result in unintended disclosure of device configuration
information to any authenticated user.
CVE ID: CVE-2021-22769 (High)
A Denial of Service(DoS) vulnerability has been discovered in RabbitMQ, EMQ X, and VerneMQ
open source message broker applications. The malformed MQTT messages are discovered that can
cause excessive memory consumption in each of the affected message brokers, resulting in the
application being terminated by the Operating System (OS).
CVE ID: CVE-2021-22116, CVE-2021-33175 (High), CVE-2021-33176 (High)
Intel has released security updates to address multiple vulnerabilities in several Intel
products. A remote attacker can exploit some of these vulnerabilities to take control of an
affected system.
SAP has released security updates to address multiple critical vulnerabilities affecting
several products. An attacker can exploit some of these vulnerabilities to take control of
an affected system.
Adobe has released security updates to address vulnerabilities in multiple Adobe products.
An attacker can exploit some of these vulnerabilities to take control of an affected system.
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A
remote attacker can exploit some of these vulnerabilities to take control of an affected
system.
Multiple vulnerabilities have been discovered in Rockwell Automation's Equipment- ISaGRAF5
Runtime, an automation software. Successful exploitation of these vulnerabilities can result
in Remote Code Execution (RCE), information disclosure, or a Denial-of-Service (DoS)
condition.
CVE ID: CVE-2020-25176 (Critical), CVE-2020-25184 (High), CVE-2020-25178 (High),
CVE-2020-25182 (Medium), CVE-2020-25180 (Medium)
Multiple vulnerabilities have been discovered in Open Design Alliance's Equipment- Drawings
SDK, a software development kit for DWG and DGN. Successful exploitation of these
vulnerabilities can allow code execution in the context of the current process or cause a
Denial-of-Service (DoS) condition.
A clear text storage of sensitive information in memory vulnerability has been discovered in
AVEVA Software's Equipment- InTouch 2020 R2 and all prior versions. Successful exploitation
of this vulnerability can expose cleartext credentials from InTouch Runtime if an authorized
privileged user creates a diagnostic memory dump of the process and saves it to a
non-protected location.
CVE ID: CVE-2021-32942 (Medium)
A incomplete cleanup vulnerability has been discovered in Thales' Equipment- Thales Sentinel
LDK Run-Time Environment (RTE). The products that have uninstalled software using the
Sentinel LDK Run-Time Environment may have a port left open that may allow an attacker to
connect. The affected products are Sentinel LDK Run-Time Environment: Versions 7.6 and
prior.
CVE ID: CVE-2021-32928 (Critical)
Multiple vulnerabilities have been discovered in Schneider Electric's Equipment- IGSS
(Interactive Graphical SCADA System) and Modicon X80. An attacker can exploit some of these
vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in several products of Siemens. An attacker
can exploit some of these vulnerabilities to take control of an affected system.
It has been discovered that the affected versions of Jira Server and Jira Data Center have a
XSS vulnerability in the EditWorkflowScheme.jspa component which allows remote attackers to
inject arbitrary HTML or JavaScript. The affected versions are version < 8.5.14 , 8.6.0 ≤
version < 8.13.6 and 8.14.0 ≤ version < 8.16.1.
CVE ID: CVE 2021-26080
A cleartext transmission of sensitive information vulnerability has been discovered in
ThroughTek's Equipment- P2P SDK. Successful exploitation of this vulnerability can permit
unauthorized access to sensitive information, such as camera audio/video feeds.
CVE ID: CVE-2021-32934 (Critical)
The Android Security Bulletin contains details of security vulnerabilities affecting Android
devices. Security patch levels of 2021-06-05 or later address all of these issues.
It has been discovered that an unspecified vulnerability in Java SE related to the Libraries
component can allow an unauthenticated attacker to cause no confidentiality impact, low
integrity impact, and no availability impact. The affected versions are DB2 Recovery Expert
for Linux- UNIX and Windows 5.5 IF 1, 5.5 IF 2, 5.5.0.1, and 5.5.0.1 IF 1.
CVE ID: CVE-2020-14782 (Low)
A buffer overflow vulnerability has been discovered in NGINX, a small, powerful, scalable
web/proxy server, when encountered by the autoindex module. It is recommended to upgrade the
nginx packages.
CVE ID: CVE-2017-20005
A role-based privileges escalation vulnerability has been discovered in Cloudforms where
export or import of administrator files is possible. An attacker with a specific group can
perform actions restricted only to system administrator.
CVE ID: CVE-2020-25716
An XXE vulnerability has been discovered in Nokogiri, a Rubygem providing HTML, XML, SAX,
and Reader parsers with XPath and CSS selector support. It is recommended to upgrade the
ruby-nokogiri packages.
CVE ID: CVE-2020-26247 (Medium)
It has been discovered that the aaugustin websockets library for Python has an Observable
Timing Discrepancy (OTD) on servers when HTTP Basic Authentication is enabled with
basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password
via a timing attack. The affected versions are aaugustin websockets library before 9.1.
CVE ID: CVE-2021-33880
It has been discovered that in Invoice Ninja has an unsafe call to unserialize() in
app/Ninja/Repositories/AccountRepository.php which may allow an attacker to deserialize
arbitrary PHP classes. The affected version are Ninja before 4.4.0.
CVE ID: CVE-2021-33898
Multiple vulnerabilities have been discovered in Django, the Python-based web development
framework It is recommended to upgrade the python-django packages.
CVE ID: CVE-2021-33203, CVE-2021-33571
Multiple security vulnerabilities have been discovered in Thunderbird, which can result in
the execution of arbitrary code. The updates are available.
CVE ID: CVE-2021-29956, CVE-2021-29957, CVE-2021-29967
A improper privilege management vulnerability has been discovered in Johnson Controls'
Equipment- Metasys Servers, Engines, and Tools. Successful exploitation of this
vulnerability can give an authenticated Metasys user an unintended level of access to the
server file system allowing them to access or modify system files by sending specifically
crafted web messages to the Metasys system.
CVE ID: CVE-2021-27657 (High)
It has been discovered that OpenVPN access server allows a remote attackers to bypass
authentication & access control channel data on servers configured with deferred
authentication which can be used to potentially trigger further information leaks. The
affected versions are OpenVPN Access Server 2.8.7 and earlier.
CVE ID: CVE-2020-15077
It has been discovered that in bubble fireworks the package- an open source java package
relating to Spring Framework do not properly verify the signature of JSON Web Tokens. This
allows to forgery of valid JWTs. The affected versions are bubble fireworks before version
2021.
CVE ID: CVE-2021-29500(High)
Multiple vulnerabilities have been resolved in the Linux kernel which allow local attacker
to cause a Denial of Service (DoS) (system crash) or possibly execute arbitrary code.
Multiple critical vulnerabilities have been discovered in CODESYS automation software that
can be exploited to Remote Code Execution (RCE) on Programmable Logic Controllers (PLCs).
CVE ID: CVE-2021-30189(Critical), CVE-2021-30190(Critical), CVE-2021-30191
(Critical), CVE-2021-30192 (Critical), CVE-2021-30193 (Critical),CVE-2021-30194 (Critical),
CVE-2021-30195(High), CVE-2021-30186(High), CVE-2021-30188(High), CVE-2021-30187(Medium)
It has been discovered that the quiz and survey plugin of WordPress does not sanitise or
escape its result_id parameter when displaying an existing quiz result page, leading to a
reflected Cross-Site Scripting (XSS) vulnerability. This can allow for privilege escalation
by inducing a logged in admin to open a malicious link.
CVE ID: CVE-2021-24368
An authentication bypass vulnerability has been discovered in Red Hat package polkit. When a
requesting process disconnects from dbus-daemon just before the call to
polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of
the process and it cannot verify the privileges of the requesting process which may be a
threat to data confidentiality and integrity
CVE ID: CVE-2021-3560 (High)
Multiple vulnerabilities have been discovered in Zimbra- a WebRTC stream aggregator. It is
recommended to use Patch 15 for the Zimbra 9.0.0, and Patch 22 for Zimbra 8.8.15.
It has been discovered that the resolution for CVE-2020-25712 (heap-buffer overflow) in the
Xorg X server addressed in DLA-2486-1 causes a regression in caribou making it crash
whenever special characters are entered. It is recommended to upgrade the caribou packages.
Microsoft releases the latest Microsoft Edge Stable Channel (Version 91.0.864.41), which
incorporates the latest Security Updates of the Chromium project.
CVE ID: CVE-2021-33741(High)
Multiple vulnerabilities have been discovered in Advantech's Equipment- iView. Successful
exploitation of these vulnerabilities can allow an attacker to disclose information and
perform remote code execution. The affected products are Advantech’s iView versions prior to
v5.7.03.6182.
CVE ID: CVE-2021-32930 (High), CVE-2021-32932 (Critical)
Multiple vulnerabilities have been discovered in Thunderbird. An attacker can exploit some
of these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-29964, CVE-2021-29967
It has been discovered that the server in Luca allows remote attackers to cause a Denial of
Service (insertion of many fake records related to COVID-19) because phone number data lacks
a digital signature. The affected versions are Luca through 1.1.14.
CVE ID: CVE-2021-33840
It has been discovered that Foreman-a complete lifecycle management tool for physical and
virtual servers is affected by an improper authorization handling Vulnerability. An
authenticated attacker can impersonate the foreman-proxy if product enable the Puppet
Certificate Authority (CA) to sign certificate requests that have subject alternative names
(SANs). Foreman do not enable SANs by default and `allow-authorization-extensions` is set to
`false`. The affected versions are Foreman versions before 2.3.4 and before 2.4.0.
CVE ID: CVE-2021-3469
RedHat has released security updates to resolve several vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Ubuntu has released security updates to address numerous vulnerabilities in multiple
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
Adobe is planning to release security updates for Adobe Acrobat and Reader for Windows and
macOS on June 08, 2021. These updates will address critical vulnerabilities in the
software.
IBM has released security updates to resolve several vulnerabilities in multiple products.
An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as post-authentication reflected XSS, DOM-based XSS, and
command injection have been discovered in QNAP NAS products. If exploited these
vulnerabilities allows remote attackers to inject malicious code or execute arbitrary
commands. The updates are available.
CVE ID: CVE-2021-28807 (High), CVE-2021-28806 (Medium), CVE-2021-28812 (High)
Multiple vulnerabilities have been discovered in the Linux kernel. A local attacker can use
these to cause a Denial of Service (DoS) or possibly execute arbitrary code. The updates are
available.
An information leak vulnerability has been discovered in Huawei Products. The module does
not deal with specific input sufficiently. A high privilege attackers can exploit this
vulnerability by sending specially crafted input which leads to an information leak.
CVE ID: CVE-2021-22342
A command injection vulnerability has been discovered in Huawei Products. A attacker can
exploit this vulnerability by sending malicious parameters to inject command which
compromise normal service.
CVE ID: CVE-2021-22377
A race condition vulnerability has been discovered in Huawei Products. Successful exploit
may cause the affected device abnormal.
CVE ID: CVE-2021-22378
CISA has released Best Practices for MITRE ATT&CK Mapping. The guide shows analysts
through instructions and examples how to map adversary behavior to the MITRE ATT&CK
framework.
It has been discovered that the reference implementation of FUSE, local attacker is able to
specify the allow_other option even if forbidden in /etc/fuse.conf, leading to exposure of
FUSE filesystems to other users. This vulnerability only affects systems with SELinux
active. The affected versions are FUSE before 2.9.8.
CVE ID: CVE-2021-33805
It has been discovered that Froala what-you-see-is-what-you-get (WYSIWYG) Editor is affected
by a vulnerability in its HTML sanitization parsing, which allows an attacker to bypass
built-in Cross-Site Scripting (XSS) protections and execute arbitrary JavaScript code. The
affected version is WYSIWYG Editor 3.2.6.
CVE ID: CVE-2021-28114 (High)
RedHat has released security updates for EAP XP 1 to resolve multiple vulnerabilities in EAP
7.3.x base. There are no changes to the EAP XP1 code base.
Multiple vulnerabilities have been discovered in Firefox. If a user is tricked into opening
a specially crafted website an attacker can potentially exploit these to cause a Denial of
Service (DoS), re-enable camera devices without an additional permission prompt, spoof the
browser UI, or execute arbitrary code. The updates are available.
CVE ID: CVE-2021-29959, CVE-2021-29961,CVE-2021-29966, CVE-2021-29967, CVE-2021-29960
Cisco has released security updates to address numerous vulnerabilities in multiple Cisco
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
The Stable channel has been updated to 91.0.4472.81 (Platform version: 13904.41.0) for most
Chrome OS devices. This build contains a number of features, bug fixes, and security
updates.
An Improper permission assignment vulnerability has been discovered in Huawei LTE USB Dongle
Products. An attacker can locally access and log in to a PC to induce a user to install a
specially crafted application. After successfully exploiting this vulnerability, the
attacker can perform unauthenticated operations. The updates are available.
The BIG-IQ Configuration utility has an authenticated remote command execution vulnerability
in undisclosed pages. This vulnerability allows an authenticated admin user or a user
account assigned with an administrator role and no shell access to execute arbitrary system
commands as a root user.
CVE ID: CVE-2021-23024
Multiple Vulnerabilities have been discovered in Apache HTTP Server. An attacker can exploit
some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2019-17567, CVE-2020-13938, CVE-2020-13950, CVE-2020-35452,
CVE-2021-26690, CVE-2021-26691, CVE-2021-30641, CVE-2021-31618
A missing permission check vulnerability has been discovered in Nextcloud Mail App- a mail
app for the Nextcloud platform. . This vulnerability allows another authenticated users to
access mail metadata of other users. The affected versions are Nextcloud Mail before 1.4.3
and 1.8.2.
CVE ID: CVE-2021-32652(High)
Multiple vulnerabilities have been discovered in HPE Integrated Lights-Out 5 (iLO 5), and
HPE Integrated Lights-Out 4 (iLO 4). HPE has made the software update to resolve the
vulnerabilities in HPE Integrated Lights-Out 5 (iLO 5) version 2.44 or later, and HPE
Integrated Lights-Out4 (iLO 4) version 2.78 or later.
An unauthenticated arbitrary file Upload vulnerability has been discovered in Fancy Product
Designer, a WordPress plugin. The affected versions are Fancy Product Designer prior 4.6.9.
The update is available.
CVE ID: CVE-2021-24370 (Critical)
Multiple vulnerabilities have been discovered in McAfee Database Security (DBSec). The
affected versions are DBSec prior to 4.8.2. It is recommended to upgrade to DBSec 4.8.2.
CVE ID: CVE-2021-23894 (Critical), CVE-2021-23895 (Critical), CVE-2021-23896 (Low),
CVE-2021-31830 (Medium), CVE-2021-31831 (Medium)
Multiple vulnerabilities have been discovered in IBM Jazz Team Server. An attacker can
exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Korenix Technology, Westermo and
Pepperl+Fuchs products. An attacker can exploit some of these vulnerabilities to take
control of an affected system.
CVE ID: CVE-2020-12500 (Critical), CVE-2020-12501 (Critical), CVE-2020-12501 (High),
CVE-2020-12503 (High), CVE-2020-12504 (Critical)
Multiple vulnerabilities such as Out-of-Bounds Write, Out-of-Bounds Read have been
discovered in Hillrom's Equipment- Welch Allyn medical device management tools. Successful
exploitation of these vulnerabilities can allow an attacker to cause memory corruption and
remotely execute arbitrary code.
CVE ID: CVE-2021-27410 (Medium), CVE-2021-27408 (Medium)
Mozilla has released security updates to address vulnerabilities in Firefox for iOS, Firefox
ESR, and Firefox 89. An attacker can exploit some of these vulnerabilities to take control
of an affected system.
Cisco has released security updates to address vulnerabilities in Cisco Integrated
Management Controller (IMC) and Lasso Security Assertion Markup Language (SAML) Single
Sign-On (SSO) library. An attacker can exploit these vulnerabilities to take control of an
affected system.
CVE ID: CVE-2021-1397 (Medium), CVE-2021-28091
It has been discovered that a lack of filename validation when unzipping archives prior to
WhatsApp for Android and WhatsApp Business for Android can have allowed path traversal
attacks that overwrite WhatsApp files. The affected versions are WhatsApp for Android
v2.21.8.13 and WhatsApp Business for Android v2.21.8.13.
CVE ID: CVE-2021-24035
Multiple vulnerabilities have been discovered in various FortiGate products. An attacker can
exploit some of these vulnerabilities to take control of an affected system.
A vulnerability has been discovered in Python through 3.8.3. In Lib/tarfile.py in Python ,
an attacker is able to craft a TAR archive leading to an infinite loop when opened by
tarfile.open, because _proc_pax lacks header validation.
CVE ID: CVE-2019-20907 (High)
A vulnerabilty has been discovered in Python3.8. The Python stdlib ipaddress API incorrectly
handled octal strings. A remote attacker can possibly use this issue to perform a wide
variety of attacks, including by passing certain access restrictions.
CVE ID: CVE-2021-29921 (Critical)
It has been discovered that libwebp - a lossy compression of digital photographic images
incorrectly handled certain malformed images. If a user or automated system is tricked into
opening a specially crafted image file a remote attacker can use this vulnerability to cause
libwebp to crash, resulting in a Denial of Service (DoS) or possibly execute arbitrary code.
It has been discovered that GUPnP- a framework for creating UPnP devices & control
points incorrectly filtered local requests. If a user is tricked into visiting a malicious
website, a remote attacker can possibly use this issue to perform actions against local UPnP
services such as obtaining or altering sensitive information.
CVE ID: CVE-2021-33516 (High)
It has been discovered that the restapps (aka Rest Phone apps) module for Sangoma FreePBX
and PBXact allows remote code execution via a URL variable to an AMI command. The affected
versions are Sangoma FreePBX and PBXact 13, 14, and 15 through 15.0.19.2.
CVE ID: CVE-2020-10666
It has been discovered that LZ4- extremely fast compression algorithm incorrectly handled
certain memory operations. If a user or automated system is tricked into uncompressing a
specially-crafted LZ4 file, a remote attacker can use this issue to cause LZ4 to crash,
resulting in a Denial of Service(DoS), or possibly execute arbitrary code.
CVE ID: CVE-2021-3520
A security update has been released for Docker that automates the deployment of any
application as a lightweight, portable, self-sufficient container which runs virtually
anywhere. This update resolve the vulnerability to symlink exchange attack.
CVE ID: CVE-2021-30465
It has been discovered that RebornCore library before 4.7.3 allows remote code execution
because it deserializes untrusted data in ObjectInputStream.readObject as part of
reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the
classpath with any data.
CVE ID: CVE-2021-33790
It has been discovered that rxvt-unicode,a customizable terminal emulator allow (potentially
remote) code execution because of improper handling of certain escape sequences (ESC G Q). A
response is terminated by a newline. It is recommended to upgrade the rxvt-unicode packages.
CVE ID: CVE-2021-33477 (High)
A vulnerability has been discovered in libxml2, the GNOME XML library. This vulnerability is
called "Parameter Laughs"-attack and related to parameter entities expansion. It is
recommended to upgrade the libxml2 packages.
CVE ID: CVE-2021-3541
Multiple vulnerabilities have been discovered in Webkit2gtk web engine that leads to
arbitrary code execution. The updates are available.
CVE ID: CVE-2021-1788(High), CVE-2021-1844(High), CVE-2021-1871(Critical)
A remote code execution vulnerability has been discovered in the web UI of VoIPmonitor. When
the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code)
is injected into config/configuration.php. The affected versions are web UI of VoIPmonitor
prior 24.61.
CVE ID: CVE-2021-30461
An argument injection vulnerability in the Dragonfly gem for Ruby, suitable for image
uploading allows remote attackers to read and write to arbitrary files via a crafted URL
when the verify_url option is disabled. This can lead to code execution. The affected
versions are Dragonfly gem prior 1.4.0.
CVE ID: CVE-2021-33564
A vulnerability has been discovered in import functionality of Hyperkitty- the web user
interface to access Mailman 3 archives which do not restrict the visibility of private
archives during the import.The update is available.
CVE ID: CVE-2021-33038
It has been observed that threat actor is sending spoofed emails that appeared to originate
from government organisation or IGOs or NGOs. The emails contained a legitimate constant
contact link that redirected to a malicious URL from which a malicious ISO file is dropped
onto the victim’s machine. The ISO file contains a malicious Dynamic Link Library (DLL), a
benign decoy PDF & a malicious shortcut file that executes the Cobalt Strike Beacon
loader.
Multiple vulnerabilities are discovered in Samba, SMB/CIFS file, print, and login server for
Unix. An attacker can exploit some of these vulnerabilities to take control of an affected
system.
It has been discovered that Frontier ichris mishandles making a DNS request for the hostname
in the HTTP Host header, as demonstrated by submitting 127.0.0.1 multiple times for DoS. The
affected version are RFrontier ichris through 5.18.
CVE ID: CVE-2021-31702
A memory protection bypass vulnerability has been discovered in SIMATIC S7-1200 and S7-1500
CPU products that can allow an attacker to write arbitrary data and code to protected memory
areas or read sensitive data to launch further attacks.
CVE ID: CVE-2020-15782
It has been discovered that an unspecified vulnerability in Java SE related to the Libraries
component can allow an unauthenticated attacker to cause no confidentiality impact, high
integrity impact, and no availability impact.
CVE ID: CVE-2021-2161 (Medium)
A vulnerability has been discovered in the SonicWall NSM On-Prem product that allows an
authenticated attacker to perform OS command injection using a crafted HTTP request. This
vulnerability affects NSM On-Prem 2.2.0-R10 and earlier versions.
CVE ID: CVE-2021-20026 (High)
Multiple vulnerabilities have been discovered in Mitsubishi Electric's Equipment- MELSEC
iQ-R Series, FA engineering software products, Mitsubishi Electric Factory Automation
products, and Mitsubishi Electric Factory Automation Engineering products. An attacker can
exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-20591 (Medium), CVE-2021-20587 (High), CVE-2021-20588 (High),
CVE-2020-14523 (High), CVE-2020-14521 (High)
Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email
campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds. This
wide-scale email campaign leverages the legitimate service constant contact to send
malicious links that are obscured behind the mailing service’s URL
Off-by-one Error vulnerability has been discovered in Sensormatic Electronics Equipment -
VideoEdge versions prior to 5.7.0 , LLC, a subsidiary of Johnson Controls. Under specific
circumstances, a local authenticated user may be able to exploit this vulnerability to gain
administrative access.
CVE ID: CVE-2021-3156 (High)
Heap-based Buffer Overflow vulnerability has been discovered in GENIVI Alliance's Equipment-
DLT-Daemon. Successful exploitation of this vulnerability can lead to remote code execution
or crash the application. The affected products are DLT-daemon (diagnostic log and trace)
versions prior to 2.18.6.
CVE ID: CVE-2020-36244 (Critical)
Multiple vulnerabilities have been discovered in Mesa Labs' Equipment- AmegaView- a
continuous monitoring hardware and software platform . Successful exploitation of these
vulnerabilities can allow remote code execution or allow access to the device.
CVE ID: CVE-2021-27447 (Critical), CVE-2021-27451 (High), CVE-2021-27453 (High),
CVE-2021-27449 (Critical), CVE-2021-27445 (High)
A Vulnerability has been discovered in nginx -small, powerful, scalable web/proxy server
that incorrectly handled responses to the DNS resolver. A remote attacker can use this issue
to cause nginx to crash, resulting in a Denial of Service(DoS) or possibly execute arbitrary
code.
CVE ID: CVE-2021-23017
Multiple vulnerabilities have been discovered in Moxa’s NPort IAW5000A-I/O Series Wireless
Device Server. This may allow remote attackers to initiate a Denial of Service (DoS) attack
and Execute Arbitrary Code (RCE).
A potential security vulnerability has been identified in HPE Systems Insight Manager (SIM)
version 7.6. Hewlett Packard Enterprise (HPE) has released a security update to address
vulnerability. HPE SIM is a remote support automation and management solution for HPE
servers, storage, and networking products, including HPE's ProLiant Gen10 and ProLiant Gen9
servers.
CVE ID: CVE-2020-7200(Critical)
Multiple vulnerabilities have been discovered in several products of Codesys. An attacker
can exploit some of these vulnerabilities to take control of an affected system.
An improper neutralization of Carriage Return Line Feed (CRLF) sequences in HTTP Headers
('HTTP Response Splitting') weakness has been discovered in J-web of Juniper Networks Junos
OS that leads to buffer overflows, segment faults, or other impacts. This allows an attacker
to modify the integrity of the device and exfiltration information from the device without
authentication.
CVE ID: CVE-2021-0268(High)
Google has released update for Chrome Dev channel to version 2.0.4515.19/20 for Windows
92.0.4515.20 for Mac and Linux. This version addresses vulnerabilities that an attacker can
exploit to take control of an affected system.
It has been discovered that a program code used by the ISC DHCP package to read and parse
stored leases has a vulnerability that can be exploited by an attacker to cause one of
several undesirable outcomes, depending on the component attacked and the way in which it
was compiled. The dhcpd and dhclient are affected.
CVE ID: CVE-2021-25217 (High)
It has been discovered that ansible.log file is visible to unprivileged users. An update for
tripleo-ansible is now available for Red Hat OpenStack Platform 16.1 (Train).
CVE ID: CVE-2021-31918 (High)
It has been discovered Drupal core uses the third-party CKEditor library. This library has
an error in parsing HTML which can lead to an XSS attack. The affected versions are Drupal
8.9, 9.0, and 9.1
Multiple vulnerabilities such as Carriage Return Line Feed (CRLF) injection and Denial of
Service via malicious header have been discovered in python-httplib2. An update for
python-httplib2 is now available for Red Hat OpenStack Platform 16.1 (Train).
CVE ID: CVE-2020-11078 (Medium), CVE-2021-21240 (High)
Multiple vulnerabilities have been discovered in Luxion KeyShot. An attacker can exploit
some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-27488 (High), CVE-2021-27492 (Medium), CVE-2021-27494 (High),
CVE-2021-27496 (High), CVE-2021-27490 (High)
It has been discovered that zettlr- the markdown editor contains a Cross-Site Scripting(XSS)
vulnerability. The affected versions are zettlr versions from 0.20.0 until 1.8.8.
CVE ID: CVE-2021-20727 (Medium)
Google has released Chrome version 91.0.4472.77 for Windows, Mac, and Linux. This version
addresses vulnerabilities that an attacker can exploit to take control of an affected
system.
VMware has released security updates to address multiple vulnerabilities in vCenter Server
and Cloud Foundation. A remote attacker can exploit some of these vulnerabilities to take
control of an affected system.
CVE ID: CVE-2021-21985, CVE-2021-21986
The vulnerability has been discovered in Rockwell Automation's Equipment- Micro800,
MicroLogix 1400. When an authenticated password change request takes place this
vulnerability can allow the attacker to intercept the message that includes the legitimate,
new password hash and replace it with an illegitimate hash. The user will no longer be able
to authenticate to the controller causing a denial of service (DoS) condition.
CVE ID: CVE-2021-32926 (Medium)
Multiple vulnerabilities have been discovered in Datakit's Equipment- software libraries
embedded in Luxion KeyShot software. Successful exploitation of these vulnerabilities can
lead to execution of arbitrary code and disclosure of arbitrary files to unauthorized
actors.
CVE ID: CVE-2021-27488 (High), CVE-2021-27492 (Medium), CVE-2021-27494 (High),
CVE-2021-27496 (High), CVE-2021-27490 (High)
It has been discovered that IBM WebSphere Application Server Java Batch is vulnerable to an
XML External Entity Injection (XXE) attack when processing XML data. A remote attacker can
exploit this vulnerability to expose sensitive information or consume memory resources.
CVE ID: CVE-2021-20492 (Medium)
Google discovered new vulnerability called Half-Double, a new Rowhammer technique that
capitalizes on the worsening physics of some of the newer DRAM chips to alter the contents
of memory. Rowhammer is a DRAM vulnerability whereby repeated accesses to one address can
tamper with the data stored at other addresses.
It has been discovered that Checkbox Survey insecurely deserializes ASP.NET View State data,
which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable
server. The affected versions are Checkbox Survey prior to version 7.0.
CVE ID: CVE-2021-27852
A critical unauthenticated stored XSS vulnerability has been discovered in the Target First
WordPress Plugin v2.0, also previously known as Watcheezy. An attacker can change the
license key value through a POST on any URL with the 'weeWzKey' parameter that will be saved
as the 'weeID option and is not sanitized.
CVE ID: CVE-2021-24305
Apple has released security updates to address vulnerabilities in multiple products. An
attacker can exploit some of these vulnerabilities to take control of an affected system.
A missing length validation vulnerability has been discovered in various functions provided
by libx11. The X11 client-side library, allows to inject X11 protocol commands on X clients
which lead to authentication bypass, Denial of Service (DoS) or potentially the execution of
arbitrary code. It is recommended to upgrade the libx11 packages.
CVE ID: CVE-2021-31535
A vulnerability has been discovered in Koel- a web-based personal audio streaming service
which lacks login throttling & password strength policy and shows whether a failed login
attempt has a valid username. This might make brute-force attacks easier. The affected
versions are Koel before 5.1.4.
CVE ID: CVE-2021-33563
A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Shopizer- an
e-commerce solution in Java built for the cloud. The vulnerability allows remote attackers
to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary
product. The affected versions are Shopizer prior to 2.17.0.
CVE ID: CVE-2021-33562
It has been discovered that EyesOfNetwork eonweb allows Remote Command Execution (RCE) by
authenticated users via shell metacharacters in the nagios_path parameter to
lilac/export.php, as demonstrated by %26%26+curl to insert an "&& curl" substring
for the shell. The affected versions are EyesOfNetwork eonweb through 5.3-11.
CVE ID: CVE-2021-33525
It has been discovered that Feehi CMS is affected by a Server-Side Request Forgery (SSRF)
vulnerability. When the user modifies the HTTP Referer header to any url, the server can
make a request to it. The affected version is Feehi CMS 2.1.1.
CVE ID: CVE-2021-30108
A vulnerability discovered in OpenLDAP- an open source implementation of the Lightweight
Directory Access Protocol which allows an attacker to process malicious packet by OpenLDAP’s
slapd server trigger an assertion failure. The highest threat from this vulnerability is to
system availability.
CVE ID: CVE-2020-20178
Multiple vulnerabilities have been discovered in Bluetooth Core and Mesh specifications The
devices supporting the Bluetooth Core and Mesh specifications are vulnerable to
impersonation attacks and AuthValue disclosure that can allow an attacker to impersonate a
legitimate device during pairing.
CVE ID: CVE-2020-26555, CVE-2020-26556, CVE-2020-26557, CVE-2020-26558,
CVE-2020-26559, CVE-2020-26560
Untrusted search path vulnerability has been discovered in the installer of Overwolf which
allows an attacker to gain privileges and execute arbitrary code with the privilege of the
user invoking the installer via a Trojan horse DLL in an unspecified directory. The affected
versions are Overwolf 2.168.0.n and earlier.
CVE ID: CVE-2021-20726
An integer overflow vulnerability has been discovered in LZ4-lossless compression algorithm
which can result in memory corruption.Security update has been released for LZ4.
CVE ID: CVE-2021-3520
A vulnerability has been discovered in ring- a secure and distributed voice, video and chat
platform. Due to bad handling of two consecutive crafted answers to an INVITE, the attacker
is able to crash the server resulting in a denial of service(DoS).
CVE ID: CVE-2021-21375 (Medium)
A vulnerability has been discovered in the InterProcess communication (IPC) channel of Cisco
AnyConnect Secure Mobility Client Software which can allow an authenticated, local attacker
to cause a targeted AnyConnect user to execute a malicious script.
CVE ID: CVE-2020-3556 (High)
Multiple NetApp products incorporate GNU Binutils- a collection of binary tools. GNU
Binutils version 2.35.1 is susceptible to a vulnerability which when successfully exploited
can lead to denial of service (DoS).
CVE ID: CVE-2021-20284 (Medium)
It has been discovered that PuTTY on Windows allows remote servers to cause a denial of
service (Windows GUI hang) by telling the PuTTY window to change its title repeatedly at
high speed, which results in many SetWindowTextA or SetWindowTextW calls. The affected
versions are PuTTY prior to 0.75.
CVE ID: CVE-2021-33500 (High)
A code injection vulnerability has been discovered in the Upgrade function of QibosoftX1. An
attacker can execute arbitrary PHP code via exploitation of client_upgrade_edition.php and
Upgrade.php. The affected version is QibosoftX1 v1.0.
CVE ID: CVE-2021-27811
A relative path traversal vulnerability has been discovered in QNAP NAS running QTS and QuTS
hero. If exploited this vulnerability allows attackers to modify files which impact system
integrity.
CVE ID: CVE-2021-28798 (High)
A vulnerability has been discovered in QNAP NAS. The ransomware Qlocker is exploiting this
vulnerability to attack QNAP NAS running certain versions of Hybrid Backup Sync (HBS) 3.
Once a NAS is infected, the ransomware moves files on the NAS into password-protected 7z
archives. To prevent infection from Qlocker update HBS 3 to the latest version.
CVE ID: CVE-2021-28799 (Critical)
In Trusted Firmware-M which is developed as an Open Source project under an Open Governance
Model cleaning up the memory allocated for a multi-part cryptographic operation (in the
event of a failure) can prevent the abort() operation in the associated cryptographic
library from freeing internal resources, causing a memory leak. The affected versions are
Trusted Firmware-M through 1.3.0.
CVE ID: CVE-2021-32032
Multiple vulnerabilities such as Remote Code Execution (RCE), privilege
escalation,authenticated remote code execution and information disclosure have been
discovered in Nagios XI and Nagios Fusion servers. An attacker may exploit some of these
vulnerabilities to take control of an affected system.
Cisco has released security updates to address multiple vulnerabilities in several Cisco
products. A remote attacker can exploit some of these vulnerabilities to take control of an
affected system.
Google has released update for Chrome Dev channel to version 92.0.4512.3/6 for Windows
92.0.4512.4 for Mac and Linux. This version addresses vulnerabilities that an attacker can
exploit to take control of an affected system.
An authorization bypass vulnerability has been discovered when using AUTO_PASSTHROUGH in
istio servicemesh. An update for servicemesh is now available for OpenShift Service Mesh
1.1.
CVE ID: CVE-2021-31921
Multiple vulnerabilities have been discovered in keycloak based Red Hat Single Sign-On. New
Red Hat Single Sign-On 7.4.7 packages are now available for Red Hat Enterprise Linux 6.
CVE ID: CVE-2021-3461, CVE-2021-3424
Denial of Service (DoS) vulnerability has been discovered in some versions of ManageOne- an
end-to-end data center management solution.
CVE ID: CVE-2021-22409
A stack overflow vulnerability discovered in libyang can cause a Denial of Service(DoS)
through function lyxml_parse_mem(). lyxml_parse_elem() function can be called recursively,
which will consume stack space and lead to crash. The affected versions are libyang v1.0.225
and below.
CVE ID: CVE-2021-28903
It has been discovered that Pajbot, a Twitch chat bot, is vulnerable to Cross-Site Request
Forgery (CSRF). The affected versions are Pajbot prior to 1.52.
CVE ID: CVE-2021-32632
Multiple vulnerabilities have been discovered in OpenvSwitch which provides standard network
bridging functions and support for the OpenFlow protocol for remote per-flow control of
traffic. An update for openvswitch is now available in Fast Datapath for Red Hat Enterprise
Linux 7.
CVE ID: CVE-2015-8011(Critical), CVE-2020-27827(High), CVE-2020-35498(High)
Multiple vulnerabilities have been discovered in VMware Workstation and Horizon Client for
Windows. Updates and workarounds are available to remediate these vulnerabilities in
affected VMware products.
CVE ID: CVE-2021-21987, CVE-2021-21988, CVE-2021-21989
Multiple vulnerabilities has been discovered in multiple Real-Time Operating Systems (RTOS)
and supporting libraries. Successful exploitation of these vulnerabilities can result in
unexpected behavior such as a crash or a remote code injection/execution.
Multiple vulnerabilities have been discovered in redis.The affected products are SUSE Linux
Enterprise Module for Server Applications 15-SP3 & SUSE Linux Enterprise Module for
Server Applications 15-SP2. The updates are now available.
CVE ID: CVE-2021-21309(High), CVE-2021-29477(High), CVE-2021-29478(High)
A vulnerability has been found in the restricted shell of Cisco Evolved Programmable Network
(EPN) Manager, Cisco Identity Services Engine (ISE), and Cisco Prime Infrastructure which
allow an authenticated, local attacker to identify directories and write arbitrary files to
the file system. CVE ID: CVE-2021-1306
Multiple vulnerabilities have been found in Cisco DNA Spaces Connector which allow an
authenticated, remote attacker to perform a command injection attack on an affected device.
CVE ID: CVE-2021-1559, CVE-2021-1560
Multiple vulnerabilities have been discovered in Cisco DNA Spaces Connector that allow an
authenticated, local attacker to elevate privileges and execute arbitrary commands on the
underlying operating system as root. CVE ID: CVE-2021-1557, CVE-2021-1558
A vulnerability has been discovered in the web-based management interface of Cisco Finesse
which allow an unauthenticated, remote attacker to redirect a user to an undesired web page.
CVE ID: CVE-2021-1358
Multiple vulnerabilities have been discovered in the web-based management interface of Cisco
Finesse that allow an authenticated, remote attacker to conduct a Cross-Site Scripting (XSS)
attack against a user of the interface. CVE ID: CVE-2021-1254
Multiple Vulnerabilities have been discovered in the web-based management interface of
certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points which allow an
authenticated, remote attacker to perform command injection attacks against an affected
device. CVE ID: CVE-2021-1547, CVE-2021-1548, CVE-2021-1549
A vulnerability has been discovered in the CLI of Cisco NX-OS Software which allow an
authenticated, local attacker to access internal services that should be restricted on an
affected device. CVE ID: CVE-2019-1726(High)
A vulnerability has been discovered in the web UI of Cisco Modeling Labs that allow an
authenticated, remote attacker to execute arbitrary commands with the privileges of the web
application on the underlying operating system of an affected Cisco Modeling Labs server.
CVE ID: CVE-2021-1531
A vulnerability has been discovered in the web-based management interface of Cisco Prime
Infrastructure and EPN Manager which allow an authenticated remote attacker to execute
arbitrary commands on an affected system. CVE ID: CVE-2021-1487
It has been discovered that runC incorrectly checked mount targets. An attacker with a
malicious container image can possibly mount the host filesystem into the container and
escalate privileges. CVE ID: CVE-2021-30465
It has been discovered that pip-Python package installer incorrectly handled unicode
separators in git references. A remote attacker can possibly use this issue to install a
different revision on a repository.
Multiple Vulnerabilities have been found in Pillow-Python Imaging Library. If a user or
automated system are tricked into opening a specially-crafted file, a remote attacker can
cause Pillow to crash or hand, resulting in a Denial of Service. CVE ID: CVE-2021-28677, CVE-2021-28675, CVE-2021-28678, CVE-2021-25287,
CVE-2021-25288, CVE-2021-28676
A vulnerability has been discovered in Babel-tools for internationalizing python
applications. If the user incorrectly handled certain inputs an attacker can possibly use
this issue to execute arbitrary code. CVE ID: CVE-2021-20095(High)
Security Update has been released for OpenShift Container Platform 4.7.11 that fixes
multiple vulerabilities. The Red Hat OpenShift Container Platform is designed for on-premise
or private cloud deployments. CVE ID: CVE-2021-3121, CVE-2021-20206
Multiple vulnerabilities have been discovered in Red Hat JBoss Enterprise Application
Platform 7.3.7. Security updates are now available for Red Hat JBoss Enterprise Application
Platform 7.3 CVE ID: CVE-2020-13936(High), CVE-2021-21290(Medium), CVE-2021-21295(Medium)
Multiple vulnerabilities have been discovered in Red Hat JBoss Enterprise Application
Platform 7.3.7 on RHEL 8. Security updates are now available for Red Hat JBoss Enterprise
Application Platform 7.3 on RHEL 8 CVE ID: CVE-2020-13936(High), CVE-2021-21290(Medium), CVE-2021-21295(Medium)
Multiple vulnerabilities have been discovered in Red Hat JBoss Enterprise Application
Platform 7.3.7 on RHEL 7. Security updates are now available for Red Hat JBoss Enterprise
Application Platform 7.3 on RHEL 7 CVE ID: CVE-2020-13936(High), CVE-2021-21290(Medium), CVE-2021-21295(Medium)
Multiple vulnerabilities have been discovered in Red Hat JBoss Enterprise Application
Platform 7.3.7 on RHEL 6. Security updates are now available for Red Hat JBoss Enterprise
Application Platform 7.3 on RHEL 6 CVE ID: CVE-2020-13936(High), CVE-2021-21290(Medium), CVE-2021-21295(Medium)
Security update has been released for Red Hat OpenShift GitOps 1.1 that fixes multiple
vulnerabilities. CVE ID: CVE-2020-15586, CVE-2020-16845, CVE-2020-25648, CVE-2020-25692,
CVE-2020-28362, CVE-2021-3114, CVE-2021-3557, CVE-2021-20305, CVE-2021-25215
A Denial of Service (DoS) vulnerability has been discovered in Huawei smartphone products
HUAWEI Mate 30 & HUAWEI Mate 30 (5G). The module does not verify certain parameters
sufficiently and it leads to some exceptions. CVE ID: CVE-2021-22364
A resource management error vulnerability has been discovered in Some Huawei Products. An
authenticate attacker can perform specific operations to exploit this vulnerability &
due to improper resource management function this can cause service abnormal on affected
devices. CVE ID: CVE-2021-22360
A Denial of Service (DoS) Vulnerability has been discovered in Some Huawei Products. An
attacker can exploit vulnerability by sending specifically crafted message to a targeted
device & due to insufficient input validation, successful exploit can cause DoS. CVE ID: CVE-2021-22359
Multiple Vulnerabilities have been discovered in Linux kernel for Ubuntu 20.04 LTS and
Ubuntu 18.04 LTS specifically for Raspberry Pi devices. A local attacker can use these
vulnerabilities to cause a Denial of Service (system crash) and gain elevated
privileges. CVE ID: CVE-2021-29265(Medium), CVE-2021-28660(High), CVE-2021-30002(Medium),
CVE-2020-25639, CVE-2021-28038(Medium), CVE-2021-29650(Medium), CVE-2021-28375(High)
Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher,
and HTTP data objects. Security Update has been released for squid:4 in Red Hat Enterprise
Linux 8 that fixes improper input validation allowing a trusted client to perform HTTP
request smuggling.
CVE ID: CVE-2020-25097(High)
Security Update has been released for Red Hat IdM:DL1 in Red Hat Enterprise Linux 8 that
fixes NULL dereference (DoS) with specially crafted Binding DN. Red Hat IdM is a centralized
authentication, identity management, and authorization solution for both traditional and
cloud-based enterprise environments.
CVE ID: CVE-2021-3480
Security Update has been released for Berkeley Internet Name Domain (BIND)-an implementation
of the Domain Name System (DNS) protocols in Red Hat Enterprise Linux 8. The vulnerability
can cause an assertion check fail while answering queries for DNAME records that require the
DNAME to be processed to resolve itself.
CVE ID: CVE-2021-25215(High)
Security Update has been released for Red Hat OpenShift Serverless 1.10.2 that fixes
incorrect operations on the P-224 curve and packages using cgo causing arbitrary code
execution at build time.
Persistent Cross-Site Scripting (XSS) vulnerability has been discovered in the web interface
of Concerto that allows an unauthenticated remote attacker to introduce arbitrary JavaScript
by injecting an XSS payload into the First Name or Last Name parameter upon registration.
The affected versions are Concerto through 2.3.6.
CVE ID: CVE-2021-31930
It has been discovered that HedgeDoc is vulnerable to a cross-site scripting attack using
the YAML-metadata of a note. An attacker with write access to a note can embed HTML tags in
the Open Graph metadata section of the note, resulting in the frontend rendering the script
tag as part of the '<head>' section. The affected versions are HedgeDoc
prior to 1.8.2.
CVE ID: CVE-2021-29503 (High)
A cross-site scripting vulnerability has been discovered in Adminer that affects users of
MySQL, MariaDB, PgSQL and SQLite. The affected versions are Adminer versions 4.6.1 to 4.8.0
CVE ID: CVE-2021-29625 (High)
Multiple vulnerabilities have been discovered in Red Hat OpenShift Container Storage. The
updates for Red Hat OpenShift Container Storage 4.7.0 on Red Hat Enterprise Linux 8 are now
available.
Integer overflow vulnerability via STRALGO LCS command has been discovered in redis- an
advanced key-value store. An update for the redis:6 module is now available for Red Hat
Enterprise Linux 8.
CVE ID: CVE-2021-29477 (High)
NULL dereference (DoS) vulnerability with specially crafted Binding DN has been discovered
in slapi-nis. An update for slapi-nis is now available for Red Hat Enterprise Linux 7.
CVE ID: CVE-2021-3480
Integer overflow vulnerability has been discovered in Intel(R) Graphics Drivers kernel. An
update for linux-firmware is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2020-12362 (High)
Miltiple vulnerabilities such as use-after-free, out-of-bounds write, stack buffer overflow,
and heap out-of-bounds have been discovered in grub2 of shim. An update for shim,
shim-unsigned-aarch64, and shim-unsigned-x64 is now available for Red Hat Enterprise Linux
8.
It has been discovered that IBM Maximo Asset Management is vulnerable to stored Cross-Site
Scripting (XSS). This vulnerability allows users to embed arbitrary JavaScript code in the
Web UI thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session. The affected versions are IBM Maximo Asset Management
7.6.0 and 7.6.1.
CVE ID: CVE-2021-20374 (Medium)
Security Update has been released for Pandoc-a Haskell library for converting from one
markup format to another in Red Hat Enterprise Linux 8 that fixes exponential time to parse
certain inputs leading to Denial of Service (DoS).
CVE ID: CVE-2020-5238(Medium)
Multiple vulnerabilities have been discovered in Mingw- a free and open source software
development environment to create Microsoft Windows applications. Security update has been
released for mingw-binutils, mingw-bzip2, mingw-filesystem, and mingw-sqlite for Red Hat
Enterprise Linux 8.
CVE ID: CVE-2019-16168(Medium), CVE-2020-13434(Medium) ,CVE-2020-13630(High),
CVE-2020-13631(Medium), CVE-2020-13632(Medium)
Multiple vulnerabilities have been discovered in RHEL8 Rust toolset- a systems programming
language that runs blazingly fast, prevents segfaults, and guarantees thread safety.Security
update has been released for Rust-toolset:rhel8 in Red Hat Enterprise Linux 8 that fixes
flaws like use-after-free or double free in VecDeque::make_contiguous and memory safety
violation in String::retain().
CVE ID: CVE-2020-36317(High), CVE-2020-36318(Critical)
An improper pathname handling vulnerability has been discovered in ruby-rack-cors a
middleware that makes Rack-based apps CORS compatible, resulting in access to private
resources.
CVE ID: CVE-2019-18978 (Medium)
Multiple Vulnerabilities have been discovered in SUSE MicroOS 5.0 that can allow attacker to
obtain sensitive information from kernel memory or Denial of Service (DoS) or take control
of affected system.
The Chrome stable channel has been updated to 90.0.4430.218 (Platform version: 13816.80.0)
for most Chrome OS devices. This build contains a number of bug fixes and security updates.
Multiple vulnerabilities have been discovered in Emerson's Equipment- Rosemount X-STREAM Gas
Analyzer software. Successful exploitation of these vulnerabilities can allow an attacker to
obtain sensitive information, modify configuration, or affect the availability of the
device.
CVE ID: CVE-2021-27457 (High), CVE-2021-27459 (High), CVE-2021-27461 (High),
CVE-2021-27463 (Medium), CVE-2021-27465 (Medium), CVE-2021-27467 (Medium)
Multiple vulnerabilities have been discovered in libvncserver - a C library that enables to
implement VNC server functionality . An attacker can exploit some of these vulnerabilities
to take control of an affected system.
CVE ID: CVE-2018-21247 (High), CVE-2019-20839 (High), CVE-2020-14397 (High),
CVE-2020-14405 (Medium), CVE-2020-25708 (High)
It has been discovered that in bluez double free in gatttool client disconnect callback
handler in src/shared/att.c which can lead to Denial of Service (DoS) or Remote Code
Execution (RCE). An update for bluez is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2020-27153 (High)
Multiple vulnerabilities such as heap-based buffer overflow and out of bounds array have
been discovered in raptor2- the RDF Parser Toolkit for Redland. . An update for raptor2 is
now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2020-25713, CVE-2017-18926 (High)
A symbolic link attack in SELinux-enabled and a possible directory existence test due to
race condition have been discovered in sudoedit for sudo. An update for sudo is now
available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2021-23240 (High), CVE-2021-23239 (Low)
It has been discovered that when effective UID is not equal to its real UID the saved UID is
not dropped in bash. An update for bash is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2019-18276 (High)
Multiple vulnerabilities such as out of bounds read, and integer overflow have been
discovered in FreeRDP- a free implementation of the Remote Desktop Protocol (RDP) . An
update for FreeRDP is now available for Red Hat Enterprise Linux 8.
Multiple vulnerabilities such as use-after-free, buffer overflow, NULL pointer dereference,
and division by zero have been discovered in ghostscript- utilities for rendering PostScript
and PDF documents. An update for ghostscript is now available for Red Hat Enterprise Linux
8.
Multiple vulnerabilities such as integer overflow, out-of-bounds write, infinite loop,
symbolic link traversal, assertion failure and Denial of Service have been discovered in
unbound- a validating, recursive, and caching DNS or DNSSEC resolver. An update for unbound
is now available for Red Hat Enterprise Linux 8.
An authentication bypass vulnerability in saml authentication in crewjam/saml and XSS
vulnerability via a query alias for the Elasticsearch and Testdata datasource have been
discovered in grafana- an open source, feature rich metrics dashboard and graph editor for
Graphite, InfluxDB & OpenTSDB. An update for grafana is now available for Red Hat
Enterprise Linux 8.
CVE ID: CVE-2020-27846 (Critical), CVE-2020-24303 (Medium)
A vulnerability in NetworkManager & libnma has been discovered that Profile with
match.path setting triggers crash . An update for NetworkManager and libnma is now available
for Red Hat Enterprise Linux 8.
CVE ID: CVE-2021-20297
A Denial of Service (DoS) Vulnerability has been found in Mitsubishi Electric MELSEC iQ-R, Q
and L series CPU modules due to uncontrolled resource consumption. When the CPU module
receives a specially crafted packet from a malicious attacker, Ethernet communication may
enter a DoS condition.
CVE ID: CVE-2020-16850 (High)
A Denial of Service (DoS) Vulnerability has been found in Mitsubishi Electric MELSEC iQ-R, Q
and L series CPU modules due to uncontrolled resource consumption. When the CPU module
receives a specially crafted packet from a malicious attacker, Ethernet communication may
enter a DoS condition.
CVE ID: CVE-2020-5652 (High)
A Denial of Service (DoS) Vulnerability has been found in MELSEC iQ-R series modules due to
uncontrolled resource consumption. When a module receives a specially crafted SLMP packet
from a malicious attacker, the program execution and communication may enter a DoS
condition.
CVE ID: CVE-2020-5668 (High)
A Vulnerability has been discovered in Mitsubishi Electric robot controller of MELFA FR
Series and CR Series as well as cooperative robot ASSISTA due to a resource management
errors. These robot controllers allow an attacker to cause a Denial of Service (DoS) of the
execution of the robot program and the Ethernet communication by sending a large amount of
packets in burst over a short period of time.
CVE ID: CVE-2021-20586 (High)
Multiple vulnerabilities have been discovered in Siemens' Equipment- JT2Go and Teamcenter
Visualization. An attacker can exploit some of these vulnerabilities to take control of an
affected system.
A Vulnerability has been discovered in Juniper Networks SRX Series devices that leads to
memory leak when querying Aggregated Ethernet (AE) interface statistics. The affected
products are Junos OS 17.1 versions 17.1R3 and above prior to 17.3R3-S11, 17.4, 18.2, 18.3,
18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2, 20.3.
CVE ID: CVE-2021-0230 (High)
A memory corruption issue has been discovered in Apple boot camp 6.1.14. A malicious
application may be able to elevate privileges. The affected products are Mac Pro (Late 2013
and later), MacBook Pro (Late 2013 and later), MacBook Air (Mid 2013 and later), Mac mini
(Mid 2014 and later), iMac (Mid 2014 and later), MacBook (Early 2015 and later), iMac Pro
(Late 2017). Apple security updates are available.
CVE ID: CVE-2021-30675
Twelve vulnerabilities have been discovered in frame aggregation and fragmentation
implementations of 802.11 standard in Cisco products, out of which one vulnerability is in
the frame aggregation functionality, two vulnerabilities are in the frame fragmentation
functionality, and the other nine are implementation vulnerabilities. These vulnerabilities
can allow an attacker to forge encrypted frames, which can in turn enable the exfiltration
of sensitive data from a targeted device.
A vulnerability has been discovered in the web-based management interface of Cisco Unified
Intelligence Center Software that can allow an unauthenticated, remote attacker to conduct a
Cross-Site Scripting (XSS) attack.
CVE ID: CVE-2021-1463(Medium)
Multiple Vulnerabilities have been discovered in JT2Go and Teamcenter Visualization which
can be triggered when the products read files in different file formats. If a user is
tricked to opening of a malicious file with the affected products, this can lead to
application crash, or potentially arbitrary code execution or data extraction on the target
host system. The update has been released to fix these vulnerabilities.
Multiple Vulnerabilities have been discovered in JT2Go and Teamcenter Visualization which
can be triggered when the products read files in different file formats. If a user is
tricked to opening of a malicious file with the affected products, this can lead to
application crash, or potentially arbitrary code execution or data extraction on the target
host system. The update has been released to fix these vulnerabilities.
Multiple Vulnerabilities have been discovered in JT2Go and Teamcenter Visualization which
can be triggered when the products read files in different file formats. If a user is
tricked to opening of a malicious file with the affected products, this can lead to
application crash, or potentially arbitrary code execution or data extraction on the target
host system. The update has been released to fix these vulnerabilities.
A vulnerability has been discovered in Eventlet - concurrent networking library incorrectly
handled certain requests. An attacker can possibly use this issue to cause a Denial of
Service.
CVE ID: CVE-2021-21419 (Medium)
It has been discovered that the caribou-configurable on screen keyboard with scanning mode
can be made to crash when given certain input values. An attacker can use this to bypass
screen-locking applications that support using caribou as an input mechanism.
CVE ID: CVE-2020-25712 (High)
A vulnerability has been discovered that in InvoicePlane-a self-hosted open source
application for managing quotes, invoices, clients and payments. A misconfigured web server
allows unauthenticated directory listing and file download. The affected version is
InvoicePlane 1.5.11.
CVE ID: CVE-2021-29024
Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web
page. It has been discovered that when uploading a file, the local file preview can lead to
execution of scripts embedded in the uploaded file. This only impacts the local user while
in the process of uploading. The affected versions are Matrix-React-SDK versions prior to
3.21.0.
CVE ID: CVE-2021-32622 (Medium)
Multiple vulnerabilities have been discovered in Intel Microcode processor-a processor
microcode for Intel CPUs. A local attacker can possibly use these vulnerabilities to expose
sensitive information.
CVE ID: CVE-2020-8695 (Medium), CVE-2020-8696 (Medium), CVE-2020-8698 (Medium)
Multiple vulnerabilities have been discovered in Rust-Pleaser-Please package,a polite
regex-first sudo alternative. A local attacker can use these vulnerabilities to cause Please
to crash, resulting in a Denial of Service (DoS), or possibly escalate privileges.
CVE ID: CVE-2021-31155, CVE-2021-31154, CVE-2021-31153
DjVuLibre- a DjVu image format library and tools incorrectly handled certain memory
operations. If a user or automated system is tricked into processing a specially crafted
DjVu file, a remote attacker can cause applications to hang or crash, resulting in a Denial
of Service, or possibly execute arbitrary code.
CVE ID: CVE-2021-32493, CVE-2021-32490, CVE-2021-3500, CVE-2021-32492, CVE-2021-32491
Security update has been released for lz4 - lossless compression algorithm that fixes
multiple vulnerabilities.
CVE ID: CVE-2021-3520, CVE-2019-17543(High)
Buffer overflow vulnerability has been discovered in the Pulse Connect Secure (PCS) gateway,
this allows a remote authenticated user with privileges to browse SMB shares to execute
arbitrary code as the root user. The affected versions are PCS 9.0Rx, and 9.1Rx. It is
recommended to upgrade the PCS server software version to the 9.1R.11.5.
CVE ID: CVE-2021-22908 (High)
Multiple vulnerabilities have been discovered in multiple IBM products. An attacker can
exploit some of these vulnerabilities to take control of an affected system.
An Advanced Persistent Threat (APT) actor added malicious code to multiple versions of
SolarWinds Orion. After entering the network, the threat actor bypassed Multi-Factor
Authentication (MFA) and moved laterally to Microsoft Cloud systems by compromising
federated identity solutions. Eviction guidance for networks affected is available.
Multiple vulnerabilities have been discovered in jetty, a Java servlet engine and webserver.
An attacker can reveal cryptographic credentials such as passwords to a local user, disclose
installation paths, hijack user sessions or tamper with collocated webapps. It is
recommended to upgrade the jetty9 packages.
CVE ID: CVE-2017-9735 (High), CVE-2018-12536 (Medium), CVE-2019-10241 (Medium),
CVE-2019-10247 (Medium), CVE-2020-27216 (High)
It has been discovered that the memcpy() implementation for 32 bit ARM processors in the GNU
C Library contained an integer underflow vulnerability and the POSIX regex implementation in
the GNU C Library do not properly parse alternatives. An attacker can possibly use these to
cause a Denial of Service or execute arbitrary code.
CVE ID: CVE-2020-6096 (High), CVE-2009-5155 (High)
Multiple vulnerabilities have been discovered in Cisco products. These vulnerabilities can
allow an attacker to forge encrypted frames, which can in turn enable the exfiltration of
sensitive data from a targeted device.
Red Hat AMQ Streams 1.6.4 has been released that replaces Red Hat AMQ Streams 1.6.2 and also
fixes numerous security vulnerabilities.
CVE ID: CVE-2021-28163(Low), CVE-2021-28164(Medium), CVE-2021-28165(High)
Security update has been released for the Linux Kernel that solves multiple vulnerabilities.
CVE ID: CVE-2020-36310, CVE-2020-36312, CVE-2020-36322, CVE-2021-28950,
CVE-2021-29155, CVE-2021-29650
Multiple vulnerabilities related to the functionality of Wi-Fi devices have been found that
affect multiple products. Exploitation of these vulnerabilities may result in data
exfiltration.
It has been discovered that Dell EMC XtremIO contain a Cross-Site Request Forgery(CSRF)
vulnerability in XMS. A non-privileged attacker can potentially exploit this vulnerability,
leading to a privileged victim application user being tricked into sending state-changing
requests to the vulnerable application, causing unintended server operations. The affected
products are Dell EMC XtremIO Versions prior to 6.3.3-8.
CVE ID: CVE-2021-21549 (High)
WordPress versions between 3.7 and 5.7.1 are affected by Object injection vulnerability. An
attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2020-36326 (Critical), CVE-2018-19296 (High)
Exposure of sensitive information to an unauthorised actor vulnerability has been discovered
in Unified Automation GmbH's Equipment- .NET applications. Successful exploitation of this
vulnerability can allow an unauthenticated attacker to read any file on the file system.
CVE ID: CVE-2021-27434 (High)
Uncontrolled recursion vulnerability has been discovered in OPC Foundation's Equipment- OPC
UA Servers. Successful exploitation of this vulnerability can trigger a stack overflow.
CVE ID: CVE-2021-27432 (High)
Off-by-one error vulnerability has been discovered in Johnson Controls' Equipment- Tyco AI.
Under specific circumstances, a local attacker can use this vulnerability to obtain
super-user access to the underlying openSUSE Linux operating system. The affected products
are Tyco AI all versions up to and including v1.2.
CVE ID: CVE-2021-3156 (High)
Deserialization of untrusted data, path traversal, and improper input validation have been
discovered in Rockwell Automation's Equipment- Connected Components Workbench. Successful
exploitation of these vulnerabilities may allow remote code execution, authentication
bypass, or privilege escalation.
CVE ID: CVE-2021-27475 (High), CVE-2021-27471 (High), CVE-2021-27473 (Medium)
Multiple vulnerabilities have been discovered in NetApp products. An attacker can exploit
some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in PostgreSQL. An attacker can exploit some of
these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-32027, CVE-2021-32028, CVE-2021-32029
A potential memory corruption vulnerability has been discovered in the lz4 compression
algorithm library. It is recommended to upgrade the lz4 packages.
CVE ID: CVE-2021-3520
Privilege escalation vulnerability has been discovered in .NET Core single-file application.
An update for rh-dotnet50-dotnet is now available for .NET on Red Hat Enterprise Linux.
CVE ID: CVE-2021-31204
An Authentication Bypass vulnerability has been discovered in the SAML Authentication
component of BlackBerry Workspaces Server (deployed with Appliance-X) which can allow an
attacker to potentially gain access to the application in the context of the targeted user’s
account. The affected versions are BlackBerry Workspaces Server 10.1, 9.1 and earlier.
CVE ID: CVE-2021-22155
It has been discovered that Deskpro Cloud Platform and on-premise 2020.2.3.48207 from
2020-07-30 contains a Cross-Site Scripting (XSS) vulnerability that can lead to an account
takeover via custom email templates.
CVE ID: CVE-2020-28722
A vulnerability has been discovered in keycloak. Directories can be created prior to the
Java process creating them in the temporary directory, but with wider user permissions,
allowing the attacker to have access to the contents that keycloak stores in this directory.
CVE ID: CVE-2021-20202
A vulnerability has been discovered in Endpoint Security for Linux - Threat Prevention and
Firewall (ENSL TP/FW) version 10.7.x, 10.6.x &10.5.x . By exploiting a Time Of Check To
Time Of Use (TOCTOU) race condition during the Endpoint Security for Linux Threat Prevention
and Firewall (ENSL TP/FW) installation process, a local user can perform a privilege
escalation attack to obtain administrator privileges for the purpose of executing arbitrary
code through insecure use of predictable temporary file locations.
CVE ID: CVE-2021-23892 (High)
Adobe has released security updates to address vulnerabilities in multiple Adobe products.
An attacker can exploit some of these vulnerabilities to take control of an affected system.
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A
remote attacker can exploit some of these vulnerabilities to take control of an affected
system.
A vulnerability has been that can result in a local user escalating their privilege level to
SYSTEM on the computer running Citrix Workspace app for Windows.
CVE ID: CVE-2021-22907
Multiple vulnerabilities have been discovered in Juniper Networks Mist Access Points. An
attacker can exploit some of these vulnerabilities to take control of an affected system.
Buffer Access with Incorrect Length Value vulnerability has been discovered in Mitsubishi
Electric Corporation's Equipment- GOT and Tension Controller. Successful exploitation of
this vulnerability may be able to stop the communication function of the products, requiring
a reset to regain functionality.
CVE ID: CVE-2021-20589 (Medium)
Stack-based Buffer Overflow vulnerability has been discovered in Omron's Equipment- CX-One.
Successful exploitation of this vulnerability may allow arbitrary code execution.
CVE ID: CVE-2021-27413 (High)
Multiple vulnerabilities have been discovered in multiple products of Siemens. A remote
attacker can exploit some of these vulnerabilities to take control of an affected system.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Multiple vulnerabilities have been discovered in kernel. An update for kernel is now
available for Red Hat Enterprise Linux 7.7 Extended Update Support.
SAP has released security updates to address multiple critical vulnerabilities affecting
several products. An attacker can exploit some of these vulnerabilities to take control of
an affected system.
Google has released Chrome version 90.0.4430.212 for Windows, Mac, and Linux. This version
addresses vulnerabilities that an attacker can exploit to take control of an affected
system.
Multiple vulnerabilities have been discovered in the WebKitGTK Web and JavaScript engines.
If a user is tricked into viewing a malicious website, a remote attacker can exploit
multiple vulnerabilities related to web browser security, including cross-site scripting
attacks, Denial of Service attacks, and arbitrary code execution.
CVE ID: CVE-2021-1871 (Critical), CVE-2021-1844 (High), CVE-2021-1788 (High)
A vulnerability has been discovered in the Linux kernel's implementation of some networking
protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is
created between two hosts, the kernel isn't correctly routing tunneled data over the
encrypted link rather sending the data unencrypted. This allows anyone in between the two
endpoints to read the traffic unencrypted data.
CVE ID: CVE-2020-1749 (High)
It has been discovered that PyYAML incorrectly handled untrusted YAML files with the
FullLoader loader. A remote attacker can possibly use this issue to execute arbitrary code.
CVE ID: CVE-2020-14343 (Critical)
An out-of-bounds memory access vulnerability has been discovered in Hivex, a library to
parse Windows Registry hive files. It is recommended to upgrade the hivex packages.
CVE ID: CVE-2021-3504
Multiple vulnerabilities have been discovered in libxml2, a library providing support to
read, modify and write XML and HTML files, which can cause Denial of Service via application
crash when parsing specially crafted files. It is recommended to upgrade the libxml2
packages.
CVE ID: CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3537
It has been discovered that Exiv2- EXIF/IPTC/XMP metadata manipulation tool incorrectly
handled certain images. An attacker can possibly use these vulnerabilities to cause a Denial
of Service or execute arbitrary code or cause a crash.
CVE ID: CVE-2021-29457 (High), CVE-2021-3482 (Medium), CVE-2021-29458 (medium),
CVE-2021-29470 (Medium)
Insufficient input validation vulnerability has been discovered in the Marvin Minsky 1967
implementation of the Universal Turing Machine allows program users to execute arbitrary
code via crafted data.
CVE ID: CVE-2021-32471
A vulnerability has been discovered in Tenda AC11 devices with firmware through
02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows
attackers to execute arbitrary code on the system via a crafted post request.
CVE ID: CVE-2021-31758
A vulnerability has been discovered in Foxit Reader that allows remote attackers to execute
arbitrary code. The affected version is Foxit Reader 10.1.1.37576.
CVE ID: CVE-2021-31458
On 30th September 2021, the root certificate that Let's Encrypt are currently using, the
IdentTrust DST Root CA X3 certificate, is expiring, breaking a chain of trust that can
result in widespread problems during HTTPS communication. Any website or application using
this certificate will be unreachable with a warning that accessing the website or
application can be dangerous.
SIF is an open source implementation of the Singularity Container Image Format. The `siftool
new` command and func siftool.New() produce predictable UUID identifiers due to insecure
randomness in the version of the `github.com/satori/go.uuid` module used as a dependency.
CVE ID: CVE-2021-29499 (High)
A vulnerability has been discovered in Emote Remote Mouse. It uses cleartext HTTP to check,
and request, updates. Thus, attackers can machine-in-the-middle a victim to download a
malicious binary in place of the real update, with no SSL errors or warnings. The affected
versions are Emote Remote Mouse through 4.0.0.0.
CVE ID: CVE-2021-27574
An integer overflow vulnerability exists in the APIs of the host MCU while trying to connect
to a WIFI network can lead to vulnerabilities such as a denial-of-service condition or code
execution on the SimpleLink Wi-Fi.
CVE ID: CVE-2021-22677
It has been discovered that HashiCorp vault-action- a tool for secrets management,
encryption as a service, and privileged access management allows attackers to obtain
sensitive information from log files because a multi-line secret is not correctly registered
with GitHub Actions for log masking. The affected version is HashiCorp vault-action before
2.2.0.
CVE ID: CVE-2021-32074
Multiple vulnerabilities have been discovered in Ceph Storage. An update is now available
for Red Hat Ceph Storage 3.3 - Extended Life Support on Red Hat Enterprise Linux 7.
CVE ID: CVE-2020-27781 (High), CVE-2020-13379 (High), CVE-2021-3139 (High),
CVE-2020-12059 (High)
Multiple vulnerabilities have been discovered in Open Design Alliance's Equipment- Drawings
SDK, a software development kit for DWG and DGN. Successful exploitation of these
vulnerabilities can allow code execution in the context of the current process or cause a
denial-of-service condition.
CVE ID: CVE-2021-25178 (High), CVE-2021-25177 (High), CVE-2021-25176 (High),
CVE-2021-25175 (High), CVE-2021-25174 (High), CVE-2021-25173 (High)
Multiple vulnerabilities have been discovered in Unbound-a validating, recursive, caching
DNS resolver. Integer overflows, assertion failures, an out-of-bound write and an infinite
loop vulnerabilities may lead to a denial-of-service or have a negative impact on data
confidentiality. It is recommended to upgrade the unbound1.9 packages.
Multiple vulnerabilities have been discovered in jackson-databind and golang for Openshift
Logging. Red Hat OpenShift Logging release 5.0.3 is available with updates to packages and
images that fix several bugs and security issues.
Multiple vulnerabilities have been discovered in postgresql-an advanced object-relational
Data Base Management System (DBMS). An update for postgresql is now available for Red Hat
Enterprise Linux 7.
CVE ID: CVE-2020-25694 (High), CVE-2020-25695 (High), CVE-2019-10208 (High)
Multiple vulnerabilities have been discovered in netty for Red Hat AMQ Clients. An update is
now available for Red Hat AMQ Clients 2.9.1.
CVE ID: CVE-2021-21290 (Medium), CVE-2021-21295 (Medium), CVE-2021-21409 (Medium)
It has been discovered that GNOME Autoar-archive integration support for GNOME can extract
files outside of the intended directory. If a user is tricked into extracting a specially
crafted archive, a remote attacker can create files in arbitrary locations, possibly leading
to code execution.
CVE ID: CVE-2021-28650 (Medium)
It has been discovered that a proxy functionality built into Hubs Cloud’s Reticulum software
allowed access to internal URLs, including the metadata service.
CVE ID: CVE-2021-29954 (Critical)
Multiple vulnerabilities have been discovered in multiple IBM products. An attacker may
exploit some of these vulnerabilities to take control of an affected system.
A remote code execution vulnerability has been discovered in VMware vRealize Business for
Cloud. A remote attacker can exploit this vulnerability to take control of an affected
system.
CVE ID: CVE-2021-21984 (Critical)
Cisco has released security updates to address vulnerabilities in multiple Cisco products.
An attacker may exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Firefox and Firefox for Android. An
attacker can exploit some of these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-29953 (Critical), CVE-2021-29952 (High)
Multiple vulnerabilities have been discovered in rh-eclipse-jetty. An update for
rh-eclipse-jetty is now available for Red Hat Developer Tools.
CVE ID: CVE-2021-28163 (Low), CVE-2021-28164 (Medium), CVE-2021-28165 (High)
Multiple vulnerabilities have been discovered in mediawiki, a wiki website engine for
collaborative work. An attacker can exploit some of these vulnerabilities to take control of
an affected system.
CVE ID: CVE-2021-20270 (High), CVE-2021-27291 (High), CVE-2021-30152 (Medium),
CVE-2021-30155 (Medium), CVE-2021-30158 (Medium), CVE-2021-30159 (Medium)
It has been discovered that ArcGIS GeoEvent Server has a read-only directory path traversal
vulnerability that can allow an unauthenticated, remote attacker to perform directory
traversal attacks and read arbitrary files on the system. The affected versions are ArcGIS
GeoEvent Server versions 10.8.1 and below.
CVE ID: CVE-2021-29101 (High)
Multiple vulnerabilities have been discovered CGAL-a software project that provides easy
access to efficient and reliable geometric algorithms . An attacker can provide malicious
input to trigger these vulnerabilities.
CVE ID: CVE-2020-28601 (Critical), CVE-2020-28636 (Critical), CVE-2020-35628
(Critical), CVE-2020-35636 (Critical)
Apple has released security updates to address vulnerabilities in Safari 14.1. An attacker
can exploit some of these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-30665, CVE-2021-30663
Use of Hard-coded Credentials vulnerability has been discovered in Advantech's Equipment-
WISE-PaaS/RMM. Successful exploitation of this vulnerability could allow an attacker to
obtain sensitive information.
CVE ID: CVE-2021-27437 (Critical)
Out-of-bounds Write vulnerability has been discovered in Delta Electronics' Equipment-
CNCSoft ScreenEditor. Successful exploitation of this vulnerability could crash the device,
and an out-of-bounds write may allow remote code execution.
CVE ID: CVE-2021-22672 (High)
It has been discovered that Django incorrectly handled certain filenames. A remote attacker
could possibly use this issue to create or overwrite files in unexpected directories.
CVE ID: CVE-2021-31542
It has been discovered that OpenVPN incorrectly handled certain data channel v2 packets, and
deferred authentication. A remote attacker could possibly use this issue to inject packets
using a victim’s peer-id or bypass authentication and access control channel data.
CVE ID: CVE-2020-11810 (Low), CVE-2020-15078
It has been discovered that Exim has multiple vulnerabilities. An attacker could use these
vulnerabilities to cause a denial of service, execute arbitrary code remotely, obtain
sensitive information, or escalate local privileges.
It has been discovered that the NVIDIA GPU display driver for the Linux kernel incorrectly
performed access control, and reference counting. A local attacker could use this issue to
cause a denial of service, expose sensitive information, or escalate privileges.
CVE ID: CVE-2021-1076 (High), CVE-2021-1077 (Medium)
Multiple vulnerabilities have been discovered in various FortiGate products. An attacker
could exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2019-15706 (Medium), CVE-2021-22126 (High), CVE-2021-24011 (High),
CVE-2021-24023 (High)
Multiple vulnerabilities have been discovered in nodejs for Red Hat Advanced Cluster
Management. Red Hat Advanced Cluster Management for Kubernetes 2.2.3 General Availability
release images, which fix several bugs and security vulnerabilities.
CVE ID: CVE-2021-23358 (High), CVE-2021-28918 (Critical), CVE-2020-28469,
CVE-2021-28092 (High), CVE-2021-29418 (Medium)
It has been discovered that Subversion's mod_authz_svn module crashes if the server is using
in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends
a request for a non-existing repository URL. This can lead to disruption for users of the
service. It is recommended to upgrade the subversion packages.
CVE ID: CVE-2020-17525 (High)
It has been discovered that ClamAV incorrectly handled parsing Excel documents, PDF
documents, and email. A remote attacker could possibly use this issue to cause ClamAV to
hang or crash resulting in a denial of service.
CVE ID: CVE-2021-1252 (High), CVE-2021-1404 (High), CVE-2021-1405 (High)
Multiple vulnerabilities such as use-after-free, buffer overflow, command injection, and
unrestricted uploads have been discovered in Pulse Connect Secure (PCS). An attacker can
exploit these vulnerabilities to gain system access and take control of an affected system.
CVE ID: CVE-2021-22894 (Critical), CVE-2021-22899 (Critical), CVE-2021-22900
(Critical)
A vulnerability discovered in the Microsoft Active Directory integration of Cisco Identity
Services Engine (ISE) which can allow an authenticated, local attacker to elevate privileges
on an affected device. A successful exploit can allow the attacker to obtain root privileges
on an affected device.
CVE ID: CVE-2020-27122 (Medium)
The Android Security Bulletin contains details of security vulnerabilities affecting Android
devices. Security patch levels of 2021-05-05 or later address all of these issues.
Apple has released security updates to address vulnerabilities in multiple products. An
attacker can exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in OpenSSL used by AIX. The affected version
are AIX 7.1, 7.2, and VIOS 3.1. An attacker can exploit some of these vulnerabilities to
take control of an affected system.
CVE ID: CVE-2021-23839 (Medium), CVE-2021-23840 (High), CVE-2021-23841 (High)
A vulnerability has been discovered in libimage-exiftool-perl, a library and program to read
and write meta information in multimedia files, which can result in execution of arbitrary
code if a malformed DjVu file is processed. It is recommended to upgrade the
libimage-exiftool-perl packages.
CVE ID: CVE-2021-22204 (High)
Cisco has released security updates to address vulnerabilities in multiple Cisco products.
An attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-1223 (Medium), CVE-2021-1488 (Medium)
Codecov released an update containing new detections including Indicators of Compromise
(IOCs) and a non-exhaustive data set of likely compromised environment variables to assist
organisations in determining whether they have been affected.
Multiple vulnerabilities have been discovered in Texas Instruments' Equipment- SimpleLink
Wi-Fi, MSP432, CC13XX, CC26XX, CC32XX, CC3100. Successful exploitation of these
vulnerabilities can result in memory corruption, allowing remote code execution and causing
a Denial-of-Service (DoS) condition.
CVE ID: CVE-2021-22677 (High), CVE-2021-22673(High), CVE-2021-22675(High),
CVE-2021-22679(Critical), CVE-2021-22671(Critical)
Path Traversal vulnerability has been discovered in Cassia Networks' Equipment- Access
Controller. Successful exploitation of this vulnerability can allow an attacker to read any
file from the Access Controller server.
CVE ID: CVE-2021-22685 (Medium)
An Off-by-one Error vulnerability has been discovered in Johnson Controls' Equipment-
exacqVision. A local attacker can exploit this vulnerability to obtain “Super User” access
to the underlying Ubuntu Linux operating system.
CVE ID: CVE-2021-3156 (High)
An Integer Overflow or Wraparound vulnerability has been discovered in in multiple Real-Time
Operating Systems (RTOS) and supporting libraries. Successful exploitation of these
vulnerabilities can result in unexpected behavior such as a crash or a remote code
injection/execution.
It has been discovered that composer, a dependency manager for PHP, do not properly sanitize
Mercurial URLs, which can lead to arbitrary code execution. It is recommended to upgrade the
composer packages.
CVE ID: CVE-2021-29472 (High)
Multiple vulnerabilities have been discovered in edk2, firmware for virtual machines.
Integer and stack overflows and uncontrolled resource consumption may lead to a
Denial-of-Service or allow an authenticated local user to potentially enable escalation of
privilege. It is recommended to upgrade the edk2 packages.
A vulnerability has been discovered in Samba- SMB/CIFS file, print, and login server for
Unix. Samba incorrectly handled certain negative idmap cache entries. This issue can result
in certain users gaining unauthorized access to files, contrary to expected behaviour.
CVE ID: CVE-2021-20254
Multiple vulnerabilities have been discovered that Bind-Internet Domain Name Server. A
remote attacker can possibly use this issue to cause Bind to crash, resulting in a denial of
service (DoS).
CVE ID: CVE-2021-25215(High), CVE-2021-25214(Medium), CVE-2021-25216(High)
It has been discovered that BIG-IP Advanced WAF and ASM are missing authorization checks for
file uploads to a specific directory within the REST API. A authenticated attacker with
guest privileges may Create / Overwrite Arbitrary Files.
CVE ID: CVE-2021-23014 (Medium)
It has been discovered that GStreamer Good Plugins incorrectly handled certain files. An
attacker can possibly use this issue to cause access sensitive information, execute
arbitrary code or cause a crash.
CVE ID: CVE-2021-3498 (High) CVE-2021-3497 (High)
It has been discovered that Lack of input validation for items used in system support
functionality may allow users granted either "Resource Administrator" or "Administrator"
roles to execute arbitrary bash commands on several BIG-IP products.
CVE ID: CVE-2021-23012
A vulnerability has been discovered in the CLI of Cisco Firepower Threat Defense (FTD)
Software which allow an authenticated, local attacker to overwrite files on the file system
of an affected device by using directory traversal techniques. A successful exploit can
cause system instability if important system files are overwritten.
CVE ID: CVE-2021-1256, CVE-2021-1402
Multiple vulnerabilities are discovered in plugins for the GStreamer media framework, which
may result in Denial of Service or potentially the execution of arbitrary code if a
malformed media file is opened. It is recommended to upgrade the gst-plugins-base1.0
packages.It has been discovered that the Shibboleth Service Provider is prone to a NULL
pointer dereference flaw in the cookie-based session recovery feature. A remote
unauthenticated attacker can take advantage of this flaw to cause a Denial of Service.
CVE ID: CVE-2021-31826
Multiple vulnerabilities are discovered in plugins for the GStreamer media framework, which
may result in Denial of Service or potentially the execution of arbitrary code if a
malformed media file is opened. It is recommended to upgrade the gst-plugins-base1.0
packages.
Multiple vulnerabilities have been discovered etcd packages - a highly available key-value
store for shared configuration.The affected products are Red Hat Enterprise Linux Server 7
x86_64, Red Hat Enterprise Linux for IBM z Systems 7 s390x & Red Hat Enterprise Linux
for Power, little endian 7 ppc64le. An update for etcd is now available for Red Hat
Enterprise Linux 7 Extras.
CVE ID: CVE-2020-15106(Medium) , CVE-2020-15112(Medium)
A vulnerability has been discovered in Red Hat Fuse 7.8.1. A micro version update (from
7.8.0 to 7.8.1) is now available for Red Hat Fuse on Karaf and Red Hat Fuse on Spring Boot
2.
CVE ID: CVE-2020-28052(High)
A vulnerability NULL pointer dereference for unauthenticated packet in slapd has been
discovered in OpenLDAP - an open-source suite of Lightweight Directory Access Protocol
(LDAP) applications and development tools. An update for openldap is now available for Red
Hat Enterprise Linux 7.
CVE ID: CVE-2020-25692(High)
A vulnerability TLS 1.3 CCS flood remote DoS Attack has been discovered Network Security
Services (NSS)- a set of libraries designed to support the cross-platform development of
security-enabled client and server applications. An update for NSS is now available for Red
Hat Enterprise Linux 7.
CVE ID: CVE-2020-25648(High)
Multiple vulnerabilities such as hard link privilege escalation, out-of-bounds read
information disclosure and improper access control have been discovered in Trend Micro
Products. A remote attacker can exploit some of these vulnerabilities to trigger elevation
of privilege, remote code execution and sensitive information disclosure on the targeted
system. The updates are available.
Google has released Chrome version 90.0.4430.93 for Windows, Mac, and Linux. This version
addresses vulnerabilities that an attacker can exploit to take control of an affected
system.
The Defending Against Software Supply Chain Attacks, released by CISA and the National
Institute of Standards and Technology (NIST), provides an overview of software supply chain
risks and recommendations on how software customers and vendors can use the NIST Cyber
Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development
Framework (SSDF) to identify, assess, and mitigate software supply chain risks.
The Federal Bureau of Investigation (FBI), Department of Homeland Security, and CISA have
released a Joint Cyber Security Advisory (CSA) addressing Foreign Intelligence Service cyber
actors also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and
Yttrium continued targeting of U.S and foreign entities. The Foreign Intelligence Service
activity which includes the recent SolarWinds Orion supply chain compromise primarily
targets government networks, think tank and policy analysis organisations, and information
technology companies and seeks to gather intelligence information.
AnySupport (Remote support solution) before 2019.3.21.0 allows directory traversing because
of swprintf function to copy file from a management PC to a client PC, which can lead to
arbitary file execution.
CVE ID: CVE-2020-7861 (Critical)
Multiple vulnerabilities have been discovered in Apple products. A remote attacker can
exploit some of these vulnerabilities to trigger Cross-Site Scripting(XSS), Denial of
Service(DoS) condition, the elevation of privilege, remote code execution, sensitive
information disclosure, data manipulation and security restriction bypass on the targeted
system. Apple has released security updates for these vulnerabilities.
It has been discovered that File Roller-archive manager for GNOME is incorrectly handling
symlinks. An attacker can possibly use this issue to expose sensitive information.
CVE ID: CVE-2020-36314(Low)
Multiple vulnerabilities have been discovered in Firefox. If a user is tricked into opening
a specially crafted website, an attacker can potentially exploit these to cause a Denial of
Service, spoof the browser UI, bypass security restrictions, trick the user into disclosing
confidential information, or execute arbitrary code.
It has been discovered that the REXML gem bundled with Ruby incorrectly parsed and
serialized XML documents. A remote attacker can possibly use this issue to perform an XML
round-trip attack.
CVE ID: CVE-2021-28965
It has been discovered that OpenDMARC, a milter implementation of DMARC, has improper null
termination in the function opendmarc_xml_parse that can result in a one-byte heap overflow
in opendmarc_xml when parsing a specially crafted DMARC aggregate report. This can cause
remote memory corruption when a '\0' byte overwrites the heap metadata of the next chunk and
its PREV_INUSE flag. For Debian 9 stretch, this problem has been fixed in version
1.3.2-2+deb9u3. It is recommended to upgrade the opendmarc packages.
CVE ID: CVE-2020-12460(Critical)
Multiple vulnerabilities have been discovered in plugins for the GStreamer media framework,
which may result in Denial of Service or potentially the execution of arbitrary code if a
malformed media file is opened.
CVE ID: CVE-2021-3497
A Command Injection vulnerability has been discovered in Tenda G0,G1 and G3 routers. A
remote attacker can execute arbitrary OS commands via a crafted request.
CVE ID: CVE-2021-27692 (Critical) CVE-2021-27691 (Critical)
Multiple exploitable SQL injection vulnerabilities exists in ‘getAssets.jsp’ page of
OpenClinic GA 5.173.3. A specially crafted HTTP request can lead to SQL injection. An
attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE ID: CVE-2020-27240(Critical), CVE-2020-27241 (Critical)
A vulnerability has been discovered in Helpcom which can allow an unauthenticated attacker
to execute arbitrary command. This vulnerability exists due to insufficient authentication
validation.
CVE ID: CVE-2020-7856 (Critical)
Multiple vulnerabilities have been discovered in Microsoft Edge, a remote attacker can
exploit some of these vulnerabilities to trigger Denial of Service, remote code execution
and security restriction bypass on the targeted system.
A vulnerability has been discovered in pjproject, a set of libraries for the PJ Project. Due
to bad handling of two consecutive crafted answers to an INVITE, the attacker is able to
crash the server resulting in a Denial of Service. It is recommended to upgrade the
pjproject packages.
CVE ID: CVE-2021-21375(Medium)
Multiple vulnerabilities have been discovered in libspring-java, a modular Java/J2EE
application framework. An attacker may execute code, perform XST attack, issue unauthorized
cross-domain requests or cause a DoS (Denial-of-Service) in specific configurations.
CVE ID: CVE-2018-1270(Critical), CVE-2018-11039(Medium), CVE-2018-11040(Medium),
CVE-2018-15756(High)
Multiple vulnerabilities have been discovered in the Mozilla Firefox web browser, which can
potentially result in the execution of arbitrary code, information disclosure, privilege
escalation or spoofing. It is recommended to upgrade the firefox-esr packages.
Multiple vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in
bypass of sandbox restrictions. It is recommended to upgrade the openjdk-8 packages.
CVE ID: CVE-2021-2161(Medium), CVE-2021-2163(Medium)
An improper authorization vulnerability has been discovered in QNAP NAS running HBS 3 Hybrid
Backup Sync. The vulnerability allows remote attackers to log in to a device.
CVE ID: CVE-2021-28799 (Critical)
A critical unauthenticated remote code execution vulnerability has been found in all recent
versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0.
CVE ID: CVE-2021-27850(critical)
A heap-based buffer overflow vulnerability exists in the configuration server functionality
of the Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0.An attacker can trigger Remote Code
Execution (RCE) vulnerability by sending a specially crafted JSON object.
CVE ID: CVE-2020-28592 (Critical)
A vulnerability has been discovered in Portofino -an open source web development framework.
Portofino before version 5.2.1 do not properly verify the signature of JSON Web Tokens. This
allows forging a valid JWT.
CVE ID: CVE-2021-29451(Critical)
Drupal has released security updates to address a vulnerability affecting Drupal 7, 8.9,
9.0, and 9.1. An attacker can exploit this vulnerability to take control of an affected
system.
CVE ID: CVE-2020-13672
A Remote code Execution (RCE) vulnerability has been discovered in the unofficial
vscode-rpm-spec extension before 0.3.2 for Visual Studio Code.This vulnerability can be
exploited via a crafted workspace configuration.
CVE ID: CVE-2021-31414 (Critical)
An exploitable SQL injection vulnerability has been discovered in assetStatus, code and
nomenclature parameter ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. An attacker can
exploit this to make an authenticated HTTP request to trigger this vulnerability.
CVE ID: CVE-2020-27237 (Critical) CVE-2020-27238 (Critical), CVE-2020-27239
(Critical)
SonicWall has released security updates to address vulnerabilities in SonicWall Email
Security. An attacker may exploit some of these vulnerabilities to take control of an
affected system.
CVE ID: CVE-2021-20021 (Critical), CVE-2021-20022 (High), CVE-2021-20023 (Medium)
Oracle has released its Critical Patch Update for April 2021 to address 384 vulnerabilities
across multiple products. A remote attacker can exploit some of these vulnerabilities to
take control of an affected system.
An authentication bypass vulnerability has been reported in Pulse Connect Secure 9.0R3/9.1R1
and higher. This vulnerability exposed by the Windows File Share Browser and Pulse Secure
Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to
perform remote arbitrary code execution on the Pulse Connect Secure gateway.
CVE ID: CVE-2021-22893 (Critical)
It has been discovered that LightCMS v1.3.5 contains a remote code execution vulnerability
in /app/Http/Controllers/Admin/NEditorController.php during the downloading of external
images.
CVE ID: CVE-2021-27112 (Critical)
A SQL Injection vulnerability exists in Tribalsystems Zenario CMS 8.8.52729 which allows
remote attackers to access the database or delete the plugin.
CVE ID: CVE-2021-26830 (Critical)
Multiple vulnerabilities such as Out of bound write due to lazy initialization,
Use-after-free in Responsive Design Mode, Arbitrary FTP command execution on FTP servers
using an encoded URL have been fixed in Firefox 78.10.
CVE ID: CVE-2021-29946, CVE-2021-29945, CVE-2021-24002, CVE-2021-23999,
CVE-2021-23998, CVE-2021-23995, CVE-2021-23994, CVE-2021-23961(High)
A privilege escalation vulnerability has been discovered in VMware NSX-T. Successful
exploitation of this vulnerabilty may allow attackers with local guest user account to
assign privileges higher than their own permission level. Updates are available to fix this
issue.
CVE ID: CVE-2021-21981 (High)
A vulnerability has been discovered in mariadb:10.3 and mariadb-devel:10.3 modules. A
writable system variables allows a database user with SUPER privilege to execute arbitrary
code as the system mysql user. Security updates are available.
CVE ID: CVE-2021-27928(High)
A vulnerability has been discovered in OpenSLP-Service Location Protocol library due to
improper validation of URLs. A remote attacker can use this vulnerability to cause OpenSLP
to crash or possibly execute arbitrary code.
CVE ID: CVE-2019-5544(Critical)
It has been discovered that WebSphere Application Server is vulnerable to an XML External
Entity (XXE) Injection vulnerability. A remote attacker can exploit this vulnerability to
expose sensitive information or consume memory resources.The affected products are IBM
WebSphere Application Server 8.0, 8.5, and 9.0
CVE ID: CVE-2021-20453(High)
A command injection vulnerability has been discovered in IBM Resilient SOAR v8.0 which can
allow a privileged user to inject malicious scripts that can be executed as another user.
The updates to prevent this issue are available.
CVE ID: CVE-2021-20527(High)
An SQL injection vulnerability has been discovered in QNAP NAS running Multimedia Console or
the Media Streaming add-on. Successful exploitation of this vulnerability will allow remote
attackers to obtain application information. It is recommanded to update Multimedia Console
or the Media Streaming add-on to the latest version.
CVE ID: CVE-2020-36195 (Critical)
A command injection vulnerability has been discovered in QTS and QuTS hero. An attacker can
exploit this vulnerability to execute arbitrary commands in a compromised application. It is
recommended to update affect QTS and QuTS hero to the latest version.
CVE ID: CVE-2020-2509 (Critical)
A vulnerability has been discovered in Ethernet management interface of Juniper Networks
Junos OS which allows an attacker to trigger a kernel panic, leading to a denial of service
(DoS). This vulnerability affects Junos OS 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1,
19.2, 19.3, 19.4. The updates are available.
CVE ID: CVE-2021-0258 (Medium)
Multiple vulnerabilities such as incorrect conversion between numeric types, out-of-bounds
read and reachable assertion have been discovered in EIPStackGroup OpENer Ethernet/IP.
Successful exploitation of these vulnerabilities can cause a denial-of-service (DoS)
condition and data exposure.
CVE ID: CVE-2021-27500, CVE-2021-27498, CVE-2021-27482, CVE-2021-27478
A Race Condition vulnerability has been discovered in the firewall process of Juniper
Networks Junos OS which allows an attacker to bypass the firewall rule sets applied to the
input loopback filter on any interfaces of a device. This vulnerability affects Junos OS
14.1, 14.1X53, 15.1, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4,
19.1, 19.2 . Affected platforms are PTX and QFX Series. The updates are available.
CVE ID: CVE-2021-0247(Medium)
A XChangeFeedbackControl Integer Underflow Privilege Escalation vulnerability has been
discovered in xorg-x11-server. An update for xorg-x11-server is available.
CVE ID: CVE-2021-3472
Multiple vulnerabilities have been discovered in the Link Layer Discovery Protocol (LLDP)
implementation for CISCO Small Business RV Series Routers. An unauthenticated, adjacent
attacker can exploit these vulnerabilities to execute arbitrary code or cause an affected
router to leak system memory or reload which eventually may cause a Denial of Service (DoS)
condition on an affected device. The updates for these vulnerabilities are available.
CVE ID: CVE-2021-1251(High), CVE-2021-1308 (High), CVE-2021-1309 (High)
Multiple Domain Name System (DNS) implementation vulnerabilities have been discovered in
four popular TCP/IP network stacks. Forescout Research Labs, partnering with JSOF Research,
disclosed a set of Domain Name System (DNS) vulnerabilities that have the potential to cause
either Denial of Service (DoS) or Remote Code Execution (RCE), allowing attackers to take
targeted devices offline or to gain control over them. The following stacks are affected
FreeBSD version 12.1,Nucleus NET version 4.3,NetX version 6.0.1 and IPnet version VxWorks
6.6. The updates have been released.
Security update has been released for gnutls and nettle, for Red Hat Enterprise Linux 8
which fixes Out of bounds memory access in signature verification.
CVE ID: CVE-2021-20305 (High)
Security update has been released for Red Hat JBoss Web Server 3.1, for RHEL 7 and Windows
which fix NULL pointer dereference in signature_algorithms processing and CA certificate
check bypass with X509_V_FLAG_X509_STRICT vulnerabilities.
CVE ID: CVE-2021-3449 (Medium), CVE-2021-3450(High)
Security update has been released for Red Hat JBoss Core Services Apache HTTP Server 2.4.37
SP7 which fix NULL pointer dereference in signature_algorithms processing and CA certificate
check bypass with X509_V_FLAG_X509_STRICT vulnerabilities.
CVE ID: CVE-2021-3449 (Medium), CVE-2021-3450(High)
Multiple vulnerabilities have been discovered in Mozilla Thunderbird-a standalone mail and
newsgroup client. An update for thunderbird is now available for Red Hat Enterprise Linux
8.2 Extended Update Support.
CVE ID: CVE-2021-23991, CVE-2021-23992, CVE-2021-23993
Security update has been released for libldb, for Red Hat Enterprise Linux 8 that fixes Out
of bounds read in AD DC LDAP server.
CVE ID: CVE-2021-20277
Stack-based buffer overflow vulnerabilities have been discovered in QNAP NAS devices running
Surveillance Station. If exploited, these vulnerabilities allows attackers to execute
arbitrary code.
CVE ID: CVE-2020-2501 (Critical), CVE-2021-28797 (Critical)
GitLab releasing updated versions 13.10.3, 13.9.6, and 13.8.8 for GitLab Community Edition
(CE) and Enterprise Edition (EE). These versions contain important security fixes.
Cybersecurity and Infrastructure Security Agency (CISA) partners have observed active
exploitation of vulnerabilities in Microsoft Exchange Server products. Successful
exploitation of these vulnerabilities allows an unauthenticated attacker to execute
arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent
system access, as well as access to files and mailboxes on the server and to credentials
stored on that system.
CVE ID: CVE-2021-26855 (Critical) CVE-2021-26857 (High), CVE-2021-26858 (High),
CVE-2021-27065 (High)
A vulnerability has been discovered in MDaemon before 20.0.4. An attacker with
administrative privilege can use remote administration to exploit an arbitrary File Write
vulnerability by creating new files or modifying existing files in any location of the
filesystem.
CVE ID: CVE-2021-27183
A Vulnerability has been discovered in underscore-Javascript’s functional programming helper
library if incorrectly handled certain inputs an attacker can possibly use this issue to
inject arbitrary code.
CVE ID: CVE-2021-23358 (High)
A Vulnerability has been discovered in NetworkManager if incorrectly handled certain
profiles, a local attacker can possibly use this issue to cause NetworkManager to crash,
resulting in a Denial of Service(DoS).
CVE ID: CVE-2021-20297
Security update has been released for clamav that fixes Excel XLM parser infinite loop, PDF
parser buffer over-read, possible crash and mail parser NULL-dereference crash.
CVE ID: CVE-2021-1252 (High), CVE-2021-1404 (High), CVE-2021-1405 (High)
Security updates have been released for Mendix that fix a vulnerability in Mendix
Applications allowing malicious authorized users to escalate their privileges.
CVE ID: CVE-2021-27394 (High)
Multiple Vulnerabilities have been discovered in OpenSSL Affecting Cisco Products that could
allow an attacker to use a valid non-certificate authority (CA) certificate to act as a CA
and sign a certificate for an arbitrary organisation, user or device, or to cause a Denial
of Service (DoS) condition.
CVE ID: CVE-2021-3449 (High), CVE-2021-3450 (High)
A vulnerability has been discovered in the Inter Process Communication (IPC) channel of
Cisco AnyConnect Secure Mobility Client which can allow an authenticated local attacker to
cause a Denial of Service (DoS) condition on an affected device.
CVE ID: CVE-2021-1450 (Medium)
Google has updated the stable channel for Chrome to 89.0.4389.128 for Windows, Mac, and
Linux. This version addresses vulnerabilities that an attacker can exploit to take control
of an affected system.
CVE ID: CVE-2021-21206 (High), CVE-2021-21220 (High)
SAP has released security updates to address multiple critical vulnerabilities affecting
several products. An attacker can exploit some of these vulnerabilities to take control of
an affected system.
Adobe has released security updates to address multiple vulnerabilities in multiple Adobe
products. An attacker can exploit these vulnerabilities to take control of an affected
system.
A vulnerability has been discovered in Win32k which can allow a local attacker to obtain
elevated privileges on the targeted system.
CVE ID: CVE-2021-28310 (High)
Microsoft's April 2021 Security Update mitigates significant vulnerabilities affecting
on-premises Exchange Server 2013, 2016, and 2019. An attacker can exploit these
vulnerabilities to gain access and maintain persistence on the target host.
SQL Injection vulnerability has been discovered in PHP-Nuke, in the User Registration
section, leading to Remote Code Execution(RCE). The affected version is PHP-Nuke 8.3.3.
CVE ID: CVE-2021-30177 (Critical)
A vulnerability has been discovered in libpano-build panoramic images from a set of
overlapping images. A format string vulnerability in panoFileOutputNamesCreate() in
libpano13 2.9.20~rc2+dfsg-3 and earlier can lead to read and write arbitrary memory values.
It is recommended to upgrade the libpano13 packages.
CVE ID: CVE-2021-20307 (Critical)
A vulnerability has been discovered in the id-map crate for Rust. A double free can occur in
remove_set upon a panic in a Drop impl.
CVE ID: CVE-2021-30457 (Critical)
It has been discovered that kramdown, a pure Ruby Markdown parser and converter, performed
insufficient namespace validation of Rouge syntax highlighting formatters. It is recommended
to upgrade the ruby-kramdown packages.
CVE ID: CVE-2021-28834 (Critical)
It has been discovered that when using ConfigurableInternodeAuthHadoopPlugin for
authentication, Apache Solr will forward/proxy distributed requests using server credentials
instead of original client credentials. This will result in incorrect authorization
resolution on the receiving hosts. The affected versions are Apache Solr versions prior to
8.8.2.
CVE ID: CVE-2021-29943
It has been discovered that when starting Apache Solr, configured with the SaslZkACLProvider
or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the
optional read-only user is configured then Solr will not treat that node as a sensitive path
and will allow it to be readable. The affected versions are Apache Solr versions prior to
8.8.2.
CVE ID: CVE-2021-29262
It has been discovered that the ReplicationHandler has a "masterUrl" parameter that is used
to designate another ReplicationHandler on another Solr core to replicate index data into
the local core. To prevent a Server-Side Request Forgery (SSRF) vulnerability, Solr ought to
check these parameters against a similar configuration it uses for the "shards" parameter.
The affected versions are Apache Solr versions prior to 8.8.2.
CVE ID: CVE-2021-27905
It has been discovered that the DBusServer in libdbus, as used in dbus-daemon, leaks file
descriptors when a message exceeds the per-message file descriptor limit. A local attacker
can cause a Denial-of-Service (DoS) attack or threaten the availability of the system. The
affected versions are dbus >= 1.3.0 before 1.12.18.
CVE ID: CVE-2020-12049 (Medium)
It has been discovered that the unofficial GLSL Linting extension for Visual Studio Code
allows remote code execution vulnerability via a crafted glslangValidatorPath in the
workspace configuration. The affected versions are GLSL Linting extension before 1.4.0.
CVE ID: CVE-2021-30503
A vulnerability has been discovered in the HTML editor of Slab Quill, which allows an
attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart
attribute of an IMG element) in a text field. The affected version is Slab Quill 4.8.0.
CVE ID: CVE-2021-3163
An improper input validation vulnerability has been discovered in CA Privileged Access
Manager 2.4.4.4 and earlier which allows remote attackers to execute arbitrary commands.
CVE ID: CVE-2015-4664 (Critical)
An improper authentication vulnerability has been discovered in CA Privileged Access Manager
3.x Web-UI jk-manager and jk-status which allows a remote attacker to gain sensitive
information or alter configuration.
CVE ID: CVE-2019-7392 (Critical)
A out-of-bounds read vulnerability has been discovered QTI’s proprietary code while
accessing DTMF payload due to lack of check of buffer length before copying in Snapdragon
Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon
Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music and
Snapdragon Wearables.
CVE ID: CVE-2020-11251 (Critical)
A stored XSS vulnerability has been found in Web-School ERP V 5.0 via (Add Events) in the
event name and description fields. An attack can inject a JavaScript code that will be
stored in the page. If any visitor sees the events, then the payload will be executed.
CVE ID: CVE-2021-30111 (Medium)
It has been discovered that in the standard library in Rust-Programming Language, the Zip
implementation can report an incorrect size due to an integer overflow. This flaw can lead
to a buffer overflow vulnerability when a consumed Zip iterator is used again. The affected
versions are Rust before 1.52.0.
CVE ID: CVE-2021-28879
A vulnerability has been discovered in libezxml.a of ezXML. The function
ezxml_internal_dtd(), while parsing a crafted XML file, performs incorrect memory handling,
leading to a NULL pointer dereference while running strcmp() on a NULL pointer. The affected
version is ezXML 0.8.6.
CVE ID: CVE-2021-30485
A type confusion issue has been addressed with improved state handling. This issue has been
fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001
Mojave, tvOS 14.4, watchOS 7.3, iOS 14.4 and iPadOS 14.4, Safari 14.0.3. Processing
maliciously crafted web content may lead to arbitrary code execution.
CVE ID: CVE-2021-1789 (High)
A use after free issue has been addressed with improved memory management. This issue has
been fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 14.2 and iPadOS 14.2, iCloud for
Windows 11.5, Safari 14.0.1, tvOS 14.2, iTunes 12.11 for Windows. Processing maliciously
crafted web content may lead to arbitrary code execution.
CVE ID: CVE-2020-27918 (High)
A command execution vulnerability has been discovered in SonicWall GMS which allows a remote
unauthenticated attacker to locally escalate privilege to root. The affected versions are
SonicWall GMS 9.3 and earlier versions.
CVE ID: CVE-2021-20020 (Critical)
Multiple vulnerabilities such as infinite loop while processing transmit descriptors, stack
overflow, integer overflow, and out-of-bounds read/write have been discovered in Quick EMU
(QEMU), a fast processor emulator. It is recommended to upgrade the QEMU packages.
CVE ID: CVE-2021-20257, CVE-2021-20255 (Medium), CVE-2021-20203 (Low), CVE-2021-3416
(Medium)
Multiple vulnerabilities have been discovered in MediaWiki, a website engine for
collaborative work, which can result in incomplete page/blocking protection, Denial of
Service or cross-site scripting. It is recommended to upgrade the mediawiki packages.
Multiple vulnerabilities such as Denial of Service, privilege escalation or memory
disclosure have been discovered in the Xen hypervisor-which allow multiple computer
operating systems to execute on the same computer hardware concurrently. It is recommended
to upgrade the xen packages.
CVE ID: CVE-2021-26933 (Medium), CVE-2021-27379 (High)
It has been discovered that RIOT-OS contains a buffer overflow vulnerability in
/sys/net/gnrc/routing/rpl/gnrc_rpl_control_messages.c through the _parse_options() function.
The affected version is RIOT-OS 2021.0.
CVE ID: CVE-2021-27698
A vulnerability has been discovered in BIG-IP products. The BIG-IP Client or Server SSL
profile ignores revoked certificates, even when a valid CRL is present. This impacts SSL/TLS
connections and may result in a Man-In-The-Middle (MITM)attack on the connections.
CVE ID: CVE-2020-5913 (High)
It has been discovered that lxml- pythonic binding for the libxml2 and libxslt libraries
incorrectly handled certain HTML attributes. A remote attacker can possibly use this issue
to perform Cross-Site Scripting (XSS) attacks.
CVE ID: CVE-2021-28957 (Medium)
A vulnerability has been discovered in Exiv2, a Cross-platform C++ library and a command
line utility to manage image metadata. An improper input validation of the rawData.size
property in Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based buffer
overflow vulnerability via a crafted JPG image containing malicious EXIF data. The affected
versions are Exiv2 0.27.4-RC1 and prior.
CVE ID: CVE-2021-3482
It has been discovered that Forcepoint Web Security Content Gateway improperly process XML
input, leading to information disclosure vulnerability. The affected versions are Forcepoint
Web Security Content Gateway versions prior to 8.5.4.
CVE ID: CVE-2020-6590
It has been discovered that Apache MyFaces is vulnerable to Cross-Site Request Forgery
(CSRF) caused by improper validation of user-supplied input. By persuading an authenticated
user to visit a malicious web site, a remote attacker can send a malformed HTTP request to
perform unauthorized actions. An attacker can exploit this vulnerability to perform
cross-site scripting attacks, web cache poisoning, and other malicious activities.
CVE ID: CVE-2021-26296 (High)
Multiple vulnerabilities have been discovered in Thunderbird. An attacker can exploit some
of these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-23993, CVE-2021-23991
It has been discovered that Squirro Insights Engine is affected by a Reflected Cross-Site
Scripting (XSS) vulnerability. An attacker can exploit this vulnerability to inject
malicious JavaScript code into the application, which can execute within the browser of any
user who views the relevant application content. The affected versions are Squirro Insights
Engine 2.0.0 upto and including 3.2.4.
CVE ID: CVE-2021-27945
A vulnerability has been discovered in Realtek rtl8723de BLE Stack that allows remote
attackers to cause a Denial of Service via the interval field to the CONNECT_REQ message.
The affected versions are Realtek rtl8723de BLE Stack <= 4.1.
CVE ID: CVE-2020-23539
A use-after-free vulnerability has been discovered in Lib3MF, a C++ implementation of the 3D
Manufacturing Format, which can result in the execution of arbitrary code if a malformed
file is opened. It is recommended to upgrade the lib3mf packages.
CVE ID: CVE-2021-21772 (High)
An Integer Underflow vulnerability has been discovered in FATEK Automation's Equipment-
WinProladder. Successful exploitation of this vulnerability can cause execution of arbitrary
code.
CVE ID: CVE-2021-2748 (High)
Multiple vulnerabilities have been discovered in Medtronic's Equipment- MyCareLink Monitor,
CareLink Monitor, CareLink 2090 Programmer, specific Medtronic implanted cardiac devices.
Successful exploitation of these vulnerabilities may allow an attacker with adjacent
short-range access to one of the affected products to interfere with, generate, modify, or
intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus
telemetry system, potentially impacting product functionality and/or allowing access to
transmitted sensitive data.
CVE ID: CVE-2019-6538 (Critical), CVE-2019-6540 (Medium)
It has been discovered that Nessus Agent leverages third-party software components (OpenSSL
and sqlite) are found to contain vulnerabilities. The updated versions have been made
available.
CVE ID: CVE-2019-16168 (Medium), CVE-2021-3450 (High)
Attackers are leveraging collaboration platforms, such as Discord and Slack which enable
adversaries to conduct campaigns using legitimate infrastructure that may not be blocked in
many network environments for the exfiltration of sensitive information and the transmission
of information from infected systems.
A vulnerability due to improper validation of user-supplied input in the web-based
management interface has been discovered in Cisco Small Business RV110W, RV130, RV130W, and
RV215W routers which allow an unauthenticated, remote attacker to execute arbitrary code on
an affected device.
CVE ID: CVE-2021-1459 (Critical, 9.8)
Multiple vunerabilities have been discovered in Red Hat 3scale API Management Platform. The
affected products are Red Hat 3scale API Management Platform 2 for RHEL 8 x86_64 & Red
Hat 3scale API Management Platform 2 for RHEL 7 x86_64. A security update for Red Hat 3scale
API Management Platform is now available
CVE ID: CVE-2020-9283 (High), CVE-2020-14040(High)
A vulnerability has been discovered in wpa_supplicant and hostapd 2.9, where forging attacks
may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and
tls/x509v3.c
CVE ID: CVE-2021-30004 (Medium)
A vulnerability has been discovered in Google Chrome. The data race in audio in Google
Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap
corruption via a crafted HTML page.
CVE ID: CVE-2021-21166 (High)
Technical details and a proof of concept have been released for denial of service
vulnerability (CVE-2021-24086) affecting IPv6 stacks in all supported versions of the
Windows operating system.
CVE ID: CVE-2021-24086 (High)
Android has released security bulletin containing details of multiple security
vulnerabilities affecting Android devices. The security patch levels of 2021-04-05 or later
address all of these issues have been released.
It has been discovered that in jsrsasign package for Node.js some invalid RSA PKCS#1 v1.5
signatures are mistakenly recognized to be valid. The affected versions are jsrsasign
package through 10.1.1.
CVE ID: CVE-2021-30246
Privilege Escalation vulnerability has been discovered in LiteSpeed Technologies
OpenLiteSpeed web server which allows attackers to gain root terminal access and execute
commands on the host system. The affected version is LiteSpeed Technologies OpenLiteSpeed
web server version 1.7.8.
CVE ID: CVE-2021-26758
Multiple vulnerabilities have been discovered in Jenkins core. An attacker may exploit some
of these vulnerabilities to take control of an affected system.
It has been discovered that IBM WebSphere Application Server is vulnerable to Server-Side
Request Forgery (SSRF). By sending a specially crafted request, a remote authenticated
attacker can exploit this vulnerability to obtain sensitive data. The affected versions are
WebSphere Application Server 7.0, 8.0, and 8.5.
CVE ID: CVE-2021-20480 (Medium)
The advanced virtualization module provides the user-space component for running virtual
machines that use KVM in environments managed by Red Hat products. An out-of-bound heap
buffer access via an interrupt ID field vulnerability has been discovered in qemu. An update
for the virt:8.3 and virt-devel:8.3 modules is now available for Advanced Virtualization for
RHEL 8.3.1.
CVE ID: CVE-2021-20221
Cisco has released security updates to address vulnerabilities in multiple Cisco products.
An attacker may exploit some of these vulnerabilities to take control of an affected system.
It has been discovered that Directus allows remote authenticated users to execute arbitrary
code because file-upload permissions include the ability to upload a .php file to the main
upload directory and/or upload a .php file and a .htaccess file to a subdirectory.
Exploitation succeeds only for certain installations with the Apache HTTP Server and the
local-storage driver. The affected versions are Directus 8 before 8.8.2.
CVE ID: CVE-2021-29641
Improper Input Validation vulnerability has been discovered in Hitachi ABB Power Grids'
Equipment- Relion 670, 650, and SAM600-IO; REB500; RTU500; FOX615 (TEGO1); MSM; GMS600;
PWC600. Successful exploitation of this vulnerability can reboot the device regularly,
resulting in a Denial-of-Service condition. During the reboot phase, the primary
functionality of the device is not available.
CVE ID: CVE-2021-30654
Improper Input Validation vulnerability has been discovered in Hitachi ABB Power Grids'
Equipment- Relion 670, 650, and SAM600-IO; REB500; RTU500; FOX615 (TEGO1); MSM; GMS600;
PWC600. Successful exploitation of this vulnerability can reboot the device regularly,
resulting in a Denial-of-Service condition. During the reboot phase, the primary
functionality of the device is not available.
CVE ID: CVE-2021-27196 (High)
It has been discovered that a specific function in ASUS BMC’s firmware Web management page
(Generate SSL certificate function) does not verify the string length entered by users,
resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote
attackers can use the leakage to abnormally terminate the Web service.
CVE ID: CVE-2021-28196
A cross-site scripting (XSS) vulnerability has been discovered in python-bleach, a
whitelist-based HTML sanitisation library. It is recommended to upgrade the python-bleach
packages.
CVE ID: CVE-2021-23980
It has been discovered that DMA Softlab Radius Manager allows Cross-Site Request Forgery
(CSRF) with impacts such as adding new manager accounts via admin.php. The affected version
is DMA Softlab Radius Manager 4.4.0.
CVE ID: CVE-2021-30147
It has been discovered that Ruby-Rack, modular Ruby webserver interface incorrectly handled
certain paths, and validated cookies. An attacker can possibly use this issue to obtain
sensitive information or forge a secure cookie.
CVE ID: CVE-2020-8161 (High), CVE-2020-8184 (High)
A vulnerability has been discovered in the Linux kernel. The synic_get in
arch/x86/kvm/hyperv.c has a NULL pointer dereference for certain accesses to the SynIC
Hyper-V context, aka CID-919f4ebc5987. The affected versions are Linux kernel through
5.11.11.
CVE ID: CVE-2021-30178
It has been discovered that Django, high-level python web development framework incorrectly
handled certain filenames. A remote attacker can possibly use this vulnerability to create
or overwrite files in unexpected directories.
CVE ID: CVE-2021-28658
It has been discovered that Proofpoint Insider Threat Management Server (formerly ObserveIT
Server) is missing an authorization check on several pages in the Web Console. This enables
a view-only user to change any configuration setting and delete any registered agents. All
versions before 7.11.1 are affected.
CVE ID: CVE-2021-27900 (High)
It has been discovered that a malicious 3rd party with local access to the Windows machine
where MongoDB Compass is installed can execute arbitrary software with the privileges of the
user who is running MongoDB Compass. The affected versions are MongoDB Compass 1.x version
1.3.0 on Windows and later versions; 1.x versions prior to 1.25.0 on Windows.
CVE ID: CVE-2021-20334 (Medium)
It has been discovered that Union Pay, for iOS mobile apps, contains an Improper
Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in
merchants' websites and mobile apps, via a crafted authentication code (MAC) which is
generated based on a secret key which is NULL. The affected versions are Union Pay up to
3.3.12.
CVE ID: CVE-2020-36285
It has been discovered that SAP systems running outdated or misconfigured software are
exposed to increased risks of malicious attacks. An alert has been released detailing
observed threat actor activity and techniques which can lead to full control of unsecured
SAP applications.
The 389 Directory Server is an Lightweight Directory Access Protocol (LDAP) version 3
(LDAPv3) compliant server. An information disclosure vulnerability during the binding of a
DN has been discovered in 389-ds-base. An update for the 389-ds:1.4 module is now available
for Red Hat Enterprise Linux 8.
CVE ID: CVE-2020-35518 (Medium)
Multiple vulnerabilities such as out-of-bounds read, and heap buffer overflow have been
discovered in kernel. An update for kpatch-patch is now available for Red Hat Enterprise
Linux 7.
CVE ID: CVE-2021-27364 (High), CVE-2021-27365 (High)
A stack-based buffer overflow vulnerability has been discovered in the HTTPD daemon of
FortiProxy which can allow an authenticated remote attacker to crash the service by sending
a malformed PUT request to the server. The affected versions are FortiProxy versions 2.0.1
and below, FortiProxy versions 1.2.9 and below, FortiProxy versions 1.1.x and 1.0.x.
CVE ID: CVE-2019-17656 (Medium)
An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat
Enterprise Linux 8. Kernel-based Virtual Machine (KVM) offers a full virtualization solution
for Linux on numerous hardware platforms. The virt:rhel module contains packages which
provide user-space components used to run virtual machines using KVM. The packages also
provide APIs for managing and interacting with the virtualized systems.
CVE ID: CVE-2021-20295
RedHat OpenShift Container Platform release 4.7.5 is now available with updates to packages
and images that fix several bugs and add enhancements.
CVE ID: CVE-2021-3121 (High), CVE-2021-20206 (High)
The Python3.5 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and
urllib.parse.parse_qs by using a vector called parameter cloaking. It also has a buffer
overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in
certain Python applications that accept floating-point numbers as untrusted input. Running
`pydoc -p` allows other local users to extract arbitrary files. The `/getfile?key=path` URL
allows to read arbitrary file on the filesystem.
CVE ID: CVE-2021-3177 (Critical), CVE-2021-3426, CVE-2021-23336 (Medium)
Multiple vulnerabilities have been discovered in smarty3, a template engine for PHP. It is
recommended to upgrade the smarty3 packages.
CVE ID: CVE-2018-13982 (High), CVE-2021-26119 (High), CVE-2021-26120 (Critical)
It has been discovered that Nessus contain a privilege escalation vulnerability which can
allow a Nessus administrator user to upload a specially crafted file that can lead to
gaining administrator privileges on the Nessus host. The affected versions are Nessus
versions 8.13.2 and earlier.
CVE ID: CVE-2021-20077 (Medium)
An integer overflow vulnerability has been discovered in the htmldoc, convert HTML files to
PDF or PostScript which can allow attackers to execute arbitrary code and cause a Denial of
Service. The affected versions are htmldoc 1.9.11 and before.
CVE ID: CVE-2021-20308
It has been discovered in Nettle that several Nettle signature verification functions (GOST
DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply
function being called with out-of-range scalers, possibly resulting in incorrect results.
This vulnerability allows an attacker to force an invalid signature, causing an assertion
failure or possible validation. The affected versions are Nettle versions prior 3.7.2.
CVE ID: CVE-2021-20305
It has been discovered that Module/Settings/UserExport.php in Friendica allows
settings/userexport to be used by anonymous users, as demonstrated by an attempted access to
an array offset on a value of type null and excessive memory consumption. The affected
versions are Friendica through 2021.01.
CVE ID: CVE-2021-30141
It has been discovered that WordPress Related Posts plugin contains an authenticated
(admin+) stored XSS vulnerability in the title field on the settings page. By exploiting
this vulnerability an attacker can execute JavaScript code in the user's browser.
CVE ID: CVE-2021-24211
It has been discovered that an information disclosure vulnerability in FortiWeb's Web
Vulnerability Scan profile can allow a remote authenticated attacker to read the password
used by the FortiWeb scanner to access the device defined in the scan profile. The affected
versions are FortiWeb version 6.2.3 and below, and FortiWeb version 6.3.4 and below.
CVE ID: CVE-2020-15942 (Medium)
It has been discovered that php-nette, a PHP MVC framework, is vulnerable to a code
injection attack by passing specially formed parameters to URL that can possibly lead to
Remote Code Execution(RCE). It is recommended to upgrade the php-nette packages.
CVE ID: CVE-2020-15227(Critical)
It has been discovered that because of a incorrect escaped exec command in MagpieRSS
/extlib/Snoopy.class.inc file, it is possible to add a extra command to the curl binary.
This creates a vulnerability in the /scripts/magpie_debug.php and /scripts/magpie_simple.php
page which if user sends a specific https url to the RSS URL field, user is able to execute
arbitrary commands. The affected version is MagpieRSS 0.72.
CVE ID: CVE-2021-28940 (Critical)
Multiple vulnerabilities such as use-after-free, heap corruption, and out-of-bounds read
have been discovered in ldb, a LDAP-like embedded database built on top of TDB. It is
recommended to upgrade the ldb packages.
CVE ID: CVE-2020-10730 (Medium), CVE-2020-27840, CVE-2021-20277
It has been discovered that Advanced Persistent Threat (APT) actors are actively exploiting
known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
The APT actors are using any or all of these CVEs to gain access to networks across multiple
critical infrastructure sectors to gain access to key networks as pre-positioning for
follow-on data exfiltration or data encryption attacks.
CVE ID: CVE-2018-13379 (Critical), CVE-2020-12812 (Critical), CVE-2019-5591 (High)
It has been discovered that docsify-generates documentation website on the fly is affected
by Cross Site Scripting (XSS) vulnerability because the search component does not
appropriately encode Code Blocks and mishandles the " character. The affected versions are
docsify 4.12.1.
CVE ID: CVE-2021-30074
It has been discovered that Lightmeter ControlCenter allows anyone who knows the URL of a
publicly available Lightmeter instance to access application settings, possibly including an
SMTP password and a Slack access token, via a settings HTTP query. The affected versions are
Lightmeter ControlCenter 1.1.0 through 1.5.x before 1.5.1.
CVE ID: CVE-2021-30126
A vulnerability has been discovered in prog.cgi of D-Link devices. Because strcat is
misused, there is a stack-based buffer overflow vulnerability that does not require
authentication. The affected versions are D-Link DIR-878 1.30B08.
CVE ID: CVE-2021-30072
It has been discovered that improper input validation of octal strings in netmask npm
package allows unauthenticated remote attackers to perform indeterminate Server-Side Request
Forgery (SSRF), Remote File Inclusion (RFI), and Local File Inclusion (LFI) attacks on many
of the dependent packages. A remote unauthenticated attacker can bypass packages relying on
netmask to filter IPs and reach critical VPN or LAN hosts. The affected versions are netmask
npm package v1.0.6 and below.
CVE ID: CVE-2021-28918
It has been discovered that an URL on the administrative interface of the VMware Carbon
Black Cloud Workload appliance can be manipulated to bypass authentication. The affected
versions are VMware Carbon Black Cloud Workload appliance 1.0.1 and prior.
CVE ID: CVE-2021-21982 (Critical)
Multiple vulnerabilities such as OS command injection, deserialization of untrusted data,
SQL injection, and improperly restricted functions have been discovered in Rockwell
Automation's Equipment- FactoryTalk AssetCentre. Successful exploitation of these
vulnerabilities can allow unauthenticated attackers to perform arbitrary command execution,
SQL injection, or Remote Code Execution(RCE).
It has been discovered that EikiSoft Archive collectively operation utility contains a
directory traversal vulnerability due to a flaw in the processing of the filenames when
extracting from ZIP archives. An attacker by expanding a malicious ZIP archive can create or
overwrite the arbitrary files with the application's privilege. The affected versions are
Archive collectively operation utility Ver.2.10.1.0 and earlier.
CVE ID: CVE-2021-20692 (Low)
A vulnerability has been discovered in the reorder crate for Rust, a multi-paradigm
programming language. The swap_index can return uninitialized values if an iterator returns
a len() that is too large.
CVE ID: CVE-2021-29942
It has been discovered Advanced Persistent Threat (APT) actors are using fake social media
profiles and legitimate-looking websites to lure security researchers into visiting
malicious websites to steal information, including exploits and zero-day vulnerabilities.
It has been discovered that when BIG-IP is running in Appliance mode, the Traffic Management
User Interface (TMUI) has an authenticated remote command execution vulnerability in
undisclosed pages. The affected versions are BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x
before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and
11.6.x before 11.6.5.3.
CVE ID: CVE-2021-22987 (Critical)
It as been discovered that curl does not strip off user credentials from referrer header
fields, and incorrectly handled session tickets when using an HTTPS proxy. A remote attacker
can possibly use these vulnerabilities to obtain sensitive information or bypass certificate
checks and intercept communications.
CVE ID: CVE-2021-22876, CVE-2021-22890
It has been discovered that Dell Wyse ThinOS contains remediation for an improper management
server validation vulnerability that can be potentially exploited to redirect a client to an
attacker-controlled management server, thus allowing the attacker to change the device
configuration or certificate file. The affected version is Dell Wyse ThinOS 8.6 MR9.
CVE ID: CVE-2021-21532 (Medium)
It has been discovered that BTCPay Server mishandles the policy setting in which users can
register (in Server Settings > Policies). This affects Docker use cases in which a mail
server is configured. The affected versions are BTCPay Server before 1.0.7.1.
CVE ID: CVE-2021-29251
GitLab releasing updated versions 13.10.1, 13.9.5, and 13.8.7 for GitLab Community Edition
(CE) and Enterprise Edition (EE). These versions contain important security fixes.
It has been discovered that Mahara, an open-source e-portfolio management system is affected
by Cross Site Request Forgery (CSRF) vulnerability which allows a remote attacker to remove
inbox-mail on the server. The application fails to validate the CSRF token for a POST
request. The affected version is Mahara 20.10.
CVE ID: CVE-2021-29349
Multiple vulnerabilities such as XML External Entity (XXE) attacks and stored Cross-Site
Scripting (XSS) have been discovered in Jenkins products. An attacker can exploit some of
these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-21657 (High), CVE-2021-21658 (Medium), CVE-2021-21659 (High),
CVE-2021-21660 (High)
A remote code injection vulnerability has been discovered in D-link DIR-816 A2 v1.10. A HTTP
request parameter can be used in command string construction in the handler function of the
/goform/dir_setWanWifi, which can lead to command injection via shell metacharacters in the
statuscheckpppoeuser parameter.
CVE ID: CVE-2021-26810 (Critical)
Multiple vulnerabilities have been discovered in Zimbra. It is recommended to use Patch 13
for the Zimbra 9.0.0, and Patch 20 for Zimbra 8.8.15.
CVE ID: CVE-2019-9641 (Critical), CVE-2019-9640 (Critical), CVE-2019-0211 (High),
CVE-2019-0217 (High)
Google has released Chrome version 89.0.4389.114 for Windows, Mac and Linux. This version
addresses vulnerabilities that an attacker can exploit to take control of an affected
system.
Multiple vulnerabilities such as Server Side Request Forgery (SSRF) and arbitrary file write
have been discovered in VMware products. A remote attacker can exploit some of these
vulnerabilities to take control of an affected system. The affected products are VMware
vRealize Operations,VMware Cloud Foundation & vRealize Suite Lifecycle Manager. The
patches and workarounds are available to address these vulnerabilities in impacted VMware
products.
CVE ID: CVE-2021-21975 (High), CVE-2021-21983 (High)
It has been discovered that GistPad allows a crafted workspace folder to change the URL for
the Gist API, which leads to leakage of GitHub access tokens. The affected versions are
GistPad before 0.2.7.
CVE ID: CVE-2021-29642
A security vulnerability in HPE Unified Data Management (UDM) can allow the local disclosure
of privileged information. HPE has provided updates to versions 1.2009.0 and 1.2101.0 of HPE
Unified Data Management (UDM).
CVE ID: CVE-2021-26579
Multiple vulnerabilities have been discovered in Jenkins products. The affected versions are
Build With Parameters Plugin up to and including 1.5, Cloud Statistics Plugin up to and
including 0.26, Extra Columns Plugin up to and including 1.22, Jabber (XMPP) notifier and
control Plugin up to and including 1.41, OWASP Dependency-Track Plugin up to and including
3.1.0,REST List Parameter Plugin up to and including 1.3.0 & Team Foundation Server
Plugin up to and including 5.157.1. All these versions updates are available except Team
Foundation Server Plugin.
Multiple vulnerabilities have been discovered in Citrix Hypervisor which can allow
privileged code in a guest VM to cause the host to crash or become unresponsive. The
affected versions are Citrix Hypervisor up to and including Citrix Hypervisor 8.2 LTSR.
CVE ID: CVE-2021-28038 (Medium), CVE-2021-28688
Multiple vulnerabilities such as session fixation when using FORM authentication and
mishandling of Transfer-Encoding header allows for HTTP request smuggling have been
discovered in tomcat. An update for tomcat is now available for Red Hat Enterprise Linux 7.7
Extended Update Support.
CVE ID: CVE-2019-17563 (High), CVE-2020-1935 (Medium)
It has been discovered that writable system variables allows a database user with SUPER
privilege to execute arbitrary code as the system mysql user in mariadb. An update for
mariadb is now available for Red Hat OpenStack Platform 13 (Queens).
CVE ID: CVE-2021-27928 (High)
Multiple vulnerabilities such as incorrect handling of malformed authority component in
request URLs of apache-httpclient and improper validation of certificate with host mismatch
in SMTP appender of log4j have been discovered in Red Hat Process Automation Manager. An
update is now available for Red Hat Process Automation Manager.
CVE ID: CVE-2020-9488 (Low), CVE-2020-13956 (Medium)
Multiple vulnerabilities such as template injection, potential sensitive information
leakage, path traversal and information disclosure have been discovered in Red Hat build of
Quarkus- a Kubernetes Native Java framework tailored for GraalVM and HotSpot. An update is
now available for Red Hat build of Quarkus.
CVE ID: CVE-2020-25633 (Medium), CVE-2020-25724, CVE-2020-26238 (High),
CVE-2021-20218 (High)
Multiple vulnerabilities have been discovered in the WebKitGTK-Web content engine library
for GTK+ and JavaScript engines. If a user is tricked into viewing a malicious website a
remote attacker can exploit some of these vulnerabilities related to web browser security,
including cross-site scripting attacks, Denial of Service attacks and arbitrary code
execution.
It has been discovered that Squid, Web proxy cache server incorrectly handled certain
content-length headers and incorrectly validated certain input. A remote attacker can
possibly use these vulnerabilities to perform an HTTP request smuggling attack, resulting in
cache poisoning or possibly access services forbidden by the security controls.
CVE ID: CVE-2020-25097 (High), CVE-2020-15049 (High)
A remote execution of arbitrary commands vulnerability has been discovered in many Aruba
Instant Access Point (IAP) products. Aruba has released patches for Aruba Instant which
address this security vulnerability.
CVE ID: CVE-2021-25162
MuleSoft is aware of a Server Side Request Forgery vulnerability affecting certain versions
of a Mule runtime component that may affect both CloudHub and on-premise customers. The
affected versions Mule 3.8.x,3.9.x,4.x runtime.
CVE ID: CVE-2021-1627 (Critical)
Multiple vulnerabilities have been discovered in baserCMS provided by baserCMS Users
Community. The affected products are baserCMS versions prior to 4.4.5. The updates are
available.
CVE ID: CVE-2021-20681 (Medium), CVE-2021-20682 (High), CVE-2021-20683 (Medium)
Apple has released security updates to address vulnerabilities in multiple products. An
attacker can exploit some of these vulnerabilities to take control of an affected device.
Multiple vulnerabilities such as unvalidated redirects and forwards, Cross-Site Scripting
(XSS) and information leak/disclosure have been discovered in McAfee ePolicy Orchestrator
(ePO). The update to the versions ePO 5.10.0 Update 10 & ePO 5.9.1 HF EPO-937000.
CVE ID: CVE-2021-23888 (Medium), CVE-2021-23889 (Low), CVE-2021-23890 (Medium)
Orion Platform 2020.2.5 has released security updates to address vulnerabilities in previous
releases of Orion Platform. An attacker can exploit some of these vulnerabilities to take
control of an affected system.
CVE ID: CVE-2021-3109 (Medium), CVE-2020-35856 (High)
Storage of sensitive data in a mechanism without access control vulnerability has been
discovered in Philips' Equipment- Gemini PET/CT Family. Successful exploitation of this
vulnerability involving removable media can allow access to sensitive information (including
patient information).
CVE ID: CVE-2021-27456 (Low)
Multiple vulnerabilities have been discovered in jquery's handling of untrusted HTML which
may result in the execution of untrusted code. It is recommended to upgrade the jquery
packages.
CVE ID: CVE-2020-11022 (Medium), CVE-2020-11023 (Medium)
Multiple vulnerabilities have been discovered in OpenSSL. The affected versions are OpenSSL
versions 1.1.1h and 1.1.1. It is recommended to upgrade to OpenSSL 1.1.1k.
CVE ID: CVE-2021-3450 (High), CVE-2021-3449 (High)
It has been discovered that in Apache SpamAssassin (SA) malicious rule configuration (.cf)
files can be configured to run system commands without any output or errors. It is
recommended to upgrade to SA version 3.4.5.
CVE ID: CVE-2020-1946
Multiple vulnerabilities have been discovered in Cisco Jabber for Windows, Cisco Jabber for
MacOS and Cisco Jabber for mobile platforms- Android and iOS which allow an attacker to
execute arbitrary programs with elevated privileges, access sensitive information, intercept
protected network traffic, or cause a denial of service (DoS) condition. Cisco has released
security updates to address vulnerabilities in these Cisco products.
A vulnerability has been discovered in lxml, a pythonic binding for the libxml2 and libxslt
libraries. Due to missing input sanitisation Cross-site Scripting (XSS) is possible for the
HTML5 formaction attribute. It is recommended to upgrade your lxml packages.
CVE ID: CVE-2021-28957 (Medium)
It has been discovered that ldb, when used with Samba, incorrectly handled certain LDAP
attributes and DN strings. A remote attacker can use these vulnerabilities to cause the LDAP
server to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVE ID: CVE-2021-20277, CVE-2020-27840
It has been discovered that DaviewIndy has a Heap-based overflow vulnerability. The
vulnerability is triggered when the user opens a malformed ex.j2c format file which is
mishandled by Daview.exe. Attackers can exploit this for arbitrary code execution.
CVE ID: CVE-2020-7852 (High)
It has been discovered that APKLeaks allows remote attackers to execute arbitrary OS
commands via package name inside application manifest. An attacker can include arguments
which allow unintended commands or code to be executed, allow sensitive data to be read or
modified or can cause other unintended behavior through malicious package name. The affected
versions are APKLeaks prior to v2.0.3. The upgradation to APKLeaks version v2.0.6-dev and
above is recommended.
CVE ID: CVE-2021-21386 (Critical)
Firefox 87 has introduced a new privacy feature called SmartBlock. SmartBlock intelligently
fixes up web pages that are broken by our tracking protections, without compromising user
privacy.
Privilege escalation vulnerability has been discovered in McAfee Data Loss Prevention (DLP)
Endpoint for Windows. The affected versions are DLP Endpoint for Windows Prior to 11.6.100.
It is recommended to install or update DLP Endpoint for Windows 11.6.100.
CVE ID: CVE-2020-7346 (High)
Multiple vulnerabilities such as code injection, improper access control, and cross-site
scripting have been discovered in Weintek's Equipment- cMT. Successful exploitation of these
vulnerabilities can allow an unauthenticated remote attacker to access sensitive information
and execute arbitrary code to gain root privileges.
CVE ID: CVE-2021-27446 (Critical), CVE-2021-27444 (Critical), CVE-2021-27442
(Critical)
Multiple vulnerabilities such as hard-coded password, code injection, and execution with
unnecessary privileges have been discovered in GE's Equipment- Reason DR60, Digital Fault
Recorder(DFR). Successful exploitation of these vulnerabilities can allow an attacker to
take full control of the Digital Fault Recorder (DFR), remotely execute code, or escalate
privileges.
CVE ID: CVE-2021-27440 (Critical), CVE-2021-27438 (High), CVE-2021-27454 (High)
Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR,
and Thunderbird. An attacker can exploit some of these vulnerabilities to take control of an
affected system.
Multiple vulnerabilities such as use of hard-coded password, execution with unnecessary
privileges, and inadequate encryption strength have been discovered in GE's Equipment-
MU320E. Successful exploitation of these vulnerabilities can allow an attacker to escalate
unnecessary privileges and use hard-coded credentials to take control of the device.
CVE ID: CVE-2021-27452 (Critical), CVE-2021-27448 (High), CVE-2021-27450 (Low)
Multiple vulnerabilities have been discovered in Ovarro's Equipment- TBoxLT2 (All models),
TBox MS-CPU32, TBox MS-CPU32-S2, TBox RM2 (All models), TBox TG2 (All models), a Remote
Terminal Unit (RTU) Successful exploitation of these vulnerabilities can result in remote
code execution which may cause a denial-of-service condition.
CVE ID: CVE-2021-22646 (High), CVE-2021-22648 (High), CVE-2021-22642 (High),
CVE-2021-22640 (High), CVE-2021-22644 (High)
Buffer Overflow vulnerability has been discovered in Rockwell Automation's Equipment-
MicroLogix 1400 controllers. Successful exploitation of this vulnerability may result in a
denial-of-sservice condition. The affected products are MicroLogix 1400, All series Version
21.6 and below.
CVE ID: CVE-2021-22659 (High)
Improper input validation vulnerability has been discovered in Rockwell Automation's
Equipment- CompactLogix and ControlLogix controllers. Successful exploitation of this
vulnerability may allow an attacker to send specially crafted CIP packet requests to a
controller which may cause denial-of-service conditions in communications with other
products.
CVE ID: CVE-2020-6998 (Medium)
XWiki Platform is a generic wiki platform offering runtime services for applications built
on top of it. It has been discovered that the Rating Script Service(RSS) of XWiki Platform
expose an API to perform SQL requests without escaping the from and where search arguments.
This might lead to an SQL script injection quite easily for any user having Script rights on
XWiki.
CVE ID: CVE-2021-21380 (High)
A remote code execution vulnerability has been discovered in GitHub Enterprise Server which
can be exploited when building a GitHub Pages site. This vulnerability affected all versions
of GitHub Enterprise Server prior to 3.0.3 and is fixed in 3.0.3, 2.22.9, and 2.21.17.
CVE ID: CVE-2021-22864
Multiple vulnerabilities have been discovered in XStream , a Java library to serialize
objects to XML and back again. The affected versions are XStream before version 1.4.16. The
updates are avilable.
CVE ID: CVE-2021-21342 (Critical), CVE-2021-21344 (Critical), CVE-2021-21345
(Critical), CVE-2021-21346 (Critical), CVE-2021-21347 (Critical), CVE-2021-21350 (Critical),
CVE-2021-21351 (Critical)
The unauthenticated path traversal remote directory deletion vulnerability in ManageEngine
OpManager build 125346 has been discovered. The flaw exists in the Spark Gateway component
in ManageEngine OpManager due to improper validation of user-supplied data prior to a
directory deletion operation.
CVE ID: CVE-2021-20078 (Critical)
It has been discovered that Apache OFBiz has unsafe deserialization prior to 17.12.06. An
unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
CVE ID: CVE-2021-26295 (Critical)
Adobe has released security updates to address a vulnerability affecting ColdFusion. An
attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-21087 (Critical)
Multiple vulnerabilities have been discovered in Privoxy, privacy enhancing HTTP Proxy. An
attacker can exploit some of these vulnerabilities to take control of an affected system.
TYPO3 is an open source PHP based web content management system. It has been discovered that
content elements of type menu are vulnerable to cross-site scripting when their referenced
items get previewed in the page module. The affected versions are TYPO3 7.0.0-7.6.50,
8.0.0-8.7.39, 9.0.0-9.5.16, 10.0.0-10.4.1, 11.0.0-11.1.0. It is recommended to update to
TYPO3 versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1.
CVE ID: CVE-2021-21370 (Medium)
It has been discovered that OpenEMR is vulnerable to Reflected Cross-Site-Scripting (XSS)
due to user input not being validated properly. An attacker can trick a user to click on a
malicious url and execute malicious code. The affected version are OpenEMR 4.2.0 to 6.0.0.
CVE ID: CVE-2021-25922
It has been discovered that cloud-init has the ability to generate and set a randomized
password for system users. This functionality is enabled at runtime by passing cloud-config
data. When used this way, cloud-init logs the raw, unhashed password to a world-readable
local file. It is recommended to upgrade the cloud-init packages.
CVE ID: CVE-2021-3429
Multiple vulnerabilities have been discovered in Linux kernel. A local attacker can use
these vulnerabilities to cause a denial of service (system crash) or possibly execute
arbitrary code.
CVE ID: CVE-2021-20194 (High), CVE-2021-3347 (High), CVE-2021-3348 (High)
It has been discovered that when the Traffic Management Microkernel (TMM) process handles
certain undisclosed traffic, it may start dropping all fragmented IP traffic. TMM
incorrectly determines that the fragment memory limit has been reached and drops all
fragments it receives, disrupting traffic to the BIG-IP system.
CVE ID: CVE-2021-23007
It has been discovered that /etc/passwd is given incorrect privileges in openjdk. The
affected version is OpenJDK Java (for Middleware) 1 x86_64. The Red Hat Build of OpenJDK 8
(container images) is now available from the Red Hat Container Catalog.
CVE ID: CVE-2021-20264
A series of Denial of Service vulnerabilities have been discovered in Pygments, a popular
syntax highlighting library for Python. A number of regular expressions has exponential or
cubic worst-case complexity which can cause a remote Denial of Service (DoS) when provided
with malicious input. It is recommended to upgrade the pygments packages.
CVE ID: CVE-2021-27291
It has been discovered that improper input validation Squid-a caching and forwarding HTTP
web proxy are vulnerable to an HTTP Request smuggling attack. It is recommended to upgrade
the squid3 packages.
CVE ID: CVE-2020-25097
CISA Hunt and Incident Response Program (CHIRP) is a new forensics collection tool that CISA
developed to help network defenders find Indicators of Compromise (IOCs) associated with the
SolarWinds and Active Directory/M365 Compromise.
It has been discovered that Nessus Agent inadvertently capture the IAM role security token
on the local host during initial linking of the Nessus Agent when installed on an Amazon EC2
instance. This can allow a privileged attacker to obtain the token. The affected versions
are Nessus Agent 7.2.0 through 8.2.2.
CVE ID: CVE-2021-23840 (High), CVE-2021-20077, CVE-2021-23841 (High)
It has been discovered that the Shibboleth service provider's template engine used to render
error pages can be abused for phishing attacks. It is recommended to upgrade the
shibboleth-sp packages.
Information Exposure vulnerability has been discovered in Johnson Controls' Equipment-
exacqVision. Successful exploitation of this vulnerability can allow an unauthenticated
attacker to view system-level information about the exacqVision Web Service and the
operating system. The affected products are exacqVision Web Service- All supported versions
up to and including v20.12.02.0.
CVE ID: CVE-2021-27656 (High)
Multiple vulnerabilities have been discovered in Open vSwitch and OVN (Open Virtual
Network). An update for openvswitch2.11 and ovn2.11 is now available for Red Hat OpenStack
Platform 13 (Queens).
CVE ID: CVE-2015-8011 (Critical), CVE-2020-10722 (Medium), CVE-2020-10723 (Medium),
CVE-2020-10724 (Medium)
It has been discovered that a locking flaw in drivers/tty/tty_jobctrl.c can lead to an
use-after-free vulnerability in kernel. An update for kpatch-patch is now available for Red
Hat Enterprise Linux 7.6 Extended Update Support.
CVE ID: CVE-2020-29661 (High)
Multiple vulnerabilities have been discovered in Ruby-Object-oriented scripting language. A
remote attacker can use these vulnerabilities to execute arbitrary code or obtain sensitive
information or bypass a reverse proxy.
CVE ID: CVE-2020-10663 (High), CVE-2020-10933 (Medium), CVE-2020-25613 (High)
Multiple vulnerabilities have been discovered in Hitachi ABB Power Grids' Equipment- eSOMS
Telerik. Successful exploitation of these vulnerabilities can allow an attacker to upload
malicious files to the server, discover sensitive information or execute arbitrary code. The
affected products are eSOMS all versions prior to 6.3 using a version of Telerik software.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability has been discovered
in Hitachi ABB Power Grids' Equipment- eSOMS. Successful exploitation of this vulnerability
can allow an attacker to gain access to unauthorized information. The affected products are
eSOMS version 6.0.4.2.2, eSOMS version 6.1.4 and eSOMS version 6.3.
CVE ID: CVE-2021-26845 (High)
It has been discovered that in Unisys Stealth (core) the Keycloak password is stored in a
recoverable format that might be accessible by a local attacker, who can gain access to the
Management Server and change the Stealth configuration. The affected versions are Unisys
Stealth (core) before 6.0.025.0.
CVE ID: CVE-2021-3141
It has been discovered that Pion WebRTC do not properly tear down the DTLS Connection when
certificate verification failed. The PeerConnectionState is set to failed, but a user can
ignore that and continue to use the PeerConnection. The affected versions are Pion WebRTC
before 3.0.15.
CVE ID: CVE-2021-28681
It has been discovered that HGiga MailSherlock contains a SQL Injection vulnerability.
Remote attackers can inject SQL syntax and execute SQL commands in a URL parameter of email
pages without privilege.
CVE ID: CVE-2021-22848 (High)
CISA has released a table of Tactics, Techniques & Procedures (TTPs) used by the
Advanced Persistent Threat (APT) actor involved with the recent SolarWinds and Active
Directory/M365 compromise. The table uses the MITRE ATTACK framework to identify APT TTPs
and includes detection recommendations.
GitLab releasing updated versions 13.9.4, 13.8.6, and 13.7.9 for GitLab Community Edition
(CE) and Enterprise Edition (EE). These versions contain important security fixes.
Cisco has released security updates to address a vulnerability in Cisco Small Business
routers. In Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC
VPN Routers web-based management interface do not properly validate user-supplied input. An
attacker can exploit this vulnerability by sending crafted HTTP requests to an affected
device. A successful exploit can allow the attacker to execute arbitrary code as the root
user on the underlying operating system or cause the device to reload, resulting in a denial
of service (DoS) condition on the affected device.
CVE ID: CVE-2021-1287 (High)
It has been discovered that a potential arbitrary code execution vulnerability in velocity,
a Java-based template engine for writing web applications. It can be exploited by
applications which allowed untrusted users to upload/modify templates. It is recommended to
upgrade the velocity packages.
CVE ID: CVE-2020-13936 (High)
Multiple vulnerabilities have been discovered in the shadow suite of login tools. An
attacker can escalate privileges in specific configurations. It is recommended to upgrade
the shadow packages.
CVE ID: CVE-2017-20002, CVE-2017-12424 (Critical)
Cross-site scripting (XSS) vulnerability has been discovered in velocity-tools, a collection
of useful tools for the "Velocity" template engine. It is recommended to upgrade the
velocity-tools packages.
CVE ID: CVE-2020-13959 (Medium)
A potential data leakage vulnerability via malformed memcached keys has been discovered in
python-django, a high-level Python Web framework of Red Hat OpenStack Platform. An update
for python-django is now available for Red Hat OpenStack Platform 16.1(Train).
CVE ID: CVE-2020-13254 (Medium)
It has been discovered that containerd, a daemon to control runC incorrectly handled certain
environment variables. Contrary to expectations, a container can receive environment
variables defined for a different container, possibly containing sensitive information. The
system can be made to expose sensitive information. The updates are now available.
CVE ID: CVE-2021-21334 (Medium)
Cross-site Scripting vulnerability has been discovered in Advantech's Equipment-
WebAccess/SCADA, a browser-based SCADA software package. Successful exploitation of this
vulnerability can allow an unauthorized user to steal a user’s cookie/session token or
redirect an authorized user to a malicious webpage.
CVE ID: CVE-2021-27436 (Medium)
Multiple vulnerabilities have been discovered in XStream, an open-source Java library to
serialise objects to XML and back again. Some of the vulnerabilities can lead to a remote
code execution attack.
Red Hat Identity Management (IdM) is a centralized authentication, identity management, and
authorization solution for both traditional and cloud-based enterprise environments. A
vulnerability has been discovered in jquery of IPA, that passing HTML containing elements
from untrusted sources - even after sanitizing it to one of jQuery's DOM manipulation
methods result in untrusted code execution. The updates is now available.
CVE ID: CVE-2020-11023 (Medium)
It has been discovered that OpenJPEG- JPEG 2000 image compression/decompression library
incorrectly handled certain image data. An attacker can use this vulnerability to cause
OpenJPEG to crash, leading to a Denial of Service, or possibly execute arbitrary code.
CVE ID: CVE-2020-27841 (Medium), CVE-2020-27824, CVE-2020-27814 (High),
CVE-2020-27823, CVE-2020-27845 (Medium)
Multiple vulnerabilities have been discovered in Linux kernel. An attacker can exploit these
vulnerabilities to cause a Denial of Service in the host OS or possibly execute arbitrary
code or bypass NFS access restrictions.
CVE ID: CVE-2020-29569 (High), CVE-2021-3178 (Medium), CVE-2020-36158 (Medium)
Multiple vulnerabilities have been discovered in GE's Equipment- UR Family, protection and
control relays. Successful exploitation of these vulnerabilities can allow an attacker to
access sensitive information, reboot the UR, gain privileged access, or cause a
Denial-of-Service condition.
Infinite Loop vulnerability has been discovered in Hitachi ABB Power Grids' Equipment- AFS
Series. Successful exploitation of this vulnerability using crafted HSR frame can cause a
denial-of-service condition on one of the ports in a HSR ring. The affected products are
AFS660/AFS665 Version 7.0.07 including the variants AFS660-SR and AFS665-SR.
CVE ID: CVE-2020-9307 (Medium)
Multiple vulnerabilities such as Insufficiently Protected Credentials and Security Features
have been discovered in Becton, Dickinson and Company's Equipment- BD Alaris 8015 PC Unit.
Successful exploitation of these vulnerabilities can allow an unauthorized user with
physical access to the affected devices to access the host facility’s wireless network
authentication credentials and other sensitive technical data which may compromise the
confidentiality, integrity, and availability of the device.
CVE ID: CVE-2016-8375 (Medium) , CVE-2016-9355 (Medium)
Microsoft has released the Exchange On-premises Mitigation Tool (EOMT.ps1) that can automate
portions of both the detection and patching process. Microsoft stated the following along
with the release: "[the tool is intended] to help customers who do not have dedicated
security or IT teams to apply these security updates.
Multiple vulnerabilities have been discovered in XStream, an open-source Java library to
serialise objects to XML and back again. Some of the vulnerabilities can lead to a remote
code execution attack.
Multiple vulnerabilities have been discovered in pki-core. The Public Key Infrastructure
(PKI) core contains fundamental packages required by Red Hat Certificate System. An update
for pki-core is now available for Red Hat Enterprise Linux 7.6 Extended Update Support.
It has been discovered that GLib-library of C routines incorrectly handled certain symlinks
when replacing files. If a user or automated system are tricked into extracting a specially
crafted file with File Roller, a remote attacker can possibly create files outside of the
intended directory.
CVE ID: CVE-2021-28153
It has been discovered that ExpressionEngine allows PHP Code Injection by certain
authenticated users who can leverage Translate::save() to write to an _lang.php file under
the system/user/language directory. The affected version are ExpressionEngine before 5.4.2
and 6.x before 6.0.3.
CVE ID: CVE-2021-27230
It has been discovered that SpringBoot Framework is susceptible to a vulnerability which
when successfully exploited can lead to Remote Code Execution(RCE). All versions of Element
Plug-in for vCenter Server, Management Services versions prior to 2.17.56 and Management
Node versions through 12.2 contain vulnerable versions of SpringBoot Framework (versions
prior to 1.3.2).
CVE ID: CVE-2021-26987
It has been discovered that a packet of death scenario is possible in mvfst via a specially
crafted message during a QUIC session, which causes a crash via a failed assertion. This
vulnerability affects mvfst versions prior to commit
a67083ff4b8dcbb7ee2839da6338032030d712b0 and proxygen versions prior to v2021.03.15.00.
CVE ID: CVE-2021-24029
It has been discovered that in moodle when creating a user account, it is possible to verify
the account without having access to the verification email link. The affected versions are
moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
CVE ID: CVE-2021-20282
Cross-site scripting (XSS) vulnerability has been discovered in the Delete Personal Data
page of Cryptshare Server which allows an attacker to inject arbitrary web script or HTML
via the user name. The affected version are Cryptshare Server before 4.8.0. It is
recommended to upgrade to version 4.8.1.
CVE ID: CVE-2021-3150
It has been discovered that the auth_internal plugin in Tiny Tiny RSS (aka tt-rss) allows an
attacker to log in via the OTP code without a valid password. The affected versions are Tiny
Tiny RSS before 2021-03-12.
CVE ID: CVE-2021-28373
Google has released Chrome version 89.0.4389.90 for Windows, Mac and Linux. This version
addresses vulnerabilities that an attacker can exploit to take control of an affected
system.
CVE ID: CVE-2021-21191 (High), CVE-2021-21192 (High), CVE-2021-21193 (High)
It has been discovered that pygments, a generic syntax highlighter, is vulnerable to a CPU
exhaustion attack via a crafted SML file. It is recommended to upgrade the pygments
packages.
CVE ID: CVE-2021-20270
It has been discovered that sandbox restrictions in Flatpak, an application deployment
framework for desktop apps, can be bypassed via a malicious desktop file. It is recommended
to upgrade the flatpak packages.
CVE ID: CVE-2021-21381 (High)
It has been discovered that in the debug console of Eclipse Theia-an extensible platform to
develop multi-language Cloud and Desktop IDEs with state-of-the-art web technologies there
is no HTML escaping, so arbitrary Javascript code can be injected. The affected versions are
Eclipse Theia versions up to and including 1.8.0.
CVE ID: CVE-2021-28161
Multiple vulnerabilities have been discovered in MuPDF, a lightweight PDF viewer which may
result in denial of service, arbitrary code execution, memory corruption and other potential
consequences. It is recommended to upgrade the mupdf packages.
CVE ID: CVE-2020-26519 (Medium), CVE-2021-3407 (Medium)
Multiple vulnerabilities have been discovered in Red Hat Integration Tech-Preview 3 Camel K.
An update to the Camel K operator image for Red Hat Integration tech-preview is now
available.
CVE ID: CVE-2020-13946 (Medium), CVE-2020-13956 (Medium), CVE-2020-25649 (High)
Multiple vulnerabilities have been discovered in golang of Red Hat OpenShift Container
Platform. The affected products are Red Hat OpenShift Container Platform 4.5 for RHEL 8
x86_64, Red Hat OpenShift Container Platform 4.5 for RHEL 7 x86_64, Red Hat OpenShift
Container Platform for Power 4.5 for RHEL 8 ppc64le, Red Hat OpenShift Container Platform
for Power 4.5 for RHEL 7 ppc64le, Red Hat OpenShift Container Platform for IBM Z and
LinuxONE 4.5 for RHEL 8 s390x, Red Hat OpenShift Container Platform for IBM Z and LinuxONE
4.5 for RHEL 7 s390x. Red Hat OpenShift Container Platform release 4.5.34 is now available
with updates to packages and images that fix several bugs and add enhancements.
CVE ID: CVE-2020-15586 (Medium), CVE-2020-16845 (High)
Multiple vulnerabilities have been discovered in Pillow-Python Imaging Library. The Pillow
incorrectly handled certain Tiff image files, if a user or automated system are tricked into
opening a specially-crafted Tiff file, a remote attacker can cause Pillow to crash,
resulting in a denial of service, or possibly execute arbitrary code.
CVE ID: CVE-2021-25289, CVE-2021-25290, CVE-2021-25291,
CVE-2021-25292,CVE-2021-25293, CVE-2021-27921, CVE-2021-27922
Use-after-free vulnerability has been discovered in P2P provision discovery processing of
wpa_supplicant. An update for wpa_supplicant is now available for Red Hat Enterprise Linux
8.
CVE ID: CVE-2021-27803 (High)
Untrusted search path vulnerability has been discovered in Installer of MagicConnect Client
program distributed before 2021 March 1. It allows an attacker to gain privileges and via a
Trojan horse DLL in an unspecified directory and to execute arbitrary code with the
privilege of the user invoking the installer when a terminal is connected remotely using
Remote desktop.
CVE ID: CVE-2021-20674
It has been discovered that JMS Client for RabbitMQ is vulnerable to unsafe deserialization
that can result in code execution via crafted StreamMessage data. The affected versions are
JMS Client for RabbitMQ 1.x before 1.15.2 and 2.x before 2.2.0
CVE ID: CVE-2020-36282
It has been discovered that the session ID is visible in the arguments of the f5vpn.exe
command when VPN is launched from the browser on a Windows system. An attacker with
privileges to view the command line of the process may be able to view the session ID. If
the session ID is exposed to the attacker, they can use this information to launch further
attacks.
CVE ID: CVE-2021-23002
Information exposure through log file vulnerability has been discovered in Cortex XSOAR
software where the secrets configured for the SAML single sign-on (SSO) integration can be
logged to the '/var/log/demisto/' server logs when testing the integration during setup. The
updates are now available.
CVE ID: CVE-2021-3034 (Medium)
F5 has released a security advisory to address Remote Code Execution (RCE) vulnerabilities
impacting BIG-IP and BIG-IQ devices. An attacker can exploit these vulnerabilities to take
control of an affected system.
It has been discovered that Clipper allows remote command execution. A remote attacker may
send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which
invokes the dangerous openExternal API. The affected version are Clipper before 1.0.5.
CVE ID: CVE-2021-28134
A vulnerability has been discovered in MISP-Open Source Threat Intelligence Platform and
Open Standards for Threat Information Sharing. It is recommended to upgrade to MISP 2.4.140.
CVE ID: CVE-2021-27904 (Medium)
It has been discovered that IBM Db2 db2fm is vulnerable to a buffer overflow, caused by
improper bounds checking which can allow a local attacker to execute arbitrary code on the
system with root privileges. The affected products and versions are all fix pack levels of
IBM Db2 V9.7, V10.1, V10.5, V11.1, and V11.5 editions on all platforms.
CVE ID: CVE-2020-5025 (High)
Multiple vulnerabilities have been discovered in OpenShift Virtualization, a Red Hat's
virtualization solution designed for Red Hat OpenShift Container Platform. An update is now
available for RHEL-8-CNV-2.6.
Multiple vulnerabilities have been discovered in Schneider Electric's Equipment- IGSS
(Interactive Graphical SCADA System) which may cause improper restriction of operations
within the bounds of a memory buffer. Successful exploitation of these vulnerabilities can
result in remote code execution.
CVE ID: CVE-2021-22709 (High), CVE-2021-22710 (High), CVE-2021-22711 (High),
CVE-2021-22712 (High)
An unquoted service path vulnerability has been discovered in McAfee Endpoint Product
Removal (EPR) Tool. This vulnerability allows local administrators to execute arbitrary
code, with higher-level privileges, via execution from a compromised folder. The affected
versions are Endpoint Product Removal (EPR) Tool prior to 21.2.
CVE ID: CVE-2021-23879 (Medium)
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A
remote attacker can exploit some of these vulnerabilities to take control of an affected
system.
SAP has released security updates to address vulnerabilities affecting multiple products. An
attacker can exploit some of these vulnerabilities to take control of an affected system.
Adobe has released security updates to address vulnerabilities in multiple Adobe products.
An attacker can exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in several products of Siemens. A remote
attacker may exploit some of these vulnerabilities to take control of an affected system.
It has been discovered that Git incorrectly handled delay-capable clean/smudge filters when
being used on case-insensitive filesystems. A remote attacker can possibly use this issue to
execute arbitrary code.
CVE ID: CVE-2021-21300
A memory corruption vulnerability has been discovered in Apple products iOS 14.4.1 and
iPadOS 14.4.1. The processing of maliciously crafted web content may lead to arbitrary code
execution. The security update is now available.
CVE ID: CVE-2021-1844
A potential privileged host device access from guest vulnerability has been discovered in
virtiofsd for Quick EMUlator (QEMU), a free and open-source emulator and virtualizer . An
update for the virt:8.2 and virt-devel:8.2 modules is now available for Advanced
Virtualization for RHEL 8.2.1.
CVE ID: CVE-2020-35517 (High)
It has been discovered that GLib-library of C routines incorrectly handled certain large
buffers. A remote attacker can use this issue to cause applications linked to GLib to crash,
resulting in a Denial of Service, or possibly execute arbitrary code.
CVE ID: CVE-2021-27218 (High), CVE-2021-27219 (High)
It has been discovered that libupnp, the portable SDK for UPnP Devices allows remote
attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL
pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath
in genlib/service_table/service_table.c. It is recommended to upgrade the libupnp packages.
CVE ID: CVE-2020-13848 (High)
The package github.com/pires/go-proxyproto is vulnerable to denial of service (DoS) via the
parseVersion1() function. Since no limits are implemented in the code, a deliberately
malformed V1 header can be used to exhaust memory in a server process using this code - and
create a DoS. This can be exploited by sending a stream starting with PROXY and continuing
to send data (which does not contain a newline) until the target stops acknowledging.
CVE ID: CVE-2021-23351 (Medium)
A vulnerability has been discovered in the Linux kernel. The
drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged
user to craft Netlink messages. The affected versions are Linux kernel through 5.11.3.
CVE ID: CVE-2021-27364
A vulnerability has been discovered in AfterLogic Aurora and WebMail Pro which allow
directory traversal to read files. The affected versions are AfterLogic Aurora through 7.7.9
and WebMail Pro through 7.7.9.
CVE ID: CVE-2021-26294
Multiple vulnerabilities such as Remote Command Execution(RCE) and Arbitrary Code
Execution(ACE) has been discovered in multiple Xerox products. The updates are available.
CVE ID: CVE-2021-28671, CVE-2021-28672
Multiple vulnerabilities have been discovered in Rockwell Automation's Equipment- 1734-AENTR
Series B and Series C. Successful exploitation of these vulnerabilities can lead to
unauthorized data modification on the affected devices.
CVE ID: CVE-2020-14504 (High), CVE-2020-14502 (Medium)
Multiple vulnerabilities have been discovered in Schneider Electric's Equipment- EcoStruxure
Building Operation. Successful exploitation of these vulnerabilities may allow unauthorized
file uploads and command execution by a remote user which can result in loss of
availability, confidentiality and integrity of the workstation. The affected product are
EcoStruxure Building Operation WebReports v1.9 - v3.1, WebStation v2.0 - v3.1, Enterprise
Server installer v1.9 - v3.1 and Enterprise Central installer v2.0 - v3.1.
Muliple vulnerabilities such as HTTP2 'unknownProtocol' cause DoS by resource exhaustion and
DNS rebinding in --inspect have been discovered in nodejs. An update for the nodejs:10
module is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2021-22883, CVE-2021-22884
Multiple vulnerabilities such as SQL Injection, Command Injection and Server-Side Request
Forgery have been discovered in Accellion File Transfer Appliance. A remote user can exploit
some of these vulnerabilities to trigger remote code execution, cross-site scripting and
security restriction bypass on the targeted system. The affected products are FTA version
prior to 9.12.444.
An information disclosure vulnerability has been discovered in the web-based management
interface of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) and Cisco
Content Security Management Appliance (SMA) which can allow an authenticated, remote
attacker to access sensitive information on an affected device.
CVE ID: CVE-2021-1425 (Medium)
Cisco has released security updates to address vulnerabilities in the multiple Cisco
products which can allow an unauthenticated, adjacent attacker to cause a denial of service
(DoS) condition.
VMware has released a security update to address a vulnerability in View Planner. An
attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-21978 (High)
A vulnerability has been discovered that on Juniper Networks Junos EX series, QFX Series, MX
Series, and SRX branch series devices, a memory leak occurs every time the 802.1X
authenticator port interface flaps which can lead to other processes such as the pfex
process, responsible for packet forwarding to crash and restart. This issue may occur when
the device is configured as 802.1X authenticator port and the interface flaps.
CVE ID: CVE-2021-0215
Trend Micro has released updates for products that utilise either the Virus Scan API (VSAPI)
or Advanced Threat Scan Engine (ATSE) to resolve a memory exhaustion vulnerability which may
lead to denial-of-service or system freeze if exploited.
CVE ID: CVE-2021-25252
Improper Input Validation vulnerability has been discovered in Hitachi ABB Power Grids
Equipment- CompactLogix and ControlLogix controllers. Successful exploitation of this
vulnerability may allow an attacker to send specially crafted CIP packet requests to a
controller, which may cause denial-of-service conditions in communications with other
products.
CVE ID: CVE-2020-6998 (Medium)
Multiple vulnerabilities have been discovered in MB connect line Equipment- mymbCONNECT24
and mbCONNECT24- platform for remote access, data monitoring, alarm management, web-based
visualization and IIoT applications. Successful exploitation of these vulnerabilities can
allow a remote attacker to gain unauthorized access to arbitrary information or allow remote
code execution. The affected products are mymbCONNECT24 v2.6.1 and prior ands mbCONNECT24
v2.6.1 and prior.
Multiple vulnerabilities such as cross-site scripting and user interface misrepresentation
of critical information have been discovered in Hitachi ABB Power Grids' Equipment- Ellipse
Enterprise Asset Management (EAM). Successful exploitation of these vulnerabilities can
allow an attacker to steal sensitive information, hijack a user’s session, or compromise
authentication credentials.The affected products are Ellipse EAM versions prior to and
including 9.0.25.
CVE ID: CVE-2021-27414 (Medium) , CVE-2021-27416 (Medium)
It has been discovered that when responding to new h2c connection requests, Apache Tomcat
can duplicate request headers and a limited amount of request body from one request to
another meaning user A and user B can both see the results of user A's request.
CVE ID: CVE-2021-25122
The podman tool manages pods, container images, and containers. It has been discovered that
the container users permissions are not respected in privileged containers of podman. An
update for podman is now available for Red Hat Enterprise Linux 7 Extras.
CVE ID: CVE-2021-20188 (High)
Multiple vulnerabilities have been discovered in Docker, a Linux container runtime, which
can result in denial of service, an information leak or privilege escalation. It is
recommended to upgrade the docker.io packages.
CVE ID: CVE-2020-15157 (Medium), CVE-2020-15257 (Medium), CVE-2021-21284 (Medium),
CVE-2021-21285 (Medium)
It has been discovered that Google APIs google-oauth-java-client can allow a remote attacker
to bypass security restrictions, caused by no PKCE support implemented. The execution of a
specially-crafted application allows an attacker to exploit this vulnerability for obtaining
the authorisation code, and gain authorisation to the protected resource.
CVE ID: CVE-2020-7692 (High)
External Control of System or Configuration Setting vulnerability has been discovered in
PerFact's Equipment- OpenVPN-Client. Successful exploitation of this vulnerability can allow
for local privilege escalation or remote code execution through a malicious webpage. The
affected products are OpenVPN-Client, Versions 1.4.1.0 and prior.
CVE ID: CVE-2021-27406 (High)
Multiple vulnerabilities have been discovered in Fatek's Equipment- FvDesigner, Fatek
FvDesigner, a software tool used to design and develop FATEK FV HMI series product projects.
Successful exploitation of these vulnerabilities may allow an attacker to read/modify
information, execute arbitrary, and/or crash the application. The affected products are
FvDesigner Version 1.5.76 and prior.
CVE ID: CVE-2021-22662 (High), CVE-2021-22670 (High), CVE-2021-22666 (High),
CVE-2021-22683 (High), CVE-2021-22638 (High)
Insufficiently Protected Credentials vulnerability has been discovered in Rockwell
Automation's Equipment- Studio 5000 Logix Designer, RSLogix 5000, Logix Controllers.
Successful exploitation of this vulnerability can allow a remote unauthenticated attacker to
bypass the verification mechanism and connect with Logix controllers. This vulnerability can
enable an unauthorized third-party tool to alter the controller’s configuration and/or
application code.
CVE ID: CVE-2021-22681 (Critical)
Multiple vulnerabilities have been discovered in SaltStack products. An attacker may exploit
some of these vulnerabilities to take control of an affected system.
It has been discovered that Shibboleth Identity Provider can allow a remote attacker to
bypass security restrictions, caused by an error in the PKIX trust component. An attacker
can exploit this vulnerability using a certificate issued by the shibmd:KeyAuthority trust
anchors to impersonate any entity.
CVE ID: CVE-2015-1796 (Medium)
It has been discovered that LibTIFF-Tag Image File Format (TIFF) library incorrectly handled
certain malformed images. If a user or automated system is tricked into opening a specially
crafted image, a remote attacker can crash the application, leading to a denial of service,
or possibly execute arbitrary code with user privileges.
CVE ID: CVE-2020-35524, CVE-2020-35523
It has been discovered that there are a number of integer overflow vulnerabilities in Redis,
a persistent "NoSQL"-style key-value database. It is recommended to upgrade the redis
packages.
CVE ID: CVE-2021-21309 (Medium)
Multiple vulnerabilities such as improper neutralization of input during web page
generation, cleartext transmission of sensitive information, improper restriction of
excessive authentication attempts, use of a broken or risky cryptographic algorithm and use
of platform-dependent third-party components have been discovered in Advantech's Equipment-
Spectre RT Industrial Routers. Successful exploitation of these vulnerabilities may allow
information disclosure, deletion of files, and remote code execution. The affected versions
of Advantech Spectre RT Industrial Routers are Spectre RT ERT351 firmware Versions 5.1.3 and
prior.
Use of Hard-coded Credentials vulnerability has been discovered in Advantech's Equipment-
BB-ESWGP506-2SFP-T, industrial ethernet switches. Successful exploitation of this
vulnerability can allow an attacker to gain unauthorized access to sensitive information and
execute arbitrary code. The affected products are BB-ESWGP506-2SFP-T industrial ethernet
switches versions 1.01.09 and prior.
CVE ID: CVE-2021-22667 (Critical)
Use of password hash with insufficient computational effort vulnerability has been
discovered in Rockwell Automation's Equipment- FactoryTalk Services. Successful exploitation
of this vulnerability can allow a remote, unauthenticated attacker to create new users in
the FactoryTalk Services Platform administration console. These new users can allow an
attacker to modify or delete configuration and application data in other FactoryTalk
software connected to the FactoryTalk Services Platform. The affected products are
FactoryTalk Services Platform Versions 6.10.00 and 6.11.00.
CVE ID: CVE-2020-14516 (Critical)
Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR,
and Thunderbird. An attacker can exploit some of these vulnerabilities to take control of an
affected system.
Multiple vulnerabilities have been discovered in VMware ESXi, vCenter Server, and Cloud
Foundation. A remote attacker may exploit some of these vulnerabilities to take control of
an affected system.
CVE ID: CVE-2021-21972 (Critical), CVE-2021-21973 (Medium), CVE-2021-21974 (High)
It has been discovered that OpenSSL,Secure Socket Layer (SSL) cryptographic library and
tools incorrectly handled comparing certificates containing a EDIPartyName name type, and
parsing issuer fields. A remote attacker can possibly use these vulnerabilities to cause
OpenSSL to crash, resulting in a denial of service.
CVE ID: CVE-2020-1971 (Medium), CVE-2021-23841
A vulnerability has been discovered in netplex json-smart. An exception is thrown from a
function, but it is not caught, as demonstrated by NumberFormatException.
CVE ID: CVE-2021-27568
A vulnerability has been discovered in Keybase Desktop Client-for keeping everyone's chats
and files safe for Windows, macOS, and Linux. It allows an attacker to obtain potentially
sensitive media (such as private pictures) in the Cache and uploadtemps directories.
CVE ID: CVE-2021-23827
It has been discovered that Smarty, a template engine for PHP allows code injection via an
unexpected function name after a {function name= substring. The affected versions are Smarty
before 3.1.39.
CVE ID: CVE-2021-26120
It has been discovered in Botan, a BSD-licensed cryptographic and TLS library written in
C++11 constant-time computations are not used for certain decoding and encoding operations
(base32, base58, base64, and hex). The affected versions are Botan before 2.17.3.
CVE ID: CVE-2021-24115
It has been discovered that an encoding.c in GNU Screen allows remote attackers to cause a
Denial of Service or possibly have unspecified other impacts via a crafted UTF-8 character
sequence. The affected version is GNU Screen through 4.8.0. It is recommended to upgrade the
screen packages.
CVE ID: CVE-2021-26937 (Critical)
SonicWall has released firmware patches for SMA 100 series products in an update to its
previous alert. A remote attacker can exploit a vulnerability in versions of SMA 10 prior to
10.2.0.5-29sv to take control of an affected system.
It has been discovered that in Visualware MyConnection Server, a solution designed to assess
the risks each published report is not associated with its own access code. The affected
versions are Visualware MyConnection Server before 11.0b build 5382.
CVE ID: CVE-2021-27509
It has been discovered that python django is vulnerable to Web Cache Poisoning via
urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter
cloaking. The affected packages are python/cpython from 0 and before 3.6.13, from 3.7.0 and
before 3.7.10, from 3.8.0 and before 3.8.8 and from 3.9.0 and before 3.9.2. It is
recommended to upgrade the python-django packages.
CVE ID: CVE-2021-23336 (Medium)
A cross-site scripting (XSS) vulnerability has been discovered in the Horde Application
Framework, more precisely its Text Filter API. An attacker may take control of a user's
mailbox by sending a crafted e-mail. It is recommended to upgrade the php-horde-text-filter
packages.
CVE ID: CVE-2021-26929 (Medium)
Google has released Chrome version 88.0.4324.182 for Windows, Mac and Linux. This version
addresses vulnerabilities that an attacker can exploit to take control of an affected
system.
A vulnerability has been discovered in BIND's GSSAPI security policy negotiation which can
be targeted by a buffer overflow attack. The affected versions are BIND 9.5.0 to 9.11.27,
9.12.0 to 9.16.11, BIND 9.11.3-S1 to 9.11.27-S1, BIND Supported Preview Edition 9.16.8-S1 to
9.16.11-S1 of and 9.17.0 to 9.17.1 of the BIND 9.17 development branch.
CVE ID: CVE-2020-8625 (High)
It has been discovered that a vulnerability in the Inter-Process Communication (IPC) channel
of Cisco AnyConnect Secure Mobility Client for Windows can allow an authenticated, local
attacker to perform a DLL hijacking attack on an affected device if the VPN Posture
(HostScan) Module is installed on the AnyConnect client. Cisco has released software updates
that address this vulnerability.
CVE ID: CVE-2021-1366 (High)
It has been discovered that IBM WebSphere Application Server can allow a remote attacker to
traverse directories. An attacker can send a specially-crafted URL request containing "dot
dot" sequences (/../) to view arbitrary files on the system. The affected products are
WebSphere Application Server 8.0, WebSphere Application Server 8.5 and WebSphere Application
Server 9.0.
CVE ID: CVE-2021-20354 (Medium)
P2P group information processing vulnerability and AP mode PMF disconnection protection
bypass have been discovered in wpa_supplicant. An update that fixes two vulnerabilities is
now available.
CVE ID: CVE-2021-0326 (High), CVE-2019-16275 (Medium)
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Multiple vulnerabilities have been discovered in kernel. An update for kernel is now
available for Red Hat Enterprise Linux 7.7 Extended Update Support.
CVE ID: CVE-2020-24394 (High), CVE-2020-25212 (High)
Multiple vulnerabilities such as Stack-based Buffer Overflow, Type Confusion, Untrusted
Pointer Dereference, Incorrect Type Conversion or Cast, Memory Allocation with Excessive
Size Value have been discovered in Open Design Alliance - Drawings SDK. Successful
exploitation of these vulnerabilities may allow code execution in the context of the current
process or cause a denial-of-service condition.
CVE ID: CVE-2021-25174 (Medium), CVE-2021-25173 (High)
Multiple vulnerabilities have been discovered in Citrix Hypervisor that may allow privileged
code running in a guest VM to cause the host to crash or to become unresponsive.
CVE ID: CVE-2021-26930 (High), CVE-2021-26931 (Medium), CVE-2021-26932
Multiple vulnerabilities such as use of hard-coded credentials and missing XML validation
have been discovered in Hamilton Medical AG's Equipment-Hamilton-T1 Ventilator. Successful
exploitation of these vulnerabilities can allow attackers with physical access to the device
to obtain sensitive information or crash the device being accessed. The affected versions
are T1 Ventilator Versions 2.2.3 and prior.
CVE ID: CVE-2020-27278 (Low), CVE-2020-27282 (Medium), CVE-2020-27290 (Low)
Improper handling of length parameter inconsistency vulnerability has been discovered in
Rockwell Automation's Equipment- Allen-Bradley MicroLogix 1100, a Programmable Logic
Controller. Successful exploitation of this vulnerability can allow a remote,
unauthenticated attacker to send malformed packets and cause the controller to enter 8H Hard
Fault. The affected product is Allen-Bradley MicroLogix 1100 revision number 1.0.
CVE ID: CVE-2020-6111 (High)
A permissions, privileges, and access Controls vulnerability has been discovered in ProSoft
Technology's Equipment- ICX35-HWC-A and ICX35-HWC-E. Successful exploitation of this
vulnerability can allow an attacker to change the current user’s password and alter device
configurations. The affected products are ICX35-HWC-A: Versions 1.9.62 and prior and
ICX35-HWC-E: Versions 1.9.62 and prior.
CVE ID: CVE-2021-22661 (High)
Multiple vulnerabilities have been found in rh-nodejs10-nodejs. Successful exploitation of
these vulnerabilities may allow an attacker to execute arbitrary code/commands, cause Denial
of Service, access confidential data. An update for rh-nodejs10-nodejs is now available for
Red Hat Software Collections.
CVE ID: CVE-2020-7754 (High), CVE-2020-7774 (High), CVE-2020-7788 (High),
CVE-2020-8116 (High), CVE-2020-8252 (High), CVE-2020-8265 (High), CVE-2020-8287 (Medium),
CVE-2020-15095 (Medium), CVE-2020-15366 (Medium)
Multiple vulnerabilities have been discovered in IBM SDK. These might affect some
configurations of IBM WebSphere Application Server Traditional, IBM WebSphere Application
Server Liberty and IBM WebSphere Application Server Hypervisor Edition.
CVE ID: CVE-2020-27221 (Critical), CVE-2020-14782 (Low), CVE-2020-14781 (Low),
CVE-2020-2773 (Low)
It has been discovered that a remotely triggerable vulnerability in the mod_authz_svn module
in Subversion, a version control system. When using in-repository authz rules with the
AuthzSVNReposRelativeAccessFile option an unauthenticated remote client can take advantage
of this flaw to cause a denial of service by sending a request for a non-existing repository
URL.
It has been discovered that xterm through Patch #365 allows remote attackers to cause a
denial of service (segmentation fault) or possibly have unspecified other impact via a
crafted UTF-8 character sequence. It is recommended to upgrade the xterm packages.
CVE ID: CVE-2021-27135
It has been discovered that SQLite incorrectly handled certain sub-queries. An attacker
could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly
execute arbitrary code. SQLite could be made to crash or run programs if it processed a
specially crafted query.
CVE ID: CVE-2021-20227
Multiple vulnerabilities have been discovered in GitLab. It is recommended to update
versions 13.8.4, 13.7.7 and 13.6.7 for GitLab Community Edition (CE) and Enterprise Edition
(EE).
Multiple vulnerabilities have been discovered in Wibu-Systems AG's Equipment-
CodeMeter-secure protection and effective license management of software and digital
content. Successful exploitation of these vulnerabilities may allow an attacker to alter and
forge a license file, cause a denial-of-service condition, potentially attain remote code
execution, read heap data and prevent normal operation of third-party software dependent on
the CodeMeter.
Uncontrolled Search Path Element vulnerability has been discovered in Rockwell Automation's
Equipment- DriveTools SP and Drives AOP. Successful exploitation of this vulnerability may
result in privilege escalation and total loss of device confidentiality, integrity and
availability.
CVE ID: CVE-2021-22665 (High)
Use of Insufficiently Random Values vulnerability has been discovered in multiple TCP/IP
Equipment- Nut/Net, CycloneTCP, NDKTCPIP, FNET, uIP-Contiki-OS, uC/TCP-IP, uIP-Contiki-NG,
uIP, picoTCP-NG, picoTCP, MPLAB Net, Nucleus NET, Nucleus ReadyStart. Successful
exploitation of weak initial sequence numbers (ISN) may be used to hijack or spoof TCP
connections, cause denial-of-service conditions, inject malicious data or bypass
authentication.
It has been discovered that PEEL Shopping cart- a free ecommerce CMS in PHP / MySQL allows
utilisateurs/change_params.php address Cross-Site Scripting (XSS). The affected version is
PEEL Shopping cart 9.3.0.
CVE ID: CVE-2021-27190
A vulnerability has been discovered in Qognify Ocularis that allows remote attackers to
execute arbitrary code on affected installations of Qognify Ocularis. The affected version
is Qognify Ocularis 5.9.0.395.
CVE ID: CVE-2020-27868 (Critical)
An EDIPARTYNAME NULL pointer de-reference vulnerability has been discovered in Open SSL. An
update is now available for Red Hat JBoss Web Server 3.1 for RHEL 7.
CVE ID: CVE-2020-1971 (Medium)
A vulnerability has been discovered in the OverlayFS code in firejail, a sandbox program to
restrict the running environment of untrusted applications, which can result in root
privilege escalation. It is recommended to upgrade the firejail packages.
CVE ID: CVE-2021-26910 (High)
It has been discovered that GNOME Autoar- Archive integration support for GNOME can extract
files outside of the intended directory. GNOME Autoar can be made to overwrite files. If a
user were tricked into extracting a specially-crafted archive, a remote attacker may create
files in arbitrary locations, possibly leading to code execution.
CVE ID: CVE-2020-36241 (Medium)
A reflected cross-site scripting (XSS) vulnerability has been discovered in an undisclosed
page of the BIG-IP Configuration utility when Fraud Protection Service is provisioned which
allows an attacker to execute JavaScript in the context of the current logged-in user.
CVE ID: CVE-2021-22979
It has been discovered that zstd- a compression utility temporarily exposed a world-readable
version of its input even if the original file has restrictive permissions. It is
recommended to upgrade the libzstd packages.
A certificate chain building recursion denial of service vulnerability has been discovered
in dotnet. An update for .NET Core 3.1 is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2021-1721
It has been discovered that Wekan- open source kanban board system contains a cross-site
scripting vulnerability. When a logged-in user store malicious value containing Javascript
code to the system that JavaScript code may be executed on another logged-in user's web
browser.
CVE ID: CVE-2021-20654 (Medium)
An improper verification of cryptographic signature vulnerability has been discovered in
Palo Alto Networks Prisma Cloud Compute console. This vulnerability enables an attacker to
bypass signature validation during SAML authentication by logging in to the Prisma Cloud
Compute console as any authorized user.
CVE ID: CVE-2021-3033 (Critical)
It has been discovered that Open vSwitch incorrectly parsed certain network packets. A
remote attacker may use this vulnerability to cause denial of service or possibly alter
packet classification.
CVE ID: CVE-2020-35498
Multiple vulnerabilities such as clear text storage of sensitive Information, improper
access control, stored cross site scripting and null pointer dereference have been
discovered in McAfee Endpoint. It is recommended to install or update to ENS 10.7.0 and
10.6.1 February 2021 Update.
CVE ID: CVE-2021-23878, CVE-2021-23880 (Medium), CVE-2021-23881 (Medium),
CVE-2021-23882 (Medium), CVE-2021-23883 (Medium)
It has been discovered that IBM WebSphere Application Server is vulnerable to an XML
External Entity Injection (XXE) attack when processing XML data. A remote attacker may
exploit this vulnerability to expose sensitive information or consume memory resources. The
affected versions are WebSphere Application Server 7.0, 8.0, 8.5 and 9.0.
CVE ID: CVE-2021-20353 (High)
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A
remote attacker can exploit some of these vulnerabilities to take control of an affected
system.
Apple has released security updates to address vulnerabilities in macOS Big Sur 11.2, macOS
Catalina 10.15.7, and macOS Mojave 10.14.6. An attacker can exploit these vulnerabilities to
take control of an affected system.
CVE ID: CVE-2021-1805, CVE-2021-1806, CVE-2021-3156 (High)
Adobe has released security updates to address vulnerabilities in multiple Adobe products.
An attacker can exploit some of these vulnerabilities to take control of an affected system.
Microsoft has released a security advisory to address an escalation of privileges
vulnerability in Microsoft Win32k. A local attacker can exploit this vulnerability to take
control of an affected system.
CVE ID: CVE-2021-1732 (High)
Multiple vulnerabilities have been discovered in several products of Siemens. A remote
attacker may exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as SQL Injection, Path Traversal, and Missing Authentication
for Critical Function have been discovered in Advantech's Equipment- iView. Successful
exploitation of these vulnerabilities may allow an attacker to disclose information,
escalate privileges to the Administrator, perform an arbitrary file read, and remotely
execute commands.
CVE ID: CVE-2021-22654 (High), CVE-2021-22658 (High), CVE-2021-22656 (High),
CVE-2021-22652 (Critical)
It has been discovered that Improper buffer restrictions in firmware for Intel XMM 7360 Cell
Modem may allow an unauthenticated user to potentially enable Denial of Service via network
access. It is recommended to upgrade to the latest version of Intel XMM 7360 Cell Modem.
CVE ID: CVE-2020-24482 (High)
It has been discovered that OpenJDK- a free and open-source implementation of the Java
Platform incorrectly handled the direct buffering of characters. An attacker can use this
vulnerability to cause OpenJDK to crash, resulting in a Denial of Service, or cause other
unspecified impacts.
Multiple vulnerabilities such as use-after-free, and reachable assertion failure have been
discovered in QEMU- a free and open-source emulator and virtualizer. An update for
qemu-kvm-rhev is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
and Red Hat Virtualization Engine 4.3.
CVE ID: CVE-2020-1983 (Medium), CVE-2020-16092 (Low)
Multiple vulnerabilities have been discovered in Linux kernel. An attacker may exploit some
of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as memory leak per HTTP session, remote code execution and
missing authorization check have been discovered in Red Hat Data Grid. A security update for
Red Hat Data Grid is now available.
CVE ID: CVE-2020-25644 (High), CVE-2020-25711 (Medium), CVE-2020-26217 (High)
Multiple vulnerabilities have been discovered in QEMU- Machine emulator and virtualizer. An
attacker may exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in OpenLDAP- Lightweight Directory Access
Protocol. An attacker may exploit some of these vulnerabilities to take control of an
affected system.
It has been discovered that PEAR- PHP Extension and Application Repository incorrectly
handled symbolic links in archives. A remote attacker may possibly use this vulnerability to
execute arbitrary code.
CVE ID: CVE-2020-36193 (High)
Incorrect Permission Assignment for Critical Resource vulnerability has been discovered in
GE Digital's Equipment- HMI/SCADA iFIX. Successful exploitation of these vulnerabilities can
allow an attacker to escalate their privileges.
Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR.
An attacker can exploit some of these vulnerabilities to take control of an affected system.
A vulnerability has been discovered in SonicWall SMA 100 series. A remote attacker
leveraging this vulnerability may gain admin credential access. The affected products are
SMA 200, SMA 210, SMA 400, SMA 410 & SMA 500v.
CVE ID: CVE-2021-20016
It has been discovered that WordPress Plugin "Name Directory" contains a cross-site request
forgery vulnerability. If a user with an administrative privilege views a malicious page
while logged in, unintended operations may be performed. The affected versions are Name
Directory 1.17.4 and earlier.
CVE ID: CVE-2021-20652 (Medium)
Google has released Chrome Version 88.0.4324.150 for Windows, Mac and Linux. This version
addresses a vulnerability that an attacker may exploit to take control of an affected
system.
CVE ID: CVE-2021-21148 (High)
Deserialization of Untrusted Data vulnerability has been discovered in M&M Software
GmbH's Equipment- fdtCONTAINER. If an attacker can socially engineer a valid user into
loading a manipulated project file, malicious code can be executed without notice.
CVE ID: CVE-2020-12525 (High)
Out-of-bounds Read vulnerability has been discovered in Horner Automation's Equipment-
Cscape. Successful exploitation of this vulnerability may allow code execution in the
context of the current process.
CVE ID: CVE-2021-22663 (High)
Multiple vulnerabilities have been discovered in Luxion-KeyShot products, 3D rendering and
animation software. Successful exploitation of these vulnerabilities can allow arbitrary
code execution, the storing of arbitrary scripts into automatic startup folders, and the
attacking of products without sufficient UI warning.
CVE ID: CVE-2021-22647 (High), CVE-2021-22643 (High), CVE-2021-22645 (High),
CVE-2021-22649 (High), CVE-2021-22651 (High)
It has been discovered that Video Insight VMS provided by Panasonic Corporation contains an
arbitrary code execution vulnerability because unencrypted communication exists in the
communication using non-well known ports. The affected versions are Video Insight VMS
versions prior to 7.8.
CVE ID: CVE-2021-20623 (Critical)
It has been discovered that ReadyMedia (MiniDLNA) allowed subscription requests, and remote
code execution. An attacker can use these to hijack smart devices or send a malicious UPnP
HTTP request to the service using HTTP chunked encoding and cause Denial of Service attacks.
CVE ID: CVE-2020-12695 (High), CVE-2020-28926 (Critical)
It has been discovered that Bitcoin Core might allow remote attackers to execute arbitrary
code when another application unsafely passes the -platformpluginpath argument to the
bitcoin-qt program, as demonstrated by an x-scheme-handler/bitcoin handler for a .desktop
file or a web browser. The affected versions are Bitcoin Core before 0.19.0.
CVE ID: CVE-2021-3401
Multiple potential security vulnerabilities have been identified in HPE Apollo 70 System BMC
Firmware. These vulnerabilities impact the BMC firmware and may be exploited locally to
allow denial of service, buffer overflow and path traversal.
Multiple vulnerabilities have been discovered in the web-based management interface of Cisco
Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers. Successful exploitation
could allow an unauthenticated, remote attacker to execute arbitrary code as the root user
on an affected device. Cisco has released software updates that address these
vulnerabilities. CVE ID: CVE-2021-1289 (Critical), CVE-2021-1290 (Critical), CVE-2021-1291 (Critical),
CVE-2021-1292 (Critical), CVE-2021-1293 (Critical), CVE-2021-1294 (Critical), CVE-2021-1295
(Critical)
It has been discovered that SquaredUp- application centric monitoring allowed Stored XSS. An
user is able to create a dashboard that executed malicious content in iframe or by uploading
an SVG that contained a script. The affected versions are SquaredUp before version 4.6.0.
CVE ID: CVE-2020-9390
Cisco has released security updates to address vulnerabilities in multiple Cisco products.
An attacker may exploit some of these vulnerabilities to take control of an affected system.
It has been discovered that Clustered Data ONTAP is susceptible to a vulnerability which can
allow unauthorized tenant users to discover the names of other Storage Virtual Machines
(SVMs) and filenames on those SVMs. The affected versions are Clustered Data ONTAP prior to
9.3P20 and 9.5P15.
CVE ID: CVE-2020-8589
Multiple vulnerabilities have been discovered in OpenLDAP, a free implementation of the
Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage
of these flaws to cause a Denial of Service (slapd daemon crash, infinite loops) via
specially crafted packets. It is recommended to upgrade the openldap packages.
It has been discovered that the Favorites component for Nagios XI 5.8.0 is vulnerable to
Insecure Direct Object Reference. It is possible to create favorites for any other user
account. The affected versions are Favorites component before 1.0.2.
CVE ID: CVE-2021-26024
It has been discovered that the perf subsystem in the Linux kernel do not properly
deallocate memory in some situations. A privileged attacker can use this to cause a Denial
of Service (kernel memory exhaustion).
CVE ID: CVE-2020-25704 (Medium)
Buffer Overflow vulnerability has been discovered in Rockwell Automation's Equipment-
MicroLogix 1400-Programmable Logic Controller Systems. Successful exploitation of this
vulnerability may result in a Denial-of-Service condition. The affected products are
MicroLogix 1400, all series Version 21.6 and below.
CVE ID: CVE-2021-22659 (High)
Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and
integration platform. Multiple vulnerabilities have been discovered in Red Hat JBoss
Fuse/A-MQ. An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3.
CVE ID: CVE-2020-13933 (High), CVE-2020-26217 (High), CVE-2021-26117
Google has released Chrome version 88.0.4324.146 for Windows, Mac and Linux. This version
addresses vulnerabilities that an attacker can exploit to take control of an affected
system.
The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized
management platform that allows system administrators to view and manage virtual machines. A
vulnerability has been discovered in ovirt-engine which allows a non-admin user to access
other users public SSH key. Updated ovirt-engine packages fix several bugs and add various
enhancements.
CVE ID: CVE-2020-35497 (Medium)
It has been discovered that IBM QRadar SIEM in some configurations may be vulnerable to a
temporary Denial of Service attack when sent particular payloads. The affected versions are
IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1, 7.4.0 to 7.4.1 Patch 1, and 7.3.0 to 7.3.3 Patch
5.
CVE ID: CVE-2020-5032
It has been discovered that Apport- automatically generated crash reports for debugging
incorrectly parsed certain files in the /proc filesystem, and handled opening certain
special files. A local attacker can use these vulnerabilities to escalate privileges and run
arbitrary code or cause Apport to hang, resulting in a Denial of Service.
CVE ID: CVE-2021-25682, CVE-2021-25683, CVE-2021-25684
Multiple vulnerabilities such as local temporary directory hijacking and buffer not
correctly recycled in Gzip Request inflation have been discovered in jetty of AMQ Broker. An
update for Red Hat AMQ Broker 7.4.6 is now available from the Red Hat Customer Portal.
CVE ID: CVE-2020-27216 (High), CVE-2020-27218 (Medium)
Multiple vulnerabilities such as heap-based buffer overflow and corruption of intermediate
language state have been discovered in perl- a high-level programming language. An update
for perl is now available for Red Hat Enterprise Linux 7.
CVE ID: CVE-2020-10543 (High), CVE-2020-10878 (High), CVE-2020-12723 (High)
A heap buffer overflow vulnerability has been discovered in the FortiProxy SSL VPN web
portal, it may cause the SSL VPN web service termination for logged in users or potential
remote code execution on FortiProxy. The affected versions are FortiProxy 2.0.0, FortiProxy
1.2.8 and below, FortiProxy 1.1.6 and below, and FortiProxy 1.0.7 and below.
CVE ID: CVE-2018-13383 (Medium)
The Android Security Bulletin contains details of security vulnerabilities affecting Android
devices. Security patch levels of 2021-02-05 or later address all of these issues. The
affected versions are Android 8.1, 9, 10 & 11.
Apple has released security updates to address vulnerabilities in multiple products. An
attacker can exploit some of these vulnerabilities to take control of an affected system.
Flatpak is a system for building, distributing, and running sandboxed desktop applications
on Linux. A sandbox escapes vulnerability via spawn portal has been discovered in flatpak.
An update for flatpak is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2021-21261 (High)
Potential Memory leak vulnerability has been discovered in Wildfly-an application server
when using OpenTracing. The affected product is JBoss Enterprise Application Platform.
CVE ID: CVE-2020-27822 (Medium)
It has been discovered that the Django-High level Python web development framework
incorrectly extracted archive files. A remote attacker can possibly use this vulnerability
to extract files outside of their expected location.
CVE ID: CVE-2021-3281
GitLab released security update versions 13.8.2, 13.7.6 and 13.6.6 for GitLab Community
Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes.
Multiple vulnerabilities have been discovered in Oracle Linux kernel. The affected version
is Oracle Linux 7.
CVE ID: CVE-2020-29568 (Medium), CVE-2020-29569 (High), CVE-2020-28374 (High)
It has been discovered that deleteaccount.php in the Delete Account plugin for MyBB allows
XSS vulnerability via the deletereason parameter. The affected version is MyBB Delete
Account plugin 1.4.
CVE ID: CVE-2021-3350
Multiple vulnerabilities have been discovered in MariaDB database server packages. It is
recommended to upgrade the mariadb-10.1 packages.
CVE ID: CVE-2020-14765 (Medium), CVE-2020-14812 (Medium)
It has been discovered that Monal- an open source instant messaging client for iOS and macOS
does not implement proper sender verification on MAM and Message Carbon results. This allows
a remote attacker to inject arbitrary messages into the local history, with full control
over the sender and receiver displayed to the victim. The affected versions are Monal before
4.9.
CVE ID: CVE-2020-26547
libsdl2 is a library for portable low level access to a video framebuffer, audio output,
mouse, and keyboard. Multiple vulnerabilities such as buffer overflow, integer overflow, and
heap-based buffer over-read have been discovered in libsdl2. It is recommended to upgrade
the libsdl2 packages.
It has been discovered that in Oniguruma- a BSD licensed regular expression library an
attacker able to supply a regular expression for compilation, may be able to overflow a
buffer by one byte in concat_opt_exact_str in src/regcomp.c. It is recommended to upgrade
affected package the libonig- a regex library for multi-bytes strings.
CVE ID: CVE-2020-26159 (High)
It has been discovered that an improper neutralization of input vulnerability during web
page generation in FortiWeb GUI interface may allow an unauthenticated, remote attacker to
perform a reflected cross site scripting attack (XSS) by injecting malicious payload in
different vulnerable API end-points. The affected versions are FortiWeb 6.3.7 and below, and
FortiWeb 6.2.3 and below.
CVE ID: CVE-2021-22122 (Medium)
A heap buffer overflow vulnerability has been discovered in libgcrypt-a general-purpose
library of cryptographic building blocks due to an incorrect assumption in the block buffer
management code. Just decrypting some data can overflow a heap buffer with
attacker-controlled data, no verification or signature is validated before the vulnerability
occurs. It is recommended to upgrade to Libgcrypt version 1.9.1.
Multiple vulnerabilities have been discovered in Rockwell Automation's Equipment-
FactoryTalk Linx and FactoryTalk Services Platform. Successful exploitation of these
vulnerabilities may result in Denial-of-Service conditions.
CVE ID: CVE-2020-5801 (High), CVE-2020-5802 (High), CVE-2020-5806 (Medium)
Multiple vulnerabilities have been discovered in libxstream-Java -library to serialize
objects to XML and back again. A remote attacker can run arbitrary shell commands or request
data from internal resources or delete arbitrary known files on the host by manipulating the
processed input stream.
CVE ID: CVE-2020-26217 (High), CVE-2020-26258 (High), CVE-2020-26259 (Medium)
It has been discovered that TCMU, TCM-Userspace backend lacked a check for transport-layer
restrictions, allowing remote attackers to read or write files via directory traversal in an
XCOPY request.
CVE ID: CVE-2021-3139 (High)
Multiple vulnerabilities have been discovered in ceph-mon, ceph-mgr daemons, Ceph Object
Gateway and Cephx authentication. An attacker can use these vulnerabilities to gain access
or cause a crash, authenticate via a packet sniffer & perform actions and modify the
configuration.
CVE ID: CVE-2020-10736 (High), CVE-2020-10753 (Medium), CVE-2020-25660 (High)
Multiple vulnerabilities have been discovered in the Simple Linux Utility for Resource
Management (SLURM), a cluster resource management and job scheduling system, which can
result in Denial of Service, information disclosure or privilege escalation. It is
recommended to upgrade the slurm-llnl packages.
CVE ID: CVE-2019-19728 (High), CVE-2020-12693 (High), CVE-2020-27745 (Critical),
CVE-2020-27746 (Low)
Multiple vulnerabilities have been discovered in ansible, a configuration management,
deployment, and task execution system. It is recommended to upgrade the ansible packages.
CVE ID: CVE-2017-7481 (Critical), CVE-2019-10156 (Medium), CVE-2019-14846 (High),
CVE-2019-14904 (High)
It has been discovered that Android App "ELECOM File Manager" contains a directory traversal
vulnerability due to a flaw in the processing of the filenames when extracting the
compressed files. A remote attacker may create an arbitrary file or overwrite an existing
file in a directory which can be accessed with the application privileges.
CVE ID: CVE-2021-20651
It has been discovered that VMware Tanzu Spring Framework can allow a remote attacker to
bypass security restrictions, caused by improper input validation. By using a
specially-crafted jsessionid path parameter, an attacker can exploit this vulnerability to
bypass RFD Protection.
CVE ID: CVE-2020-5421 (Medium)
The cryptsetup packages provide a utility for setting up disk encryption using the dm-crypt
kernel module. An Out-of-bounds write vulnerability exists in cryptsetup when validating
segments. An update for cryptsetup is now available for Red Hat Enterprise Linux 8.2
Extended Update Support.
CVE ID: CVE-2020-14382 (High)
It has been discovered that Red Hat Customer Portal password logged and passed as command
line argument, when the user registers through GNOME control center. An update for
gnome-settings-daemon is now available for Red Hat Enterprise Linux 8.2 Extended Update
Support.
CVE ID: CVE-2020-14391
Apple has released security updates to address vulnerabilities in multiple products. An
attacker may exploit some of these vulnerabilities to take control of an affected system.
Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR,
and Thunderbird. An attacker can exploit some of these vulnerabilities to take control of an
affected system.
A heap-based buffer overflow vulnerability has been discovered in sudo, a program designed
to provide limited super user privileges to specific users in Debian GNU/Linux OS. Any local
user (sudoers and non-sudoers) can exploit this vulnerability for root privilege escalation.
It is recommended to upgrade the sudo packages.
CVE ID: CVE-2021-3156
Multiple vulnerabilities such as Stack-based Buffer Overflow, Out-of-Bounds Read,
Out-of-Bounds Write, Access of Uninitialized Pointer, and Heap-based Buffer Overflow have
been discovered in Fuji Electric's Equipment- Tellus Lite V-Simulator and V-Server Lite.
Successful exploitation of these vulnerabilities may allow an attacker to execute code under
the privileges of the application.
CVE ID: CVE-2021-22637 (High), CVE-2021-22655 (High), CVE-2021-22653 (High),
CVE-2021-22639 (High), CVE-2021-22641 (High)
It has been discovered that due to a time-of-check to time-of-use (TOCTOU) race condition,
the file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows
symbolic links to locations outside the directory being browsed in Jenkins. This allows
attackers with Job/Workspace permission and the ability to control workspace contents. The
affected versions are Jenkins 2.275 and LTS 2.263.2.
CVE ID: CVE-2021-21615 (Medium)
It has been discovered that IBM WebSphere Application Server is vulnerable to an XML
External Entity Injection (XXE) attack when processing XML data. A remote attacker can
exploit this vulnerability to expose sensitive information or consume memory resources.
CVE ID: CVE-2020-4949 (High)
Multiple vulnerabilities have been discovered in dnsmasq-a lightweight DNS (Domain Name
Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server. An update for
dnsmasq is now available for Red Hat Enterprise Linux 7.3 Advanced Update Support.
CVE ID: CVE-2020-25684, CVE-2020-25685, CVE-2020-25686 (Low)
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application
platform solution designed for on-premise or private cloud deployments. A vulnerability has
been discovered in kubernetes: docker config secrets leaked when file is malformed and
loglevel >= 4. The updates to packages and images of Red Hat OpenShift Container Platform
4.6.13 is now available.
CVE ID: CVE-2020-8564 (Medium)
It has been discovered that the package src:python-bottle, a web framework is vulnerable to
Web Cache Poisoning by using a vector called parameter cloaking. The affected versions are
src:python-bottle before 0.12.19. It is recommended to upgrade the python-bottle packages.
CVE ID: CVE-2020-28473 (Medium)
A vulnerability has been discovered in ClusterLabs crmsh-cluster management shell for the
Pacemaker. Local attackers are able to call "crm history" (when "crm" is run) & able to
execute commands via shell code injection to the crm history command line, potentially
allowing escalation of privileges. It is recommended to upgrade the crmsh packages.
CVE ID: CVE-2020-35459 (High)
Multiple vulnerabilities have been discovered in salt, a powerful remote execution manager.
These vulnerabilities can result in authentication bypass and invocation of Salt SSH,
creation of certificates with weak file permissions via the TLS execution module or shell
injections with the Salt API using the SSH client. It is recommended to upgrade the salt
packages.
CVE ID: CVE-2020-16846 (Critical), CVE-2020-17490 (Medium), CVE-2020-25592 (Critical)
A vulnerability has been discovered in Secure Mobile Access (SMA) appliances of SonicWall
products which can allow a remote attacker to gain the unauthorized access to the remote
devices. The affected version is Secure Mobile Access 100 series.
Multiple vulnerabilities have been discovered in the LLPD implementation of Open vSwitch, a
software-based Ethernet virtual switch, which can result in Denial of Service. It is
recommended to upgrade the openvswitch packages.
CVE ID: CVE-2015-8011 (Critical), CVE-2020-27827
Multiple vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which
can result in information disclosure. It is recommended to upgrade the tomcat9 packages.
CVE ID: CVE-2020-13943 (Medium), CVE-2020-17527 (High)
A vulnerability has been discovered in the VLC media player, which can result in the
execution of arbitrary code or Denial of Service if a malformed media file is opened. It is
recommended to upgrade the vlc packages.
CVE ID: CVE-2020-26664 (High)
Multiple vulnerabilities have been discovered in Matrikon's Equipment- OPC UA Tunneller-a
machine to machine communication protocol for industrial automation. Successful exploitation
of these vulnerabilities may allow an attacker to disclose sensitive information, remotely
execute arbitrary code or crash the device.
CVE ID: CVE-2020-27297 (Critical), CVE-2020-27299 (High), CVE-2020-27274 (High),
CVE-2020-27295 (High)
Multiple vulnerabilities such as Untrusted Pointer Dereference and Out-of-bounds Write have
been discovered in Delta Electronics' Equipment- TPEditor, programming software for Delta
text panels. Successful exploitation of these vulnerabilities may allow an attacker to
execute code under the privileges of the application.
CVE ID: CVE-2020-27288 (High), CVE-2020-27284 (High)
Deserialization of Untrusted Data vulnerability has been discovered in M&M Software
GmbH's Equipment- fdtCONTAINER. If an attacker can socially engineer a valid user into
loading a manipulated project file, malicious code can be executed without notice.
CVE ID: CVE-2020-12525 (High)
Uncontrolled Resource Consumption vulnerability has been discovered in Mitsubishi Electric's
Equipment- MELFA FR, MELFA CR, MELFA ASSISTA. Successful exploitation of this vulnerability
may cause a denial-of-service condition.
CVE ID: CVE-2021-20586 (High)
A use after free vulnerability has been discovered in Delta Electronics' Equipment- ISPSoft,
a PLC program development tool. Successful exploitation of this vulnerability may allow an
attacker to execute code under the privileges of the application.
CVE ID: CVE-2020-27280 (High)
A stack-based buffer overflow remote code execution security vulnerability has been
discovered in multiple Netgear products specially routers. The updates are now available.
It has been discovered that in Xen HVM guests with PCI pass through devices can mount a
Denial of Service attack affecting the pass through of PCI devices to other guests or the
hardware domain. Xen versions 4.12.3, 4.12.4, and all versions from 4.13.1 onwards are
vulnerable.
It has been discovered that rfc822.c in Mutt- a text-based email client for Unix like
systems through 2.0.4 allows remote attackers to cause a denial of service by sending email
messages with sequences of semicolon characters in RFC822 address fields. A small email
message from the attacker may cause large memory consumption, and the victim may then be
unable to see email messages from other persons. It is recommended to upgrade the mutt
packages.
CVE ID: CVE-2021-3181
Multiple vulnerabilities such as processing of invalid SAML XML documents, and unspecified
xmlsec1 key-type preference have been discovered in pysaml2-a pure python implementation of
SAML(Security Assertion Markup Language ) Version 2 Standard.
CVE ID: CVE-2021-21238 (Medium), CVE-2021-21239 (Medium)
Multiple vulnerabilities have been discovered in MISP-Open Source Threat Intelligence
Platform & Open Standards For Threat Information Sharing. It is recommended to upgrade
to MISP 2.4.137.
CVE ID: CVE-2021-25324 (Medium), CVE-2021-25325 (Medium), CVE-2021-25323,
CVE-2021-3184 (Medium)
Cisco has released security updates to address vulnerabilities in multiple Cisco products.
An attacker may exploit some of these vulnerabilities to take control of an affected system.
Vulnerability has been discovered in pear Archive_Tar library used in Drupal. Exploits may
be possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and
processes them.
CVE ID: CVE-2020-36193
Multiple vulnerabilities have been discovered in Red Hat OpenShift Container Platform.The
affected products are Red Hat OpenShift Container Platform 3.11 x86_64 & Red Hat
OpenShift Container Platform for Power 3.11 ppc64le. Red Hat OpenShift Container Platform
release 3.11.374 is now available with updates to packages and images that fix several bugs.
CVE ID: CVE-2019-11840 (Medium), CVE-2020-8554, CVE-2020-26137 (Medium)
An unspecified vulnerability has been discovered in Java SE related to the Java SE Security
component that can allow an unauthenticated attacker to cause no confidentiality impact, low
integrity impact, and no availability impact.
CVE ID: CVE-2020-2590 (Low)
Google has released Chrome version 88.0.4324.96 for Windows, Mac and Linux. This version
addresses vulnerabilities which a remote attacker may exploit to trigger remote code
execution, disclose sensitive information, bypass security restriction and Denial of Service
condition on the targeted system.
Oracle has released its Critical Patch Update for January 2021 to address 403
vulnerabilities across multiple products. A remote attacker may exploit some of these
vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as the use of hard-coded cryptographic key and cleartext
transmission of sensitive information have been discovered in Reolink's Equipment- P2P
protocol. Successful exploitation of these vulnerabilities may permit unauthorized access to
sensitive information.
CVE ID: CVE-2020-25173 (High), CVE-2020-25169 (Critical)
Multiple vulnerabilities such as heap-based buffer overflow, insufficient verification of
data authenticity and use of a broken or risky cryptographic algorithm have been discovered
in Dnsmasq's Equipment- Dnsmasq. Successful exploitation of these vulnerabilities may result
in cache poisoning, remote code execution and a denial-of-service condition.
An OS Command Injection vulnerability has been discovered in Philips' Equipment- Philips
Interventional WorkSpot, Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live, ViewForum.
Successful exploitation of this vulnerability makes it possible for someone within the
hospital network to remotely shut down or restart the workstation.
CVE ID: CVE-2020-27298 (Medium)
OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift
Container Platform. It has been discovered that an integer overflow vulnerability leads to
denial of service. Red Hat OpenShift Virtualization release 2.5.3 is now available with
updates to packages and images that fix several bugs and security issues.
CVE ID: CVE-2020-27813 (High)
Multiple Vulnerabilities in dnsmasq DNS Forwarder Affecting many Cisco Products.
Exploitation of these vulnerabilities may result in remote code execution or denial of
service (DoS) or may allow an attacker to more easily forge DNS answers that may poison DNS
caches, depending on the specific vulnerability.
The linux-firmware packages contain all of the firmware files that are required by various
devices to operate. A buffer overflow vulnerability has been discovered in bluetooth
firmware. An update for linux-firmware is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.
CVE ID: CVE-2020-12321 (High)
The pyxdg is a python library to access freedesktop.org standards. It has been discovered
that PyXDG do not properly sanitize input. An attacker may exploit this vulnerability with a
crafted .menu file to execute arbitrary code.
CVE ID: CVE-2019-12761 (High)
The log4net is a highly configurable logging API for the CLI log4net. It has been discovered
that Apache Log4net incorrectly handled certain configuration files. An attacker may
possibly use this issue to expose sensitive information.
CVE ID: CVE-2018-1285 (Critical)
It has been discovered that GROWI, Team collaboration software using markdown contains a
cross-site scripting vulnerability. An arbitrary script may be executed on the user's web
browser. The affected versions are GROWI versions prior to v4.2.3 (v4.2 Series).
CVE ID: CVE-2021-20619 (Medium)
A buffer overflow vulnerability has been discovered in the H264 support of the GStreamer
multimedia framework which can potentially result in the execution of arbitrary code. It is
recommended to upgrade the gst-plugins-bad1.0 packages.
It has been discovered that icoutils -create and extract MS Windows icons and cursors,
incorrectly handled certain files. An attacker may possibly use this vulnerability to cause
a denial of service or execute arbitrary code or crash or expose sensitive information.
It has been discovered that htmldoc - HTML processor which generates indexed HTML, PS and
PDF incorrectly handled certain HTML files. An attacker may possibly use this vulnerability
to cause a denial of service.
CVE ID: CVE-2019-19630 (High)
Multiple vulnerabilities have been discovered in Red Hat OpenShift Container Platform. Red
Hat OpenShift Container Platform release 4.6.12 with updates to packages and images which
fixes these vulnerabilities.
It has been discovered that Pillow-Python Imaging Library incorrectly handled certain PCX
image files, Tiff image files and SGI image files. If a user or an automated system are
tricked into opening a specially-crafted PCX file, Tiff file or SGI file, a remote attacker
may cause Pillow to crash, resulting in a denial of service or possibly execute arbitrary
code.
CVE ID: CVE-2020-35653 (High), CVE-2020-35654 (High), CVE-2020-35655 (Medium)
PostgreSQL is an advanced object-relational database management system (DBMS). Multiple
vulnerabilities have been discovered in postgresql module. An update for the postgresql
module is now available for Red Hat Enterprise Linux 8.1 Extended Update Support.
Multiple vulnerabilities such as disclosure of sensitive information, addition or
modification of data and denial of service have been discovered in several NetApp products.
Multiple vulnerabilites such as OOB read, unexpected control flow, crashes, integer overflow
and segfaults have been discovered in wavpack. It is recommended to upgrade the wavpack
packages.
It has been discovered that ruby-redcarpet, a markdown parser, does not properly validate
its input. This would allow an attacker to mount a cross-site scripting attack. It is
recommended to upgrade the ruby-redcarpet packages.
CVE ID: CVE-2020-26298 (Medium)
Multiple vulnerabilities such as SQL injection and XSS have been discovered in Ampache. An
attacker may use these vulnerabilities to disclose sensitive information or force an admin
to create a new privileged user.
CVE ID: CVE-2019-12385 (High), CVE-2019-12386 (Medium)
Juniper Networks has released security updates to address vulnerabilities affecting multiple
products. An attacker may exploit some of these vulnerabilities to take control of an
affected system.
It has been discovered that the LIO SCSI target implementation in the Linux kernel performed
insufficient identifier checking in certain XCOPY requests. An attacker with access to at
least one LUN in a multiple backstore environment can use this to expose sensitive
information or modify data.
CVE ID: CVE-2020-28374
Multiple vulnerabilities have been discovered in GitLab. It is recommended to update
versions 13.7.4, 13.6.5 and 13.5.7 for GitLab Community Edition (CE) and Enterprise Edition
(EE).
Information Disclosure vulnerability has been discovered in Apache Tomcat Window OS. The
root cause is the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn
is caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some
circumstances.
CVE ID: CVE-2021-24122
A vulnerability has been discovered in processing of certain DHCP packets from adjacent
clients on EX Series and QFX Series switches running Juniper Networks Junos OS with DHCP
local/relay server configured may lead to exhaustion of DMA memory causing a Denial of
Service (DoS).
CVE ID: CVE-2021-0217
It has been discovered that in an Ethernet VPN-Virtual Extensible LAN (EVPN/VXLAN) scenario
if an Integrated Routing and Bridging (IRB) interface with a Virtual Gateway Address (VGA)
is configured on a Provider Edge (PE), a traffic loop may occur upon receipt of specific IP
multicast traffic. The traffic loop will cause interface traffic to increase abnormally,
ultimately leading to a denial of service (DoS) in packet processing. This issue affects all
versions of Junos OS QFX10K Series.
CVE ID: CVE-2021-0221 (Medium)
Multiple vulnerabilities such as XSS, Stored XSS, Reflected XSS, Improper handling of REST
API, Arbitrary file read, Path traversal, Arbitrary file existence check, Excessive memory
allocation, Missing permission check, and Credentials stored in plain text have been
discovered in multiple Jenkins products.
It has been discovered that access controls for the shim’s API socket do not restrict access
to the abstract unix domain socket in some cases. An attacker may use this vulnerability to
run containers with elevated privileges.
It has been discovered that tar-GNU version of the tar archiving utility, incorrectly
handled extracting files resized and certain malformed tar files. An attacker may possibly
use these vulnerabilities to cause a denial of service.
CVE ID: CVE-2018-20482 (Medium), CVE-2019-9923 (High)
It has been discovered that Open vSwitch incorrectly handled certain malformed LLDP packets.
A remote attacker may use this vulnerability to cause Open vSwitch to crash, resulting in a
denial of service or possibly execute arbitrary code.
Multiple vulnerabilities have been discovered in spice-vdagent, a spice guest agent for
enchancing SPICE integeration and experience. It is recommended to upgrade the spice-vdagent
packages.
CVE ID: CVE-2017-15108 (High), CVE-2020-25650 (Medium), CVE-2020-25651 (Medium),
CVE-2020-25652 (Medium), CVE-2020-25653 (Medium)
Multiple vulnerabilities have been discovered in several Palo Alto Networks PAN-OS software
and PAN-OS firewall. The affected Products are PAN-OS 8.1 version earlier than PAN-OS
8.1.18; PAN-OS 9.0 versions earlier than PAN-OS 9.0.12; PAN-OS 9.1 versions earlier than
PAN-OS 9.1.5 & PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.
CVE ID: CVE-2021-3031 (Medium), CVE-2021-3032 (Medium)
Cisco has released security updates to address vulnerabilities in multiple Cisco products.
An attacker may exploit some of these vulnerabilities to take control of an affected system.
Remote code execution vulnerability due to insecure XML deserialization when relying on
blocklists has been discovered in xstream of Red Hat Process Automation Manager. An update
is now available for Red Hat Process Automation Manager.
CVE ID: CVE-2020-26217 (High)
It has been discovered that an Use-after-free vulnerability in the Linux kernel is
exploitable by a local attacker due to reuse of a DCCP socket with an attached
dccps_hc_tx_ccid object as a listener after being released.
CVE ID: CVE-2020-16119 (Medium)
It has been discovered in Discourse, an open source Internet forum and mailing list
management software application, a rate-limit bypass vulnerability leads to a bypass of the
2FA requirement for certain forms. The affected versions are Discourse 2.7.0 through beta1.
CVE ID: CVE-2021-3138
Multiple vulnerabilities such as XSS and lack of ACL checks have been discovered in Joomla!,
a free and open-source content management system (CMS) for publishing web content on
websites. The affected versions are Joomla! CMS versions 3.0.0 - 3.9.23. It is recommended
to upgrade to Joomla! CMS version 3.9.24.
CVE ID: CVE-2021-23123 (Low), CVE-2021-23124 (Low), CVE-2021-23125 (Low)
Missing Authorization vulnerability has been discovered in McAfee Agent (MA) for Windows
that allows local users to block McAfee product updates by manipulating a directory used by
MA for temporary files. The affected version is McAfee Agent prior to 5.7.1.
CVE ID: CVE-2020-7343 (Medium)
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A
remote attacker may exploit some of these vulnerabilities to take control of an affected
system.
SAP has released security updates to address vulnerabilities affecting multiple products. An
attacker may exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in several products of Siemens. A remote
attacker may exploit some of these vulnerabilities to take control of an affected system.
The unrestricted upload of file with dangerous type vulnerability which allow a
use-after-free condition and a stack-based buffer overflow to occur have been discovered in
Schneider Electric's Equipment- EcoStruxure Power Build - Rapsody. Successful exploitation
of this vulnerability can result in remote code execution when a malicious SSD file is
uploaded and improperly parsed.
CVE ID: CVE-2021-22697 (High), CVE-2021-22698 (High)
Adobe has released security updates to address vulnerabilities in multiple Adobe products.
An attacker may exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in SOOIL Developments' Equipment- Diabecare
RS, AnyDana-i and AnyDana-A, the medical mobile applications. Successful exploitation of
these vulnerabilities may allow an attacker to access sensitive information, modify therapy
settings, bypass authentication, or crash the device being accessed.
Multiple vulnerabilities have been discovered in ImageMagick, a suite of image manipulation
programs. An attacker may cause denial of service and execution of arbitrary code when a
crafted image file is processed. It is recommended to upgrade the imagemagick packages.
Mozilla has released security update to address vulnerability in Thunderbird. An attacker
may exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2020-16044 (Critical)
EDIPARTYNAME NULL pointer de-reference vulnerability has been discovered in Openssl. An
update for openssl is now available for Red Hat Enterprise Linux 6 Extended Lifecycle
Support.
CVE ID: CVE-2020-1971 (Medium)
A command injection vulnerability has been discovered in QTS and QuTS hero, an efficient
multi-user access management. If exploited this vulnerability allows attackers to execute
arbitrary commands in a compromised application.
CVE ID: CVE-2020-2508 (Medium)
The libpq package provides the PostgreSQL client library, which allows client programs to
connect to PostgreSQL servers. It has been discovered that reconnection can downgrade
connection security settings, and psql's \gset allows overwriting specially treated
variables in postgresql. An update for libpq is now available for Red Hat Enterprise Linux
8.2 Extended Update Support.
CVE ID: CVE-2020-25694 (High), CVE-2020-25696 (High)
An elevation of privilege vulnerability has been discovered in Android kernel v4l2 video
driver. This vulnerability may be exploited by an attacker to overwrite a kernel memory from
an unprivileged userspace process, leading to privilege escalation.
CVE ID: CVE-2017-13166 (High)
Multiple vulnerabilities such as persistent XSS and email notifications authorization bypass
have been discovered in quay, a private container registry that stores, builds and deploys
container images. The affected product is Red Hat Quay Enterprise 3 x86_64. The updates are
now available.
CVE ID: CVE-2020-27832, CVE-2020-27831
A vulnerability has been discovered in coturn, a TURN and STUN server for VoIP. By default
coturn does not allow peers on the loopback addresses (127.x.x.x and ::1). A remote attacker
may bypass the protection via a specially crafted request using a peer address of 0.0.0.0
and trick coturn in relaying to the loopback interface.
CVE ID: CVE-2020-26262
Multiple vulnerabilities have been discovered in NVIDIA GPU display drivers. A local
attacker may use these vulnerabilities to cause a Denial of Service or escalate privileges
or possibly expose sensitive information.
CVE ID: CVE-2021-1052, CVE-2021-1053, CVE-2021-1056
It has been discovered that Jasper, an open source Java reporting tool incorrectly certain
files JPC encoders and images. An attacker may possibly use these vulnerabilities to cause a
crash or Denial of Service or execute arbitrary code or expose sensitive information.
CVE ID: CVE-2018-18873 (Medium), CVE-2018-19542 (Medium), CVE-2020-27828 (High),
CVE-2017-9782 (Medium)
It has been discovered that python-apt, a Python interface to libapt-pkg incorrectly handled
resources. A local attacker may possibly use this vulnerability to cause python-apt to
consume resources, leading to a Denial of Service.
CVE ID: CVE-2020-27351 (Low)
It has been discovered that Reflected XSS vulnerability in Quest Policy Authority allows
remote attackers to inject malicious code into the browser via a specially crafted link to
the BrowseDirs.do file via the title parameter. The affected version is Quest Policy
Authority 8.1.2.200.
CVE ID: CVE-2020-35727
It has been discovered that SonicWall NetExtender Windows client, the software that enables
remote users to securely connect and run any application on a network is vulnerable to
unquoted service path vulnerability, this allows a local attacker to gain elevated
privileges in the host operating system. This vulnerability impacts SonicWall NetExtender
Windows client version 10.2.300 and earlier. It is recommended to upgrade to 10.2.302 and
higher.
CVE ID: CVE-2020-5147 (Medium)
Multiple vulnerabilities have been discovered in IBM Runtime Environment Java Version 1.8
used by IBM Sterling Secure Proxy. An attacker may exploit some of these vulnerabilities to
take control of an affected system. The affected products and versions are IBM Secure Proxy
version 6.0.0 through 6.0.1.1 iFix 2 and IBM Sterling Secure Proxy version 3.4.3 through
3.4.3.2 iFix 9.
Microsoft has released a security update to address multiple vulnerabilities in Edge
(Chromium-based). An attacker may exploit some of these vulnerabilities to take control of
an affected system.
Multiple vulnerabilities such as exposure of sensitive information and cross-site scripting
have been discovered in several IBM Jazz Foundation and IBM Engineering products.
CVE ID: CVE-2020-4544 (Medium), CVE-2020-4697 (Medium), CVE-2020-4487 (Medium),
CVE-2020-4691 (Medium), CVE-2020-4733 (Medium)
Multiple vulnerabilities have been discovered in Delta Electronics' Equipment- CNCSoft-B, a
software management platform. Successful exploitation of these vulnerabilities may lead to
arbitrary code execution.
CVE ID: CVE-2020-27287 (High), CVE-2020-27291 (High), CVE-2020-27289 (High),
CVE-2020-27293 (High)
Multiple vulnerabilities such as type confusion and out-of-bounds read have been discovered
in Eaton's Equipment- EASYsoft, used to program easy controllers and displays. Successful
exploitation of these vulnerabilities may allow a local attacker to modify or crash the
program.
CVE ID: CVE-2020-6656 (Medium), CVE-2020-6655 (Medium)
Multiple vulnerabilities such as untrusted pointer dereference, stack-based buffer overflow,
and type confusion have been discovered in Omron's Equipment- CX-One, an automation software
suite. Successful exploitation of these vulnerabilities can crash the device being accessed
and a buffer overflow condition may allow remote code execution.
CVE ID: CVE-2020-27259 (Medium), CVE-2020-27261 (High), CVE-2020-27257 (Medium)
Multiple vulnerabilities such as cross-site scripting and improper neutralization of special
elements in output used by a downstream component have been discovered in Innokas Yhtymä
Oy's Equipment- Vital Signs Monitor VC150, a system monitoring the health vital parameters.
Successful exploitation of these vulnerabilities may allow an attacker to modify
communications between downstream devices or cause some features of the affected devices to
become disabled.
CVE ID: CVE-2020-27262 (Medium), CVE-2020-27260 (Medium)
Multiple vulnerabilities have been discovered in GitLab. It is recommended to update
versions 13.7.2, 13.6.4, and 13.5.6 for GitLab Community Edition (CE) and Enterprise Edition
(EE).
CVE ID: CVE-2021-22166 (Medium), CVE-2020-26414 (Medium), CVE-2019-3881 (High)
It has been discovered that Ghostscript, a PostScript and PDF interpreter incorrectly
handled certain image files. If a user or automated system is tricked into processing a
specially crafted file, a remote attacker may use this issue to cause Ghostscript to crash,
resulting in a denial of service or possibly execute arbitrary code.
It has been discovered that OpenJPEG, a PEG 2000 image compression/decompression library
incorrectly handled certain image data. An attacker can use this issue to cause OpenJPEG to
crash, leading to a denial of service, or possibly execute arbitrary code.
It has been discovered that EDK II, an UEFI firmware for virtual machines incorrectly
validated certain signed images and parsed signed PKCS #7 data. An attacker may possibly use
this issue with a specially crafted image to cause EDK II to hang or crash, resulting in a
denial of service or possibly execute arbitrary code.
CVE ID: CVE-2019-14562 (Medium), CVE-2019-14584
It has been discovered that the framebuffer console driver, a text console running on top of
the framebuffer device in the Linux kernel do not properly handle fonts in some conditions.
A local attacker may use this to cause a denial of service (system crash) or possibly expose
sensitive information (kernel memory).
CVE ID: CVE-2020-28974 (Medium)
Google has released Chrome version 87.0.4280.141 for Windows, Mac and Linux. This version
addresses vulnerabilities that an attacker can exploit to take control of an affected
system.
Multiple vulnerabilities discovered in IBM Java SDK affect Liberty for Java October 2020
CPU. A remote/unauthenticated attacker may use these to modify arbitrary files, access
confidential data and denial of service attack. The affected version is Liberty for Java
3.51.
CVE ID: CVE-2020-14792 (Medium), CVE-2020-14797 (Low), CVE-2020-14781 (Low),
CVE-2020-14779 (Low), CVE-2020-14798 (Low), CVE-2020-14796 (Low)
Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR,
Firefox for Android. An attacker may exploit some of these vulnerabilities to take control
of an affected system.
CVE ID: CVE-2020-16044 (Critical)
A buffer overflow vulnerability has been discovered in the lldp_decode function in
daemon/protocols/lldp.c. An update for openvswitch2.11, ovn2.11,
redhat-release-virtualization-host and redhat-virtualization-host is now available for Red
Hat Virtualization 4 for Red Hat Enterprise Linux 7 and Red Hat Virtualization Engine 4.3.
CVE ID: CVE-2015-8011 (Critical)
It has been discovered that WavPack, a free and open-source lossless audio compression
format incorrectly handled certain WAV files. An attacker may possibly use this issue to
execute arbitrary code or cause a crash.
CVE ID: CVE-2020-35738 (Medium)
It has been discovered that Invision Community IPS Community Suite allows XSS during the
quoting of a post or comment. The affected versions are invision Community IPS Community
Suite before 4.5.4.2.
CVE ID: CVE-2021-3026 (Medium)
A vulnerability has been discovered on Samsung mobile devices with O(8.x), P(9.0) and
Q(10.0) software. The quram library allows attackers to execute arbitrary code or cause a
denial of service (memory corruption) during dng decoding.
CVE ID: CVE-2021-22493
A vulnerability has been discovered in the fingerprint scanner on Samsung Note20 mobile
devices with Q(10.0) software. When a screen protector is used, the required image
compensation is not present. Consequently, inversion can occur during fingerprint
enrollment, and a high False Recognition Rate (FRR).
CVE ID: CVE-2021-22494
A vulnerability has been discovered on Samsung mobile devices with O(8.x), P(9.0), Q(10.0),
and R(11.0) (Exynos chipsets) software. The Mali GPU driver allows out-of-bounds access and
a device reset.
CVE ID: CVE-2021-22495
It has been discovered that there is no write protection for the MTK protect2 partition on
LG mobile devices with Android OS 10 software.
CVE ID: CVE-2021-3022
A spring-boot-actuator-logview adds a simple logfile viewer as spring boot actuator endpoint
in a library. A directory traversal vulnerability has been discovered in
spring-boot-actuator-logview. The affected versions are spring-boot-actuator-logview before
version 0.2.13.
CVE ID: CVE-2021-21234 (High)
Multiple vulnerabilities such as Improper Authentication and Path Traversal have been
discovered in Yokogawa's Equipment- CENTUM, a process control system for plants. Successful
exploitation of these vulnerabilities may allow a remote unauthenticated attacker to send
tampered communication packets or create/overwrite any file and run any commands.
CVE ID: CVE-2020-5608 (High), CVE-2020-5609 (High)
Multiple vulnerabilities such as Stack-based Buffer Overflow, Heap-based Buffer Overflow and
Use After Free have been discovered in PTC's Equipment- Kepware KEPServerEX. Successful
exploitation of these vulnerabilities may lead to a server crashing, a denial-of-service
condition, data leakage or remote code execution.
CVE ID: CVE-2020-27265 (Critical), CVE-2020-27263 (Critical), CVE-2020-27267 (High)
Multiple vulnerabilities have been discovered in ARC Informatique's Equipment- PcVue, a
suite of software and hardware products for visualisation, control, management and data
analysis applications. Successful exploitation of these vulnerabilities may allow an
attacker to execute arbitrary code, expose sensitive data, and prevent legitimate users from
connecting to PcVue services. The affected products are PcVue Versions 8.10 to versions
prior to 12.0.17.
CVE ID: CVE-2020-26867 (Critical), CVE-2020-26868 (High), CVE-2020-26869 (High)
A stack-based buffer overflow vulnerability has been discovered in Delta Electronics'
Equipment- CNCSoft ScreenEditor, a Human-Machine Interface(HMI). Successful exploitation of
this vulnerability may allow arbitrary code execution. The affected products are CNCSoft
ScreenEditor Versions 1.01.26 and prior.
CVE ID: CVE-2020-27281 (High)
Multiple vulnerabilities such as Out-of-bounds Write, and Untrusted Pointer Dereference have
been discovered in Delta Electronics' Equipment- DOPSoft, a software that supports the
DOP-100 series Human-Machine Interface (HMI) screens. Successful exploitation of this
vulnerability may allow arbitrary code execution. The affected products are DOPSoft Version
4.0.8.21 and prior.
CVE ID: CVE-2020-27275 (High), CVE-2020-27277 (High)
Multiple vulnerabilities have been discovered in Red Lion's Equipment- Crimson 3.1, the
DA10D Protocol Converter. Successful exploitation of these vulnerabilities may allow an
attacker to create a denial-of-service condition, read and modify the database, and leak
memory data. The affected products are Crimson 3.1 build versions prior to 3119.001.
CVE ID: CVE-2020-27279 (High), CVE-2020-27285 (Medium), CVE-2020-27283 (Medium)
Multiple vulnerabilities such as Code Injection and Use of Hard-coded Cryptographic Key have
been discovered in GE's Equipment- Reason RT43X Clocks. Successful exploitation of these
vulnerabilities may allow an authenticated remote attacker to execute arbitrary code on the
system or intercept and decrypt encrypted traffic. The affected products are RT430, RT431
and RT434: All firmware versions prior to Version 08A06.
CVE ID: CVE-2020-25197 (Critical), CVE-2020-25193 (Medium)
An out-of-bounds read vulnerability has been discovered in Panasonic's Equipment- FPWIN Pro,
a programming software for all FP Series PLCs. Successful exploitation of this vulnerability
may result in an out-of-bounds read, which may allow remote code execution. The affected
products are FPWIN Pro Version 7.5.0.0 and prior.
CVE ID: CVE-2020-16236 (High)
Multiple vulnerabilities such as Out-of-bounds Read, Out-of-bounds Write, and Classic Buffer
Overflow have been discovered in Schneider Electric's Equipments- Web Server on Modicon
M340, Modicon Quantum and Modicon Premium Legacy. Successful exploitation of these
vulnerabilities may allow write access and the execution of commands, which can result in
data corruption or a web server crash.
CVE ID: CVE-2020-7562 (Medium), CVE-2020-7563 (Medium), CVE-2020-7564 (Medium)
Multiple vulnerabilities such as Information disclosure, SQL injection, stack-based buffer
overflow, format string and OS command injection have been discovered in various FortiGate
products.
CVE ID: CVE-2020-29010 (Medium), CVE-2020-29015 (Medium), CVE-2020-29016 (Medium),
CVE-2020-29019 (Medium), CVE-2020-29018 (Medium), CVE-2020-29017 (High)
Multiple vulnerabilities such as use-after-free, HTTP Request Smuggling, and EDIPARTYNAME
NULL pointer de-reference have been discovered in nodejs. An attacker may exploit some of
these vulnerabilities to take control of an affected system. The affected versions are
nodejs 15.x, 14.x, 12.x 10.x. The updates are now available.
CVE ID: CVE-2020-8265 (High), CVE-2020-8287 (Low), CVE-2020-1971 (High)
It has been discovered that libproxy incorrectly handled certain Proxy Auto-Configuration
(PAC) files. An attacker may possibly use this issue to cause a crash or execute arbitrary
code.
CVE ID: CVE-2020-26154 (Critical)
Multiple vulnerabilities have been discovered in the Dovecot email server of Debian
GNU/Linux OS. It is recommended to upgrade the dovecot packages.
CVE ID: CVE-2020-24386, CVE-2020-25275
Multiple vulnerabilities have been identified in Android, a remote attacker may exploit some
of these vulnerabilities to trigger denial of service condition, elevation of privilege,
remote code execution and sensitive information disclosure on the targeted system.The
affected devices are Android 8.0, 8.1, 9, 10, 11. Security patch levels of 2021-01-05 or
later address all of these issues.
It has been discovered that multiple NEC Products contain authentication bypass
vulnerability in RMCP connection using IPMI over LAN. A logged-in remote attacker may
obtain/modify BMC setting information, obtain monitoring information or reboot/shut down the
product. The affected products are Express5800/T110j,Express5800/T110j-S, Express5800/T110j
(2nd-Gen), Express5800/T110j-S (2nd-Gen), iStorage NS100Ti.
CVE ID: CVE-2020-5633 (Medium)
It has been discovered that in IBM WebSphere Application Server (WAS) admin console where
the Rational Asset Manager (RAM) is deployed, vulnerabilities such as allowing a remote
attacker to access the classloader through class property, and an authenticated attacker
obtaining sensitive information caused by improper parameter checking have been discovered.
The affected versions are IBM Rational Asset Manager 7.5 .1, 7.5.2.x, 7.5.3.x, and 7.5.4.x.
CVE ID: CVE-2019-10086 (High), CVE-2020-4329 (Medium)
A local buffer overflow vulnerability has been discovered in ctnetlink_parse_tuple_filter in
net/netfilter/nf_conntrack_netlink.c of kernel. An update for kernel is now available for
Red Hat Enterprise Linux 8.
CVE ID: CVE-2020-25211 (Medium)
A SQL injection vulnerability has been discovered in hibernate-core of Debian GNU/Linux OS .
This vulnerability may allow an attacker to access unauthorized information or possibly
conduct further attacks. It is recommended to upgrade the libhibernate3-java packages.
CVE ID: CVE-2020-25638 (High)
Multiple vulnerabilities have been discovered in the Chromium web browser, which can result
in the execution of arbitrary code, denial of service or information disclosure. It is
recommended to upgrade the chromium packages.
It has been discovered that incorrect validation of JWT tokens in InfluxDB- a time series,
metrics, and analytics database can result in authentication bypass. It is recommended to
upgrade the influxdb packages.
CVE ID: CVE-2019-20933 (Critical)
Multiple vulnerabilities affecting the RPC protocol in p11-kit, a library providing a way to
load and enumerate PKCS#11 modules. It is recommended to upgrade the p11-kit packages.
CVE ID: CVE-2020-29361 (High), CVE-2020-29362 (Critical), CVE-2020-29363 (Critical)
