SUSE has released security update to resolve a vulnerability in Gegl. An attacker can exploit this vulnerability to take control of an affected system. The affected products are SUSE Linux Enterprise Workstation Extension 15-SP3 and SUSE Linux Enterprise Workstation Extension 15-SP2.
CVE ID: CVE-2021-45463
Multiple vulnerabilities have been fixed in FORT RPKI validator, which can result in Denial of Service (DoS) or path traversal. It is recommended to upgrade fort-validator packages.
CVE ID: CVE-2021-3907 (Critical), CVE-2021-3909 (High), CVE-2021-43173 (High), CVE-2021-43114 (High)
A potential product security bypass vulnerability has been discovered in McAfee Application and Change Control (MACC). The affected versions are MACC prior to version 8.3.4. It is recommended to install or update to MACC 8.3.4.
CVE ID: CVE-2021-31833 (High)
QNAP NAS has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-44224, CVE-2021-44790, CVE-2021-34347
Multiple vulnerabilities have been discovered in Moxa's equipment. An attacker can exploit these vulnerabilities to take control of an affected system. The updates are available.
Wireshark has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-4190, CVE-2021-4186, CVE-2021-4185, CVE-2021-4184, CVE-2021-4183, CVE-2021-4182, CVE-2021-4181
A Denial of Service (DoS) vulnerability has been discovered in ForeScout -SecureConnector Local Service which can cause the buffer to overflow and override the stack cookie causing the service to crash.
CVE ID: CVE-2021-36724
A vulnerability has been discovered in Stormshield Network Security (SNS) in which, under specific update migration scenario the first SSH password change does not properly clean the old one.
CVE ID: CVE-2021-45885 (High)
A stored XSS vulnerability has been discovered in wiki.js application where a low privileged user can upload a SVG file that contains malicious JavaScript while uploading assets in the page. The affected versions are wiki.js version 2.0.0-beta.147 to 2.5.255.
CVE ID: CVE-2021-25993 (Medium)
Multiple vulnerabilities have been discovered in All-in-One SEO WordPress Plugin which can allow an attacker to gain elevated privileges and perform SQL injection on the targeted system.
CVE ID: CVE-2021-25036 (High), CVE-2021-25037 (High)
A Cross-Site Scripting (XSS) vulnerability has been discovered in HUAWEI WS318n product. Successful exploitation can cause certain information disclosure. It is recommended to update the software.
CVE ID: CVE-2021-40041
Multiple CPU Side-Channel vulnerabilities have been discovered in multiple Huawei products. Huawei has released software updates to resolve these vulnerabilities.
CVE ID: CVE-2018-3615(Medium), CVE-2018-3620 (Medium), CVE-2018-3646 (Medium)
It has been discovered that the vulnerabilities in Apache Log4j affect multiple Schneider Electric products. Schneider Electric has released remediations & mitigations to address these vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Critical), CVE-2021-45105 (High), CVE-2021-4104 (High), CVE-2021-44832
It has been discovered that Panorama Mobile One Time Password (MOTP) system’s specific function parameter has insufficient validation for user input. An attacker in local area network can perform SQL injection attack to read, modify or delete backend database without authentication.
CVE ID: CVE-2021-44161 (High)
SUSE has released security update to resolve a vulnerability in Gegl. An attacker can exploit this vulnerability to take control of an affected system. The affected products are SUSE Linux Enterprise Workstation Extension 12-SP5 and SUSE Linux Enterprise Software Development Kit 12-SP5.
CVE ID: CVE-2021-45463
SUSE has released security update for Permissions. The affected products are SUSE MicroOS 5.1, SUSE MicroOS 5.0, SUSE Linux Enterprise Module for Basesystem 15-SP3 and SUSE Linux Enterprise Module for Basesystem 15-SP2.
It has been discovered that the vulnerabilities in Apache Log4j affect multiple Siemens products. Siemens has released workarounds & mitigations to address these vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Critical), CVE-2021-44832
Multiple vulnerabilities have been discovered in Moxa's Equipments. An attacker can exploit these vulnerabilities to take control of an affected system.
It has been discovered that the vulnerabilities in Apache Log4j affect multiple Huawei products. The updates are available.
CVE ID: CVE-2021-45046 (Critical), CVE-2021-44228 (Critical)
A Remote Code Execution (RCE) vulnerability has been discovered in Gerapy- distributed crawler management framework. Versions prior to 0.9.8 are affected. The vulnerability has been resolved in updated Gerapy version 0.9.8.
CVE ID: CVE-2021-43857 (Critical)
IBM has released security updates to resolve Apache Log4j vulnerabilities in several IBM Products.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45105 (High), CVE-2021-45046 (Critical)
It has been discovered that KONICA MINOLTA multi-function printers (MFP) and printing systems contain multiple vulnerabilities. An attacker can exploit these vulnerabilities to take control of an affected system. Several products and versions are affected.
CVE ID: CVE-2021-20868 (Medium), CVE-2021-20869 (Medium), CVE-2021-20870 (Medium), CVE-2021-20871 (Medium), CVE-2021-20872 (Medium)
It has been discovered that IDEC PLCs (Programmable Logic Controller) contain multiple vulnerabilities. An attacker can exploit these vulnerabilities to take control of an affected system. The updates are available.
CVE ID: CVE-2021-37400 (High), CVE-2021-37401 (High), CVE-2021-20826 (High), CVE-2021-20827 (High)
Two Remote Code Execution (RCE) vulnerabilities have been resolved in Blackmagic Software designed DaVinci Resolve software which allow attackers to gain code execution on unpatched systems.
CVE ID: CVE-2021-40417 (Critical), CVE-2021-40418 (Critical)
Debian has released security updates to resolve several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-30887, CVE-2021-30890
All versions of Node.js package docker-cli-js are susceptible to a OS commands injection vulnerability. Successful exploitation of this vulnerability may lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).
CVE ID: CVE-2021-23732 (Critical)
The vulnerability affects Grafana versions 8.0 to 8.2.3, when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. This issue has been fixed in Grafana v8.2.4.
CVE ID: CVE-2021-41244 (Critical)
An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string.
CVE ID: CVE-2021-42377 (Critical)
Cleartext Transmission of Sensitive Information vulnerability has been identified in Moxa's MGate MB3180/MB3280/MB3480 series. Moxa has developed appropriate solutions to address this vulnerability.
CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom have released a joint cybersecurity advisory in response to multiple vulnerabilities in Apache’s Log4j software library.
CISCO has released list of products that are affected by vulnerabilities in Apache Log4j Library.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Critical), CVE-2021-45105 (High)
Android apps developed using Yappli application development platform fails to restrict custom URL schemes properly, which may be exploited to direct the app to connect to unintended sites. It is recommended to remove the affected version from an application store, until the rebuilt version is published.
CVE ID: CVE-2021-20873
Saviynt Enterprise Identity Cloud contains user enumeration and authentication bypass vulnerabilities in the local password reset feature. A remote, unauthenticated attacker can exploit these vulnerabilities to gain administrative privileges.
Huawei has released security update to resolve a Copy On Write (COW) vulnerability in Huawei products. An attacker can exploit this vulnerability to gain write access to otherwise read-only memory mappings and thus obtain the highest privileges on the system.
CVE ID: CVE-2016-5195 (High)
Multiple vulnerabilities have been discovered in Netgear Products. A remote attacker can exploit these vulnerabilities to trigger Denial of Service (DoS) condition, Remote Code Execution (RCE), disclose sensitive information and perform Cross-Site Scripting (XSS) on the targeted system.
A vulnerability has been discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. This vulnerability may allow an attacker to leak page content from private wikis or to bypass edit restrictions.
CVE ID: CVE-2021-44858
Multiple vulnerabilities have been discovered in several Agilia Connect Infusion Systems. Successful exploitation of these vulnerabilities can allow an attacker to gain access to sensitive information, modify settings or parameters, or perform arbitrary actions as an authenticated user.
CVE ID: CVE-2021-23236 (High), CVE-2021-31562 (Medium), CVE-2021-41835 (High), CVE-2021-23196 (High), CVE-2021-23233 (High), CVE-2021-23207 (Medium), CVE-2021-33843 (Medium), CVE-2021-23195 (Medium), CVE-2021-33848 (Medium), CVE-2021-44464 (Medium), CVE-2021-33846 (Medium), CVE-2021-43355 (High), CVE-2020-35340 (High)
StorageGRID (formerly StorageGRID Webscale) versions 11.5 prior to 11.5.0.5 are susceptible to a vulnerability which may allow an administrative user to escalate their privileges and modify settings in SANtricity System Manager.
CVE ID: CVE-2021-27006 (Medium)
Apache Log4j vulnerabilities have been discovered in multiple Schneider Electric Products. Schneider Electric has released remediation's & mitigations to address these vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Critical)
Apache Log4j vulnerabilities have been discovered in Siemens Energy Sensformer and multiple Siemens products. Siemens has released workarounds and mitigations to resolve vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Critical), CVE-2021-45105 (High)
Multiple vulnerabilities have been discovered in mySCADA's equipment myPRO, an HMI/SCADA system. Successful exploitation of these vulnerabilities can allow an attacker to completely compromise the products.
CVE ID: CVE-2021-43985 (Critical), CVE-2021-43989 (High), CVE-2021-43987 (Critical), CVE-2021-44453 (Critical), CVE-2021-22657 (Critical), CVE-2021-23198 (Critical), CVE-2021-43981 (Critical), CVE-2021-43984 (Critical)
An improper input validation vulnerability has been discovered in Horner Automation's equipment Cscape EnvisionRV that allows an attacker to execute arbitrary code in the context of the current process.
CVE ID: CVE-2021-44462 (High)
Multiple vulnerabilities such as missing authentication for critical function and uncontrolled search path element have been discovered in Emerson's equipment DeltaV Distributed Control System Controllers and Workstations. An attacker can exploit these vulnerabilities to achieve local privilege escalation or restart a controller, resulting in a Denial-of-Service (DoS) condition.
CVE ID: CVE-2021-26264 (Medium), CVE-2021-44463 (High)
RedHat released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
Debian released security update to resolve several vulnerabilities in xorg-server. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-4008, CVE-2021-4009, CVE-2021-4010, CVE-2021-4011
A Remote Code Execution (RCE) vulnerability has been discovered in Add Review Function in iResturant 1.0 that allows remote attacker to execute commands remotely.
CVE ID: CVE-2021-43439 (Critical)
Multiple vulnerabilities have been resolved in Thunderbird 91.4.1. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-4126, CVE-2021-44538
It has been discovered that the vulnerabilities in Apache Log4j affects multiple Juniper Networks Products. Juniper Networks has released workarounds & mitigations to address these vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Critical), CVE-2021-4104 (High), CVE-2021-42550 (Medium)
Multiple vulnerabilities such as Server-Side Request Forgery (SSRF) and buffer overflow have been discovered in Apache HTTP server. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-44224, CVE-2021-44790
A critical Out-of-bounds Write vulnerability has been discovered in Apache HTTP Server in which a carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). This issue affects Apache HTTP Server 2.4.51 and earlier.
CVE ID: CVE-2021-44790 (Critical)
Ubuntu has released security update to address multiple vulnerabilities in Firefox and has introduced several minor regressions. The affected products are Ubuntu 21.10, Ubuntu 21.04, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.
CVE ID: CVE-2021-43536 (Medium), CVE-2021-43537 (High), CVE-2021-43538 (Medium), CVE-2021-43539 (High), CVE-2021-43541, CVE-2021-43542 (Medium), CVE-2021-43543 (Medium), CVE-2021-43545 (Medium), CVE-2021-43546 (Medium)
SUSE has released security update to resolve a vulnerability in Samba. The affected products are SUSE Linux Enterprise Server for SAP 15-SP1, SUSE Linux Enterprise Server 15-SP1-LTSS, SUSE Linux Enterprise Server 15-SP1-BCL, SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS, SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS, SUSE Linux Enterprise High Availability 15-SP1, SUSE Enterprise Storage 6 & SUSE CaaS Platform 4.0.
CVE ID: CVE-2020-25717
SUSE has released security update for Corosync to resolve a security issue that doesn’t recognize isolated nodes when interface is down. The affected product is SUSE Linux Enterprise High Availability 15-SP2.
It has been discovered that the vulnerabilities in Apache Log4j affects Siemens Energy TraceAlertServerPLUS and multiple Siemens products. Siemens has released workarounds & mitigations to address these vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Critical)
It has been discovered that Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) does not protects from uncontrolled recursion from self-referential lookups. Successful exploitation of the vulnerability allows control over thread context map data to cause a Denial of Service (DoS) attack when a crafted string is interpreted. This issue is resolved in Log4j 2.17.0. This vulnerability affects products of Debian, CISCO & NetApp.
CVE ID: CVE-2021-45105
Ubuntu has released security updates to address several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
Debian has released security updates to resolve several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
It has been discovered that the vulnerabilities in Apache Log4j affects multiple Siemens Products. Siemens has released workarounds & mitigations to address the vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Low), CVE-2021-45105 (High)
It has been discovered that the vulnerabilities in Apache Log4j affects multiple Cisco Products. Cisco has released patches for multiple products to address these vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Low), CVE-2021-45105
IBM has released security updates to resolve Apache Log4j Remote Code Execution (RCE) vulnerability in several IBM Products.
CVE ID: CVE-2021-44228 (Critical)
It has been discovered that the vulnerabilities in Apache Log4j affects multiple Intel Products.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Low)
A vulnerability has been discovered in Chain Sea AI chatbot system's file upload function which has insufficient filtering for special characters in URLs. A remote attacker can by-pass file type validation, upload malicious script and execute arbitrary code without authentication, in order to take control of the system or terminate service.
CVE ID: CVE-2021-44164 (Critical)
A vulnerability has been discovered in 4MOSAn GCB Doctor's file upload function which has improper user privilege control. A remote attacker can upload arbitrary files including webshell files without authentication and execute arbitrary code in order to perform arbitrary system operations or Denial of Service (Dos) attack. The affected products are 4MOSAn GCB Doctor version <= 20210811(2.0). The updates are available.
CVE ID: CVE-2021-44159 (Critical)
F5 Networks has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
An improper input validation vulnerability has been discovered in DataImportHandler of Apache Solr. Successful exploitation may cause Server Message Block (SMB) attack. It is recommended to upgrade to Solr 8.11.1.
CVE ID: CVE-2021-44548 (Medium)
Oracle has released security updates & patch to address multiple vulnerabilities in Apache Log4j.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Low)
VMware has released security updates to address multiple vulnerabilities in several products. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-22056 (Medium), CVE-2021-22057 (Medium)
It has been discovered that the vulnerabilities in Apache Log4j affects multiple Schneider Electric Products. Schneider Electric has released workarounds & mitigations to address the vulnerabilities.
CVE ID: CVE-2021-45046 (Low), CVE-2021-44228 (Critical)
It has been discovered that Apache Log4j Remote Code Execution (RCE) vulnerabilities affects multiple Atlassian Products. Atlassian has released mitigation to resolve the vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-4104(High)
Red Hat has released security updates for OpenShift Container Platform which resolve several vulnerabilities and add enhancements.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Low), CVE-2021-4104 (High)
Drupal has released security update to resolve Cross-Site Scripting (XSS) vulnerability in CKEditor library.
CVE ID: CVE-2021-41165 (Medium), CVE-2021-41164 (Medium)
It has been discovered that HTMLDOC, a HTML processor which generates indexed HTML, PS and PDF improperly handled malformed URIs from an input html file. Successful exploitation can cause a Denial of Service (DoS) attack. The affected products are Ubuntu 21.04 and Ubuntu 20.04LTS. The updates are available.
CVE ID: CVE-2021-23180
Ubuntu has released security update to resolve vulnerability in Mumble, a Low latency encrypted VoIP client. If a user is tricked into visiting a malicious website from the public server list, a remote attacker can possibly execute arbitrary code. The affected products are Ubuntu 20.04LTS and Ubuntu 18.04LTS.
CVE ID: CVE-2021-27229 (High)
Multiple vulnerabilities have been discovered in the Apache Log4j Java logging library that affects Cisco products. An attacker can exploit these vulnerabilities to take control of an affected system. To help detect exploitation of these vulnerabilities, Cisco has released Snort rules.
CVE ID: CVE-2021-44228 (Critical) , CVE-2021-45046 (Low)
VMware has released security update to resolve Server Side Request Forgery (SSRF) vulnerability in VMware Workspace ONE UEM console. A malicious actor with network access to UEM can send their requests without authentication and might exploit this issue to gain access to sensitive information.
CVE ID: CVE-2021-22054 (Critical)
Multiple vulnerabilities have been discovered in Mitsubishi Electric's Equipments. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2020-35683 (High), CVE-2020-35684 (High), CVE-2021-31401 (High), CVE-2021-20606 (Medium), CVE-2021-20607 (Medium), CVE-2021-20608 (Medium), CVE-2020-5668 (High)
It has been discovered that the vulnerabilities in Apache Log4j affects multiple Huawei Products. Huawei has released workaround & mitigation to address vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-45046 (Low)
It has been discovered that the vulnerabilities in Apache Log4j affects multiple Juniper Networks Products. For remediation, Juniper Networks has released workaround & mitigation to address vulnerabilities.
CVE ID: CVE-2021-44228 (Critical), CVE-2021-4104 (High)
Microsoft has released security updates to address critical Remote Code Execution (RCE) in multiple products. An attacker may exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-44228 (Critical)
A use of hard-coded credentials vulnerability has been discovered in Xylem AquaView. Successful exploitation of this vulnerability can allow an authenticated local attacker to create users, delete users, disable user groups, and update the system and its security levels. It is recommended to implement new security settings.
CVE ID: CVE-2021-42833 (Critical)
An out-of-bounds read vulnerability has been discovered in Delta Electronics CNCSoft. Successful exploitation of this vulnerability can allow information disclosure or an application crash. It is recommended to upgrade to the latest available patch.
CVE ID: CVE-2021-44768 (Medium)
Multiple vulnerabilities have been discovered in Zimbra- a WebRTC stream aggregator. It is recommended to use Patch 22 for the Zimbra 9.0.0 and Patch 29 for Zimbra 8.8.15.
An improper authentication vulnerability has been discovered in eLabFTW versions prior to 4.2.0 which allows an attacker to authenticate as an existing user, if user created using a single sign-on authentication option such as LDAP or SAML.
CVE ID: CVE-2021-43834 (Critical)
CISA has released Apache Log4j vulnerability guidance for organizations running affected products.
It is also recommended to review the official Apache release and upgrade to fixed version or apply mitigations immediately.
Microsoft has released security updates to address multiple vulnerabilities in its products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as arbitrary command execution and Server-Side Request Forgery (SSRF) have been discovered in Zoom. An attacker can exploit these vulnerabilities to take control of an affected system. The updates are available.
CVE ID: CVE-2021-34426 (Medium), CVE-2021-34425 (Medium)
Multiple vulnerabilities have been discovered in several Mitsubishi Electric products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Advantech's R-SeeNet. Successful exploitation of these vulnerabilities could allow authenticated users to perform a local privilege escalation and retrieve any information from the product’s database.
Microsoft has released the latest Microsoft Edge Stable Channel (Version 96.0.1054.57) which incorporates the latest security updates of the Chromium project.
CVE ID: CVE-2021-4102 (High)
Improper Authentication vulnerability in RegistrationMagic WordPress plugin allows an unauthenticated user to log in as any site user, including administrators with a valid username on the site due to missing identity validation in the social login function social_login_using_email() of the plugin. The affected versions are equal to and less than, 5.0.1.7.
CVE ID: CVE-2021-4073 (Critical)
Opencast before version 9.10 or 10.6 allows references to local file URLs in ingested media packages, allowing attackers to include local files from Opencast's host machines and making them available via the web interface. The issue has been fixed in Opencast 10.6 and 11.0.
CVE ID: CVE-2021-43821 (Critical)
It has been discovered that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 is incomplete in certain non-default configurations. Successful exploitation of which can lead to a denial of service (DOS) attack. The issue has been fixed in Log4j 2.16.0.
Some attack signatures are missing in BIG-IP with ASM version running 11.x or 12.x. It might be if the software version has reached EoSD (End of Software Development).
It is recommended to update to a software version that has not reached EoSD and receives all the latest attack signatures.
A command injection vulnerability has been identified in Moxa’s NPort W2150A/W2250A Series Serial Device Servers. Affected firmware version is 1.11 or lower.
It is recommended to upgrade to firmware version 2.2 or higher.
Google Chrome stable channel has been updated to 96.0.4664.110 for Windows, Mac and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
CVE ID: CVE-2021-4098 (Critical), CVE-2021-4099 (High), CVE-2021-4100 (High), CVE-2021-4101 (High), CVE-2021-4102 (High)
Debian has released security update for privoxy that fixed an XSS and a DOS issue. Fixed version is 3.0.26-3+deb9u3.
CVE ID: CVE-2021-44540, CVE-2021-44543
Vulnerability in Apache Log4j could allow remote unauthenticated attackers to execute code on vulnerable systems. Siemens has released list of affected products.
It has been discovered that Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Multiple vulnerabilities have been discovered in Node.js versions before v14.16.2 that affect the Cordova platform packaged with Rational Developer for i Software.
CVE ID: CVE-2021-3712, CVE-2021-37713, CVE-2021-39134, CVE-2021-37712, CVE-2021-39135
IBM Spectrum Copy Data Management uses weaker than expected cryptographic algorithms, authentication, and password rules. In addition, IBM Spectrum Copy Data Management is vulnerable to execution of arbitrary commands on the system, obtaining sensitive information, and clickjacking.
CVE ID: CVE-2021-38947, CVE-2021-39052, CVE-2021-39065, CVE-2021-39054, CVE-2021-39053, CVE-2021-39058, CVE-2021-39064
Multiple vulnerabilities in XStream, such as execution of arbitrary code, server-side request forgery, denial of service, bypassing security restrictions, and deletion of arbitrary files affects IBM Spectrum Copy Data Management.
Multiple vulnerabilities have been discovered in Netty and Apache Kafka which are dependency components shipped with the IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library for Message Bus Integrations.
CVE ID: CVE-2021-37137, CVE-2021-37136, CVE-2021-38153
NPM command ci versions 7.x through 7.24.2 and 8.x through 8.1.3 are susceptible to a vulnerability which could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).
CVE ID: CVE-2021-43616 (Critical)
A critical vulnerability in Apache Log4j may allow remote code execution in VMware products. VMware has released list of impacted products.
CVE ID: CVE-2021-44228 (Critical)
Multiple vulnerabilities have been discovered in Wireshark, a network protocol analyzer which could result in denial of service or the execution of arbitrary code.
CVE ID: CVE-2021-22207, CVE-2021-22222, CVE-2021-22235, CVE-2021-39920, CVE-2021-39921, CVE-2021-39922, CVE-2021-39923, CVE-2021-39924, CVE-2021-39925, CVE-2021-39926, CVE-2021-39928, CVE-2021-39929
A stack buffer overflow vulnerability has been discovered in QNAP NAS running Surveillance Station. Successful exploitation of this vulnerability allows attackers to execute arbitrary code.
CVE ID: CVE-2021-38687 (High)
A reflected cross-site scripting (XSS) vulnerability has been discovered in QNAP NAS running Kazoo Server. Successful exploitation of this vulnerability allow remote attackers to inject malicious code.
CVE ID: CVE-2021-38680 (Medium)
An improper authentication vulnerability has been discovered in Android devices running Qfile. Successful exploitation of this vulnerability allows attackers to compromise the app and access private information.
It has been discovered that the ubiquitous java logging library, log4j, has an unauthenticated RCE vulnerability if an user-controlled string is logged. This can allow an attacker to take full control of the affected server.
CVE ID: CVE-2021-44228 (Critical)
Multiple vulnerabilities have been discovered in NetApp products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-43616 (Critical), CVE-2021-0146 (Medium), CVE-2021-0197 (Medium), CVE-2021-0198 (Medium), CVE-2021-0199 (Medium), CVE-2021-0200 (Medium), CVE-2021-33058 (High), CVE-2021-33059 (Medium), CVE-2021-33098, (Medium), CVE-2021-41771 (Medium), CVE-2021-41772 (Medium), CVE-2021-43975 (High), CVE-2021-43976 (Medium)
Cross Site Scripting (XSS) vulnerability has been discovered in McAfee Network Security Manager (NSM). Versions prior to 10.1 Minor 7 are affected by the issue. To remediate this issue, it is recommended to update NSM to 10.1 M7.
CVE ID: CVE-2021-4038
Authentication Bypass Using an Alternate Path or Channel vulnerability has been discovered in Hillrom's Equipment- Welch Allyn Cardio Products. Successful exploitation of this vulnerability can allow an attacker to access privileged accounts.
CVE ID: CVE-2021-43935 (High)
Stack-based Buffer Overflow vulnerability has been discovered in WECON's Equipment- LeviStudioU. Successful exploitation of this vulnerability can allow arbitrary code execution.
CVE ID: CVE-2021-43983 (High)
Dell has released security updates to address multiple vulnerabilities in several products which can be exploited by malicious users to compromise the affected system.
Multiple vulnerabilities have been discovered in the authentication mechanism of FortiWeb's confd, including an instance of concurrent execution that uses shared resource with improper synchronization and one of authentication bypass by capture-replay, can allow a remote unauthenticated attacker to circumvent the authentication process and authenticate as a legitimate cluster peer.
CVE ID: CVE-2021-41025 (Critical)
An Out-of-bounds read vulnerability has been discovered in Huawei Smartphone. Successful exploitation of this vulnerability can cause out-of-bounds memory access.
CVE ID: CVE-2021-37051 (Critical)
A Heap-based buffer overflow vulnerability has been discovered in Huawei Smartphone. Successful exploitation of this vulnerability can rewrite the memory of adjacent objects.
CVE ID: CVE-2021-37049 (Critical)
A parameter injection vulnerability has been discovered in Huawei Smartphone. Successful exploitation of this vulnerability can cause privilege escalation of files after CIFS share mounting.
CVE ID: CVE-2021-37040 (Critical)
An UAF vulnerability has been discovered in Huawei Smartphone. Successful exploitation of this vulnerability can cause the device to restart unexpectedly and the kernel-mode code to be executed.
CVE ID: CVE-2021-37045 (Critical)
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-38926 (Medium), CVE-2021-23358 (Critical), CVE-2021-39002 (Medium), CVE-2021-38937 (Medium), CVE-2021-29678 (High), CVE-2021-38917 (High)
A code injection vulnerability has been discovered in the Ivanti EPM Cloud Services Appliance (CSA) which allows an unauthenticated user to execute arbitrary code with limited permissions.
CVE ID: CVE-2021-44529 (Critical)
An authentication bypass by capture-replay vulnerability has been discovered in FortiClient EMS versions 7.0.1 and below and 6.4.4 and below may allow an unauthenticated attacker to impersonate an existing user by intercepting and re-using valid SAML authentication messages.
CVE ID: CVE-2021-41030
Android has released security bulletin to address multiple vulnerabilities affecting several Android devices. Security patch levels of 2021-12-05 or later address all of these issues.
An integer overflow or wraparound vulnerability has been discovered in FortiOS SSLVPN memory allocator which can allow an unauthenticated attacker to corrupt control data on the heap via specifically crafted requests to SSLVPN, resulting in arbitrary code execution.
CVE ID: CVE-2021-26109 (Critical)
It has been discovered that BlueZ incorrectly handled memory when processing SDP attribute requests. A remote attacker can use this vulnerability to cause BlueZ to crash, leading to a Denial of Service, or possibly execute arbitrary code.
CVE ID: CVE-2019-8922
Multiple vulnerabilities such as Memory Leak, and Information Disclosure have been discovered in several Huawei products. An attacker with the ability to access the log file of device can cause the information leak or cause memory exhaust.
CVE ID: CVE-2021-40008 (Medium), CVE-2021-40007 (Medium)
The Fathom Analytics WordPress plugin is vulnerable to Stored Cross-Site Scripting (XSS) which allows attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 3.0.4.
CVE ID: CVE-2021-41836 (Medium)
F5 Networks has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-43082, CVE-2020-1927 (Medium), CVE-2021-23037 (High)
Google has released Chrome Beta channel update 97.0.4692.45 for Windows, Mac and Linux, Beta channel 97.0.4692.44 (Platform version: 14324.33.0) for most Chrome OS devices, and Chrome Beta 97 (97.0.4692.45) for Android.
It has been discovered that a missing bounds check in image blurring code prior to WhatsApp for Android v2.21.22.7 and WhatsApp Business for Android v2.21.22.7 can allow an out-of-bounds write if a user sends a malicious image.
CVE ID: CVE-2021-24041 (Critical)
It has been discovered that PrestaShop prior to 1.7.8.2 is vulnerable to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. The problem has been resolved in version 1.7.8.2.
CVE ID: CVE-2021-43789 (Critical)
An exposed dangerous function vulnerability has been discovered in Ivanti Avalanche before 6.3.3 that uses inforail Service, which allows Privilege Escalation via Enterprise Server Service.
CVE ID: CVE-2021-42128 (Critical)
A deserialization of untrusted data vulnerability has been discovered in Ivanti Avalanche before 6.3.3 that uses Inforail Service. Successful exploitation allows arbitrary code execution via Data Repository Service.
CVE ID: CVE-2021-42127 (Critical)
It has been discovered that Git-it allows OS command injection at the Branches Aren't Just For Birds challenge step. During the verification process, it attempts to run the reflog command followed by the current branch name (which is not sanitized for execution).
CVE ID: CVE-2021-44685 (Critical)
A Denial of Service vulnerability in Database Security (DBS) prior to 4.8.4 allows a remote authenticated administrator to trigger a denial-of-service attack against the DBS server. It is recommended to install or update to Database Security 4.8.4.
CVE ID: CVE-2021-31850 (Medium)
Multiple vulnerabilities such as integer coercion error, and out-of-bounds write have been discovered in FANUC's Equipment- R-30iA and R-30iB series controllers. Successful exploitation of these vulnerabilities can crash the device being accessed and a buffer overflow condition can allow Remote Code Execution (RCE).
CVE ID: CVE-2021-32996 (High), CVE-2021-32998 (High)
Multiple vulnerabilities have been discovered in SonicWall SMA 100 Series. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-20038 (Critical), CVE-2021-20039 (High), CVE-2021-20040 (Medium), CVE-2021-20041 (High), CVE-2021-20042 (Medium), CVE-2021-20043 (High), CVE-2021-20044 (High), CVE-2021-20045 (Critical)
A SQL injection vulnerability has been discovered in feature services provided by Esri ArcGIS Server 10.9 and below which allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries.
CVE ID: CVE-2021-29114 (Critical)
It was discovered that b2evolution CMS v7.2.3 contains a SQL injection vulnerability via the parameter cfqueryparam in the User login section. This vulnerability allows attackers to execute arbitrary code via a crafted input.
CVE ID: CVE-2021-31632 (Critical)
A Server-Side Request Forgery (SSRF) vulnerability has been discovered in SquaredUp for SCOM 5.2.1.6654. An attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-40091 (Critical)
It has been discovered that Laravel v5.1 contains a deserialization vulnerability via the component \Mockery\Generator\DefinedTargetClass. An attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-37298 (Critical)
It has been discovered that ThinkPHP v6.0.8 contains a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache. An attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-36567 (Critical), CVE-2021-36564 (Critical)
It has been discovered that it is possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above.
CVE ID: CVE-2021-39890 (Critical)
It has been discovered that the Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action before using it in a SQL statement that leads to an unauthenticated SQL injection.
CVE ID: CVE-2021-24943 (Critical)
It has been discovered that the Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action before using it in a SQL statement that leads to an SQL injection.
CVE ID: CVE-2021-24931 (Critical)
It has been discovered that the WP Data Access WordPress plugin before 5.0.0 does not properly sanitise and escape the backup_date parameter before it is used in a SQL statement, leading to a SQL injection vulnerability and arbitrary table deletion.
CVE ID: CVE-2021-24866 (Critical)
Ubuntu has released security updates to address several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
A missing cryptographic steps vulnerability has been discovered in the function that encrypts users' LDAP and RADIUS credentials in FortiSandbox, FortiWeb, FortiADC, and FortiMail. Successful exploitation may allow an attacker in possession of the password store to compromise the confidentiality of the encrypted secrets.
CVE ID: CVE-2021-32591
An incorrect permission assignment for a critical resource vulnerability has been discovered in FortiNAC which may allow an authenticated attacker to access sensitive system data and, as a consequence, raise the authenticated user's privilege to admin.
CVE ID: CVE-2021-43065
Multiple vulnerabilities have been discovered in Hitachi Energy Products XMC20 and FOX61x. Successful exploitation of these vulnerabilities can allow an attacker to gain unauthorized access to the Data Communication Network (DCN) routing configuration and cause a disruption to the Network Management (NMS) and Network Element (NE) communication.
CVE ID: CVE-2021-40333 (High), CVE-2021-40334 (High)
Multiple vulnerabilities have been discovered in Hitachi Energy Products RTU500 Series. Successful exploitation of these vulnerabilities can cause a Denial of Service (DoS) condition in the affected version of the RTU500 series product.
CVE ID: CVE-2020-36229 (High), CVE-2020-36230 (High)
F5 Networks has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-23037 (High), CVE-2021-23043 (Medium), CVE-2020-29573 (High), CVE-2021-20305 (High)
RedHat has released security updates to resolve several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
It has been discovered that bitcoin miner is targeting all QNAP NAS. Successful infected CPU usage becomes unusually high where a process named "[oom_reaper]" can occupy around 50% of the total CPU usage. The updates are available.
HarmonyOS has released security bulletin to address multiple vulnerabilities affecting several HarmonyOS devices. Security patch levels of 2021-12-01 address all of these issues.
Google has released update to resolve multiple vulnerabilities for Stable channel version 96.0.4664.93 for Windows, Mac & Linux and Chrome 96 (96.0.4664.92) for Android.
Debian has released security updates to address several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
It has been discovered that multiple NetApp products, incorporate Samba versions prior to 4.15.2 are susceptible to vulnerabilities which can cause disclosure of sensitive information & addition or modification of data, or Denial of Service (DoS).
CVE ID: CVE-2016-2124 (Low), CVE-2020-25717 (High), CVE-2020-25718 (High), CVE-2020-25719 (High), CVE-2020-25721 (High), CVE-2020-25722 (high), CVE-2021-23192 (Medium), CVE-2021-3738 (High)
Multiple vulnerabilities have been discovered in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Small Business 220 Series Smart Switches. Successful exploitation can cause code execution , unexpectedly reload and can cause LLDP database corrupt on the affected device. The update is available.
CVE ID: CVE-2021-34779 (High), CVE-2021-34780 (High), CVE-2021-34775 (Medium), CVE-2021-34776 (Medium), CVE-2021-34777 (Medium), CVE-2021-34778 (Medium)
Ubuntu has released security updates to address several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been resolved in GitLab updated versions 14.5.2, 14.4.4, and 14.3.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Multiple vulnerabilities have been discovered in Kaseya Unitrends Backup Appliance before 10.5.5. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-43035 (Critical), CVE-2021-43033 (Critical), CVE-2021-43036 (High), CVE-2021-43038 (High), CVE-2021-43037 (High), CVE-2021-43040 (High), CVE-2021-43034 (High), CVE-2021-43039 (Medium), CVE-2021-43042 (High), CVE-2021-43041 (Medium), CVE-2021-43043 (High), CVE-2021-43044 (Medium)
RedHat has released security updates to resolve several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
An Uncontrolled Recursion vulnerability has been discovered in NGINX ModSecurity WAF. An attacker using specifically formatted JSON messages can cause high resource utilization and potentially Denial-of-Service (DoS).
CVE ID: CVE-2021-42717 (Medium)
An authentication bypass vulnerability has been discovered in ManageEngine Desktop Central and Desktop Central MSP. This vulnerability can allow an adversary to bypass authentication and execute arbitrary code.
CVE ID: CVE-2021-44515 (Critical)
Multiple vulnerabilities have been discovered in NetApp products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-23718 (High), CVE-2021-25742 (High), CVE-2021-3715 (High), CVE-2021-41229 (Medium), CVE-2019-8921 (Medium), CVE-2019-8922 (High)
Multiple vulnerabilities have been discovered in LibreCAD, an application for computer aided design (CAD) in two dimensions. An attacker can trigger code execution through malicious .dwg and .dxf files. It is recommended to upgrade the librecad packages.
CVE ID: CVE-2021-21898, CVE-2021-21899, CVE-2021-21900
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-38297 (Critical), CVE-2021-23449 (Critical), CVE-2021-23807 (High), CVE-2021-23214 (High), CVE-2021-2161 (Medium), CVE-2021-20400 (Medium)
RedHat has released security updates to resolve several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
An exposure of sensitive information to an unauthorized actor vulnerability has been discovered in Johnson Controls' Equipment- Entrapass. Successful exploitation of this vulnerability can allow an unauthorized user to access sensitive data.
Google has released Chrome Beta channel update to 97.0.4692.36 (Platform version: 14324.27.0) for most Chrome OS devices and Chrome Beta 97 (97.0.4692.39) for iOS.
It has been discovered that Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated Remote Code Execution (RCE).
CVE ID: CVE-2021-44077 (Critical)
Multiple vulnerabilities such as authentication bypass by primary weakness and unrestricted upload of file with dangerous type have been discovered in Distributed Data Systems' Equipment- WebHMI. Successful exploitation of these vulnerabilities can allow an administrator account login without password authentication and Remote Code Execution (RCE) with root privileges.
CVE ID: CVE-2021-43931 (Critical), CVE-2021-43936 (Critical)
It has been discovered that D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 contain a stack buffer overflow vulnerability in the function FUN_80046eb4 in /formSetPortTr. This vulnerability can be triggered via a crafted POST request.
CVE ID: CVE-2021-33265 (Critical)
It has been discovered that libretime hv3.0.0-alpha.10 is affected by a path manipulation vulnerability in /blob/master/legacy/application/modules/rest/controllers/ShowImageController.php through the rename function.
CVE ID: CVE-2021-43685 (Critical)
It has been discovered that the Attendance Management System 1.0 is affected by a SQL injection vulnerability in admin/incFunctions.php through the makeSafe function.
CVE ID: CVE-2021-44280 (Critical)
It has been discovered that django-helpdesk is vulnerable to improper neutralization of input during Web Page Generation.
CVE ID: CVE-2021-3994 (Critical)
Multiple vulnerabilities have been discovered in Moxa Realtek AP- Router SDK which can allow remote unauthenticated attacker to compromise the target device and execute arbitrary code with the highest level of privilege.
CVE ID: CVE-2021-35392, CVE-2021-35393, CVE-2021-35394, CVE-2021-35395
Multiple vulnerabilities have been discovered in Moxa HCC Embedded’s InterNiche stack and NicheLite. An unauthenticated attacker may use specially crafted network packets to cause a Denial-of-Service (DoS) attack, disclose information, or execute arbitrary code on the target device remotely.
CVE ID: CVE-2020-25767, CVE-2020-25926, CVE-2020-25927, CVE-2020-25928, CVE-2020-35683, CVE-2020-35684, CVE-2020-35685, CVE-2021-27565, CVE-2021-31226, CVE-2021-31227, CVE-2021-31228, CVE-2021-31400, CVE-2021-31401, CVE-2021-36762
RedHat has released security updates to resolve several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
A stored Cross-Site Scripting (XSS) vulnerability has been resolved in Variation Swatches for WooCommerce, a WordPress plugin which allows an attacker with low-level permissions to inject malicious JavaScript.
CVE ID: CVE-2021-42367 (Medium)
Ubuntu has released security update to address vulnerability in Thunderbird & Network Security Service library. Successful exploitation can cause Denial of Service (DoS) or possibly execute arbitrary code. The affected products are Ubuntu 21.10, Ubuntu 21.04, Ubuntu 20.04 , Ubuntu 18.04, Ubuntu 16.04ESM and Ubuntu 14.04ESM.
CVE ID: CVE-2021-43527
A buffer overflow vulnerability has been discovered in DOPRA SSP products. An attacker by sending a specific message to the target device can cause a Denial of Service (DoS) condition.
CVE ID: CVE-2021-39999 (Medium)
Dell has released security updates to address multiple vulnerabilities in several products which can be exploited by malicious users to compromise the affected system.
CVE ID: CVE-2021-36320 (High), CVE-2021-36321 (High), CVE-2021-36322 (Medium), CVE-2020-3382, CVE-2020-15379
An improper input validation vulnerability that leads to arbitrary file creation has been discovered in copy method of Nexacro platform. Remote attackers can use copy method to execute arbitrary command after the file creation included malicious code.
CVE ID: CVE-2021-26612 (Critical)
A vulnerability was discovered when the ipTIME C200 IP Camera was synchronized with the ipTIME NAS. It is necessary to extract value for ipTIME IP camera because the ipTIME NAS send ans setCookie('[COOKIE]'). The value is transferred to the --header option in wget binary, and there is no validation check. This vulnerability allows remote attackers to execute remote command.
CVE ID: CVE-2020-7879 (Critical)
It has been discovered that NSS (Network Security Services) with Thunderbird are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures.
CVE ID: CVE-2021-43527 (Critical)
It has been discovered that the `pygmalion`, `pygmalion-virtualenv` and `refined` themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited.
CVE ID: CVE-2021-3769 (Critical)
It has been discovered that the `rand-quote` and `hitokoto` plugins fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they can trigger command injection.
CVE ID: CVE-2021-3727 (Critical)
It has been discovered that in JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases.
CVE ID: CVE-2021-43202 (Critical)
Multiple vulnerabilities have been discovered in BIG-IP products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-23039 (Medium), CVE-2021-23025 (High)
RedHat has released security updates to resolve several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
Trend Micro has released a new version of Trend Micro Security. This update resolves the Folder Shield protected folder bypass affecting the Trend Micro Security 2021 family of consumer products.
CVE ID: CVE-2021-43772 (Medium)
An integer overflow or wraparound vulnerability has been discovered in in multiple Real-Time Operating Systems (RTOS) and supporting libraries. Successful exploitation of these vulnerabilities can result in unexpected behavior such as a crash or a Remote Code Execution (RCE) / injection.
A stack-based buffer overflow vulnerability has been discovered in Delta Electronics' Equipment- CNCSoft. Successful exploitation of this vulnerability can allow for arbitrary code execution.
CVE ID: CVE-2021-43982 (High)
An off-by-one error vulnerability has been discovered in Johnson Controls' Equipment- CEM Systems AC2000. Successful exploitation of this vulnerability can allow a local attacker to obtain “super user” access on the underlying Linux operating system.
CVE ID: CVE-2021-3156 (High)
A SQL injection vulnerability has been discovered in Xylem's Equipment- Aanderaa GeoView. Successful exploitation of this vulnerability can allow an attacker to manipulate the database server.
CVE ID: CVE-2021-41063 (High)
Ubuntu has released security updates to address several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
Debian has released security updates to address several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
It has been discovered that NetworkPkg/IScsiDxe has remotely exploitable buffer overflows vulnerability. The update is available.
CVE ID: CVE-2021-38575 (Critical)
Multiple SQL injection vulnerabilities have been discovered in openSIS when MySQL or MariaDB is used as the application database.
CVE ID: CVE-2021-41677 (Critical), CVE-2021-41678 (Critical), CVE-2021-41679 (Critical)
Multiple vulnerabilities have been discovered in Web Applications operating on Business-DNA Solutions. The affected versions are Business-DNA Solutions GmbHâ€s TopEase Platform Version 7.1.27 & prior.
CVE ID: CVE-2021-42115 (Critical), CVE-2021-42544 (Critical)
It has been discovered that the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code can use the `title` function in a way which can be unsafe.
CVE ID: CVE-2021-3726 (Critical)
An unauthenticated SQL Injection vulnerability has been discovered in Rosario Student Information System that allows remote attackers to execute PostgreSQL statements through /Side.php via the syear parameter. The affected products are Rosario Student Information System before 8.1.1.
CVE ID: CVE-2021-44427 (Critical)
It has been discovered that Vesta 0.9.8-24 is affected by a file inclusion vulnerability in file web/add/user/index.php.
CVE ID: CVE-2021-43693 (Critical)
It has been discovered that the Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery.This can allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address.
CVE ID: CVE-2021-24915 (Critical)
Multiple Denial of Service (DoS) vulnerabilities have been discovered in Mitsubishi Electric's Equipment- MELSEC series and MELIPC series. A remote attacker can stop the program execution or Ethernet communication of the products by sending specially crafted packets.
CVE ID: CVE-2021-20609 (High), CVE-2021-20610 (High), CVE-2021-20611 (High)
Multiple vulnerabilities have been discovered in WordPress. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-42364 (High), CVE-2021-42358 (High), CVE-2021-42365 (Medium)
An unsafe search path vulnerability has been discovered in FortiClient and FortiClient EMS that allows an attacker to perform a DLL Hijack attack on affected devices via a malicious OpenSSL engine library in the search path.
CVE ID: CVE-2021-32592 (High)
SUSE has released security updates to resolve several vulnerabilities in multiple products.
CVE ID: CVE-2021-27291, CVE-2021-28704, CVE-2021-28707, CVE-2021-28708, CVE-2021-28705, CVE-2021-28709, CVE-2021-28706
Multiple vulnerabilities have been discovered in ImageMagick. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-20244, CVE-2021-20246, CVE-2021-20309, CVE-2021-20312, CVE-2021-20313
Multiple vulnerabilities have been discovered in OpenSC. It is recommended to upgrade the opensc packages.
CVE ID: CVE-2019-15945, CVE-2019-15946, CVE-2019-19479, CVE-2020-26570, CVE-2020-26571, CVE-2020-26572
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-40438 (Critical), CVE-2019-17571 (Critical), CVE-2021-39000 (Medium), CVE-2021-2369 (Medium), CVE-2021-38967 (High), CVE-2021-3549 (Medium), CVE-2021-38958 (Medium), CVE-2021-34798 (Medium), CVE-2021-39275 (Low), CVE-2021-35517 (Medium), CVE-2021-36090 (High), CVE-2021-38999 (Medium), CVE-2021-36090 (High)
A Remote Command Execution (RCE) vulnerability has been discovered on the background in zrlog 2.2.2, at the upload avatar function, which can bypass the original limit, upload the JSP file to get a WebShell.
CVE ID: CVE-2021-44093 (Critical)
It has been discovered that HejHome GKW-IC052 IP Camera contained a hard-coded credentials vulnerability. This vulnerability allows remote attackers to operate the IP Camera.
CVE ID: CVE-2021-26611 (Critical)
An use-after-free vulnerability has been discovered in the International Components for Unicode (ICU) library which can result in Denial of Service (DoS) or potentially the execution of arbitrary code. It is recommended to upgrade the icu packages.
CVE ID: CVE-2020-21913
Debian has released security update to address a stack-based buffer over-reads vulnerability for crafted NTLM requests in libntlm, a library that implements Microsoft's NTLM authentication.
CVE ID: CVE-2019-17455
Debian has released security update to resolve multiple vulnerabilities in Bluez. Successful exploitation of vulnerabilities can cause a Denial of Service (DoS) or leak information.
CVE ID: CVE-2019-8921, CVE-2019-8922, CVE-2021-41229
It has been discovered that roundcube does not properly sanitize requests and mail messages. This allows an attacker to perform Cross-Side Scripting (XSS) or SQL injection attacks. It is recommended to upgrade the roundcube packages.
CVE ID: CVE-2021-44025, CVE-2021-44026
Debian has released security update to address several vulnerabilities in libvorbis-a popular library for the Vorbis audio codec.
CVE ID: CVE-2017-14160, CVE-2018-10392, CVE-2018-10393
An out-of-bounds buffer read on truncated key frames in vp8_decode_frame has been resolved in libvpx, a popular library for the VP8 and VP9 video codecs. It is recommended to upgrade the libvpx packages.
CVE ID: CVE-2020-0034
It has been discovered that Eclipse OpenJ9 is vulnerable to a stack-based buffer overflow when the virtual machine or JNI natives converts from UTF-8 characters to platform encoding. A remote attacker by sending an overly long string can overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVE ID: CVE-2020-27221 (Critical)
Multiple vulnerabilities such as command injection and improper authentication have been discovered in QVR that affects QNAP VS Series NVR running QVR. Successful exploitation of vulnerabilities can allow remote attackers to run arbitrary commands or compromise the security of the system. The security updates are available.
CVE ID: CVE-2021-38685 (Critical), CVE-2021-38686 (High)
Multiple vulnerabilities such as OS command injection and arbitrary code upload in database restore have been discovered in baserCMS. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-41243 (High), CVE-2021-41279 (Medium)
A vulnerability has been discovered in python urllib3 which can cause a Denial of Service (DoS) if a URL is passed as a parameter or redirected to via an HTTP redirect.
CVE ID: CVE-2021-33503 (High)
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-37714 (High), CVE-2020-9488 (Low), CVE-2018-15494 (Medium), CVE-2021-40690 (Medium)
Multiple vulnerabilities have been discovered in NetApp products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-43267 (Critical), CVE-2011-1075 (Low), CVE-2021-22096 (Medium), CVE-2021-43057 (High), CVE-2021-41174 (Medium)
Multiple vulnerabilities such as arbitrary code execution and information disclosure have been discovered in Mitsubishi Electric's Equipment- GENESIS64, MELSOFT MC Works64.
CVE ID: CVE-2021-27040 (Low), CVE-2021-27041 (High)
It has been discovered that International Components for Unicode (ICU) library contains a double free vulnerability. An attacker can use this vulnerability to cause a Denial of Service (DoS) or possibly execute arbitrary code. The affected products are Ubuntu 21.04 and Ubuntu 20.04.
CVE ID: CVE-2021-30535 (High)
A cookie prefix spoofing vulnerability has discovered in CGI::Cookie.parse of Ruby. An attacker can exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application.
CVE ID: CVE-2021-41819
Multiple vulnerabilities such as buffer overflow and process memory exposure have been discovered in Zoom. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-34424 (Medium), CVE-2021-34423 (High)
An out-of-bounds read vulnerability has been discovered in Huawei Products. Successful exploitation of this vulnerability can lead to Denial of Service (DoS).
CVE ID: CVE-2021-39995 (Medium), CVE-2021-22366 (Medium)
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-36374 (Medium), CVE-2021-36373 (Medium), CVE-2021-29736 (Medium), CVE-2021-21290 (Low), CVE-2021-21409 (High), CVE-2020-2773 (Low), CVE-2021-21295 (Medium), CVE-2021-32803 (High), CVE-2021-2341 (Low)
Multiple vulnerabilities have been discovered in Apache HTTP Server that affects Cisco products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438
It has been discovered that WordPress Plugin "Browser and Operating System Finder" contains a Cross-Site Request Forgery (CSRF) vulnerability. If a user with an administrative privilege views a malicious page while logged in, unintended operations can be performed.
CVE ID: CVE-2021-20851 (Medium)
It has been discovered that PowerCMS XMLRPC API allows a remote attacker to execute an arbitrary OS command via unspecified vectors. The affected products are PowerCMS 5.19 and earlier, PowerCMS 4.49 and earlier, PowerCMS 3.295 and earlier, and PowerCMS 2 Series.
CVE ID: CVE-2021-20850
An use after free vulnerability has been discovered in Web Transport of Google Chrome prior to 95.0.4638.69. This vulnerability allows a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
CVE ID: CVE-2021-38002 (Critical)
It has been discovered that Dell EMC CloudLink contains a hard-coded password vulnerability. A remote high privileged attacker, with the knowledge of the hard-coded credentials, can exploit this vulnerability to gain unauthorized access to the system.
CVE ID: CVE-2021-36312 (Critical)
Dell has released security updates to address multiple vulnerabilities in several Dell products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2019-3723 (Critical), CVE-2021-21510 (Medium), CVE-2021-21513 (High), CVE-2021-21514 (Medium), CVE-2020-26198 (Medium), CVE-2019-3764, CVE-2019-3722 (High), CVE-2019-3720 (Medium), CVE-2019-3721 (Medium)
Multiple Vulnerabilities have been discovered in Hitachi Energy's Equipment- FOX61x, XMC20, RTU500 Series. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-40333 (Critical), CVE-2020-35198 (Critical), CVE-2021-40334 (High), CVE-2021-35533 (High), CVE-2020-1968 (Low), CVE-2020-24977 (Medium), CVE-2021-3517 (High), CVE-2020-28895 (High), CVE-2020-36229 (High), CVE-2020-36230 (High)
Multiple vulnerabilities such as unauthorized arbitrary file read and Server-Side Request Forgery (SSRF) have been discovered in VMware vCenter Server. An attacker can exploit these vulnerabilities to take control of an affected system. The affected products are VMware vCenter Server and VMware Cloud Foundation.
CVE ID: CVE-2021-21980 (High), CVE-2021-22049 (High)
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-38891 (Medium), CVE-2021-38890 (Medium), CVE-2021-32029 (Medium), CVE-2021-3647 (High), CVE-2021-29425 (High), CVE-2021-22960 (Medium), CVE-2021-38873 (Medium), CVE-2021-22959 (Medium), CVE-2021-29060 (High), CVE-2021-23445 (High), CVE-2021-37701 (High), CVE-2021-37712 (High), CVE-2021-37713 (High)
A vulnerability in net/tipc/crypto.c in the Linux kernel before 5.14.16 is affecting F5 product- Traffix SDC. An attacker can exploit this vulnerability to access restricted information, modify files, or cause a Denial of Service (DoS) attack.
CVE ID: CVE-2021-43267
Multiple vulnerabilities have been discovered in NetApp products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-25219 (Medium), CVE-2021-42327 (High), CVE-2021-42739 (High), CVE-2021-41182 (Medium), CVE-2021-41183 (Medium), CVE-2021-41184 (Medium), CVE-2021-42252 (High)
A Cross-Site Scripting (XSS) vulnerability has been discovered in Apache JSPWiki that can allow an attacker to execute JavaScript in the victim's browser and get some sensitive information about the victim. The affected products are Apache JSPWiki up to 2.11.0.M8.
CVE ID: CVE-2021-40369
It has been discovered that remote attackers can delete arbitrary files in a system hosting a JSPWiki instance by using a carefully crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. The affected products are Apache JSPWiki up to 2.11.0.M8.
CVE ID: CVE-2021-44140
Multiple vulnerabilities have been discovered in mbed TLS, a lightweight crypto and SSL/TLS library which can result in Denial of Service (DoS), information disclosure or side-channel attacks. It is recommended to upgrade the mbed TLS packages.
CVE ID: CVE-2018-9988, CVE-2018-9989, CVE-2020-36475, CVE-2020-36476, CVE-2020-36478, CVE-2021-24119
Ubuntu has released security updates to resolve several vulnerabilities in BlueZ and FreeRDP. The affected products are Ubuntu 21.10, Ubuntu 21.04, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.
CVE ID: CVE-2021-3658, CVE-2021-41229, CVE-2021-43400, CVE-2021-41159, CVE-2021-41160
It has been discovered that in x86 HVM and PVH, malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system. This vulnerability affects versions Xen 3.4 and above.
CVE ID: CVE-2021-28705, CVE-2021-28709
A heap-based buffer over-read vulnerability has been discovered in Croatia Control Asterix. An attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-44144 (Critical)
Multiple vulnerabilities have been discovered in Moxa's Equipment- NPort Series, ioLogik Series. An attacker can exploit these vulnerabilities to take control of an affected system.
McAfee has released security update to resolve multiple vulnerabilities in Policy Auditor. It is recommended to Install or update to Policy Auditor 6.5.2.
CVE ID: CVE-2021-31851 (Medium), CVE-2021-31852 (Medium)
It has been discovered that LibreOffice incorrectly handled digital signatures. An attacker can possibly use this vulnerability to create a specially crafted document that can display a validly signed indicator, contrary to expectations.
CVE ID: CVE-2021-25634 (High), CVE-2021-25633 (High)
Multiple vulnerabilities have been discovered in Zimbra- a WebRTC stream aggregator. It is recommended to use Patch 21 for the Zimbra 9.0.0 and Patch 28 for Zimbra 8.8.15.
A vulnerability in Linux Kernel is affecting multiple F5 products that can allow unauthorized disclosure of information and disruption of service.
CVE ID: CVE-2017-1000365 (High)
Multiple vulnerabilities have been discovered in NetApp products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-38297 (Critical), CVE-2021-21703 (High), CVE-2021-25219 (Medium), CVE-2021-42327 (High), CVE-2021-41182 (Medium), CVE-2021-41183 (Medium), CVE-2021-41184 (Medium)
F5 Networks has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
A Remote Code Execution (RCE) vulnerability has been discovered in Microsoft Edge (Chromium-based). An attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-43221
Multiple vulnerabilities have been discovered in Salt, a powerful remote execution manager. It is recommended to upgrade the salt packages.
CVE ID: CVE-2021-21996, CVE-2021-31607, CVE-2021-25284, CVE-2021-25283, CVE-2021-25282, CVE-2021-25281, CVE-2021-3197, CVE-2021-3148, CVE-2021-3144, CVE-2020-35662, CVE-2020-28972, CVE-2020-28243
An information disclosure vulnerability evident when a user or an application uploads unprotected private key data as part of an authentication certificate KeyCredential on an Azure AD Application or Service Principal.
CVE ID: CVE-2021-42306 (High)
It has been discovered that HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement.
CVE ID: CVE-2021-43998 (Critical)
It has been discovered that the Easy Registration Forms WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF) which allows attackers to inject arbitrary web scripts.
CVE ID: CVE-2021-39353 (High)
Multiple vulnerabilities have been resolved in several QNAP products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-34358 (Medium), CVE-2021-38681 (Medium)
Multiple vulnerabilities have been discovered in VISAM's Equipment- VBASE. Successful exploitation of these vulnerabilities can allow an attacker to read the contents of unexpected files, escalate privileges to system level, execute arbitrary code on the targeted system, bypass security mechanisms, and discover the cryptographic key for the web login. The affected products are VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module.
CVE ID: CVE-2020-10599 (Critical), CVE-2020-7008 (High), CVE-2020-7004 (High), CVE-2020-10601 (High), CVE-2020-7000 (High)
A vulnerability has been discovered in IBM MQ that can be used by an attacker to create a Denial of Service (DoS) attack. An attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-29843 (Medium)
Cisco has released security updates to address several vulnerabilities in multiple Cisco products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-40130 (Medium), CVE-2021-40129 (Medium), CVE-2021-40131 (Medium)
Multiple vulnerabilities have been discovered in Philips' Equipments- Patient Information Center iX (PICiX); PerformanceBridge Focal Point; IntelliVue Patient Monitors MX100, MX400-MX850, and MP2-MP90; and IntelliVue X2, and X3. Successful exploitation of these vulnerabilities can result in unauthorized access, interrupted monitoring, and collection of access information and/or patient data.
CVE ID: CVE-2020-16214 (Medium), CVE-2020-16218 (Low), CVE-2020-16222 (Medium), CVE-2020-16228 (Medium), CVE-2020-16224 (Medium), CVE-2020-16220 (Low), CVE-2020-16216 (Medium), CVE-2020-16212 (Medium)
Multiple vulnerabilities have been discovered in Philips' Equipments- Patient Information Center iX (PIC iX) and Efficia CM Series. Successful exploitation of these vulnerabilities can allow an attacker unauthorized access to data and create a Denial of Service (DoS) resulting in temporary interruption of viewing physiological data at the central station.
CVE ID: CVE-2021-43548 (Medium), CVE-2021-43552 (Medium), CVE-2021-43550 (Medium)
Multiple vulnerabilities have been discovered in Philips' Equipments- IntelliBridge EC 40 and EC 80 Hub. Successful exploitation of these vulnerabilities can allow an attacker unauthorized access to the IntelliBridge EC40 and80 Hub.
CVE ID: CVE-2021-32993 (High), CVE-2021-33017 (High)
A code injection vulnerability has been discovered in Trane's Equipment- Symbio 700 and Symbio 800 controllers. Successful exploitation of this vulnerability can allow an authenticated user to execute arbitrary code on the controller.
CVE ID: CVE-2021-38448 (High)
Red Hat has released security updates to address multiple vulnerabilities in several products.
CVE ID: CVE-2021-42574 (High), CVE-2021-29923 (High), CVE-2021-34558 (Medium)
It has been discovered in netkit-rsh that due to insufficient input validation in path names send by server, a malicious server can do arbitrary file overwrites in the target directory or modify permissions of the target directory. It is recommended to upgrade the netkit-rsh packages.
CVE ID: CVE-2019-7282 (Medium), CVE-2019-7283 (Medium)
Multiple vulnerabilities have been discovered in Apache Ozone. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-36372 (Critical), CVE-2021-39231 (Critical), CVE-2021-39232 (High), CVE-2021-39233 (Critical), CVE-2021-39234 (Medium), CVE-2021-39235 (Medium), CVE-2021-39236 (High), CVE-2021-41532 (Medium)
Trend Micro has released updated versions of the Trend Micro Antivirus for MAC 2021 family of consumer products which resolves an improper access control privilege escalation vulnerability.
CVE ID: CVE-2021-43771 (High)
It has been discovered that the Preview E-Mails for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the search_order parameter found in the ~/views/form.php file which allows attackers to inject arbitrary web scripts.
CVE ID: CVE-2021-42363 (Medium)
It has been discovered that due to improper sanitization MedData HBYS software suffers from a remote SQL injection vulnerability. An unauthenticated attacker with the web access can extract critical information from the system.
CVE ID: CVE-2021-43362 (Critical)
It has been discovered that due to improper sanitization iPack SCADA Automation software suffers from a remote SQL injection vulnerability. An unauthenticated attacker with the web access can extract critical information from the system.
CVE ID: CVE-2021-3958 (Critical)
Google has released update for Chrome Dev channel version 97.0.4692.20 (Platform version: 14324.13.0) for Chrome OS devices and Chrome Beta 97 (97.0.4692.21) for iOS. These versions address vulnerabilities that an attacker can exploit to take control of an affected system.
Red Hat has released security updates to address multiple vulnerabilities in several products.
CVE ID: CVE-2021-42574, CVE-2021-29923, CVE-2021-34558, CVE-2021-23369, CVE-2021-23383
Ubuntu has released security update to resolve a vulnerability in OpenEXR. The affected products are Ubuntu 18.04 LTS & Ubuntu 16.04 ESM.
CVE ID: CVE-2021-3941
Multiple vulnerabilities have been discovered in several IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-22940 (High), CVE-2021-39014 (Medium)
A Cross Site Scripting (XSS) vulnerability has been discovered in Drupal. An attacker may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.
Cisco has released security updates to address several vulnerabilities in multiple Cisco products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-40131 (Medium), CVE-2021-40129 (Medium), CVE-2021-40130 (Medium)
A vulnerability has been discovered in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. The affected versions are Apache ShenYu 2.3.0 and 2.4.0.
CVE ID: CVE-2021-37580 (Critical)
Dell has released security updates to address multiple vulnerabilities in several Dell products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2019-3762 (High), CVE-2021-21546 (High), CVE-2021-21558 (High), CVE-2021-21559 (High), CVE-2012-6708, CVE-2019-11358, CVE-2019-7317, CVE-2019-2821, CVE-2019-2762, CVE-2019-2769, CVE-2019-2745, CVE-2019-2816, CVE-2019-2842, CVE-2019-2786, CVE-2019-2818, CVE-2019-2766
F5 Networks has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
Debian has released security update to resolve multiple vulnerabilities in atftp package which can cause Denial of Service (DoS) attack.
CVE ID: CVE-2020-6097 (High), CVE-2021-41054 (High)
Multiple deserialization of untrusted data Remote Code Execution (RCE) vulnerability have been discovered in Veritas Enterprise Vault server. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-44682 (Critical), CVE-2021-44681 (Critical), CVE-2021-44680 (Critical), CVE-2021-44679 (Critical), CVE-2021-44678 (Critical), CVE-2021-44677 (Critical)
Multiple vulnerabilities such as out-of-bounds write, and stack-based buffer overflow have been discovered in FATEK Automation's Equipment- WinProladder. Successful exploitation of these vulnerabilities can allow for arbitrary code execution. The affected products are WinProladder versions 3.30_24518 and prior.
Avast has released its Q3'21 Threat Report that reveals elevated risk for ransomware and RAT attacks, rootkits and exploit kits return by exploiting Certificate Authority.
Ubuntu has released security update to resolve a vulnerability in AccountsService which incorrectly handled memory when performing certain language setting operations. A local attacker can use this issue to escalate privileges.
CVE ID: CVE-2021-3939 (High)
Ubuntu has released security update to resolve a vulnerability in hivex which incorrectly handled certain input. An attacker can use this vulnerability to cause a crash or obtain sensitive information.
CVE ID: CVE-2021-3504 (Medium)
Oracle Solaris has released security update to address multiple vulnerabilities in third party software that is included in Oracle Solaris distributions.
An elevation of privilege vulnerability has been discovered in Windows 10 Update Assistant. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-42297 (Medium), CVE-2021-43211 (Medium)
It has been discovered modern DRAM devices (PC-DDR4, LPDDR4X) are affected by a vulnerability in their internal Target Row Refresh (TRR) mitigation against Rowhammer attacks.
CVE ID: CVE: 2021-42114 (Critical)
A Cross-Site Request Forgery (CSRF) vulnerability has been discovered in WordPress Plugin "Push Notifications for WordPress (Lite)" provided by Delite Studio. If a user with an administrative privilege views a malicious page while logged in, unintended operations can be performed.
CVE ID: CVE-2021-20846 (Medium)
A Cross-Site Scripting (XSS) vulnerability has been discovered in rwtxt provider Zack Scholl Content Management System (CMS). An arbitrary script can be executed on the web browser of the user who is accessing the website using rwtxt.
CVE ID: CVE-2021-20848 (Medium)
A vulnerability has been discovered in OpenSSL which affects multiple F5 Products. A remote attacker can exploit this vulnerability by triggering an application to create an ASN1_STRING and process it with an affected OpenSSL function to access restricted information or cause a Denial-of-Service (DoS).
CVE ID: CVE-2021-3712 (High)
Multiple vulnerabilities have been discovered in Mitsubishi Electric's Products . An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-20601 (High), CVE-2021-20587 (High), CVE-2021-20588 (High), CVE-2020-14521
Multiple vulnerabilities have been discovered in Moodle. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-43560, CVE-2021-43559, CVE-2021-43558, CVE-2021-3943
VigorConnect software has released security update for Windows and Linux Operating System (OS).
CVE ID: CVE-2021-20123 (High), CVE-2021-20124 (High), CVE-2021-20125 (Critical), CVE-2021-20126 (High), CVE-2021-20127 (High), CVE-2021-20128 (Medium), CVE-2021-20129 (High)
Ruby has released security update for a Regular expression Denial of Service vulnerability (ReDoS) on date parsing methods. An attacker can exploit this vulnerability to cause an effective DoS attack.
Multiple vulnerabilities have been discovered in Moodle. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-43560, CVE-2021-43559, CVE-2021-43558, CVE-2021-3943
Ubuntu has released security update to resolve multiple vulnerabilities in Vim, Vi IMproved. An attacker can exploit these vulnerabilities to take control of an affected system. The affected products are Ubuntu 21.10, Ubuntu 21.04, Ubuntu 20.04 LTS, Ubuntu 18.04 LTS, Ubuntu 16.04 ESM and Ubuntu 14.04 ESM.
CVE ID: CVE-2021-3928 (High), CVE-2021-3927 (High), CVE-2017-17087(Medium), CVE-2019-20807 (Medium), CVE-2021-3903 (High), CVE-2021-3872 (High)
Multiple vulnerabilities have been discovered in several IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-38882 (Medium), CVE-2020-27221 (Critical), CVE-2021-3711 (Critical), CVE-2021-28165 (High), CVE-2020-27225 (Medium), CVE-2021-38949 (Medium)
A stack buffer overflow vulnerability has been resolved in QNAP NAS running Multimedia Console. This vulnerability can allow attackers to execute arbitrary code. It is recommended to update Multimedia Console to the latest version.
CVE ID: CVE-2021-38684 (High)
Google has released Stable channel 94.0.4606.124 (Platform version: 14150.87.0) for most Chrome OS devices, Chrome 96.0.4664.45 for Windows, Mac and Linux and Chrome 96 (96.0.4664.45) for Android.
Microsoft has released out-of-band updates to address authentication failures related to Kerberos delegation scenarios impacting Domain Controllers (DC) running supported versions of Windows Server and Systems.
Multiple vulnerabilities have been discovered in ffmpeg- tools for transcoding, streaming and playing of multimedia files. It is recommended to upgrade the ffmpeg packages.
CVE ID: CVE-2020-20445, CVE-2020-20446, CVE-2020-20451, CVE-2020-20453, CVE-2020-22037, CVE-2020-22041, CVE-2020-22044, CVE-2020-22046, CVE-2020-22048, CVE-2020-22049, CVE-2020-22054, CVE-2021-38171, CVE-2021-38291
Proofpoint has released security updates to address vulnerabilities in Proofpoint Essentials, and Proofpoint Enterprise Protection (PPS/PoD). An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-31608 (High)
Multiple vulnerabilities such as authenticated arbitrary file upload and authenticated block import to stored XSS have been discovered in WordPress. It is recommended to upgrade the WordPress packages.
CVE ID: CVE-2021-42362 (High), CVE-2021-42360 (High)
It has been discovered that Unlimited Sitemap Generator of XML-Sitemaps contains a Cross-Site Request Forgery (CSRF) vulnerability. If a user views a malicious page while logged in, unintended operations can be performed. The affected versions are Unlimited Sitemap Generator versions prior to v8.2.
CVE ID: CVE-2021-20845 (Medium)
Multiple vulnerabilities have been discovered in Jenkins core. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-21699 (High), CVE-2021-21700 (High), CVE-2021-21701 (High), CVE-2021-43576 (High), CVE-2021-43577 (High), CVE-2021-43578 (High)
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-38979 (Medium), CVE-2021-38972 (Medium), CVE-2021-38976 (Medium), CVE-2021-38978 (Medium), CVE-2021-38982 (Medium), CVE-2021-38977 (Low), CVE-2021-38985 (Medium), CVE-2021-38983 (Medium), CVE-2021-20492 (Medium), CVE-2021-32803 (High), CVE-2021-38974 (Medium), CVE-2021-38973 (Low), CVE-2021-38975 (Medium), CVE-2021-38984 (Low), CVE-2021-38981 (Medium)
Cisco has released security updates to address several vulnerabilities in multiple Cisco products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-1236 (Medium), CVE-2021-34738 (Medium), CVE-2021-40121 (Medium)
It has been discovered that Apache Tomcat do not properly release an HTTP upgrade connection for WebSocket connections once the WebSocket connection is closed. This is creating a memory leak that, over time and can lead to a Denial of Service (DoS) via an OutOfMemoryError. It is recommended to upgrade the Tomcat9 packages.
CVE ID: CVE-2021-42340 (High)
A vulnerability has been discovered in Grafana, an open source data visualization platform. F5 has fixed this vulnerability in NGINX Service Mesh 1.2.1.
CVE ID: CVE-2021-39226 (Critical)
Microsoft has observed an increase in the use of HTML smuggling that leverages legitimate HTML5 and JavaScript features by using email campaigns for deploying banking malware, Remote Access Trojans (RATs) and other payloads related to targeted attacks.
It has been discovered that the command line restriction that controls snippet use with NGINX Ingress Controller does not apply to Ingress objects. An attacker with privileges to deploy Ingress resources can inject configuration snippets that can allow them to gain access to secrets using the Ingress service account permissions.
CVE ID: CVE-2021-23055
Use of insufficiently random values vulnerability has been discovered in multiple open-source and proprietary TCP/IP stacks Equipment's . Successful exploitation of weak Initial Sequence Numbers (ISN) can be used to hijack or spoof TCP connections, cause Denial of Service (DoS) conditions & can inject malicious data, or bypass authentication.
CVE ID: CVE-2020-27213 (High), CVE-2020-27630 (High), CVE-2020-27631 (High), CVE-2020-27632 (High), CVE-2020-27633 (High), CVE-2020-27634 (High), CVE-2020-27635 (High), CVE-2020-27636 (High), CVE-2020-28388 (Medium)
Multiple vulnerabilities have been discovered in multiple open-source and proprietary Object Management Group (OMG) Data-Distribution Service (DDS) implementations Equipment's. Successful exploitation of these vulnerabilities can result in Denial of Service (DoS) or buffer-overflow conditions which can lead to Remote Code Execution (RCE) or information exposure.
Multiple vulnerabilities such as stack-based buffer overflow and out-of-bounds write have been discovered in WECON's Equipment- PLC Editor. Successful exploitation of these vulnerabilities can allow arbitrary code execution.
CVE ID: CVE-2021-42705 (High), CVE-2021-42707 (High)
A Denial of Service (DoS) vulnerability has been discovered in VMware Tanzu Application Service for VMs. Patches and workarounds are available to remediate this vulnerability.
CVE ID: CVE-2021-22101 (High)
Debian has released security update to resolve multiple vulnerabilities in PostgreSQL database system which can cause in Man-In-The-Middle (MITM) attacks.
CVE ID: CVE-2021-23214, CVE-2021-23222
Debian has released security update to address multiple vulnerabilities in node-tar which can be bypassed and allow a malicious Tar archive to symlink into an arbitrary location.
CVE ID: CVE-2021-37701, CVE-2021-37712
F5 Networks has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
An authenticated database reset vulnerability has been discovered in WordPress WP Reset PRO Premium Plugin. The affected versions are WordPress WP Reset PRO premium plugin v5.98 and below.
CVE ID: CVE-2021-36909 (High)
Microsoft has released security updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit these vulnerabilities to take control of an affected system.
A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges.
CVE ID: CVE-2021-3064 (Critical)
Apple has released security updates to address vulnerabilities in iCloud for Windows. An attacker can exploit these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-30852, CVE-2021-30814, CVE-2021-30835, CVE-2021-30847, CVE-2021-30823, CVE-2021-30849
A privilege escalation vulnerability has been discovered in vCenter Server. A malicious actor with non-administrative access to vCenter Server can exploit this vulnerability to elevate privileges to a higher privileged group. The affected products are VMware Center Server and VMware Cloud Foundation.
CVE ID: CVE-2021-22048 (High)
Debian has released security update to resolve multiple vulnerabilities in Salt which allow for local privilege escalation on a minion, server side template injection attacks, insufficient checks for eauth credentials, shell and command injections or incorrect validation of SSL certificates.
CVE ID: CVE-2020-28243, CVE-2020-28972, CVE-2020-35662, CVE-2021-3144, CVE-2021-3148, CVE-2021-3197, CVE-2021-25281, CVE-2021-25282, CVE-2021-25283, CVE-2021-25284, CVE-2021-31607
Apple has released security update to resolve several vulnerabilities in ImageIO and WebKit of iCloud for Windows 13. An attacker can exploit these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-30852, CVE-2021-30814, CVE-2021-30835, CVE-2021-30847, CVE-2021-30823, CVE-2021-308499
A weak secure algorithm vulnerability has been discovered in Huawei product which can cause information leakage. Huawei has released software updates to resolve this vulnerability.
CVE ID: CVE-2021-22356
Debian has released security update to address several vulnerabilities in Icinga2, a general-purpose monitoring application.
CVE ID: CVE-2021-32739 (High), CVE-2021-32743(High), CVE-2021-37698 (High)
Microsoft has released security updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit these vulnerabilities to take control of an affected system.
A pre-authentication buffer overflow vulnerability has been discovered in NETGEAR that requires access via user's local area network to be exploited.
CVE ID: CVE-2021-34991 (High)
Multiple vulnerabilities have been discovered in Zoom. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-34422 (High), CVE-2021-34421 (Low), CVE-2021-34420 (Medium), CVE-2021-34419 (Low), CVE-2021-34418 (Medium), CVE-2021-34417 (High)
McAfee has released security update to resolve DLL Search Order Hijacking vulnerability in McAfee Drive Encryption (MDE). It is recommended to update to MDE 7.3.0 HF2.
CVE ID: CVE-2021-31853 (High)
Intel has released security updates to address multiple vulnerabilities in several Intel products. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
Google has released update for Chrome Dev channel to 97.0.4692.6 (Platform version: 14324.5.0) for most Chrome OS devices, Chrome 96 (96.0.4664.36) for iOS and 97.0.4692.8 for Windows, Mac and Linux.
It has been discovered that compilers permit Unicode control and homoglyph characters that may change the visually apparent meaning of source code. An attacker with the ability to influence source code can introduce undetected ambiguity into source code using this type of attack.
CVE ID: CVE-2021-42574 (Critical), CVE-2021-42694 (Critical)
Samba has released security updates to resolve vulnerabilities in multiple versions of Samba. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, CVE-2020-25719, CVE-2020-25721, CVE-2020-25722, CVE-2021-3738, CVE-2021-23192
Multiple vulnerabilities have been discovered in Advantech's Equipment- WebAccess HMI Designer. Successful exploitation of these vulnerabilities can result in memory corruption, code execution, hijacking of user’s cookie/session tokens, and unintended browser action. The affected products are WebAccess HMI Designer Versions prior to 2.1.11.0. The updates are available.
CVE ID: CVE-2021-33000 (High), CVE-2021-33002 (High), CVE-2021-33004 (High)
A Cross-Site Scripting (XSS) vulnerability has been discovered in OSIsoft's Equipment- PI Web API. Successful exploitation of this vulnerability can allow a remote authenticated attacker access to sensitive information or deliver false information. The affected products are all versions of PI Web API 2019 SPI and prior.
Multiple vulnerabilities such as Cross-Site Scripting (XSS) and incorrect authorisation have been discovered in OSIsoft's Equipment- PI Vision. Successful exploitation of these vulnerabilities can lead to information disclosure, modification, or deletion. The affected products are PI Vision all versions prior to 2021.
A relative path traversal vulnerability has been discovered in mySCADA's Equipment- myDESIGNER. Successful exploitation of this vulnerability can allow Remote Code Execution (RCE). The affected versions are myDESIGNER Versions 8.20.0 and prior.
Multiple vulnerabilities have been discovered in several Schneider Electric products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Philips' Equipment- MRI 1.5T and 3T. Successful exploitation of these vulnerabilities can allow an unauthorized attacker access to execute software, modify system configuration, view/update files and export data to an untrusted environment. The affected products are MRI 1.5T version 5.x.x and MRI 3T version 5.x.x
Multiple vulnerabilities have been discovered in several products of Siemens. A remote attacker can exploit these vulnerabilities to take control of an affected system.
Adobe has released security updates to address multiple vulnerabilities in multiple Adobe products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-42727 (High), CVE-2021-43015 (High), CVE-2021-43016 (Medium), CVE-2021-43017 (Medium)
Citrix has released security updates to address vulnerabilities affecting multiple versions of Citrix Application Delivery Controller (ADC), Citrix Gateway and Citrix SD-WAN WANOP Edition. Successful exploitation may cause Denial of Service (DoS) and disruption of the Management GUI, Nitro API and RPC communication.
CVE ID: CVE-2021-22955, CVE-2021-22956
SAP has released security updates to address several vulnerabilities affecting multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-40501 (Critical), CVE-2021-40502 (High), CVE-2020-6369 (High), CVE-2021-40503 (Medium), CVE-2021-42062 (Medium), CVE-2021-38164 (Medium), CVE-2021-40504 (Medium)
Multiple NetApp products incorporate Systemd. It has been discovered that basic/unit-name.c in systemd is susceptible to a vulnerability which on successful exploitation can lead to Denial of Service (DoS).
CVE ID: CVE-2021-33910 (Medium)
Debian has released security update to address a vulnerability in Botan1.10, a C++ cryptography library, an attacker can use this issue to recover bits of secret exponents with help of cache analysis.
CVE ID: CVE-2017-14737 (Medium)
A vulnerability has been discovered in multiple versions of BIND. Successful exploitation can significantly degrade resolver performance.
CVE ID: CVE-2021-25219 (Medium)
It has been discovered that insufficiently restricted permissions on container root and plugin directories can result in privilege escalation vulnerability. It is recommended to upgrade the containerd packages.
CVE ID: CVE-2021-41103 (High)
Multiple SQL injection vulnerabilities have been discovered in SQLAlchemy, a SQL toolkit and Object Relational Mapper for Python, when the order_by or group_by parameters can be controlled by an attacker. It is recommended to upgrade the sqlalchemy packages.
CVE ID: CVE-2019-7164, CVE-2019-7548
Debian has released security update to address multiple vulnerabilities in Redis which can result in Denial of Service (DoS) or the execution of arbitrary code.
CVE ID: CVE-2021-32626, CVE-2021-32627, CVE-2021-32628, CVE-2021-32672, CVE-2021-32675, CVE-2021-32687, CVE-2021-32762, CVE-2021-41099, CVE-2021-32761
Multiple vulnerabilities have been discovered in src:python3.5, the Python interpreter v3.5. It is recommended to upgrade the python3.5 packages.
CVE ID: CVE-2021-3733, CVE-2021-3737
A vulnerability has been discovered in udisks2-a service to access and manipulate storage devices, which can result in Denial of Service (DoS). It is recommended to upgrade udisks2 packages.
CVE ID: CVE-2021-3802
Improper Access Controls vulnerability has been discovered in Hitachi Energy's Equipment- GMS600, PWC600, and Relion 670/650/SAM600-IO. Successful exploitation of this vulnerability can allow an attacker with user credentials to bypass security controls enforced by the product, which can lead to unauthorized modifications on data/firmware, and/or permanent disabling of the product.
CVE ID: CVE-2021-35534 (High)
It has been discovered that certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise PageWide, HP PageWide Managed products are vulnerable to potential buffer overflow.
CVE ID: CVE-2021-39238 (Critical)
An improper access control vulnerability has been discovered in Hitachi Energy's Equipment- Retail Operations and Counterparty Settlement and Billing (CSB) Product. Successful exploitation of this vulnerability can allow unauthorized access to data and modification of data inside the affected product.
CVE ID: CVE-2021-35528 (High)
Ubuntu has released security update to address a use after free issue in ICU - International Components for Unicode library. An attacker can use this issue to cause a Denial of Service (DoS) with crafted input. The affected products are Ubuntu 18.04LTS, Ubuntu 16.04ESM and Ubuntu 14.04ESM.
CVE ID: CVE-2020-21913 (Medium)
Cisco has released security updates to address several vulnerabilities in multiple Cisco products. An attacker may exploit these vulnerabilities to take control of an affected system.
F5 Networks has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
Multiple SQL Injection vulnerabilities have been discovered in Philips Tasy EMR HTML5 3.06.1803 and prior which can allow unauthorized access, or create a Denial of Service (DoS) condition. It is recommended to upgrade Tasy EMR HTML5 to Version 3.06.1804 or later.
CVE ID: CVE-2021-39375 (High), CVE-2021-39376 (High)
Multiple vulnerabilities have been discovered in VISAM VBASE Pro-RT/ Server-RT (Web Remote) Version 11.6.0.6. An attacker can exploit these vulnerabilities to take control of an affected system. It is recommended to update to VBASE v11.7.0.2 or later.
CVE ID: CVE-2021-95907 (High), CVE-2021-42535 (Medium), CVE-2021-42537 (Medium), CVE-2021-34803 (Medium), CVE-2020-13699 (Medium), CVE-2019-18988 (Medium), CVE-2018-16550 (Medium), CVE-2018-14333 (Medium), CVE-2005-2475 (Medium)
Multiple vulnerabilities have been discovered in DAQFactory All Versions 18.1 Build 2347 and prior. Successful exploitation of these vulnerabilities can allow code execution, memory corruption, or unauthorized access to user information.
CVE ID: CVE-2021-42543 (High), CVE-2021-42698 (High), CVE-2021-42699 (Medium), CVE-2021-42701 (Medium)
Multiple vulnerabilities have been discovered in Subversion Plugin version 2.15.0 and earlier, Jenkins 2.318 and earlier, Jenkins LTS 2.303.2 and earlier. It is recommended to update to Subversion Plugin version 2.15.1, Jenkins weekly to version 2.319 and Jenkins LTS to version 2.303.3 to resolve vulnerabilities.
Multiple vulnerabilities have been resolved in Thunderbird 91.3 . An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-38503 (High), CVE-2021-38504 (High), CVE-2021-38505 (High), CVE-2021-38506 (High), CVE-2021-38507 (High), CVE-2021-38508 , CVE-2021-38509, CVE-2021-38510
Mozilla has released security updates to address vulnerabilities in Firefox ESR and Firefox 94. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in HAProxy, distributed as part of Watson Knowledge Catalog for IBM Cloud Pak for Data. These flaws can allow a remote attacker to bypass security restrictions, caused by improper input validation by the ":method" field.
CVE ID: CVE-2021-39241 (Medium)
Multiple vulnerabilities have been discovered in several Fortinet products. An attacker can exploit these vulnerabilities to take control of an affected system.
A Cross-Site Scripting (XSS) vulnerability has been discovered in Sensormatic Electronics' Equipment- VideoEdge . Successful exploitation of vulnerability can allow the execution of untrusted code when viewing the VideoEdge admin graphical user interface. The affected products are VideoEdge all versions prior to v5.7.1 .
CVE ID: CVE-2020-11023 (Medium)
Multiple vulnerabilities have been discovered in WECON s' Equipment-PI Studio. Successful exploitation of these vulnerabilities can allow execution of code and disclose sensitive information under the context of administrator. The affected products are PI Studio HMI Versions 4.1.9 and prior and PI Studio Versions 4.2.125 and prior.
CVE ID: CVE-2018-14818 (High), CVE-2018-14810 (High), CVE-2018-17889 (Medium), CVE-2018-14814 (Low)
Security Update has been released for BIND 9 (Berkeley Internet Name Domain). The vulnerabilities can degrade resolver performance causing resulting in Denial of Service (DoS) or to experience an assertion failure in name.c .
CVE ID: CVE-2018-5740 (High), CVE-2021-25219
Multiple Vulnerabilities in have been discovered in InHand Networks' Equipment- IR615 Router. Successful exploitation of these vulnerabilities can allow an attacker to have full control over the product, remotely perform actions on the product, intercept communication and steal sensitive information, session hijacking, and successful brute-force against user passwords.
CVE ID: CVE-2021-38470 (Critical), CVE-2021-38478 (Critical), CVE-2021-38480 (Critical), CVE-2021-38484 (Critical), CVE-2021-38462 (Critical),CVE-2021-38472 (Low), CVE-2021-38486 (High), CVE-2021-38464 (Medium), CVE-2021-38474 (Medium), CVE-2021-38466 (High), CVE-2021-38482 (High), CVE-2021-38468 (High), CVE-2021-38476 (Medium)
Ubuntu has released security updates to address multiple vulnerabilities in Ceph. The affected products are Ubuntu 21.04 and Ubuntu 18.04 LTS.
CVE ID: CVE-2021-3531 (Medium), CVE-2021-3524 (Medium), CVE-2021-3509 (Medium), CVE-2021-20288 (High), CVE-2020-27781 (High)
Ubuntu has released security updates to resolve multiple vulnerabilities in WebKitGTK Web and JavaScript engines. The affected products are Ubuntu 21.10, Ubuntu 21.04 and Ubuntu 20.04 LTS.
CVE ID: CVE-2021-42762 (Medium), CVE-2021-30846 (High), CVE-2021-30851 (High)
Ubuntu has released security updates to resolve multiple vulnerabilities in mailman - Web-based mailing list manager package. The affected products are Ubuntu 20.04 LTS.
CVE ID: CVE-2020-12108(Medium), CVE-2020-12137(Medium), CVE-2021-42096(Medium), CVE-2020-15011(Medium), CVE-2021-42097 (High)
Multiple vulnerabilities have been discovered in several IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple security vulnerabilities have been discovered in GlusterFS, a clustered file system. These flaws can cause buffer overflow and path traversal issues which lead to information disclosure, Denial of Service (DoS) or the execution of arbitrary code. It is recommended to upgrade glusterfs Packages.
Android has released security bulletin to address multiple vulnerabilities affecting several Android devices. Security patch levels of 2021-11-06 or later address all of these issues.
A vulnerability has been discovered in Tiff, a Tag Image File Format library, which may result in denial of service or the execution of arbitrary code. It is recommended to upgrade tiff packages.
CVE ID: CVE-2020-19143 (Medium)
Multiple vulnerabilities have been discovered in several IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in the wpewebkit web engine which may lead to arbitrary code execution and sandbox bypassing. It is recommended to upgrade wpewebkit packages.
CVE ID: CVE-2021-30846 (High), CVE-2021-30851, CVE-2021-42762 (Medium)
A vulnerability has been discovered in Snort detection engine due to improper memory resource management while it processes ICMP packets. Multiple Cisco products are affected by this vulnerability. It is recommended to update the vulnerable release of Cisco Softwares.
CVE ID: CVE-2021-40114 (Medium)
A vulnerability has been discovered in the Internet Key Exchange Version 2 (IKEv2) implementation of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software due to improper control of a resource. It is recommended to update to the fixed versions.
CVE ID: CVE-2021-40125 (Medium)
Microsoft has released the latest Microsoft Edge Stable Channel (Version 95.0.1020.40) which incorporates the latest security updates of the Chromium project.
CVE ID: CVE-2021-25219 (Medium)
A vulnerability has been discovered affecting multiple versions of the ISC Berkeley Internet Name Domain (BIND) in which exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. It is recommended to upgrade to the patched release.
CVE ID: CVE-2021-25219 (Medium)
Google's Extended Stable channel 94.0.4606.113 for Windows and Mac and Stable channel 95.0.4638.69 for Windows, Mac and Linux has been updated. These versions address several vulnerabilities that an attacker can exploit to take control of an affected system.
A command injection vulnerability has been resolved in QNAP NAS running the Media Streaming add-on. Successful exploitation may allow remote attackers to run arbitrary commands.
CVE ID: CVE-2021-34362 (High)
Multiple vulnerabilities have been discovered in several IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
A stack-based buffer overflow vulnerability has been discovered in Delta Electronics DOPSoft Version 4.00.11 and prior. Successful exploitation of this vulnerability may allow arbitrary code execution. It is recommended to update to DOPSoft v4.00.11.22.
CVE ID: CVE-2021-33019 (High)
A use of hard-coded credentials vulnerability has been discovered in Sensormatic Electronics Victor Versions 5.7 and prior, which can allow unauthorised elevation of privileges. It is recommended to upgrade victor to Version 5.7.1.
CVE ID: CVE-2019-19492 (High)
Multiple vulnerabilities have been resolved in GitLab updated versions 14.4.1, 14.3.4, and 14.2.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
GoCD, an open-source Continuous Integration and Continuous Delivery system has released a security update to address a highly critical authentication vulnerability in GoCD versions 20.6.0 through 21.2.0.
Apple has released security updates to address vulnerabilities in Safari 15.1. An attacker can exploit some of these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-30887, CVE-2021-30888, CVE-2021-30889, CVE-2021-30890
A Denial-of-Service (DoS) vulnerability has been discovered in MELSEC iQ-R series C Controller Module due to uncontrolled resource consumption. A remote attacker can prevent the module from starting up by sending a large number of packets to the module starting up in a short time.
CVE ID: CVE-2021-20600 (Medium)
Juniper Networks has released security updates to resolve multiple vulnerabilities such as local privilege escalation vulnerability and improper privilege management vulnerability in Juniper Networks Junos OS and Junos OS Evolved.
CVE ID: CVE-2021-31359 (High), CVE-2021-31360 (High)
Juniper Networks has released security update to resolve a buffer overflow vulnerability in the TCP/IP stack of Juniper Networks Junos OS which allows an attacker to send specific sequences of packets to the device thereby causing a Denial of Service (DoS).
CVE ID: CVE-2021-0283 (High), CVE-2021-0284 (High)
F5 Networks has released security updates to address several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-3712 (High), CVE-2021-39226 (Critical), CVE-2019-11811 (Medium)
Google has released Chrome Beta 96 (96.0.4664.27) for Android and iOS, Beta channel 96.0.4664.25 (Platform version: 14268.18.0) for most Chrome OS devices and Beta channel 96.0.4664.27 for Windows, Mac and Linux. These versions address several vulnerabilities that an attacker can exploit to take control of an affected system.
A null dereference vulnerability has been discovered in mosquitto, MQTT message broker which can lead to crashes for applications using the library. It is recommended to upgrade mosquitto packages.
CVE ID: CVE-2017-7655 (High)
F5 Networks has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
Apple has released security updates to address vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
A vulnerability has been discovered in Pulse Connect Secure before 9.1R12.1 which can allow an unauthenticated user to cause a Denial of Service (DoS) when a malicious request is sent to the device.
CVE ID: CVE-2021-22965 (Medium)
Ubuntu has released security update to resolve multiple vulnerabilities in Libslirp. The affected product is Ubuntu 21.10.
CVE ID: CVE-2021-3593 (Low), CVE-2021-3595 (Low), CVE-2021-3594 (Low), CVE-2021-3592 (Low)
Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in several IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Fuji Electric Tellus Lite V-Simulator and V-Server Lite. It is recommended to update software to the latest version.
CVE ID: CVE-2021-38413 (High), CVE-2021-38419 (High), CVE-2021-38401 (High), CVE-2021-38421 (High), CVE-2021-38409 (High), CVE-2021-38415 (High)
The Federal Bureau of Investigation (FBI) has released Indicators of Compromise (IoCs) associated with attacks using Ranzy Locker, a ransomware variant.
Debian has released security update to address an out-of-bounds read and write vulnerability in the PHP-FPM code of php7.3 and php7.4 which can result in escalation of privileges from local unprivileged user to the root user.
CVE ID: CVE-2021-21703 (High)
Juniper Networks has released security update to resolve a vulnerability in the python cryptographic library used in Juniper Networks Junos OS and Wind River Linux which allows an attacker to perform timing oracle attacks against RSA decryption.
CVE ID: CVE-2020-25659 (Medium)
It has been discovered that threat actor NOBELIUM is attempting to gain access to downstream customers of multiple Cloud Service Providers (CSP), Managed Service Providers (MSP), and other IT services organisations that have been granted administrative or privileged access by other organizations.
McAfee has released security update to resolve multiple vulnerabilities in ePolicy Orchestrator. It is recommended to Install or update to ePO 5.10 CU 11.
CVE ID: CVE-2021-31834, CVE-2021-31835
Multiple vulnerabilities have been discovered in faad2, a freeware Advanced Audio Decoder player. It is recommended to upgrade faad2 packages.
CVE ID: CVE-2018-20199, CVE-2018-20360, CVE-2019-6956, CVE-2021-32274, CVE-2021-32276, CVE-2021-32277, CVE-2021-32278
Multiple vulnerabilities have been discovered in Mailman - Web-based mailing list manager. A remote attacker can use these vulnerabilities to perform Cross-Site Request forgery (CSRF) attack or brute force attack.
CVE ID: CVE-2021-42096, CVE-2021-42097
A vulnerability has been resolved in the proxy service of Cisco AsyncOS for Cisco Web Security Appliance (WSA) which can allow an unauthenticated, remote attacker to exhaust system memory and cause a Denial of Service (DoS) condition on an affected device. The updates are available.
CVE ID: CVE-2021-34698 (High)
Multiple vulnerabilities have been addressed in the Cisco ATA 190 Series Analog Telephone Adapter Software which can allow an attacker to perform a command injection attack resulting in Remote Code Execution (RCE) or cause a Denial of Service (DoS) condition on an affected device. The updates are available.
CVE ID: CVE-2021-34710 (High), CVE-2021-34735 (High)
A command injection vulnerability has been resolved in QNAP NAS running the Media Streaming add-on. This vulnerability can allow remote attackers to run arbitrary commands. It is recommended to update the Media Streaming add-on to the latest version.
CVE ID: CVE-2021-34362 (High)
Multiple vulnerabilities have been discovered in several IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Libwebp which may cause highest threat to data confidentiality, integrity, and system availability.
CVE ID: CVE-2018-25011 (Critical), CVE-2020-36328 (Critical), CVE-2020-36329 (Critical), CVE-2018-25014 (Critical)
Multiple vulnerabilities have been resolved in Linux kernel. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2020-3702 (Medium), CVE-2021-3732, CVE-2021-38198 (Medium), CVE-2021-38205 (Low), CVE-2021-40490 (High), CVE-2021-42008 (High)
A Remote Code Execution (RCE) vulnerability has been discovered in Discourse versions 2.7.8 and earlier. This issue is patched in the versions 2.7.9 or later.
CVE ID: CVE-2021-41163 (Critical)
Multiple vulnerabilities have been discovered in McAfee EPolicy Orchestrator. A remote attacker can exploit some of these vulnerabilities to trigger Denial of Service(DoS) condition, sensitive information disclosure, data manipulation and Cross-Site Scripting (XSS) on the targeted system. The updates are available.
CVE ID: CVE-2021-33037, CVE-2021-31835, CVE-2021-31834, CVE-2021-30639, CVE-2021-23840, CVE-2021-3712, CVE-2021-2432, CVE-2021-2161
A Remote Code Execution vulnerability has been discovered in Insight - Asset Management app & Jira Service Management Data Center and Server. It is recommended to upgrade to the latest version.
CVE ID: CVE-2018-10054 (Critical)
Multiple vulnerabilities have been resolved in Linux kernel for Microsoft Azure cloud systems. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2019-19449 (High), CVE-2020-26541 (Medium), CVE-2020-36311 (Medium), CVE-2021-22543 (High), CVE-2021-3612 (High), CVE-2021-3759, CVE-2021-38199 (Medium)
Multiple vulnerabilities have been fixed in libcaca - text mode graphics utilities. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-30498(Critical), CVE-2021-30499(Critical)
Microsoft has released the latest Microsoft Edge Stable Channel (Version 95.0.1020.30) which incorporates the latest security updates of the Chromium project.
Google has released updated Beta channel 96.0.4664.13 (Platform version: 14268.9.0) and Dev Channel 97.0.4669.0 (Platform version: 14295.0.0) for most Chrome OS devices, Chrome Beta 96 (96.0.4664.17) for Android, Dev channel 97.0.4676.0 and Beta channel for Windows, Mac and Linux.
A bug has been discovered in GPS Daemon(GPSD) used by Network Time Protocol (NTP) servers. The bug may rollback the date to 1,024 weeks which may cause systems and services to become unavailable or unresponsive. The affected versions of GPSD are versions 3.20-3.22.
Multiple vulnerabilities have been discovered in B. Braun Infusomat Space Large Volume Pump. Successful exploitation of these vulnerabilities can allow a remote unauthenticated attacker to gain user-level command-line access, send the device malicious data to be used in place of correct data, reconfigure the device from an unknown source, obtain sensitive information, or overwrite critical files. The security updates are available.
CVE ID: CVE-2021-33886 (Medium), CVE-2021-33885 (Critical), CVE-2021-33882 (Medium), CVE-2021-33883 (Medium), CVE-2021-33884 (Medium)
Multiple vulnerabilities have been discovered in Delta Electronics DIALink industrial automation server. An attacker can exploit these vulnerabilities to take control of an affected system. The affected products are DIALink versions 1.2.4.0 and prior.
It has been discovered that Babel.Locale in Babel before 2.9.1 allow attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution. It is recommended to upgrade python-babel packages.
CVE ID: CVE-2021-42771
Multiple vulnerabilities such as arbitrary code execution and Denial of Service (DoS) have been discovered in AutoCAD (DWG) file import function and OPC UA SDK respectively installed in GENESIS64 and MC Works64. It is recommended to update the software by using the GENESIS64 and MC Works64 security patches.
CVE ID: CVE-2021-27041 (High), CVE-2021-27432 (High)
Multiple vulnerabilities have been discovered in several IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
A reflected cross-site scripting (XSS) vulnerability has been discovered in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.
CVE ID: CVE-2021-23037 (Critical)
Multiple vulnerabilities such as Out of Bounds Write, Path Traversal, CSV Injection, Multiple Threads Race Condition, and Improper Signature Management have been discovered in several Huawei products. An attacker may exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-37129, CVE-2021-37130, CVE-2021-37131, CVE-2021-22340, CVE-2021-37127
It has been discovered that unsquashfs in squashfs-tools, the tools to create and extract Squashfs filesystems, does not check for duplicate filenames within a directory. An attacker can take advantage of this flaw for writing to arbitrary files to the filesystem if a malformed Squashfs image is processed. It is recommended to upgrade squashfs-tools packages.
CVE ID: CVE-2021-41072 (High)
It has been discovered that a carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).
CVE ID: CVE-2021-36160 (High)
Multiple vulnerabilities have been fixed in Linux kernel. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-42008, CVE-2021-38166, CVE-2021-40490, CVE-2021-3739, CVE-2021-3743, CVE-2021-3753, CVE-2021-3732, CVE-2020-3702
Ubuntu has released security update to address a vulnerability in strongSwan which may cause a Denial of Service (DoS) or possibly execute arbitrary code.
CVE ID: CVE-2021-41991
Oracle has released critical patch update for October 2021 containsing 419 new security patches for multiple vulnerabilities across multiple products. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
Oracle Solaris has released security update to address multiple vulnerabilities in third party software that is included in Oracle Solaris distributions.
The Oracle VM Server for x86 has released security bulletin. This Oracle VM Server for x86 Bulletin contains 14 new security patches for the Oracle VM Server for x86.
An information disclosure vulnerability has been discovered in vRealize Operations Tenant App. A malicious actor with network access to port 443 on the vRealize Operations Tenant App may access any set system environment variables. It is recommended to apply the patches.
CVE ID: CVE-2021-22034 (Medium)
Google has released Chrome 95 (95.0.4638.50) for Android, Chrome 95 for Windows, Mac and Linux , and Chrome 95 (95.0.4638.50) for iOS. These versions address several vulnerabilities that an attacker can exploit to take control of an affected system.
Multiple vulnerabilities have been discovered in several IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in AUVESY Versiondog. Successful exploitation of these vulnerabilities can allow an attacker to achieve remote code execution, and acquire complete remote control over the machine.
A Cross-site Scripting vulnerability has been discovered in Trane's Building Automation Controllers (Tracer SC). Successful exploitation of this vulnerability can allow an attacker to redirect a user to a malicious webpage and steal the user’s cookie.
CVE ID: CVE-2021-42534 (Medium)
Tenable has released Tenable.sc Patch 202110.1 to address multiple vulnerabilities. This patch updates Apache to version 2.4.51 to address the identified vulnerabilities.
CVE ID: CVE-2021-33193, CVE-2021-34798, CVE-2021-40438
Multiple vulnerabilities have been discovered in all versions of Uffizio GPS Tracker software. Successful exploitation of these vulnerabilities can allow an attacker to view sensitive information, gain code execution, cause a redirection to an arbitrary external domain and perform actions on behalf of an unsuspecting user.
CVE ID: CVE-2020-17483, CVE-2020-17485, CVE-2020-17484, CVE-2021-32927, CVE-2021-32929
A heap-based buffer overflow vulnerability has been discovered in all versions of SINUMERIK 808D and all versions prior to v4.95 of SINUMERIK 828D. Successful exploitation of this vulnerability can allow an unauthenticated attacker with network access to the affected devices to cause system failure with total loss of availability.
CVE ID: CVE-2021-37199
Multiple vulnerabilities have been discovered in Siemens SCALANCE. Successful exploitation of these vulnerabilities can allow an attacker to inject commands or trigger buffer overflows. It is recommended to upgrade SCALANCE W1750 to Versions 8.7.1.3 or later. Users should apply workarounds and mitigations to reduce the risk.
Multiple vulnerabilities have been discovered in WordPress, a web blogging tool which allow remote attackers to perform Cross-Site Scripting (XSS) attacks or impersonate other users. It is recommended to upgrade the WordPress packages.
CVE ID: CVE-2021-39200, CVE-2021-39201
Red Hat has released security update to address Server-Side Request Forgery (SSRF) vulnerability via a crafted request uri-path containing "unix:" in httpd: 2.4.
CVE ID: CVE-2021-40438
It has been discovered that a stack-based buffer overflow vulnerability exists in the Palo Alto Networks GlobalProtect app that enables a Man-In-The-Middle (MITM) attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges.
CVE ID: CVE-2021-3057 (High)
An information exposure vulnerability has been discovered in IBM WebSphere Application Server Liberty which allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. The affected products are all versions of Liberty for Java in IBM Cloud up to and including v3.61.
CVE ID: CVE-2021-29842 (Low)
Multiple vulnerabilities have been discovered in Draytek VigorConnect 1.6.0-B3. An attacker can exploit these vulnerabilities to take control of an affected system. Draytek has released fixes for these issues in VigorConnect 1.6.1.
VMware has released security updates to address multiple vulnerabilities in Cloud Foundation and vRealize products. A remote attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-22033 (Low), CVE-2021-22035 (Medium), CVE-2021-22036 (Medium)
ManageEngine has released security updates to address multiple vulnerabilities in OpManger v12.5. An attacker can exploit these vulnerabilities to take control of an affected system.
It has been discovered that Proofpoint Insider Threat Management Server contains an unsafe deserialization vulnerability in the Web Console. An attacker with write access to the local database can cause arbitrary code to execute with SYSTEM privileges on the underlying server. The affected products are all versions prior to 7.11.2.
CVE ID: CVE-2021-40843 (High)
Microsoft has released security updates to resolve multiple vulnerabilities in Microsoft software. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Schneider Electric's Equipment- Data Collector module for IGSS (Interactive Graphical SCADA System) product. Successful exploitation of these vulnerabilities can allow an attacker to gain code execution, read/delete files, and create arbitrary files. The affected products are IGSS Data Collector (dc.exe) V15.0.0.21243 and prior.
CVE ID: CVE-2021-22802 (Critical), CVE-2021-22803 (Critical), CVE-2021-22804 (High), CVE-2021-22805 (Medium)
Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as heap-based buffer overflow and stack-based buffer overflow have been discovered in Advantech's Equipment- WebAccess. Successful exploitation of these vulnerabilities can allow an attacker to gain Remote Code Execution (RCE). The affected products are WebAccess Versions 9.02 and prior.
CVE ID: CVE-2021-33023 (Critical), CVE-2021-38389 (Critical)
A missing authorization vulnerability has been discovered in Advantech's Equipment- WebAccess SCADA. Successful exploitation of this vulnerability can allow an attacker to access project names and paths. The affected products are WebAccess/SCADA: Versions 9.0.3 and prior.
CVE ID: CVE-2021-38431 (Medium)
Apple has released security update to address a memory corruption issue in multiple products. An application may be able to execute arbitrary code with kernel privileges.
CVE ID: CVE-2021-30883
Multiple vulnerabilities have been discovered in LibreOffice. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-25633, CVE-2021-25634, CVE-2021-25635
Google has released Chrome 94 (94.0.4606.85) for Android, and Dev channel 96.0.4657.0 (Platform version: 14268.0.0) for most Chrome OS devices. These versions address several vulnerabilities that an attacker can exploit to take control of an affected system.
A vulnerability has been discovered in Neutron- the OpenStack virtual network service which allows a reconfiguration of dnsmasq via crafted dhcp_extra_opts parameters. It is recommended to upgrade the neutron packages.
CVE ID: CVE-2021-40085
Multiple vulnerabilities have been discovered in MediaWiki, a website engine for collaborative work which can result in Cross-Site Scripting (XSS), Denial of Service (DoS) and certain unintended API access. It is recommended to upgrade the mediawiki packages.
CVE ID: CVE-2021-35197 (High), CVE-2021-41798, CVE-2021-41799
A vulnerability has been discovered in Libntlm which incorrectly handled specially crafted NTML requests. An attacker can possibly use this vulnerability to cause a Denial of Service (DoS) or another unspecified impact.
CVE ID: CVE-2019-17455
Several vulnerabilities have been discovered in the Apache HTTP server, which can result in Denial of Service (DoS). It is recommended to upgrade apache2 packages.
CVE ID: CVE-2021-34798 (High), CVE-2021-36160 (High), CVE-2021-39275 (Critical), CVE-2021-40438 (Critical)
Cisco has released security updates to resolve several vulnerabilities in multiple products.
CVE ID: CVE-2021-34720(High), CVE-2021-1594(High), CVE-2021-34713 (High)
Multiple vulnerabilities have been discovered in several IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-3757, CVE-2021-31525, CVE-2021-22118, CVE-2021-2388 , CVE-2021-2369 , CVE-2021-2432
It has been discovered that HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine which may cause more privileges than intended.
CVE ID: CVE-2021-42135
A stack-based buffer overflow vulnerability has been discovered in FATEK Automation's Equipment- Communication Server. Successful exploitation of this vulnerability can allow remote code execution. The affected products are Communication Server versions 1.13 and prior.
CVE ID: CVE-2021-38432 (Critical)
Multiple vulnerabilities have been discovered in FATEK Automation's Equipment- WinProladder. Successful exploitation of these vulnerabilities can allow arbitrary code execution, Remote Code Execution (RCE), heap corruption, and unauthorized information disclosure. The affected products are WinProladder: Versions 3.30 and prior.
CVE ID: CVE-2021-38438 (High), CVE-2021-38426 (High), CVE-2021-38434 (High), CVE-2021-38430 (High), CVE-2021-38436 (High), CVE-2021-38442 (High), CVE-2021-38440 (High)
Multiple vulnerabilities have been discovered in InHand Networks' Equipment- IR615 Router. Successful exploitation of these vulnerabilities can allow an attacker to have full control over the product, remotely perform actions on the product, intercept communication and steal sensitive information, session hijacking, and successful brute-force against user passwords. The affected products are IR615 Router: Versions 2.3.0.r4724 and 2.3.0.r4870.
Multiple vulnerabilities have been discovered in Johnson Controls' Equipment- exacqVision Server 32-bit, and exacqVision Server Bundle. Successful exploitation of these vulnerabilities can allow an unauthenticated remote user to exploit an integer overflow in the exacqVision Server with a specially crafted script and cause a Denial of Service (DoS) condition or access credentials stored in the exacqVision Server.
CVE ID: CVE-2021-27665 (High), CVE-2021-27664 (Critical)
Multiple vulnerabilities have been discovered in Mobile Industrial Robots' Equipment- MiR100, MiR200, MiR250, MiR500, MiR1000, MiR Fleet. Successful exploitation of these vulnerabilities can lead to privilege escalation, data exfiltration, control of the robot and Denial of Service (DoS) condition.
Google Chrome stable channel has been updated to 94.0.4606.81 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
CVE ID: CVE-2021-37977 (High), CVE-2021-37978 (High), CVE-2021-37979 (High), CVE-2021-37980 (High)
Apache Software Foundation has released security update to address path traversal and Remote Code Execution (RCE) vulnerabilities in Apache HTTP Server 2.4.49 and 2.4.50.
CVE ID: CVE-2021-41773 (Critical), CVE-2021-42013 (Critical)
Cisco has released software updates for Cisco ATA 190 Series to address multiple vulnerabilities. These vulnerabilities can allow an attacker to perform a command injection attack resulting in Remote Code Execution (RCE) or cause a Denial of Service (DoS) condition on an affected device.
CVE ID: CVE-2021-34710 (High), CVE-2021-34735 (High)
A Denial-of-Service (DoS) vulnerability has been discovered in MELSEC iQ-R series C Controller Module due to uncontrolled resource consumption. A remote attacker can prevent the module from starting up by sending a large number of packets to the module starting up in a short time.
CVE ID: CVE-2021-20600 (Medium)
A vulnerability has been discovered in multiple F5 products. The users with non-administrator roles with TMOS Shell (tmsh) access, can run arbitrary commands with elevated privilege using a crafted tmsh command.
CVE ID: CVE-2020-5858 (High)
Multiple vulnerabilities have been fixed in Linux kernel. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-22543, CVE-2021-38160, CVE-2021-41073, CVE-2021-3612, CVE-2020-26541, CVE-2021-38199
Cisco has released security updates to address several critical vulnerabilities in multiple Cisco products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Jenkins core. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2014-3577 (Medium), CVE-2021-21683 (Medium), CVE-2021-21684 (High), CVE-2021-21682 (Medium)
Red Hat has released security update to address vulnerability in JBoss Enterprise Web Server which may cause infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine.
CVE ID: CVE-2021-41079 (High)
F5 Networks has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
A vulnerability has been discovered in Salesforce DX Command Line Interface (CLI) that allows an authenticated user to create an access URL using the CLI interface.
Ubuntu has released security update to address vulnerability in Squid which may cause exposure of sensitive information or result in a Denial of Service (DoS).
CVE ID: CVE-2021-28116 (Medium)
Xen has released security update to address vulnerability in certain PCI devices. Successful exploitation of vulnerability can cause Denial of Service (DoS) and escalation of privilege.
CVE ID: CVE-2021-28702
Mozilla has released security updates to address vulnerabilities in Firefox ESR and Firefox 93. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in several Fortinet products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as improper handling of exceptional conditions and improper input validation have been discovered in Mitsubishi Electric's Equipment- GOT and Tension Controller. The affected products are GOT2000 series all versions, GOT SIMPLE series all versions and LE7-40GU-L all versions.
CVE ID: CVE-2021-20602 (High), CVE-2021-20603 (High), CVE-2021-20604 (High), CVE-2021-20605 (High)
Multiple vulnerabilities have been discovered in Emerson's Equipment- WirelessHART Gateway network communication devices. The affected products are WirelessHART 1410 Gateway-all versions prior to v4.7.94, WirelessHART 1410D Gateway all versions prior to v4.7.94 and WirelessHART 1420 Gateway all versions prior to v4.7.94.
CVE ID: CVE-2021-85337 (High), CVE-2021-03554 (High), CVE-2021-24769 (High), CVE-2021-22439 (High), CVE-2021-81019 (High), CVE-2021-10073 (High)
Multiple vulnerabilities such as cleartext transmission of sensitive information and authentication bypass by capture-replay have been discovered in Medtronic's Equipment - Medtronic MiniMed MMT-500 and MMT-503 Remote Controllers. Successful exploitation of these vulnerabilities can allow an attacker to replay captured wireless communications and cause an insulin (bolus) delivery.
CVE ID: CVE-2018-10634 (Medium), CVE-2018-14781 (Medium)
Multiple vulnerabilities have been discovered in Honeywell's Equipment- Experion Process Knowledge System (PKS) C200, C200E, C300 and ACE Controllers all versions. Successful exploitation of these vulnerabilities can lead to Remote Code Execution (RCE) and Denial of Service (DoS) conditions.
CVE ID: CVE-2021-38397 (Critical), CVE-2021-38395 (Critical), CVE-2021-38399 (High)
It has been discovered that when validating an origin server or peer certificate, Squid can incorrectly classify certain certificates as trusted. This vulnerability allows a remote server to obtain security trust when the trust is not valid and can cause clients to access to unsafe or hijacked services.
CVE ID: CVE-2021-41611 (High)
Apache has released security update to address multiple vulnerabilities in the Apache HTTP server. A remote attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-41524, CVE-2021-41773
Ubuntu has released security update to address vulnerability in docker.io which may cause expose of sensitive information or gain administrative privileges.
CVE ID: CVE-2021-41089 (Low)
Multiple vulnerabilities such as buffer overflow, out-of-bound read, and NULL pointer dereference have been discovered in fig2dev, utilities for converting XFig figure files. These vulnerabilities can lead to a Denial of Service (DoS) or other unspecified impact. It is recommended to upgrade the fig2dev packages.
Ubuntu has released security update to address several vulnerabilities in Mercurial package. An attacker can use these vulnerabilities to write arbitrary files to the target’s filesystem or cause a Denial of Service (DoS) or possibly execute arbitrary code.
CVE ID: CVE-2019-3902, CVE-2018-17983
Ubuntu has released security update to address vulnerability in MongoDB which incorrectly handled certain wire protocol messages. A remote attacker can possibly use this vulnerability to cause MongoDB to crash, resulting in a Denial of Service (DoS).
CVE ID: CVE-2019-20925 (High)
Ubuntu has released security update to address multiple vulnerability in LedgerSMB which incorrectly handled certain inputs. An attacker can use this vulnerability to leak sensitive information, cause Denial of Service (DoS), or execute arbitrary code.
CVE ID: CVE-2021-3693, CVE-2021-3694, CVE-2021-3731 (Medium)
Multiple vulnerabilities have been discovered in QEMU, a fast processor emulator which can result in Denial of Service (DoS) or the the execution of arbitrary code. It is recommended to upgrade the qemu packages.
CVE ID: CVE-2021-3544 (Medium), CVE-2021-3545 (Medium), CVE-2021-3546 (High), CVE-2021-3638, CVE-2021-3682 (High), CVE-2021-3713 (High), CVE-2021-3748
A vulnerability has been discovered in OpenSSL of multiple F5 products. A remote attacker can exploit the vulnerability by triggering an application to create an ASN1_STRING and process it with an affected OpenSSL function to access restricted information or cause a Denial-of-Service (DoS).
CVE ID: CVE-2021-3712 (Medium)
A vulnerability has been discovered in Netty - an open-source asynchronous event-driven network application framework of several F5 products. Successful exploitation may result in HTTP request smuggling.
CVE ID: CVE-2021-21295 (Medium)
Multiple vulnerabilities have been discovered in MediaWiki, a website engine for collaborative work, which can result in Cross-Site Scripting (XSS), Denial of Service (DoS) and a bypass of restrictions in the replace text extension. It is recommended to upgrade the mediawiki packages.
CVE ID: CVE-2021-35197 (High), CVE-2021-41798, CVE-2021-41799, CVE-2021-41800, CVE-2021-41801
Microsoft has released security updates to address multiple vulnerabilities in Edge (Chromium-based). An attacker may exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-37976, CVE-2021-37975, CVE-2021-37974
It has been discovered that a command injection vulnerability affects certain QNAP EOL devices running QVR. Successful exploitation can allow remote attacker to run arbitrary commands. The updates are available.
CVE ID: CVE-2021-34352 (Medium)
Google has released Chrome version 94.0.4606.71 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
CVE ID: CVE-2021-37974 (High), CVE-2021-37975 (High), CVE-2021-37976 (Medium)
Multiple vulnerabilities have been discovered in Linux kernel for Raspberry Pi systems. An attacker can use these vulnerabilities to expose sensitive information or cause Denial of Service (DoS).
CVE ID: CVE-2021-33624 (Medium), CVE-2021-3679 (Medium), CVE-2021-38160 (High), CVE-2021-38199 (Medium), CVE-2021-38204 (Medium)
Multiple vulnerabilities have been discovered in TagLib, a library for reading and editing audio meta data. It is recommended to upgrade the taglib packages.
CVE ID: CVE-2017-12678 (High), CVE-2018-11439 (Medium)
Multiple vulnerabilities have been discovered in Boston Scientific's Equipment- ZOOM LATITUDE Programmer/Recorder/Monitor Model 3120. Successful exploitation of these vulnerabilities can allow an attacker with physical access to the affected device to obtain patient protected health information, and/or compromise the integrity of the device.
CVE ID: CVE-2021-38400 (Medium), CVE-2021-38394 (Medium), CVE-2021-38392 (Medium), CVE-2021-38396 (Medium), CVE-2021-38398 (Medium)
Multiple vulnerabilities have been discovered in the chat client WeeChat. It is recommended to upgrade the weechat packages.
CVE ID: CVE-2020-8955, CVE-2020-9759, CVE-2020-9760, CVE-2021-40516
Multiple vulnerabilities have been discovered in MIT Kerberos package krb5, a system for authenticating users and services on a network. It is recommended to upgrade the krb5 packages.
CVE ID: CVE-2018-5729 (Medium), CVE-2018-5730 (Low), CVE-2018-20217 (Medium), CVE-2021-37750 (Medium)
A vulnerability has been discovered in the Lasso Security Assertion Markup Language (SAML) Single Sign-On (SSO) library. This vulnerability can allow an authenticated attacker to impersonate another authorised user when interacting with an application. The update has been released to resolve this vulnerability.
CVE ID: CVE-2021-28091(High)
It has been discovered that the build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint and are vulnerable to MITM attacks that allow the replacement of original binaries with arbitrary ones.
CVE ID: CVE-2021-41034
It has been discovered that the Credova_Financial WordPress plugin discloses a site’s associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled. The affected versions are Credova_Financial plugin 1.4.8 and below.
CVE ID: CVE-2021-39342 (Medium)
RedHat has released security update to address vulnerability and bug fix for Migration Toolkit for Containers (MTC) 1.6.0 .
CVE ID: CVE-2021-3749 (High)
Ubuntu has released security updates to address several vulnerabilities in Linux kernel and Apache HTTP server. An attacker can exploit these vulnerabilities to take control of an affected system.
Google has released stable channel 93.0.4577.95 (Platform version: 14092.66.0) for most Chrome OS devices, and Chrome Beta 95 (95.0.4638.32) for Android, iOS and Windows, Mac and Linux. These versions address several vulnerabilities that an attacker can exploit to take control of an affected system.
Huawei has released software updates to address an improper authentication vulnerability in Hero-CT060. Successful exploit can allow an attacker to do certain operations which the user are supposed not to do.
CVE ID: CVE-2021-37123
Google has released Dev channel 96.0.4652.0 (Platform version: 14244.0.0) for Chrome OS devices , 96.0.4655.0 for Linux and 96.0.4655.5 for Mac. These versions address several vulnerabilities that an attacker can exploit to take control of an affected system.
Multiple vulnerabilities have been discovered in Zimbra- a WebRTC stream aggregator. It is recommended to use Patch 19 for the Zimbra 9.0.0 and Patch 26 for Zimbra 8.8.15.
RedHat has released security updates to resolve multiple vulnerabilities in fwupd, shim, shim-unsigned-aarch64 and shim-unsigned-x64 .
CVE ID: CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233
Multiple file parsing vulnerabilities have been discovered in Solid Edge before SE2021MP8. These flaws can be triggered when the application reads files in IFC, JT or OBJ formats. It is recommended to update to the latest version.
CVE ID: CVE-2021-37202 (High), CVE-2021-37203 (High), CVE-2021-41533 (Low), CVE-2021-41534 (Low), CVE-2021-41535 (High), CVE-2021-41536 (High), CVE-2021-41537 (High), CVE-2021-41538 (Low), CVE-2021-41539 (High), CVE-2021-41540 (High)
Cisco has released security update to address a vulnerability in IPv6 traffic processing of Cisco IOS XE Wireless Controller Software for Cisco Catalyst 9000 Family Wireless Controllers. Successful exploitation of vulnerability can allow an unauthenticated, adjacent attacker to cause a Layer 2 (L2) loop in a configured VLAN, resulting in a Denial of Service (DoS) condition for that VLAN. The affected products are Catalyst 9800 Wireless Controllers and Catalyst 9800 Wireless Controllers for Cloud.
CVE ID: CVE-2021-34767 (High)
Multiple vulnerabilities have been discovered in Intel Processor which may allow an authorised user to potentially enable information disclosure via local access.
CVE ID: CVE-2021-0086 (Medium), CVE-2021-0089 (Medium)
Hikvision has released security update to resolve a command injection vulnerability in the web server of some Hikvision product. A remote attacker can exploit this vulnerability to take control of an affected device.
CVE ID: CVE-2021-36260
Ubuntu has released security updates to address several vulnerabilities in Linux kernel and Apache HTTP server. An attacker can exploit these vulnerabilities to take control of an affected system.
A Cross-Site Request Forgery (CSRF) vulnerability has been discovered in Streama. The application does not have CSRF checks in place when performing actions such as uploading local files. As a result, attackers can make a logged-in administrator upload arbitrary local files via a CSRF attack and send them to the attacker. The affected versions are Streama v1.10.3 and below.
CVE ID: CVE-2021-41764
A vulnerability has been discovered in the Safari extension bundled with versions 7.7.0 to 7.8.6 of 1Password for Mac. This vulnerability allows a malicious web page to autofill items in certain categories without user interaction when 1Password is unlocked.
CVE ID: CVE-2021-41795
It has been discovered that symlink exchange can allow host filesystem access in Kubernetes for Red Hat OpenShift Container Platform. Red Hat OpenShift Container Platform release 4.8.13 is available with updates to packages and images that fix several bugs and add enhancements.
CVE ID: CVE-2021-25741 (High)
A vulnerability has been discovered in the web filtering features of multiple Cisco products. This vulnerability can allow an unauthenticated remote attacker to bypass web reputation filters and threat detection mechanisms on an affected device and exfiltrate data from a compromised host to a blocked external server.
CVE ID: CVE-2021-34749 (Medium)
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-22137 (Low), CVE-2021-22135 (Low), CVE-2021-32029 (Medium)
Multiple vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leak. It is recommended to upgrade the Linux packages.
VMware has released security updates to address multiple vulnerabilities in vCenter Server and Cloud Foundation. A remote attacker can exploit these vulnerabilities to take control of an affected system.
Google has released Chrome version 94.0.4606.61 for Windows, Mac, and Linux. This version addresses a vulnerability CVE-2021-37973 that an attacker can exploit to take control of an affected system.
CVE ID: CVE-2021-37973 (High)
Multiple vulnerabilities have been discovered in Cisco SD-WAN vEdge Software. These vulnerabilities may allow an attacker to execute arbitrary code as the root user or cause a Denial of Service (DoS) condition on an affected device.
CVE ID: CVE-2021-1509 (High), CVE-2021-1510 (High), CVE-2021-1511 (Medium)
It has been discovered that Node.js y18n module may allows a remote attacker to execute arbitrary code on the system, caused by a prototype pollution vulnerability. By sending a specially-crafted request, an attacker can exploit this vulnerability to execute arbitrary code on the system.
CVE ID: CVE-2020-7774 (High)
It has been discovered that an improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings. The affected products are SMA 100 Series 9.0.0.10-28sv & earlier, 10.2.0.7-34sv & earlier and 10.2.1.0-17sv & earlier.
CVE ID: CVE-2021-20034 (Critical)
An uncontrolled search path element privilege escalation vulnerability has been discovered in Trend Micro HouseCall for Home Networks that can lead to arbitrary code execution. The affected versions are HouseCall for Home Networks 5.3.1225 and below.
CVE ID: CVE-2021-32466
Apple has released security updates to address vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Ovarro's Equipment TBox, a Remote Terminal Unit (RTU). Successful exploitation of these vulnerabilities can result in Remote Code Execution (RCE) which can cause a Denial-of-Service (DoS) condition. The affected products are TBoxLT2 (All models), TBox MS-CPU32, TBox MS-CPU32-S2, TBox RM2 ( All models), TBox TG2 ( All models) and all versions prior to TWinSoft 12.4 and Firmware 1.46.
CVE ID: CVE-2021-22646 (High), CVE-2021-22648 (High), CVE-2021-22642 (High), CVE-2021-22640 (High), CVE-2021-22644 (High)
A code injection vulnerability has been discovered in Trane's Equipment- Symbio 700 and Symbio 800 controllers. Successful exploitation of this vulnerability can allow an authenticated user to execute arbitrary code on the controller.
CVE ID: CVE-2021-38448 (High)
A code injection vulnerability has been discovered in Trane's Equipment- Tracer SC, Tracer SC+, and Tracer Concierge. Successful exploitation of this vulnerability can allow an authenticated user to execute arbitrary code on the controller.
CVE ID: CVE-2021-38450 (Critical)
Ubuntu has released security update to resolve CA-certificates issue in Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 21.04.
Ubuntu has released security updates to address several vulnerabilities in EDK II. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2019-11098 (Medium), CVE-2021-38575, CVE-2021-3712 (High), CVE-2021-23840 (High)
Cisco has released security updates to address several critical vulnerabilities in multiple Cisco products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as server-side request forgery, path traversal, improper file upload control and command injection have been discovered in several Huawei products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-37104, CVE-2021-22440 (Medium), CVE-2021-37105, CVE-2021-37106
Ubuntu has released security updates to address several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
Ubuntu has released security updates to address several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-3612 (High), CVE-2021-22543 (High), CVE-2021-38160 (High), CVE-2021-34693 (Medium)
It has been discovered that in Progress WhatsUp Gold- an application endpoint failed to adequately sanitize malicious input which can allow an unauthenticated attacker to execute arbitrary code in a victim’s browser. The affected versions are WhatsUp Gold prior to 21.1.0.
CVE ID: CVE-2021-41318
Multiple vulnerabilities such as improper access control, DLL sideloading and improper privilege management have been discovered in McAfee Agent for Windows prior to 5.7.4. It is recommended to update to McAfee Agent 5.7.4.
CVE ID: CVE-2021-31847 (High), CVE-2021-31841 (High), CVE-2021-31836 (Medium)
VMware has released security updates to address multiple vulnerabilities in vCenter Server and Cloud Foundation. A remote attacker can exploit these vulnerabilities to take control of an affected system.
Google has released stable channel 94.0.4606.54 and Dev channel 95.0.4638.17 for Windows, Mac and Linux, Chrome 94 (94.0.4606.50) for Android, and Chrome 94 (94.0.4606.52) for iOS. These versions address several vulnerabilities that an attacker can exploit to take control of an affected system.
NETGEAR has released security updates to address a remote code execution vulnerability in multiple NETGEAR routers. A remote attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-40847 (High)
Apple has released security updates to address vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected device. The affected products are versions prior to iOS 15, versions prior to iPadOS 15, versions prior to Safari 15, versions prior to tvOS 15, versions prior to watchOS 8, versions prior to iTunes 12.12 for Windows and versions prior to Xcode 13.
Multiple vulnerabilities have been discovered in rh-ruby27-ruby. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2020-36327 (High), CVE-2021-31799 (High), CVE-2021-31810 (Medium), CVE-2021-32066 (High)
Multiple vulnerabilities have been discovered in Moodle. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-40695, CVE-2021-40694, CVE-2021-40693, CVE-2021-40692, CVE-2021-40691
Multiple vulnerabilities have been discovered in nextcloud desktop client which can result in information disclosure. It is recommended to upgrade the nextcloud-desktop packages.
CVE ID: CVE-2021-22895 (Medium), CVE-2021-32728 (Medium)
It has been discovered that the legacy 1.0 version of OpenSSL fails to validate alternate trust chains in some conditions. It is recommended to upgrade the openssl1.0 packages.
A potential DOM-based Cross Site Scripting (XSS) vulnerability has been discovered in HPE StoreOnce. Successful exploitation of this vulnerability can cause an elevation of privilege which lead to partial impact to confidentiality, availability and integrity. CVE ID: CVE-2021-26587 (Medium)
Ubuntu has released security update to address multiple vulnerabilities in the Linux kernel. CVE ID: CVE-2021-3656, CVE-2021-3653, CVE-2021-34693 (Medium), CVE-2021-3612 (High), CVE-2021-38160 (High)
Apache has released security update to address multiple vulnerabilities in the Apache HTTP server. A remote attacker can exploit these vulnerabilities to take control of an affected system. CVE ID: CVE-2021-33193 (High), CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438
Multiple vulnerabilities have been discovered in Moxa's Equipment- MGate Series, MXview Series. An attacker can exploit these vulnerabilities to take control of an affected system. CVE ID: CVE-2021-33823, CVE-2021-33824
McAfee has released security update to address multiple vulnerabilities such as improper privileges management and XML entity expansion injection in McAfee Endpoint Security (ENS) for Windows.
CVE ID: CVE-2021-31843 (High), CVE-2021-31842 (Medium)
Microsoft has released an update to address a Remote Code Execution (RCE) vulnerability in Azure Linux Open Management Infrastructure (OMI). An attacker can use this vulnerability to take control of an affected system.
CVE ID: CVE-2021-38647 (Critical)
Ubuntu has released security updates to address several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
An authentication bypass vulnerability affecting Representational State Transfer (REST) Application Programming Interface (API) URLs has been discovered in Zoho ManageEngine ADSelfService Plus, which can cause Remote Code Execution (RCE). Zoho ManageEngine ADSelfService Plus has released security update to address this vulnerability. The affected versions are Zoho ManageEngine ADSelfService Plus version 6113 and prior.
CVE ID: CVE-2021-40539
Multiple vulnerabilities such as access bypass, and Cross Site Request Forgery(CSRF) have been discovered in Drupal. An attacker can exploit these vulnerabilities to take control of an affected system. The affected products are Drupal 9.2, Drupal 9.1 and Drupal 8.9.
CVE ID: CVE-2020-13673, CVE-2020-13674, CVE-2020-13675, CVE-2020-13676, CVE-2020-13677
Ubuntu has released security updates to address several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
It has been discovered that when Tomcat is configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet can be used to trigger an infinite loop resulting in a Denial of Service (DoS). The affected versions are Apache Tomcat 10.0.0-M1 to 10.0.2, 9.0.0-M1 to 9.0.43, and 8.5.0 to 8.5.63.
CVE ID: CVE-2021-41079
A vulnerability has been discovered in the IP Service Level Agreements (IP SLA) responder and Two-Way Active Measurement Protocol (TWAMP) features of Cisco IOS XR Software. Successful exploitation of this vulnerability can allow an unauthenticated remote attacker to cause device packet memory to become exhausted or cause the IP SLA process to crash, resulting in a Denial of Service (DoS) condition.
CVE ID: CVE-2021-34720 (High)
Apple has released security update to resolve vulnerability in iTunes U for iOS and iPadOS. An attacker can exploit this vulnerability to take control of an affected device.
CVE ID: CVE-2021-30862
Ubuntu has released security update for Squashfs-Tools which mishandled certain malformed SQUASHFS files. An attacker can use this vulnerability to write arbitrary files to the filesystem.
CVE ID: CVE-2021-41072
A potential unauthorized information security vulnerability has been discovered in Micro Focus Directory and Resource Administrator (DRA). The affected products are all DRA versions prior to 10.1 Patch 1. The updates are available.
CVE ID: CVE-2021-22535 (Medium)
A path traversal vulnerability has been discovered in Schneider Electric's Equipment- EcoStruxure Control Expert, EcoStruxure Process Expert and SCADAPack RemoteConnect for x70. Successful exploitation of this vulnerability can result in code execution on the engineering workstation.
CVE ID: CVE-2021-22796 (High)
Multiple vulnerabilities such as exposure of sensitive information to an unauthorised actor, execution with unnecessary privileges and improper handling of insufficient permissions or privileges have been discovered in Siemens' Equipment- RUGGEDCOM ROX. Successful exploitation of these vulnerabilities can allow an attacker to gain root access to the affected devices.
CVE ID: CVE-2021-37173 (High), CVE-2021-37174 (High), CVE-2021-37175 (Medium)
A Remote Code Execution (RCE) vulnerability has been discovered in Windows WLAN AutoConfig which can allow a remote attacker to execute arbitrary code on the target system.
CVE ID: CVE-2021-36965 (High)
McAfee has released security update to resolve a buffer overflow vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows and DLP Discover.
CVE ID: CVE-2021-31844 (High), CVE-2021-31845 (High)
Adobe has released security updates to address several vulnerabilities in multiple Adobe products. An attacker can exploit these vulnerabilities to take control of an affected system.
Citrix has released a security update to address a vulnerability affecting Citrix ShareFile storage zones controller. A remote attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-22941
Microsoft has released security updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in several Siemens products. An attacker can exploit these vulnerabilities to take control of an affected system.
An improper authentication vulnerability has been discovered in Digi International's Equipment- PortServer TS 16. Successful exploitation of this vulnerability allows write access, which grants control of settings, command execution and access to the command line interface.
CVE ID: CVE-2021-38412 (Critical)
An authentication bypass vulnerability has been discovered in Johnson Controls' Equipment- KT-1 door controllers. Successful exploitation of this vulnerability can allow replay attacks. The affected versions are KT-1 door controllers’ versions up to and including 3.01.
CVE ID: CVE-2021-27662 (High)
Multiple vulnerabilities have been discovered in several products of Schneider Electric. A remote attacker can exploit these vulnerabilities to take control of an affected system.
SAP has released security updates to address several vulnerabilities affecting multiple products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
A Denial of Service (DoS) vulnerability has been discovered in Mitsubishi Electric's Equipment- MELSEC iQ-R Series modules. When a module receives a specially crafted SLMP packet from a malicious attacker, the program execution and communication may enter a DoS condition.
CVE ID: CVE-2020-5668 (High)
Apple has released security updates to address two vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-30858, CVE-2021-30860
Ubuntu has released security updates to address several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-3653, CVE-2021-3656, CVE-2021-22555 (High), CVE-2021-33909 (High), CVE-2021-40330 (High)
Google has released stable channel 93.0.4577.82 for Windows, Mac and Linux, Chrome 93 (93.0.4577.82) for Android, Dev channel 95.0.4635.0 (Platform version: 14209.0.0) for most Chrome OS devices, and Chrome 93 (93.0.4577.78) for iOS. These versions address several vulnerabilities that an attacker can exploit to take control of an affected system.
Multiple vulnerabilities have been discovered in multiple IBM products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
It has been discovered that mlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. An attacker can exploit this vulnerability to cause the application to enter into an infinite loop resulting in a Denial of Service (DoS).
CVE ID: CVE-2020-7595
It has been discovered that Ghostscript incorrectly handled certain PostScript files. If a user or automated system is tricked into processing a specially crafted file, a remote attacker can use this vulnerability to access arbitrary files, execute arbitrary code, or cause a Denial of Service(DoS).
CVE ID: CVE-2021-3781
Multiple vulnerabilities such as certificate validation and NULL pointer dereference have been discovered in OpenSSL that affects multiple Cisco products. Exploitation of these vulnerabilities can allow an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organisation, user or device or to cause a Denial of Service (DoS) condition.
CVE ID: CVE-2021-3450 (High), CVE-2021-3449 (Medium)
Multiple vulnerabilities have been resolved in several QNAP products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-28816 (High), CVE-2021-34343 (High), CVE-2021-34344 (Critical), CVE-2021-34345 (Critical), CVE-2021-34346 (Critical), CVE-2021-28813 (High), CVE-2018-19957 (High)
F5 Networks has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
A DLL hijacking vulnerability has been discovered in AVEVA's Equipment- Platform Common Services (PCS) Portal. Successful exploitation of this vulnerability can allow malicious code execution within context of the PCS Portal application.
CVE ID: CVE-2021-38410 (High)
Multiple vulnerabilities have been discovered in NetApp Products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-38402 (High), CVE-2021-38406 (High), CVE-2021-38404 (High)
Multiple vulnerabilities such as stack-based buffer overflow, out-of-bounds write and heap-based buffer overflow have been discovered in Delta Electronics' Equipment- DOPSoft 2. Successful exploitation of these vulnerabilities may allow arbitrary code execution. The affected products are DOPSoft 2 version 2.00.07 and prior.
CVE ID: CVE-2021-38402 (High), CVE-2021-38406 (High), CVE-2021-38404 (High)
Multiple vulnerabilities have been discovered in NTFS-3G, a read-write NTFS driver for FUSE. A local user can take advantage of these vulnerabilities for local root privilege escalation. It is recommended to upgrade the ntfs-3g packages.
It has been discovered that Postorius, the administrative web frontend for Mailman 3, do not validate whether a logged-in user owns the email address when unsubscribing. It is recommended to upgrade the postorius packages.
CVE ID: CVE-2021-40347
Microsoft has released the latest Microsoft Edge Stable Channel Version 93.0.961.44 which incorporates the latest Security Updates of the Chromium project.
CVE ID: CVE-2021-38669 (Medium)
Multiple vulnerabilities have been discovered in several IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
Ubuntu has released security update to address multiple vulnerabilities in the Linux kernel.
CVE ID: CVE-2021-3656, CVE-2021-3653, CVE-2021-34693, CVE-2021-3612, CVE-2021-38160
Huawei has released software updates to address an improper authorization vulnerability in some Huawei products. An attacker can exploit this vulnerability by physically accessing the device and implanting malicious code. Successful exploitation can lead to arbitrary code execution in the target device.
CVE ID: CVE-2021-37101
The Stable channel has been updated to 93.0.4577.69 (Platform version: 14092.46.0) for most Chrome OS devices. Systems will be receiving updates over the next several days.
Zoho has released a security update on an authentication bypass vulnerability affecting ManageEngine ADSelfService Plus that can result in Remote Code Execution (RCE). A remote attacker can exploit this vulnerability to take control of an affected system. The affected versions are ManageEngine ADSelfService Plus builds 6113 and below.
CVE ID: CVE-2021-40539
Ubuntu has released security updates to address multiple vulnerabilities in GD Graphics Library. An attacker can possibly use these vulnerabilities to cause a crash or expose sensitive information or Denial of Service (DoS).
CVE ID: CVE-2017-6363 (High), CVE-2021-38115 (Medium), CVE-2021-40145 (High)
Ubuntu has released security updates to address vulnerability in Open vSwitch. A remote attacker can use this vulnerability to cause Open vSwitch to crash resulting in a Denial of Service (DoS) or possibly execute arbitrary code.
CVE ID: CVE-2021-36980 (Medium)
Ubuntu has released security updates to address vulnerability in cpio, a tool to manage archives of files. A remote attacker can use this vulnerability to cause cpio to crash resulting in a Denial of Service (DoS), or possibly execute arbitrary code.
CVE ID: CVE-2021-38185 (High)
Multiple vulnerabilities have been discovered in various Palo Alto Networks products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2020-10188 (High), CVE-2021-3051 (High), CVE-2021-3052 (High), CVE-2021-3053 (High), CVE-2021-3054 (High), CVE-2021-3055 (Medium), CVE-2021-3049 (Low)
Cisco has released security updates to address multiple vulnerabilities in several Cisco products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in several IBM products. An attacker can exploit these vulnerabilities to take control of an affected system. The updates are available.
It has been discovered that KVM hypervisor implementation for AMD processors in the Linux kernel do not properly prevent a guest VM from enabling AVIC in nested guest VMs. An attacker in a guest VM can use this to write to portions of the host’s physical memory. Ubuntu has released security update for Ubuntu 16.04 and 14.04 to address this vulnerability in Linux kernel .
CVE ID: CVE-2021-3653
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 05 Sep 2021 or later address all of these issues.
Mozilla has released security updates to address multiple vulnerabilities in Firefox, Firefox ESR and Thunderbird. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in several IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in several Fortinet products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-26116, CVE-2021-22127, CVE-2021-24017, CVE-2021-24016, CVE-2021-32600, CVE-2019-16151, CVE-2021-36169, CVE-2019-17655 , CVE-2020-29012, CVE-2021-36179 , CVE-2021-36182, CVE-2020-29013
Multiple vulnerabilities have been discovered in MELSEC iQ-R Series CPU Module. Successful exploitation of these vulnerabilities can allow a remote attacker an unauthorized access to legitimate usernames, CPU module access, or the ability to deny access to legitimate users.
CVE ID: CVE-2021-20594 (Medium), CVE-2021-20597 (High), CVE-2021-20598 (Low)
Debian has released security update to address a vulnerability in haproxy which can result in request smuggling attacks or response splitting attacks.
CVE ID: CVE-2021-40346 (Critical)
Tenable has released upgraded version Nessus Agent 8.3.1 which resolve multiple local privilege escalation vulnerabilities in Nessus Agent 8.3.0 and earlier versions.
CVE ID: CVE-2021-20117, CVE-2021-20118
Microsoft has released mitigation and workaround to address a Remote Code Execution (RCE) vulnerability in several Window products.
CVE ID: CVE-2021-40444 (Medium)
A vulnerability has been discovered in Hitachi ABB Power Grids' System Data Manager SDM600 all versions prior to 1.2 FP2 HF6. Successful exploitation of this vulnerability can allow access to sensitive information.
CVE ID: CVE-2021-35526
Multiple DoS vulnerabilities have been discovered in Mitsubishi TCP/IP Protocol Stack of GOT and Tension Controller due to improper handling of exceptional conditions and improper input validation. It is recommended to follow mitigation measures to minimize the risk of exploitations.
Debian has released security update to address XML External Entity (XXE) injection vulnerability in pywps which allows an attacker to view files on the application server filesystem by assigning a path to the entity.
CVE ID: CVE-2021-39371 (High)
CISA has released Insights on Risk Considerations for Managed Service Provider Customers (MSPs), which provides MSP customers a framework for reducing risk. The framework is designed for government and private sector organizations of all sizes, and suggests considerations for IT management planning, best practices, and tools for reducing overall risk.
Cisco has released software updates to resolve a Remote Code Execution (RCE) vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software.
CVE ID: CVE-2021-1518 (Medium)
Multiple vulnerabilities have been discovered in IBM Cloud Private. An attacker can exploit these vulnerabilities to take control of an affected device. The security updates are available.
CVE ID: CVE-2020-7016 (Medium), CVE-2020-7017 (Medium), CVE-2020-7018 (Medium), CVE-2020-7019 (Medium)
Microsoft has released the latest Microsoft Edge Stable Channel (Version 93.0.961.38), which incorporates the latest Security Updates of the Chromium project.
A vulnerability has been discovered in JTEKT TOYOPUC Products. Successful exploitation of this vulnerability can allow a remote attacker to deny ethernet communications between affected devices without authorization.
A vulnerability has been discovered in WebAccess, an HMI platform. Successful exploitation of this vulnerability may allow Remote Code Execution (RCE).
CVE ID: CVE-2021-38408
An identity authentication bypass vulnerability has been discovered in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
CVE ID: CVE-2021-33044 (High), CVE-2021-33045 (High)
Cisco has released security updates to address a critical vulnerability affecting Cisco Enterprise Network Function Virtualization Infrastructure Software (NFVIS) Release 4.5.1. Successful exploitation may allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator.
CVE ID: CVE-2021-34746 (Critical)
Moxa has released security updates to address multiple vulnerabilities in several products of Moxa's TAP-323 Series and WAC-1001/2004 Series Railway Wireless Controllers. As the WAC-2004 Series has been discontinued, Moxa has advised workaround to minimise risk.
Moxa has released security updates to address multiple vulnerabilities in several products of Mox's OnCell G3470A-LTE and WDR-3124A Series Cellular Gateways/Router. As the WDR-3124A Series has been discontinued, Moxa has advised workaround to minimise risk.
Red Hat has released security update to resolve multiple vulnerabilities and bugs in OpenShift Container Platform 4.7.28.
CVE ID: CVE-2021-27218 (High), CVE-2021-22555 (High), CVE-2021-22543 (High), CVE-2021-3609, CVE-2021-3121 (High)
Cisco has released security updates to address several vulnerabilities in multiple Cisco products.
CVE ID: CVE-2021-34746 (Critical), CVE-2021-34733 (Medium), CVE-2021-34732 (Medium), CVE-2021-34759 (Medium), CVE-2021-34765 (Medium)
Multiple vulnerabilities have been discovered in the GPAC multimedia framework which can result in Denial of Service (DoS) or the execution of arbitrary code.
Google Chrome stable channel has been updated to 93.0.4577.63 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
It has been discovered that Squashfs Tools, mishandled certain malformed SQUASHFS files. An attacker can use this vulnerability to write arbitrary files to the filesystem. Ubuntu has released security update to address this vulnerability in Ubuntu 21.04, Ubuntu 20.04 and Ubuntu 18.04.
CVE ID: CVE-2021-40153
GitLab has released version 14.2.2, 14.1.4, and 14.0.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).
CVE ID: CVE-2021-22258, CVE-2021-22257, CVE-2021-22238
SUSE has released security updates to address multiple vulnerabilities in mysql-connector-java.
CVE ID: CVE-2020-2875 (Medium), CVE-2020-2933 (Low), CVE-2020-2934 (Medium)
SUSE has released security update to address vulnerability in bind. A truncated TSIG response can lead to an assertion failure.
CVE ID: CVE-2020-8622 (Medium)
Grilo is a framework for discovering and browsing media. It was discovered that grilo incorrectly handled certain TLS certificate verification which attackers can use to perform MITM attacks. The issue can be resolved by updating the packages.
CVE ID: CVE-2021-39365 (Medium)
A heap-based buffer overflow issue was discovered in gthumb. It is recommended to upgrade gthumb packages to fixed version 3:3.4.4.1-5+deb9u2 to resolve the issue.
CVE ID: CVE-2019-20326 (High)
It was discovered that a test was not correctly backported from the latest upstream release of redis, thus binaries were not available on all LTS platforms. The problem has been fixed in this update.
CVE ID: CVE-2021-32761 (High)
Improper Authorization vulnerability has been discovered in Controlled Electronic Management Systems' AC2000. Successful exploitation of this vulnerability could allow a remote attacker access to the system without adequate authorization.
CVE ID: CVE-2021-27663 (High)
Multiple vulnerabilities have been discovered in Delta Electronics' DIAEnergie version 1.7.5 and prior. Successful exploitation of these vulnerabilities could allow an attacker to retrieve passwords in cleartext, remotely execute code, cause a user to carry out an action unintentionally, or log in and use the device with administrative privileges.
A stack-based buffer overflow vulnerability has been discovered in Delta Electronics' DOPSoft version 4.00.11 and prior, which may allow an attacker to execute arbitrary code.
CVE ID: CVE-2021-33019 (High)
It has been discovered that libssh can be made to crash or run programs using specially crafted network traffic. Ubuntu has released security update to address this vulnerability in Ubuntu 21.04 and Ubuntu 20.04 LTS.
CVE ID: CVE-2021-3634
It has been discovered that OpenSSL incorrectly handled certain ASN.1 strings. A remote attacker can use this issue to cause OpenSSL to crash or obtain sensitive information. Ubuntu has released security update to address this vulnerability in Ubuntu 18.04LTS, Ubuntu 16.04 ESM and Ubuntu 14.04 ESM.
CVE ID: CVE-2021-3712
An OGNL injection vulnerability has been discovered in Confluence Server and Data Center. Successful exploitation may allow an authenticated user and in some instances unauthenticated user to execute arbitrary code. Atlassian has released versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0 to address this vulnerability.
CVE ID: CVE-2021-26084 (Critical)
Red Hat has released security update to address multiple vulnerabilities in several OpenShift Service Mesh.
CVE ID: CVE-2021-32777 (High), CVE-2021-32779 (High), CVE-2021-32781 (High), CVE-2021-39155 (High), CVE-2021-39156 (High)
A vulnerability has been discovered in an API endpoint of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud APIC that allows an unauthenticated remote attacker to read or write arbitrary files on an affected system. Cisco has released security update to address vulnerability.
CVE ID: CVE-2021-1577
Firefox released security update USN-5037-1 to resolve multiple vulnerabilities which caused Firefox to repeatedly prompt for a password. Firefox has released fresh update USN-5037-2 to resolve issue.
A Cross-Site Scripting (XSS) vulnerability due to improper user input validation has been discovered in VMware vRealize Log Insight and VMware Cloud Foundation. It is recommended to update affected VMware products to remediate this vulnerability.
CVE ID: CVE-2021-22021 (Medium)
RedHat has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
Ubuntu has released security updates to address several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
A vulnerability has been discovered in Joomla! CMS 4.0.0. The media manager does not correctly checks the user's permissions before executing a file deletion command. It is recommended to upgrade to Joomla! CMS version 4.0.1.
CVE ID: CVE-2021-26040 (High)
A SM2 decryption buffer overflow vulnerability has been discovered in OpenSSL versions 1.1.1k and below. It is recommended to upgrade to OpenSSL 1.1.1l.
CVE ID: CVE-2021-3711 (High)
Multiple vulnerabilities have been discovered in several IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Hitachi ABB Power Grids equiment -TropOS and Retail Operations and Counterparty Settlement Billing (CSB) software. An attacker can exploit these vulnerabilities to take control of an affected system.
A heap-based buffer overflow vulnerability has been discovered in Delta Electronics TPEditor. Successful exploitation of this vulnerability may allow for arbitrary code execution.
CVE ID: CVE-2021-33007 (High)
F5 Networks has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
CVE ID: CVE-2020-8277, CVE-2020-1971, CVE-2021-25214, CVE-2020-14364, CVE-2020-13692, CVE-2021-25215
An impersonate vulnerability has been discovered in the TCP protocol stack of multiple Mitsubishi Electric products. An attacker can impersonate a legitimate device and execute arbitrary commands, which may cause information disclosure, information tampering or destruction.
CVE ID: CVE-2020-16226 (Critical)
An integer overflow vulnerability has been discovered in BlackBerry QNX Products which affects Cisco Products. Successful exploitation can allow an attacker to execute arbitrary code or cause a Denial of Service (DoS).
CVE ID: CVE-2021-22156 (Critical)
A vulnerability has been discovered in Java SE related to the Java SE Security component in ITNCM version 6.4.2 product which can allow an unauthenticated attacker to cause a Denial of Service (DoS). It is recommended to upgrade to ITNCM 6.4.2 Fix Pack 14 (6.4.2.14).
CVE ID: CVE-2020-2773 (Low)
An out-of-bounds array read vulnerability in the apr_time_exp*() functions has been resolved in the Apache Portable Runtime 1.6.3 release. The same vulnerability is still not resolved in APR 1.7.x branch.
CVE ID: CVE-2017-12613 (High)
A flaw in the signature verification code in Tor, a connection-based low-latency anonymous communication system has been discovered. A remote attacker can take advantage of this flaw to cause an assertion failure, resulting in Denial of Service (DoS). It is recommended to upgrade tor packages.
CVE ID: CVE-2021-38385
A vulnerability in tnef, a tool to unpack MIME application/ms-tnef attachments has been resolved. It is recommended to upgrade tnef packages.
CVE ID: CVE-2019-18849 (Medium)
It has been discovered that malicious cyber actors are actively exploiting the ProxyShell vulnerabilities. It is recommended to identify vulnerable systems on the networks and immediately apply Microsoft's Security Update from May 2021 to remediate the vulnerabilities.
CVE ID: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207
A vulnerability has been fixed in scrollz, an advanced ircII-based IRC client. A crafted CTCP UTC message could allow an attacker to disconnect the victim from an IRC server due to a segmentation fault and client crash. It is recommended to upgrade scrollz packages.
CVE ID: CVE-2021-29376 (High)
Multiple vulnerabilities such as Heap-based Buffer Overflow, Null Pointer Dereference, and Improper Handling of Exceptional Conditions have been discovered in AVEVA SuiteLink Server. Successful exploitation of these vulnerabilities can allow a malicious entity to crash the server.
CVE ID: CVE-2021-32959, CVE-2021-32963, CVE-2021-32979, CVE-2021-32971, CVE-2021-32987, CVE-2021-32999
Microsoft has released security updates to address multiple vulnerabilities in Microsoft Edge Stable Channel (Version 92.0.902.78). A remote attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-30604, CVE-2021-30603, CVE-2021-30602, CVE-2021-30601, CVE-2021-30599, CVE-2021-30598
Schneider Electric has released security bulletin for multiple memory allocation vulnerabilities dubbed as ‘BadAlloc’ that affect a wide range of domains including Industrial Control Systems, Industrial IoT, medical IoT and Operational Technology (OT).
A denial of service vulnerability has been discovered in VMware Workspace ONE UEM console. A malicious actor with access to /API/system/admins/session can cause an API denial of service due to improper rate limiting. To remediate this vulnerability, it is recommended to patch the affected VMware products.
CVE ID: CVE-2021-22029 (Medium)
A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.0 SP1). Affected devices allow to modify configuration settings over an unauthenticated channel. This could allow a local attacker to escalate privileges and execute own code on the device. Siemens has released a firmware update for SINEMA Remote Connect Client.
CVE ID: CVE-2021-31338 (High)
A vulnerability has been discovered in Firefox - Mozilla Open Source web browser. This flaw can be exploited by an attacker to conduct header splitting attacks. It is recommended to update package versions .
CVE ID: CVE-2021-29991
A vulnerability has been discovered in Inetutils telnet server which allows remote attackers to execute arbitrary code via short writes or urgent data. It is recommended to update package versions.
CVE ID: CVE-2020-10188 (Critical)
RedHat has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
F5 Networks has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
The Oracle VM Server for x86 has released security bulletin listing all CVEs which have been resolved in Oracle VM Server for x86 Security Advisories (OVMSA). It contains 4 new security patches for the Oracle VM Server for x86.
Oracle has released critical patch update for July 2021 containing 342 new security patches for multiple vulnerabilities across multiple products. A remote attacker can exploit these vulnerabilities to take control of an affected system.
A too-strict assertion check vulnerability has been discovered in BIND. The affected versions are BIND 9.16.19, 9.17.16 and BIND Supported Preview Edition 9.16.19-S1.
CVE ID: CVE-2021-25218 (High)
Cisco has released security updates to address several vulnerabilities in multiple Cisco products. An attacker may exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-34716 (Medium), CVE-2021-34715 (Medium), CVE-2021-34734 (Medium), CVE-2021-1561 (Medium), CVE-2021-34749 (Medium), CVE-2021-34730 (Critical), CVE-2021-22156 (Critical)
An OS command injection vulnerability has been discovered in FortiWeb's management interface that can allow a remote authenticated administrator to execute arbitrary commands on the system via the SAML server configuration page. The affected versions are FortiWeb 6.4.0 and below, 6.3.14 and below, and 6.2.4 and below.
CVE ID: CVE-2021-22123 (High)
Ubuntu has released security updates to address several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
It has been discovered that the wordexp function in the GNU C Library (aka glibc) can crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern. This vulnerability can result in Denial of Service (DoS) or disclosure of information.
CVE ID: CVE-2021-35942 (Critical)
Adobe has released security updates to resolve multiple vulnerabilities in Adobe products. An attacker can exploit these vulnerabilities to take control of an affected system.
An improper access control vulnerability has been discovered in ThroughTek's Equipment- Kalay P2P SDK. Successful exploitation of this vulnerability can permit Remote Code Execution (RCE) and unauthorized access to sensitive information, such as to camera audio/video feeds.
CVE ID: CVE-2021-28372 (Critical)
An integer overflow or wraparound vulnerability has been discovered in multiple Real-Time Operating Systems (RTOS) & supporting libraries. Successful exploitation of this vulnerability can result in crash or a remote code injection/execution or Denial of Service (DoS) attack.
An improper authentication vulnerability has been discovered in Advantech's Equipment- WebAccess/NMS- a network management system. Successful exploitation of this vulnerability can lead to the exposure of resources or functionality and can result in sensitive information disclosure.
CVE ID: CVE-2021-32951 (Medium)
Multiple vulnerabilities such as Cross-Site Scripting (XSS) and improper input validation have been discovered in xArrow's Equipment- xArrow SCADA/HMI. Successful exploitation of these vulnerabilities can result in Remote Code Execution (RCE).
CVE ID: CVE-2021-33021 (Medium), CVE-2021-33001 (Medium), CVE-2021-33025 (Medium)
It has been discovered that HAProxy- fast and reliable load balancing reverse proxy incorrectly handles the HTTP/2 protocol. A remote attacker can possibly use this vulnerability to bypass restrictions.
Multiple vulnerabilities have been discovered in Exiv2 an EXIF/IPTC/XMP metadata manipulation tool. An attacker can possibly use these vulnerabilities to cause a Denial of Service (DoS) attack.
RedHat has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
A buffer overflow vulnerability has been discovered in the TCP/IP stack of Juniper Networks Junos OS which allows an attacker to send specific sequences of packets to the device thereby causing a Denial of Service (DoS).
CVE ID: CVE-2021-0283 (High), CVE-2021-0284 (High)
Multiple vulnerabilities have been discovered in Moxa's EDR-810 series secure router. Moxa has developed appropriate solutions to address these vulnerabilities.
F5 Networks has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
CVE ID: CVE-2019-6111, CVE-2019-11331, CVE-2019-10247, CVE-2018-1126, CVE-2018-10675, CVE-2018-1122, CVE-2018-16850, CVE-2019-10208, CVE-2019-10241, CVE-2015-1283, CVE-2017-18344
Mozilla has released security updates to address vulnerability in Firefox and Thunderbird. An attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-29991 (High)
HPE has released security updates to address multiple vulnerabilities in the BIOS firmware of certain Intel processors in SGI UV 300/3000 series and HPE Integrity MC990 X servers which may cause escalation of privilege.
CVE ID: CVE-2020-12357 (Medium), CVE-2020-12360 (High)
A path traversal vulnerability has been discovered in numerous routers manufactured by multiple vendors using Arcadyan based software. This vulnerability allows an unauthenticated user to access sensitive information and alter router configuration.
CVE ID: CVE-2021-20090
RedHat has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
Ubuntu has released security notice to address an out-of-bounds write vulnerability in setsockopt() implementation of netfilter subsystem in the Linux kernel.
CVE ID: CVE-2021-22555 (High)
Apple has released security update to resolve several vulnerabilities in ImageIO of iCloud for Windows 12.5. An attacker can exploit these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-30779, CVE-2021-30785
Debian has released security update to resolve a vulnerability in Thunderbird which can result in the execution of arbitrary code.
CVE ID: CVE-2021-29989
It has been discovered that systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (Spectre v2). It is recommended to upgrade amd64-microcode packages.
CVE ID: CVE-2017-5715 (Medium)
An improper input validation vulnerability has been discovered in Apache Commons IO used by IBM Spectrum Scale Transparent Cloud Tiering. An attacker may send a specially-crafted URL request to view arbitrary files on the system.
CVE ID: CVE-2021-29425 (High)
Ubuntu has released security update to resolve MySQL vulnerabilities in MariaDB10.3 and 10.5- open source relational databases.
CVE ID: CVE-2021-2389, CVE-2021-2372
It has been discovered that Eclipse Jetty is susceptible to a vulnerability which when successfully exploited can lead to disclosure of sensitive information or addition or modification of data. The affected versions are Eclipse Jetty through 9.4.40, 10.0.2 and 11.0.2.
CVE ID: CVE-2021-34428 (Low)
Multiple vulnerabilities have been discovered in Apache Traffic Server- a reverse and forward proxy server. These vulnerabilities may result in Denial of Service (DoS) & HTTP request smuggling or cache poisoning. It is recommended to upgrade the Apache Traffic Server packages.
CVE ID: CVE-2021-27577, CVE-2021-32566, CVE-2021-32567, CVE-2021-35474, CVE-2021-32565
Multiple vulnerabilities have been discovered in Exiv2- a C++ library & a command line utility to manage image metadata which can result in Denial of Service(DoS) or the execution of arbitrary code if a malformed file is parsed. It is recommended to upgrade the exiv2 packages.
CVE ID: CVE-2019-20421, CVE-2021-3482, CVE-2021-29457, CVE-2021-29473, CVE-2021-31292
It has been discovered that in Apache Airflow if remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server which can listen on a specific port and also can bind on 0.0.0.0 by default. This logging server has no authentication and can allow reading log files of DAG jobs. The affected version is Apache Airflow below 2.1.2.
CVE ID: CVE-2021-35936
Multiple vulnerabilities have been discovered in VMware Workspace ONE Access, Identity Manager and vRealize Automation. Patches and workarounds are available to address these vulnerabilities in affected VMware products.
CVE ID: CVE-2021-22002 (High), CVE-2021-22003 (Low)
It has been discovered that OpenSSH incorrectly handled certain messages, and requests. An attacker could possibly use these vulnerabilities to cause a denial of service or access sensitive information.
CVE ID: CVE-2016-10708 (High), CVE-2018-15473 (Medium)
It has been discovered that Drupal project uses CKEditor, library for WYSIWYG editing. An attacker may exploit Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access. CKEditor has released a security update to address the flaw.
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-29781 (Critical), CVE-2021-29880 (Medium), CVE-2021-20478 (Medium)
It has been discovered that the PostgreSQL planner could create incorrect plans in certain circumstances, and PostgreSQL incorrectly handled certain SSL renegotiation ClientHello messages from clients. A remote attacker could use these vulnerabilities to cause PostgreSQL to crash, resulting in a denial of service, or possibly obtain sensitive information from memory.
CVE ID: CVE-2021-3677, CVE-2021-3449
It has been discovered that the netfilter subsystem in the Linux kernel had an out-of-bounds write vulnerability in its setsockopt() implementation. A local attacker could use this flaw to cause a denial of service (system crash) or possibly execute arbitrary code.
CVE ID: CVE-2021-22555 (High)
Deserialization of Untrusted Data vulnerability has been discovered in Cognex's Equipment- In-Sight OPC Server. Successful exploitation of this vulnerability could allow a remote attacker access to system level permissions and local privilege escalation.
CVE ID: CVE-2021-32935 (High)
Multiple vulnerabilities such as Out-of-bounds Write, Access of Uninitialized Pointer, and Out-of-bounds Read have been discovered in Horner Automation's Equipment- Cscape. Successful exploitation of these vulnerabilities may allow code execution in the context of the current process.
CVE ID: CVE-2021-32995 (High), CVE-2021-33015 (High), CVE-2021-32975 (High)
Improper Input Validation vulnerability has been discovered in Johnson Controls' Equipment- C-CURE 9000. Successful exploitation of this vulnerability could allow remote execution of lower privileged Windows programs.
CVE ID: CVE-2021-27660 (High)
Multiple vulnerabilities have been discovered in Red Hat OpenShift Container Platform. Red Hat OpenShift Container Platform release 4.6.42 is now available with updates to packages and images that fix several bugs and add enhancements.
CVE ID: CVE-2021-33195 (High), CVE-2021-33197 (Medium), CVE-2021-33198 (High), CVE-2021-34558 (Medium)
RedHat has released security updates to address multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected device.
Multiple vulnerabilities such as Improper handling of untypical characters in domain names, Use after free, and Incomplete validation of rejectUnauthorized parameter have been discovered in Node.js. An attacker could exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-22931 (High), CVE-2021-22940 (High), CVE-2021-22939 (Low)
Multiple vulnerabilities have been discovered in the web-based management interface of Cisco Identity Services Engine (ISE) which could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user. Cisco has released software updates that address these vulnerabilities.
CVE ID: CVE-2021-1603 (Medium), CVE-2021-1604 (Medium), CVE-2021-1605 (Medium), CVE-2021-1606 (Medium), CVE-2021-1607 (Medium)
Multiple vulnerabilities have been fixed in Thunderbird 91 which could have out of bounds read or memory corruption and a potentially exploitable crash.
CVE ID: CVE-2021-29986, CVE-2021-29981, CVE-2021-29988, CVE-2021-29984, CVE-2021-29980, CVE-2021-29987, CVE-2021-29985, CVE-2021-29982
A remote code execution vulnerability has been found in the Windows Print Spooler service that improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges.
CVE ID: CVE-2021-36958 (Medium)
libspf2 is a library for validating mail senders with SPF. Stack-based buffer overflow vulnerability has been discovered in libspf2 which could result in denial of service, or potential execution of arbitrary code when processing a specially crafted SPF record. It is recommended to upgrade the libspf2 packages.
CVE ID: CVE-2021-20314
Multiple vulnerabilities have been discovered in .NET. An update for .NET Core 3.1 is now available for .NET Core on Red Hat Enterprise Linux.
CVE ID: CVE-2021-26423, CVE-2021-34485, CVE-2021-34532
Multiple vulnerabilities have been discovered in Palo Alto Networks. An attacker could exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-3050 (High), CVE-2021-3046 (Medium), CVE-2021-3048 (Medium), CVE-2021-3047 (Medium), CVE-2021-26701
A vulnerability has been discovered in Huawei product which can cause memory use-after-free, compromising normal service. Huawei has released software updates to resolve vulnerability.
CVE ID: CVE-2021-22321 (Medium)
A Denial of Service vulnerability has been discovered in Huawei smartphone. Huawei has released software updates to address vulnerability.
CVE ID: CVE-2021-22364 (Medium)
RedHat has released security updates to resolve several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
Microsoft has released security updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit these vulnerabilities to take control of an affected system.
SAP has released security updates to resolve several vulnerabilities affecting multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
Adobe has released security updates to resolve multiple vulnerabilities in Adobe Connect and Adobe Magento. An attacker can exploit these vulnerabilities to take control of an affected system.
Mozilla has released security updates to address multiple vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker can exploit these vulnerabilities to take control of an affected system.
Citrix has released a security update to address a vulnerability affecting Citrix ShareFile storage zones controller. An attacker can exploit this vulnerability to obtain access to sensitive information.
CVE ID: CVE-2021-22932
Multiple vulnerabilities have been discovered in several products of Siemens. An attacker can exploit these vulnerabilities to take control of an affected system.
A vulnerability has been discovered in c-ares, a library that performs DNS requests and name resolution asynchronously. Missing input validation of hostnames returned by DNS servers can lead to output of wrong hostnames (leading to Domain Hijacking). It is recommended to upgrade the c-ares packages.
CVE ID: CVE-2021-3672
Multiple vulnerabilities have been discovered in HCC Embedded's software called InterNiche stack (NicheStack) & NicheLite, which provides TCP/IP networking capability to embedded systems. It is recommended to update to the latest stable version of NicheStack software.
Ubuntu has released security updates to address numerous vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in several products of Schneider Electric. A remote attacker may exploit these vulnerabilities to take control of an affected system. The updates are available.
Apple has released security update to resolve several vulnerability in ImageIO of iTunes for Windows. An attacker can exploit this vulnerability to take control of an affected device.
CVE ID: CVE-2021-30779, CVE-2021-30785
MISP- open source threat intelligence platform & open standards for threat information sharing has released MISP- 2.4.148 to resolve multiple vulnerabilities.
CVE ID: CVE-2021-37742 (Medium), CVE-2021-37743 (Medium)
It has been discovered that the PERL Encode library incorrectly handle paths. A local attacker can possibly use this vulnerability to trick the library into executing arbitrary code from the current working directory.
CVE ID: CVE-2021-36770
ReDoS via malicious user-agent header vulnerability has been discovered in nodejs-ua-parser-js of Red Hat OpenShift Jaeger. An update is now available for Red Hat OpenShift Jaeger 1.24.
CVE ID: CVE-2021-27292 (High)
Multiple vulnerabilities have been discovered in the OpenJDK Java runtime resulting in bypass of sandbox restrictions, incorrect validation of signed Jars or information disclosure. It is recommended to upgrade the openjdk-8 packages.
CVE ID: CVE-2021-2341, CVE-2021-2369, CVE-2021-2388
It has been discovered that Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI which allows remote attackers to discover cleartext credentials.
It is recommended to upgrade the lynx packages.
CVE ID: CVE-2021-38165
RedHat has released security updates to address multiple vulnerabilities in several products. An attacker can exploit some of these vulnerabilities to take control of an affected device.
It has been discovered that unarr.go in go-unarr (aka Go bindings for unarr) allows Directory Traversal via ../ in a pathname within a TAR archive. The affected version is go-unarr 0.1.1.
CVE ID: CVE-2021-38197
It has been discovered that Roxy-WI allows SQL Injection via check_login. An unauthenticated attacker can extract a valid uuid to bypass authentication. The affected versions are Roxy-WI through 5.2.2.0.
CVE ID: CVE-2021-38167
Multiple vulnerabilities have been resolved in Ansible version 2.7.7+dfsg-1+deb10u1- a configuration management, deployment and task execution system. These vulnerabilities can result in information disclosure or argument injection. It is recommended to upgrade ansible packages.
Multiple vulnerabilities have been resolved in Bluez version 5.50-1.2~deb10u2, the Linux Bluetooth protocol stack. An attacker can exploit these vulnerabilities to take control of an affected system. It is recommended to upgrade bluez packages.
CVE ID: CVE-2020-26558, CVE-2020-27153, CVE-2021-0129
Ivanti has released Pulse Connect Secure system software version 9.1R12 to address multiple vulnerabilities previous versions. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-22937 (Critical), CVE-2021-22933 (High), CVE-2021-22934 (High), CVE-2021-22935 (Critical) , CVE-2021-22936 (High), CVE-2021-22938 (High)
HTTP Request Smuggling vulnerability has been discovered in HTTP web proxies and web accelerators that support HTTP/2 for an HTTP/1.1 backend webserver. An attacker can send a crafted HTTP/2 request with malicious content to bypass network security measures thereby reaching internal protected servers and accessing sensitive data. It is recommended to install vendor-provided patches and updates to ensure malicious HTTP/2 content is blocked or rejected.
An authentication bypass vulnerability has been discovered in MELSEC iQ-R series CPU modules. A remote attacker can obtain the credentials and can be able to login to the CPU module unauthorisedly. The affected products & versions are R08/16/32/120SFCPU all versions & R08/16/32/120PSFCPU all versions.
It has been discovered that Apache Tomcat do not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. A remote attacker may be able to bypass security controls and gain access to restricted content. The affected products are Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66.
CVE ID: CVE-2021-33037 (Medium)
VMware has released security updates to address several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to gain access to confidential information.
CVE ID: CVE-2021-22002 (High), CVE-2021-22003 (Low)
Multiple vulnerabilities have been discovered in HCC Embedded's Equipment- InterNiche stack (NicheStack), NicheLite. Successful exploitation of these vulnerabilities may result in unauthorized access to arbitrary information, DNS cache poisoning, Remote Code Execution (RCE), or a Denial-of-Service (DoS) condition. The affected products are InterNiche stack all versions prior to v4.3 and NicheLite all versions prior to v4.3.
Multiple vulnerabilities have been discovered in FATEK Automation's Equipment FvDesigner- a software tool used to design and develop FATEK FV HMI series product projects. Successful exploitation of these vulnerabilities may allow an attacker to execute arbitrary code. The affected products are FvDesigner Versions 1.5.88 and prior.
CVE ID: CVE-2021-32947 (High), CVE-2021-32939 (High)
Multiple vulnerabilities have been discovered in mySCADA's Equipment myPRO- a professional HMI/SCADA system. Successful exploitation of these vulnerabilities can allow unauthorized users the ability to access sensitive information and upload arbitrary files. The affected products are myPro all versions prior to 8.20.0.
CVE ID: CVE-2021-33013 (High), CVE-2021-33009 (High), CVE-2021-33005 (High), CVE-2021-27505 (High)
Multiple vulnerabilities have been discovered in Advantech's Equipment- WebAccess/SCADA, a browser-based SCADA software package. Successful exploitation of these vulnerabilities can allow an attacker to hijack a user’s cookie/session tokens, gain unauthorized access to files and directories, and execute arbitrary code. The affected products are WebAccess/SCADA versions prior to 8.4.5 and WebAccess/SCADA versions prior to 9.0.1.
CVE ID: CVE-2021-22676 (Medium), CVE-2021-22674 (Medium), CVE-2021-32943 (Critical)
RedHat has released security updates to address multiple vulnerabilities in several products. An attacker can exploit some of these vulnerabilities to take control of an affected device.
Multiple vulnerabilities have been resolved in docker.io - Linux container runtime. It is recommended to update system and restart Docker to make all the necessary changes.
A Remote Code Execution (RCE) vulnerability has been discovered in the Cisco Adaptive Security Device Manager (ASDM) Launcher which can allow an unauthenticated, remote attacker to execute arbitrary code on a user's operating system.
CVE ID: CVE-2021-1585 (Medium)
Microsoft has released security updates to address multiple vulnerabilities in Microsoft Edge Stable Channel . A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-30597, CVE-2021-30596, CVE-2021-30594, CVE-2021-30593, CVE-2021-30592, CVE-2021-30591, CVE-2021-30590
Multiple Vulnerabilities such as Denial-of -Service (DoS), unauthorized login and information disclosure have been discovered in MELSEC iQ-R Series CPU Module. A remote attacker may exploit these vulnerabilities to take control of an affected system. The mitigation / workarounds are available.
CVE ID: CVE-2021-20594 (Medium), CVE-2021-20597 (High), CVE-2021-20598 (Low)
Multiple vulnerabilities such as cross-site scripting, information disclosure and privilege escalation or Denial of Service (DoS) have been resolved in Jetty, a Java servlet engine and webserver. It is recommended to upgrade jetty9 packages.
CVE ID: CVE-2019-10241, CVE-2019-10247, CVE-2020-27216, CVE-2020-27223, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
It has been discovered that the Perl Database Interface (DBI) module incorrectly handled certain long strings and opened files outside of the folder specified in the data source name. An attacker can possibly use these vulnerabilities to cause the DBI module to crash, resulting in a Denial of Service (DoS) or obtain sensitive information.
CVE ID: CVE-2014-10402, CVE-2020-14393
Cisco has released security updates to address several vulnerabilities in multiple Cisco products. An attacker may exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in OpenEXR, a library and tools for the OpenEXR high dynamic-range (HDR) image format. An attacker can cause a Denial of Service (DoS) through application crash and possibly execute code. It is recommended to upgrade the OpenEXR packages.
CVE ID: CVE-2021-3605, CVE-2021-20299, CVE-2021-20300, CVE-2021-20302, CVE-2021-20303
A vulnerability has been discovered in the Asterisk telephony system. If the IAX2 channel driver received a packet that contained an unsupported media format a crash can have occurred. It is recommended to upgrade the asterisk packages.
CVE ID: CVE-2021-32558
It has been discovered that a vulnerability in libpam-tacplus (a security module for using the TACACS+ authentication service) allows to share secrets such as private server keys that are being added in the clear to various logs. It is recommended to upgrade the libpam-tacplus packages.
CVE ID: CVE-2020-13881
Siemens has released security updates to address multiple vulnerabilities in Siemens Interniche IP stack, also known as “INFRA:HALT”.
CVE ID: CVE-2020-35683 (High), CVE-2020-35684 (High), CVE-2020-35685 (High), CVE-2021-31401 (High)
An insufficient verification of data authenticity vulnerability has been discovered in Robot Motion Servers. This security bug allows an adjacent attacker to execute arbitrary code.
RedHat has released security updates to address multiple vulnerabilities in several products. An attacker can exploit some of these vulnerabilities to take control of an affected device.
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report, "Kubernetes Hardening Guidance". This report details threats to Kubernetes environments and provides configuration guidance to minimize risk.
Multiple vulnerabilities have been discovered in Swisslog Healthcare's Equipment- Translogic PTS (Pneumatic Tube Systems). Successful exploitation of these vulnerabilities can allow an attacker to gain control of the device, escalate privileges, or execute arbitrary code.
Multiple vulnerabilities such as buffer overflow and NULL-pointer dereference have been discovered in VideoLAN (aka 'vlc'). It is recommended to upgrade the vlc packages.
CVE ID: CVE-2021-25801, CVE-2021-25802, CVE-2021-25803, CVE-2021-25804
Stack corruption and stack-based buffer overflow vulnerability have been discovered in glibc packages consists of standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd). An update for glibc is now available for Red Hat Enterprise Linux 7.7 Extended Update Support.
CVE ID: CVE-2020-29573 (High), CVE-2020-10029 (Medium)
Multiple vulnerabilities such as wrong ciphertext/tag, URLs with invalid userinfo, SSRF bypass, use of freed hash key, URL decoding of cookie names, and NULL pointer dereference have been discovered in PHP. An update for rh-php73-php is now available for Red Hat Software Collections.
CVE ID: CVE-2020-7069, CVE-2020-7071, CVE-2021-21705, CVE-2020-7068, CVE-2020-7070, CVE-2021-21702
Multiple vulnerabilities have been discovered in several Fortinet products. An attacker can exploit these vulnerabilities to take control of an affected system.
Android has released security bulletin to address multiple security vulnerabilities affecting multiple Android devices. Security patch levels of 2021-08-05 or later address all of these issues.
Google has released Chrome version 92.0.4515.131 for Windows, Mac and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
HTTP/2 request smuggling attack via a large content-length header for a POST request has been discovered in Varnish Cache -a high-performance HTTP accelerator. An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.1 Extended Update Support, and Red Hat Enterprise Linux 8.2 Extended Update Support.
CVE ID: CVE-2021-36740
It has been discovered that GnuTLS library is incorrectly handle sending certain extensions when being used as a client. A remote attacker can use this vulnerability to cause GnuTLS to crash, resulting in a Denial of Service (DoS), or possibly execute arbitrary code.
CVE ID: CVE-2021-20232, CVE-2021-20231
It has been discovered that Exiv2- EXIF/IPTC/XMP metadata manipulation tool incorrectly handled certain images. An attacker can possibly use this vulnerability to cause a Denial of Service (DoS).
CVE ID: CVE-2021-31291
Multiple vulnerabilities named PwnedPiper is affecting Translogicc Pneumatic Tube System (PTS) stations used throughout thousands of hospitial networks. Successful exploitation of these vulnerabilities can result in leakage of sensitive information, enable an adversary to manipulate data, and even compromise the PTS network to carry out a Man-in-the-Middle (MitM) attack and deploy ransomware thereby effectively halting the operations of the hospital.
A XML signature wrapping vulnerability has been resolved in lasso, a library for Liberty Alliance and SAML protocols when parsing SAML responses. It is recommended to apply updates.
CVE ID: CVE-2021-28091 (High)
Ubuntu has released security update to resolve several vulnerabilities in QPDF- tools for transforming and inspecting PDF files . An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-36978(Medium), CVE-2018-18020 (Low)
The Stable channel has been updated to 92.0.4515.130 (Platform version: 13982.69.0) for most Chrome OS devices. Systems will be receiving updates over the next several days.
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-20227 (Medium), CVE-2020-14040 (High)
It has been discovered that Microsoft Windows Active Directory Certificate Services (AD CS) by default can be used as a target for NTLM relay attacks, which can allow a domain-joined computer to take over the entire Active Directory.
Multiple vulnerabilities such as heap-based and stack buffer overflows, use-after-free and infinite loops have been discovered in lrzip, a compression program. These vulnerabilities can allow attackers to cause a Denial of Service (DoS) or possibly other unspecified impact via a crafted file. It is recommended to upgrade the lrzip packages.
It has been discovered that HTCondor- a distributed workload management system has incorrect access control vulnerability. It is possible to use a different authentication method to submit a job than the administrator has specified which may cause reduce security and unauthorised access. It is recommended to upgrade the condor packages.
CVE ID: CVE-2019-18823
It has been discovered that the ptp4l program in linuxptp an implementation of the Precision Time Protocol (PTP) does not validate the messageLength field of incoming messages allowing a remote attacker to cause a Denial of Service (DoS), information leak, or potentially Remote Code Execution (RCE). It is recommended to upgrade the linuxptp packages.
CVE ID: CVE-2021-3570 (High)
A Privilege Escalation Vulnerability has been discovered in configuration management of Cisco AsyncOS for Cisco Web Security Appliance (WSA) which can allow an authenticated, remote attacker to perform command injection and elevate privileges to root.
CVE ID: CVE-2021-1359 (High)
It has been discovered that IBM QRadar User Behavior Analytics is vulnerable to Cross-Site Request Forgery (CSRF) which can allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVE ID: CVE-2021-29757 (Medium)
It has been discovered that Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. The affected versions are all versions of the Node.js 16.x, 14.x, and 12.x releases lines. The security updates are now available.
CVE ID: CVE-2021-29757 (Medium)
Buffer over-read vulnerability has been discovered in Wibu-Systems AG's Equipment- CodeMeter Runtime. Successful exploitation of these vulnerabilities can allow an attacker to read data from the heap of the CodeMeter Runtime network server, or crash the CodeMeter Runtime Server.
CVE ID: CVE-2021-20094 (High), CVE-2021-20093 (Critical)
Insufficiently protected credentials vulnerability has been discovered in Hitachi ABB Power Grids' Equipment- Enterprise Shift Operations. Management System (eSOMS). Successful exploitation of this vulnerability can allow access to user credentials that are stored by the browser.
CVE ID: CVE-2021-35527 (High)
It has been discovered that PHP Extension and Application Repository (PEAR) incorrectly handled symbolic links in archives. A remote attacker can possibly use this vulnerability to execute arbitrary code.
CVE ID: CVE-2021-32610
It has been discovered that QPDF- tools for transforming and inspecting PDF files incorrectly handled certain malformed PDF files. A remote attacker can use this issue to cause QPDF to crash or consume resources, resulting in a Denial of Service (DoS), or possibly execute arbitrary code.
CVE ID: CVE-2018-18020, CVE-2021-36978
NSA has released the guideline to securing wireless devices in public settings such as public Wi-Fi & Near-Field Communications (NFC), a short-range wireless technology, Buletooth etc.
Red Hat has released security update to resolve multiple vulnerability in Red Hat Single Sign-On 7.4.
CVE ID: CVE-2021-21409(Medium), CVE-2021-3536 (Medium)
Ubuntu has released security notices to resolve several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-32610, CVE-2018-18020, CVE-2021-36978, CVE-2021-3246, CVE-2021-3246.
Apple has released security update to address a memory corruption vulnerability in IOMobileFrameBuffer extension exists in both iOS and macOS. An attacker can exploit this vulnerability to take control of an affected device.
CVE ID: CVE-2021-30807
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-20417, CVE-2021-20415, CVE-2019-17638, CVE-2021-25215, CVE-2021-29736, CVE-2021-29781
A vulnerability has been discovered in Apache Tomcat which allow an attacker to remotely trigger a Denial of Service (DoS). The affected versions are Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.
CVE ID: CVE-2021-30639 (High)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) has released the top 30 Common Vulnerabilities and Exposures (CVEs) exploited by malicious cyber actors in 2020 and being widely exploited thus far in 2021.
RedHat has released security updates to address multiple vulnerabilities in several products. An attacker can exploit some of these vulnerabilities to take control of an affected device.
Multiple Vulnerabilities like Use of Hard-Coded Credentials have been discovered in KUKA KR C4- a powerful, intelligent, safe, and more flexible controller. Successful exploitation of these vulnerabilities can result in unauthorized access to sensitive information and access to shell.
CVE ID: CVE-2021-33016(Critical), CVE-2021-33014(High)
Multiple Vulnerabilities such as missing authentication for critical function, command injection, stack-based buffer overflow have been discovered in Geutebrück G-Cam E2 and G-Code firmware for IP cameras. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-33543 (Critical), CVE-2021-33544 (High), CVE-2021-33545 (High), CVE-2021-33546 (High), CVE-2021-33547 (High), CVE-2021-33548 (High), CVE-2021-33549 (High), CVE-2021-33550 (High), CVE-2021-33551 (High), CVE-2021-33552 (High), CVE-2021-33553 (High), CVE-2021-33554 (High)
Cross-site Scripting (XSS) vulnerability has been discovered in LCDS's Equipment- LAquis SCADA automation platform. Successful exploitation of this vulnerability can allow an unauthenticated remote attacker to access sensitive information or execute arbitrary code.
CVE ID: CVE-2021-32989 (Critical)
Multiple vulnerabilities such as type confusion, and out-of-bounds write have discovered in Delta Electronics' Equipment- DIAScreen sofware. Successful exploitation of these vulnerabilities can crash the device being accessed and may allow remote code execution.
CVE ID: CVE-2021-32965 (High), CVE-2021-32969 (High)
An out-of-bounds read vulnerability has been discovered in Delta Electronics' Equipment- DOPSoft a software supporting the DOP-100 series HMI screens. Successful exploitation of these vulnerabilities can allow arbitrary code execution and disclose information.
CVE ID: CVE-2021-27455 (Low), CVE-2021-27412 (High)
RedHat has released security updates to address multiple vulnerabilities in several products. An attacker can exploit some of these vulnerabilities to take control of an affected device.
Multiple vulnerabilities have been discovered in Mitsubishi Electric's Equipments . An attacker can exploit these vulnerabilities to take control of an affected system.
It has been discovered that Sunhillo SureLine application contained an unauthenticated Operating System (OS) command injection vulnerability that allowed an attacker to execute arbitrary commands with root privileges. This would have allowed for a threat actor to establish an interactive channel, effectively taking control of the target system.
CVE ID: CVE-2021-36380 (Critical)
Apple has released security updates to address a memory corruption vulnerability in multiple products. An attacker can exploit this vulnerability to take control of an affected device.
CVE ID: CVE-2021-30807
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-22885 (Critical), CVE-2021-31525 (High), CVE-2021-20562 (Medium)
MySQL has released security updates to resolve multiple vulnerabilities . An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2019-25051
It has been discovered that Aspell- GNU Aspell spell-checker incorrectly handled certain inputs. An attacker can possibly use this issue to execute arbitrary code or cause a crash. The updates are available.
CVE ID: CVE-2019-25051
Multiple vulnerabilities have been discovered in Zimbra- a WebRTC stream aggregator. It is recommended to use Patch 17 for the Zimbra 9.0.0, and Patch 24 for Zimbra 8.8.15.
Ubuntu has released security notices to resolve several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
Oracle has released critical patch update for July 2021 contains 342 new security patches for multiple vulnerabilities across multiple products. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
Fake Win 11 downloaders are delivering adware and malware payloads on computers. A standard Windows installation wizard appears, but its main purpose is to download and run the problematic executable which is also an installer and comes with a license agreement and installs sponsored software. Accepting the agreement means different types of malicious software will get installed on the device.
It has been discovered that the Key Distribution Center (KDC) in krb5 the MIT implementation of Kerberos is prone to a NULL pointer dereference flaw. An unauthenticated attacker can take advantage of this flaw to cause a Denial of Service (DoS) by sending maliciously crafted request. It is recommended to upgrade your krb5 packages.
CVE ID: CVE-2021-36222
A Cross Site Scripting (XSS) vulnerability has been discovered in angular.js. To mitigate this vulnerability use a unique and isolated web browser and restrict access of the system to only allow trusted users. The affected versions are angular.js prior to 1.8.0 .
CVE ID: CVE-2020-7676 (Medium)
RedHat has released security updates to address multiple vulnerabilities in several products. An attacker can exploit some of these vulnerabilities to take control of an affected device.
A vulnerability has been resolved in Lemonldap-ng , a Web-SSO system. The vulnerability can result in information disclosure, authentication bypass, or can allow an attacker to increase its authentication level or impersonate another user. It is recommended to upgrade your lemonldap-ng packages.
CVE ID: CVE-2021-35472
A Missing Authentication vulnerability for Ehcache RMI has been discovered in Jira Data Center and Jira Service Management Data Center products. Successful exploitation of this vulnerability may allow an attacker to perform Remote Code Execution (RCE), which may lead to a compromise of the Jira server.
CVE ID: CVE-2020-36239
It has been discovered that the actionpack_page-caching Ruby gem, a static page caching module for Rails, allows an attacker to write arbitrary files to a web server, potentially resulting in Remote Code Execution (RCE) if the attacker can write unescaped ERB to a view. It is recommended to upgrade the ruby-actionpack-page-caching packages.
CVE ID: CVE-2020-8159
RedHat has released security updates to address multiple vulnerabilities in several products. An attacker can exploit some of these vulnerabilities to take control of an affected device.
A vulnerability has been discovered in web-based management interface of Cisco Unified Customer Voice Portal (CVP) which can allow an unauthenticated, remote attacker to perform a cross-site scripting (XSS) attack against a user.
CVE ID: CVE-2021-1599 (Medium)
It has been discovered that multiple modules expose secured values in ansible of ovirt. Updated dependency packages for ovirt-engine and ovirt-host that fix several bugs and add various enhancements are now available.
CVE ID: CVE-2021-3447 (Medium)
SQL injection vulnerability has been discovered in SourceCodester Travel Management System that allows remote attackers to execute arbitrary SQL statements, via the catid parameter to subcat.php.
CVE ID: CVE-2021-25213
It has been discovered that by abusing the 'install rpm url' command an attacker can escape the restricted clish shell on affected versions of Ivanti MobileIron Core. It is recommended to upgrade to Ivanti MobileIron Core version 11.1.0.0.
CVE ID: CVE-2021-3198
It has been discovered that the restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be escaped by abusing the 'Edit MySQL Configuration' command.
CVE ID: CVE-2021-31581
Multiple vulnerabilities have been discovered in Curl - HTTP, HTTPS, and FTP client and client libraries. It is recommended to update your system to the latest package versions.
CVE ID: CVE-2021-22898, CVE-2021-22925, CVE-2021-22924
An insufficient input validation vulnerability has been discovered in several Huawei Smartphones due to the lack of parameter validation. An attacker may trick a user into installing a malicious APP.
CVE ID: CVE-2021-22400
Microsoft has released Security Updates to address multiple vulnerabilities in Microsoft Edge Stable Channel . A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-3450( High), CVE-2021-3449(Medium), CVE-2021-2207(Low) CVE-2020-5258(High)
Argo Workflows is an open-source, container-native workflow engine for orchestrating parallel jobs on Kubernetes. Misconfigured permissions for Argo’s web-facing dashboard allow unauthenticated attackers to run code on Kubernetes targets, including cryptomining containers.
CISA has analyzed 13 malware samples related to exploited Pulse Secure devices. CISA encourages users and administrators to review the following 13 Malware Analysis Reports (MARs) for threat actor Techniques, Tactics and Procedures (TTPs) and Indicators of Compromise (IOCs).
Apple has released security updates to address several vulnerabilities in multiple products. An attacker can exploit some of these vulnerabilities to take control of an affected device.
Oracle has released critical patch update for July 2021 contains 342 new security patches for multiple vulnerabilities across multiple products. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
Ubuntu has released security notices to resolve several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
Cisco has released security updates to address several vulnerabilities in multiple Cisco products. An attacker may exploit some of these vulnerabilities to take control of an affected system.
NULL Pointer Dereference vulnerability has been discovered in Mitsubishi Electric's Equipment- MELSEC-F Series. Successful exploitation of this vulnerability may cause a Denial-of-Service (DoS) condition in communication with the product.
CVE ID: CVE-2021-2059 (High)
CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory as well as updates to five alerts and advisories related to Industrial Control Systems (ICS).
MITRE releases Common Weakness Enumeration (CWE) mentioning 25 most dangerous software weaknesses which are often easy to find, exploit and can allow adversaries to completely take over a system, steal data, or prevent an application from working.
CVE ID: CVE-2021-33910
Adobe has released security updates to address several vulnerabilities in multiple Adobe products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Google has released Chrome version 92.0.4515.107 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
RedHat has released security updates to address multiple vulnerabilities in several products. An attacker can exploit some of these vulnerabilities to take control of an affected device.
It has been discovered that an attacker-controlled allocation using the alloca() function can result in memory corruption, allowing to crash systemd- a suite of basic building blocks for a Linux system and hence the entire operating system. It is recommended to upgrade your systemd packages.
CVE ID: CVE-2021-33910
Multiple Vulnerabilities have been discovered in Linux kernel that may lead to a privilege escalation, Denial of Service (DoS) or information leaks. It is recommended to upgrade your linux packages.
CVE ID: CVE-2020-36311 (Medium), CVE-2021-3609, CVE-2021-33909, CVE-2021-34693 (Medium)
Oracle Solaris has released security update to address multiple vulnerabilities in third party software that is included in Oracle Solaris distributions.
Juniper has released security bulletin to resolve multiple vulnerabilities in Juniper Networks Junos OS and Junos OS Evolved. These vulnerabilities may allow an attacker to expose information or cause a Denial of Service (DoS) condition.
CVE ID: CVE-2020-8284 (Low), CVE-2020-8286 (High), CVE-2020-8285 (High)
Microsoft has found an elevation of privilege vulnerability in multiple Window products. This exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability can run arbitrary code with SYSTEM privileges and can view, change, or delete data or create new accounts with full user rights.
CVE ID: CVE-2021-36934 (HIgh)
Multiple vulnerabilities have been discovered in Citrix ADC and Citrix Gateway, and Citrix SD-WAN WANOP. These vulnerabilities if exploited can result in uncontrolled resource consumption, improper access control, and session fixation.
CVE ID: CVE-2021-22919, CVE-2021-22920, CVE-2021-22927
A Denial of Service (DoS) vulnerability has been discovered in a ethernet interface block of MELSEC-F series. An attacker may cause DoS condition by sending specially crafted packets. It is recommended to upgrade product versions.
CVE ID: CVE-2021-20596 (High)
A use after free vulnerability has been discovered in FortiManager and FortiAnalyzer fgfmsd daemon that can allow a remote, non-authenticated attacker to execute unauthorized code as root via sending a specifically crafted request to the fgfm port of the targeted device.
CVE ID: CVE-2021-32589 (High)
A buffer overflow vulnerability has been discovered in the TCP/IP stack of Juniper Networks Junos OS which allows an attacker to send specific sequences of packets to the device thereby causing a Denial of Service (DoS).
CVE ID: CVE-2021-0283 (High), CVE-2021-0284 (High)
Multiple vulnerabilities have been discovered in rabbitmq-server, a message-broker software. It is recommended to upgrade the rabbitmq-server packages.
CVE ID: CVE-2017-4965 (Medium), CVE-2017-4966 (High), CVE-2017-4967 (Medium), CVE-2019-11281 (Medium), CVE-2019-11287 (High), CVE-2021-22116 (High)
A Vulnerability has been discovered in nettle- a low level cryptographic library which can result out of bounds memory access in signature verification. It is recommended to upgrade nettle packages.
CVE ID: CVE-2021-20305 (High)
It has been discovered that a race condition in the CAN BCM networking protocol of the Linux kernel leading to multiple use-after-free vulnerabilities. A local attacker can use this issue to execute arbitrary code. The updates are available.
CVE ID: CVE-2021-3609
Apple has released security updates to address several vulnerabilities in multiple products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Microsoft has released Security Updates to address multiple vulnerabilities in Microsoft Edge Stable Channel . A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-30559, CVE-2021-30541, CVE-2021-30560, CVE-2021-30561, CVE-2021-30562, CVE-2021-30563, CVE-2021-30564
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-29707 (High), CVE-2021-25215 (High)
Cisco has released security updates to address multiple vulnerabilities in several Cisco products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-1422 (High), CVE-2018-0155 (High), CVE-2021-1397 (Medium)
Multiple vulnerabilities have been discovered in multiple NetApp Products. An attacker can exploit these vulnerabilities to take control of an affected system.
Google has released Chrome version 91.0.4472.164 for Windows, Mac and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
An elevation of privilege vulnerability has been observed in Windows Print Spooler service while performing privileged file operations. An attacker who successfully exploits this vulnerability can run arbitrary code with SYSTEM privileges which allow attacker to install programs , view, change, or delete data & can create new accounts with full user rights.
CVE ID: CVE-2021-34481 (High)
Juniper Networks has released security updates to address multiple vulnerabilities in several Junos OS products. An attacker can exploit these vulnerabilities to take control of an affected system.
CISA has launched a new website to help public and private organisations to defend against the rise in ransomware. This webpage is an interagency resource that provides organisation with ransomware protection, detection, and response guidance.
Multiple vulnerabilities have been discovered in Ypsomed's Equipment- mylife Cloud & mylife Mobile Application. Successful exploitation of these vulnerabilities can allow an attacker to obtain sensitive application information or modify the integrity of data being transmitted.
CVE ID: CVE-2021-27491 (Medium), CVE-2021-27495 (Medium), CVE-2021-27499 (Medium), CVE-2021-27503 (Medium)
Multiple vulnerabilities have been discovered in QEMU- Machine emulator and virtualiser. An attacker may exploit these vulnerabilities to take control of an affected system. The security updates are available.
It has been discovered that libslirp- a general purpose TCP-IP emulator library incorrectly handled certain header data lengths and udp packets. An attacker inside a guest can possibly use these vulnerabilities to leak sensitive information from the host.
CVE ID: CVE-2020-29129 (Medium), CVE-2020-29130 (Medium), CVE-2021-3592 (Low), CVE-2021-3593 (Low), CVE-2021-3594 (Low), CVE-2021-3595 (Low)
Cisco has released security updates to address multiple vulnerabilities in several Cisco products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2020-3155 (High), CVE-2021-1422 (High)
Multiple vulnerabilities have been discovered in Mozilla. An attacker can exploit these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-29978 (Low), CVE-2021-29954 (High)
Multiple vulnerabilities have been discovered in Juniper Networks products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in HPE products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Red Hat OpenShift Container Platform releases 4.6.38 with security updates to packages and images to resolve vulnerability that tricked into adding or modifying properties.
CVE ID: CVE-2020-7598 (Medium)
It has been discovered that threat actors are actively targeting SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and End-Of-Life (EOL) 8.x firmware in an imminent ransomware campaign using stolen credentials.
Multiple vulnerabilities such as privilege escalation and logic error have been discovered in several Huawei products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-22396 (Medium), CVE-2021-22397 (Medium), CVE-2021-22398 (High)
Multiple vulnerabilities such as reflected Cross-Site Scripting (XSS) and Local Privilege Escalation (LPE) have been discovered in Palo Alto Networks Prisma Cloud Compute web console and Cortex XDR agent respectively. An attacker may exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-3043 (High), CVE-2021-3042 (High)
Citrix releases security update to address local privilege escalation vulnerability on Windows Virtual Desktop Access (VDA) in Citrix Virtual Apps and Desktops.
CVE ID: CVE-2021-22928
SAP has released security updates to address vulnerabilities affecting multiple products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CISA has issued emergency directive to mitigate windows print spooler service Remotely Code Execution (RCE) vulnerability. An attacker can exploit RCE vulnerability with system level privileges to quickly compromise the entire identity infrastructure of a targeted organisation.
CVE ID: CVE-2021-34527 (Critical)
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as improper authentication and Denial-of-Service (DoS) have been discovered in VMware ESXi, and VMware Cloud Foundation. An attacker can exploit these vulnerabilities to take control of an affected system. The updates are available.
CVE ID: CVE-2021-21994 (High), CVE-2021-21995 (Medium)
CISA has created a webpage to provide information and guidance for the recent ransomware attack against Kaseya customers that include Managed Service Providers (MSPs) and their downstream customers.
Adobe has released security updates to address several vulnerabilities in multiple Adobe products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Siemens has released security updates to address multiple vulnerabilities in several Siemens products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in several products of Schneider Electric. An attacker can exploit some of these vulnerabilities to take control of an affected system. The updates are available.
Cisco has released security updates to address multiple vulnerabilities in several Cisco products. An attacker can exploit these vulnerabilities to take control of an affected system.
A RCE vulnerability has been verified by Huawei in Huawei HG532. Successful exploitation by sending malicious packets to port 37215 can lead to the remote execution of arbitrary code.
CVE ID: CVE-2017-17215 (High)
The Man-In-The-Middle (MITM) attack vulnerability has been discovered in Apache Cassandra. The local attacker without access to the Apache Cassandra process or configuration files can capture user names and passwords to access the JMX interface which may cause unauthorized operations and may allow access to sensitive information. The affected products are Apache Cassandra all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2.
CVE ID: CVE-2020-13946 (Medium), CVE-2019-2684 (Medium)
Kaseya has released VSA version 9.5.7a for their VSA On-Premises software. This version addresses vulnerabilities that enabled the ransomware attacks on Kaseya’s customers.
It has been discovered that SOGo- a fully supported and trusted groupware server does not validate the signatures of any Security Assertion Markup Language (SAML) assertions it receives. Any actor with network access to the deployment can impersonate users when SAML is the authentication method. It is recommended to upgrade the sogo packages.
CVE ID: CVE-2021-33054 (High)
Multiple vulnerabilities have been discovered in jetty and netty for AMQ Broker- a high-performance messaging implementation based on ActiveMQ Artemis. The updates are now available.
Multiple vulnerabilities have been discovered in Apache Tomcat. An attacker can exploit these vulnerabilities to take control of an affected system. The updates are now available.
A vulnerability has been discovered in Serv-U Managed File Transfer Server and Serv-U Secured FTP. A threat actor who successfully exploited this vulnerability can run arbitrary code with privileges , install & run malicious programs and may view, change, or delete data on the affected system. The vulnerability exists in the latest Serv-U version 15.2.3 HF1 and all prior versions.
CVE ID: CVE-2021-35211
A stored Cross Site Scripting (XXS) vulnerability has been discovered in ArcGIS Server Services Directory that may allow a remote authenticated attacker to pass and store malicious strings in the ArcGIS Services Directory. The affected version are ArcGIS Server Services Directory version 10.8.1 and below.
CVE ID: CVE-2021-29105 (Medium)
It has been discovered that PuTTY proceeds with establishing an SSH session even if it has never sent a substantive authentication response. This makes it easier for an attacker-controlled SSH server to present a later spoofed authentication prompt (that the attacker can use to capture credential data, and use that data for purposes that are undesired by the client user).
CVE ID: CVE-2021-36367
A vulnerability has been discovered in the XSI-Actions interface of Cisco BroadWorks Application Server that allows an authenticated, remote attacker to access sensitive information on an affected system.
CVE ID: CVE-2021-1562 (Medium)
A reflected cross site scripting (XSS) vulnerability has been discovered in dotAdmin/#/c/links of dotCMS that allows attackers to execute arbitrary commands or HTML via a crafted payload. The affected version is dotCMS 21.05.1.
CVE ID: CVE-2021-35361
Multiple Out-of-Bound read vulnerability in SonicWall Switch when handling LLDP Protocol allows an attacker to cause a system instability or potentially read sensitive information from the memory locations.
CVE ID: CVE-2021-20024 (High)
It has been discovered that the HTTP server of Everything provided by voidtools contains an HTTP header injection vulnerability. On the web browser of a user who accessed a website which uses the product 'Everything' an arbitrary script may be executed or the displayed page may be altered.
CVE ID: CVE-2021-20784 (Medium)
CISA has published a new Malware Analysis Report (MAR) on DarkSide Ransomware and issue updated best practices for preventing business disruption from ransomware attacks.
A vulnerability has been discovered in the Bidirectional Forwarding Detection (BFD) offload implementation of Cisco catalyst series switches software which allow an unauthenticated remote attacker to cause a crash of the iosd process, causing a denial of Service (DoS) condition.
CVE ID: CVE-2018-0155 (High)
CISA has released an analysis and infographic detailing the findings from the Risk and Vulnerability Assessments (RVAs) conducted in Fiscal Year (FY) 2020 across multiple sectors.
CVE ID: CVE-2020-7008 (High), CVE-2020-7004 (High), CVE-2020-10601 (High), CVE-2020-7000 (High), CVE-2020-10599 (Critical)
Multiple vulnerabilities have been discovered in VISAM's Equipment- VBASE- an automation platform. The successful exploitation of these vulnerabilities can allow an attacker to read the contents of unexpected files, escalate privileges to system level, execute arbitrary code on the targeted system, bypass security mechanisms, and discover the cryptographic key for the web login. The affected products are VBASE Editor, Version 11.5.0.2 and VBASE Web-Remote Module.
CVE ID: CVE-2020-7008 (High), CVE-2020-7004 (High), CVE-2020-10601 (High), CVE-2020-7000 (High), CVE-2020-10599 (Critical)
Multiple vulnerabilities have been discovered in MDT Software's Equipment- MDT AutoSave. The successful exploitation of these vulnerabilities by an attacker with detailed understanding of the product architecture and database structure can lead to full remote execution on the Remote MDT Server without an existing user or password.
An improper input validation vulnerability has been discovered in Rockwell Automation's Equipment- MicroLogix 1100. Successful exploitation of this vulnerability can allow an attacker to create a Denial-of-Service (DoS) condition.
CVE ID: CVE-2021-33012 (High)
Multiple vulnerabilities have been discovered in scilab, particularly in ezXML embedded library. It recommend to upgrade the scilab packages.
CVE ID: CVE-2021-30485, CVE-2021-31229, CVE-2021-31347, CVE-2021-31348, CVE-2021-31598
Huawei has released software updates to address DoS vulnerability in the Bluetooth function of some Huawei smartphones. An attacker can install third-party apps to send specific broadcasts, causing the Bluetooth module to crash.
CVE ID: CVE-2021-22399 (Medium)
Android has released security bulletin to address multiple security vulnerabilities affecting multiple Android devices. Security patch levels of 2021-07-05 or later address all of these issues.
Cisco has released security updates to address multiple vulnerabilities in several Cisco products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as StartTLS stripping and FTP PASV responses have been discovered in Net::IMAP and NET::FTP respectively of Ruby. The affected versions are Ruby 2.6.7 and earlier, Ruby 2.7.3 and earlier, and Ruby 3.0.1 and earlier.
CVE ID: CVE-2021-32066, CVE-2021-31810
It has been discovered that Avahi incorrectly handled termination signals on the Unix socket and certain hotnames. A local attacker can possibly use these vulnerabilities to cause Avahi to hang or crash, resulting in a Denial of Service (DoS).
CVE ID: CVE-2021-3468 (Medium), CVE-2021-3502 (Medium)
Multiple vulnerabilities have been discovered in PHP. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2020-7068 (Low), CVE-2020-7071 (Medium), CVE-2021-21702, CVE-2021-21704, CVE-2021-21705
A use-after-free vulnerability has been discovered in net/bluetooth/hci_event.c when destroying an hci_chan of kernel. An update is now available for Red Hat Enterprise Linux 8.1 Extended Update Support.
CVE ID: CVE-2021-33034 (High)
Multiple vulnerabilities have been discovered in IBM products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-28165 (High), CVE-2021-27568 (Critical), CVE-2021-29711 (Medium), CVE-2021-27223 (High), CVE-2021-26296 (High)
Huawei has released security updates to address CPU vulnerabilities "Meltdown" and "Spectre" in multiple products. A local attacker can exploit these vulnerabilities to read memory information belonging to other processes or other operating system kernel.
CVE ID: CVE-2017-5715 (Medium), CVE-2017-5753 (Medium), CVE-2017-5754 (Medium)
Multiple vulnerabilities have been discovered in multiple Philips Clinical Collaboration Platform Portal (officially registered as Vue PACS) products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Microsoft has security updates to address a Remote Code Execution (RCE) vulnerability known as PrintNightmare in the Windows Print spooler service.
CVE ID: CVE-2021-34527 (Critical)
Multiple vulnerabilities discovered in OpenSSL affects various Cisco products. Exploitation of these vulnerabilities can allow an attacker to use a valid non-Certificate Authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a Denial of Service (DoS) condition.
CVE ID: CVE-2021-3449 (Medium), CVE-2021-3450 (High)
Multiple vulnerabilities have been discovered in multiple Joomla! products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-26039 (Low), CVE-2021-26038 (Low), CVE-2021-26037 (Low), CVE-2021-26036 (Low), CVE-2021-26035 (Low)
An improper access control vulnerability in QNAP NAS running HBS 3 (Hybrid Backup Sync) certain versions has been resolved. If exploited this vulnerability allows attackers to compromise the security of the operating system.
Multiple vulnerabilities such as information disclosure and OS command injection have been discovered in ELECOM routers. An unauthenticated network-adjacent attacker can possibly obtain sensitive information or execute arbitrary OS commands.
CVE ID: CVE-2021-20738 (Medium), CVE-2021-20739 (Medium)
An out-of-bounds read vulnerability has been discovered in the uv__idna_to_ascii() function of Libuv- an asynchronous event notification library which can result in Denial of Service (DoS) or information disclosure. It is recommended to upgrade the libuv1 packages.
CVE ID: CVE-2021-22918
Multiple vulnerabilities have been discovered in PHP-a widely-used open source general purpose scripting language which can result a Server-Side Request Forgery (SSRF) bypass of the FILTER_VALIDATE_URL check and Denial of Service (DoS) or potentially the execution of arbitrary code in the Firebird PDO. It is recommended to upgrade the php7.3 packages.
CVE ID: CVE-2021-21704, CVE-2021-21705
A vulnerability has been in XStream- a Java library to serialize objects to and from XML which can allow a remote attacker to execute commands of the host only by manipulating the processed input stream. It is recommended to upgrade the libxstream-java packages.
CVE ID: CVE-2021-29505 (High)
A recent supply-chain ransomware attack is leveraging a vulnerability in Kaseya VSA software against multiple Managed Service Providers (MSPs) and their customers. CISA issued guideline to protect Server & End Point against supply chain ransomware attack.
Multiple vulnerabilities have been discovered in OpenEXR, a library and tools for the OpenEXR high dynamic-range (HDR) image format. An attacker can cause a Denial of Service (DoS) through application crash and excessive memory consumption. It is recommended to upgrade the openexr packages.
A vulnerability has been discovered in iconv program of the GNU C Library (aka glibc or libc6) 2.31 and earlier. An attacker can exploit this vulnerability by crafting a sequence of invalid multi-byte input to an application using the iconv program and causing the application to enter an infinite loop, leading to a Denial-of-Service (DoS).
CVE ID: CVE-2016-10228
Multiple vulnerabilities have been discovered in multiple NetApp Products. An attacker can exploit these vulnerabilities to take control of an affected system.
New versions of Azure PowerShell have been released to address a .NET Core remote code execution vulnerability CVE-2021-24112 in PowerShell versions 7.0 and 7.1. It recommend to install the updated versions as soon as possible.
Multiple vulnerabilities have been discovered in multiple QNAP NAS products. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-28802, CVE-2021-28804, CVE-2020-36196, CVE-2021-28803, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686
An use of password hash with insufficient computational effort vulnerability has been discovered in Bachmann Electronic's Equipment- All M-Base Controllers. The successful exploitation of this vulnerability can allow an unauthenticated remote attacker to gain access to the password hashes of the controller if Security Level 4 is not in use as recommended.
CVE ID: CVE-2020-16231 (High)
Multiple vulnerabilities such as incorrect implementation of authentication algorithm, and improper restriction of XML external entity reference have been discovered in Mitsubishi Electric's Equipment- Multiple Air Conditioning Systems. The successful exploitation of these vulnerability may allow an attacker to disclose some of the data and configuration information of the air conditioning system or may cause a Denial-of-Service (DoS) condition.
CVE ID: CVE-2021-20593 (High), CVE-2021-20595 (Critical)
An out-of-bounds read vulnerability has been discovered in Delta Electronics' Equipment- DOPSoft, a software supporting the DOP-100 series HMI screen. Successful exploitation of this vulnerabilities can allow arbitrary code execution and disclose information.
CVE ID: CVE-2021-27455 (Low), CVE-2021-27412(High)
An improper input validation vulnerability has been discovered in Sensormatic Electronics' Equipment- C-CURE 9000, a security and event management System . The successful exploitation of this vulnerability can allow remote execution of lower privileged Windows programs. The affected products are C-CURE 9000 all versions prior to 2.80.
CVE ID: CVE-2021-27660 (High)
An improper privilege management vulnerability has been discovered in Johnson Controls' Equipment- Facility Explorer SNC Series Supervisory Controller Version 11. Successful exploitation of this vulnerability can give an authenticated user an unintended level of access to the controller’s file system.
CVE ID: CVE-2021-27661 (High)
It has been discovered that malformed archive can cause panic or memory exhaustion in golang. An update for go-toolset-1.15 and go-toolset-1.15-golang is now available for Red Hat Developer Tools.
CVE ID: CVE-2021-33196
It has been discovered in Grafana- a parts of the HTTP API allow unauthenticated use. This makes it possible to run a Denial of Service (DoS) attack against the server running Grafana.
CVE ID: CVE-2019-15043 (High)
Google has released Chrome version 91.0.4472.147 (Platform version: 13904.77.0) for most Chrome OS devices. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
It has been discovered that the Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.
CVE ID: CVE-2021-1675 (High)
CISA has released a new module in its Cyber Security Evaluation Tool (CSET), the Ransomware Readiness Assessment (RRA). CSET is a desktop software tool that guides network defenders through a step-by-step process to evaluate their cybersecurity practices on their networks.
A vulnerability has been discovered in ipmitool, an utility for IPMI control with kernel driver or LAN interface. Neglecting proper checking of input data might result in buffer overflows and possible remote code execution. It is recommended to upgrade the ipmitool packages.
CVE ID: CVE-2020-5208 (High)
A vulnerability has been discovered in node-bl: a Node.js module to access multiple buffers with buffer interface. By crafted user input uninitialised memory might be exposed due to a buffer over-read . It is recommended to upgrade the node-bl packages.
CVE ID: CVE-2020-8244 (Medium)
Multiple Vulnerabilities have been discovered in jetty and jenkins plugin of OpenShift Container Platform. An update is now available for Red Hat OpenShift Container Platform 3.11.
CVE ID: CVE-2021-21642 (High), CVE-2021-21644 (Medium), CVE-2020-27216 (High), CVE-2020-27218 (Medium), CVE-2020-27223 (Medium), CVE-2021-21643 (Medium), CVE-2021-21645 (Medium)
Red Hat has released security updates to address numerous vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as integer truncation privilege escalation and exposed hazardous function Remote Code Execution (RCE) have been discovered in Trend Micro password manager. These vulnerabilities allow an unprivileged local attacker or client to trigger a buffer overflow or manipulate the registry and escalate privileges on affected installations.
CVE ID: CVE-2021-32461 (High), CVE-2021-32462 (High)
A vulnerability has been discovered in supported versions of Access Management (AM). Using a well-constructed request an attacker may be able to perform Remote Code Execution (RCE) by sending a specially crafted request to an exposed remote endpoint.
CVE ID: CVE-2021-35464
CISA is developing a catalog of bad practices that are exceptionally risky especially in organisations supporting Critical Infrastructure or National Critical Functions (NCFs) such as use of unsupported (or end-of-life) software & use of known/fixed/default passwords and credentials. The presence of these bad practices in organisations that support Critical Infrastructure or NCFs is exceptionally dangerous and increases risk.
An authentication bypass using an alternate path or channel vulnerability has been discovered in Claroty's Equipment- Secure Remote Access (SRA) Site. The successful exploitation of this vulnerability enables an attacker with local (Linux) system access to bypass access controls for the central configuration file of the SRA Site software.
CVE ID: CVE-2021-32958 (Medium)
An improper restriction of operations within the bounds of a memory buffer vulnerability has been discovered in JTEKT Corporation's Equipment- TOYOPUC PLC. The successful exploitation of this vulnerability can crash the device being accessed.
CVE ID: CVE-2021-27477 (Medium)
An improper restriction of XML external entity reference vulnerability has been discovered in Panasonic's Equipment- FPWIN Pro programming control software. The successful exploitation of this vulnerability can allow a remote attacker to retrieve sensitive information from the file system where affected software is installed. The affected version are FPWIN Pro programming control software all versions 7.5.1.1 and prior.
CVE ID: CVE-2021-32972 (Medium)
A cross-site scripting vulnerability has been discovered in Exacq Technologies'Equipment- exacqVision Enterprise Manager software. The successful exploitation of this vulnerability can allow an attacker to send malicious requests on behalf of the victim. The affected versions are exacqVision Enterprise Manager version 20.12 and prior.
CVE ID: CVE-2021-27658 (Medium)
A cross-site scripting vulnerability has been discovered in Exacq Technologies'Equipment- exacqVision Web Service software. The successful exploitation of this vulnerability can allow an attacker to send malicious requests on behalf of the victim. The affected versions are exacqVision Web Service version 21.03 and prior.
CVE ID: CVE-2021-27659 (Medium)
A XML External Entity (XXE) vulnerability has been discovered in libjdom2-java, a library for reading and manipulating XML documents. An attacker can cause a Denial of Service (DoS) attack via a specially-crafted HTTP request. It is recommended to upgrade the libjdom2-java packages.
CVE ID: CVE-2021-33813 (High)
Multiple vulnerabilities have been discovered in jetty of OpenShift Container Platform 4.6.36. An attacker can exploit these vulnerabilities to take control of an affected system. The updates are now available.
CVE ID: CVE-2020-27216 (High), CVE-2020-27218 (Medium), CVE-2020-27223 (Medium)
A possible heap corruption with LzmaUefiDecompressGetInfo vulnerability has been discovered in EDK2 ( Embedded Development Kit)- a project to enable UEFI support for Virtual Machines (VM). An update for edk2 is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2021-28211 (Medium)
Multiple vulnerabilities such as privilege escalation and arbitrary file upload have been discovered in ProfilePress Plugin of WordPress. The affected versions are ProfilePress 3.0- 3.1.3.
CVE ID: CVE-2021-34621 (Critical), CVE-2021-34622 (Critical), CVE-2021-34623 (Critical), CVE-2021-34624 (Critical)
A privilege escalation vulnerability has been discovered in Nessus Agent which can allow a Nessus administrator user to upload a specially crafted file that can lead to gaining administrator privileges on the Nessus host. The affected versions are Nessus Agent 8.2.5 and earlier.
CVE ID: CVE-2021-20106 (Medium)
Multiple vulnerabilities have been discovered in the web services interface of Cisco Adaptive Security Appliance (ASA) software and Cisco Firepower Threat Defense (FTD) software which can allow an unauthenticated, remote attacker to conduct Cross-Site Scripting (XSS) attacks against a user of the web services interface of an affected device.
CVE ID: CVE-2020-3580(Medium), CVE-2020-3581(Medium), CVE-2020-3582(Medium)
A memory corruption vulnerability has been discovered in the DMG File Format Handler (FFH) functionality of PowerISO 7.9. A specially crafted DMG file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. The updates are now available.
CVE ID: CVE-2021-21871 (High)
Multiple vulnerabilities have been discovered in Zimbra- a WebRTC stream aggregator. It is recommended to use Patch 16 for the Zimbra 9.0.0, and Patch 23 for Zimbra 8.8.15.
CVE ID: CVE-2021-34807, CVE-2021-35209, CVE-2021-35208, CVE-2021-35207
Multiple vulnerabilities have been discovered in klibc that can lead to the execution of arbitrary code, privilege escalation, or Denial of service (DoS). It is recommended to upgrade the klibc packages.
CVE ID: CVE-2021-31870 (Critical), CVE-2021-31871 (High), CVE-2021-31872 (Critical), CVE-2021-31873 (Critical)
It has been discovered that XML parsers used by XMLBeans does not set the properties need to protect the user from malicious XML input. Vulnerabilities include the possibility for XML Entity Expansion attacks which can lead to a Denial-of-Service (DoS). It is recommended to upgrade the xmlbeans packages.
CVE ID: CVE-2021-23926 (Critical)
It has been discovered that some languages in Prism- a syntax highlighting library are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted text, an attacker can craft a string that will take a very very long time to highlight. The affected versions are Prism version before 1.24.0.
CVE ID: CVE-2021-32723
It has been discovered that a cross-site scripting vulnerability in Fudousan plugin allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. The affected versions are udousan plugin ver5.7.0 and earlier, Fudousan Plugin Pro Single-User Type ver5.7.0 and earlier, and Fudousan Plugin Pro Multi-User Type ver5.7.0 and earlier.
CVE ID: CVE-2021-20749
It has been discovered that Inkdrop allows an attacker to execute arbitrary OS commands on the system where it runs by loading a file or code snippet containing an invalid iframe into Inkdrop. The affected versions are Inkdrop versions prior to v5.3.1.
CVE ID: CVE-2021-20745
Multiple vulnerabilities such as Man-In-The-Middle(MITM) attack and information disclosure have been discovered in bluez- a package with Bluetooth tools and daemons . It is recommended to upgrade the bluez packages.
CVE ID: CVE-2020-26558 (Medium), CVE-2021-0129 (Medium)
Security update has been released for some types of Intel CPUs microcode to resolve multiple vulnerabilities which can result in privilege escalation in combination with VT-d and various side channel attacks.
CVE ID: CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, CVE-2020-24513
Multiple vulnerabilities have been discovered in AVEVA Software's Equipment- System Platform. Successful exploitation of these vulnerabilities can allow a malicious entity to achieve arbitrary code execution with system privileges or cause a Denial-of-Service (DoS) condition. The security updates are now available.
Multiple Vulnerabilities have been discovered in Ceph- distributed storage and file system. An attacker can use these vulnerabilities to take control of an affected system.
CVE ID: CVE-2020-25678 (Medium), CVE-2020-27781 (High), CVE-2020-27839 (Medium), CVE-2021-20288 (High), CVE-2021-3509 (Medium), CVE-2021-3524 (Medium), CVE-2021-3531 (Medium)
NVIDIA has released a software security update for NVIDIA GeForce Experience software that address multiple vulnerabilities such as information disclosure, data tampering or Denial of Service(DoS).
CVE ID: CVE-2021-1073 (High)
Multiple vulnerabilities such as out-of-bounds read, out-of-bounds write and improper restriction of operations within the bounds of a memory buffer have been discovered in FATEK Automation's Equipment- WinProladder- a PLC. Successful exploitation of these vulnerabilities can allow for the execution of arbitrary code.
CVE ID: CVE-2021-32990 (High), CVE-2021-32988 (High), CVE-2021-32992 (High)
A clear text transmission of sensitive information vulnerability has been discovered in Philips' Equipment- Interoperability Solution XDS. Successful exploitation of this vulnerability can allow an attacker to read the LDAP system credentials by gaining access to the network channel used for communication. This risk applies to configurations using LDAP via TLS and where the domain controller returns LDAP referrals.
CVE ID: CVE-2021-32966 (Low)
A vulnerability has been discovered in libgcrypt20, a crypto library. Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt. It is recommended to upgrade the libgcrypt20 packages.
CVE ID: CVE-2021-33560 (High)
Google has released Chrome version 91.0.4472.123/.124 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
It has been discovered that RabbitMQ- AMQP server written in Erlang incorrectly handled certain inputs. An attacker can possibly use this issue to cause a Denial of Service (DoS).
CVE ID: CVE-2021-22116 (High), CVE-2019-11287 (High)
It has been discovered that Emote interactive remote mouse on Windows allows attackers to execute arbitrary programs as administrator by using the Image Transfer Folder (ITF) feature to navigate to cmd.exe. It binds to local ports to listen for incoming connections. The affected version is Emote Interactive Remote Mouse 3.008.
CVE ID: CVE-2021-35448
Dell is releasing remediations for multiple security vulnerabilities affecting the BIOSConnect and HTTPS Boot features such as improper certificate validation and buffer overflow. An attacker may exploit these vulnerabilities using a person-in-the-middle attack which may lead to a Denial of Service (DoS) or run arbitrary code and bypass UEFI restrictions.
CVE ID: CVE-2021-21571 (Medium), CVE-2021-21572 (High), CVE-2021-21573 (High), CVE-2021-21574 (High)
It has been discovered that LoadBalancer Service type don't create a HNS policy for empty or invalid external loadbalancer IP in kubernetes, this can lead to Man In The Middle (MITM) attack. The security update components for Windows Container Support for Red Hat OpenShift 2.0.1 are now available.
CVE ID: CVE-2021-25736
An out of bound access has been discovered while processing read commands in QEMU. An update for qemu-kvm-rhev is now available for Red Hat Virtualization for Red Hat Virtualization Host 7.
CVE ID: CVE-2020-29443 (Low)
Multiple vulnerabilities have been discovered in Citrix Hypervisor each of which may allow privileged code in a guest VM which cause the host to crash or become unresponsive. The affected version is Citrix Hypervisor 8.2 LTSR.
CVE ID: CVE-2021-3416 (Medium), CVE-2021-20257
Multiple vulnerabilities have been discovered in linux-oem-5.10 , a Linux kernel for OEM systems. An attacker can exploit these vulnerabilities to take control of an affected system.
It has been discovered that the blockchain node in FISCO-BCOS may have a vulnerability when dealing with unformatted packet and lead to a crash. The affected version is FISCO-BCOS V2.7.2.
CVE ID: CVE-2021-35041
A vulnerability has been discovered in OpenGrok- a fast and usable source code search and cross reference engine that allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok.
CVE ID: CVE-2021-2322
Multiple vulnerabilities have been discovered in Linux kernel. An attacker can exploit some of these vulnerabilities to take control of an affected system.
An improper input validation vulnerability has been discovered in python flask that can result in large amount of memory usage possibly leading to Denial of Service (DoS). This vulnerability is exploitable via attacker provides JSON data in incorrect encoding.
CVE ID: CVE-2018-1000656 (High)
Red Hat has released security updates to address numerous vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
An improper authorization vulnerability has been discovered in Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API.
CVE ID: CVE-2021-3044 (Critical)
Multiple Vulnerabilities such as heap-based buffer overflow, out-of-bounds write, and improper restriction of operation within the bounds of a memory buffer have been discovered in Advantech's Equipment. Successful exploitation of these vulnerabilities can result in memory corruption and code execution.
CVE ID: CVE-2021-33000 (High), CVE-2021-33002 (High), CVE-2021-33004 (High)
It has been discovered that VMware Tools for Windows, VMRC for Windows and VMware App Volumes contain a local privilege escalation vulnerability. Updates are available to remediate this vulnerability in affected VMware products.
CVE ID: CVE-2021-21999
It has been discovered that OpenEXR- tools for the OpenEXR image format incorrectly handled certain malformed EXR image files. If a user is tricked into opening a crafted EXR image file, a remote attacker can cause a Denial of Service (DoS), or possibly execute arbitrary code.
CVE ID: CVE-2021-3605, CVE-2021-26260 (Medium), CVE-2021-20296 (Medium), CVE-2021-23215 (Medium), CVE-2021-3598
Multiple vulnerabilities have been discovered in Red Hat Virtualization Host. An update for imgbased, redhat-release-virtualization-host, and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8.
CVE ID: CVE-2021-27219 (High), CVE-2021-3501 (High), CVE-2021-3560 (High), CVE-2020-24489
It has been discovered that out-of-bound heap buffer access via an interrupt ID field, and OOB access during mmio operations may lead to DoS in qemu for virt and virt-devel. An update for the virt:8.2 and virt-devel:8.2 modules is now available for Advanced Virtualization for RHEL 8.2.1.
CVE ID: CVE-2020-13754 (Medium), CVE-2021-20221 (Medium)
It has been discovered that the server variable support for Service Provider (SP) module for Microsoft's IIS is implemented incorrectly and vulnerable to header smuggling or spoofing attacks. This vulnerability affects all versions of the SP module since V3.0.0 when the IIS 7+ module is used. The updated version is now available.
Multiple vulnerabilities have been discovered in Zephyr Bluetooth LE Link Layer and L2CAP implementation. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Multiple Vulnerabilities have been discovered in Thunderbird - Mozilla Open Source mail and newsgroup client If a user is tricked into opening a specially crafted website in a browsing context, an attacker can potentially exploit these to cause a Denial of Service (DoS),obtain sensitive information, spoof the UI, bypass security restrictions or execute arbitrary code. . It is recommended to update Thunderbird package versions.
An authentication bypass vulnerability in the VMware Carbon Black App Control management has been discovered Updates are available to remediate this vulnerability in the affected VMware product.
CVE ID: CVE-2021-21998 (Critical)
Huawei has released software updates to resolve an improper permission assignment vulnerability in Huawei LTE USB Dongle products.
CVE ID: CVE-2021-22382
A command injection vulnerability in McAfee MVISION EDR (MVEDR) prior to 3.4.0 has been discovered which allows an authenticated MVEDR administrator to trigger the EDR client to execute arbitrary commands through PowerShell using the EDR functionality 'execute reaction'. The update is now available.
CVE ID: CVE-2021-31838 (High)
It has been discovered that Lexmark printer software G2 installation package can allow a local attacker to execute arbitrary code on the system, caused by an unquoted service path vulnerability in the LM__bdsvc. By placing a specially-crafted file, an attacker can exploit this vulnerability to execute arbitrary code on the system. The affected version is Lexmark Printer Software G2 Installation Package 1.8.0.0.
Multiple vulnerabilities have been discovered in Dovecot- IMAP and POP3 email server. An attacker can possibly use these vulnerabilities to validate tokens using arbitrary keys or inject plaintext commands before STARTTLS negotiation.
CVE ID: CVE-2021-33515, CVE-2021-29157
A Cross Site Scripting (XSS) vulnerability has been discovered in Hitachi application server in which Help allows a remote attacker to inject an arbitrary script via unspecified vectors. The affected version is Hitachi Application Server V10 Manual version 10-11-01 foe Windows and UNIX.
CVE ID: CVE-2021-20741
A vulnerability has been discovered in eLabFTW- an open source electronic lab notebook for research labs which allows an attacker to make GET requests on behalf of the server. It is "blind" because the attacker cannot see the result of the request. The affected versions are eLabFTW prior to eLabFTW 4.0.0.
CVE ID: CVE-2021-32698 (Medium)
It has been discovered that Apache Nuttx (incubating) is vulnerable to integer wrap-around in functions malloc, realloc and memalign. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution. The affected versions are Apache Nuttx (incubating) versions prior to 10.1.0.
CVE ID: CVE-2021-26461
Multiple vulnerabilities have been discovered in Apache HTTP Server which can allow a remote attacker possibly to use this issue to cause Apache to crash, resulting in a Denial of Service (DoS). It is recommended to update apache2 packages.
CVE ID: CVE-2021-26691, CVE-2020-35452(High), CVE-2021-30641(Medium), CVE-2021-26690(High), CVE-2020-13950(High)
A vulnerability in the restricted shell of Cisco Evolved Programmable Network (EPN) Manager, Cisco Identity Services Engine (ISE), and Cisco Prime Infrastructure can allow an authenticated, local attacker to identify directories and write arbitrary files to the file system.
CVE ID: CVE-2021-1306 (Medium)
It has been discovered that White Shark System (WSS)- a browser based collaborative office platform has a sensitive information disclosure vulnerability. Remote attackers can obtain username information for all users of the current site. The affected version is White Shark System 1.3.2.
CVE ID: CVE-2020-20472
A deserialization vulnerability has been discovered in Huawei AnyOffice product .An attacker can construct a specific request to exploit this vulnerability. Successful exploitation of vulnerability can execute remote malicious code injection to control the device.
CVE ID: CVE-2021-22439
Multiple vulnerabilities have been discovered in multiple products of NVIDIA Jetson. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Tor- a connection-based low-latency anonymous communication system, which can result in Denial of Service (DoS) or spoofing. It is recommended to upgrade the tor packages.
CVE ID: CVE-2021-34548, CVE-2021-34549, CVE-2021-34550
Red Hat has released security updates to address numerous vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in GRUB 2- GRand Unified Bootloader which can allow an attacker to bypass UEFI Secure Boot restrictions. The updates are available.
CVE ID: CVE-2021-20225(Medium), CVE-2020-14372(High), CVE-2020-25632(High), CVE-2020-27749(Medium), CVE-2020-27779(High), CVE-2021-20233(High)
Multiple vulnerabilities have been discovered in nettle- a low level cryptographic library which can result in Denial of Service (DoS) (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures. It is recommended to upgrade your nettle packages.
CVE ID: CVE-2021-3580, CVE-2021-20305
Apple has released security updates to address vulnerability in iMovie 10.2.4. An attacker can exploit this vulnerability to take control of an affected device.
CVE ID: CVE-2021-30757
Multiple vulnerabilities have been discovered in Cisco Jabber for Windows, Cisco Jabber for Mac, and Cisco Jabber for mobile platforms which can allow an attacker to access sensitive information or cause a Denial of Service (DoS) condition.
CVE ID: CVE-2021-1569(Medium), CVE-2021-1570(Medium)
A Denial of Service (DoS) vulnerability has been discovered in VMware Tools for Windows. The updates are available to remediate this vulnerability in affected VMware products.
CVE ID: CVE-2021-21997(Low)
Multiple vulnerabilities have been discovered in Rockwell Automation's Equipment- ISaGRAF5 Runtime. Successful exploitation of these vulnerabilities may result in Remote Code Execution (RCE), information disclosure, or a Denial-of-Service (DoS) condition.
CVE ID: CVE-2020-25176 (Critical), CVE-2020-25184 (High), CVE-2020-25178 (High), CVE-2020-25182 (Medium), CVE-2020-25180 (Medium)
A deserialization of untrusted data vulnerability has been discovered in M&M Software GmbH's Equipment- fdtCONTAINER. If an attacker can socially engineer a valid user into loading a manipulated project file, malicious code can be executed without notice.
CVE ID: CVE-2020-12525 (High)
Multiple vulnerabilities such as open redirect, and relative path traversal have been discovered in Advantech's Equipment- WebAccess/SCADA- a browser-based SCADA software package . Successful exploitation of these vulnerabilities can allow an attacker to read files outside the intended directory or redirect a user to a malicious webpage.
CVE ID: CVE-2021-32956 (High), CVE-2021-32954 (Medium)
An improper restriction of operations within the bounds of a memory buffer vulnerability has been discovered in Softing's Equipment- OPC-UA C++ SDK. A remote attacker may be able to crash the device, resulting in a Denial-of-Service (DoS) condition.
CVE ID: CVE-2021-32994 (High)
Google has released Chrome version 91.0.4472.114 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
CVE ID: CVE-2021-30554 (High), CVE-2021-30555 (High), CVE-2021-30556 (High), CVE-2021-30557 (High)
It has been discovered that Nettle incorrectly handled RSA decryption, and certain padding oracles. A remote attacker can possibly use these vulnerabilities to perform a variant of the Bleichenbacher attack or cause Nettle to crash, resulting in a Denial of Service (DoS).
CVE ID: CVE-2021-3580, CVE-2018-16869 (Medium)
It has been discovered that in jetty - a Java servlet engine and webserver requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory. An attacker can access sensitive information regarding the implementation of a web application. It is recommended to upgrade the jetty9 packages.
CVE ID: CVE-2021-28169 (Medium)
An out of bound read vulnerability has been discovered in Firefox. This vulnerability is only affects Firefox on Windows, the other operating systems are unaffected. The vulnerability has been resolved.
CVE ID: CVE-2021-29968
Cisco has released security updates to address numerous vulnerabilities in multiple Cisco products. An attacker can exploit these vulnerabilities to take control of an affected system. The affected systems and software are Webex Teams, Jabber, Meeting Server, Cisco ESA & Cisco WSA.
It has been discovered that BlueZ- a Bluetooth tools and daemons incorrectly handled redundant disconnect MGMT events and array indexes, and incorrectly checked certain permissions when pairing. A local attacker can use these vulnerabilities to cause BlueZ to crash, resulting in a Denial of Service (DoS) or possibly execute arbitrary code or obtain sensitive information or impersonate devices.
CVE ID: CVE-2020-26558 (Medium), CVE-2020-27153 (High), CVE-2021-3588
Multiple vulnerabilities have been discovered in prosody- a Jabber (XMPP) server. It is recommended to upgrade the prosody packages.
CVE ID: CVE-2021-32917 (Medium), CVE-2021-32921 (Medium)
It has been discovered that a Cross Site Scripting (XSS) vulnerability in Moodle allows remote attackers to execute arbitrary web script or HTML via the "Description" field. The affected version is Moodle 3.10.3.
CVE ID: CVE-2021-32244
An out of bounds read vulnerability has been discovered on several Huawei Products due to a message-handling function. An attacker can exploit this vulnerability by sending a specific message to the target device, which can cause a Denial of Service (DoS).
CVE ID: CVE-2021-22383
QNAP NAS running myQNAPcloud Link releases security update to resolve the vulnerability which allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism.
CVE ID: CVE-2021-28815 (Medium)
An SMB out-of-bounds read vulnerability has been discovered in QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to obtain sensitive information on the system.
CVE ID: CVE-2021-20254 (Medium)
Multiple vulnerabilities have been discovered in the Xen hypervisor which can result in Denial of Service (DoS)or information leaks. The Updates are available.
CVE ID: CVE-2021-0089, CVE-2021-26313(Medium), CVE-2021-28690, CVE-2021-28692
Multiple vulnerabilities have been discovered in OpenClinic GA's Equipment- OpenClinic GA- a product of open-source collaboration on Source Forge. Successful exploitation of these vulnerabilities can allow an attacker to bypass authentication, discover restricted information, view/manipulate restricted database information and/or execute malicious code.
Multiple vulnerabilities have been discovered in Automation Direct's Equipment- CLICK PLC CPU modules. Successful exploitation of these vulnerabilities can allow an attacker to log in as a currently or previously authenticated user or discover passwords for valid users.
CVE ID: CVE-2021-32980 (Critical), CVE-2021-32984 (Critical), CVE-2021-32986 (Critical), CVE-2021-32982 (High), CVE-2021-32978 (High)
IBM releases security updates to resolve multiple vulnerabilities in several products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Red Hat Ceph Storage. An update for ceph, ceph-ansible, ceph-iscsi, python-waitress, and tcmu-runner is now available for Red Hat Ceph Storage 4.2.
CVE ID: CVE-2021-20288 (High), CVE-2020-27839 (Medium), CVE-2021-3509 (Medium)
Multiple vulnerabilities have been discovered in ImageMagick- Image manipulation programs and library which incorrectly handled certain malformed image files. When a user or automated system using ImageMagick is tricked into opening a specially crafted image can cause a Denial of Service (DoS) or possibly execute arbitrary code with user privilege.
Lasso disclosed a security vulnerability in the Lasso Security Assertion Markup Language (SAML) Single Sign-On (SSO) library affecting multiple CISCO products. This vulnerability can allow an authenticated attacker to impersonate another authorized user when interacting with an application.
CVE ID: CVE-2021-28091 (High)
A vulnerability has been discovered in Juniper OS, in certain condition the IPv6 Distributed Denial of Service (DDoS) protection might not be affective when it reaches the threshold condition. The DDoS protection allows the device to continue to function while it is under DDoS attack, protecting both the Routing Engine (RE) and the Flexible PIC Concentrator (FPC) during the DDoS attack. The affected products are Junos OS 17.2, 17.2X75, 17.3, 17.4, 18.2, 18.2X75, 18.3 & Affected platforms MX series/EX9200 Series.
CVE ID: CVE-2020-1665 (Medium)
A buffer overflow vulnerability has been discovered in SonicOS which allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. This vulnerability affects SonicOS Gen5, Gen6, Gen7 platforms, and SonicOSv virtual firewalls.
CVE ID: CVE-2021-20027 (High)
Apple has released security updates to address vulnerabilities in iOS 12.5.4. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-30737, CVE-2021-30761, CVE-2021-30762
It has been discovered in openshift logging the plugin/unmarshal/unmarshal.go lacks certain index validation in gogo/protobuf. The security update has been released to resolve vulnerability.
CVE ID: CVE-2021-3121 (High)
Multiple vulnerabilities have been discovered in elFinder - an open-source file manager for web, written in JavaScript using jQuery UI. . These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The affected version is elFinder 2.1.58. The upgrade is available.
CVE ID: CVE-2021-32682 (Critical)
Multiple Vulnerabilities such as Denial of Service (DoS) and Remote Code Execution (RCE) vulnerabilities have been discovered in Mitsubishi Electric products -MC Works 64 and MC Works 32. . An attacker can exploit these vulnerabilities by sending specially crafted data. The updates are available.
A cross-site scripting vulnerability has been discovered in Apache ActiveMQ used by IBM Operations Analytics Predictive Insights. A remote attacker can exploit this vulnerability by using a specially-crafted URL to execute script in web browser & to steal the authentication credentials. The updates are available.
CVE ID: CVE-2020-13947(Medium)
Multiple vulnerabilities such as path traversal and information disclosure have been discovered in Dell Technologies NetWorker. A NetWorker server user with remote access to NetWorker clients may potentially exploit these vulnerabilities and gain access to unauthorized information. The affected versions are Dell Technologies NetWorker 18.x, Dell Technologies NetWorker 19.1.x, 19.2.x, 19.3.x, and 19.4.x versions until 19.4.0.2.
CVE ID: CVE-2021-21569 (Medium), CVE-2021-21570 (Medium)
A potential caching vulnerability has been found in Financial Transaction Manager for Corporate Payment Services. A remote attacker can exploit this vulnerability to expose sensitive information or consume memory resources.
CVE ID: CVE-2020-5003 (Medium)
IBM has released security update to resolve a command injection vulnerability in IBM Integration Bus & IBM App Connect Enterprise V11 ship with Node.js. By sending a specially-crafted request an attacker can exploit this vulnerability to execute arbitrary commands on the system.
CVE ID: CVE-2021-23337 (High)
An out-of-bounds read vulnerability has been discovered in certain QNAP switches running QSS. If exploited this vulnerability allows attackers to read sensitive information on the system. The updates are available.
CVE ID: CVE-2021-28801(Low)
An inclusion of sensitive information in the source code has been reported to affect certain QNAP switches running QSS. If exploited this vulnerability allows attackers to read application data. The updates are available.
CVE ID: CVE-2021-28805 (High)
A Cross Site Scripting (XSS) vulnerability has been discovered in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.200.It is recommended to update to DLP Endpoint for Windows 11.6.200.
CVE ID: CVE-2021-31832 (Medium)
Multiple Vulnerabilities such as Path Traversal and Cross-Site Scripting (XSS) have been discovered in AGG Software's Equipment- Web Server. Successful exploitation of these vulnerabilities can allow Remote Code Execution (RCE) and exposure of arbitrary system files. The affected products are v4.0.40.1014 and prior (webserver.dll)
CVE ID: CVE-2021-32964 (Medium), CVE-2021-32962 (High)
Multiple Vulnerabilities have been discovered in ZOLL's Equipment- Defibrillator Dashboard- a Defibrillator device management platform. Successful exploitation of these vulnerabilities can allow Remote Code Execution (RCE), allow an attacker to gain access to credentials, or impact confidentiality, integrity, and availability of the application.
CVE ID: CVE-2021-27489 (Critical), CVE-2021-27481 (High), CVE-2021-27487 (High), CVE-2021-27479 (Medium), CVE-2021-27485 (High), CVE-2021-27483 (Medium)
A protection mechanism failure vulnerability has been discovered in Rockwell Automation's Equipment- FactoryTalk Services Platform. Successful exploitation of this vulnerability may allow remote authenticated users to bypass FactoryTalk Security policies that are based on a computer name.
CVE ID: CVE-2021-32960 (High)
IBM releases security updates to resolve multiple vulnerabilities in several products.
CVE ID: CVE-2021-29754 (Medium), CVE-2021-20396 (Medium), CVE-2021-2161 (Medium)
A vulnerability has been discovered in lasso, a library for Liberty Alliance and SAML protocols, which results to a improper verification of a cryptographic signature. It is recommended to upgrade the lasso packages.
CVE ID: CVE-2021-28091 (High)
It has been discovered that rpcbind incorrectly handled certain large data sizes. A remote attacker can use this flaw to cause rpcbind to consume resources, leading to a Denial of Service (DoS). The updates are available.
It has been discovered that the NetworkPolicy resources in servicemesh-operator incorrectly specify ports for ingress resources. An update for servicemesh-operator is now available for OpenShift Service Mesh 2.0.
CVE ID: CVE-2021-3586
Red Hat has released security updates to resolve numerous vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
Ubuntu has released security notices to resolve several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
The Stable channel has been updated to 91.0.4472.102 (Platform version: 13904.55.0) for most Chrome OS devices. Systems will be receiving updates over the next several days.
It has been discovered that the coredump implementation in the Linux kernel does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs which allows local users to obtain sensitive information, cause a Denial of Service( DoS) or possibly have unspecified other impact by triggering a race condition. The affected versions are Linux kernel before 5.0.10.
CVE ID: CVE-2019-11599 (Medium)
The rise in ransomware attacks has been discovered which targeting critical infrastructure Operational Technology (OT) assets and control systems often connected to Information Technology (IT) networks. All organizations are at risk of being targeted by ransomware and have an urgent responsibility to protect against ransomware threats.
Google has released Chrome version 91.0.4472.101 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
It has been discovered that mrxvt, a lightweight multi-tabbed X terminal emulator, allowed (potentially remote) code execution because of improper handling of certain escape sequences. It is recommended to upgrade the mrxvt packages.
CVE ID: CVE-2021-33477 (High)
A SQL injection vulnerability has been discovered in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This can allow an authenticated attacker to gain unauthorized access to the database.
CVE ID: CVE-2021-33894
A Cross-Site Scripting (XSS) vulnerability has been discovered in the Portal Workflow module's edit process page in Liferay. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the currentURL parameter.
CVE ID: CVE-2021-29049
It has been discovered that an attacker can store malicious code in the User Avatar attribute in Zammad- a web-based, open source user support/ticketing solution. Every time the Avatar will be shown the malicious code will be executed in the session of the current user. It is recommended to upgrade to Zammad 4.0.1, or 4.1.0.
CVE ID: CVE-2021-35303
An improper privilege management vulnerability has been discovered in Schneider Electric's Equipment- Enerlin'X Com’X 510. Successful exploitation of this vulnerability can allow elevation of privileges which can result in unintended disclosure of device configuration information to any authenticated user.
CVE ID: CVE-2021-22769 (High)
A Denial of Service(DoS) vulnerability has been discovered in RabbitMQ, EMQ X, and VerneMQ open source message broker applications. The malformed MQTT messages are discovered that can cause excessive memory consumption in each of the affected message brokers, resulting in the application being terminated by the Operating System (OS).
CVE ID: CVE-2021-22116, CVE-2021-33175 (High), CVE-2021-33176 (High)
Intel has released security updates to address multiple vulnerabilities in several Intel products. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
SAP has released security updates to address multiple critical vulnerabilities affecting several products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Rockwell Automation's Equipment- ISaGRAF5 Runtime, an automation software. Successful exploitation of these vulnerabilities can result in Remote Code Execution (RCE), information disclosure, or a Denial-of-Service (DoS) condition.
CVE ID: CVE-2020-25176 (Critical), CVE-2020-25184 (High), CVE-2020-25178 (High), CVE-2020-25182 (Medium), CVE-2020-25180 (Medium)
Multiple vulnerabilities have been discovered in Open Design Alliance's Equipment- Drawings SDK, a software development kit for DWG and DGN. Successful exploitation of these vulnerabilities can allow code execution in the context of the current process or cause a Denial-of-Service (DoS) condition.
A clear text storage of sensitive information in memory vulnerability has been discovered in AVEVA Software's Equipment- InTouch 2020 R2 and all prior versions. Successful exploitation of this vulnerability can expose cleartext credentials from InTouch Runtime if an authorized privileged user creates a diagnostic memory dump of the process and saves it to a non-protected location.
CVE ID: CVE-2021-32942 (Medium)
A incomplete cleanup vulnerability has been discovered in Thales' Equipment- Thales Sentinel LDK Run-Time Environment (RTE). The products that have uninstalled software using the Sentinel LDK Run-Time Environment may have a port left open that may allow an attacker to connect. The affected products are Sentinel LDK Run-Time Environment: Versions 7.6 and prior.
CVE ID: CVE-2021-32928 (Critical)
Multiple vulnerabilities have been discovered in Schneider Electric's Equipment- IGSS (Interactive Graphical SCADA System) and Modicon X80. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in several products of Siemens. An attacker can exploit some of these vulnerabilities to take control of an affected system.
It has been discovered that the affected versions of Jira Server and Jira Data Center have a XSS vulnerability in the EditWorkflowScheme.jspa component which allows remote attackers to inject arbitrary HTML or JavaScript. The affected versions are version < 8.5.14 , 8.6.0 ≤ version < 8.13.6 and 8.14.0 ≤ version < 8.16.1.
CVE ID: CVE 2021-26080
A cleartext transmission of sensitive information vulnerability has been discovered in ThroughTek's Equipment- P2P SDK. Successful exploitation of this vulnerability can permit unauthorized access to sensitive information, such as camera audio/video feeds.
CVE ID: CVE-2021-32934 (Critical)
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2021-06-05 or later address all of these issues.
It has been discovered that an unspecified vulnerability in Java SE related to the Libraries component can allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. The affected versions are DB2 Recovery Expert for Linux- UNIX and Windows 5.5 IF 1, 5.5 IF 2, 5.5.0.1, and 5.5.0.1 IF 1.
CVE ID: CVE-2020-14782 (Low)
A buffer overflow vulnerability has been discovered in NGINX, a small, powerful, scalable web/proxy server, when encountered by the autoindex module. It is recommended to upgrade the nginx packages.
CVE ID: CVE-2017-20005
A role-based privileges escalation vulnerability has been discovered in Cloudforms where export or import of administrator files is possible. An attacker with a specific group can perform actions restricted only to system administrator.
CVE ID: CVE-2020-25716
An XXE vulnerability has been discovered in Nokogiri, a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. It is recommended to upgrade the ruby-nokogiri packages.
CVE ID: CVE-2020-26247 (Medium)
It has been discovered that the aaugustin websockets library for Python has an Observable Timing Discrepancy (OTD) on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack. The affected versions are aaugustin websockets library before 9.1.
CVE ID: CVE-2021-33880
It has been discovered that in Invoice Ninja has an unsafe call to unserialize() in app/Ninja/Repositories/AccountRepository.php which may allow an attacker to deserialize arbitrary PHP classes. The affected version are Ninja before 4.4.0.
CVE ID: CVE-2021-33898
Multiple vulnerabilities have been discovered in Django, the Python-based web development framework It is recommended to upgrade the python-django packages.
CVE ID: CVE-2021-33203, CVE-2021-33571
Multiple security vulnerabilities have been discovered in Thunderbird, which can result in the execution of arbitrary code. The updates are available.
CVE ID: CVE-2021-29956, CVE-2021-29957, CVE-2021-29967
A improper privilege management vulnerability has been discovered in Johnson Controls' Equipment- Metasys Servers, Engines, and Tools. Successful exploitation of this vulnerability can give an authenticated Metasys user an unintended level of access to the server file system allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system.
CVE ID: CVE-2021-27657 (High)
It has been discovered that OpenVPN access server allows a remote attackers to bypass authentication & access control channel data on servers configured with deferred authentication which can be used to potentially trigger further information leaks. The affected versions are OpenVPN Access Server 2.8.7 and earlier.
CVE ID: CVE-2020-15077
It has been discovered that in bubble fireworks the package- an open source java package relating to Spring Framework do not properly verify the signature of JSON Web Tokens. This allows to forgery of valid JWTs. The affected versions are bubble fireworks before version 2021.
CVE ID: CVE-2021-29500(High)
Multiple vulnerabilities have been resolved in the Linux kernel which allow local attacker to cause a Denial of Service (DoS) (system crash) or possibly execute arbitrary code.
Multiple critical vulnerabilities have been discovered in CODESYS automation software that can be exploited to Remote Code Execution (RCE) on Programmable Logic Controllers (PLCs).
CVE ID: CVE-2021-30189(Critical), CVE-2021-30190(Critical), CVE-2021-30191 (Critical), CVE-2021-30192 (Critical), CVE-2021-30193 (Critical),CVE-2021-30194 (Critical), CVE-2021-30195(High), CVE-2021-30186(High), CVE-2021-30188(High), CVE-2021-30187(Medium)
It has been discovered that the quiz and survey plugin of WordPress does not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting (XSS) vulnerability. This can allow for privilege escalation by inducing a logged in admin to open a malicious link.
CVE ID: CVE-2021-24368
An authentication bypass vulnerability has been discovered in Red Hat package polkit. When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileges of the requesting process which may be a threat to data confidentiality and integrity
CVE ID: CVE-2021-3560 (High)
Multiple vulnerabilities have been discovered in Zimbra- a WebRTC stream aggregator. It is recommended to use Patch 15 for the Zimbra 9.0.0, and Patch 22 for Zimbra 8.8.15.
It has been discovered that the resolution for CVE-2020-25712 (heap-buffer overflow) in the Xorg X server addressed in DLA-2486-1 causes a regression in caribou making it crash whenever special characters are entered. It is recommended to upgrade the caribou packages.
Microsoft releases the latest Microsoft Edge Stable Channel (Version 91.0.864.41), which incorporates the latest Security Updates of the Chromium project.
CVE ID: CVE-2021-33741(High)
Multiple vulnerabilities have been discovered in Advantech's Equipment- iView. Successful exploitation of these vulnerabilities can allow an attacker to disclose information and perform remote code execution. The affected products are Advantech’s iView versions prior to v5.7.03.6182.
CVE ID: CVE-2021-32930 (High), CVE-2021-32932 (Critical)
Multiple vulnerabilities have been discovered in Thunderbird. An attacker can exploit some of these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-29964, CVE-2021-29967
It has been discovered that the server in Luca allows remote attackers to cause a Denial of Service (insertion of many fake records related to COVID-19) because phone number data lacks a digital signature. The affected versions are Luca through 1.1.14.
CVE ID: CVE-2021-33840
It has been discovered that Foreman-a complete lifecycle management tool for physical and virtual servers is affected by an improper authorization handling Vulnerability. An authenticated attacker can impersonate the foreman-proxy if product enable the Puppet Certificate Authority (CA) to sign certificate requests that have subject alternative names (SANs). Foreman do not enable SANs by default and `allow-authorization-extensions` is set to `false`. The affected versions are Foreman versions before 2.3.4 and before 2.4.0.
CVE ID: CVE-2021-3469
RedHat has released security updates to resolve several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
Ubuntu has released security updates to address numerous vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
Adobe is planning to release security updates for Adobe Acrobat and Reader for Windows and macOS on June 08, 2021. These updates will address critical vulnerabilities in the software.
IBM has released security updates to resolve several vulnerabilities in multiple products. An attacker can exploit these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as post-authentication reflected XSS, DOM-based XSS, and command injection have been discovered in QNAP NAS products. If exploited these vulnerabilities allows remote attackers to inject malicious code or execute arbitrary commands. The updates are available.
CVE ID: CVE-2021-28807 (High), CVE-2021-28806 (Medium), CVE-2021-28812 (High)
Multiple vulnerabilities have been discovered in the Linux kernel. A local attacker can use these to cause a Denial of Service (DoS) or possibly execute arbitrary code. The updates are available.
An information leak vulnerability has been discovered in Huawei Products. The module does not deal with specific input sufficiently. A high privilege attackers can exploit this vulnerability by sending specially crafted input which leads to an information leak.
CVE ID: CVE-2021-22342
A command injection vulnerability has been discovered in Huawei Products. A attacker can exploit this vulnerability by sending malicious parameters to inject command which compromise normal service.
CVE ID: CVE-2021-22377
A race condition vulnerability has been discovered in Huawei Products. Successful exploit may cause the affected device abnormal.
CVE ID: CVE-2021-22378
CISA has released Best Practices for MITRE ATT&CK Mapping. The guide shows analysts through instructions and examples how to map adversary behavior to the MITRE ATT&CK framework.
It has been discovered that the reference implementation of FUSE, local attacker is able to specify the allow_other option even if forbidden in /etc/fuse.conf, leading to exposure of FUSE filesystems to other users. This vulnerability only affects systems with SELinux active. The affected versions are FUSE before 2.9.8.
CVE ID: CVE-2021-33805
It has been discovered that Froala what-you-see-is-what-you-get (WYSIWYG) Editor is affected by a vulnerability in its HTML sanitization parsing, which allows an attacker to bypass built-in Cross-Site Scripting (XSS) protections and execute arbitrary JavaScript code. The affected version is WYSIWYG Editor 3.2.6.
CVE ID: CVE-2021-28114 (High)
RedHat has released security updates for EAP XP 1 to resolve multiple vulnerabilities in EAP 7.3.x base. There are no changes to the EAP XP1 code base.
Multiple vulnerabilities have been discovered in Firefox. If a user is tricked into opening a specially crafted website an attacker can potentially exploit these to cause a Denial of Service (DoS), re-enable camera devices without an additional permission prompt, spoof the browser UI, or execute arbitrary code. The updates are available.
CVE ID: CVE-2021-29959, CVE-2021-29961,CVE-2021-29966, CVE-2021-29967, CVE-2021-29960
Cisco has released security updates to address numerous vulnerabilities in multiple Cisco products. An attacker can exploit these vulnerabilities to take control of an affected system.
The Stable channel has been updated to 91.0.4472.81 (Platform version: 13904.41.0) for most Chrome OS devices. This build contains a number of features, bug fixes, and security updates.
An Improper permission assignment vulnerability has been discovered in Huawei LTE USB Dongle Products. An attacker can locally access and log in to a PC to induce a user to install a specially crafted application. After successfully exploiting this vulnerability, the attacker can perform unauthenticated operations. The updates are available.
The BIG-IQ Configuration utility has an authenticated remote command execution vulnerability in undisclosed pages. This vulnerability allows an authenticated admin user or a user account assigned with an administrator role and no shell access to execute arbitrary system commands as a root user.
CVE ID: CVE-2021-23024
Multiple Vulnerabilities have been discovered in Apache HTTP Server. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2019-17567, CVE-2020-13938, CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691, CVE-2021-30641, CVE-2021-31618
A missing permission check vulnerability has been discovered in Nextcloud Mail App- a mail app for the Nextcloud platform. . This vulnerability allows another authenticated users to access mail metadata of other users. The affected versions are Nextcloud Mail before 1.4.3 and 1.8.2.
CVE ID: CVE-2021-32652(High)
Multiple vulnerabilities have been discovered in HPE Integrated Lights-Out 5 (iLO 5), and HPE Integrated Lights-Out 4 (iLO 4). HPE has made the software update to resolve the vulnerabilities in HPE Integrated Lights-Out 5 (iLO 5) version 2.44 or later, and HPE Integrated Lights-Out4 (iLO 4) version 2.78 or later.
An unauthenticated arbitrary file Upload vulnerability has been discovered in Fancy Product Designer, a WordPress plugin. The affected versions are Fancy Product Designer prior 4.6.9. The update is available.
CVE ID: CVE-2021-24370 (Critical)
Multiple vulnerabilities have been discovered in McAfee Database Security (DBSec). The affected versions are DBSec prior to 4.8.2. It is recommended to upgrade to DBSec 4.8.2.
CVE ID: CVE-2021-23894 (Critical), CVE-2021-23895 (Critical), CVE-2021-23896 (Low), CVE-2021-31830 (Medium), CVE-2021-31831 (Medium)
Multiple vulnerabilities have been discovered in IBM Jazz Team Server. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Korenix Technology, Westermo and Pepperl+Fuchs products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2020-12500 (Critical), CVE-2020-12501 (Critical), CVE-2020-12501 (High), CVE-2020-12503 (High), CVE-2020-12504 (Critical)
Multiple vulnerabilities such as Out-of-Bounds Write, Out-of-Bounds Read have been discovered in Hillrom's Equipment- Welch Allyn medical device management tools. Successful exploitation of these vulnerabilities can allow an attacker to cause memory corruption and remotely execute arbitrary code.
CVE ID: CVE-2021-27410 (Medium), CVE-2021-27408 (Medium)
Mozilla has released security updates to address vulnerabilities in Firefox for iOS, Firefox ESR, and Firefox 89. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Cisco has released security updates to address vulnerabilities in Cisco Integrated Management Controller (IMC) and Lasso Security Assertion Markup Language (SAML) Single Sign-On (SSO) library. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-1397 (Medium), CVE-2021-28091
It has been discovered that a lack of filename validation when unzipping archives prior to WhatsApp for Android and WhatsApp Business for Android can have allowed path traversal attacks that overwrite WhatsApp files. The affected versions are WhatsApp for Android v2.21.8.13 and WhatsApp Business for Android v2.21.8.13.
CVE ID: CVE-2021-24035
Multiple vulnerabilities have been discovered in various FortiGate products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
A vulnerability has been discovered in Python through 3.8.3. In Lib/tarfile.py in Python , an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
CVE ID: CVE-2019-20907 (High)
A vulnerabilty has been discovered in Python3.8. The Python stdlib ipaddress API incorrectly handled octal strings. A remote attacker can possibly use this issue to perform a wide variety of attacks, including by passing certain access restrictions.
CVE ID: CVE-2021-29921 (Critical)
It has been discovered that libwebp - a lossy compression of digital photographic images incorrectly handled certain malformed images. If a user or automated system is tricked into opening a specially crafted image file a remote attacker can use this vulnerability to cause libwebp to crash, resulting in a Denial of Service (DoS) or possibly execute arbitrary code.
It has been discovered that GUPnP- a framework for creating UPnP devices & control points incorrectly filtered local requests. If a user is tricked into visiting a malicious website, a remote attacker can possibly use this issue to perform actions against local UPnP services such as obtaining or altering sensitive information.
CVE ID: CVE-2021-33516 (High)
It has been discovered that the restapps (aka Rest Phone apps) module for Sangoma FreePBX and PBXact allows remote code execution via a URL variable to an AMI command. The affected versions are Sangoma FreePBX and PBXact 13, 14, and 15 through 15.0.19.2.
CVE ID: CVE-2020-10666
It has been discovered that LZ4- extremely fast compression algorithm incorrectly handled certain memory operations. If a user or automated system is tricked into uncompressing a specially-crafted LZ4 file, a remote attacker can use this issue to cause LZ4 to crash, resulting in a Denial of Service(DoS), or possibly execute arbitrary code.
CVE ID: CVE-2021-3520
A security update has been released for Docker that automates the deployment of any application as a lightweight, portable, self-sufficient container which runs virtually anywhere. This update resolve the vulnerability to symlink exchange attack.
CVE ID: CVE-2021-30465
It has been discovered that RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data.
CVE ID: CVE-2021-33790
It has been discovered that rxvt-unicode,a customizable terminal emulator allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline. It is recommended to upgrade the rxvt-unicode packages.
CVE ID: CVE-2021-33477 (High)
A vulnerability has been discovered in libxml2, the GNOME XML library. This vulnerability is called "Parameter Laughs"-attack and related to parameter entities expansion. It is recommended to upgrade the libxml2 packages.
CVE ID: CVE-2021-3541
Multiple vulnerabilities have been discovered in Webkit2gtk web engine that leads to arbitrary code execution. The updates are available.
CVE ID: CVE-2021-1788(High), CVE-2021-1844(High), CVE-2021-1871(Critical)
A remote code execution vulnerability has been discovered in the web UI of VoIPmonitor. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php. The affected versions are web UI of VoIPmonitor prior 24.61.
CVE ID: CVE-2021-30461
An argument injection vulnerability in the Dragonfly gem for Ruby, suitable for image uploading allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This can lead to code execution. The affected versions are Dragonfly gem prior 1.4.0.
CVE ID: CVE-2021-33564
A vulnerability has been discovered in import functionality of Hyperkitty- the web user interface to access Mailman 3 archives which do not restrict the visibility of private archives during the import.The update is available.
CVE ID: CVE-2021-33038
It has been observed that threat actor is sending spoofed emails that appeared to originate from government organization or IGOs or NGOs. The emails contained a legitimate constant contact link that redirected to a malicious URL from which a malicious ISO file is dropped onto the victim’s machine. The ISO file contains a malicious Dynamic Link Library (DLL), a benign decoy PDF & a malicious shortcut file that executes the Cobalt Strike Beacon loader.
Multiple vulnerabilities are discovered in Samba, SMB/CIFS file, print, and login server for Unix. An attacker can exploit some of these vulnerabilities to take control of an affected system.
It has been discovered that Frontier ichris mishandles making a DNS request for the hostname in the HTTP Host header, as demonstrated by submitting 127.0.0.1 multiple times for DoS. The affected version are RFrontier ichris through 5.18.
CVE ID: CVE-2021-31702
A memory protection bypass vulnerability has been discovered in SIMATIC S7-1200 and S7-1500 CPU products that can allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks.
CVE ID: CVE-2020-15782
It has been discovered that an unspecified vulnerability in Java SE related to the Libraries component can allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVE ID: CVE-2021-2161 (Medium)
A vulnerability has been discovered in the SonicWall NSM On-Prem product that allows an authenticated attacker to perform OS command injection using a crafted HTTP request. This vulnerability affects NSM On-Prem 2.2.0-R10 and earlier versions.
CVE ID: CVE-2021-20026 (High)
Multiple vulnerabilities have been discovered in Mitsubishi Electric's Equipment- MELSEC iQ-R Series, FA engineering software products, Mitsubishi Electric Factory Automation products, and Mitsubishi Electric Factory Automation Engineering products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-20591 (Medium), CVE-2021-20587 (High), CVE-2021-20588 (High), CVE-2020-14523 (High), CVE-2020-14521 (High)
Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds. This wide-scale email campaign leverages the legitimate service constant contact to send malicious links that are obscured behind the mailing service’s URL
Off-by-one Error vulnerability has been discovered in Sensormatic Electronics Equipment - VideoEdge versions prior to 5.7.0 , LLC, a subsidiary of Johnson Controls. Under specific circumstances, a local authenticated user may be able to exploit this vulnerability to gain administrative access.
CVE ID: CVE-2021-3156 (High)
Heap-based Buffer Overflow vulnerability has been discovered in GENIVI Alliance's Equipment- DLT-Daemon. Successful exploitation of this vulnerability can lead to remote code execution or crash the application. The affected products are DLT-daemon (diagnostic log and trace) versions prior to 2.18.6.
CVE ID: CVE-2020-36244 (Critical)
Multiple vulnerabilities have been discovered in Mesa Labs' Equipment- AmegaView- a continuous monitoring hardware and software platform . Successful exploitation of these vulnerabilities can allow remote code execution or allow access to the device.
CVE ID: CVE-2021-27447 (Critical), CVE-2021-27451 (High), CVE-2021-27453 (High), CVE-2021-27449 (Critical), CVE-2021-27445 (High)
A Vulnerability has been discovered in nginx -small, powerful, scalable web/proxy server that incorrectly handled responses to the DNS resolver. A remote attacker can use this issue to cause nginx to crash, resulting in a Denial of Service(DoS) or possibly execute arbitrary code.
CVE ID: CVE-2021-23017
Multiple vulnerabilities have been discovered in Moxa’s NPort IAW5000A-I/O Series Wireless Device Server. This may allow remote attackers to initiate a Denial of Service (DoS) attack and Execute Arbitrary Code (RCE).
A potential security vulnerability has been identified in HPE Systems Insight Manager (SIM) version 7.6. Hewlett Packard Enterprise (HPE) has released a security update to address vulnerability. HPE SIM is a remote support automation and management solution for HPE servers, storage, and networking products, including HPE's ProLiant Gen10 and ProLiant Gen9 servers.
CVE ID: CVE-2020-7200(Critical)
Multiple vulnerabilities have been discovered in several products of Codesys. An attacker can exploit some of these vulnerabilities to take control of an affected system.
An improper neutralization of Carriage Return Line Feed (CRLF) sequences in HTTP Headers ('HTTP Response Splitting') weakness has been discovered in J-web of Juniper Networks Junos OS that leads to buffer overflows, segment faults, or other impacts. This allows an attacker to modify the integrity of the device and exfiltration information from the device without authentication.
CVE ID: CVE-2021-0268(High)
Google has released update for Chrome Dev channel to version 2.0.4515.19/20 for Windows 92.0.4515.20 for Mac and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
It has been discovered that a program code used by the ISC DHCP package to read and parse stored leases has a vulnerability that can be exploited by an attacker to cause one of several undesirable outcomes, depending on the component attacked and the way in which it was compiled. The dhcpd and dhclient are affected.
CVE ID: CVE-2021-25217 (High)
It has been discovered that ansible.log file is visible to unprivileged users. An update for tripleo-ansible is now available for Red Hat OpenStack Platform 16.1 (Train).
CVE ID: CVE-2021-31918 (High)
It has been discovered Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML which can lead to an XSS attack. The affected versions are Drupal 8.9, 9.0, and 9.1
Multiple vulnerabilities such as Carriage Return Line Feed (CRLF) injection and Denial of Service via malicious header have been discovered in python-httplib2. An update for python-httplib2 is now available for Red Hat OpenStack Platform 16.1 (Train).
CVE ID: CVE-2020-11078 (Medium), CVE-2021-21240 (High)
Multiple vulnerabilities have been discovered in Luxion KeyShot. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-27488 (High), CVE-2021-27492 (Medium), CVE-2021-27494 (High), CVE-2021-27496 (High), CVE-2021-27490 (High)
It has been discovered that zettlr- the markdown editor contains a Cross-Site Scripting(XSS) vulnerability. The affected versions are zettlr versions from 0.20.0 until 1.8.8.
CVE ID: CVE-2021-20727 (Medium)
Google has released Chrome version 91.0.4472.77 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
VMware has released security updates to address multiple vulnerabilities in vCenter Server and Cloud Foundation. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-21985, CVE-2021-21986
The vulnerability has been discovered in Rockwell Automation's Equipment- Micro800, MicroLogix 1400. When an authenticated password change request takes place this vulnerability can allow the attacker to intercept the message that includes the legitimate, new password hash and replace it with an illegitimate hash. The user will no longer be able to authenticate to the controller causing a denial of service (DoS) condition.
CVE ID: CVE-2021-32926 (Medium)
Multiple vulnerabilities have been discovered in Datakit's Equipment- software libraries embedded in Luxion KeyShot software. Successful exploitation of these vulnerabilities can lead to execution of arbitrary code and disclosure of arbitrary files to unauthorized actors.
CVE ID: CVE-2021-27488 (High), CVE-2021-27492 (Medium), CVE-2021-27494 (High), CVE-2021-27496 (High), CVE-2021-27490 (High)
It has been discovered that IBM WebSphere Application Server Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker can exploit this vulnerability to expose sensitive information or consume memory resources.
CVE ID: CVE-2021-20492 (Medium)
Google discovered new vulnerability called Half-Double, a new Rowhammer technique that capitalizes on the worsening physics of some of the newer DRAM chips to alter the contents of memory. Rowhammer is a DRAM vulnerability whereby repeated accesses to one address can tamper with the data stored at other addresses.
It has been discovered that Checkbox Survey insecurely deserializes ASP.NET View State data, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable server. The affected versions are Checkbox Survey prior to version 7.0.
CVE ID: CVE-2021-27852
A critical unauthenticated stored XSS vulnerability has been discovered in the Target First WordPress Plugin v2.0, also previously known as Watcheezy. An attacker can change the license key value through a POST on any URL with the 'weeWzKey' parameter that will be saved as the 'weeID option and is not sanitized.
CVE ID: CVE-2021-24305
Apple has released security updates to address vulnerabilities in multiple products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
A missing length validation vulnerability has been discovered in various functions provided by libx11. The X11 client-side library, allows to inject X11 protocol commands on X clients which lead to authentication bypass, Denial of Service (DoS) or potentially the execution of arbitrary code. It is recommended to upgrade the libx11 packages.
CVE ID: CVE-2021-31535
A vulnerability has been discovered in Koel- a web-based personal audio streaming service which lacks login throttling & password strength policy and shows whether a failed login attempt has a valid username. This might make brute-force attacks easier. The affected versions are Koel before 5.1.4.
CVE ID: CVE-2021-33563
A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Shopizer- an e-commerce solution in Java built for the cloud. The vulnerability allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product. The affected versions are Shopizer prior to 2.17.0.
CVE ID: CVE-2021-33562
It has been discovered that EyesOfNetwork eonweb allows Remote Command Execution (RCE) by authenticated users via shell metacharacters in the nagios_path parameter to lilac/export.php, as demonstrated by %26%26+curl to insert an "&& curl" substring for the shell. The affected versions are EyesOfNetwork eonweb through 5.3-11.
CVE ID: CVE-2021-33525
It has been discovered that Feehi CMS is affected by a Server-Side Request Forgery (SSRF) vulnerability. When the user modifies the HTTP Referer header to any url, the server can make a request to it. The affected version is Feehi CMS 2.1.1.
CVE ID: CVE-2021-30108
A vulnerability discovered in OpenLDAP- an open source implementation of the Lightweight Directory Access Protocol which allows an attacker to process malicious packet by OpenLDAP’s slapd server trigger an assertion failure. The highest threat from this vulnerability is to system availability.
CVE ID: CVE-2020-20178
Multiple vulnerabilities have been discovered in Bluetooth Core and Mesh specifications The devices supporting the Bluetooth Core and Mesh specifications are vulnerable to impersonation attacks and AuthValue disclosure that can allow an attacker to impersonate a legitimate device during pairing.
CVE ID: CVE-2020-26555, CVE-2020-26556, CVE-2020-26557, CVE-2020-26558, CVE-2020-26559, CVE-2020-26560
Untrusted search path vulnerability has been discovered in the installer of Overwolf which allows an attacker to gain privileges and execute arbitrary code with the privilege of the user invoking the installer via a Trojan horse DLL in an unspecified directory. The affected versions are Overwolf 2.168.0.n and earlier.
CVE ID: CVE-2021-20726
An integer overflow vulnerability has been discovered in LZ4-lossless compression algorithm which can result in memory corruption.Security update has been released for LZ4.
CVE ID: CVE-2021-3520
A vulnerability has been discovered in ring- a secure and distributed voice, video and chat platform. Due to bad handling of two consecutive crafted answers to an INVITE, the attacker is able to crash the server resulting in a denial of service(DoS).
CVE ID: CVE-2021-21375 (Medium)
A vulnerability has been discovered in the InterProcess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software which can allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script.
CVE ID: CVE-2020-3556 (High)
Multiple NetApp products incorporate GNU Binutils- a collection of binary tools. GNU Binutils version 2.35.1 is susceptible to a vulnerability which when successfully exploited can lead to denial of service (DoS).
CVE ID: CVE-2021-20284 (Medium)
It has been discovered that PuTTY on Windows allows remote servers to cause a denial of service (Windows GUI hang) by telling the PuTTY window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls. The affected versions are PuTTY prior to 0.75.
CVE ID: CVE-2021-33500 (High)
A code injection vulnerability has been discovered in the Upgrade function of QibosoftX1. An attacker can execute arbitrary PHP code via exploitation of client_upgrade_edition.php and Upgrade.php. The affected version is QibosoftX1 v1.0.
CVE ID: CVE-2021-27811
A relative path traversal vulnerability has been discovered in QNAP NAS running QTS and QuTS hero. If exploited this vulnerability allows attackers to modify files which impact system integrity.
CVE ID: CVE-2021-28798 (High)
A vulnerability has been discovered in QNAP NAS. The ransomware Qlocker is exploiting this vulnerability to attack QNAP NAS running certain versions of Hybrid Backup Sync (HBS) 3. Once a NAS is infected, the ransomware moves files on the NAS into password-protected 7z archives. To prevent infection from Qlocker update HBS 3 to the latest version.
CVE ID: CVE-2021-28799 (Critical)
In Trusted Firmware-M which is developed as an Open Source project under an Open Governance Model cleaning up the memory allocated for a multi-part cryptographic operation (in the event of a failure) can prevent the abort() operation in the associated cryptographic library from freeing internal resources, causing a memory leak. The affected versions are Trusted Firmware-M through 1.3.0.
CVE ID: CVE-2021-32032
Multiple vulnerabilities such as Remote Code Execution (RCE), privilege escalation,authenticated remote code execution and information disclosure have been discovered in Nagios XI and Nagios Fusion servers. An attacker may exploit some of these vulnerabilities to take control of an affected system.
Cisco has released security updates to address multiple vulnerabilities in several Cisco products. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
Google has released update for Chrome Dev channel to version 92.0.4512.3/6 for Windows 92.0.4512.4 for Mac and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
An authorization bypass vulnerability has been discovered when using AUTO_PASSTHROUGH in istio servicemesh. An update for servicemesh is now available for OpenShift Service Mesh 1.1.
CVE ID: CVE-2021-31921
Multiple vulnerabilities have been discovered in keycloak based Red Hat Single Sign-On. New Red Hat Single Sign-On 7.4.7 packages are now available for Red Hat Enterprise Linux 6.
CVE ID: CVE-2021-3461, CVE-2021-3424
Denial of Service (DoS) vulnerability has been discovered in some versions of ManageOne- an end-to-end data center management solution.
CVE ID: CVE-2021-22409
A stack overflow vulnerability discovered in libyang can cause a Denial of Service(DoS) through function lyxml_parse_mem(). lyxml_parse_elem() function can be called recursively, which will consume stack space and lead to crash. The affected versions are libyang v1.0.225 and below.
CVE ID: CVE-2021-28903
It has been discovered that Pajbot, a Twitch chat bot, is vulnerable to Cross-Site Request Forgery (CSRF). The affected versions are Pajbot prior to 1.52.
CVE ID: CVE-2021-32632
Multiple vulnerabilities have been discovered in OpenvSwitch which provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. An update for openvswitch is now available in Fast Datapath for Red Hat Enterprise Linux 7.
CVE ID: CVE-2015-8011(Critical), CVE-2020-27827(High), CVE-2020-35498(High)
Multiple vulnerabilities have been discovered in VMware Workstation and Horizon Client for Windows. Updates and workarounds are available to remediate these vulnerabilities in affected VMware products.
CVE ID: CVE-2021-21987, CVE-2021-21988, CVE-2021-21989
Multiple vulnerabilities has been discovered in multiple Real-Time Operating Systems (RTOS) and supporting libraries. Successful exploitation of these vulnerabilities can result in unexpected behavior such as a crash or a remote code injection/execution.
Multiple vulnerabilities have been discovered in redis.The affected products are SUSE Linux Enterprise Module for Server Applications 15-SP3 & SUSE Linux Enterprise Module for Server Applications 15-SP2. The updates are now available.
CVE ID: CVE-2021-21309(High), CVE-2021-29477(High), CVE-2021-29478(High)
A vulnerability has been found in the restricted shell of Cisco Evolved Programmable Network (EPN) Manager, Cisco Identity Services Engine (ISE), and Cisco Prime Infrastructure which allow an authenticated, local attacker to identify directories and write arbitrary files to the file system. CVE ID: CVE-2021-1306
Multiple vulnerabilities have been found in Cisco DNA Spaces Connector which allow an authenticated, remote attacker to perform a command injection attack on an affected device. CVE ID: CVE-2021-1559, CVE-2021-1560
Multiple vulnerabilities have been discovered in Cisco DNA Spaces Connector that allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. CVE ID: CVE-2021-1557, CVE-2021-1558
A vulnerability has been discovered in the web-based management interface of Cisco Finesse which allow an unauthenticated, remote attacker to redirect a user to an undesired web page. CVE ID: CVE-2021-1358
Multiple vulnerabilities have been discovered in the web-based management interface of Cisco Finesse that allow an authenticated, remote attacker to conduct a Cross-Site Scripting (XSS) attack against a user of the interface. CVE ID: CVE-2021-1254
Multiple Vulnerabilities have been discovered in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points which allow an authenticated, remote attacker to perform command injection attacks against an affected device. CVE ID: CVE-2021-1547, CVE-2021-1548, CVE-2021-1549
A vulnerability has been discovered in the CLI of Cisco NX-OS Software which allow an authenticated, local attacker to access internal services that should be restricted on an affected device. CVE ID: CVE-2019-1726(High)
A vulnerability has been discovered in the web UI of Cisco Modeling Labs that allow an authenticated, remote attacker to execute arbitrary commands with the privileges of the web application on the underlying operating system of an affected Cisco Modeling Labs server. CVE ID: CVE-2021-1531
A vulnerability has been discovered in the web-based management interface of Cisco Prime Infrastructure and EPN Manager which allow an authenticated remote attacker to execute arbitrary commands on an affected system. CVE ID: CVE-2021-1487
It has been discovered that runC incorrectly checked mount targets. An attacker with a malicious container image can possibly mount the host filesystem into the container and escalate privileges. CVE ID: CVE-2021-30465
It has been discovered that pip-Python package installer incorrectly handled unicode separators in git references. A remote attacker can possibly use this issue to install a different revision on a repository.
Multiple Vulnerabilities have been found in Pillow-Python Imaging Library. If a user or automated system are tricked into opening a specially-crafted file, a remote attacker can cause Pillow to crash or hand, resulting in a Denial of Service. CVE ID: CVE-2021-28677, CVE-2021-28675, CVE-2021-28678, CVE-2021-25287, CVE-2021-25288, CVE-2021-28676
A vulnerability has been discovered in Babel-tools for internationalizing python applications. If the user incorrectly handled certain inputs an attacker can possibly use this issue to execute arbitrary code. CVE ID: CVE-2021-20095(High)
Security Update has been released for OpenShift Container Platform 4.7.11 that fixes multiple vulerabilities. The Red Hat OpenShift Container Platform is designed for on-premise or private cloud deployments. CVE ID: CVE-2021-3121, CVE-2021-20206
Multiple vulnerabilities have been discovered in Red Hat JBoss Enterprise Application Platform 7.3.7. Security updates are now available for Red Hat JBoss Enterprise Application Platform 7.3 CVE ID: CVE-2020-13936(High), CVE-2021-21290(Medium), CVE-2021-21295(Medium)
Multiple vulnerabilities have been discovered in Red Hat JBoss Enterprise Application Platform 7.3.7 on RHEL 8. Security updates are now available for Red Hat JBoss Enterprise Application Platform 7.3 on RHEL 8 CVE ID: CVE-2020-13936(High), CVE-2021-21290(Medium), CVE-2021-21295(Medium)
Multiple vulnerabilities have been discovered in Red Hat JBoss Enterprise Application Platform 7.3.7 on RHEL 7. Security updates are now available for Red Hat JBoss Enterprise Application Platform 7.3 on RHEL 7 CVE ID: CVE-2020-13936(High), CVE-2021-21290(Medium), CVE-2021-21295(Medium)
Multiple vulnerabilities have been discovered in Red Hat JBoss Enterprise Application Platform 7.3.7 on RHEL 6. Security updates are now available for Red Hat JBoss Enterprise Application Platform 7.3 on RHEL 6 CVE ID: CVE-2020-13936(High), CVE-2021-21290(Medium), CVE-2021-21295(Medium)
Security update has been released for Red Hat OpenShift GitOps 1.1 that fixes multiple vulnerabilities. CVE ID: CVE-2020-15586, CVE-2020-16845, CVE-2020-25648, CVE-2020-25692, CVE-2020-28362, CVE-2021-3114, CVE-2021-3557, CVE-2021-20305, CVE-2021-25215
A Denial of Service (DoS) vulnerability has been discovered in Huawei smartphone products HUAWEI Mate 30 & HUAWEI Mate 30 (5G). The module does not verify certain parameters sufficiently and it leads to some exceptions. CVE ID: CVE-2021-22364
A resource management error vulnerability has been discovered in Some Huawei Products. An authenticate attacker can perform specific operations to exploit this vulnerability & due to improper resource management function this can cause service abnormal on affected devices. CVE ID: CVE-2021-22360
A Denial of Service (DoS) Vulnerability has been discovered in Some Huawei Products. An attacker can exploit vulnerability by sending specifically crafted message to a targeted device & due to insufficient input validation, successful exploit can cause DoS. CVE ID: CVE-2021-22359
Multiple Vulnerabilities have been discovered in Linux kernel for Ubuntu 20.04 LTS and Ubuntu 18.04 LTS specifically for Raspberry Pi devices. A local attacker can use these vulnerabilities to cause a Denial of Service (system crash) and gain elevated privileges. CVE ID: CVE-2021-29265(Medium), CVE-2021-28660(High), CVE-2021-30002(Medium), CVE-2020-25639, CVE-2021-28038(Medium), CVE-2021-29650(Medium), CVE-2021-28375(High)
Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Update has been released for squid:4 in Red Hat Enterprise Linux 8 that fixes improper input validation allowing a trusted client to perform HTTP request smuggling.
CVE ID: CVE-2020-25097(High)
Security Update has been released for Red Hat IdM:DL1 in Red Hat Enterprise Linux 8 that fixes NULL dereference (DoS) with specially crafted Binding DN. Red Hat IdM is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.
CVE ID: CVE-2021-3480
Security Update has been released for Berkeley Internet Name Domain (BIND)-an implementation of the Domain Name System (DNS) protocols in Red Hat Enterprise Linux 8. The vulnerability can cause an assertion check fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself.
CVE ID: CVE-2021-25215(High)
Security Update has been released for Red Hat OpenShift Serverless 1.10.2 that fixes incorrect operations on the P-224 curve and packages using cgo causing arbitrary code execution at build time.
Persistent Cross-Site Scripting (XSS) vulnerability has been discovered in the web interface of Concerto that allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the First Name or Last Name parameter upon registration. The affected versions are Concerto through 2.3.6.
CVE ID: CVE-2021-31930
It has been discovered that HedgeDoc is vulnerable to a cross-site scripting attack using the YAML-metadata of a note. An attacker with write access to a note can embed HTML tags in the Open Graph metadata section of the note, resulting in the frontend rendering the script tag as part of the '<head>' section. The affected versions are HedgeDoc prior to 1.8.2.
CVE ID: CVE-2021-29503 (High)
A cross-site scripting vulnerability has been discovered in Adminer that affects users of MySQL, MariaDB, PgSQL and SQLite. The affected versions are Adminer versions 4.6.1 to 4.8.0
CVE ID: CVE-2021-29625 (High)
Multiple vulnerabilities have been discovered in Red Hat OpenShift Container Storage. The updates for Red Hat OpenShift Container Storage 4.7.0 on Red Hat Enterprise Linux 8 are now available.
Integer overflow vulnerability via STRALGO LCS command has been discovered in redis- an advanced key-value store. An update for the redis:6 module is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2021-29477 (High)
NULL dereference (DoS) vulnerability with specially crafted Binding DN has been discovered in slapi-nis. An update for slapi-nis is now available for Red Hat Enterprise Linux 7.
CVE ID: CVE-2021-3480
Integer overflow vulnerability has been discovered in Intel(R) Graphics Drivers kernel. An update for linux-firmware is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2020-12362 (High)
Miltiple vulnerabilities such as use-after-free, out-of-bounds write, stack buffer overflow, and heap out-of-bounds have been discovered in grub2 of shim. An update for shim, shim-unsigned-aarch64, and shim-unsigned-x64 is now available for Red Hat Enterprise Linux 8.
It has been discovered that IBM Maximo Asset Management is vulnerable to stored Cross-Site Scripting (XSS). This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. The affected versions are IBM Maximo Asset Management 7.6.0 and 7.6.1.
CVE ID: CVE-2021-20374 (Medium)
Security Update has been released for Pandoc-a Haskell library for converting from one markup format to another in Red Hat Enterprise Linux 8 that fixes exponential time to parse certain inputs leading to Denial of Service (DoS).
CVE ID: CVE-2020-5238(Medium)
Multiple vulnerabilities have been discovered in Mingw- a free and open source software development environment to create Microsoft Windows applications. Security update has been released for mingw-binutils, mingw-bzip2, mingw-filesystem, and mingw-sqlite for Red Hat Enterprise Linux 8.
CVE ID: CVE-2019-16168(Medium), CVE-2020-13434(Medium) ,CVE-2020-13630(High), CVE-2020-13631(Medium), CVE-2020-13632(Medium)
Multiple vulnerabilities have been discovered in RHEL8 Rust toolset- a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety.Security update has been released for Rust-toolset:rhel8 in Red Hat Enterprise Linux 8 that fixes flaws like use-after-free or double free in VecDeque::make_contiguous and memory safety violation in String::retain().
CVE ID: CVE-2020-36317(High), CVE-2020-36318(Critical)
An improper pathname handling vulnerability has been discovered in ruby-rack-cors a middleware that makes Rack-based apps CORS compatible, resulting in access to private resources.
CVE ID: CVE-2019-18978 (Medium)
Multiple Vulnerabilities have been discovered in SUSE MicroOS 5.0 that can allow attacker to obtain sensitive information from kernel memory or Denial of Service (DoS) or take control of affected system.
The Chrome stable channel has been updated to 90.0.4430.218 (Platform version: 13816.80.0) for most Chrome OS devices. This build contains a number of bug fixes and security updates.
Multiple vulnerabilities have been discovered in Emerson's Equipment- Rosemount X-STREAM Gas Analyzer software. Successful exploitation of these vulnerabilities can allow an attacker to obtain sensitive information, modify configuration, or affect the availability of the device.
CVE ID: CVE-2021-27457 (High), CVE-2021-27459 (High), CVE-2021-27461 (High), CVE-2021-27463 (Medium), CVE-2021-27465 (Medium), CVE-2021-27467 (Medium)
Multiple vulnerabilities have been discovered in libvncserver - a C library that enables to implement VNC server functionality . An attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2018-21247 (High), CVE-2019-20839 (High), CVE-2020-14397 (High), CVE-2020-14405 (Medium), CVE-2020-25708 (High)
It has been discovered that in bluez double free in gatttool client disconnect callback handler in src/shared/att.c which can lead to Denial of Service (DoS) or Remote Code Execution (RCE). An update for bluez is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2020-27153 (High)
Multiple vulnerabilities such as heap-based buffer overflow and out of bounds array have been discovered in raptor2- the RDF Parser Toolkit for Redland. . An update for raptor2 is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2020-25713, CVE-2017-18926 (High)
A symbolic link attack in SELinux-enabled and a possible directory existence test due to race condition have been discovered in sudoedit for sudo. An update for sudo is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2021-23240 (High), CVE-2021-23239 (Low)
It has been discovered that when effective UID is not equal to its real UID the saved UID is not dropped in bash. An update for bash is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2019-18276 (High)
Multiple vulnerabilities such as out of bounds read, and integer overflow have been discovered in FreeRDP- a free implementation of the Remote Desktop Protocol (RDP) . An update for FreeRDP is now available for Red Hat Enterprise Linux 8.
Multiple vulnerabilities such as use-after-free, buffer overflow, NULL pointer dereference, and division by zero have been discovered in ghostscript- utilities for rendering PostScript and PDF documents. An update for ghostscript is now available for Red Hat Enterprise Linux 8.
Multiple vulnerabilities such as integer overflow, out-of-bounds write, infinite loop, symbolic link traversal, assertion failure and Denial of Service have been discovered in unbound- a validating, recursive, and caching DNS or DNSSEC resolver. An update for unbound is now available for Red Hat Enterprise Linux 8.
An authentication bypass vulnerability in saml authentication in crewjam/saml and XSS vulnerability via a query alias for the Elasticsearch and Testdata datasource have been discovered in grafana- an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. An update for grafana is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2020-27846 (Critical), CVE-2020-24303 (Medium)
A vulnerability in NetworkManager & libnma has been discovered that Profile with match.path setting triggers crash . An update for NetworkManager and libnma is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2021-20297
A Denial of Service (DoS) Vulnerability has been found in Mitsubishi Electric MELSEC iQ-R, Q and L series CPU modules due to uncontrolled resource consumption. When the CPU module receives a specially crafted packet from a malicious attacker, Ethernet communication may enter a DoS condition.
CVE ID: CVE-2020-16850 (High)
A Denial of Service (DoS) Vulnerability has been found in Mitsubishi Electric MELSEC iQ-R, Q and L series CPU modules due to uncontrolled resource consumption. When the CPU module receives a specially crafted packet from a malicious attacker, Ethernet communication may enter a DoS condition.
CVE ID: CVE-2020-5652 (High)
A Denial of Service (DoS) Vulnerability has been found in MELSEC iQ-R series modules due to uncontrolled resource consumption. When a module receives a specially crafted SLMP packet from a malicious attacker, the program execution and communication may enter a DoS condition.
CVE ID: CVE-2020-5668 (High)
A Vulnerability has been discovered in Mitsubishi Electric robot controller of MELFA FR Series and CR Series as well as cooperative robot ASSISTA due to a resource management errors. These robot controllers allow an attacker to cause a Denial of Service (DoS) of the execution of the robot program and the Ethernet communication by sending a large amount of packets in burst over a short period of time.
CVE ID: CVE-2021-20586 (High)
Multiple vulnerabilities have been discovered in Siemens' Equipment- JT2Go and Teamcenter Visualization. An attacker can exploit some of these vulnerabilities to take control of an affected system.
A Vulnerability has been discovered in Juniper Networks SRX Series devices that leads to memory leak when querying Aggregated Ethernet (AE) interface statistics. The affected products are Junos OS 17.1 versions 17.1R3 and above prior to 17.3R3-S11, 17.4, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2, 20.3.
CVE ID: CVE-2021-0230 (High)
A memory corruption issue has been discovered in Apple boot camp 6.1.14. A malicious application may be able to elevate privileges. The affected products are Mac Pro (Late 2013 and later), MacBook Pro (Late 2013 and later), MacBook Air (Mid 2013 and later), Mac mini (Mid 2014 and later), iMac (Mid 2014 and later), MacBook (Early 2015 and later), iMac Pro (Late 2017). Apple security updates are available.
CVE ID: CVE-2021-30675
Twelve vulnerabilities have been discovered in frame aggregation and fragmentation implementations of 802.11 standard in Cisco products, out of which one vulnerability is in the frame aggregation functionality, two vulnerabilities are in the frame fragmentation functionality, and the other nine are implementation vulnerabilities. These vulnerabilities can allow an attacker to forge encrypted frames, which can in turn enable the exfiltration of sensitive data from a targeted device.
A vulnerability has been discovered in the web-based management interface of Cisco Unified Intelligence Center Software that can allow an unauthenticated, remote attacker to conduct a Cross-Site Scripting (XSS) attack.
CVE ID: CVE-2021-1463(Medium)
Multiple Vulnerabilities have been discovered in JT2Go and Teamcenter Visualization which can be triggered when the products read files in different file formats. If a user is tricked to opening of a malicious file with the affected products, this can lead to application crash, or potentially arbitrary code execution or data extraction on the target host system. The update has been released to fix these vulnerabilities.
Multiple Vulnerabilities have been discovered in JT2Go and Teamcenter Visualization which can be triggered when the products read files in different file formats. If a user is tricked to opening of a malicious file with the affected products, this can lead to application crash, or potentially arbitrary code execution or data extraction on the target host system. The update has been released to fix these vulnerabilities.
Multiple Vulnerabilities have been discovered in JT2Go and Teamcenter Visualization which can be triggered when the products read files in different file formats. If a user is tricked to opening of a malicious file with the affected products, this can lead to application crash, or potentially arbitrary code execution or data extraction on the target host system. The update has been released to fix these vulnerabilities.
A vulnerability has been discovered in Eventlet - concurrent networking library incorrectly handled certain requests. An attacker can possibly use this issue to cause a Denial of Service.
CVE ID: CVE-2021-21419 (Medium)
It has been discovered that the caribou-configurable on screen keyboard with scanning mode can be made to crash when given certain input values. An attacker can use this to bypass screen-locking applications that support using caribou as an input mechanism.
CVE ID: CVE-2020-25712 (High)
A vulnerability has been discovered that in InvoicePlane-a self-hosted open source application for managing quotes, invoices, clients and payments. A misconfigured web server allows unauthenticated directory listing and file download. The affected version is InvoicePlane 1.5.11.
CVE ID: CVE-2021-29024
Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. It has been discovered that when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This only impacts the local user while in the process of uploading. The affected versions are Matrix-React-SDK versions prior to 3.21.0.
CVE ID: CVE-2021-32622 (Medium)
Multiple vulnerabilities have been discovered in Intel Microcode processor-a processor microcode for Intel CPUs. A local attacker can possibly use these vulnerabilities to expose sensitive information.
CVE ID: CVE-2020-8695 (Medium), CVE-2020-8696 (Medium), CVE-2020-8698 (Medium)
Multiple vulnerabilities have been discovered in Rust-Pleaser-Please package,a polite regex-first sudo alternative. A local attacker can use these vulnerabilities to cause Please to crash, resulting in a Denial of Service (DoS), or possibly escalate privileges.
CVE ID: CVE-2021-31155, CVE-2021-31154, CVE-2021-31153
DjVuLibre- a DjVu image format library and tools incorrectly handled certain memory operations. If a user or automated system is tricked into processing a specially crafted DjVu file, a remote attacker can cause applications to hang or crash, resulting in a Denial of Service, or possibly execute arbitrary code.
CVE ID: CVE-2021-32493, CVE-2021-32490, CVE-2021-3500, CVE-2021-32492, CVE-2021-32491
Security update has been released for lz4 - lossless compression algorithm that fixes multiple vulnerabilities.
CVE ID: CVE-2021-3520, CVE-2019-17543(High)
Buffer overflow vulnerability has been discovered in the Pulse Connect Secure (PCS) gateway, this allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user. The affected versions are PCS 9.0Rx, and 9.1Rx. It is recommended to upgrade the PCS server software version to the 9.1R.11.5.
CVE ID: CVE-2021-22908 (High)
Multiple vulnerabilities have been discovered in multiple IBM products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
An Advanced Persistent Threat (APT) actor added malicious code to multiple versions of SolarWinds Orion. After entering the network, the threat actor bypassed Multi-Factor Authentication (MFA) and moved laterally to Microsoft Cloud systems by compromising federated identity solutions. Eviction guidance for networks affected is available.
Multiple vulnerabilities have been discovered in jetty, a Java servlet engine and webserver. An attacker can reveal cryptographic credentials such as passwords to a local user, disclose installation paths, hijack user sessions or tamper with collocated webapps. It is recommended to upgrade the jetty9 packages.
CVE ID: CVE-2017-9735 (High), CVE-2018-12536 (Medium), CVE-2019-10241 (Medium), CVE-2019-10247 (Medium), CVE-2020-27216 (High)
It has been discovered that the memcpy() implementation for 32 bit ARM processors in the GNU C Library contained an integer underflow vulnerability and the POSIX regex implementation in the GNU C Library do not properly parse alternatives. An attacker can possibly use these to cause a Denial of Service or execute arbitrary code.
CVE ID: CVE-2020-6096 (High), CVE-2009-5155 (High)
Multiple vulnerabilities have been discovered in Cisco products. These vulnerabilities can allow an attacker to forge encrypted frames, which can in turn enable the exfiltration of sensitive data from a targeted device.
Red Hat AMQ Streams 1.6.4 has been released that replaces Red Hat AMQ Streams 1.6.2 and also fixes numerous security vulnerabilities.
CVE ID: CVE-2021-28163(Low), CVE-2021-28164(Medium), CVE-2021-28165(High)
Security update has been released for the Linux Kernel that solves multiple vulnerabilities.
CVE ID: CVE-2020-36310, CVE-2020-36312, CVE-2020-36322, CVE-2021-28950, CVE-2021-29155, CVE-2021-29650
Multiple vulnerabilities related to the functionality of Wi-Fi devices have been found that affect multiple products. Exploitation of these vulnerabilities may result in data exfiltration.
It has been discovered that Dell EMC XtremIO contain a Cross-Site Request Forgery(CSRF) vulnerability in XMS. A non-privileged attacker can potentially exploit this vulnerability, leading to a privileged victim application user being tricked into sending state-changing requests to the vulnerable application, causing unintended server operations. The affected products are Dell EMC XtremIO Versions prior to 6.3.3-8.
CVE ID: CVE-2021-21549 (High)
WordPress versions between 3.7 and 5.7.1 are affected by Object injection vulnerability. An attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2020-36326 (Critical), CVE-2018-19296 (High)
Exposure of sensitive information to an unauthorised actor vulnerability has been discovered in Unified Automation GmbH's Equipment- .NET applications. Successful exploitation of this vulnerability can allow an unauthenticated attacker to read any file on the file system.
CVE ID: CVE-2021-27434 (High)
Uncontrolled recursion vulnerability has been discovered in OPC Foundation's Equipment- OPC UA Servers. Successful exploitation of this vulnerability can trigger a stack overflow.
CVE ID: CVE-2021-27432 (High)
Off-by-one error vulnerability has been discovered in Johnson Controls' Equipment- Tyco AI. Under specific circumstances, a local attacker can use this vulnerability to obtain super-user access to the underlying openSUSE Linux operating system. The affected products are Tyco AI all versions up to and including v1.2.
CVE ID: CVE-2021-3156 (High)
Deserialization of untrusted data, path traversal, and improper input validation have been discovered in Rockwell Automation's Equipment- Connected Components Workbench. Successful exploitation of these vulnerabilities may allow remote code execution, authentication bypass, or privilege escalation.
CVE ID: CVE-2021-27475 (High), CVE-2021-27471 (High), CVE-2021-27473 (Medium)
Multiple vulnerabilities have been discovered in NetApp products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in PostgreSQL. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-32027, CVE-2021-32028, CVE-2021-32029
A potential memory corruption vulnerability has been discovered in the lz4 compression algorithm library. It is recommended to upgrade the lz4 packages.
CVE ID: CVE-2021-3520
Privilege escalation vulnerability has been discovered in .NET Core single-file application. An update for rh-dotnet50-dotnet is now available for .NET on Red Hat Enterprise Linux.
CVE ID: CVE-2021-31204
An Authentication Bypass vulnerability has been discovered in the SAML Authentication component of BlackBerry Workspaces Server (deployed with Appliance-X) which can allow an attacker to potentially gain access to the application in the context of the targeted user’s account. The affected versions are BlackBerry Workspaces Server 10.1, 9.1 and earlier.
CVE ID: CVE-2021-22155
It has been discovered that Deskpro Cloud Platform and on-premise 2020.2.3.48207 from 2020-07-30 contains a Cross-Site Scripting (XSS) vulnerability that can lead to an account takeover via custom email templates.
CVE ID: CVE-2020-28722
A vulnerability has been discovered in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory.
CVE ID: CVE-2021-20202
A vulnerability has been discovered in Endpoint Security for Linux - Threat Prevention and Firewall (ENSL TP/FW) version 10.7.x, 10.6.x &10.5.x . By exploiting a Time Of Check To Time Of Use (TOCTOU) race condition during the Endpoint Security for Linux Threat Prevention and Firewall (ENSL TP/FW) installation process, a local user can perform a privilege escalation attack to obtain administrator privileges for the purpose of executing arbitrary code through insecure use of predictable temporary file locations.
CVE ID: CVE-2021-23892 (High)
Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
A vulnerability has been that can result in a local user escalating their privilege level to SYSTEM on the computer running Citrix Workspace app for Windows.
CVE ID: CVE-2021-22907
Multiple vulnerabilities have been discovered in Juniper Networks Mist Access Points. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Buffer Access with Incorrect Length Value vulnerability has been discovered in Mitsubishi Electric Corporation's Equipment- GOT and Tension Controller. Successful exploitation of this vulnerability may be able to stop the communication function of the products, requiring a reset to regain functionality.
CVE ID: CVE-2021-20589 (Medium)
Stack-based Buffer Overflow vulnerability has been discovered in Omron's Equipment- CX-One. Successful exploitation of this vulnerability may allow arbitrary code execution.
CVE ID: CVE-2021-27413 (High)
Multiple vulnerabilities have been discovered in multiple products of Siemens. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
The kernel packages contain the Linux kernel, the core of any Linux operating system. Multiple vulnerabilities have been discovered in kernel. An update for kernel is now available for Red Hat Enterprise Linux 7.7 Extended Update Support.
SAP has released security updates to address multiple critical vulnerabilities affecting several products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Google has released Chrome version 90.0.4430.212 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
Multiple vulnerabilities have been discovered in the WebKitGTK Web and JavaScript engines. If a user is tricked into viewing a malicious website, a remote attacker can exploit multiple vulnerabilities related to web browser security, including cross-site scripting attacks, Denial of Service attacks, and arbitrary code execution.
CVE ID: CVE-2021-1871 (Critical), CVE-2021-1844 (High), CVE-2021-1788 (High)
A vulnerability has been discovered in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link rather sending the data unencrypted. This allows anyone in between the two endpoints to read the traffic unencrypted data.
CVE ID: CVE-2020-1749 (High)
It has been discovered that PyYAML incorrectly handled untrusted YAML files with the FullLoader loader. A remote attacker can possibly use this issue to execute arbitrary code.
CVE ID: CVE-2020-14343 (Critical)
An out-of-bounds memory access vulnerability has been discovered in Hivex, a library to parse Windows Registry hive files. It is recommended to upgrade the hivex packages.
CVE ID: CVE-2021-3504
Multiple vulnerabilities have been discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which can cause Denial of Service via application crash when parsing specially crafted files. It is recommended to upgrade the libxml2 packages.
CVE ID: CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3537
It has been discovered that Exiv2- EXIF/IPTC/XMP metadata manipulation tool incorrectly handled certain images. An attacker can possibly use these vulnerabilities to cause a Denial of Service or execute arbitrary code or cause a crash.
CVE ID: CVE-2021-29457 (High), CVE-2021-3482 (Medium), CVE-2021-29458 (medium), CVE-2021-29470 (Medium)
Insufficient input validation vulnerability has been discovered in the Marvin Minsky 1967 implementation of the Universal Turing Machine allows program users to execute arbitrary code via crafted data.
CVE ID: CVE-2021-32471
A vulnerability has been discovered in Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE ID: CVE-2021-31758
A vulnerability has been discovered in Foxit Reader that allows remote attackers to execute arbitrary code. The affected version is Foxit Reader 10.1.1.37576.
CVE ID: CVE-2021-31458
On 30th September 2021, the root certificate that Let's Encrypt are currently using, the IdentTrust DST Root CA X3 certificate, is expiring, breaking a chain of trust that can result in widespread problems during HTTPS communication. Any website or application using this certificate will be unreachable with a warning that accessing the website or application can be dangerous.
SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency.
CVE ID: CVE-2021-29499 (High)
A vulnerability has been discovered in Emote Remote Mouse. It uses cleartext HTTP to check, and request, updates. Thus, attackers can machine-in-the-middle a victim to download a malicious binary in place of the real update, with no SSL errors or warnings. The affected versions are Emote Remote Mouse through 4.0.0.0.
CVE ID: CVE-2021-27574
An integer overflow vulnerability exists in the APIs of the host MCU while trying to connect to a WIFI network can lead to vulnerabilities such as a denial-of-service condition or code execution on the SimpleLink Wi-Fi.
CVE ID: CVE-2021-22677
It has been discovered that HashiCorp vault-action- a tool for secrets management, encryption as a service, and privileged access management allows attackers to obtain sensitive information from log files because a multi-line secret is not correctly registered with GitHub Actions for log masking. The affected version is HashiCorp vault-action before 2.2.0.
CVE ID: CVE-2021-32074
Multiple vulnerabilities have been discovered in Ceph Storage. An update is now available for Red Hat Ceph Storage 3.3 - Extended Life Support on Red Hat Enterprise Linux 7.
CVE ID: CVE-2020-27781 (High), CVE-2020-13379 (High), CVE-2021-3139 (High), CVE-2020-12059 (High)
Multiple vulnerabilities have been discovered in Open Design Alliance's Equipment- Drawings SDK, a software development kit for DWG and DGN. Successful exploitation of these vulnerabilities can allow code execution in the context of the current process or cause a denial-of-service condition.
CVE ID: CVE-2021-25178 (High), CVE-2021-25177 (High), CVE-2021-25176 (High), CVE-2021-25175 (High), CVE-2021-25174 (High), CVE-2021-25173 (High)
Multiple vulnerabilities have been discovered in Unbound-a validating, recursive, caching DNS resolver. Integer overflows, assertion failures, an out-of-bound write and an infinite loop vulnerabilities may lead to a denial-of-service or have a negative impact on data confidentiality. It is recommended to upgrade the unbound1.9 packages.
Multiple vulnerabilities have been discovered in jackson-databind and golang for Openshift Logging. Red Hat OpenShift Logging release 5.0.3 is available with updates to packages and images that fix several bugs and security issues.
Multiple vulnerabilities have been discovered in postgresql-an advanced object-relational Data Base Management System (DBMS). An update for postgresql is now available for Red Hat Enterprise Linux 7.
CVE ID: CVE-2020-25694 (High), CVE-2020-25695 (High), CVE-2019-10208 (High)
Multiple vulnerabilities have been discovered in netty for Red Hat AMQ Clients. An update is now available for Red Hat AMQ Clients 2.9.1.
CVE ID: CVE-2021-21290 (Medium), CVE-2021-21295 (Medium), CVE-2021-21409 (Medium)
It has been discovered that GNOME Autoar-archive integration support for GNOME can extract files outside of the intended directory. If a user is tricked into extracting a specially crafted archive, a remote attacker can create files in arbitrary locations, possibly leading to code execution.
CVE ID: CVE-2021-28650 (Medium)
It has been discovered that a proxy functionality built into Hubs Cloud’s Reticulum software allowed access to internal URLs, including the metadata service.
CVE ID: CVE-2021-29954 (Critical)
Multiple vulnerabilities have been discovered in multiple IBM products. An attacker may exploit some of these vulnerabilities to take control of an affected system.
A remote code execution vulnerability has been discovered in VMware vRealize Business for Cloud. A remote attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-21984 (Critical)
Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker may exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in Firefox and Firefox for Android. An attacker can exploit some of these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-29953 (Critical), CVE-2021-29952 (High)
Multiple vulnerabilities have been discovered in rh-eclipse-jetty. An update for rh-eclipse-jetty is now available for Red Hat Developer Tools.
CVE ID: CVE-2021-28163 (Low), CVE-2021-28164 (Medium), CVE-2021-28165 (High)
Multiple vulnerabilities have been discovered in mediawiki, a wiki website engine for collaborative work. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-20270 (High), CVE-2021-27291 (High), CVE-2021-30152 (Medium), CVE-2021-30155 (Medium), CVE-2021-30158 (Medium), CVE-2021-30159 (Medium)
It has been discovered that ArcGIS GeoEvent Server has a read-only directory path traversal vulnerability that can allow an unauthenticated, remote attacker to perform directory traversal attacks and read arbitrary files on the system. The affected versions are ArcGIS GeoEvent Server versions 10.8.1 and below.
CVE ID: CVE-2021-29101 (High)
Multiple vulnerabilities have been discovered CGAL-a software project that provides easy access to efficient and reliable geometric algorithms . An attacker can provide malicious input to trigger these vulnerabilities.
CVE ID: CVE-2020-28601 (Critical), CVE-2020-28636 (Critical), CVE-2020-35628 (Critical), CVE-2020-35636 (Critical)
Apple has released security updates to address vulnerabilities in Safari 14.1. An attacker can exploit some of these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-30665, CVE-2021-30663
Use of Hard-coded Credentials vulnerability has been discovered in Advantech's Equipment- WISE-PaaS/RMM. Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information.
CVE ID: CVE-2021-27437 (Critical)
Out-of-bounds Write vulnerability has been discovered in Delta Electronics' Equipment- CNCSoft ScreenEditor. Successful exploitation of this vulnerability could crash the device, and an out-of-bounds write may allow remote code execution.
CVE ID: CVE-2021-22672 (High)
It has been discovered that Django incorrectly handled certain filenames. A remote attacker could possibly use this issue to create or overwrite files in unexpected directories.
CVE ID: CVE-2021-31542
It has been discovered that OpenVPN incorrectly handled certain data channel v2 packets, and deferred authentication. A remote attacker could possibly use this issue to inject packets using a victim’s peer-id or bypass authentication and access control channel data.
CVE ID: CVE-2020-11810 (Low), CVE-2020-15078
It has been discovered that Exim has multiple vulnerabilities. An attacker could use these vulnerabilities to cause a denial of service, execute arbitrary code remotely, obtain sensitive information, or escalate local privileges.
It has been discovered that the NVIDIA GPU display driver for the Linux kernel incorrectly performed access control, and reference counting. A local attacker could use this issue to cause a denial of service, expose sensitive information, or escalate privileges.
CVE ID: CVE-2021-1076 (High), CVE-2021-1077 (Medium)
Multiple vulnerabilities have been discovered in various FortiGate products. An attacker could exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2019-15706 (Medium), CVE-2021-22126 (High), CVE-2021-24011 (High), CVE-2021-24023 (High)
Multiple vulnerabilities have been discovered in nodejs for Red Hat Advanced Cluster Management. Red Hat Advanced Cluster Management for Kubernetes 2.2.3 General Availability release images, which fix several bugs and security vulnerabilities.
CVE ID: CVE-2021-23358 (High), CVE-2021-28918 (Critical), CVE-2020-28469, CVE-2021-28092 (High), CVE-2021-29418 (Medium)
It has been discovered that Subversion's mod_authz_svn module crashes if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL. This can lead to disruption for users of the service. It is recommended to upgrade the subversion packages.
CVE ID: CVE-2020-17525 (High)
It has been discovered that ClamAV incorrectly handled parsing Excel documents, PDF documents, and email. A remote attacker could possibly use this issue to cause ClamAV to hang or crash resulting in a denial of service.
CVE ID: CVE-2021-1252 (High), CVE-2021-1404 (High), CVE-2021-1405 (High)
Multiple vulnerabilities such as use-after-free, buffer overflow, command injection, and unrestricted uploads have been discovered in Pulse Connect Secure (PCS). An attacker can exploit these vulnerabilities to gain system access and take control of an affected system.
CVE ID: CVE-2021-22894 (Critical), CVE-2021-22899 (Critical), CVE-2021-22900 (Critical)
A vulnerability discovered in the Microsoft Active Directory integration of Cisco Identity Services Engine (ISE) which can allow an authenticated, local attacker to elevate privileges on an affected device. A successful exploit can allow the attacker to obtain root privileges on an affected device.
CVE ID: CVE-2020-27122 (Medium)
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2021-05-05 or later address all of these issues.
Apple has released security updates to address vulnerabilities in multiple products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in OpenSSL used by AIX. The affected version are AIX 7.1, 7.2, and VIOS 3.1. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-23839 (Medium), CVE-2021-23840 (High), CVE-2021-23841 (High)
A vulnerability has been discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which can result in execution of arbitrary code if a malformed DjVu file is processed. It is recommended to upgrade the libimage-exiftool-perl packages.
CVE ID: CVE-2021-22204 (High)
Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-1223 (Medium), CVE-2021-1488 (Medium)
Codecov released an update containing new detections including Indicators of Compromise (IOCs) and a non-exhaustive data set of likely compromised environment variables to assist organizations in determining whether they have been affected.
Multiple vulnerabilities have been discovered in Texas Instruments' Equipment- SimpleLink Wi-Fi, MSP432, CC13XX, CC26XX, CC32XX, CC3100. Successful exploitation of these vulnerabilities can result in memory corruption, allowing remote code execution and causing a Denial-of-Service (DoS) condition.
CVE ID: CVE-2021-22677 (High), CVE-2021-22673(High), CVE-2021-22675(High), CVE-2021-22679(Critical), CVE-2021-22671(Critical)
Path Traversal vulnerability has been discovered in Cassia Networks' Equipment- Access Controller. Successful exploitation of this vulnerability can allow an attacker to read any file from the Access Controller server.
CVE ID: CVE-2021-22685 (Medium)
An Off-by-one Error vulnerability has been discovered in Johnson Controls' Equipment- exacqVision. A local attacker can exploit this vulnerability to obtain “Super User” access to the underlying Ubuntu Linux operating system.
CVE ID: CVE-2021-3156 (High)
An Integer Overflow or Wraparound vulnerability has been discovered in in multiple Real-Time Operating Systems (RTOS) and supporting libraries. Successful exploitation of these vulnerabilities can result in unexpected behavior such as a crash or a remote code injection/execution.
It has been discovered that composer, a dependency manager for PHP, do not properly sanitize Mercurial URLs, which can lead to arbitrary code execution. It is recommended to upgrade the composer packages.
CVE ID: CVE-2021-29472 (High)
Multiple vulnerabilities have been discovered in edk2, firmware for virtual machines. Integer and stack overflows and uncontrolled resource consumption may lead to a Denial-of-Service or allow an authenticated local user to potentially enable escalation of privilege. It is recommended to upgrade the edk2 packages.
A vulnerability has been discovered in Samba- SMB/CIFS file, print, and login server for Unix. Samba incorrectly handled certain negative idmap cache entries. This issue can result in certain users gaining unauthorized access to files, contrary to expected behaviour.
CVE ID: CVE-2021-20254
Multiple vulnerabilities have been discovered that Bind-Internet Domain Name Server. A remote attacker can possibly use this issue to cause Bind to crash, resulting in a denial of service (DoS).
CVE ID: CVE-2021-25215(High), CVE-2021-25214(Medium), CVE-2021-25216(High)
It has been discovered that BIG-IP Advanced WAF and ASM are missing authorization checks for file uploads to a specific directory within the REST API. A authenticated attacker with guest privileges may Create / Overwrite Arbitrary Files.
CVE ID: CVE-2021-23014 (Medium)
It has been discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker can possibly use this issue to cause access sensitive information, execute arbitrary code or cause a crash.
CVE ID: CVE-2021-3498 (High) CVE-2021-3497 (High)
It has been discovered that Lack of input validation for items used in system support functionality may allow users granted either "Resource Administrator" or "Administrator" roles to execute arbitrary bash commands on several BIG-IP products.
CVE ID: CVE-2021-23012
A vulnerability has been discovered in the CLI of Cisco Firepower Threat Defense (FTD) Software which allow an authenticated, local attacker to overwrite files on the file system of an affected device by using directory traversal techniques. A successful exploit can cause system instability if important system files are overwritten.
CVE ID: CVE-2021-1256, CVE-2021-1402
Multiple vulnerabilities are discovered in plugins for the GStreamer media framework, which may result in Denial of Service or potentially the execution of arbitrary code if a malformed media file is opened. It is recommended to upgrade the gst-plugins-base1.0 packages.It has been discovered that the Shibboleth Service Provider is prone to a NULL pointer dereference flaw in the cookie-based session recovery feature. A remote unauthenticated attacker can take advantage of this flaw to cause a Denial of Service.
CVE ID: CVE-2021-31826
Multiple vulnerabilities are discovered in plugins for the GStreamer media framework, which may result in Denial of Service or potentially the execution of arbitrary code if a malformed media file is opened. It is recommended to upgrade the gst-plugins-base1.0 packages.
Multiple vulnerabilities have been discovered etcd packages - a highly available key-value store for shared configuration.The affected products are Red Hat Enterprise Linux Server 7 x86_64, Red Hat Enterprise Linux for IBM z Systems 7 s390x & Red Hat Enterprise Linux for Power, little endian 7 ppc64le. An update for etcd is now available for Red Hat Enterprise Linux 7 Extras.
CVE ID: CVE-2020-15106(Medium) , CVE-2020-15112(Medium)
A vulnerability has been discovered in Red Hat Fuse 7.8.1. A micro version update (from 7.8.0 to 7.8.1) is now available for Red Hat Fuse on Karaf and Red Hat Fuse on Spring Boot 2.
CVE ID: CVE-2020-28052(High)
A vulnerability NULL pointer dereference for unauthenticated packet in slapd has been discovered in OpenLDAP - an open-source suite of Lightweight Directory Access Protocol (LDAP) applications and development tools. An update for openldap is now available for Red Hat Enterprise Linux 7.
CVE ID: CVE-2020-25692(High)
A vulnerability TLS 1.3 CCS flood remote DoS Attack has been discovered Network Security Services (NSS)- a set of libraries designed to support the cross-platform development of security-enabled client and server applications. An update for NSS is now available for Red Hat Enterprise Linux 7.
CVE ID: CVE-2020-25648(High)
Multiple vulnerabilities such as hard link privilege escalation, out-of-bounds read information disclosure and improper access control have been discovered in Trend Micro Products. A remote attacker can exploit some of these vulnerabilities to trigger elevation of privilege, remote code execution and sensitive information disclosure on the targeted system. The updates are available.
Google has released Chrome version 90.0.4430.93 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
The Defending Against Software Supply Chain Attacks, released by CISA and the National Institute of Standards and Technology (NIST), provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks.
The Federal Bureau of Investigation (FBI), Department of Homeland Security, and CISA have released a Joint Cyber Security Advisory (CSA) addressing Foreign Intelligence Service cyber actors also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and Yttrium continued targeting of U.S and foreign entities. The Foreign Intelligence Service activity which includes the recent SolarWinds Orion supply chain compromise primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information.
AnySupport (Remote support solution) before 2019.3.21.0 allows directory traversing because of swprintf function to copy file from a management PC to a client PC, which can lead to arbitary file execution.
CVE ID: CVE-2020-7861 (Critical)
Multiple vulnerabilities have been discovered in Apple products. A remote attacker can exploit some of these vulnerabilities to trigger Cross-Site Scripting(XSS), Denial of Service(DoS) condition, the elevation of privilege, remote code execution, sensitive information disclosure, data manipulation and security restriction bypass on the targeted system. Apple has released security updates for these vulnerabilities.
It has been discovered that File Roller-archive manager for GNOME is incorrectly handling symlinks. An attacker can possibly use this issue to expose sensitive information.
CVE ID: CVE-2020-36314(Low)
Multiple vulnerabilities have been discovered in Firefox. If a user is tricked into opening a specially crafted website, an attacker can potentially exploit these to cause a Denial of Service, spoof the browser UI, bypass security restrictions, trick the user into disclosing confidential information, or execute arbitrary code.
It has been discovered that the REXML gem bundled with Ruby incorrectly parsed and serialized XML documents. A remote attacker can possibly use this issue to perform an XML round-trip attack.
CVE ID: CVE-2021-28965
It has been discovered that OpenDMARC, a milter implementation of DMARC, has improper null termination in the function opendmarc_xml_parse that can result in a one-byte heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate report. This can cause remote memory corruption when a '\0' byte overwrites the heap metadata of the next chunk and its PREV_INUSE flag. For Debian 9 stretch, this problem has been fixed in version 1.3.2-2+deb9u3. It is recommended to upgrade the opendmarc packages.
CVE ID: CVE-2020-12460(Critical)
Multiple vulnerabilities have been discovered in plugins for the GStreamer media framework, which may result in Denial of Service or potentially the execution of arbitrary code if a malformed media file is opened.
CVE ID: CVE-2021-3497
A Command Injection vulnerability has been discovered in Tenda G0,G1 and G3 routers. A remote attacker can execute arbitrary OS commands via a crafted request.
CVE ID: CVE-2021-27692 (Critical) CVE-2021-27691 (Critical)
Multiple exploitable SQL injection vulnerabilities exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE ID: CVE-2020-27240(Critical), CVE-2020-27241 (Critical)
A vulnerability has been discovered in Helpcom which can allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient authentication validation.
CVE ID: CVE-2020-7856 (Critical)
Multiple vulnerabilities have been discovered in Microsoft Edge, a remote attacker can exploit some of these vulnerabilities to trigger Denial of Service, remote code execution and security restriction bypass on the targeted system.
A vulnerability has been discovered in pjproject, a set of libraries for the PJ Project. Due to bad handling of two consecutive crafted answers to an INVITE, the attacker is able to crash the server resulting in a Denial of Service. It is recommended to upgrade the pjproject packages.
CVE ID: CVE-2021-21375(Medium)
Multiple vulnerabilities have been discovered in libspring-java, a modular Java/J2EE application framework. An attacker may execute code, perform XST attack, issue unauthorized cross-domain requests or cause a DoS (Denial-of-Service) in specific configurations.
CVE ID: CVE-2018-1270(Critical), CVE-2018-11039(Medium), CVE-2018-11040(Medium), CVE-2018-15756(High)
Multiple vulnerabilities have been discovered in the Mozilla Firefox web browser, which can potentially result in the execution of arbitrary code, information disclosure, privilege escalation or spoofing. It is recommended to upgrade the firefox-esr packages.
Multiple vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in bypass of sandbox restrictions. It is recommended to upgrade the openjdk-8 packages.
CVE ID: CVE-2021-2161(Medium), CVE-2021-2163(Medium)
An improper authorization vulnerability has been discovered in QNAP NAS running HBS 3 Hybrid Backup Sync. The vulnerability allows remote attackers to log in to a device.
CVE ID: CVE-2021-28799 (Critical)
A critical unauthenticated remote code execution vulnerability has been found in all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0.
CVE ID: CVE-2021-27850(critical)
A heap-based buffer overflow vulnerability exists in the configuration server functionality of the Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0.An attacker can trigger Remote Code Execution (RCE) vulnerability by sending a specially crafted JSON object.
CVE ID: CVE-2020-28592 (Critical)
A vulnerability has been discovered in Portofino -an open source web development framework. Portofino before version 5.2.1 do not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT.
CVE ID: CVE-2021-29451(Critical)
Drupal has released security updates to address a vulnerability affecting Drupal 7, 8.9, 9.0, and 9.1. An attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2020-13672
A Remote code Execution (RCE) vulnerability has been discovered in the unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code.This vulnerability can be exploited via a crafted workspace configuration.
CVE ID: CVE-2021-31414 (Critical)
An exploitable SQL injection vulnerability has been discovered in assetStatus, code and nomenclature parameter ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. An attacker can exploit this to make an authenticated HTTP request to trigger this vulnerability.
CVE ID: CVE-2020-27237 (Critical) CVE-2020-27238 (Critical), CVE-2020-27239 (Critical)
SonicWall has released security updates to address vulnerabilities in SonicWall Email Security. An attacker may exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-20021 (Critical), CVE-2021-20022 (High), CVE-2021-20023 (Medium)
Oracle has released its Critical Patch Update for April 2021 to address 384 vulnerabilities across multiple products. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
An authentication bypass vulnerability has been reported in Pulse Connect Secure 9.0R3/9.1R1 and higher. This vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway.
CVE ID: CVE-2021-22893 (Critical)
It has been discovered that LightCMS v1.3.5 contains a remote code execution vulnerability in /app/Http/Controllers/Admin/NEditorController.php during the downloading of external images.
CVE ID: CVE-2021-27112 (Critical)
A SQL Injection vulnerability exists in Tribalsystems Zenario CMS 8.8.52729 which allows remote attackers to access the database or delete the plugin.
CVE ID: CVE-2021-26830 (Critical)
Multiple vulnerabilities such as Out of bound write due to lazy initialization, Use-after-free in Responsive Design Mode, Arbitrary FTP command execution on FTP servers using an encoded URL have been fixed in Firefox 78.10.
CVE ID: CVE-2021-29946, CVE-2021-29945, CVE-2021-24002, CVE-2021-23999, CVE-2021-23998, CVE-2021-23995, CVE-2021-23994, CVE-2021-23961(High)
A privilege escalation vulnerability has been discovered in VMware NSX-T. Successful exploitation of this vulnerabilty may allow attackers with local guest user account to assign privileges higher than their own permission level. Updates are available to fix this issue.
CVE ID: CVE-2021-21981 (High)
A vulnerability has been discovered in mariadb:10.3 and mariadb-devel:10.3 modules. A writable system variables allows a database user with SUPER privilege to execute arbitrary code as the system mysql user. Security updates are available.
CVE ID: CVE-2021-27928(High)
A vulnerability has been discovered in OpenSLP-Service Location Protocol library due to improper validation of URLs. A remote attacker can use this vulnerability to cause OpenSLP to crash or possibly execute arbitrary code.
CVE ID: CVE-2019-5544(Critical)
It has been discovered that WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability. A remote attacker can exploit this vulnerability to expose sensitive information or consume memory resources.The affected products are IBM WebSphere Application Server 8.0, 8.5, and 9.0
CVE ID: CVE-2021-20453(High)
A command injection vulnerability has been discovered in IBM Resilient SOAR v8.0 which can allow a privileged user to inject malicious scripts that can be executed as another user. The updates to prevent this issue are available.
CVE ID: CVE-2021-20527(High)
An SQL injection vulnerability has been discovered in QNAP NAS running Multimedia Console or the Media Streaming add-on. Successful exploitation of this vulnerability will allow remote attackers to obtain application information. It is recommanded to update Multimedia Console or the Media Streaming add-on to the latest version.
CVE ID: CVE-2020-36195 (Critical)
A command injection vulnerability has been discovered in QTS and QuTS hero. An attacker can exploit this vulnerability to execute arbitrary commands in a compromised application. It is recommended to update affect QTS and QuTS hero to the latest version.
CVE ID: CVE-2020-2509 (Critical)
A vulnerability has been discovered in Ethernet management interface of Juniper Networks Junos OS which allows an attacker to trigger a kernel panic, leading to a denial of service (DoS). This vulnerability affects Junos OS 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4. The updates are available.
CVE ID: CVE-2021-0258 (Medium)
Multiple vulnerabilities such as incorrect conversion between numeric types, out-of-bounds read and reachable assertion have been discovered in EIPStackGroup OpENer Ethernet/IP. Successful exploitation of these vulnerabilities can cause a denial-of-service (DoS) condition and data exposure.
CVE ID: CVE-2021-27500, CVE-2021-27498, CVE-2021-27482, CVE-2021-27478
A Race Condition vulnerability has been discovered in the firewall process of Juniper Networks Junos OS which allows an attacker to bypass the firewall rule sets applied to the input loopback filter on any interfaces of a device. This vulnerability affects Junos OS 14.1, 14.1X53, 15.1, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2 . Affected platforms are PTX and QFX Series. The updates are available.
CVE ID: CVE-2021-0247(Medium)
A XChangeFeedbackControl Integer Underflow Privilege Escalation vulnerability has been discovered in xorg-x11-server. An update for xorg-x11-server is available.
CVE ID: CVE-2021-3472
Multiple vulnerabilities have been discovered in the Link Layer Discovery Protocol (LLDP) implementation for CISCO Small Business RV Series Routers. An unauthenticated, adjacent attacker can exploit these vulnerabilities to execute arbitrary code or cause an affected router to leak system memory or reload which eventually may cause a Denial of Service (DoS) condition on an affected device. The updates for these vulnerabilities are available.
CVE ID: CVE-2021-1251(High), CVE-2021-1308 (High), CVE-2021-1309 (High)
Multiple Domain Name System (DNS) implementation vulnerabilities have been discovered in four popular TCP/IP network stacks. Forescout Research Labs, partnering with JSOF Research, disclosed a set of Domain Name System (DNS) vulnerabilities that have the potential to cause either Denial of Service (DoS) or Remote Code Execution (RCE), allowing attackers to take targeted devices offline or to gain control over them. The following stacks are affected FreeBSD version 12.1,Nucleus NET version 4.3,NetX version 6.0.1 and IPnet version VxWorks 6.6. The updates have been released.
Security update has been released for gnutls and nettle, for Red Hat Enterprise Linux 8 which fixes Out of bounds memory access in signature verification.
CVE ID: CVE-2021-20305 (High)
Security update has been released for Red Hat JBoss Web Server 3.1, for RHEL 7 and Windows which fix NULL pointer dereference in signature_algorithms processing and CA certificate check bypass with X509_V_FLAG_X509_STRICT vulnerabilities.
CVE ID: CVE-2021-3449 (Medium), CVE-2021-3450(High)
Security update has been released for Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP7 which fix NULL pointer dereference in signature_algorithms processing and CA certificate check bypass with X509_V_FLAG_X509_STRICT vulnerabilities.
CVE ID: CVE-2021-3449 (Medium), CVE-2021-3450(High)
Multiple vulnerabilities have been discovered in Mozilla Thunderbird-a standalone mail and newsgroup client. An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.
CVE ID: CVE-2021-23991, CVE-2021-23992, CVE-2021-23993
Security update has been released for libldb, for Red Hat Enterprise Linux 8 that fixes Out of bounds read in AD DC LDAP server.
CVE ID: CVE-2021-20277
Stack-based buffer overflow vulnerabilities have been discovered in QNAP NAS devices running Surveillance Station. If exploited, these vulnerabilities allows attackers to execute arbitrary code.
CVE ID: CVE-2020-2501 (Critical), CVE-2021-28797 (Critical)
GitLab releasing updated versions 13.10.3, 13.9.6, and 13.8.8 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes.
Cybersecurity and Infrastructure Security Agency (CISA) partners have observed active exploitation of vulnerabilities in Microsoft Exchange Server products. Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system.
CVE ID: CVE-2021-26855 (Critical) CVE-2021-26857 (High), CVE-2021-26858 (High), CVE-2021-27065 (High)
A vulnerability has been discovered in MDaemon before 20.0.4. An attacker with administrative privilege can use remote administration to exploit an arbitrary File Write vulnerability by creating new files or modifying existing files in any location of the filesystem.
CVE ID: CVE-2021-27183
A Vulnerability has been discovered in underscore-Javascript’s functional programming helper library if incorrectly handled certain inputs an attacker can possibly use this issue to inject arbitrary code.
CVE ID: CVE-2021-23358 (High)
A Vulnerability has been discovered in NetworkManager if incorrectly handled certain profiles, a local attacker can possibly use this issue to cause NetworkManager to crash, resulting in a Denial of Service(DoS).
CVE ID: CVE-2021-20297
Security update has been released for clamav that fixes Excel XLM parser infinite loop, PDF parser buffer over-read, possible crash and mail parser NULL-dereference crash.
CVE ID: CVE-2021-1252 (High), CVE-2021-1404 (High), CVE-2021-1405 (High)
Security updates have been released for Mendix that fix a vulnerability in Mendix Applications allowing malicious authorized users to escalate their privileges.
CVE ID: CVE-2021-27394 (High)
Multiple Vulnerabilities have been discovered in OpenSSL Affecting Cisco Products that could allow an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a Denial of Service (DoS) condition.
CVE ID: CVE-2021-3449 (High), CVE-2021-3450 (High)
A vulnerability has been discovered in the Inter Process Communication (IPC) channel of Cisco AnyConnect Secure Mobility Client which can allow an authenticated local attacker to cause a Denial of Service (DoS) condition on an affected device.
CVE ID: CVE-2021-1450 (Medium)
Google has updated the stable channel for Chrome to 89.0.4389.128 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
CVE ID: CVE-2021-21206 (High), CVE-2021-21220 (High)
SAP has released security updates to address multiple critical vulnerabilities affecting several products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Adobe has released security updates to address multiple vulnerabilities in multiple Adobe products. An attacker can exploit these vulnerabilities to take control of an affected system.
A vulnerability has been discovered in Win32k which can allow a local attacker to obtain elevated privileges on the targeted system.
CVE ID: CVE-2021-28310 (High)
Microsoft's April 2021 Security Update mitigates significant vulnerabilities affecting on-premises Exchange Server 2013, 2016, and 2019. An attacker can exploit these vulnerabilities to gain access and maintain persistence on the target host.
SQL Injection vulnerability has been discovered in PHP-Nuke, in the User Registration section, leading to Remote Code Execution(RCE). The affected version is PHP-Nuke 8.3.3.
CVE ID: CVE-2021-30177 (Critical)
A vulnerability has been discovered in libpano-build panoramic images from a set of overlapping images. A format string vulnerability in panoFileOutputNamesCreate() in libpano13 2.9.20~rc2+dfsg-3 and earlier can lead to read and write arbitrary memory values. It is recommended to upgrade the libpano13 packages.
CVE ID: CVE-2021-20307 (Critical)
A vulnerability has been discovered in the id-map crate for Rust. A double free can occur in remove_set upon a panic in a Drop impl.
CVE ID: CVE-2021-30457 (Critical)
It has been discovered that kramdown, a pure Ruby Markdown parser and converter, performed insufficient namespace validation of Rouge syntax highlighting formatters. It is recommended to upgrade the ruby-kramdown packages.
CVE ID: CVE-2021-28834 (Critical)
It has been discovered that when using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr will forward/proxy distributed requests using server credentials instead of original client credentials. This will result in incorrect authorization resolution on the receiving hosts. The affected versions are Apache Solr versions prior to 8.8.2.
CVE ID: CVE-2021-29943
It has been discovered that when starting Apache Solr, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr will not treat that node as a sensitive path and will allow it to be readable. The affected versions are Apache Solr versions prior to 8.8.2.
CVE ID: CVE-2021-29262
It has been discovered that the ReplicationHandler has a "masterUrl" parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a Server-Side Request Forgery (SSRF) vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. The affected versions are Apache Solr versions prior to 8.8.2.
CVE ID: CVE-2021-27905
It has been discovered that the DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker can cause a Denial-of-Service (DoS) attack or threaten the availability of the system. The affected versions are dbus >= 1.3.0 before 1.12.18.
CVE ID: CVE-2020-12049 (Medium)
It has been discovered that the unofficial GLSL Linting extension for Visual Studio Code allows remote code execution vulnerability via a crafted glslangValidatorPath in the workspace configuration. The affected versions are GLSL Linting extension before 1.4.0.
CVE ID: CVE-2021-30503
A vulnerability has been discovered in the HTML editor of Slab Quill, which allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field. The affected version is Slab Quill 4.8.0.
CVE ID: CVE-2021-3163
An improper input validation vulnerability has been discovered in CA Privileged Access Manager 2.4.4.4 and earlier which allows remote attackers to execute arbitrary commands.
CVE ID: CVE-2015-4664 (Critical)
An improper authentication vulnerability has been discovered in CA Privileged Access Manager 3.x Web-UI jk-manager and jk-status which allows a remote attacker to gain sensitive information or alter configuration.
CVE ID: CVE-2019-7392 (Critical)
A out-of-bounds read vulnerability has been discovered QTI’s proprietary code while accessing DTMF payload due to lack of check of buffer length before copying in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music and Snapdragon Wearables.
CVE ID: CVE-2020-11251 (Critical)
A stored XSS vulnerability has been found in Web-School ERP V 5.0 via (Add Events) in the event name and description fields. An attack can inject a JavaScript code that will be stored in the page. If any visitor sees the events, then the payload will be executed.
CVE ID: CVE-2021-30111 (Medium)
It has been discovered that in the standard library in Rust-Programming Language, the Zip implementation can report an incorrect size due to an integer overflow. This flaw can lead to a buffer overflow vulnerability when a consumed Zip iterator is used again. The affected versions are Rust before 1.52.0.
CVE ID: CVE-2021-28879
A vulnerability has been discovered in libezxml.a of ezXML. The function ezxml_internal_dtd(), while parsing a crafted XML file, performs incorrect memory handling, leading to a NULL pointer dereference while running strcmp() on a NULL pointer. The affected version is ezXML 0.8.6.
CVE ID: CVE-2021-30485
A type confusion issue has been addressed with improved state handling. This issue has been fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, tvOS 14.4, watchOS 7.3, iOS 14.4 and iPadOS 14.4, Safari 14.0.3. Processing maliciously crafted web content may lead to arbitrary code execution.
CVE ID: CVE-2021-1789 (High)
A use after free issue has been addressed with improved memory management. This issue has been fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 14.2 and iPadOS 14.2, iCloud for Windows 11.5, Safari 14.0.1, tvOS 14.2, iTunes 12.11 for Windows. Processing maliciously crafted web content may lead to arbitrary code execution.
CVE ID: CVE-2020-27918 (High)
A command execution vulnerability has been discovered in SonicWall GMS which allows a remote unauthenticated attacker to locally escalate privilege to root. The affected versions are SonicWall GMS 9.3 and earlier versions.
CVE ID: CVE-2021-20020 (Critical)
Multiple vulnerabilities such as infinite loop while processing transmit descriptors, stack overflow, integer overflow, and out-of-bounds read/write have been discovered in Quick EMU (QEMU), a fast processor emulator. It is recommended to upgrade the QEMU packages.
CVE ID: CVE-2021-20257, CVE-2021-20255 (Medium), CVE-2021-20203 (Low), CVE-2021-3416 (Medium)
Multiple vulnerabilities have been discovered in MediaWiki, a website engine for collaborative work, which can result in incomplete page/blocking protection, Denial of Service or cross-site scripting. It is recommended to upgrade the mediawiki packages.
Multiple vulnerabilities such as Denial of Service, privilege escalation or memory disclosure have been discovered in the Xen hypervisor-which allow multiple computer operating systems to execute on the same computer hardware concurrently. It is recommended to upgrade the xen packages.
CVE ID: CVE-2021-26933 (Medium), CVE-2021-27379 (High)
It has been discovered that RIOT-OS contains a buffer overflow vulnerability in /sys/net/gnrc/routing/rpl/gnrc_rpl_control_messages.c through the _parse_options() function. The affected version is RIOT-OS 2021.0.
CVE ID: CVE-2021-27698
A vulnerability has been discovered in BIG-IP products. The BIG-IP Client or Server SSL profile ignores revoked certificates, even when a valid CRL is present. This impacts SSL/TLS connections and may result in a Man-In-The-Middle (MITM)attack on the connections.
CVE ID: CVE-2020-5913 (High)
It has been discovered that lxml- pythonic binding for the libxml2 and libxslt libraries incorrectly handled certain HTML attributes. A remote attacker can possibly use this issue to perform Cross-Site Scripting (XSS) attacks.
CVE ID: CVE-2021-28957 (Medium)
A vulnerability has been discovered in Exiv2, a Cross-platform C++ library and a command line utility to manage image metadata. An improper input validation of the rawData.size property in Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based buffer overflow vulnerability via a crafted JPG image containing malicious EXIF data. The affected versions are Exiv2 0.27.4-RC1 and prior.
CVE ID: CVE-2021-3482
It has been discovered that Forcepoint Web Security Content Gateway improperly process XML input, leading to information disclosure vulnerability. The affected versions are Forcepoint Web Security Content Gateway versions prior to 8.5.4.
CVE ID: CVE-2020-6590
It has been discovered that Apache MyFaces is vulnerable to Cross-Site Request Forgery (CSRF) caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious web site, a remote attacker can send a malformed HTTP request to perform unauthorized actions. An attacker can exploit this vulnerability to perform cross-site scripting attacks, web cache poisoning, and other malicious activities.
CVE ID: CVE-2021-26296 (High)
Multiple vulnerabilities have been discovered in Thunderbird. An attacker can exploit some of these vulnerabilities to take control of an affected device.
CVE ID: CVE-2021-23993, CVE-2021-23991
It has been discovered that Squirro Insights Engine is affected by a Reflected Cross-Site Scripting (XSS) vulnerability. An attacker can exploit this vulnerability to inject malicious JavaScript code into the application, which can execute within the browser of any user who views the relevant application content. The affected versions are Squirro Insights Engine 2.0.0 upto and including 3.2.4.
CVE ID: CVE-2021-27945
A vulnerability has been discovered in Realtek rtl8723de BLE Stack that allows remote attackers to cause a Denial of Service via the interval field to the CONNECT_REQ message. The affected versions are Realtek rtl8723de BLE Stack <= 4.1.
CVE ID: CVE-2020-23539
A use-after-free vulnerability has been discovered in Lib3MF, a C++ implementation of the 3D Manufacturing Format, which can result in the execution of arbitrary code if a malformed file is opened. It is recommended to upgrade the lib3mf packages.
CVE ID: CVE-2021-21772 (High)
An Integer Underflow vulnerability has been discovered in FATEK Automation's Equipment- WinProladder. Successful exploitation of this vulnerability can cause execution of arbitrary code.
CVE ID: CVE-2021-2748 (High)
Multiple vulnerabilities have been discovered in Medtronic's Equipment- MyCareLink Monitor, CareLink Monitor, CareLink 2090 Programmer, specific Medtronic implanted cardiac devices. Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data.
CVE ID: CVE-2019-6538 (Critical), CVE-2019-6540 (Medium)
It has been discovered that Nessus Agent leverages third-party software components (OpenSSL and sqlite) are found to contain vulnerabilities. The updated versions have been made available.
CVE ID: CVE-2019-16168 (Medium), CVE-2021-3450 (High)
Attackers are leveraging collaboration platforms, such as Discord and Slack which enable adversaries to conduct campaigns using legitimate infrastructure that may not be blocked in many network environments for the exfiltration of sensitive information and the transmission of information from infected systems.
A vulnerability due to improper validation of user-supplied input in the web-based management interface has been discovered in Cisco Small Business RV110W, RV130, RV130W, and RV215W routers which allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
CVE ID: CVE-2021-1459 (Critical, 9.8)
Multiple vunerabilities have been discovered in Red Hat 3scale API Management Platform. The affected products are Red Hat 3scale API Management Platform 2 for RHEL 8 x86_64 & Red Hat 3scale API Management Platform 2 for RHEL 7 x86_64. A security update for Red Hat 3scale API Management Platform is now available
CVE ID: CVE-2020-9283 (High), CVE-2020-14040(High)
A vulnerability has been discovered in wpa_supplicant and hostapd 2.9, where forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c
CVE ID: CVE-2021-30004 (Medium)
A vulnerability has been discovered in Google Chrome. The data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE ID: CVE-2021-21166 (High)
Technical details and a proof of concept have been released for denial of service vulnerability (CVE-2021-24086) affecting IPv6 stacks in all supported versions of the Windows operating system.
CVE ID: CVE-2021-24086 (High)
Android has released security bulletin containing details of multiple security vulnerabilities affecting Android devices. The security patch levels of 2021-04-05 or later address all of these issues have been released.
It has been discovered that in jsrsasign package for Node.js some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid. The affected versions are jsrsasign package through 10.1.1.
CVE ID: CVE-2021-30246
Privilege Escalation vulnerability has been discovered in LiteSpeed Technologies OpenLiteSpeed web server which allows attackers to gain root terminal access and execute commands on the host system. The affected version is LiteSpeed Technologies OpenLiteSpeed web server version 1.7.8.
CVE ID: CVE-2021-26758
Multiple vulnerabilities have been discovered in Jenkins core. An attacker may exploit some of these vulnerabilities to take control of an affected system.
It has been discovered that IBM WebSphere Application Server is vulnerable to Server-Side Request Forgery (SSRF). By sending a specially crafted request, a remote authenticated attacker can exploit this vulnerability to obtain sensitive data. The affected versions are WebSphere Application Server 7.0, 8.0, and 8.5.
CVE ID: CVE-2021-20480 (Medium)
The advanced virtualization module provides the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. An out-of-bound heap buffer access via an interrupt ID field vulnerability has been discovered in qemu. An update for the virt:8.3 and virt-devel:8.3 modules is now available for Advanced Virtualization for RHEL 8.3.1.
CVE ID: CVE-2021-20221
Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker may exploit some of these vulnerabilities to take control of an affected system.
It has been discovered that Directus allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. Exploitation succeeds only for certain installations with the Apache HTTP Server and the local-storage driver. The affected versions are Directus 8 before 8.8.2.
CVE ID: CVE-2021-29641
Improper Input Validation vulnerability has been discovered in Hitachi ABB Power Grids' Equipment- Relion 670, 650, and SAM600-IO; REB500; RTU500; FOX615 (TEGO1); MSM; GMS600; PWC600. Successful exploitation of this vulnerability can reboot the device regularly, resulting in a Denial-of-Service condition. During the reboot phase, the primary functionality of the device is not available.
CVE ID: CVE-2021-30654
Improper Input Validation vulnerability has been discovered in Hitachi ABB Power Grids' Equipment- Relion 670, 650, and SAM600-IO; REB500; RTU500; FOX615 (TEGO1); MSM; GMS600; PWC600. Successful exploitation of this vulnerability can reboot the device regularly, resulting in a Denial-of-Service condition. During the reboot phase, the primary functionality of the device is not available.
CVE ID: CVE-2021-27196 (High)
It has been discovered that a specific function in ASUS BMC’s firmware Web management page (Generate SSL certificate function) does not verify the string length entered by users, resulting in a Buffer overflow vulnerability. As obtaining the privileged permission, remote attackers can use the leakage to abnormally terminate the Web service.
CVE ID: CVE-2021-28196
A cross-site scripting (XSS) vulnerability has been discovered in python-bleach, a whitelist-based HTML sanitisation library. It is recommended to upgrade the python-bleach packages.
CVE ID: CVE-2021-23980
It has been discovered that DMA Softlab Radius Manager allows Cross-Site Request Forgery (CSRF) with impacts such as adding new manager accounts via admin.php. The affected version is DMA Softlab Radius Manager 4.4.0.
CVE ID: CVE-2021-30147
It has been discovered that Ruby-Rack, modular Ruby webserver interface incorrectly handled certain paths, and validated cookies. An attacker can possibly use this issue to obtain sensitive information or forge a secure cookie.
CVE ID: CVE-2020-8161 (High), CVE-2020-8184 (High)
A vulnerability has been discovered in the Linux kernel. The synic_get in arch/x86/kvm/hyperv.c has a NULL pointer dereference for certain accesses to the SynIC Hyper-V context, aka CID-919f4ebc5987. The affected versions are Linux kernel through 5.11.11.
CVE ID: CVE-2021-30178
It has been discovered that Django, high-level python web development framework incorrectly handled certain filenames. A remote attacker can possibly use this vulnerability to create or overwrite files in unexpected directories.
CVE ID: CVE-2021-28658
It has been discovered that Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is missing an authorization check on several pages in the Web Console. This enables a view-only user to change any configuration setting and delete any registered agents. All versions before 7.11.1 are affected.
CVE ID: CVE-2021-27900 (High)
It has been discovered that a malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. The affected versions are MongoDB Compass 1.x version 1.3.0 on Windows and later versions; 1.x versions prior to 1.25.0 on Windows.
CVE ID: CVE-2021-20334 (Medium)
It has been discovered that Union Pay, for iOS mobile apps, contains an Improper Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in merchants' websites and mobile apps, via a crafted authentication code (MAC) which is generated based on a secret key which is NULL. The affected versions are Union Pay up to 3.3.12.
CVE ID: CVE-2020-36285
It has been discovered that SAP systems running outdated or misconfigured software are exposed to increased risks of malicious attacks. An alert has been released detailing observed threat actor activity and techniques which can lead to full control of unsecured SAP applications.
The 389 Directory Server is an Lightweight Directory Access Protocol (LDAP) version 3 (LDAPv3) compliant server. An information disclosure vulnerability during the binding of a DN has been discovered in 389-ds-base. An update for the 389-ds:1.4 module is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2020-35518 (Medium)
Multiple vulnerabilities such as out-of-bounds read, and heap buffer overflow have been discovered in kernel. An update for kpatch-patch is now available for Red Hat Enterprise Linux 7.
CVE ID: CVE-2021-27364 (High), CVE-2021-27365 (High)
A stack-based buffer overflow vulnerability has been discovered in the HTTPD daemon of FortiProxy which can allow an authenticated remote attacker to crash the service by sending a malformed PUT request to the server. The affected versions are FortiProxy versions 2.0.1 and below, FortiProxy versions 1.2.9 and below, FortiProxy versions 1.1.x and 1.0.x.
CVE ID: CVE-2019-17656 (Medium)
An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8. Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems.
CVE ID: CVE-2021-20295
RedHat OpenShift Container Platform release 4.7.5 is now available with updates to packages and images that fix several bugs and add enhancements.
CVE ID: CVE-2021-3121 (High), CVE-2021-20206 (High)
The Python3.5 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. It also has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input. Running `pydoc -p` allows other local users to extract arbitrary files. The `/getfile?key=path` URL allows to read arbitrary file on the filesystem.
CVE ID: CVE-2021-3177 (Critical), CVE-2021-3426, CVE-2021-23336 (Medium)
Multiple vulnerabilities have been discovered in smarty3, a template engine for PHP. It is recommended to upgrade the smarty3 packages.
CVE ID: CVE-2018-13982 (High), CVE-2021-26119 (High), CVE-2021-26120 (Critical)
It has been discovered that Nessus contain a privilege escalation vulnerability which can allow a Nessus administrator user to upload a specially crafted file that can lead to gaining administrator privileges on the Nessus host. The affected versions are Nessus versions 8.13.2 and earlier.
CVE ID: CVE-2021-20077 (Medium)
An integer overflow vulnerability has been discovered in the htmldoc, convert HTML files to PDF or PostScript which can allow attackers to execute arbitrary code and cause a Denial of Service. The affected versions are htmldoc 1.9.11 and before.
CVE ID: CVE-2021-20308
It has been discovered in Nettle that several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This vulnerability allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The affected versions are Nettle versions prior 3.7.2.
CVE ID: CVE-2021-20305
It has been discovered that Module/Settings/UserExport.php in Friendica allows settings/userexport to be used by anonymous users, as demonstrated by an attempted access to an array offset on a value of type null and excessive memory consumption. The affected versions are Friendica through 2021.01.
CVE ID: CVE-2021-30141
It has been discovered that WordPress Related Posts plugin contains an authenticated (admin+) stored XSS vulnerability in the title field on the settings page. By exploiting this vulnerability an attacker can execute JavaScript code in the user's browser.
CVE ID: CVE-2021-24211
It has been discovered that an information disclosure vulnerability in FortiWeb's Web Vulnerability Scan profile can allow a remote authenticated attacker to read the password used by the FortiWeb scanner to access the device defined in the scan profile. The affected versions are FortiWeb version 6.2.3 and below, and FortiWeb version 6.3.4 and below.
CVE ID: CVE-2020-15942 (Medium)
It has been discovered that php-nette, a PHP MVC framework, is vulnerable to a code injection attack by passing specially formed parameters to URL that can possibly lead to Remote Code Execution(RCE). It is recommended to upgrade the php-nette packages.
CVE ID: CVE-2020-15227(Critical)
It has been discovered that because of a incorrect escaped exec command in MagpieRSS /extlib/Snoopy.class.inc file, it is possible to add a extra command to the curl binary. This creates a vulnerability in the /scripts/magpie_debug.php and /scripts/magpie_simple.php page which if user sends a specific https url to the RSS URL field, user is able to execute arbitrary commands. The affected version is MagpieRSS 0.72.
CVE ID: CVE-2021-28940 (Critical)
Multiple vulnerabilities such as use-after-free, heap corruption, and out-of-bounds read have been discovered in ldb, a LDAP-like embedded database built on top of TDB. It is recommended to upgrade the ldb packages.
CVE ID: CVE-2020-10730 (Medium), CVE-2020-27840, CVE-2021-20277
It has been discovered that Advanced Persistent Threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. The APT actors are using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks.
CVE ID: CVE-2018-13379 (Critical), CVE-2020-12812 (Critical), CVE-2019-5591 (High)
It has been discovered that docsify-generates documentation website on the fly is affected by Cross Site Scripting (XSS) vulnerability because the search component does not appropriately encode Code Blocks and mishandles the " character. The affected versions are docsify 4.12.1.
CVE ID: CVE-2021-30074
It has been discovered that Lightmeter ControlCenter allows anyone who knows the URL of a publicly available Lightmeter instance to access application settings, possibly including an SMTP password and a Slack access token, via a settings HTTP query. The affected versions are Lightmeter ControlCenter 1.1.0 through 1.5.x before 1.5.1.
CVE ID: CVE-2021-30126
A vulnerability has been discovered in prog.cgi of D-Link devices. Because strcat is misused, there is a stack-based buffer overflow vulnerability that does not require authentication. The affected versions are D-Link DIR-878 1.30B08.
CVE ID: CVE-2021-30072
It has been discovered that improper input validation of octal strings in netmask npm package allows unauthenticated remote attackers to perform indeterminate Server-Side Request Forgery (SSRF), Remote File Inclusion (RFI), and Local File Inclusion (LFI) attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts. The affected versions are netmask npm package v1.0.6 and below.
CVE ID: CVE-2021-28918
It has been discovered that an URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication. The affected versions are VMware Carbon Black Cloud Workload appliance 1.0.1 and prior.
CVE ID: CVE-2021-21982 (Critical)
Multiple vulnerabilities such as OS command injection, deserialization of untrusted data, SQL injection, and improperly restricted functions have been discovered in Rockwell Automation's Equipment- FactoryTalk AssetCentre. Successful exploitation of these vulnerabilities can allow unauthenticated attackers to perform arbitrary command execution, SQL injection, or Remote Code Execution(RCE).
It has been discovered that EikiSoft Archive collectively operation utility contains a directory traversal vulnerability due to a flaw in the processing of the filenames when extracting from ZIP archives. An attacker by expanding a malicious ZIP archive can create or overwrite the arbitrary files with the application's privilege. The affected versions are Archive collectively operation utility Ver.2.10.1.0 and earlier.
CVE ID: CVE-2021-20692 (Low)
A vulnerability has been discovered in the reorder crate for Rust, a multi-paradigm programming language. The swap_index can return uninitialized values if an iterator returns a len() that is too large.
CVE ID: CVE-2021-29942
It has been discovered Advanced Persistent Threat (APT) actors are using fake social media profiles and legitimate-looking websites to lure security researchers into visiting malicious websites to steal information, including exploits and zero-day vulnerabilities.
It has been discovered that when BIG-IP is running in Appliance mode, the Traffic Management User Interface (TMUI) has an authenticated remote command execution vulnerability in undisclosed pages. The affected versions are BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3.
CVE ID: CVE-2021-22987 (Critical)
It as been discovered that curl does not strip off user credentials from referrer header fields, and incorrectly handled session tickets when using an HTTPS proxy. A remote attacker can possibly use these vulnerabilities to obtain sensitive information or bypass certificate checks and intercept communications.
CVE ID: CVE-2021-22876, CVE-2021-22890
It has been discovered that Dell Wyse ThinOS contains remediation for an improper management server validation vulnerability that can be potentially exploited to redirect a client to an attacker-controlled management server, thus allowing the attacker to change the device configuration or certificate file. The affected version is Dell Wyse ThinOS 8.6 MR9.
CVE ID: CVE-2021-21532 (Medium)
It has been discovered that BTCPay Server mishandles the policy setting in which users can register (in Server Settings > Policies). This affects Docker use cases in which a mail server is configured. The affected versions are BTCPay Server before 1.0.7.1.
CVE ID: CVE-2021-29251
GitLab releasing updated versions 13.10.1, 13.9.5, and 13.8.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes.
It has been discovered that Mahara, an open-source e-portfolio management system is affected by Cross Site Request Forgery (CSRF) vulnerability which allows a remote attacker to remove inbox-mail on the server. The application fails to validate the CSRF token for a POST request. The affected version is Mahara 20.10.
CVE ID: CVE-2021-29349
Multiple vulnerabilities such as XML External Entity (XXE) attacks and stored Cross-Site Scripting (XSS) have been discovered in Jenkins products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-21657 (High), CVE-2021-21658 (Medium), CVE-2021-21659 (High), CVE-2021-21660 (High)
A remote code injection vulnerability has been discovered in D-link DIR-816 A2 v1.10. A HTTP request parameter can be used in command string construction in the handler function of the /goform/dir_setWanWifi, which can lead to command injection via shell metacharacters in the statuscheckpppoeuser parameter.
CVE ID: CVE-2021-26810 (Critical)
Multiple vulnerabilities have been discovered in Zimbra. It is recommended to use Patch 13 for the Zimbra 9.0.0, and Patch 20 for Zimbra 8.8.15.
CVE ID: CVE-2019-9641 (Critical), CVE-2019-9640 (Critical), CVE-2019-0211 (High), CVE-2019-0217 (High)
Google has released Chrome version 89.0.4389.114 for Windows, Mac and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
Multiple vulnerabilities such as Server Side Request Forgery (SSRF) and arbitrary file write have been discovered in VMware products. A remote attacker can exploit some of these vulnerabilities to take control of an affected system. The affected products are VMware vRealize Operations,VMware Cloud Foundation & vRealize Suite Lifecycle Manager. The patches and workarounds are available to address these vulnerabilities in impacted VMware products.
CVE ID: CVE-2021-21975 (High), CVE-2021-21983 (High)
It has been discovered that GistPad allows a crafted workspace folder to change the URL for the Gist API, which leads to leakage of GitHub access tokens. The affected versions are GistPad before 0.2.7.
CVE ID: CVE-2021-29642
A security vulnerability in HPE Unified Data Management (UDM) can allow the local disclosure of privileged information. HPE has provided updates to versions 1.2009.0 and 1.2101.0 of HPE Unified Data Management (UDM).
CVE ID: CVE-2021-26579
Multiple vulnerabilities have been discovered in Jenkins products. The affected versions are Build With Parameters Plugin up to and including 1.5, Cloud Statistics Plugin up to and including 0.26, Extra Columns Plugin up to and including 1.22, Jabber (XMPP) notifier and control Plugin up to and including 1.41, OWASP Dependency-Track Plugin up to and including 3.1.0,REST List Parameter Plugin up to and including 1.3.0 & Team Foundation Server Plugin up to and including 5.157.1. All these versions updates are available except Team Foundation Server Plugin.
Multiple vulnerabilities have been discovered in Citrix Hypervisor which can allow privileged code in a guest VM to cause the host to crash or become unresponsive. The affected versions are Citrix Hypervisor up to and including Citrix Hypervisor 8.2 LTSR.
CVE ID: CVE-2021-28038 (Medium), CVE-2021-28688
Multiple vulnerabilities such as session fixation when using FORM authentication and mishandling of Transfer-Encoding header allows for HTTP request smuggling have been discovered in tomcat. An update for tomcat is now available for Red Hat Enterprise Linux 7.7 Extended Update Support.
CVE ID: CVE-2019-17563 (High), CVE-2020-1935 (Medium)
It has been discovered that writable system variables allows a database user with SUPER privilege to execute arbitrary code as the system mysql user in mariadb. An update for mariadb is now available for Red Hat OpenStack Platform 13 (Queens).
CVE ID: CVE-2021-27928 (High)
Multiple vulnerabilities such as incorrect handling of malformed authority component in request URLs of apache-httpclient and improper validation of certificate with host mismatch in SMTP appender of log4j have been discovered in Red Hat Process Automation Manager. An update is now available for Red Hat Process Automation Manager.
CVE ID: CVE-2020-9488 (Low), CVE-2020-13956 (Medium)
Multiple vulnerabilities such as template injection, potential sensitive information leakage, path traversal and information disclosure have been discovered in Red Hat build of Quarkus- a Kubernetes Native Java framework tailored for GraalVM and HotSpot. An update is now available for Red Hat build of Quarkus.
CVE ID: CVE-2020-25633 (Medium), CVE-2020-25724, CVE-2020-26238 (High), CVE-2021-20218 (High)
Multiple vulnerabilities have been discovered in the WebKitGTK-Web content engine library for GTK+ and JavaScript engines. If a user is tricked into viewing a malicious website a remote attacker can exploit some of these vulnerabilities related to web browser security, including cross-site scripting attacks, Denial of Service attacks and arbitrary code execution.
It has been discovered that Squid, Web proxy cache server incorrectly handled certain content-length headers and incorrectly validated certain input. A remote attacker can possibly use these vulnerabilities to perform an HTTP request smuggling attack, resulting in cache poisoning or possibly access services forbidden by the security controls.
CVE ID: CVE-2020-25097 (High), CVE-2020-15049 (High)
A remote execution of arbitrary commands vulnerability has been discovered in many Aruba Instant Access Point (IAP) products. Aruba has released patches for Aruba Instant which address this security vulnerability.
CVE ID: CVE-2021-25162
MuleSoft is aware of a Server Side Request Forgery vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. The affected versions Mule 3.8.x,3.9.x,4.x runtime.
CVE ID: CVE-2021-1627 (Critical)
Multiple vulnerabilities have been discovered in baserCMS provided by baserCMS Users Community. The affected products are baserCMS versions prior to 4.4.5. The updates are available.
CVE ID: CVE-2021-20681 (Medium), CVE-2021-20682 (High), CVE-2021-20683 (Medium)
Apple has released security updates to address vulnerabilities in multiple products. An attacker can exploit some of these vulnerabilities to take control of an affected device.
Multiple vulnerabilities such as unvalidated redirects and forwards, Cross-Site Scripting (XSS) and information leak/disclosure have been discovered in McAfee ePolicy Orchestrator (ePO). The update to the versions ePO 5.10.0 Update 10 & ePO 5.9.1 HF EPO-937000.
CVE ID: CVE-2021-23888 (Medium), CVE-2021-23889 (Low), CVE-2021-23890 (Medium)
Orion Platform 2020.2.5 has released security updates to address vulnerabilities in previous releases of Orion Platform. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-3109 (Medium), CVE-2020-35856 (High)
Storage of sensitive data in a mechanism without access control vulnerability has been discovered in Philips' Equipment- Gemini PET/CT Family. Successful exploitation of this vulnerability involving removable media can allow access to sensitive information (including patient information).
CVE ID: CVE-2021-27456 (Low)
Multiple vulnerabilities have been discovered in jquery's handling of untrusted HTML which may result in the execution of untrusted code. It is recommended to upgrade the jquery packages.
CVE ID: CVE-2020-11022 (Medium), CVE-2020-11023 (Medium)
Multiple vulnerabilities have been discovered in OpenSSL. The affected versions are OpenSSL versions 1.1.1h and 1.1.1. It is recommended to upgrade to OpenSSL 1.1.1k.
CVE ID: CVE-2021-3450 (High), CVE-2021-3449 (High)
It has been discovered that in Apache SpamAssassin (SA) malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. It is recommended to upgrade to SA version 3.4.5.
CVE ID: CVE-2020-1946
Multiple vulnerabilities have been discovered in Cisco Jabber for Windows, Cisco Jabber for MacOS and Cisco Jabber for mobile platforms- Android and iOS which allow an attacker to execute arbitrary programs with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition. Cisco has released security updates to address vulnerabilities in these Cisco products.
A vulnerability has been discovered in lxml, a pythonic binding for the libxml2 and libxslt libraries. Due to missing input sanitisation Cross-site Scripting (XSS) is possible for the HTML5 formaction attribute. It is recommended to upgrade your lxml packages.
CVE ID: CVE-2021-28957 (Medium)
It has been discovered that ldb, when used with Samba, incorrectly handled certain LDAP attributes and DN strings. A remote attacker can use these vulnerabilities to cause the LDAP server to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVE ID: CVE-2021-20277, CVE-2020-27840
It has been discovered that DaviewIndy has a Heap-based overflow vulnerability. The vulnerability is triggered when the user opens a malformed ex.j2c format file which is mishandled by Daview.exe. Attackers can exploit this for arbitrary code execution.
CVE ID: CVE-2020-7852 (High)
It has been discovered that APKLeaks allows remote attackers to execute arbitrary OS commands via package name inside application manifest. An attacker can include arguments which allow unintended commands or code to be executed, allow sensitive data to be read or modified or can cause other unintended behavior through malicious package name. The affected versions are APKLeaks prior to v2.0.3. The upgradation to APKLeaks version v2.0.6-dev and above is recommended.
CVE ID: CVE-2021-21386 (Critical)
Firefox 87 has introduced a new privacy feature called SmartBlock. SmartBlock intelligently fixes up web pages that are broken by our tracking protections, without compromising user privacy.
Privilege escalation vulnerability has been discovered in McAfee Data Loss Prevention (DLP) Endpoint for Windows. The affected versions are DLP Endpoint for Windows Prior to 11.6.100. It is recommended to install or update DLP Endpoint for Windows 11.6.100.
CVE ID: CVE-2020-7346 (High)
Multiple vulnerabilities such as code injection, improper access control, and cross-site scripting have been discovered in Weintek's Equipment- cMT. Successful exploitation of these vulnerabilities can allow an unauthenticated remote attacker to access sensitive information and execute arbitrary code to gain root privileges.
CVE ID: CVE-2021-27446 (Critical), CVE-2021-27444 (Critical), CVE-2021-27442 (Critical)
Multiple vulnerabilities such as hard-coded password, code injection, and execution with unnecessary privileges have been discovered in GE's Equipment- Reason DR60, Digital Fault Recorder(DFR). Successful exploitation of these vulnerabilities can allow an attacker to take full control of the Digital Fault Recorder (DFR), remotely execute code, or escalate privileges.
CVE ID: CVE-2021-27440 (Critical), CVE-2021-27438 (High), CVE-2021-27454 (High)
Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as use of hard-coded password, execution with unnecessary privileges, and inadequate encryption strength have been discovered in GE's Equipment- MU320E. Successful exploitation of these vulnerabilities can allow an attacker to escalate unnecessary privileges and use hard-coded credentials to take control of the device.
CVE ID: CVE-2021-27452 (Critical), CVE-2021-27448 (High), CVE-2021-27450 (Low)
Multiple vulnerabilities have been discovered in Ovarro's Equipment- TBoxLT2 (All models), TBox MS-CPU32, TBox MS-CPU32-S2, TBox RM2 (All models), TBox TG2 (All models), a Remote Terminal Unit (RTU) Successful exploitation of these vulnerabilities can result in remote code execution which may cause a denial-of-service condition.
CVE ID: CVE-2021-22646 (High), CVE-2021-22648 (High), CVE-2021-22642 (High), CVE-2021-22640 (High), CVE-2021-22644 (High)
Buffer Overflow vulnerability has been discovered in Rockwell Automation's Equipment- MicroLogix 1400 controllers. Successful exploitation of this vulnerability may result in a denial-of-sservice condition. The affected products are MicroLogix 1400, All series Version 21.6 and below.
CVE ID: CVE-2021-22659 (High)
Improper input validation vulnerability has been discovered in Rockwell Automation's Equipment- CompactLogix and ControlLogix controllers. Successful exploitation of this vulnerability may allow an attacker to send specially crafted CIP packet requests to a controller which may cause denial-of-service conditions in communications with other products.
CVE ID: CVE-2020-6998 (Medium)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It has been discovered that the Rating Script Service(RSS) of XWiki Platform expose an API to perform SQL requests without escaping the from and where search arguments. This might lead to an SQL script injection quite easily for any user having Script rights on XWiki.
CVE ID: CVE-2021-21380 (High)
A remote code execution vulnerability has been discovered in GitHub Enterprise Server which can be exploited when building a GitHub Pages site. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.3 and is fixed in 3.0.3, 2.22.9, and 2.21.17.
CVE ID: CVE-2021-22864
Multiple vulnerabilities have been discovered in XStream , a Java library to serialize objects to XML and back again. The affected versions are XStream before version 1.4.16. The updates are avilable.
CVE ID: CVE-2021-21342 (Critical), CVE-2021-21344 (Critical), CVE-2021-21345 (Critical), CVE-2021-21346 (Critical), CVE-2021-21347 (Critical), CVE-2021-21350 (Critical), CVE-2021-21351 (Critical)
The unauthenticated path traversal remote directory deletion vulnerability in ManageEngine OpManager build 125346 has been discovered. The flaw exists in the Spark Gateway component in ManageEngine OpManager due to improper validation of user-supplied data prior to a directory deletion operation.
CVE ID: CVE-2021-20078 (Critical)
It has been discovered that Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
CVE ID: CVE-2021-26295 (Critical)
Adobe has released security updates to address a vulnerability affecting ColdFusion. An attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-21087 (Critical)
Multiple vulnerabilities have been discovered in Privoxy, privacy enhancing HTTP Proxy. An attacker can exploit some of these vulnerabilities to take control of an affected system.
TYPO3 is an open source PHP based web content management system. It has been discovered that content elements of type menu are vulnerable to cross-site scripting when their referenced items get previewed in the page module. The affected versions are TYPO3 7.0.0-7.6.50, 8.0.0-8.7.39, 9.0.0-9.5.16, 10.0.0-10.4.1, 11.0.0-11.1.0. It is recommended to update to TYPO3 versions 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1.
CVE ID: CVE-2021-21370 (Medium)
It has been discovered that OpenEMR is vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly. An attacker can trick a user to click on a malicious url and execute malicious code. The affected version are OpenEMR 4.2.0 to 6.0.0.
CVE ID: CVE-2021-25922
It has been discovered that cloud-init has the ability to generate and set a randomized password for system users. This functionality is enabled at runtime by passing cloud-config data. When used this way, cloud-init logs the raw, unhashed password to a world-readable local file. It is recommended to upgrade the cloud-init packages.
CVE ID: CVE-2021-3429
Multiple vulnerabilities have been discovered in Linux kernel. A local attacker can use these vulnerabilities to cause a denial of service (system crash) or possibly execute arbitrary code.
CVE ID: CVE-2021-20194 (High), CVE-2021-3347 (High), CVE-2021-3348 (High)
It has been discovered that when the Traffic Management Microkernel (TMM) process handles certain undisclosed traffic, it may start dropping all fragmented IP traffic. TMM incorrectly determines that the fragment memory limit has been reached and drops all fragments it receives, disrupting traffic to the BIG-IP system.
CVE ID: CVE-2021-23007
It has been discovered that /etc/passwd is given incorrect privileges in openjdk. The affected version is OpenJDK Java (for Middleware) 1 x86_64. The Red Hat Build of OpenJDK 8 (container images) is now available from the Red Hat Container Catalog.
CVE ID: CVE-2021-20264
A series of Denial of Service vulnerabilities have been discovered in Pygments, a popular syntax highlighting library for Python. A number of regular expressions has exponential or cubic worst-case complexity which can cause a remote Denial of Service (DoS) when provided with malicious input. It is recommended to upgrade the pygments packages.
CVE ID: CVE-2021-27291
It has been discovered that improper input validation Squid-a caching and forwarding HTTP web proxy are vulnerable to an HTTP Request smuggling attack. It is recommended to upgrade the squid3 packages.
CVE ID: CVE-2020-25097
CISA Hunt and Incident Response Program (CHIRP) is a new forensics collection tool that CISA developed to help network defenders find Indicators of Compromise (IOCs) associated with the SolarWinds and Active Directory/M365 Compromise.
It has been discovered that Nessus Agent inadvertently capture the IAM role security token on the local host during initial linking of the Nessus Agent when installed on an Amazon EC2 instance. This can allow a privileged attacker to obtain the token. The affected versions are Nessus Agent 7.2.0 through 8.2.2.
CVE ID: CVE-2021-23840 (High), CVE-2021-20077, CVE-2021-23841 (High)
It has been discovered that the Shibboleth service provider's template engine used to render error pages can be abused for phishing attacks. It is recommended to upgrade the shibboleth-sp packages.
Information Exposure vulnerability has been discovered in Johnson Controls' Equipment- exacqVision. Successful exploitation of this vulnerability can allow an unauthenticated attacker to view system-level information about the exacqVision Web Service and the operating system. The affected products are exacqVision Web Service- All supported versions up to and including v20.12.02.0.
CVE ID: CVE-2021-27656 (High)
Multiple vulnerabilities have been discovered in Open vSwitch and OVN (Open Virtual Network). An update for openvswitch2.11 and ovn2.11 is now available for Red Hat OpenStack Platform 13 (Queens).
CVE ID: CVE-2015-8011 (Critical), CVE-2020-10722 (Medium), CVE-2020-10723 (Medium), CVE-2020-10724 (Medium)
It has been discovered that a locking flaw in drivers/tty/tty_jobctrl.c can lead to an use-after-free vulnerability in kernel. An update for kpatch-patch is now available for Red Hat Enterprise Linux 7.6 Extended Update Support.
CVE ID: CVE-2020-29661 (High)
Multiple vulnerabilities have been discovered in Ruby-Object-oriented scripting language. A remote attacker can use these vulnerabilities to execute arbitrary code or obtain sensitive information or bypass a reverse proxy.
CVE ID: CVE-2020-10663 (High), CVE-2020-10933 (Medium), CVE-2020-25613 (High)
Multiple vulnerabilities have been discovered in Hitachi ABB Power Grids' Equipment- eSOMS Telerik. Successful exploitation of these vulnerabilities can allow an attacker to upload malicious files to the server, discover sensitive information or execute arbitrary code. The affected products are eSOMS all versions prior to 6.3 using a version of Telerik software.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability has been discovered in Hitachi ABB Power Grids' Equipment- eSOMS. Successful exploitation of this vulnerability can allow an attacker to gain access to unauthorized information. The affected products are eSOMS version 6.0.4.2.2, eSOMS version 6.1.4 and eSOMS version 6.3.
CVE ID: CVE-2021-26845 (High)
It has been discovered that in Unisys Stealth (core) the Keycloak password is stored in a recoverable format that might be accessible by a local attacker, who can gain access to the Management Server and change the Stealth configuration. The affected versions are Unisys Stealth (core) before 6.0.025.0.
CVE ID: CVE-2021-3141
It has been discovered that Pion WebRTC do not properly tear down the DTLS Connection when certificate verification failed. The PeerConnectionState is set to failed, but a user can ignore that and continue to use the PeerConnection. The affected versions are Pion WebRTC before 3.0.15.
CVE ID: CVE-2021-28681
It has been discovered that HGiga MailSherlock contains a SQL Injection vulnerability. Remote attackers can inject SQL syntax and execute SQL commands in a URL parameter of email pages without privilege.
CVE ID: CVE-2021-22848 (High)
CISA has released a table of Tactics, Techniques & Procedures (TTPs) used by the Advanced Persistent Threat (APT) actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATTACK framework to identify APT TTPs and includes detection recommendations.
GitLab releasing updated versions 13.9.4, 13.8.6, and 13.7.9 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes.
Cisco has released security updates to address a vulnerability in Cisco Small Business routers. In Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers web-based management interface do not properly validate user-supplied input. An attacker can exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit can allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial of service (DoS) condition on the affected device.
CVE ID: CVE-2021-1287 (High)
It has been discovered that a potential arbitrary code execution vulnerability in velocity, a Java-based template engine for writing web applications. It can be exploited by applications which allowed untrusted users to upload/modify templates. It is recommended to upgrade the velocity packages.
CVE ID: CVE-2020-13936 (High)
Multiple vulnerabilities have been discovered in the shadow suite of login tools. An attacker can escalate privileges in specific configurations. It is recommended to upgrade the shadow packages.
CVE ID: CVE-2017-20002, CVE-2017-12424 (Critical)
Cross-site scripting (XSS) vulnerability has been discovered in velocity-tools, a collection of useful tools for the "Velocity" template engine. It is recommended to upgrade the velocity-tools packages.
CVE ID: CVE-2020-13959 (Medium)
A potential data leakage vulnerability via malformed memcached keys has been discovered in python-django, a high-level Python Web framework of Red Hat OpenStack Platform. An update for python-django is now available for Red Hat OpenStack Platform 16.1(Train).
CVE ID: CVE-2020-13254 (Medium)
It has been discovered that containerd, a daemon to control runC incorrectly handled certain environment variables. Contrary to expectations, a container can receive environment variables defined for a different container, possibly containing sensitive information. The system can be made to expose sensitive information. The updates are now available.
CVE ID: CVE-2021-21334 (Medium)
Cross-site Scripting vulnerability has been discovered in Advantech's Equipment- WebAccess/SCADA, a browser-based SCADA software package. Successful exploitation of this vulnerability can allow an unauthorized user to steal a user’s cookie/session token or redirect an authorized user to a malicious webpage.
CVE ID: CVE-2021-27436 (Medium)
Multiple vulnerabilities have been discovered in XStream, an open-source Java library to serialise objects to XML and back again. Some of the vulnerabilities can lead to a remote code execution attack.
Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. A vulnerability has been discovered in jquery of IPA, that passing HTML containing elements from untrusted sources - even after sanitizing it to one of jQuery's DOM manipulation methods result in untrusted code execution. The updates is now available.
CVE ID: CVE-2020-11023 (Medium)
It has been discovered that OpenJPEG- JPEG 2000 image compression/decompression library incorrectly handled certain image data. An attacker can use this vulnerability to cause OpenJPEG to crash, leading to a Denial of Service, or possibly execute arbitrary code.
CVE ID: CVE-2020-27841 (Medium), CVE-2020-27824, CVE-2020-27814 (High), CVE-2020-27823, CVE-2020-27845 (Medium)
Multiple vulnerabilities have been discovered in Linux kernel. An attacker can exploit these vulnerabilities to cause a Denial of Service in the host OS or possibly execute arbitrary code or bypass NFS access restrictions.
CVE ID: CVE-2020-29569 (High), CVE-2021-3178 (Medium), CVE-2020-36158 (Medium)
Multiple vulnerabilities have been discovered in GE's Equipment- UR Family, protection and control relays. Successful exploitation of these vulnerabilities can allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a Denial-of-Service condition.
Infinite Loop vulnerability has been discovered in Hitachi ABB Power Grids' Equipment- AFS Series. Successful exploitation of this vulnerability using crafted HSR frame can cause a denial-of-service condition on one of the ports in a HSR ring. The affected products are AFS660/AFS665 Version 7.0.07 including the variants AFS660-SR and AFS665-SR.
CVE ID: CVE-2020-9307 (Medium)
Multiple vulnerabilities such as Insufficiently Protected Credentials and Security Features have been discovered in Becton, Dickinson and Company's Equipment- BD Alaris 8015 PC Unit. Successful exploitation of these vulnerabilities can allow an unauthorized user with physical access to the affected devices to access the host facility’s wireless network authentication credentials and other sensitive technical data which may compromise the confidentiality, integrity, and availability of the device.
CVE ID: CVE-2016-8375 (Medium) , CVE-2016-9355 (Medium)
Microsoft has released the Exchange On-premises Mitigation Tool (EOMT.ps1) that can automate portions of both the detection and patching process. Microsoft stated the following along with the release: "[the tool is intended] to help customers who do not have dedicated security or IT teams to apply these security updates.
Multiple vulnerabilities have been discovered in XStream, an open-source Java library to serialise objects to XML and back again. Some of the vulnerabilities can lead to a remote code execution attack.
Multiple vulnerabilities have been discovered in pki-core. The Public Key Infrastructure (PKI) core contains fundamental packages required by Red Hat Certificate System. An update for pki-core is now available for Red Hat Enterprise Linux 7.6 Extended Update Support.
It has been discovered that GLib-library of C routines incorrectly handled certain symlinks when replacing files. If a user or automated system are tricked into extracting a specially crafted file with File Roller, a remote attacker can possibly create files outside of the intended directory.
CVE ID: CVE-2021-28153
It has been discovered that ExpressionEngine allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory. The affected version are ExpressionEngine before 5.4.2 and 6.x before 6.0.3.
CVE ID: CVE-2021-27230
It has been discovered that SpringBoot Framework is susceptible to a vulnerability which when successfully exploited can lead to Remote Code Execution(RCE). All versions of Element Plug-in for vCenter Server, Management Services versions prior to 2.17.56 and Management Node versions through 12.2 contain vulnerable versions of SpringBoot Framework (versions prior to 1.3.2).
CVE ID: CVE-2021-26987
It has been discovered that a packet of death scenario is possible in mvfst via a specially crafted message during a QUIC session, which causes a crash via a failed assertion. This vulnerability affects mvfst versions prior to commit a67083ff4b8dcbb7ee2839da6338032030d712b0 and proxygen versions prior to v2021.03.15.00.
CVE ID: CVE-2021-24029
It has been discovered that in moodle when creating a user account, it is possible to verify the account without having access to the verification email link. The affected versions are moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
CVE ID: CVE-2021-20282
Cross-site scripting (XSS) vulnerability has been discovered in the Delete Personal Data page of Cryptshare Server which allows an attacker to inject arbitrary web script or HTML via the user name. The affected version are Cryptshare Server before 4.8.0. It is recommended to upgrade to version 4.8.1.
CVE ID: CVE-2021-3150
It has been discovered that the auth_internal plugin in Tiny Tiny RSS (aka tt-rss) allows an attacker to log in via the OTP code without a valid password. The affected versions are Tiny Tiny RSS before 2021-03-12.
CVE ID: CVE-2021-28373
Google has released Chrome version 89.0.4389.90 for Windows, Mac and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
CVE ID: CVE-2021-21191 (High), CVE-2021-21192 (High), CVE-2021-21193 (High)
It has been discovered that pygments, a generic syntax highlighter, is vulnerable to a CPU exhaustion attack via a crafted SML file. It is recommended to upgrade the pygments packages.
CVE ID: CVE-2021-20270
It has been discovered that sandbox restrictions in Flatpak, an application deployment framework for desktop apps, can be bypassed via a malicious desktop file. It is recommended to upgrade the flatpak packages.
CVE ID: CVE-2021-21381 (High)
It has been discovered that in the debug console of Eclipse Theia-an extensible platform to develop multi-language Cloud and Desktop IDEs with state-of-the-art web technologies there is no HTML escaping, so arbitrary Javascript code can be injected. The affected versions are Eclipse Theia versions up to and including 1.8.0.
CVE ID: CVE-2021-28161
Multiple vulnerabilities have been discovered in MuPDF, a lightweight PDF viewer which may result in denial of service, arbitrary code execution, memory corruption and other potential consequences. It is recommended to upgrade the mupdf packages.
CVE ID: CVE-2020-26519 (Medium), CVE-2021-3407 (Medium)
Multiple vulnerabilities have been discovered in Red Hat Integration Tech-Preview 3 Camel K. An update to the Camel K operator image for Red Hat Integration tech-preview is now available.
CVE ID: CVE-2020-13946 (Medium), CVE-2020-13956 (Medium), CVE-2020-25649 (High)
Multiple vulnerabilities have been discovered in golang of Red Hat OpenShift Container Platform. The affected products are Red Hat OpenShift Container Platform 4.5 for RHEL 8 x86_64, Red Hat OpenShift Container Platform 4.5 for RHEL 7 x86_64, Red Hat OpenShift Container Platform for Power 4.5 for RHEL 8 ppc64le, Red Hat OpenShift Container Platform for Power 4.5 for RHEL 7 ppc64le, Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.5 for RHEL 8 s390x, Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.5 for RHEL 7 s390x. Red Hat OpenShift Container Platform release 4.5.34 is now available with updates to packages and images that fix several bugs and add enhancements.
CVE ID: CVE-2020-15586 (Medium), CVE-2020-16845 (High)
Multiple vulnerabilities have been discovered in Pillow-Python Imaging Library. The Pillow incorrectly handled certain Tiff image files, if a user or automated system are tricked into opening a specially-crafted Tiff file, a remote attacker can cause Pillow to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVE ID: CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292,CVE-2021-25293, CVE-2021-27921, CVE-2021-27922
Use-after-free vulnerability has been discovered in P2P provision discovery processing of wpa_supplicant. An update for wpa_supplicant is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2021-27803 (High)
Untrusted search path vulnerability has been discovered in Installer of MagicConnect Client program distributed before 2021 March 1. It allows an attacker to gain privileges and via a Trojan horse DLL in an unspecified directory and to execute arbitrary code with the privilege of the user invoking the installer when a terminal is connected remotely using Remote desktop.
CVE ID: CVE-2021-20674
It has been discovered that JMS Client for RabbitMQ is vulnerable to unsafe deserialization that can result in code execution via crafted StreamMessage data. The affected versions are JMS Client for RabbitMQ 1.x before 1.15.2 and 2.x before 2.2.0
CVE ID: CVE-2020-36282
It has been discovered that the session ID is visible in the arguments of the f5vpn.exe command when VPN is launched from the browser on a Windows system. An attacker with privileges to view the command line of the process may be able to view the session ID. If the session ID is exposed to the attacker, they can use this information to launch further attacks.
CVE ID: CVE-2021-23002
Information exposure through log file vulnerability has been discovered in Cortex XSOAR software where the secrets configured for the SAML single sign-on (SSO) integration can be logged to the '/var/log/demisto/' server logs when testing the integration during setup. The updates are now available.
CVE ID: CVE-2021-3034 (Medium)
F5 has released a security advisory to address Remote Code Execution (RCE) vulnerabilities impacting BIG-IP and BIG-IQ devices. An attacker can exploit these vulnerabilities to take control of an affected system.
It has been discovered that Clipper allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal API. The affected version are Clipper before 1.0.5.
CVE ID: CVE-2021-28134
A vulnerability has been discovered in MISP-Open Source Threat Intelligence Platform and Open Standards for Threat Information Sharing. It is recommended to upgrade to MISP 2.4.140.
CVE ID: CVE-2021-27904 (Medium)
It has been discovered that IBM Db2 db2fm is vulnerable to a buffer overflow, caused by improper bounds checking which can allow a local attacker to execute arbitrary code on the system with root privileges. The affected products and versions are all fix pack levels of IBM Db2 V9.7, V10.1, V10.5, V11.1, and V11.5 editions on all platforms.
CVE ID: CVE-2020-5025 (High)
Multiple vulnerabilities have been discovered in OpenShift Virtualization, a Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. An update is now available for RHEL-8-CNV-2.6.
Multiple vulnerabilities have been discovered in Schneider Electric's Equipment- IGSS (Interactive Graphical SCADA System) which may cause improper restriction of operations within the bounds of a memory buffer. Successful exploitation of these vulnerabilities can result in remote code execution.
CVE ID: CVE-2021-22709 (High), CVE-2021-22710 (High), CVE-2021-22711 (High), CVE-2021-22712 (High)
An unquoted service path vulnerability has been discovered in McAfee Endpoint Product Removal (EPR) Tool. This vulnerability allows local administrators to execute arbitrary code, with higher-level privileges, via execution from a compromised folder. The affected versions are Endpoint Product Removal (EPR) Tool prior to 21.2.
CVE ID: CVE-2021-23879 (Medium)
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
SAP has released security updates to address vulnerabilities affecting multiple products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in several products of Siemens. A remote attacker may exploit some of these vulnerabilities to take control of an affected system.
It has been discovered that Git incorrectly handled delay-capable clean/smudge filters when being used on case-insensitive filesystems. A remote attacker can possibly use this issue to execute arbitrary code.
CVE ID: CVE-2021-21300
A memory corruption vulnerability has been discovered in Apple products iOS 14.4.1 and iPadOS 14.4.1. The processing of maliciously crafted web content may lead to arbitrary code execution. The security update is now available.
CVE ID: CVE-2021-1844
A potential privileged host device access from guest vulnerability has been discovered in virtiofsd for Quick EMUlator (QEMU), a free and open-source emulator and virtualizer . An update for the virt:8.2 and virt-devel:8.2 modules is now available for Advanced Virtualization for RHEL 8.2.1.
CVE ID: CVE-2020-35517 (High)
It has been discovered that GLib-library of C routines incorrectly handled certain large buffers. A remote attacker can use this issue to cause applications linked to GLib to crash, resulting in a Denial of Service, or possibly execute arbitrary code.
CVE ID: CVE-2021-27218 (High), CVE-2021-27219 (High)
It has been discovered that libupnp, the portable SDK for UPnP Devices allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c. It is recommended to upgrade the libupnp packages.
CVE ID: CVE-2020-13848 (High)
The package github.com/pires/go-proxyproto is vulnerable to denial of service (DoS) via the parseVersion1() function. Since no limits are implemented in the code, a deliberately malformed V1 header can be used to exhaust memory in a server process using this code - and create a DoS. This can be exploited by sending a stream starting with PROXY and continuing to send data (which does not contain a newline) until the target stops acknowledging.
CVE ID: CVE-2021-23351 (Medium)
A vulnerability has been discovered in the Linux kernel. The drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages. The affected versions are Linux kernel through 5.11.3.
CVE ID: CVE-2021-27364
A vulnerability has been discovered in AfterLogic Aurora and WebMail Pro which allow directory traversal to read files. The affected versions are AfterLogic Aurora through 7.7.9 and WebMail Pro through 7.7.9.
CVE ID: CVE-2021-26294
Multiple vulnerabilities such as Remote Command Execution(RCE) and Arbitrary Code Execution(ACE) has been discovered in multiple Xerox products. The updates are available.
CVE ID: CVE-2021-28671, CVE-2021-28672
Multiple vulnerabilities have been discovered in Rockwell Automation's Equipment- 1734-AENTR Series B and Series C. Successful exploitation of these vulnerabilities can lead to unauthorized data modification on the affected devices.
CVE ID: CVE-2020-14504 (High), CVE-2020-14502 (Medium)
Multiple vulnerabilities have been discovered in Schneider Electric's Equipment- EcoStruxure Building Operation. Successful exploitation of these vulnerabilities may allow unauthorized file uploads and command execution by a remote user which can result in loss of availability, confidentiality and integrity of the workstation. The affected product are EcoStruxure Building Operation WebReports v1.9 - v3.1, WebStation v2.0 - v3.1, Enterprise Server installer v1.9 - v3.1 and Enterprise Central installer v2.0 - v3.1.
Muliple vulnerabilities such as HTTP2 'unknownProtocol' cause DoS by resource exhaustion and DNS rebinding in --inspect have been discovered in nodejs. An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2021-22883, CVE-2021-22884
Multiple vulnerabilities such as SQL Injection, Command Injection and Server-Side Request Forgery have been discovered in Accellion File Transfer Appliance. A remote user can exploit some of these vulnerabilities to trigger remote code execution, cross-site scripting and security restriction bypass on the targeted system. The affected products are FTA version prior to 9.12.444.
An information disclosure vulnerability has been discovered in the web-based management interface of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) and Cisco Content Security Management Appliance (SMA) which can allow an authenticated, remote attacker to access sensitive information on an affected device.
CVE ID: CVE-2021-1425 (Medium)
Cisco has released security updates to address vulnerabilities in the multiple Cisco products which can allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition.
VMware has released a security update to address a vulnerability in View Planner. An attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-21978 (High)
A vulnerability has been discovered that on Juniper Networks Junos EX series, QFX Series, MX Series, and SRX branch series devices, a memory leak occurs every time the 802.1X authenticator port interface flaps which can lead to other processes such as the pfex process, responsible for packet forwarding to crash and restart. This issue may occur when the device is configured as 802.1X authenticator port and the interface flaps.
CVE ID: CVE-2021-0215
Trend Micro has released updates for products that utilise either the Virus Scan API (VSAPI) or Advanced Threat Scan Engine (ATSE) to resolve a memory exhaustion vulnerability which may lead to denial-of-service or system freeze if exploited.
CVE ID: CVE-2021-25252
Improper Input Validation vulnerability has been discovered in Hitachi ABB Power Grids Equipment- CompactLogix and ControlLogix controllers. Successful exploitation of this vulnerability may allow an attacker to send specially crafted CIP packet requests to a controller, which may cause denial-of-service conditions in communications with other products.
CVE ID: CVE-2020-6998 (Medium)
Multiple vulnerabilities have been discovered in MB connect line Equipment- mymbCONNECT24 and mbCONNECT24- platform for remote access, data monitoring, alarm management, web-based visualization and IIoT applications. Successful exploitation of these vulnerabilities can allow a remote attacker to gain unauthorized access to arbitrary information or allow remote code execution. The affected products are mymbCONNECT24 v2.6.1 and prior ands mbCONNECT24 v2.6.1 and prior.
Multiple vulnerabilities such as cross-site scripting and user interface misrepresentation of critical information have been discovered in Hitachi ABB Power Grids' Equipment- Ellipse Enterprise Asset Management (EAM). Successful exploitation of these vulnerabilities can allow an attacker to steal sensitive information, hijack a user’s session, or compromise authentication credentials.The affected products are Ellipse EAM versions prior to and including 9.0.25.
CVE ID: CVE-2021-27414 (Medium) , CVE-2021-27416 (Medium)
It has been discovered that when responding to new h2c connection requests, Apache Tomcat can duplicate request headers and a limited amount of request body from one request to another meaning user A and user B can both see the results of user A's request.
CVE ID: CVE-2021-25122
The podman tool manages pods, container images, and containers. It has been discovered that the container users permissions are not respected in privileged containers of podman. An update for podman is now available for Red Hat Enterprise Linux 7 Extras.
CVE ID: CVE-2021-20188 (High)
Multiple vulnerabilities have been discovered in Docker, a Linux container runtime, which can result in denial of service, an information leak or privilege escalation. It is recommended to upgrade the docker.io packages.
CVE ID: CVE-2020-15157 (Medium), CVE-2020-15257 (Medium), CVE-2021-21284 (Medium), CVE-2021-21285 (Medium)
It has been discovered that Google APIs google-oauth-java-client can allow a remote attacker to bypass security restrictions, caused by no PKCE support implemented. The execution of a specially-crafted application allows an attacker to exploit this vulnerability for obtaining the authorisation code, and gain authorisation to the protected resource.
CVE ID: CVE-2020-7692 (High)
External Control of System or Configuration Setting vulnerability has been discovered in PerFact's Equipment- OpenVPN-Client. Successful exploitation of this vulnerability can allow for local privilege escalation or remote code execution through a malicious webpage. The affected products are OpenVPN-Client, Versions 1.4.1.0 and prior.
CVE ID: CVE-2021-27406 (High)
Multiple vulnerabilities have been discovered in Fatek's Equipment- FvDesigner, Fatek FvDesigner, a software tool used to design and develop FATEK FV HMI series product projects. Successful exploitation of these vulnerabilities may allow an attacker to read/modify information, execute arbitrary, and/or crash the application. The affected products are FvDesigner Version 1.5.76 and prior.
CVE ID: CVE-2021-22662 (High), CVE-2021-22670 (High), CVE-2021-22666 (High), CVE-2021-22683 (High), CVE-2021-22638 (High)
Insufficiently Protected Credentials vulnerability has been discovered in Rockwell Automation's Equipment- Studio 5000 Logix Designer, RSLogix 5000, Logix Controllers. Successful exploitation of this vulnerability can allow a remote unauthenticated attacker to bypass the verification mechanism and connect with Logix controllers. This vulnerability can enable an unauthorized third-party tool to alter the controller’s configuration and/or application code.
CVE ID: CVE-2021-22681 (Critical)
Multiple vulnerabilities have been discovered in SaltStack products. An attacker may exploit some of these vulnerabilities to take control of an affected system.
It has been discovered that Shibboleth Identity Provider can allow a remote attacker to bypass security restrictions, caused by an error in the PKIX trust component. An attacker can exploit this vulnerability using a certificate issued by the shibmd:KeyAuthority trust anchors to impersonate any entity.
CVE ID: CVE-2015-1796 (Medium)
It has been discovered that LibTIFF-Tag Image File Format (TIFF) library incorrectly handled certain malformed images. If a user or automated system is tricked into opening a specially crafted image, a remote attacker can crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.
CVE ID: CVE-2020-35524, CVE-2020-35523
It has been discovered that there are a number of integer overflow vulnerabilities in Redis, a persistent "NoSQL"-style key-value database. It is recommended to upgrade the redis packages.
CVE ID: CVE-2021-21309 (Medium)
Multiple vulnerabilities such as improper neutralization of input during web page generation, cleartext transmission of sensitive information, improper restriction of excessive authentication attempts, use of a broken or risky cryptographic algorithm and use of platform-dependent third-party components have been discovered in Advantech's Equipment- Spectre RT Industrial Routers. Successful exploitation of these vulnerabilities may allow information disclosure, deletion of files, and remote code execution. The affected versions of Advantech Spectre RT Industrial Routers are Spectre RT ERT351 firmware Versions 5.1.3 and prior.
Use of Hard-coded Credentials vulnerability has been discovered in Advantech's Equipment- BB-ESWGP506-2SFP-T, industrial ethernet switches. Successful exploitation of this vulnerability can allow an attacker to gain unauthorized access to sensitive information and execute arbitrary code. The affected products are BB-ESWGP506-2SFP-T industrial ethernet switches versions 1.01.09 and prior.
CVE ID: CVE-2021-22667 (Critical)
Use of password hash with insufficient computational effort vulnerability has been discovered in Rockwell Automation's Equipment- FactoryTalk Services. Successful exploitation of this vulnerability can allow a remote, unauthenticated attacker to create new users in the FactoryTalk Services Platform administration console. These new users can allow an attacker to modify or delete configuration and application data in other FactoryTalk software connected to the FactoryTalk Services Platform. The affected products are FactoryTalk Services Platform Versions 6.10.00 and 6.11.00.
CVE ID: CVE-2020-14516 (Critical)
Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in VMware ESXi, vCenter Server, and Cloud Foundation. A remote attacker may exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-21972 (Critical), CVE-2021-21973 (Medium), CVE-2021-21974 (High)
It has been discovered that OpenSSL,Secure Socket Layer (SSL) cryptographic library and tools incorrectly handled comparing certificates containing a EDIPartyName name type, and parsing issuer fields. A remote attacker can possibly use these vulnerabilities to cause OpenSSL to crash, resulting in a denial of service.
CVE ID: CVE-2020-1971 (Medium), CVE-2021-23841
A vulnerability has been discovered in netplex json-smart. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException.
CVE ID: CVE-2021-27568
A vulnerability has been discovered in Keybase Desktop Client-for keeping everyone's chats and files safe for Windows, macOS, and Linux. It allows an attacker to obtain potentially sensitive media (such as private pictures) in the Cache and uploadtemps directories.
CVE ID: CVE-2021-23827
It has been discovered that Smarty, a template engine for PHP allows code injection via an unexpected function name after a {function name= substring. The affected versions are Smarty before 3.1.39.
CVE ID: CVE-2021-26120
It has been discovered in Botan, a BSD-licensed cryptographic and TLS library written in C++11 constant-time computations are not used for certain decoding and encoding operations (base32, base58, base64, and hex). The affected versions are Botan before 2.17.3.
CVE ID: CVE-2021-24115
It has been discovered that an encoding.c in GNU Screen allows remote attackers to cause a Denial of Service or possibly have unspecified other impacts via a crafted UTF-8 character sequence. The affected version is GNU Screen through 4.8.0. It is recommended to upgrade the screen packages.
CVE ID: CVE-2021-26937 (Critical)
SonicWall has released firmware patches for SMA 100 series products in an update to its previous alert. A remote attacker can exploit a vulnerability in versions of SMA 10 prior to 10.2.0.5-29sv to take control of an affected system.
It has been discovered that in Visualware MyConnection Server, a solution designed to assess the risks each published report is not associated with its own access code. The affected versions are Visualware MyConnection Server before 11.0b build 5382.
CVE ID: CVE-2021-27509
It has been discovered that python django is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. The affected packages are python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8 and from 3.9.0 and before 3.9.2. It is recommended to upgrade the python-django packages.
CVE ID: CVE-2021-23336 (Medium)
A cross-site scripting (XSS) vulnerability has been discovered in the Horde Application Framework, more precisely its Text Filter API. An attacker may take control of a user's mailbox by sending a crafted e-mail. It is recommended to upgrade the php-horde-text-filter packages.
CVE ID: CVE-2021-26929 (Medium)
Google has released Chrome version 88.0.4324.182 for Windows, Mac and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
A vulnerability has been discovered in BIND's GSSAPI security policy negotiation which can be targeted by a buffer overflow attack. The affected versions are BIND 9.5.0 to 9.11.27, 9.12.0 to 9.16.11, BIND 9.11.3-S1 to 9.11.27-S1, BIND Supported Preview Edition 9.16.8-S1 to 9.16.11-S1 of and 9.17.0 to 9.17.1 of the BIND 9.17 development branch.
CVE ID: CVE-2020-8625 (High)
It has been discovered that a vulnerability in the Inter-Process Communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows can allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device if the VPN Posture (HostScan) Module is installed on the AnyConnect client. Cisco has released software updates that address this vulnerability.
CVE ID: CVE-2021-1366 (High)
It has been discovered that IBM WebSphere Application Server can allow a remote attacker to traverse directories. An attacker can send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. The affected products are WebSphere Application Server 8.0, WebSphere Application Server 8.5 and WebSphere Application Server 9.0.
CVE ID: CVE-2021-20354 (Medium)
P2P group information processing vulnerability and AP mode PMF disconnection protection bypass have been discovered in wpa_supplicant. An update that fixes two vulnerabilities is now available.
CVE ID: CVE-2021-0326 (High), CVE-2019-16275 (Medium)
The kernel packages contain the Linux kernel, the core of any Linux operating system. Multiple vulnerabilities have been discovered in kernel. An update for kernel is now available for Red Hat Enterprise Linux 7.7 Extended Update Support.
CVE ID: CVE-2020-24394 (High), CVE-2020-25212 (High)
Multiple vulnerabilities such as Stack-based Buffer Overflow, Type Confusion, Untrusted Pointer Dereference, Incorrect Type Conversion or Cast, Memory Allocation with Excessive Size Value have been discovered in Open Design Alliance - Drawings SDK. Successful exploitation of these vulnerabilities may allow code execution in the context of the current process or cause a denial-of-service condition.
CVE ID: CVE-2021-25174 (Medium), CVE-2021-25173 (High)
Multiple vulnerabilities have been discovered in Citrix Hypervisor that may allow privileged code running in a guest VM to cause the host to crash or to become unresponsive.
CVE ID: CVE-2021-26930 (High), CVE-2021-26931 (Medium), CVE-2021-26932
Multiple vulnerabilities such as use of hard-coded credentials and missing XML validation have been discovered in Hamilton Medical AG's Equipment-Hamilton-T1 Ventilator. Successful exploitation of these vulnerabilities can allow attackers with physical access to the device to obtain sensitive information or crash the device being accessed. The affected versions are T1 Ventilator Versions 2.2.3 and prior.
CVE ID: CVE-2020-27278 (Low), CVE-2020-27282 (Medium), CVE-2020-27290 (Low)
Improper handling of length parameter inconsistency vulnerability has been discovered in Rockwell Automation's Equipment- Allen-Bradley MicroLogix 1100, a Programmable Logic Controller. Successful exploitation of this vulnerability can allow a remote, unauthenticated attacker to send malformed packets and cause the controller to enter 8H Hard Fault. The affected product is Allen-Bradley MicroLogix 1100 revision number 1.0.
CVE ID: CVE-2020-6111 (High)
A permissions, privileges, and access Controls vulnerability has been discovered in ProSoft Technology's Equipment- ICX35-HWC-A and ICX35-HWC-E. Successful exploitation of this vulnerability can allow an attacker to change the current user’s password and alter device configurations. The affected products are ICX35-HWC-A: Versions 1.9.62 and prior and ICX35-HWC-E: Versions 1.9.62 and prior.
CVE ID: CVE-2021-22661 (High)
Multiple vulnerabilities have been found in rh-nodejs10-nodejs. Successful exploitation of these vulnerabilities may allow an attacker to execute arbitrary code/commands, cause Denial of Service, access confidential data. An update for rh-nodejs10-nodejs is now available for Red Hat Software Collections.
CVE ID: CVE-2020-7754 (High), CVE-2020-7774 (High), CVE-2020-7788 (High), CVE-2020-8116 (High), CVE-2020-8252 (High), CVE-2020-8265 (High), CVE-2020-8287 (Medium), CVE-2020-15095 (Medium), CVE-2020-15366 (Medium)
Multiple vulnerabilities have been discovered in IBM SDK. These might affect some configurations of IBM WebSphere Application Server Traditional, IBM WebSphere Application Server Liberty and IBM WebSphere Application Server Hypervisor Edition.
CVE ID: CVE-2020-27221 (Critical), CVE-2020-14782 (Low), CVE-2020-14781 (Low), CVE-2020-2773 (Low)
It has been discovered that a remotely triggerable vulnerability in the mod_authz_svn module in Subversion, a version control system. When using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option an unauthenticated remote client can take advantage of this flaw to cause a denial of service by sending a request for a non-existing repository URL.
It has been discovered that xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence. It is recommended to upgrade the xterm packages.
CVE ID: CVE-2021-27135
It has been discovered that SQLite incorrectly handled certain sub-queries. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. SQLite could be made to crash or run programs if it processed a specially crafted query.
CVE ID: CVE-2021-20227
Multiple vulnerabilities have been discovered in GitLab. It is recommended to update versions 13.8.4, 13.7.7 and 13.6.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Multiple vulnerabilities have been discovered in Wibu-Systems AG's Equipment- CodeMeter-secure protection and effective license management of software and digital content. Successful exploitation of these vulnerabilities may allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data and prevent normal operation of third-party software dependent on the CodeMeter.
Uncontrolled Search Path Element vulnerability has been discovered in Rockwell Automation's Equipment- DriveTools SP and Drives AOP. Successful exploitation of this vulnerability may result in privilege escalation and total loss of device confidentiality, integrity and availability.
CVE ID: CVE-2021-22665 (High)
Use of Insufficiently Random Values vulnerability has been discovered in multiple TCP/IP Equipment- Nut/Net, CycloneTCP, NDKTCPIP, FNET, uIP-Contiki-OS, uC/TCP-IP, uIP-Contiki-NG, uIP, picoTCP-NG, picoTCP, MPLAB Net, Nucleus NET, Nucleus ReadyStart. Successful exploitation of weak initial sequence numbers (ISN) may be used to hijack or spoof TCP connections, cause denial-of-service conditions, inject malicious data or bypass authentication.
It has been discovered that PEEL Shopping cart- a free ecommerce CMS in PHP / MySQL allows utilisateurs/change_params.php address Cross-Site Scripting (XSS). The affected version is PEEL Shopping cart 9.3.0.
CVE ID: CVE-2021-27190
A vulnerability has been discovered in Qognify Ocularis that allows remote attackers to execute arbitrary code on affected installations of Qognify Ocularis. The affected version is Qognify Ocularis 5.9.0.395.
CVE ID: CVE-2020-27868 (Critical)
An EDIPARTYNAME NULL pointer de-reference vulnerability has been discovered in Open SSL. An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 7.
CVE ID: CVE-2020-1971 (Medium)
A vulnerability has been discovered in the OverlayFS code in firejail, a sandbox program to restrict the running environment of untrusted applications, which can result in root privilege escalation. It is recommended to upgrade the firejail packages.
CVE ID: CVE-2021-26910 (High)
It has been discovered that GNOME Autoar- Archive integration support for GNOME can extract files outside of the intended directory. GNOME Autoar can be made to overwrite files. If a user were tricked into extracting a specially-crafted archive, a remote attacker may create files in arbitrary locations, possibly leading to code execution.
CVE ID: CVE-2020-36241 (Medium)
A reflected cross-site scripting (XSS) vulnerability has been discovered in an undisclosed page of the BIG-IP Configuration utility when Fraud Protection Service is provisioned which allows an attacker to execute JavaScript in the context of the current logged-in user.
CVE ID: CVE-2021-22979
It has been discovered that zstd- a compression utility temporarily exposed a world-readable version of its input even if the original file has restrictive permissions. It is recommended to upgrade the libzstd packages.
A certificate chain building recursion denial of service vulnerability has been discovered in dotnet. An update for .NET Core 3.1 is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2021-1721
It has been discovered that Wekan- open source kanban board system contains a cross-site scripting vulnerability. When a logged-in user store malicious value containing Javascript code to the system that JavaScript code may be executed on another logged-in user's web browser.
CVE ID: CVE-2021-20654 (Medium)
An improper verification of cryptographic signature vulnerability has been discovered in Palo Alto Networks Prisma Cloud Compute console. This vulnerability enables an attacker to bypass signature validation during SAML authentication by logging in to the Prisma Cloud Compute console as any authorized user.
CVE ID: CVE-2021-3033 (Critical)
It has been discovered that Open vSwitch incorrectly parsed certain network packets. A remote attacker may use this vulnerability to cause denial of service or possibly alter packet classification.
CVE ID: CVE-2020-35498
Multiple vulnerabilities such as clear text storage of sensitive Information, improper access control, stored cross site scripting and null pointer dereference have been discovered in McAfee Endpoint. It is recommended to install or update to ENS 10.7.0 and 10.6.1 February 2021 Update.
CVE ID: CVE-2021-23878, CVE-2021-23880 (Medium), CVE-2021-23881 (Medium), CVE-2021-23882 (Medium), CVE-2021-23883 (Medium)
It has been discovered that IBM WebSphere Application Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker may exploit this vulnerability to expose sensitive information or consume memory resources. The affected versions are WebSphere Application Server 7.0, 8.0, 8.5 and 9.0.
CVE ID: CVE-2021-20353 (High)
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
Apple has released security updates to address vulnerabilities in macOS Big Sur 11.2, macOS Catalina 10.15.7, and macOS Mojave 10.14.6. An attacker can exploit these vulnerabilities to take control of an affected system.
CVE ID: CVE-2021-1805, CVE-2021-1806, CVE-2021-3156 (High)
Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Microsoft has released a security advisory to address an escalation of privileges vulnerability in Microsoft Win32k. A local attacker can exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2021-1732 (High)
Multiple vulnerabilities have been discovered in several products of Siemens. A remote attacker may exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as SQL Injection, Path Traversal, and Missing Authentication for Critical Function have been discovered in Advantech's Equipment- iView. Successful exploitation of these vulnerabilities may allow an attacker to disclose information, escalate privileges to the Administrator, perform an arbitrary file read, and remotely execute commands.
CVE ID: CVE-2021-22654 (High), CVE-2021-22658 (High), CVE-2021-22656 (High), CVE-2021-22652 (Critical)
It has been discovered that Improper buffer restrictions in firmware for Intel XMM 7360 Cell Modem may allow an unauthenticated user to potentially enable Denial of Service via network access. It is recommended to upgrade to the latest version of Intel XMM 7360 Cell Modem.
CVE ID: CVE-2020-24482 (High)
It has been discovered that OpenJDK- a free and open-source implementation of the Java Platform incorrectly handled the direct buffering of characters. An attacker can use this vulnerability to cause OpenJDK to crash, resulting in a Denial of Service, or cause other unspecified impacts.
Multiple vulnerabilities such as use-after-free, and reachable assertion failure have been discovered in QEMU- a free and open-source emulator and virtualizer. An update for qemu-kvm-rhev is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 and Red Hat Virtualization Engine 4.3.
CVE ID: CVE-2020-1983 (Medium), CVE-2020-16092 (Low)
Multiple vulnerabilities have been discovered in Linux kernel. An attacker may exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as memory leak per HTTP session, remote code execution and missing authorization check have been discovered in Red Hat Data Grid. A security update for Red Hat Data Grid is now available.
CVE ID: CVE-2020-25644 (High), CVE-2020-25711 (Medium), CVE-2020-26217 (High)
Multiple vulnerabilities have been discovered in QEMU- Machine emulator and virtualizer. An attacker may exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in OpenLDAP- Lightweight Directory Access Protocol. An attacker may exploit some of these vulnerabilities to take control of an affected system.
It has been discovered that PEAR- PHP Extension and Application Repository incorrectly handled symbolic links in archives. A remote attacker may possibly use this vulnerability to execute arbitrary code.
CVE ID: CVE-2020-36193 (High)
Incorrect Permission Assignment for Critical Resource vulnerability has been discovered in GE Digital's Equipment- HMI/SCADA iFIX. Successful exploitation of these vulnerabilities can allow an attacker to escalate their privileges.
Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. An attacker can exploit some of these vulnerabilities to take control of an affected system.
A vulnerability has been discovered in SonicWall SMA 100 series. A remote attacker leveraging this vulnerability may gain admin credential access. The affected products are SMA 200, SMA 210, SMA 400, SMA 410 & SMA 500v.
CVE ID: CVE-2021-20016
It has been discovered that WordPress Plugin "Name Directory" contains a cross-site request forgery vulnerability. If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. The affected versions are Name Directory 1.17.4 and earlier.
CVE ID: CVE-2021-20652 (Medium)
Google has released Chrome Version 88.0.4324.150 for Windows, Mac and Linux. This version addresses a vulnerability that an attacker may exploit to take control of an affected system.
CVE ID: CVE-2021-21148 (High)
Deserialization of Untrusted Data vulnerability has been discovered in M&M Software GmbH's Equipment- fdtCONTAINER. If an attacker can socially engineer a valid user into loading a manipulated project file, malicious code can be executed without notice.
CVE ID: CVE-2020-12525 (High)
Out-of-bounds Read vulnerability has been discovered in Horner Automation's Equipment- Cscape. Successful exploitation of this vulnerability may allow code execution in the context of the current process.
CVE ID: CVE-2021-22663 (High)
Multiple vulnerabilities have been discovered in Luxion-KeyShot products, 3D rendering and animation software. Successful exploitation of these vulnerabilities can allow arbitrary code execution, the storing of arbitrary scripts into automatic startup folders, and the attacking of products without sufficient UI warning.
CVE ID: CVE-2021-22647 (High), CVE-2021-22643 (High), CVE-2021-22645 (High), CVE-2021-22649 (High), CVE-2021-22651 (High)
It has been discovered that Video Insight VMS provided by Panasonic Corporation contains an arbitrary code execution vulnerability because unencrypted communication exists in the communication using non-well known ports. The affected versions are Video Insight VMS versions prior to 7.8.
CVE ID: CVE-2021-20623 (Critical)
It has been discovered that ReadyMedia (MiniDLNA) allowed subscription requests, and remote code execution. An attacker can use these to hijack smart devices or send a malicious UPnP HTTP request to the service using HTTP chunked encoding and cause Denial of Service attacks.
CVE ID: CVE-2020-12695 (High), CVE-2020-28926 (Critical)
It has been discovered that Bitcoin Core might allow remote attackers to execute arbitrary code when another application unsafely passes the -platformpluginpath argument to the bitcoin-qt program, as demonstrated by an x-scheme-handler/bitcoin handler for a .desktop file or a web browser. The affected versions are Bitcoin Core before 0.19.0.
CVE ID: CVE-2021-3401
Multiple potential security vulnerabilities have been identified in HPE Apollo 70 System BMC Firmware. These vulnerabilities impact the BMC firmware and may be exploited locally to allow denial of service, buffer overflow and path traversal.
Multiple vulnerabilities have been discovered in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers. Successful exploitation could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. Cisco has released software updates that address these vulnerabilities. CVE ID: CVE-2021-1289 (Critical), CVE-2021-1290 (Critical), CVE-2021-1291 (Critical), CVE-2021-1292 (Critical), CVE-2021-1293 (Critical), CVE-2021-1294 (Critical), CVE-2021-1295 (Critical)
It has been discovered that SquaredUp- application centric monitoring allowed Stored XSS. An user is able to create a dashboard that executed malicious content in iframe or by uploading an SVG that contained a script. The affected versions are SquaredUp before version 4.6.0.
CVE ID: CVE-2020-9390
Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker may exploit some of these vulnerabilities to take control of an affected system.
It has been discovered that Clustered Data ONTAP is susceptible to a vulnerability which can allow unauthorized tenant users to discover the names of other Storage Virtual Machines (SVMs) and filenames on those SVMs. The affected versions are Clustered Data ONTAP prior to 9.3P20 and 9.5P15.
CVE ID: CVE-2020-8589
Multiple vulnerabilities have been discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a Denial of Service (slapd daemon crash, infinite loops) via specially crafted packets. It is recommended to upgrade the openldap packages.
It has been discovered that the Favorites component for Nagios XI 5.8.0 is vulnerable to Insecure Direct Object Reference. It is possible to create favorites for any other user account. The affected versions are Favorites component before 1.0.2.
CVE ID: CVE-2021-26024
It has been discovered that the perf subsystem in the Linux kernel do not properly deallocate memory in some situations. A privileged attacker can use this to cause a Denial of Service (kernel memory exhaustion).
CVE ID: CVE-2020-25704 (Medium)
Buffer Overflow vulnerability has been discovered in Rockwell Automation's Equipment- MicroLogix 1400-Programmable Logic Controller Systems. Successful exploitation of this vulnerability may result in a Denial-of-Service condition. The affected products are MicroLogix 1400, all series Version 21.6 and below.
CVE ID: CVE-2021-22659 (High)
Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and integration platform. Multiple vulnerabilities have been discovered in Red Hat JBoss Fuse/A-MQ. An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3.
CVE ID: CVE-2020-13933 (High), CVE-2020-26217 (High), CVE-2021-26117
Google has released Chrome version 88.0.4324.146 for Windows, Mac and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. A vulnerability has been discovered in ovirt-engine which allows a non-admin user to access other users public SSH key. Updated ovirt-engine packages fix several bugs and add various enhancements.
CVE ID: CVE-2020-35497 (Medium)
It has been discovered that IBM QRadar SIEM in some configurations may be vulnerable to a temporary Denial of Service attack when sent particular payloads. The affected versions are IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1, 7.4.0 to 7.4.1 Patch 1, and 7.3.0 to 7.3.3 Patch 5.
CVE ID: CVE-2020-5032
It has been discovered that Apport- automatically generated crash reports for debugging incorrectly parsed certain files in the /proc filesystem, and handled opening certain special files. A local attacker can use these vulnerabilities to escalate privileges and run arbitrary code or cause Apport to hang, resulting in a Denial of Service.
CVE ID: CVE-2021-25682, CVE-2021-25683, CVE-2021-25684
Multiple vulnerabilities such as local temporary directory hijacking and buffer not correctly recycled in Gzip Request inflation have been discovered in jetty of AMQ Broker. An update for Red Hat AMQ Broker 7.4.6 is now available from the Red Hat Customer Portal.
CVE ID: CVE-2020-27216 (High), CVE-2020-27218 (Medium)
Multiple vulnerabilities such as heap-based buffer overflow and corruption of intermediate language state have been discovered in perl- a high-level programming language. An update for perl is now available for Red Hat Enterprise Linux 7.
CVE ID: CVE-2020-10543 (High), CVE-2020-10878 (High), CVE-2020-12723 (High)
A heap buffer overflow vulnerability has been discovered in the FortiProxy SSL VPN web portal, it may cause the SSL VPN web service termination for logged in users or potential remote code execution on FortiProxy. The affected versions are FortiProxy 2.0.0, FortiProxy 1.2.8 and below, FortiProxy 1.1.6 and below, and FortiProxy 1.0.7 and below.
CVE ID: CVE-2018-13383 (Medium)
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2021-02-05 or later address all of these issues. The affected versions are Android 8.1, 9, 10 & 11.
Apple has released security updates to address vulnerabilities in multiple products. An attacker can exploit some of these vulnerabilities to take control of an affected system.
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A sandbox escapes vulnerability via spawn portal has been discovered in flatpak. An update for flatpak is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2021-21261 (High)
Potential Memory leak vulnerability has been discovered in Wildfly-an application server when using OpenTracing. The affected product is JBoss Enterprise Application Platform.
CVE ID: CVE-2020-27822 (Medium)
It has been discovered that the Django-High level Python web development framework incorrectly extracted archive files. A remote attacker can possibly use this vulnerability to extract files outside of their expected location.
CVE ID: CVE-2021-3281
GitLab released security update versions 13.8.2, 13.7.6 and 13.6.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes.
Multiple vulnerabilities have been discovered in Oracle Linux kernel. The affected version is Oracle Linux 7.
CVE ID: CVE-2020-29568 (Medium), CVE-2020-29569 (High), CVE-2020-28374 (High)
It has been discovered that deleteaccount.php in the Delete Account plugin for MyBB allows XSS vulnerability via the deletereason parameter. The affected version is MyBB Delete Account plugin 1.4.
CVE ID: CVE-2021-3350
Multiple vulnerabilities have been discovered in MariaDB database server packages. It is recommended to upgrade the mariadb-10.1 packages.
CVE ID: CVE-2020-14765 (Medium), CVE-2020-14812 (Medium)
It has been discovered that Monal- an open source instant messaging client for iOS and macOS does not implement proper sender verification on MAM and Message Carbon results. This allows a remote attacker to inject arbitrary messages into the local history, with full control over the sender and receiver displayed to the victim. The affected versions are Monal before 4.9.
CVE ID: CVE-2020-26547
libsdl2 is a library for portable low level access to a video framebuffer, audio output, mouse, and keyboard. Multiple vulnerabilities such as buffer overflow, integer overflow, and heap-based buffer over-read have been discovered in libsdl2. It is recommended to upgrade the libsdl2 packages.
It has been discovered that in Oniguruma- a BSD licensed regular expression library an attacker able to supply a regular expression for compilation, may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c. It is recommended to upgrade affected package the libonig- a regex library for multi-bytes strings.
CVE ID: CVE-2020-26159 (High)
It has been discovered that an improper neutralization of input vulnerability during web page generation in FortiWeb GUI interface may allow an unauthenticated, remote attacker to perform a reflected cross site scripting attack (XSS) by injecting malicious payload in different vulnerable API end-points. The affected versions are FortiWeb 6.3.7 and below, and FortiWeb 6.2.3 and below.
CVE ID: CVE-2021-22122 (Medium)
A heap buffer overflow vulnerability has been discovered in libgcrypt-a general-purpose library of cryptographic building blocks due to an incorrect assumption in the block buffer management code. Just decrypting some data can overflow a heap buffer with attacker-controlled data, no verification or signature is validated before the vulnerability occurs. It is recommended to upgrade to Libgcrypt version 1.9.1.
Multiple vulnerabilities have been discovered in Rockwell Automation's Equipment- FactoryTalk Linx and FactoryTalk Services Platform. Successful exploitation of these vulnerabilities may result in Denial-of-Service conditions.
CVE ID: CVE-2020-5801 (High), CVE-2020-5802 (High), CVE-2020-5806 (Medium)
Multiple vulnerabilities have been discovered in libxstream-Java -library to serialize objects to XML and back again. A remote attacker can run arbitrary shell commands or request data from internal resources or delete arbitrary known files on the host by manipulating the processed input stream.
CVE ID: CVE-2020-26217 (High), CVE-2020-26258 (High), CVE-2020-26259 (Medium)
It has been discovered that TCMU, TCM-Userspace backend lacked a check for transport-layer restrictions, allowing remote attackers to read or write files via directory traversal in an XCOPY request.
CVE ID: CVE-2021-3139 (High)
Multiple vulnerabilities have been discovered in ceph-mon, ceph-mgr daemons, Ceph Object Gateway and Cephx authentication. An attacker can use these vulnerabilities to gain access or cause a crash, authenticate via a packet sniffer & perform actions and modify the configuration.
CVE ID: CVE-2020-10736 (High), CVE-2020-10753 (Medium), CVE-2020-25660 (High)
Multiple vulnerabilities have been discovered in the Simple Linux Utility for Resource Management (SLURM), a cluster resource management and job scheduling system, which can result in Denial of Service, information disclosure or privilege escalation. It is recommended to upgrade the slurm-llnl packages.
CVE ID: CVE-2019-19728 (High), CVE-2020-12693 (High), CVE-2020-27745 (Critical), CVE-2020-27746 (Low)
Multiple vulnerabilities have been discovered in ansible, a configuration management, deployment, and task execution system. It is recommended to upgrade the ansible packages.
CVE ID: CVE-2017-7481 (Critical), CVE-2019-10156 (Medium), CVE-2019-14846 (High), CVE-2019-14904 (High)
It has been discovered that Android App "ELECOM File Manager" contains a directory traversal vulnerability due to a flaw in the processing of the filenames when extracting the compressed files. A remote attacker may create an arbitrary file or overwrite an existing file in a directory which can be accessed with the application privileges.
CVE ID: CVE-2021-20651
It has been discovered that VMware Tanzu Spring Framework can allow a remote attacker to bypass security restrictions, caused by improper input validation. By using a specially-crafted jsessionid path parameter, an attacker can exploit this vulnerability to bypass RFD Protection.
CVE ID: CVE-2020-5421 (Medium)
The cryptsetup packages provide a utility for setting up disk encryption using the dm-crypt kernel module. An Out-of-bounds write vulnerability exists in cryptsetup when validating segments. An update for cryptsetup is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.
CVE ID: CVE-2020-14382 (High)
It has been discovered that Red Hat Customer Portal password logged and passed as command line argument, when the user registers through GNOME control center. An update for gnome-settings-daemon is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.
CVE ID: CVE-2020-14391
Apple has released security updates to address vulnerabilities in multiple products. An attacker may exploit some of these vulnerabilities to take control of an affected system.
Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker can exploit some of these vulnerabilities to take control of an affected system.
A heap-based buffer overflow vulnerability has been discovered in sudo, a program designed to provide limited super user privileges to specific users in Debian GNU/Linux OS. Any local user (sudoers and non-sudoers) can exploit this vulnerability for root privilege escalation. It is recommended to upgrade the sudo packages.
CVE ID: CVE-2021-3156
Multiple vulnerabilities such as Stack-based Buffer Overflow, Out-of-Bounds Read, Out-of-Bounds Write, Access of Uninitialized Pointer, and Heap-based Buffer Overflow have been discovered in Fuji Electric's Equipment- Tellus Lite V-Simulator and V-Server Lite. Successful exploitation of these vulnerabilities may allow an attacker to execute code under the privileges of the application.
CVE ID: CVE-2021-22637 (High), CVE-2021-22655 (High), CVE-2021-22653 (High), CVE-2021-22639 (High), CVE-2021-22641 (High)
It has been discovered that due to a time-of-check to time-of-use (TOCTOU) race condition, the file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins. This allows attackers with Job/Workspace permission and the ability to control workspace contents. The affected versions are Jenkins 2.275 and LTS 2.263.2.
CVE ID: CVE-2021-21615 (Medium)
It has been discovered that IBM WebSphere Application Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker can exploit this vulnerability to expose sensitive information or consume memory resources.
CVE ID: CVE-2020-4949 (High)
Multiple vulnerabilities have been discovered in dnsmasq-a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server. An update for dnsmasq is now available for Red Hat Enterprise Linux 7.3 Advanced Update Support.
CVE ID: CVE-2020-25684, CVE-2020-25685, CVE-2020-25686 (Low)
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. A vulnerability has been discovered in kubernetes: docker config secrets leaked when file is malformed and loglevel >= 4. The updates to packages and images of Red Hat OpenShift Container Platform 4.6.13 is now available.
CVE ID: CVE-2020-8564 (Medium)
It has been discovered that the package src:python-bottle, a web framework is vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. The affected versions are src:python-bottle before 0.12.19. It is recommended to upgrade the python-bottle packages.
CVE ID: CVE-2020-28473 (Medium)
A vulnerability has been discovered in ClusterLabs crmsh-cluster management shell for the Pacemaker. Local attackers are able to call "crm history" (when "crm" is run) & able to execute commands via shell code injection to the crm history command line, potentially allowing escalation of privileges. It is recommended to upgrade the crmsh packages.
CVE ID: CVE-2020-35459 (High)
Multiple vulnerabilities have been discovered in salt, a powerful remote execution manager. These vulnerabilities can result in authentication bypass and invocation of Salt SSH, creation of certificates with weak file permissions via the TLS execution module or shell injections with the Salt API using the SSH client. It is recommended to upgrade the salt packages.
CVE ID: CVE-2020-16846 (Critical), CVE-2020-17490 (Medium), CVE-2020-25592 (Critical)
A vulnerability has been discovered in Secure Mobile Access (SMA) appliances of SonicWall products which can allow a remote attacker to gain the unauthorized access to the remote devices. The affected version is Secure Mobile Access 100 series.
Multiple vulnerabilities have been discovered in the LLPD implementation of Open vSwitch, a software-based Ethernet virtual switch, which can result in Denial of Service. It is recommended to upgrade the openvswitch packages.
CVE ID: CVE-2015-8011 (Critical), CVE-2020-27827
Multiple vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which can result in information disclosure. It is recommended to upgrade the tomcat9 packages.
CVE ID: CVE-2020-13943 (Medium), CVE-2020-17527 (High)
A vulnerability has been discovered in the VLC media player, which can result in the execution of arbitrary code or Denial of Service if a malformed media file is opened. It is recommended to upgrade the vlc packages.
CVE ID: CVE-2020-26664 (High)
Multiple vulnerabilities have been discovered in Matrikon's Equipment- OPC UA Tunneller-a machine to machine communication protocol for industrial automation. Successful exploitation of these vulnerabilities may allow an attacker to disclose sensitive information, remotely execute arbitrary code or crash the device.
CVE ID: CVE-2020-27297 (Critical), CVE-2020-27299 (High), CVE-2020-27274 (High), CVE-2020-27295 (High)
Multiple vulnerabilities such as Untrusted Pointer Dereference and Out-of-bounds Write have been discovered in Delta Electronics' Equipment- TPEditor, programming software for Delta text panels. Successful exploitation of these vulnerabilities may allow an attacker to execute code under the privileges of the application.
CVE ID: CVE-2020-27288 (High), CVE-2020-27284 (High)
Deserialization of Untrusted Data vulnerability has been discovered in M&M Software GmbH's Equipment- fdtCONTAINER. If an attacker can socially engineer a valid user into loading a manipulated project file, malicious code can be executed without notice.
CVE ID: CVE-2020-12525 (High)
Uncontrolled Resource Consumption vulnerability has been discovered in Mitsubishi Electric's Equipment- MELFA FR, MELFA CR, MELFA ASSISTA. Successful exploitation of this vulnerability may cause a denial-of-service condition.
CVE ID: CVE-2021-20586 (High)
A use after free vulnerability has been discovered in Delta Electronics' Equipment- ISPSoft, a PLC program development tool. Successful exploitation of this vulnerability may allow an attacker to execute code under the privileges of the application.
CVE ID: CVE-2020-27280 (High)
A stack-based buffer overflow remote code execution security vulnerability has been discovered in multiple Netgear products specially routers. The updates are now available.
It has been discovered that in Xen HVM guests with PCI pass through devices can mount a Denial of Service attack affecting the pass through of PCI devices to other guests or the hardware domain. Xen versions 4.12.3, 4.12.4, and all versions from 4.13.1 onwards are vulnerable.
It has been discovered that rfc822.c in Mutt- a text-based email client for Unix like systems through 2.0.4 allows remote attackers to cause a denial of service by sending email messages with sequences of semicolon characters in RFC822 address fields. A small email message from the attacker may cause large memory consumption, and the victim may then be unable to see email messages from other persons. It is recommended to upgrade the mutt packages.
CVE ID: CVE-2021-3181
Multiple vulnerabilities such as processing of invalid SAML XML documents, and unspecified xmlsec1 key-type preference have been discovered in pysaml2-a pure python implementation of SAML(Security Assertion Markup Language ) Version 2 Standard.
CVE ID: CVE-2021-21238 (Medium), CVE-2021-21239 (Medium)
Multiple vulnerabilities have been discovered in MISP-Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing. It is recommended to upgrade to MISP 2.4.137.
CVE ID: CVE-2021-25324 (Medium), CVE-2021-25325 (Medium), CVE-2021-25323, CVE-2021-3184 (Medium)
Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker may exploit some of these vulnerabilities to take control of an affected system.
Vulnerability has been discovered in pear Archive_Tar library used in Drupal. Exploits may be possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.
CVE ID: CVE-2020-36193
Multiple vulnerabilities have been discovered in Red Hat OpenShift Container Platform.The affected products are Red Hat OpenShift Container Platform 3.11 x86_64 & Red Hat OpenShift Container Platform for Power 3.11 ppc64le. Red Hat OpenShift Container Platform release 3.11.374 is now available with updates to packages and images that fix several bugs.
CVE ID: CVE-2019-11840 (Medium), CVE-2020-8554, CVE-2020-26137 (Medium)
An unspecified vulnerability has been discovered in Java SE related to the Java SE Security component that can allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVE ID: CVE-2020-2590 (Low)
Google has released Chrome version 88.0.4324.96 for Windows, Mac and Linux. This version addresses vulnerabilities which a remote attacker may exploit to trigger remote code execution, disclose sensitive information, bypass security restriction and Denial of Service condition on the targeted system.
Oracle has released its Critical Patch Update for January 2021 to address 403 vulnerabilities across multiple products. A remote attacker may exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as the use of hard-coded cryptographic key and cleartext transmission of sensitive information have been discovered in Reolink's Equipment- P2P protocol. Successful exploitation of these vulnerabilities may permit unauthorized access to sensitive information.
CVE ID: CVE-2020-25173 (High), CVE-2020-25169 (Critical)
Multiple vulnerabilities such as heap-based buffer overflow, insufficient verification of data authenticity and use of a broken or risky cryptographic algorithm have been discovered in Dnsmasq's Equipment- Dnsmasq. Successful exploitation of these vulnerabilities may result in cache poisoning, remote code execution and a denial-of-service condition.
An OS Command Injection vulnerability has been discovered in Philips' Equipment- Philips Interventional WorkSpot, Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live, ViewForum. Successful exploitation of this vulnerability makes it possible for someone within the hospital network to remotely shut down or restart the workstation.
CVE ID: CVE-2020-27298 (Medium)
OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. It has been discovered that an integer overflow vulnerability leads to denial of service. Red Hat OpenShift Virtualization release 2.5.3 is now available with updates to packages and images that fix several bugs and security issues.
CVE ID: CVE-2020-27813 (High)
Multiple Vulnerabilities in dnsmasq DNS Forwarder Affecting many Cisco Products. Exploitation of these vulnerabilities may result in remote code execution or denial of service (DoS) or may allow an attacker to more easily forge DNS answers that may poison DNS caches, depending on the specific vulnerability.
The linux-firmware packages contain all of the firmware files that are required by various devices to operate. A buffer overflow vulnerability has been discovered in bluetooth firmware. An update for linux-firmware is now available for Red Hat Enterprise Linux 8.1 Extended Update Support.
CVE ID: CVE-2020-12321 (High)
The pyxdg is a python library to access freedesktop.org standards. It has been discovered that PyXDG do not properly sanitize input. An attacker may exploit this vulnerability with a crafted .menu file to execute arbitrary code.
CVE ID: CVE-2019-12761 (High)
The log4net is a highly configurable logging API for the CLI log4net. It has been discovered that Apache Log4net incorrectly handled certain configuration files. An attacker may possibly use this issue to expose sensitive information.
CVE ID: CVE-2018-1285 (Critical)
It has been discovered that GROWI, Team collaboration software using markdown contains a cross-site scripting vulnerability. An arbitrary script may be executed on the user's web browser. The affected versions are GROWI versions prior to v4.2.3 (v4.2 Series).
CVE ID: CVE-2021-20619 (Medium)
A buffer overflow vulnerability has been discovered in the H264 support of the GStreamer multimedia framework which can potentially result in the execution of arbitrary code. It is recommended to upgrade the gst-plugins-bad1.0 packages.
It has been discovered that icoutils -create and extract MS Windows icons and cursors, incorrectly handled certain files. An attacker may possibly use this vulnerability to cause a denial of service or execute arbitrary code or crash or expose sensitive information.
It has been discovered that htmldoc - HTML processor which generates indexed HTML, PS and PDF incorrectly handled certain HTML files. An attacker may possibly use this vulnerability to cause a denial of service.
CVE ID: CVE-2019-19630 (High)
Multiple vulnerabilities have been discovered in Red Hat OpenShift Container Platform. Red Hat OpenShift Container Platform release 4.6.12 with updates to packages and images which fixes these vulnerabilities.
It has been discovered that Pillow-Python Imaging Library incorrectly handled certain PCX image files, Tiff image files and SGI image files. If a user or an automated system are tricked into opening a specially-crafted PCX file, Tiff file or SGI file, a remote attacker may cause Pillow to crash, resulting in a denial of service or possibly execute arbitrary code.
CVE ID: CVE-2020-35653 (High), CVE-2020-35654 (High), CVE-2020-35655 (Medium)
PostgreSQL is an advanced object-relational database management system (DBMS). Multiple vulnerabilities have been discovered in postgresql module. An update for the postgresql module is now available for Red Hat Enterprise Linux 8.1 Extended Update Support.
Multiple vulnerabilities such as disclosure of sensitive information, addition or modification of data and denial of service have been discovered in several NetApp products.
Multiple vulnerabilites such as OOB read, unexpected control flow, crashes, integer overflow and segfaults have been discovered in wavpack. It is recommended to upgrade the wavpack packages.
It has been discovered that ruby-redcarpet, a markdown parser, does not properly validate its input. This would allow an attacker to mount a cross-site scripting attack. It is recommended to upgrade the ruby-redcarpet packages.
CVE ID: CVE-2020-26298 (Medium)
Multiple vulnerabilities such as SQL injection and XSS have been discovered in Ampache. An attacker may use these vulnerabilities to disclose sensitive information or force an admin to create a new privileged user.
CVE ID: CVE-2019-12385 (High), CVE-2019-12386 (Medium)
Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker may exploit some of these vulnerabilities to take control of an affected system.
It has been discovered that the LIO SCSI target implementation in the Linux kernel performed insufficient identifier checking in certain XCOPY requests. An attacker with access to at least one LUN in a multiple backstore environment can use this to expose sensitive information or modify data.
CVE ID: CVE-2020-28374
Multiple vulnerabilities have been discovered in GitLab. It is recommended to update versions 13.7.4, 13.6.5 and 13.5.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Information Disclosure vulnerability has been discovered in Apache Tomcat Window OS. The root cause is the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn is caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.
CVE ID: CVE-2021-24122
A vulnerability has been discovered in processing of certain DHCP packets from adjacent clients on EX Series and QFX Series switches running Juniper Networks Junos OS with DHCP local/relay server configured may lead to exhaustion of DMA memory causing a Denial of Service (DoS).
CVE ID: CVE-2021-0217
It has been discovered that in an Ethernet VPN-Virtual Extensible LAN (EVPN/VXLAN) scenario if an Integrated Routing and Bridging (IRB) interface with a Virtual Gateway Address (VGA) is configured on a Provider Edge (PE), a traffic loop may occur upon receipt of specific IP multicast traffic. The traffic loop will cause interface traffic to increase abnormally, ultimately leading to a denial of service (DoS) in packet processing. This issue affects all versions of Junos OS QFX10K Series.
CVE ID: CVE-2021-0221 (Medium)
Multiple vulnerabilities such as XSS, Stored XSS, Reflected XSS, Improper handling of REST API, Arbitrary file read, Path traversal, Arbitrary file existence check, Excessive memory allocation, Missing permission check, and Credentials stored in plain text have been discovered in multiple Jenkins products.
It has been discovered that access controls for the shim’s API socket do not restrict access to the abstract unix domain socket in some cases. An attacker may use this vulnerability to run containers with elevated privileges.
It has been discovered that tar-GNU version of the tar archiving utility, incorrectly handled extracting files resized and certain malformed tar files. An attacker may possibly use these vulnerabilities to cause a denial of service.
CVE ID: CVE-2018-20482 (Medium), CVE-2019-9923 (High)
It has been discovered that Open vSwitch incorrectly handled certain malformed LLDP packets. A remote attacker may use this vulnerability to cause Open vSwitch to crash, resulting in a denial of service or possibly execute arbitrary code.
Multiple vulnerabilities have been discovered in spice-vdagent, a spice guest agent for enchancing SPICE integeration and experience. It is recommended to upgrade the spice-vdagent packages.
CVE ID: CVE-2017-15108 (High), CVE-2020-25650 (Medium), CVE-2020-25651 (Medium), CVE-2020-25652 (Medium), CVE-2020-25653 (Medium)
Multiple vulnerabilities have been discovered in several Palo Alto Networks PAN-OS software and PAN-OS firewall. The affected Products are PAN-OS 8.1 version earlier than PAN-OS 8.1.18; PAN-OS 9.0 versions earlier than PAN-OS 9.0.12; PAN-OS 9.1 versions earlier than PAN-OS 9.1.5 & PAN-OS 10.0 versions earlier than PAN-OS 10.0.1.
CVE ID: CVE-2021-3031 (Medium), CVE-2021-3032 (Medium)
Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker may exploit some of these vulnerabilities to take control of an affected system.
Remote code execution vulnerability due to insecure XML deserialization when relying on blocklists has been discovered in xstream of Red Hat Process Automation Manager. An update is now available for Red Hat Process Automation Manager.
CVE ID: CVE-2020-26217 (High)
It has been discovered that an Use-after-free vulnerability in the Linux kernel is exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener after being released.
CVE ID: CVE-2020-16119 (Medium)
It has been discovered in Discourse, an open source Internet forum and mailing list management software application, a rate-limit bypass vulnerability leads to a bypass of the 2FA requirement for certain forms. The affected versions are Discourse 2.7.0 through beta1.
CVE ID: CVE-2021-3138
Multiple vulnerabilities such as XSS and lack of ACL checks have been discovered in Joomla!, a free and open-source content management system (CMS) for publishing web content on websites. The affected versions are Joomla! CMS versions 3.0.0 - 3.9.23. It is recommended to upgrade to Joomla! CMS version 3.9.24.
CVE ID: CVE-2021-23123 (Low), CVE-2021-23124 (Low), CVE-2021-23125 (Low)
Missing Authorization vulnerability has been discovered in McAfee Agent (MA) for Windows that allows local users to block McAfee product updates by manipulating a directory used by MA for temporary files. The affected version is McAfee Agent prior to 5.7.1.
CVE ID: CVE-2020-7343 (Medium)
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker may exploit some of these vulnerabilities to take control of an affected system.
SAP has released security updates to address vulnerabilities affecting multiple products. An attacker may exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in several products of Siemens. A remote attacker may exploit some of these vulnerabilities to take control of an affected system.
The unrestricted upload of file with dangerous type vulnerability which allow a use-after-free condition and a stack-based buffer overflow to occur have been discovered in Schneider Electric's Equipment- EcoStruxure Power Build - Rapsody. Successful exploitation of this vulnerability can result in remote code execution when a malicious SSD file is uploaded and improperly parsed.
CVE ID: CVE-2021-22697 (High), CVE-2021-22698 (High)
Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker may exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities have been discovered in SOOIL Developments' Equipment- Diabecare RS, AnyDana-i and AnyDana-A, the medical mobile applications. Successful exploitation of these vulnerabilities may allow an attacker to access sensitive information, modify therapy settings, bypass authentication, or crash the device being accessed.
Multiple vulnerabilities have been discovered in ImageMagick, a suite of image manipulation programs. An attacker may cause denial of service and execution of arbitrary code when a crafted image file is processed. It is recommended to upgrade the imagemagick packages.
Mozilla has released security update to address vulnerability in Thunderbird. An attacker may exploit this vulnerability to take control of an affected system.
CVE ID: CVE-2020-16044 (Critical)
EDIPARTYNAME NULL pointer de-reference vulnerability has been discovered in Openssl. An update for openssl is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support.
CVE ID: CVE-2020-1971 (Medium)
A command injection vulnerability has been discovered in QTS and QuTS hero, an efficient multi-user access management. If exploited this vulnerability allows attackers to execute arbitrary commands in a compromised application.
CVE ID: CVE-2020-2508 (Medium)
The libpq package provides the PostgreSQL client library, which allows client programs to connect to PostgreSQL servers. It has been discovered that reconnection can downgrade connection security settings, and psql's \gset allows overwriting specially treated variables in postgresql. An update for libpq is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.
CVE ID: CVE-2020-25694 (High), CVE-2020-25696 (High)
An elevation of privilege vulnerability has been discovered in Android kernel v4l2 video driver. This vulnerability may be exploited by an attacker to overwrite a kernel memory from an unprivileged userspace process, leading to privilege escalation.
CVE ID: CVE-2017-13166 (High)
Multiple vulnerabilities such as persistent XSS and email notifications authorization bypass have been discovered in quay, a private container registry that stores, builds and deploys container images. The affected product is Red Hat Quay Enterprise 3 x86_64. The updates are now available.
CVE ID: CVE-2020-27832, CVE-2020-27831
A vulnerability has been discovered in coturn, a TURN and STUN server for VoIP. By default coturn does not allow peers on the loopback addresses (127.x.x.x and ::1). A remote attacker may bypass the protection via a specially crafted request using a peer address of 0.0.0.0 and trick coturn in relaying to the loopback interface.
CVE ID: CVE-2020-26262
Multiple vulnerabilities have been discovered in NVIDIA GPU display drivers. A local attacker may use these vulnerabilities to cause a Denial of Service or escalate privileges or possibly expose sensitive information.
CVE ID: CVE-2021-1052, CVE-2021-1053, CVE-2021-1056
It has been discovered that Jasper, an open source Java reporting tool incorrectly certain files JPC encoders and images. An attacker may possibly use these vulnerabilities to cause a crash or Denial of Service or execute arbitrary code or expose sensitive information.
CVE ID: CVE-2018-18873 (Medium), CVE-2018-19542 (Medium), CVE-2020-27828 (High), CVE-2017-9782 (Medium)
It has been discovered that python-apt, a Python interface to libapt-pkg incorrectly handled resources. A local attacker may possibly use this vulnerability to cause python-apt to consume resources, leading to a Denial of Service.
CVE ID: CVE-2020-27351 (Low)
It has been discovered that Reflected XSS vulnerability in Quest Policy Authority allows remote attackers to inject malicious code into the browser via a specially crafted link to the BrowseDirs.do file via the title parameter. The affected version is Quest Policy Authority 8.1.2.200.
CVE ID: CVE-2020-35727
It has been discovered that SonicWall NetExtender Windows client, the software that enables remote users to securely connect and run any application on a network is vulnerable to unquoted service path vulnerability, this allows a local attacker to gain elevated privileges in the host operating system. This vulnerability impacts SonicWall NetExtender Windows client version 10.2.300 and earlier. It is recommended to upgrade to 10.2.302 and higher.
CVE ID: CVE-2020-5147 (Medium)
Multiple vulnerabilities have been discovered in IBM Runtime Environment Java Version 1.8 used by IBM Sterling Secure Proxy. An attacker may exploit some of these vulnerabilities to take control of an affected system. The affected products and versions are IBM Secure Proxy version 6.0.0 through 6.0.1.1 iFix 2 and IBM Sterling Secure Proxy version 3.4.3 through 3.4.3.2 iFix 9.
Microsoft has released a security update to address multiple vulnerabilities in Edge (Chromium-based). An attacker may exploit some of these vulnerabilities to take control of an affected system.
Multiple vulnerabilities such as exposure of sensitive information and cross-site scripting have been discovered in several IBM Jazz Foundation and IBM Engineering products.
CVE ID: CVE-2020-4544 (Medium), CVE-2020-4697 (Medium), CVE-2020-4487 (Medium), CVE-2020-4691 (Medium), CVE-2020-4733 (Medium)
Multiple vulnerabilities have been discovered in Delta Electronics' Equipment- CNCSoft-B, a software management platform. Successful exploitation of these vulnerabilities may lead to arbitrary code execution.
CVE ID: CVE-2020-27287 (High), CVE-2020-27291 (High), CVE-2020-27289 (High), CVE-2020-27293 (High)
Multiple vulnerabilities such as type confusion and out-of-bounds read have been discovered in Eaton's Equipment- EASYsoft, used to program easy controllers and displays. Successful exploitation of these vulnerabilities may allow a local attacker to modify or crash the program.
CVE ID: CVE-2020-6656 (Medium), CVE-2020-6655 (Medium)
Multiple vulnerabilities such as untrusted pointer dereference, stack-based buffer overflow, and type confusion have been discovered in Omron's Equipment- CX-One, an automation software suite. Successful exploitation of these vulnerabilities can crash the device being accessed and a buffer overflow condition may allow remote code execution.
CVE ID: CVE-2020-27259 (Medium), CVE-2020-27261 (High), CVE-2020-27257 (Medium)
Multiple vulnerabilities such as cross-site scripting and improper neutralization of special elements in output used by a downstream component have been discovered in Innokas Yhtymä Oy's Equipment- Vital Signs Monitor VC150, a system monitoring the health vital parameters. Successful exploitation of these vulnerabilities may allow an attacker to modify communications between downstream devices or cause some features of the affected devices to become disabled.
CVE ID: CVE-2020-27262 (Medium), CVE-2020-27260 (Medium)
Multiple vulnerabilities have been discovered in GitLab. It is recommended to update versions 13.7.2, 13.6.4, and 13.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
CVE ID: CVE-2021-22166 (Medium), CVE-2020-26414 (Medium), CVE-2019-3881 (High)
It has been discovered that Ghostscript, a PostScript and PDF interpreter incorrectly handled certain image files. If a user or automated system is tricked into processing a specially crafted file, a remote attacker may use this issue to cause Ghostscript to crash, resulting in a denial of service or possibly execute arbitrary code.
It has been discovered that OpenJPEG, a PEG 2000 image compression/decompression library incorrectly handled certain image data. An attacker can use this issue to cause OpenJPEG to crash, leading to a denial of service, or possibly execute arbitrary code.
It has been discovered that EDK II, an UEFI firmware for virtual machines incorrectly validated certain signed images and parsed signed PKCS #7 data. An attacker may possibly use this issue with a specially crafted image to cause EDK II to hang or crash, resulting in a denial of service or possibly execute arbitrary code.
CVE ID: CVE-2019-14562 (Medium), CVE-2019-14584
It has been discovered that the framebuffer console driver, a text console running on top of the framebuffer device in the Linux kernel do not properly handle fonts in some conditions. A local attacker may use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory).
CVE ID: CVE-2020-28974 (Medium)
Google has released Chrome version 87.0.4280.141 for Windows, Mac and Linux. This version addresses vulnerabilities that an attacker can exploit to take control of an affected system.
Multiple vulnerabilities discovered in IBM Java SDK affect Liberty for Java October 2020 CPU. A remote/unauthenticated attacker may use these to modify arbitrary files, access confidential data and denial of service attack. The affected version is Liberty for Java 3.51.
CVE ID: CVE-2020-14792 (Medium), CVE-2020-14797 (Low), CVE-2020-14781 (Low), CVE-2020-14779 (Low), CVE-2020-14798 (Low), CVE-2020-14796 (Low)
Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, Firefox for Android. An attacker may exploit some of these vulnerabilities to take control of an affected system.
CVE ID: CVE-2020-16044 (Critical)
A buffer overflow vulnerability has been discovered in the lldp_decode function in daemon/protocols/lldp.c. An update for openvswitch2.11, ovn2.11, redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 and Red Hat Virtualization Engine 4.3.
CVE ID: CVE-2015-8011 (Critical)
It has been discovered that WavPack, a free and open-source lossless audio compression format incorrectly handled certain WAV files. An attacker may possibly use this issue to execute arbitrary code or cause a crash.
CVE ID: CVE-2020-35738 (Medium)
It has been discovered that Invision Community IPS Community Suite allows XSS during the quoting of a post or comment. The affected versions are invision Community IPS Community Suite before 4.5.4.2.
CVE ID: CVE-2021-3026 (Medium)
A vulnerability has been discovered on Samsung mobile devices with O(8.x), P(9.0) and Q(10.0) software. The quram library allows attackers to execute arbitrary code or cause a denial of service (memory corruption) during dng decoding.
CVE ID: CVE-2021-22493
A vulnerability has been discovered in the fingerprint scanner on Samsung Note20 mobile devices with Q(10.0) software. When a screen protector is used, the required image compensation is not present. Consequently, inversion can occur during fingerprint enrollment, and a high False Recognition Rate (FRR).
CVE ID: CVE-2021-22494
A vulnerability has been discovered on Samsung mobile devices with O(8.x), P(9.0), Q(10.0), and R(11.0) (Exynos chipsets) software. The Mali GPU driver allows out-of-bounds access and a device reset.
CVE ID: CVE-2021-22495
It has been discovered that there is no write protection for the MTK protect2 partition on LG mobile devices with Android OS 10 software.
CVE ID: CVE-2021-3022
A spring-boot-actuator-logview adds a simple logfile viewer as spring boot actuator endpoint in a library. A directory traversal vulnerability has been discovered in spring-boot-actuator-logview. The affected versions are spring-boot-actuator-logview before version 0.2.13.
CVE ID: CVE-2021-21234 (High)
Multiple vulnerabilities such as Improper Authentication and Path Traversal have been discovered in Yokogawa's Equipment- CENTUM, a process control system for plants. Successful exploitation of these vulnerabilities may allow a remote unauthenticated attacker to send tampered communication packets or create/overwrite any file and run any commands.
CVE ID: CVE-2020-5608 (High), CVE-2020-5609 (High)
Multiple vulnerabilities such as Stack-based Buffer Overflow, Heap-based Buffer Overflow and Use After Free have been discovered in PTC's Equipment- Kepware KEPServerEX. Successful exploitation of these vulnerabilities may lead to a server crashing, a denial-of-service condition, data leakage or remote code execution.
CVE ID: CVE-2020-27265 (Critical), CVE-2020-27263 (Critical), CVE-2020-27267 (High)
Multiple vulnerabilities have been discovered in ARC Informatique's Equipment- PcVue, a suite of software and hardware products for visualisation, control, management and data analysis applications. Successful exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, expose sensitive data, and prevent legitimate users from connecting to PcVue services. The affected products are PcVue Versions 8.10 to versions prior to 12.0.17.
CVE ID: CVE-2020-26867 (Critical), CVE-2020-26868 (High), CVE-2020-26869 (High)
A stack-based buffer overflow vulnerability has been discovered in Delta Electronics' Equipment- CNCSoft ScreenEditor, a Human-Machine Interface(HMI). Successful exploitation of this vulnerability may allow arbitrary code execution. The affected products are CNCSoft ScreenEditor Versions 1.01.26 and prior.
CVE ID: CVE-2020-27281 (High)
Multiple vulnerabilities such as Out-of-bounds Write, and Untrusted Pointer Dereference have been discovered in Delta Electronics' Equipment- DOPSoft, a software that supports the DOP-100 series Human-Machine Interface (HMI) screens. Successful exploitation of this vulnerability may allow arbitrary code execution. The affected products are DOPSoft Version 4.0.8.21 and prior.
CVE ID: CVE-2020-27275 (High), CVE-2020-27277 (High)
Multiple vulnerabilities have been discovered in Red Lion's Equipment- Crimson 3.1, the DA10D Protocol Converter. Successful exploitation of these vulnerabilities may allow an attacker to create a denial-of-service condition, read and modify the database, and leak memory data. The affected products are Crimson 3.1 build versions prior to 3119.001.
CVE ID: CVE-2020-27279 (High), CVE-2020-27285 (Medium), CVE-2020-27283 (Medium)
Multiple vulnerabilities such as Code Injection and Use of Hard-coded Cryptographic Key have been discovered in GE's Equipment- Reason RT43X Clocks. Successful exploitation of these vulnerabilities may allow an authenticated remote attacker to execute arbitrary code on the system or intercept and decrypt encrypted traffic. The affected products are RT430, RT431 and RT434: All firmware versions prior to Version 08A06.
CVE ID: CVE-2020-25197 (Critical), CVE-2020-25193 (Medium)
An out-of-bounds read vulnerability has been discovered in Panasonic's Equipment- FPWIN Pro, a programming software for all FP Series PLCs. Successful exploitation of this vulnerability may result in an out-of-bounds read, which may allow remote code execution. The affected products are FPWIN Pro Version 7.5.0.0 and prior.
CVE ID: CVE-2020-16236 (High)
Multiple vulnerabilities such as Out-of-bounds Read, Out-of-bounds Write, and Classic Buffer Overflow have been discovered in Schneider Electric's Equipments- Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy. Successful exploitation of these vulnerabilities may allow write access and the execution of commands, which can result in data corruption or a web server crash.
CVE ID: CVE-2020-7562 (Medium), CVE-2020-7563 (Medium), CVE-2020-7564 (Medium)
Multiple vulnerabilities such as Information disclosure, SQL injection, stack-based buffer overflow, format string and OS command injection have been discovered in various FortiGate products.
CVE ID: CVE-2020-29010 (Medium), CVE-2020-29015 (Medium), CVE-2020-29016 (Medium), CVE-2020-29019 (Medium), CVE-2020-29018 (Medium), CVE-2020-29017 (High)
Multiple vulnerabilities such as use-after-free, HTTP Request Smuggling, and EDIPARTYNAME NULL pointer de-reference have been discovered in nodejs. An attacker may exploit some of these vulnerabilities to take control of an affected system. The affected versions are nodejs 15.x, 14.x, 12.x 10.x. The updates are now available.
CVE ID: CVE-2020-8265 (High), CVE-2020-8287 (Low), CVE-2020-1971 (High)
It has been discovered that libproxy incorrectly handled certain Proxy Auto-Configuration (PAC) files. An attacker may possibly use this issue to cause a crash or execute arbitrary code.
CVE ID: CVE-2020-26154 (Critical)
Multiple vulnerabilities have been discovered in the Dovecot email server of Debian GNU/Linux OS. It is recommended to upgrade the dovecot packages.
CVE ID: CVE-2020-24386, CVE-2020-25275
Multiple vulnerabilities have been identified in Android, a remote attacker may exploit some of these vulnerabilities to trigger denial of service condition, elevation of privilege, remote code execution and sensitive information disclosure on the targeted system.The affected devices are Android 8.0, 8.1, 9, 10, 11. Security patch levels of 2021-01-05 or later address all of these issues.
It has been discovered that multiple NEC Products contain authentication bypass vulnerability in RMCP connection using IPMI over LAN. A logged-in remote attacker may obtain/modify BMC setting information, obtain monitoring information or reboot/shut down the product. The affected products are Express5800/T110j,Express5800/T110j-S, Express5800/T110j (2nd-Gen), Express5800/T110j-S (2nd-Gen), iStorage NS100Ti.
CVE ID: CVE-2020-5633 (Medium)
It has been discovered that in IBM WebSphere Application Server (WAS) admin console where the Rational Asset Manager (RAM) is deployed, vulnerabilities such as allowing a remote attacker to access the classloader through class property, and an authenticated attacker obtaining sensitive information caused by improper parameter checking have been discovered. The affected versions are IBM Rational Asset Manager 7.5 .1, 7.5.2.x, 7.5.3.x, and 7.5.4.x.
CVE ID: CVE-2019-10086 (High), CVE-2020-4329 (Medium)
A local buffer overflow vulnerability has been discovered in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c of kernel. An update for kernel is now available for Red Hat Enterprise Linux 8.
CVE ID: CVE-2020-25211 (Medium)
A SQL injection vulnerability has been discovered in hibernate-core of Debian GNU/Linux OS . This vulnerability may allow an attacker to access unauthorized information or possibly conduct further attacks. It is recommended to upgrade the libhibernate3-java packages.
CVE ID: CVE-2020-25638 (High)
Multiple vulnerabilities have been discovered in the Chromium web browser, which can result in the execution of arbitrary code, denial of service or information disclosure. It is recommended to upgrade the chromium packages.
It has been discovered that incorrect validation of JWT tokens in InfluxDB- a time series, metrics, and analytics database can result in authentication bypass. It is recommended to upgrade the influxdb packages.
CVE ID: CVE-2019-20933 (Critical)
Multiple vulnerabilities affecting the RPC protocol in p11-kit, a library providing a way to load and enumerate PKCS#11 modules. It is recommended to upgrade the p11-kit packages.
CVE ID: CVE-2020-29361 (High), CVE-2020-29362 (Critical), CVE-2020-29363 (Critical)