Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-1682 1 Microsoft 3 Windows 10, Windows Server 2016, Windows Server 2019 2021-03-02 4.6 MEDIUM 7.8 HIGH
Windows Kernel Elevation of Privilege Vulnerability
CVE-2021-23337 1 Lodash 1 Lodash 2021-03-01 6.5 MEDIUM 7.2 HIGH
All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.
CVE-2020-11253 1 Qualcomm 346 Aqt1000, Aqt1000 Firmware, Pm3003a and 343 more 2021-03-01 7.2 HIGH 7.8 HIGH
Arbitrary memory write issue in video driver while setting the internal buffers in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile
CVE-2020-25690 1 Fontforge 1 Fontforge 2021-03-01 6.8 MEDIUM 8.8 HIGH
An out-of-bounds write flaw was found in FontForge in versions before 20200314 while parsing SFD files containing certain LayerCount tokens. This flaw allows an attacker to manipulate the memory allocated on the heap, causing the application to crash or execute arbitrary code. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2021-22112 1 Pivotal Software 1 Spring Security 2021-03-01 9.0 HIGH 8.8 HIGH
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
CVE-2020-11996 1 Apache 1 Tomcat 2021-03-01 5.0 MEDIUM 7.5 HIGH
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
CVE-2020-13898 1 Meetecho 1 Janus 2021-03-01 5.0 MEDIUM 7.5 HIGH
An issue was discovered in janus-gateway (aka Janus WebRTC Server) through 0.10.0. janus_sdp_process in sdp.c has a NULL pointer dereference.
CVE-2020-13899 1 Meetecho 1 Janus 2021-03-01 5.0 MEDIUM 7.5 HIGH
An issue was discovered in janus-gateway (aka Janus WebRTC Server) through 0.10.0. janus_process_incoming_request in janus.c discloses information from uninitialized stack memory.
CVE-2020-13900 1 Meetecho 1 Janus 2021-03-01 5.0 MEDIUM 7.5 HIGH
An issue was discovered in janus-gateway (aka Janus WebRTC Server) through 0.10.0. janus_sdp_preparse in sdp.c has a NULL pointer dereference.
CVE-2021-26681 1 Arubanetworks 1 Clearpass Policy Manager 2021-03-01 9.0 HIGH 7.2 HIGH
A remote authenticated command Injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass CLI could allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
CVE-2021-26593 1 Rangerstudio 1 Directus 2021-03-01 5.0 MEDIUM 7.5 HIGH
** UNSUPPORTED WHEN ASSIGNED ** In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/{id}. For each call, they get in response a lot of information about the user (such as email address, first name, and last name) but also the secret for 2FA if one exists. This secret can be regenerated. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2021-26594 1 Rangerstudio 1 Directus 2021-03-01 6.5 MEDIUM 8.8 HIGH
** UNSUPPORTED WHEN ASSIGNED ** In Directus 8.x through 8.8.1, an attacker can switch to the administrator role (via the PATCH method) without any control by the back end. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2019-18945 1 Microfocus 1 Solutions Business Manager 2021-03-01 5.2 MEDIUM 8.0 HIGH
Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to privilege escalation vulnerability.
CVE-2021-23336 3 Debian, Fedoraproject, Python 3 Debian Linux, Fedora, Python 2021-03-01 5.8 MEDIUM 7.1 HIGH
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
CVE-2021-3410 1 Libcaca Project 1 Libcaca 2021-03-01 4.6 MEDIUM 7.8 HIGH
A flaw was found in libcaca v0.99.beta19. A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context.
CVE-2019-18943 1 Microfocus 1 Solutions Business Manager 2021-03-01 5.2 MEDIUM 8.0 HIGH
Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to XML External Entity Processing (XXE) on certain operations.
CVE-2020-9484 6 Apache, Canonical, Debian and 3 more 6 Tomcat, Ubuntu Linux, Debian Linux and 3 more 2021-03-01 4.4 MEDIUM 7.0 HIGH
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
CVE-2020-9494 2 Apache, Debian 2 Traffic Server, Debian Linux 2021-03-01 5.0 MEDIUM 7.5 HIGH
Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread.
CVE-2021-20659 1 Contec 2 Sv-cpt-mc310, Sv-cpt-mc310 Firmware 2021-03-01 6.5 MEDIUM 8.8 HIGH
SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an authenticated attacker to upload arbitrary files via unspecified vectors. If the file is PHP script, an attacker may execute arbitrary code.
CVE-2020-11203 1 Qualcomm 286 Apq8009w, Apq8009w Firmware, Apq8064au and 283 more 2021-03-01 3.6 LOW 7.1 HIGH
Stack overflow may occur if GSM/WCDMA broadcast config size received from user is larger than variable length array in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables