| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-25371 |  |  | 0.12 | — | 0.01 | KEV | Mar 26, 2021 | A vulnerability in the DSP driver prior to SMR Mar-2021 Release 1 allows attackers to load arbitrary ELF libraries inside the DSP. |
| CVE-2021-25370 |  |  | 0.12 | — | 0.01 | KEV | Mar 26, 2021 | Incorrect file descriptor handling in the dpu driver prior to SMR Mar-2021 Release 1 results in memory corruption leading to a kernel panic. |
| CVE-2021-25369 |  |  | 0.12 | — | 0.01 | KEV | Mar 26, 2021 | An improper access control vulnerability in the sec_log file prior to SMR Mar-2021 Release 1 exposes sensitive kernel information to userspace. |
| CVE-2021-22506 |  |  | 0.13 | — | 0.26 | KEV | Mar 26, 2021 | An information leakage vulnerability exposed through advanced configuration in the Micro Focus Access Manager product affects all versions prior to 5.0. |
| CVE-2021-21193 |  |  | 0.13 | — | 0.10 | KEV | Mar 16, 2021 | Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-27059 |  |  | 0.12 | — | 0.03 | KEV | Mar 11, 2021 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2021-27085 |  |  | 0.12 | — | 0.04 | KEV | Mar 11, 2021 | Internet Explorer Remote Code Execution Vulnerability |
| CVE-2021-26411 |  |  | 0.25 | — | 0.81 | KEV | Mar 11, 2021 | Internet Explorer Memory Corruption Vulnerability |
| CVE-2021-21166 |  |  | 0.15 | — | 0.27 | KEV | Mar 9, 2021 | Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-25337 |  |  | 0.12 | — | 0.03 | KEV | Mar 4, 2021 | Improper access control in the clipboard service in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows untrusted applications to read or write certain local files. |
| CVE-2021-22681 |  |  | 0.13 | — | 0.25 | KEV | Mar 3, 2021 | Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580;… |
| CVE-2021-27065 |  |  | 0.29 | — | 1.00 | KEV | Mar 2, 2021 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| CVE-2021-26858 |  |  | 0.24 | — | 0.90 | KEV | Mar 2, 2021 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| CVE-2021-26855 |  |  | 0.29 | — | 1.00 | KEV | Mar 2, 2021 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| CVE-2021-26857 |  |  | 0.21 | — | 0.94 | KEV | Mar 2, 2021 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| CVE-2021-27877 |  |  | 0.24 | — | 0.65 | KEV | Mar 1, 2021 | An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't yet been disabled. An attacker could remotely… |
| CVE-2021-27878 |  |  | 0.21 | — | 0.24 | KEV | Mar 1, 2021 | An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an… |
| CVE-2021-27876 |  |  | 0.21 | — | 0.13 | KEV | Mar 1, 2021 | An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an… |
| CVE-2021-1732 |  |  | 0.28 | — | 0.78 | KEV | Feb 25, 2021 | Windows Win32k Elevation of Privilege Vulnerability |
| CVE-2021-21972 |  |  | 0.29 | — | 1.00 | KEV | Feb 24, 2021 | The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter… |
| CVE-2021-21973 |  |  | 0.19 | — | 0.88 | KEV | Feb 24, 2021 | The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin… |
| CVE-2021-27104 |  |  | 0.19 | — | 0.57 | KEV | Feb 16, 2021 | Accellion FTA 9_12_370 and earlier is affected by OS command execution via a crafted POST request to various admin endpoints. The fixed version is FTA_9_12_380 and later. |
| CVE-2021-27103 |  |  | 0.18 | — | 0.11 | KEV | Feb 16, 2021 | Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html. The fixed version is FTA_9_12_416 and later. |
| CVE-2021-27102 |  |  | 0.18 | — | 0.04 | KEV | Feb 16, 2021 | Accellion FTA 9_12_411 and earlier is affected by OS command execution via a local web service call. The fixed version is FTA_9_12_416 and later. |
| CVE-2021-27101 |  |  | 0.18 | — | 0.06 | KEV | Feb 16, 2021 | Accellion FTA 9_12_370 and earlier is affected by SQL injection via a crafted Host header in a request to document_root.html. The fixed version is FTA_9_12_380 and later. |
| CVE-2021-21315 |  |  | 0.12 | — | 0.90 | KEV | Feb 16, 2021 | The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was… |
| CVE-2021-25297 |  |  | 0.22 | — | 0.43 | KEV | Feb 15, 2021 | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead… |
| CVE-2021-25296 |  |  | 0.22 | — | 0.72 | KEV | Feb 15, 2021 | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which… |
| CVE-2021-25298 |  |  | 0.21 | — | 0.75 | KEV | Feb 15, 2021 | Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can… |
| CVE-2021-21311 |  |  | 0.12 | — | 0.90 | KEV | Feb 11, 2021 | Adminer is an open-source database management tool in a single PHP file. In Adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version… |
| CVE-2021-21017 |  |  | 0.19 | — | 0.86 | KEV | Feb 11, 2021 | Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a heap-based buffer overflow vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code… |
| CVE-2021-23874 |  |  | 0.12 | — | 0.01 | KEV | Feb 10, 2021 | Arbitrary Process Execution vulnerability in McAfee Total Protection (MTP) prior to 16.0.30 allows a local user to gain elevated privileges and execute arbitrary code, bypassing MTP self-defense. |
| CVE-2021-21148 |  |  | 0.14 | — | 0.20 | KEV | Feb 9, 2021 | Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-22502 |  |  | 0.23 | — | 0.97 | KEV | Feb 8, 2021 | Remote code execution vulnerability in the Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10.40. The vulnerability could be exploited to allow remote code execution on the OBR server. |
| CVE-2021-20016 |  |  | 0.24 | — | 0.40 | KEV | Feb 3, 2021 | A SQL injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform SQL queries that access usernames, passwords and other session-related information. This vulnerability impacts SMA100 build version 10.x. |
| CVE-2020-2506 |  |  | 0.13 | — | 0.02 | KEV | Feb 3, 2021 | The vulnerability has been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to compromise the security of the software by gaining privileges or reading sensitive information. This issue affects: QNAP… |
| CVE-2020-25506 |  |  | 0.20 | — | 1.00 | KEV | Feb 2, 2021 | D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution. |
| CVE-2020-29557 |  |  | 0.19 | — | 0.54 | KEV | Jan 29, 2021 | An issue was discovered on D-Link DIR-825 R1 devices through 3.0.1 before 2020-11-20. A buffer overflow in the web interface allows attackers to achieve pre-authentication remote code execution. |
| CVE-2021-3156 |  |  | 0.22 | — | 0.99 | KEV | Jan 26, 2021 | Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character. |
| CVE-2020-36193 |  |  | 0.11 | — | 0.71 | KEV | Jan 18, 2021 | Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. |
| CVE-2020-6572 |  |  | 0.14 | — | 0.11 | KEV | Jan 14, 2021 | Use after free in Media in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to execute arbitrary code via a crafted HTML page. |
| CVE-2021-1647 |  |  | 0.18 | — | 0.40 | KEV | Jan 12, 2021 | Microsoft Defender Remote Code Execution Vulnerability |
| CVE-2021-3129 |  |  | 0.22 | — | 1.00 | KEV | Jan 12, 2021 | Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. |
| CVE-2020-16017 |  |  | 0.14 | — | 0.03 | KEV | Jan 8, 2021 | Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
| CVE-2020-16013 |  |  | 0.14 | — | 0.03 | KEV | Jan 8, 2021 | Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2020-17519 |  |  | 0.23 | — | 0.98 | KEV | Jan 5, 2021 | A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager… |
| CVE-2020-10148 |  |  | 0.20 | — | 0.92 | KEV | Dec 29, 2020 | The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds… |
| CVE-2020-35730 |  |  | 0.10 | — | 0.33 | KEV | Dec 28, 2020 | An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. |
| CVE-2020-29583 |  |  | 0.20 | — | 0.90 | KEV | Dec 22, 2020 | Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin… |
| CVE-2020-29574 |  |  | 0.13 | — | 0.05 | KEV | Dec 11, 2020 | An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely. |
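The sudo entry above (CVE-2021-3156) gives only the upper bound of the affected versions. The Python below is an added triage helper, not code from the sudo project or from this page. It checks a host two ways: by parsing the `sudo --version` banner against the affected ranges published in the Qualys advisory for this CVE (the lower bounds 1.8.2 and 1.9.0 and the 1.8.31p2 cut-off are taken from that advisory, not from this page), and by interpreting the output of the non-destructive `sudoedit -s /` probe from the same advisory. The version check on its own is unreliable where a distribution backports the fix without changing the version string, which is why the probe is included.

```python
"""Triage helpers for CVE-2021-3156 (sudo heap overflow); added example."""
import re
import subprocess

# Affected ranges per the Qualys advisory (assumption: the page itself only
# states "before 1.9.5p2"): legacy 1.8.2..1.8.31p2 and stable 1.9.0..1.9.5p1.
VULNERABLE_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(banner):
    """Turn the first line of `sudo --version` ('Sudo version 1.9.5p1') into
    (1, 9, 5, 1); a missing 'pN' suffix counts as patch level 0."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no sudo version found in {banner!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_in_vulnerable_range(version):
    """Tuple comparison over the affected ranges (inclusive at both ends)."""
    return any(lo <= version <= hi for lo, hi in VULNERABLE_RANGES)


def classify_sudoedit_probe(stderr):
    """Interpret stderr from `sudoedit -s /`, the non-destructive probe from
    the Qualys advisory. Unpatched sudo accepts -s together with sudoedit and
    then complains about the argument ('sudoedit: /: not a regular file');
    patched sudo rejects that flag combination and prints its usage text."""
    lines = stderr.strip().splitlines()
    first = lines[0] if lines else ""
    if first.startswith("usage:"):
        return "patched"
    if first.startswith("sudoedit:"):
        return "vulnerable"
    return "unknown"


def triage_local_host():
    """Run both checks on this host as an unprivileged user. Distribution
    packages often backport the fix without changing the version string, so
    treat the live probe as authoritative when the two results disagree."""
    banner = subprocess.run(["sudo", "--version"], capture_output=True,
                            text=True, check=False).stdout
    probe = subprocess.run(["sudoedit", "-s", "/"], capture_output=True,
                           text=True, check=False)
    version = parse_sudo_version(banner)
    return {
        "version": version,
        "version_in_affected_range": version_in_vulnerable_range(version),
        "probe": classify_sudoedit_probe(probe.stderr),
    }


if __name__ == "__main__":
    print(triage_local_host())
```

Run it as a normal user on the host under review; a result of `probe: "unknown"` means the output matched neither pattern (for example sudo was not installed or the locale changed the message), so fall back to the vendor's package changelog rather than the bare version number.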
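The Archive_Tar entry above (CVE-2020-36193) describes writes escaping the extraction directory because symbolic links were checked inadequately. The Python below is an added example, not Archive_Tar's code or a reconstruction of its fix: it contrasts a name-only member check (the inadequate kind, which never looks at link targets) with a hardened check that validates symlink and hardlink targets and follows links created by earlier members before deciding where a later member would land. The archive contents are constructed in memory for the demonstration and are not a real-world sample.

```python
"""Audit tar members for symlink-based directory traversal; added example."""
import io
import posixpath
import tarfile


def normalize_member_path(path):
    """Collapse '.' and '..'. Return None for an absolute path or one that
    climbs above the extraction root."""
    if path.startswith("/"):
        return None
    norm = posixpath.normpath(path)
    if norm == ".." or norm.startswith("../"):
        return None
    return norm


def resolve_through_symlinks(path, symlinks):
    """Rewrite `path` through symlinks created by earlier members, following
    chains. `symlinks` maps a normalized symlink path to its raw target
    (relative to the link's own directory). Returns the final normalized
    path, or None if it leaves the root or the links form a cycle."""
    for _ in range(64):  # bounded walk so a symlink cycle cannot hang us
        norm = normalize_member_path(path)
        if norm is None:
            return None
        parts = norm.split("/")
        for i in range(len(parts), 0, -1):
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                parent = "/".join(parts[:i - 1])
                path = posixpath.join(parent, symlinks[prefix], *parts[i:])
                break
        else:
            return norm  # no symlink component left to expand
    return None


def naive_verdicts(tf):
    """Name-only check, modelling the inadequate kind: link targets are never
    inspected, so a symlink pointing outside the root is accepted and a later
    member written 'through' it lands outside the root."""
    return {m.name: "ok" if normalize_member_path(m.name) is not None
            else "reject: name escapes extraction root"
            for m in tf.getmembers()}


def strict_verdicts(tf):
    """Hardened check: names and link targets must stay inside the root even
    after following symlinks created by earlier accepted members. Verdicts
    assume rejected members are skipped at extraction time."""
    symlinks, verdicts = {}, {}
    for m in tf.getmembers():
        resolved = resolve_through_symlinks(m.name, symlinks)
        if resolved is None:
            verdicts[m.name] = "reject: name escapes extraction root"
            continue
        if m.issym() or m.islnk():
            # symlink targets are relative to the link's directory,
            # hardlink targets are relative to the archive root
            base = posixpath.dirname(resolved) if m.issym() else ""
            target = resolve_through_symlinks(posixpath.join(base, m.linkname), symlinks)
            if target is None:
                verdicts[m.name] = "reject: link target escapes extraction root"
                continue
            if m.issym():
                symlinks[resolved] = m.linkname
        verdicts[m.name] = "ok"
    return verdicts


def build_sample_archive():
    """Constructed in-memory archive (not a real-world sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tw:
        def add_file(name, data=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tw.addfile(info, io.BytesIO(data))

        def add_symlink(name, target):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tw.addfile(info)

        add_file("ok.txt")                  # benign regular file
        add_symlink("data", "store")        # symlink that stays inside the root
        add_file("data/file.txt")           # written through it: store/file.txt
        add_symlink("escape", "../../etc")  # symlink pointing above the root
        add_file("escape/passwd")           # via that link: ../../etc/passwd
        add_file("../evil.txt")             # plain '..' traversal
        add_file("/tmp/abs.txt")            # absolute path
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    archive = build_sample_archive()
    naive, strict = naive_verdicts(archive), strict_verdicts(archive)
    for name in naive:
        print(f"{name:<16} naive={naive[name]:<38} strict={strict[name]}")
```

The name-only check accepts both `escape` and `escape/passwd`, so an extractor relying on it creates the link and then writes `passwd` two directories above the root. The strict check rejects `escape` at the point the link is declared; `escape/passwd` is then still accepted, but only because the rejected link is never created and the path becomes an ordinary directory inside the root. Symlinks that stay inside the root (`data` pointing at `store`) are allowed, and members written through them are checked at their resolved location.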