120 matches found
GSD-2021-1002385 iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove
iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v4.9.293 by commit...
Design/Logic Flaw
An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to...
CVE-2021-20330
An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to...
CVE-2021-20330 Specific replication command with malformed oplog entries can crash secondaries
An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to...
Security Bulletin: IBM Aspera High-Speed Transfer Server, Endpoint, and Desktop Client are vulnerable to libcurl vulnerabilities (CVE-2021-22901, CVE-2021-22898)
Summary The following libcurl security vulnerabilities have been addressed for Aspera High-Speed Tranfer Server HSTS , Aspera High-Speed Transfer Endpoint HSTE, and Deskstop Client. Vulnerability Details CVEID: CVE-2021-22901 DESCRIPTION: cURL libcurl could allow a remote attacker to execute...
CVE-2021-36000
CVE-2021-36000 affects Adobe Character Animator versions 4.2 and earlier. The issue is a memory corruption vulnerability triggered while parsing a specially crafted file, allowing an unauthenticated attacker to achieve arbitrary code execution in the user’s context. Exploitation requires user int...
CVE-2021-20333
Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versions prior to 4.2.1...
Design/Logic Flaw
An attacker can cause a Denial of Service and kernel panic in v4.2 and earlier versions of Espressif esp32 via a malformed beacon csa frame. The device requires a reboot to recover...
Cross site scripting
Stored cross-site scripting vulnerability in Admin Page of GROWI v4.2 Series versions from v4.2.0 to v4.2.7 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors...
Cross site scripting
Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters in GROWI v4.2 Series versions from v4.2.0 to v4.2.7 allows remote attackers to inject an arbitrary script via unspecified vectors...
CVE-2021-20673
CVE-2021-20673 is a stored cross-site scripting vulnerability in GROWI (v4.2 Series) Admin Page, affecting versions v4.2.0 through v4.2.7. The issue allows a remote authenticated attacker to inject arbitrary script into a logged-in user’s browser via unspecified vectors. Affected product: GROWI (...
CVE-2021-20672
The CVE-2021-20672 entry applies to GROWI (WESEEK) versions in the 4.2.x series, specifically 4.2.0–4.2.7. The underlying issue is insufficient verification/validation of URL query parameters, causing a reflected cross-site scripting (XSS) vulnerability. Attackers can inject arbitrary scripts tha...
CVE-2021-20619
Cross-site scripting vulnerability in GROWI v4.2 Series versions prior to v4.2.3 allows remote attackers to inject an arbitrary script via unspecified vectors...
CVE-2021-20619
Cross-site scripting vulnerability in GROWI v4.2 Series versions prior to v4.2.3 allows remote attackers to inject an arbitrary script via unspecified vectors...
JVN#94169589: Multiple vulnerabilities in GROWI
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. Denial-of-service DoS due to improper verification of input values CWE-400 - CVE-2020-5682 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L| Base Score: 5.3 CVSS v2|...
Invariant in IndexBoundsBuilder
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.2...
Potential privilege escalation in Ops Manager API
Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions 4.2.0-4.2.17, v4.3 versions 4.3.0-4.3.9 and v4.4 versions 4.4.0-4.4.2...
CVE-2020-7927 Potential privilege escalation in Ops Manager API
Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions prior to and including 4.2.17, MongoDB Ops Manager v4.3 versions prior to and including 4.3.9 an...
CVE-2019-20924
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects MongoDB Server v4.2 versions prior to 4.2.2...
Input validation
Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc12; MongoDB Server v4.2 version...