CVE Notify
19.3K subscribers
4 photos
206K links
Alert on the latest CVEs

Partner channel: @malwr
Download Telegram
๐Ÿšจ CVE-2021-21118
Insufficient data validation in V8 in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2020-29443
ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2021-20247
A flaw was found in mbsync before v1.3.5 and v1.4.1. Validations of the mailbox names returned by IMAP LIST/LSUB do not occur allowing a malicious or compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel. The highest threat from this vulnerability is to data confidentiality and integrity.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2020-17380
A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2020-8021
a Improper Access Control vulnerability in of Open Build Service allows remote attackers to read files of an OBS package where the sourceaccess/access is disabled This issue affects: Open Build Service versions prior to 2.10.5.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2019-0233
An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2020-8020
A Improper Neutralization of Input During Web Page Generation vulnerability in open-build-service allows remote attackers to store arbitrary JS code to cause XSS. This issue affects: openSUSE open-build-service versions prior to 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2021-21311
Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2021-0371
In nci_proc_rf_management_ntf of nci_hrcv.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-164440989

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2021-26873
Windows User Profile Service Elevation of Privilege Vulnerability

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2021-23879
Unquoted service path vulnerability in McAfee Endpoint Product Removal (EPR) Tool prior to 21.2 allows local administrators to execute arbitrary code, with higher-level privileges, via execution from a compromised folder. The tool did not enforce and protect the execution path. Local admin privileges are required to place the files in the required location.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2020-29553
The Scheduler in Grav CMS through 1.7.0-rc.17 allows an attacker to execute a system command by tricking an admin into visiting a malicious website (CSRF).

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2021-3150
A cross-site scripting (XSS) vulnerability on the Delete Personal Data page in Cryptshare Server before 4.8.0 allows an attacker to inject arbitrary web script or HTML via the user name. The issue is fixed with the version 4.8.1

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2021-26872
Windows Event Tracing Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-26898, CVE-2021-26901.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2021-26871
Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-26885.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2021-0399
In qtaguid_untag of xt_qtaguid.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-176919394References: Upstream kernel

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2021-0396
In Builtins::Generate_ArgumentsAdaptorTrampoline of builtins-arm.cc and related files, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-160610106

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2021-0397
In sdp_copy_raw_data of sdp_discovery.cc, there is a possible system compromise due to a double free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-174052148

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2021-0398
In bindServiceLocked of ActiveServices.java, there is a possible foreground service launch due to a confused deputy. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-173516292

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2021-20667
Stored cross-site scripting vulnerability due to inadequate CSP (Content Security Policy) configuration in GROWI versions v4.2.2 and earlier allows remote authenticated attackers to inject an arbitrary script via a specially crafted content.

๐ŸŽ–@cveNotify