0% found this document useful (0 votes)

62 views206 pages

NCIIPC Fortnightly CVE Report For 16-30 Jun 2021

The National Critical Information Infrastructure Protection Centre's CVE Report for June 16-30, 2021, details various vulnerabilities across multiple applications, including Accellion Kiteworks, Advantech WebAccess/SCADA, and Apache CXF. Each entry includes the vulnerability type, publish date, CVSS score, description, and CVE ID. The report emphasizes the importance of applying patches to mitigate these security risks.

Uploaded by

amitdhawan1

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

62 views206 pages

NCIIPC Fortnightly CVE Report For 16-30 Jun 2021

Uploaded by

amitdhawan1

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 206

National Critical Information Infrastructure Protection Centre

Common Vulnerabilities and Exposures(CVE) Report

https://nciipc.gov.in
16 - 30 Jun 2021 Vol. 08 No. 12
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Application
Accellion
kiteworks
Accellion Kiteworks before
7.3.1 allows a user with https://githu
Admin privileges to escalate b.com/accelli
Improper
their privileges by generating on/CVEs/blo A-ACC-KITE-
Privilege 23-Jun-21 4.6
SSH passwords that allow b/main/CVE- 020721/1
Management
local access. 2021-
31585.txt
CVE ID : CVE-2021-31585
Improper
Neutralizatio
Accellion Kiteworks before https://githu
n of Special
7.4.0 allows an authenticated b.com/accelli
Elements
user to perform SQL Injection on/CVEs/blo A-ACC-KITE-
used in an 23-Jun-21 6.5
via LDAPGroup Search. b/main/CVE- 020721/2
SQL
2021-
Command CVE ID : CVE-2021-31586 31586.txt
('SQL
Injection')
admincolumns
admin_columns
The Admin Columns Free
WordPress plugin before 4.3
Improper and Admin Columns Pro https://wpsc
Neutralizatio WordPress plugin before an.com/vuln
n of Input 5.5.1, rendered input on the erability/054 A-ADM-
During Web posted pages with improper
21-Jun-21 3.5 27156-4d5c- ADMI-
Page input validation on the value 4aeb-add8- 020721/3
Generation passed into the field 'Label' 1c574fda5c2
('Cross-site parameter, by taking this as 8
Scripting') an advantage an
authenticated attacker can
supply a crafted arbitrary

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 1 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
script and execute it.
CVE ID : CVE-2021-24366
Advantech
webaccess\\/scada
Advantech
WebAccess/SCADA Versions
9.0.1 and prior is vulnerable
to a directory traversal, A-ADV-
Relative Path
18-Jun-21 6.8 which may allow an attacker N/A WEBA-
Traversal
to remotely read arbitrary 020721/4
files on the file system.
CVE ID : CVE-2021-32954
Advantech
WebAccess/SCADA Versions
URL 9.0.1 and prior is vulnerable
Redirection to redirection, which may A-ADV-
to Untrusted 18-Jun-21 5.8 allow an attacker to send a N/A WEBA-
Site ('Open maliciously crafted URL that 020721/5
Redirect') could result in redirecting a
user to a malicious webpage.
CVE ID : CVE-2021-32956
Ampache
ampache

Ampache is an open source https://githu

web based audio/video b.com/ampa
streaming application and file che/ampach
manager. Due to a lack of e/security/a
Improper
input filtering versions 4.x.y dvisories/GH
Neutralizatio
are vulnerable to code SA-vqpj-
n of Input
injection in random.php. The xgw2-r54q, A-AMP-
During Web
22-Jun-21 3.5 attack requires user https://githu AMPA-
Page
authentication to access the b.com/ampa 020721/6
Generation
random.php page unless the che/ampach
('Cross-site
site is running in demo mode. e/commit/c9
Scripting')
This issue has been resolved 453841e1b5
in 4.4.3. 17a1660c3d
a1efd1fe5d6
CVE ID : CVE-2021-32644 23c93a5
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 2 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Apache
cxf
http://cxf.ap
ache.org/sec
urity-
A vulnerability in the advisories.da
JsonMapObjectReaderWriter ta/CVE-
of Apache CXF allows an 2021-
attacker to submit malformed 30468.txt.asc
JSON to a web service, which ,
Uncontrolled results in the thread getting https://lists.
stuck in an infinite loop, A-APA-CXF-
Resource 16-Jun-21 5 apache.org/t
consuming CPU indefinitely. 020721/7
Consumption hread.html/r
This issue affects Apache CXF 4a4b6bc052
versions prior to 3.4.4; 0b69c18d2a
Apache CXF versions prior to 59daa6af84a
3.3.11. e49f0c22164
CVE ID : CVE-2021-30468 dccb853879
4459@%3Cd
ev.cxf.apache
.org%3E
nuttx
Apache Nuttx Versions prior https://lists.
to 10.1.0 are vulnerable to apache.org/t
integer wrap-around in hread.html/r
functions malloc, realloc and 806fccf8b00
memalign. This improper 3ae812d807
Integer memory assignment can lead A-APA-
c6c7d97950
Overflow or 21-Jun-21 7.5 to arbitrary memory NUTT-
d44ed29b27
Wraparound allocation, resulting in 020721/8
13418cbe3f2
unexpected behavior such as bddd%40%3
a crash or a remote code Cdev.nuttx.a
injection/execution. pache.org%3
CVE ID : CVE-2021-26461 E

Apereo
opencast
Improper 16-Jun-21 4 Opencast is a free and open https://githu A-APE-
Restriction source solution for b.com/openc OPEN-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 3 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
of Recursive automated video capture and ast/opencast 020721/9
Entity distribution. Versions of /commit/8ae
References Opencast prior to 9.6 are 27da5a6f658
in DTDs vulnerable to the billion 011a5741b3
('XML Entity laughs attack, which allows 210e715b0d
Expansion') an attacker to easily execute a c6213e,
(seemingly permanent) https://githu
denial of service attack, b.com/openc
essentially taking down ast/opencast
Opencast using a single HTTP /security/ad
request. To exploit this, users visories/GHS
need to have ingest A-9gwx-
privileges, limiting the group 9cwp-5c2m
of potential attackers The
problem has been fixed in
Opencast 9.6. There is no
known workaround for this
issue.
CVE ID : CVE-2021-32623
apollosapp
data-connector-rock
Apollos Apps is an open https://githu
source platform for launching b.com/Apoll
church-related apps. In osProject/ap
Apollos Apps versions prior ollos-
to 2.20.0, new user apps/release
registrations are able to s/tag/v2.20.
access anyone's account by 0,
only knowing their basic https://githu
Improper profile information (name, b.com/Apoll A-APO-
Authenticati 16-Jun-21 7.5 birthday, gender, etc). This osProject/ap DATA-
on includes all app functionality ollos- 020721/10
within the app, as well as any apps/commi
authenticated links to Rock- t/cb5f8f1c0b
based webpages (such as 24f1b215b2
giving and events). There is a bb5eb6f9a8e
patch in version 2.20.0. As a 16d728ce2,
workaround, one can patch https://githu
one's server by overriding b.com/Apoll
the `create` data source osProject/ap
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 4 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
method on the `People` class. ollos-
CVE ID : CVE-2021-32691 apps/securit
y/advisories
/GHSA-r578-
pj6f-r4ff
asken
asken
Improper authorization in
handler for custom URL
scheme vulnerability in
URL ????????? (asken diet) for https://ww
Redirection Android versions from v.3.0.0 w.asken.jp/s A-ASK-ASKE-
to Untrusted 22-Jun-21 5.8 to v.4.2.x allows a remote /login/?to=/i 020721/11
Site ('Open attacker to lead a user to nformation
Redirect') access an arbitrary website
via the vulnerable App.
CVE ID : CVE-2021-20733
Automattic
jetpack
https://wpsc
The Jetpack Carousel module an.com/vuln
of the JetPack WordPress erability/08a
plugin before 9.8 allows users 8a51c-49d3-
to create a "carousel" type 4bce-b7e0-
image gallery and allows e365af1d8f3
Exposure of users to comment on the 3,
Resource to images. A security https://jetpa A-AUT-JETP-
21-Jun-21 5 vulnerability was found
Wrong ck.com/2021 020721/12
Sphere within the Jetpack Carousel /06/01/jetp
module by nguyenhg_vcs that ack-9-8-
allowed the comments of engage-your-
non-published page/posts to audience-
be leaked. with-
CVE ID : CVE-2021-24374 wordpress-
stories/
autoptimize
autoptimize

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 5 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
The Autoptimize WordPress
plugin before 2.7.8 attempts
to delete malicious files (such
as .php) form the uploaded
archive via the "Import
Settings" feature, after its
extraction. However, the https://wpsc
Unrestricted extracted folders are not an.com/vuln
Upload of checked and it is possible to erability/93e A-AUT-
File with 21-Jun-21 7.5 upload a zip which contained dcc23-894a- AUTO-
Dangerous a directory with PHP file in it 46c2-84d2- 020721/13
Type and then it is not removed 407dcb64ba
from the disk. It is a bypass of 1e
CVE-2020-24948 which
allows sending a PHP file via
the "Import Settings"
functionality to achieve
Remote Code Execution.
CVE ID : CVE-2021-24376
The Autoptimize WordPress
plugin before 2.7.8 attempts
to remove potential malicious
Concurrent files from the extracted
Execution archive uploaded via the https://wpsc
using Shared 'Import Settings' feature, an.com/vuln
Resource however this is not sufficient erability/85c A-AUT-
with 21-Jun-21 6.8 to protect against RCE as a 0a564-2e56- AUTO-
Improper race condition can be 413d-bc3a- 020721/14
Synchronizat achieved in between the 1039343207
ion ('Race moment the file is extracted e4
Condition') on the disk but not yet
removed. It is a bypass of
CVE-2020-24948.
CVE ID : CVE-2021-24377
Improper The Autoptimize WordPress https://wpsc
Neutralizatio plugin before 2.7.8 does not an.com/vuln A-AUT-
n of Input 21-Jun-21 3.5 check for malicious files such erability/375 AUTO-
During Web as .html in the archive bd694-1a30- 020721/15
Page uploaded via the 'Import 41af-bbd4-
Generation Settings' feature. As a result, 8a8ee54f0db
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 6 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
('Cross-site it is possible for a high f
Scripting') privilege user to upload a
malicious file containing
JavaScript code inside an
archive which will execute
when a victim visits
index.html inside the plugin
directory.
CVE ID : CVE-2021-24378
Avaya
aura_utility_services
** UNSUPPORTED WHEN
ASSIGNED ** An information
disclosure vulnerability was
discovered in the directory
and file management of
Avaya Aura Utility Services.
This vulnerability may https://supp
potentially allow any local ort.avaya.co A-AVA-
N/A 24-Jun-21 2.1 user to access system m/css/P8/d AURA-
functionality and ocuments/1 020721/16
configuration information 01072728
that should only be available
to a privileged user. Affects
all 7.x versions of Avaya Aura
Utility Services.
CVE ID : CVE-2021-25649
** UNSUPPORTED WHEN
ASSIGNED ** A privilege
escalation vulnerability was
discovered in Avaya Aura https://supp
Improper Utility Services that may ort.avaya.co A-AVA-
Privilege 24-Jun-21 4.6 potentially allow a local user m/css/P8/d AURA-
Management to execute specially crafted ocuments/1 020721/17
scripts as a privileged user. 01072728
Affects all 7.x versions of
Avaya Aura Utility Services.
CVE ID : CVE-2021-25650

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 7 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
** UNSUPPORTED WHEN
ASSIGNED ** A privilege
escalation vulnerability was
discovered in Avaya Aura https://supp
Improper Utility Services that may ort.avaya.co A-AVA-
Privilege 24-Jun-21 4.6 potentially allow a local user m/css/P8/d AURA-
Management to escalate privileges. Affects ocuments/1 020721/18
all 7.x versions of Avaya Aura 01072728
Utility Services.
CVE ID : CVE-2021-25651
ayecode
getpaid
In the GetPaid WordPress
plugin before 2.3.4, users
with the contributor role and
above can create a new
Payment Form, however the
Improper Label and Help Text input
fields were not getting https://wpsc
Neutralizatio
sanitized properly. So it was an.com/vuln
n of Input
possible to inject malicious erability/1d1
During Web A-AYE-GETP-
21-Jun-21 3.5 content such as img tags, a731b-78f7-
Page 020721/19
leading to a Stored Cross-Site 4d97-b40d-
Generation
Scripting issue which is 80f66700eda
('Cross-site
triggered when the form will e
Scripting')
be edited, for example when
an admin reviews it and
could lead to privilege
escalation.
CVE ID : CVE-2021-24369
location_manager
Improper In the Location Manager https://wpg
Neutralizatio WordPress plugin before eodirectory.c
n of Special 2.1.0.10, the AJAX action om/downloa
Elements 21-Jun-21 7.5 gd_popular_location_list did ds/location- A-AYE-LOCA-
used in an not properly sanitise or manager/, 020721/20
SQL validate some of its POST https://wpsc
Command parameters, which are then an.com/vuln
('SQL used in a SQL statement, erability/5aff
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 8 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Injection') leading to unauthenticated 50fc-ac96-
SQL Injection issues. 4076-a07c-
CVE ID : CVE-2021-24361 bb145ae370
25
ballerina
ballerina
Ballerina is an open source
programming language and https://githu
platform for cloud application b.com/baller
programmers. Ballerina ina-
versions 1.2.x and SL releases platform/bal
up to alpha 3 have a potential lerina-
for a supply chain attack via lang/security
MiTM against users. Http /advisories/
Missing connections did not make use GHSA-f5qg-
Authenticati of TLS and certificate fqrw-v5ww,
checking was ignored. The A-BAL-BALL-
on for 22-Jun-21 5.8 https://githu
vulnerability allows an 020721/21
Critical b.com/baller
Function attacker to substitute or ina-
modify packages retrieved platform/bal
from BC thus allowing to lerina-
inject malicious code into lang/commit
ballerina executables. This /4609ffee17
has been patched in Ballerina 44ecd16aac0
1.2.14 and Ballerina 9303b1783b
SwanLake alpha4. f0a525816
CVE ID : CVE-2021-32700
swan_lake
Ballerina is an open source https://githu
programming language and b.com/baller
platform for cloud application ina-
Missing programmers. Ballerina platform/bal
Authenticati versions 1.2.x and SL releases lerina- A-BAL-
on for 22-Jun-21 5.8 up to alpha 3 have a potential lang/security SWAN-
Critical for a supply chain attack via /advisories/ 020721/22
Function MiTM against users. Http GHSA-f5qg-
connections did not make use fqrw-v5ww,
of TLS and certificate https://githu
checking was ignored. The b.com/baller

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 9 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
vulnerability allows an ina-
attacker to substitute or platform/bal
modify packages retrieved lerina-
from BC thus allowing to lang/commit
inject malicious code into /4609ffee17
ballerina executables. This 44ecd16aac0
has been patched in Ballerina 9303b1783b
1.2.14 and Ballerina f0a525816
SwanLake alpha4.
CVE ID : CVE-2021-32700
bindata_project
bindata
In the bindata RubyGem
before version 2.4.10 there is
a potential denial-of-service
vulnerability. In affected https://githu
versions it is very slow for b.com/rubys
certain classes in BinData to ec/ruby-
be created. For example advisory-
BinData::Bit100000, db/issues/4
BinData::Bit100001, 76,
Uncontrolled
BinData::Bit100002, https://githu A-BIN-BIND-
Resource 24-Jun-21 4.3
BinData::Bit<N>. In b.com/dmen 020721/23
Consumption
combination with del/bindata/
<user_input>.constantize commit/d99f
there is a potential for a CPU- 050b883375
based DoS. In version 2.4.10 59be2cb359
bindata improved the 06c1f8da495
creation time of Bits and 31323
Integers.
CVE ID : CVE-2021-32823
checksec
canopy

Improper CheckSec Canopy before 3.5.2

Neutralizatio allows XSS attacks against the A-CHE-
n of Input 18-Jun-21 3.5 login page via the N/A CANO-
During Web LOGIN_PAGE_DISCLAIMER 020721/24
Page parameter.

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 10 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Generation CVE ID : CVE-2021-34815
('Cross-site
Scripting')
Cisco
anyconnect_secure_mobility_client
A vulnerability in the DLL
loading mechanism of Cisco
AnyConnect Secure Mobility
Client for Windows could
allow an authenticated, local
attacker to perform a DLL
hijacking attack on an
affected device if the VPN
Posture (HostScan) Module is
installed on the AnyConnect
client. This vulnerability is https://tools.
due to a race condition in the cisco.com/se
Time-of- signature verification process curity/center
check Time- for DLL files that are loaded /content/Cis
of-use on an affected device. An coSecurityAd A-CIS-ANYC-
16-Jun-21 6.2
(TOCTOU) attacker could exploit this visory/cisco- 020721/25
Race vulnerability by sending a sa-
Condition series of crafted interprocess anyconnect-
communication (IPC) pos-dll-
messages to the AnyConnect ff8j6dFv
process. A successful exploit
could allow the attacker to
execute arbitrary code on the
affected device with SYSTEM
privileges. To exploit this
vulnerability, the attacker
must have valid credentials
on the Windows system.
CVE ID : CVE-2021-1567
Memory A vulnerability in Cisco https://tools.
Allocation AnyConnect Secure Mobility cisco.com/se A-CIS-ANYC-
with 16-Jun-21 2.1 Client for Windows could curity/center 020721/26
Excessive allow an authenticated, local /content/Cis
Size Value attacker to cause a denial of coSecurityAd

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 11 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
service (DoS) condition on an visory/cisco-
affected system. This sa-
vulnerability is due to anyconnect-
uncontrolled memory dos-
allocation. An attacker could hMhyDfb8
exploit this vulnerability by
copying a crafted file to a
specific folder on the system.
A successful exploit could
allow the attacker to crash
the VPN Agent service when
the affected application is
launched, causing it to be
unavailable to all users of the
system. To exploit this
vulnerability, the attacker
must have valid credentials
on a multiuser Windows
system.
CVE ID : CVE-2021-1568
email_security_appliance
A vulnerability in the Cisco
Advanced Malware
Protection (AMP) for
Endpoints integration of
Cisco AsyncOS for Cisco Email
Security Appliance (ESA) and https://tools.
Cisco Web Security Appliance cisco.com/se
(WSA) could allow an curity/center
Improper unauthenticated, remote /content/Cis
A-CIS-EMAI-
Certificate 16-Jun-21 5.8 attacker to intercept traffic coSecurityAd
020721/27
Validation between an affected device visory/cisco-
and the AMP servers. This sa-esa-wsa-
vulnerability is due to cert-vali-
improper certificate n8L97RW
validation when an affected
device establishes TLS
connections. A man-in-the-
middle attacker could exploit
this vulnerability by sending

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 12 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
a crafted TLS packet to an
affected device. A successful
exploit could allow the
attacker to spoof a trusted
host and then extract
sensitive information or alter
certain API requests.
CVE ID : CVE-2021-1566
jabber
Multiple vulnerabilities in
Cisco Jabber for Windows,
Cisco Jabber for Mac, and
Cisco Jabber for mobile https://tools.
platforms could allow an cisco.com/se
attacker to access sensitive curity/center
information or cause a denial /content/Cis A-CIS-JABB-
N/A 16-Jun-21 4
of service (DoS) condition. coSecurityAd 020721/28
For more information about visory/cisco-
these vulnerabilities, see the sa-jabber-
Details section of this GuC5mLwG
advisory.
CVE ID : CVE-2021-1569
Multiple vulnerabilities in
Cisco Jabber for Windows,
Cisco Jabber for Mac, and
Cisco Jabber for mobile https://tools.
platforms could allow an cisco.com/se
attacker to access sensitive curity/center
Improper
information or cause a denial /content/Cis A-CIS-JABB-
Input 16-Jun-21 4
of service (DoS) condition. coSecurityAd 020721/29
Validation
For more information about visory/cisco-
these vulnerabilities, see the sa-jabber-
Details section of this GuC5mLwG
advisory.
CVE ID : CVE-2021-1570
meeting_server

Improper 16-Jun-21 4 A vulnerability in the API of https://tools. A-CIS-MEET-

Input Cisco Meeting Server could cisco.com/se 020721/30

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 13 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Validation allow an authenticated, curity/center
remote attacker to cause a /content/Cis
denial of service (DoS) coSecurityAd
condition on an affected visory/cisco-
device. This vulnerability sa-
exists because requests that meetingserv
are sent to the API are not er-dos-
properly validated. An NzVWMMQT
attacker could exploit this
vulnerability by sending a
malicious request to the API.
A successful exploit could
allow the attacker to cause all
participants on a call to be
disconnected, resulting in a
DoS condition.
CVE ID : CVE-2021-1524
web_security_appliance
A vulnerability in the Cisco
Advanced Malware
Protection (AMP) for
Endpoints integration of
Cisco AsyncOS for Cisco Email
Security Appliance (ESA) and
Cisco Web Security Appliance https://tools.
(WSA) could allow an cisco.com/se
unauthenticated, remote curity/center
Improper attacker to intercept traffic /content/Cis
between an affected device A-CIS-WEB_-
Certificate 16-Jun-21 5.8 coSecurityAd
and the AMP servers. This 020721/31
Validation visory/cisco-
vulnerability is due to sa-esa-wsa-
improper certificate cert-vali-
validation when an affected n8L97RW
device establishes TLS
connections. A man-in-the-
middle attacker could exploit
this vulnerability by sending
a crafted TLS packet to an
affected device. A successful
exploit could allow the

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 14 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
attacker to spoof a trusted
host and then extract
sensitive information or alter
certain API requests.
CVE ID : CVE-2021-1566
Citrix
cloud_connector
Citrix Cloud Connector before
6.31.0.62192 suffers from
insecure storage of sensitive
information due to sensitive
information being stored in
the Citrix Cloud Connector
installation log files. Such
information could be used by
an malicious actor to access a
Citrix Cloud environment.
Insecure This issue affects all versions https://supp
Storage of of Citrix Cloud Connector that ort.citrix.com A-CIT-CLOU-
16-Jun-21 5
Sensitive were installed by passing /article/CTX 020721/32
Information secure client parameters for 316690
installation via the command
line. The issue does not affect
Citrix Cloud Connector if it
was installed using the
interactive installer or where
a parameter file was used
with the command-line
installer.
CVE ID : CVE-2021-22914
cleo
lexicom
Improper An issue was discovered in
Limitation of Cleo LexiCom 5.5.0.0. Within
a Pathname the AS2 message, the sender A-CLE-LEXI-
18-Jun-21 7.5 N/A
to a can specify a filename. This 020721/33
Restricted filename can include path-
Directory traversal characters, allowing

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 15 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
('Path the file to be written to an
Traversal') arbitrary location on disk.
CVE ID : CVE-2021-33576
An issue was discovered in
Cleo LexiCom 5.5.0.0. The
requirement for the sender of
an AS2 message to identify
Incorrect themselves (via encryption A-CLE-LEXI-
Authorizatio 18-Jun-21 5 and signing of the message) N/A
020721/34
n can be bypassed by changing
the Content-Type of the
message to text/plain.
CVE ID : CVE-2021-33577
Codecabin
wp_google_maps
The WP Google Maps
Improper WordPress plugin before
8.1.12 did not sanitise, https://wpsc
Neutralizatio
validate of escape the Map an.com/vuln
n of Input
Name when output in the erability/127 A-COD-
During Web
21-Jun-21 3.5 Map List of the admin 0588c-53fe- WP_G-
Page
dashboard, leading to an 447e-b83c- 020721/35
Generation
authenticated Stored Cross- 1b877dc7a9
('Cross-site
Site Scripting issue 54
Scripting')
CVE ID : CVE-2021-24383
collne
welcart

Improper Cross-site scripting

Neutralizatio vulnerability in Welcart e-
n of Input Commerce versions prior to https://ww
2.2.4 allows remote attackers A-COL-
During Web w.welcart.co
22-Jun-21 4.3 to inject arbitrary script or WELC-
Page m/archives/
HTML via unspecified 020721/36
Generation 14039.html
('Cross-site vectors.
Scripting') CVE ID : CVE-2021-20734
color-string_project
color-string
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 16 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
https://githu
b.com/yeting
li/PoCs/blob
A Regular Expression Denial /main/CVE-
of Service (ReDOS) 2021-

Allocation of vulnerability was discovered 29060/Color

in Color-String version 1.5.5 -String.md,
Resources A-COL-
and below which occurs https://githu
Without 21-Jun-21 5 COLO-
when the application is b.com/Qix-
Limits or 020721/37
Throttling provided and checks a crafted /color-
invalid HWB string. string/comm
it/0789e212
CVE ID : CVE-2021-29060 84c33d89eb
c4ab4ca6f75
9b9375ac9d
3
connectwise
automate
https://ww
w.connectwi
se.com/com
pany/trust/s
Improper
An XXE vulnerability exists in ecurity-
Restriction
ConnectWise Automate bulletins, A-CON-
of XML
21-Jun-21 7.5 before 2021.0.6.132. https://hom AUTO-
External
e.connectwis 020721/38
Entity CVE ID : CVE-2021-35066 e.com/securi
Reference
tyBulletin/6
0cc8c63508a
120001cb6e
8d
connectwise_automate
Improper An issue was discovered in https://hom
Neutralizatio ConnectWise Automate e.connectwis
n of Special before 2021.5. A blind SQL e.com/securi A-CON-
Elements 17-Jun-21 5 injection vulnerability exists tyBulletin/6 CONN-
used in an in core agent inventory 09a9dd75cb 020721/39
SQL communication that can 8450001e85
Command enable an attacker to extract 369,

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 17 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
('SQL database information or https://ww
Injection') administrative credentials w.connectwi
from an instance via crafted se.com/com
monitor status responses. pany/trust/s
CVE ID : CVE-2021-32582 ecurity-
bulletins
Contao
contao
https://githu
b.com/conta
o/contao/sec
Contao 4.5.x through 4.9.x urity/adviso
Improper before 4.9.16, and 4.10.x ries/GHSA-
Neutralizatio through 4.11.x before 4.11.5, h58v-c6rf-
n of Input allows XSS. It is possible to g9f7,
A-CON-
During Web inject code into the tl_log https://cont
23-Jun-21 4.3 CONT-
Page table that will be executed in ao.org/en/se
020721/40
Generation the browser when the system curity-
('Cross-site log is called in the back end. advisories/cr
Scripting') oss-site-
CVE ID : CVE-2021-35210 scripting-in-
the-system-
log-
2021.html
djvulibre_project
djvulibre
A flaw was found in djvulibre-
3.5.28 and earlier. An out of
bounds write in function
Out-of- DJVU::filter_bv() via crafted A-DJV-DJVU-
bounds 24-Jun-21 6.8 djvu file may lead to N/A
020721/41
Write application crash and other
consequences.
CVE ID : CVE-2021-32490

Integer A flaw was found in djvulibre-

3.5.28 and earlier. An integer N/A A-DJV-DJVU-
Overflow or 24-Jun-21 6.8
overflow in function render() 020721/42
Wraparound
in tools/ddjvu via crafted

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 18 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
djvu file may lead to
application crash and other
consequences.
CVE ID : CVE-2021-32491
A flaw was found in djvulibre-
3.5.28 and earlier. An out of
bounds read in function
Out-of- DJVU::DataPool::has_data() A-DJV-DJVU-
24-Jun-21 6.8 via crafted djvu file may lead N/A
bounds Read 020721/43
to application crash and other
consequences.
CVE ID : CVE-2021-32492
A flaw was found in djvulibre-
3.5.28 and earlier. A heap
buffer overflow in function
Out-of- DJVU::GBitmap::decode() via A-DJV-DJVU-
bounds 24-Jun-21 6.8 crafted djvu file may lead to N/A
020721/44
Write application crash and other
consequences.
CVE ID : CVE-2021-32493
A flaw was found in djvulibre-
3.5.28 and earlier. A Stack
overflow in function
Out-of- DJVU::DjVuDocument::get_djv A-DJV-DJVU-
bounds 24-Jun-21 6.8 u_file() via crafted djvu file N/A
020721/45
Write may lead to application crash
and other consequences.
CVE ID : CVE-2021-3500
Ec-cube
business_form_output
Improper Cross-site scripting
Neutralizatio vulnerability in EC-CUBE
n of Input Business form output plugin
During Web (for EC-CUBE 3.0 series) A-EC--BUSI-
22-Jun-21 4.3 N/A
Page versions prior to version 020721/46
Generation 1.0.1 allows a remote
('Cross-site attacker to inject an arbitrary
Scripting') script via unspecified vector.
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 19 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
CVE ID : CVE-2021-20742
Cross-site scripting
vulnerability in EC-CUBE
Improper Category contents plugin (for
Neutralizatio EC-CUBE 3.0 series) versions https://ww
n of Input prior to version 1.0.1 allows a w.ec-
During Web remote attacker to inject an cube.net/pro A-EC--BUSI-
22-Jun-21 4.3
Page arbitrary script by leading an ducts/detail. 020721/47
Generation administrator or a user to a php?product
('Cross-site specially crafted page and to _id=1070
Scripting') perform a specific operation.
CVE ID : CVE-2021-20744
ec-cube
Cross-site scripting
Improper vulnerability in EC-CUBE
Neutralizatio Business form output plugin
n of Input (for EC-CUBE 3.0 series)
During Web versions prior to version A-EC--EC-C-
22-Jun-21 4.3 N/A
Page 1.0.1 allows a remote 020721/48
Generation attacker to inject an arbitrary
('Cross-site script via unspecified vector.
Scripting')
CVE ID : CVE-2021-20742
Cross-site scripting
vulnerability in EC-CUBE
Improper Email newsletters
Neutralizatio management plugin (for EC-
n of Input CUBE 3.0 series) versions
During Web prior to version 1.0.4 allows a A-EC--EC-C-
22-Jun-21 4.3 remote attacker to inject an N/A
Page 020721/49
Generation arbitrary script by leading a
('Cross-site user to a specially crafted
Scripting') page and to perform a
specific operation.
CVE ID : CVE-2021-20743
Improper Cross-site scripting https://ww
Neutralizatio vulnerability in EC-CUBE w.ec- A-EC--EC-C-
22-Jun-21 4.3
n of Input Category contents plugin (for cube.net/pro 020721/50
During Web EC-CUBE 3.0 series) versions ducts/detail.

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 20 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Page prior to version 1.0.1 allows a php?product
Generation remote attacker to inject an _id=1070
('Cross-site arbitrary script by leading an
Scripting') administrator or a user to a
specially crafted page and to
perform a specific operation.
CVE ID : CVE-2021-20744
email_newsletters_management
Cross-site scripting
vulnerability in EC-CUBE
Improper Email newsletters
Neutralizatio management plugin (for EC-
n of Input CUBE 3.0 series) versions
During Web prior to version 1.0.4 allows a A-EC--EMAI-
22-Jun-21 4.3 remote attacker to inject an N/A
Page 020721/51
Generation arbitrary script by leading a
('Cross-site user to a specially crafted
Scripting') page and to perform a
specific operation.
CVE ID : CVE-2021-20743
Eclipse
jetty
For Eclipse Jetty versions <=
9.4.40, <= 10.0.2, <= 11.0.2, if
an exception is thrown from
the
SessionListener#sessionDest
royed() method, then the https://githu
session ID is not invalidated b.com/eclips
Insufficient in the session ID manager. On e/jetty.proje
A-ECL-JETT-
Session 22-Jun-21 3.6 deployments with clustered ct/security/a
020721/52
Expiration sessions and multiple dvisories/GH
contexts this can result in a SA-m6cp-
session not being invalidated. vxjx-65j6
This can result in an
application used on a shared
computer being left logged in.
CVE ID : CVE-2021-34428

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 21 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
eic
e-document_system
An issue was discovered in
EXCELLENT INFOTEK
CORPORATION (EIC) E-
document System 3.0. A
remote attacker can use
kw/auth/bbs/asp/get_user_e
Exposure of mail_info_bbs.asp to obtain
Sensitive the contact information https://ww
Information (name and e-mail address) of w.eic.com.tw A-EIC-E-DO-
16-Jun-21 5
to an everyone in the entire /eicHome/pr 020721/53
Unauthorize organization. This o00.html
d Actor information can allow remote
attackers to perform social
engineering or brute force
attacks against the system
login page.
CVE ID : CVE-2021-34683
elabftw
elabftw
https://githu
eLabFTW is an open source b.com/elabft
electronic lab notebook for w/elabftw/c
research labs. This ommit/3d2d
vulnerability allows an b4d3ad90b0
attacker to make GET 915f29f05ae
Server-Side
requests on behalf of the ba41eaaf6a7
Request A-ELA-ELAB-
21-Jun-21 4 server. It is "blind" because c726,
Forgery 020721/54
the attacker cannot see the https://githu
(SSRF)
result of the request. Issue b.com/elabft
has been patched in w/elabftw/s
eLabFTW 4.0.0. ecurity/advis
ories/GHSA-
CVE ID : CVE-2021-32698 mh6g-62p8-
26m4
expresstech
quiz_and_survey_master

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 22 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
The Quiz And Survey Master
â€“ Best Quiz, Exam and
Survey Plugin WordPress
Improper plugin before 7.1.18 did not
sanitise or escape its result_id https://wpsc
Neutralizatio
parameter when displaying an.com/vuln
n of Input
an existing quiz result page, erability/7f2
During Web A-EXP-QUIZ-
20-Jun-21 4.3 leading to a reflected Cross- fda5b-45a5-
Page 020721/55
Site Scripting issue. This 4fc6-968f-
Generation
could allow for privilege 90bc9674c9
('Cross-site
escalation by inducing a 99
Scripting')
logged in admin to open a
malicious link
CVE ID : CVE-2021-24368
F-secure
cloud_protection_for_salesforce
A Denial-of-Service (DoS)
vulnerability was discovered
in F-Secure Linux Security
whereby the FSAVD https://ww
component used in certain F- w.f-
Secure products can crash secure.com/
NULL while scanning larger en/business/ A-F-S-CLOU-
Pointer 21-Jun-21 4 packages/fuzzed files. The support-and- 020721/56
Dereference exploit can be triggered downloads/s
remotely by an attacker. A ecurity-
successful attack will result in advisories
Denial-of-Service (DoS) of the
Anti-Virus engine.
CVE ID : CVE-2021-33572
elements_for_microsoft_365
A Denial-of-Service (DoS)
https://ww
vulnerability was discovered
w.f-
NULL in F-Secure Linux Security
secure.com/ A-F-S-ELEM-
Pointer 21-Jun-21 4 whereby the FSAVD
en/business/ 020721/57
Dereference component used in certain F-
support-and-
Secure products can crash
downloads/s
while scanning larger
ecurity-
packages/fuzzed files. The
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 23 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
exploit can be triggered advisories
remotely by an attacker. A
successful attack will result in
Denial-of-Service (DoS) of the
Anti-Virus engine.
CVE ID : CVE-2021-33572
endpoint_protection
A Denial-of-Service (DoS)
vulnerability was discovered
in F-Secure Linux Security
whereby the FSAVD https://ww
component used in certain F- w.f-
Secure products can crash secure.com/
NULL while scanning larger en/business/ A-F-S-ENDP-
Pointer 21-Jun-21 4 packages/fuzzed files. The support-and- 020721/58
Dereference exploit can be triggered downloads/s
remotely by an attacker. A ecurity-
successful attack will result in advisories
Denial-of-Service (DoS) of the
Anti-Virus engine.
CVE ID : CVE-2021-33572
linux_security
A Denial-of-Service (DoS)
vulnerability was discovered
in F-Secure Linux Security
whereby the FSAVD https://ww
component used in certain F- w.f-
Secure products can crash secure.com/
NULL while scanning larger en/business/ A-F-S-LINU-
Pointer 21-Jun-21 4 packages/fuzzed files. The support-and- 020721/59
Dereference exploit can be triggered downloads/s
remotely by an attacker. A ecurity-
successful attack will result in advisories
Denial-of-Service (DoS) of the
Anti-Virus engine.
CVE ID : CVE-2021-33572
fisco-bcos
fisco-bcos

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 24 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
The blockchain node in
FISCO-BCOS V2.7.2 may have
a bug when dealing with
unformatted packet and lead
to a crash. A malicious node
can send a packet
continuously. The packet is in https://githu
an incorrect format and b.com/FISCO
Uncontrolled cannot be decoded by the - A-FIS-FISC-
Resource 24-Jun-21 5 node correctly. As a result, BCOS/FISCO- 020721/60
Consumption the node may consume the BCOS/issues
memory sustainably and /1951
crash. More details are shown
at:
https://github.com/FISCO-
BCOS/FISCO-
BCOS/issues/1951
CVE ID : CVE-2021-35041
Fogproject
fogproject
Unrestricted FOGProject v1.5.9 is affected
Upload of by a File Upload RCE A-FOG-
File with 16-Jun-21 6.5 (Authenticated). N/A FOGP-
Dangerous 020721/61
Type CVE ID : CVE-2021-32243

Foxitsoftware
foxit_reader
This vulnerability allows
remote attackers to execute
arbitrary code on affected
Access of installations of Foxit https://ww
Resource PhantomPDF 10.1.3.37598. w.foxit.com/
Using User interaction is required support/sec A-FOX-FOXI-
16-Jun-21 6.8
Incompatible to exploit this vulnerability in urity- 020721/62
Type ('Type that the target must visit a bulletins.htm
Confusion') malicious page or open a l
malicious file. The specific
flaw exists within the
handling of XFA templates.
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 25 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
The issue results from the
lack of proper validation of
user-supplied data, which can
result in a type confusion
condition. An attacker can
leverage this vulnerability to
execute code in the context of
the current process. Was ZDI-
CAN-13531.
CVE ID : CVE-2021-31476
phantompdf
This vulnerability allows
remote attackers to execute
arbitrary code on affected
installations of Foxit
PhantomPDF 10.1.3.37598.
User interaction is required
to exploit this vulnerability in
that the target must visit a
Access of malicious page or open a https://ww
Resource malicious file. The specific w.foxit.com/
flaw exists within the A-FOX-
Using support/sec
16-Jun-21 6.8 handling of XFA templates. PHAN-
Incompatible urity-
The issue results from the 020721/63
Type ('Type bulletins.htm
Confusion') lack of proper validation of l
user-supplied data, which can
result in a type confusion
condition. An attacker can
leverage this vulnerability to
execute code in the context of
the current process. Was ZDI-
CAN-13531.
CVE ID : CVE-2021-31476
Get-simple
getsimplecms
Unrestricted Remote Code Execution
Upload of vulnerability in A-GET-GETS-
23-Jun-21 6.5 N/A
File with GetSimpleCMS before 3.3.16 020721/64
Dangerous in admin/upload.php via
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 26 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Type phar filess.
CVE ID : CVE-2021-28976
Cross Site Scripting
Improper vulnerability in
Neutralizatio GetSimpleCMS 3.3.16 in
n of Input admin/upload.php by adding
During Web comments or jpg and other A-GET-GETS-
23-Jun-21 3.5 N/A
Page file header information to the 020721/65
Generation content of xla, pages, and gzip
('Cross-site files,
Scripting')
CVE ID : CVE-2021-28977
getastra
wp_hardening
The WP Hardening â€“ Fix
Your WordPress Security
Improper WordPress plugin before https://wpsc
Neutralizatio 1.2.2 did not sanitise or an.com/vuln
n of Input escape the erability/534 A-GET-
During Web $_SERVER['REQUEST_URI']
21-Jun-21 4.3 0ae4e-95ba- WP_H-
Page before outputting it in an 4a69-beb1- 020721/66
Generation attribute, leading to a 3459cac177
('Cross-site reflected Cross-Site Scripting 82
Scripting') issue.
CVE ID : CVE-2021-24372
The WP Hardening â€“ Fix
Improper Your WordPress Security
WordPress plugin before https://wpsc
Neutralizatio
1.2.2 did not sanitise or an.com/vuln
n of Input
escape the historyvalue GET erability/fcf1 A-GET-
During Web
21-Jun-21 4.3 parameter before outputting 7278-609f- WP_H-
Page
it in a Javascript block, 4f75-8a87- 020721/67
Generation
leading to a reflected Cross- 9b4579dee1
('Cross-site
Site Scripting issue. c8
Scripting')
CVE ID : CVE-2021-24373
Gitlab
gitlab

Uncontrolled 24-Jun-21 4.3 In the bindata RubyGem https://githu A-GIT-GITL-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 27 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Resource before version 2.4.10 there is b.com/rubys 020721/68
Consumption a potential denial-of-service ec/ruby-
vulnerability. In affected advisory-
versions it is very slow for db/issues/4
certain classes in BinData to 76,
be created. For example https://githu
BinData::Bit100000, b.com/dmen
BinData::Bit100001, del/bindata/
BinData::Bit100002, commit/d99f
BinData::Bit<N>. In 050b883375
combination with 59be2cb359
<user_input>.constantize 06c1f8da495
there is a potential for a CPU- 31323
based DoS. In version 2.4.10
bindata improved the
creation time of Bits and
Integers.
CVE ID : CVE-2021-32823
gitpod
gitpod
https://githu
b.com/gitpo
d-
io/gitpod/pu
ll/2879#issu
ecomment-
865662372,
URL https://githu
Redirection Gitpod before 0.6.0 allows b.com/gitpo
unvalidated redirects. d- A-GIT-GITP-
to Untrusted 22-Jun-21 5.8
Site ('Open io/gitpod/pu 020721/69
CVE ID : CVE-2021-35206
Redirect') ll/4567/com
mits/f78b7d
18e509e28e
71b65bbd4d
fd52c16ca57
c18,
https://githu
b.com/gitpo
d-
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 28 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
io/gitpod/co
mmit/8ca43
1f86ae3a6f9
a17afcfed51c
dd065fcff1a5
hashicorp
nomad
https://discu
ss.hashicorp.
com/t/hcsec
HashiCorp Nomad and -2021-14-
Nomad Enterprise up to nomad-
version 1.0.4 bridge bridge-
networking mode allows ARP networking- A-HAS-
N/A 17-Jun-21 3.3 spoofing from other bridged mode- NOMA-
tasks on the same node. Fixed allows-arp- 020721/70
in 0.12.12, 1.0.5, and 1.1.0 spoofing-
RC1. from-other-
CVE ID : CVE-2021-32575 bridged-
tasks-on-
same-
node/24296
helm
helm
Helm is a tool for managing
Charts (packages of pre-
configured Kubernetes
resources). In versions of
helm prior to 3.6.1, a https://githu
Exposure of
vulnerability exists where the b.com/helm/
Sensitive
username and password helm/securit A-HEL-
Information
16-Jun-21 5 credentials associated with a y/advisories HELM-
to an
Helm repository could be /GHSA- 020721/71
Unauthorize
passed on to another domain 56hp-xqp3-
d Actor
referenced by that Helm w2jf
repository. This issue has
been resolved in 3.6.1. There
is a workaround through
which one may check for

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 29 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
improperly passed
credentials. One may use a
username and password for a
Helm repository and may
audit the Helm repository in
order to check for another
domain being used that could
have received the credentials.
In the `index.yaml` file for
that repository, one may look
for another domain in the
`urls` list for the chart
versions. If there is another
domain found and that chart
version was pulled or
installed, the credentials
would be passed on.
CVE ID : CVE-2021-32690
Hitachi
application_server_v10_manual
Cross-site scripting
vulnerability in Hitachi
Application Server Help
Improper (Hitachi Application Server https://ww
Neutralizatio V10 Manual (Windows) w.hitachi.co.j
n of Input version 10-11-01 and earlier p/Prod/com
During Web and Hitachi Application p/soft1/glob A-HIT-APPL-
22-Jun-21 4.3
Page Server V10 Manual (UNIX) al/security/i 020721/72
Generation version 10-11-01 and earlier) nfo/vuls/hit
('Cross-site allows a remote attacker to achi-sec-
Scripting') inject an arbitrary script via 2021-104
unspecified vectors.
CVE ID : CVE-2021-20741
IBM
db2
Improper Db2 for Linux, UNIX and https://exch A-IBM-DB2-
Neutralizatio 16-Jun-21 5 Windows (includes Db2 ange.xforce.i 020721/73
n of Special Connect Server) 11.1.4 and bmcloud.com

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 30 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Elements in 11.5.5 is vulnerable to a /vulnerabiliti
Output Used denial of service as the server es/200658,
by a terminates abnormally when https://ww
Downstream executing a specially crafted w.ibm.com/s
Component SELECT statement. IBM X- upport/page
('Injection') Force ID: 200658. s/node/6463
CVE ID : CVE-2021-29702 985

Db2 for Linux, UNIX and https://ww

IBM Resilient SOAR V38.0 https://ww

Use of a uses weaker than expected w.ibm.com/s
Broken or cryptographic algorithms that upport/page
Risky 16-Jun-21 5 could allow an attacker to s/node/6464 A-IBM-RESI-
043, 020721/76
Cryptographi decrypt highly sensitive
c Algorithm information. IBM X-Force ID: https://exch
199238. ange.xforce.i
bmcloud.com
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 31 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
CVE ID : CVE-2021-20566 /vulnerabiliti
es/199238
https://ww
IBM Resilient SOAR V38.0 w.ibm.com/s
could allow a local privileged upport/page
Missing attacker to obtain sensitive s/node/6464
Encryption information due to improper 039, A-IBM-RESI-
16-Jun-21 2.1 or nonexisting
of Sensitive https://exch 020721/77
Data encryption.IBM X-Force ID: ange.xforce.i
199239. bmcloud.com
CVE ID : CVE-2021-20567 /vulnerabiliti
es/199239
security_identity_manager
IBM Security Identity https://exch
Manager 6.0.2 is vulnerable ange.xforce.i
to server-side request forgery bmcloud.com
Server-Side (SSRF). By sending a specially /vulnerabiliti
Request crafted request, a remote es/197591, A-IBM-SECU-
16-Jun-21 4 authenticated attacker could
Forgery https://ww 020721/78
(SSRF) exploit this vulnerability to w.ibm.com/s
obtain sensitive data. IBM X- upport/page
Force ID: 197591. s/node/6464
CVE ID : CVE-2021-20483 081

IBM Security Identity

Out-of- IBM Security Identity https://ww A-IBM-SECU-

28-Jun-21 4
bounds Manager Adapters 6.0 and 7.0 w.ibm.com/s 020721/80

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 32 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Write are vulnerable to a heap upport/page
based buffer overflow, caused s/node/6465
by improper bounds. An 875
authenticared user could
overflow the buffer and cause
the service to crash. IBM X-
Force ID: 197882.
CVE ID : CVE-2021-20494
icehrm
icehrm
A stored cross site scripting
(XSS) vulnerability was
Improper discovered in Ice Hrm
Neutralizatio 29.0.0.OS which allows
n of Input attackers to execute arbitrary
During Web web scripts or HTML via a A-ICE-ICEH-
22-Jun-21 3.5 crafted file uploaded into the N/A
Page 020721/81
Generation Document Management tab.
('Cross-site The exploit is triggered when
Scripting') a user visits the upload
location of the crafted file.
CVE ID : CVE-2021-34243
A cross site request forgery
(CSRF) vulnerability was
Cross-Site discovered in Ice Hrm
Request 29.0.0.OS which allows A-ICE-ICEH-
22-Jun-21 6.8 attackers to create new N/A
Forgery 020721/82
(CSRF) admin accounts or change
users' passwords.
CVE ID : CVE-2021-34244
Improper Cross site scripting (XSS)
Neutralizatio vulnerability in Ice Hrm
n of Input 29.0.0.OS, allows attackers to
During Web execute arbitrary code via the A-ICE-ICEH-
22-Jun-21 4.3 N/A
Page parameters to the /app/ 020721/83
Generation endpoint.
('Cross-site
Scripting') CVE ID : CVE-2021-35045

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 33 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
A session fixation
vulnerability was discovered
in Ice Hrm 29.0.0 OS which
Session allows an attacker to hijack a A-ICE-ICEH-
22-Jun-21 5.8 N/A
Fixation valid user session via a 020721/84
crafted session cookie.
CVE ID : CVE-2021-35046
increments
qiita_markdown
Improper
Neutralizatio Increments Qiita::Markdown
n of Input before 0.34.0 allows XSS via a
During Web crafted gist link, a different A-INC-QIIT-
21-Jun-21 4.3 vulnerability than CVE-2021- N/A
Page 020721/85
Generation 28796.
('Cross-site CVE ID : CVE-2021-28833
Scripting')
Intel
brand_verification_tool
Improper permissions in the
installer for the Intel(R) https://ww
Brand Verification Tool w.intel.com/
before version 11.0.0.1225 content/ww
Incorrect
may allow an authenticated w/us/en/sec A-INT-BRAN-
Default 17-Jun-21 4.6
user to potentially enable urity- 020721/86
Permissions
escalation of privilege via center/advis
local access. ory/intel-sa-
00546.html
CVE ID : CVE-2021-0143
is-svg_project
is-svg

A vulnerability was https://githu

Allocation of discovered in IS-SVG version b.com/yeting
Resources 4.3.1 and below where a li/PoCs/blob
A-IS--IS-S-
Without 21-Jun-21 5 Regular Expression Denial of /main/CVE-
020721/87
Limits or Service (ReDOS) occurs if the 2021-
Throttling application is provided and 29059/IS-
checks a crafted invalid SVG SVG.md

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 34 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
string.
CVE ID : CVE-2021-29059
jdom
jdom

Improper An XXE issue in SAXBuilder in

Restriction JDOM through 2.0.6 allows https://githu
of XML attackers to cause a denial of b.com/hunte A-JDO-JDOM-
16-Jun-21 5 service via a crafted HTTP
External rhacker/jdo 020721/88
Entity request. m/pull/188
Reference CVE ID : CVE-2021-33813
Jenkins
generic_webhook_trigger

Jenkins Generic Webhook https://ww

Improper
Trigger Plugin 1.72 and w.jenkins.io/
Restriction
earlier does not configure its security/advi
of XML A-JEN-GENE-
18-Jun-21 7.5 XML parser to prevent XML sory/2021-
External 020721/89
external entity (XXE) attacks. 06-
Entity
18/#SECURI
Reference CVE ID : CVE-2021-21669 TY-2330
scriptler
Jenkins Scriptler Plugin 3.2
and earlier does not escape
Improper parameter names shown in https://ww
Neutralizatio job configuration forms, w.jenkins.io/
n of Input resulting in a stored cross- security/advi
During Web site scripting (XSS) A-JEN-SCRI-
16-Jun-21 3.5 sory/2021-
Page vulnerability exploitable by 020721/90
06-
Generation attackers with 16/#SECURI
('Cross-site Scriptler/Configure TY-2224
Scripting') permission.
CVE ID : CVE-2021-21667
Improper Jenkins Scriptler Plugin 3.1 https://ww
Neutralizatio and earlier does not escape w.jenkins.io/
n of Input 16-Jun-21 3.5 script content, resulting in a security/advi A-JEN-SCRI-
During Web stored cross-site scripting sory/2021- 020721/91
Page (XSS) vulnerability 06-
Generation exploitable by attackers with 16/#SECURI

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 35 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
('Cross-site Scriptler/Configure TY-2390
Scripting') permission.
CVE ID : CVE-2021-21668
jpress
jpress
An issue was discovered in
Improper JPress v3.3.0 and below.
Neutralizatio There are XSS vulnerabilities
n of Input in the template module and
During Web tag management module. If A-JPR-JPRE-
18-Jun-21 3.5 you log in to the background N/A
Page 020721/92
Generation by means of weak password,
('Cross-site the storage XSS vulnerability
Scripting') can occur.
CVE ID : CVE-2021-33347
lutils_project
lutils
All versions of package lutils
are vulnerable to Prototype
Pollution via the main A-LUT-LUTI-
N/A 17-Jun-21 7.5 N/A
(merge) function. 020721/93

CVE ID : CVE-2021-23396
Mantisbt
mantisbt
An XSS issue was discovered
Improper in https://mant
Neutralizatio manage_custom_field_edit_pa isbt.org/bugs
n of Input ge.php in MantisBT before /view.php?id
A-MAN-
During Web 2.25.2. Unescaped output of =28552,
17-Jun-21 4.3 MANT-
Page the return parameter allows https://mant
020721/94
Generation an attacker to inject code into isbt.org/blog
('Cross-site a hidden input field. /archives/m
Scripting') antisbt/699
CVE ID : CVE-2021-33557
Matrix
olm

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 36 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
https://gitla
b.matrix.org/
matrix-
Matrix libolm before 3.2.3 org/olm/-
allows a malicious Matrix /releases/3.
homeserver to crash a client 2.3,
(while it is attempting to https://matr
retrieve an Olm encrypted ix.org/blog/
room key backup from the 2021/06/14
Out-of- homeserver) because /adventures-
A-MAT-OLM-
bounds 16-Jun-21 7.5 olm_pk_decrypt has a stack- in-fuzzing-
020721/95
Write based buffer overflow. libolm,
Remote code execution might https://gitla
be possible for some b.matrix.org/
nonstandard build matrix-
configurations. org/olm/-
/commit/ccc
CVE ID : CVE-2021-34813 0d122ee1b4
d5e5ca4ec14
32086be17d
5f901b
mcusystem
mcusystem
The login page in the
Improper MCUsystem does not filter
Neutralizatio with special characters,
n of Input which allows remote A-MCU-
During Web attackers can inject JavaScript N/A
18-Jun-21 4.3 MCUS-
Page without privilege and thus 020721/96
Generation perform reflected XSS
('Cross-site attacks.
Scripting')
CVE ID : CVE-2021-32536
mongo-express_project
mongo-express
Improper mongo-express is a web- https://githu
Neutralizatio based MongoDB admin b.com/mong A-MON-
n of Input 21-Jun-21 4.3 interface, written with o- MONG-
During Web Node.js and express. 1: As express/mon 020721/97
Page mentioned in this issue: go-
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 37 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Generation https://github.com/mongo- express/com
('Cross-site express/mongo- mit/f5e0d49
Scripting') express/issues/577, when 31f856f032f
the content of a cell grows 22664b5e59
larger than supported size, 01d5950cfd4
clicking on a row will show b,
full document unescaped, https://githu
however this needs admin b.com/mong
interaction on cell. 2: Data o-
cells identified as media will express/mon
be rendered as media, go-
without being sanitized. express/secu
Example of different renders: rity/advisori
image, audio, video, etc. As an es/GHSA-
example of type 1 attack, an 7p8h-86p5-
unauthorized user who only wv3p
can send a large amount of
data in a field of a document
may use a payload with
embedded javascript. This
could send an export of a
collection to the attacker
without even an admin
knowing. Other types of
attacks such as dropping a
database\collection are
possible.
CVE ID : CVE-2021-21422
Moodle
moodle
A command execution
vulnerability exists in the
Incorrect default legacy spellchecker
Permission plugin in Moodle 3.10. A A-MOO-
Assignment 23-Jun-21 9 specially crafted series of N/A MOOD-
for Critical HTTP requests can lead to 020721/98
Resource command execution. An
attacker must have
administrator privileges to

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 38 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
exploit this vulnerabilities.
CVE ID : CVE-2021-21809
Improper
Neutralizatio Cross Site Scripting (XSS) in
n of Input Moodle 3.10.3 allows remote
attackers to execute arbitrary A-MOO-
During Web
16-Jun-21 3.5 web script or HTML via the N/A MOOD-
Page
"Description" field. 020721/99
Generation
('Cross-site CVE ID : CVE-2021-32244
Scripting')
Mozilla
firefox
https://ww
w.mozilla.org
/security/ad
visories/mfs
Ports that were written as an a2021-15/,
integer overflow above the https://ww
bounds of a 16-bit integer w.mozilla.org
could have bypassed port /security/ad
blocking restrictions when visories/mfs
Integer
used in the Alt-Svc header. a2021-16/, A-MOZ-FIRE-
Overflow or 24-Jun-21 6.8
This vulnerability affects https://ww 020721/100
Wraparound
Firefox ESR < 78.10, w.mozilla.org
Thunderbird < 78.10, and /security/ad
Firefox < 88. visories/mfs
a2021-14/,
CVE ID : CVE-2021-29946 https://bugz
illa.mozilla.o
rg/show_bug
.cgi?id=1698
503
Improper Mozilla developers and https://ww
Restriction community members w.mozilla.org
of reported memory safety bugs /security/ad A-MOZ-FIRE-
Operations 24-Jun-21 6.8 present in Firefox 87. Some of visories/mfs 020721/101
within the these bugs showed evidence a2021-16/,
Bounds of a of memory corruption and we https://bugz
Memory presume that with enough illa.mozilla.o

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 39 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Buffer effort some of these could rg/buglist.cgi
have been exploited to run ?bug_id=165
arbitrary code. This 1449%2C16
vulnerability affects Firefox < 74142%2C1
88. 693476%2C
CVE ID : CVE-2021-29947 1696886%2
C1700091
When Web Render
components were destructed, https://ww
Concurrent
a race condition could have w.mozilla.org
Execution
caused undefined behavior, /security/ad
using Shared
and we presume that with visories/mfs
Resource
enough effort may have been a2021-20/, A-MOZ-FIRE-
with 24-Jun-21 5.1
exploitable to run arbitrary https://bugz 020721/102
Improper
code. This vulnerability illa.mozilla.o
Synchronizat
affects Firefox < 88.0.1 and rg/show_bug
ion ('Race
Firefox for Android < 88.1.3. .cgi?id=1704
Condition')
227
CVE ID : CVE-2021-29952
When a download was https://ww
initiated, the client did not w.mozilla.org
check whether it was in /security/ad
Exposure of normal or private browsing visories/mfs
Resource to mode, which led to private a2021-25/, A-MOZ-FIRE-
24-Jun-21 4.3 mode cookies being shared in
Wrong https://bugz 020721/103
Sphere normal browsing mode. This illa.mozilla.o
vulnerability affects Firefox rg/show_bug
for iOS < 34. .cgi?id=1670
CVE ID : CVE-2021-29958 127

Firefox for Android would https://ww

become unstable and hard- w.mozilla.org
to-recover when a website /security/ad
Improper opened too many popups. visories/mfs
Resource *This bug only affects Firefox a2021-23/, A-MOZ-FIRE-
24-Jun-21 4.3 for Android. Other operating
Shutdown or https://bugz 020721/104
Release systems are unaffected.*. This illa.mozilla.o
vulnerability affects Firefox < rg/show_bug
89. .cgi?id=1701
CVE ID : CVE-2021-29962 673

Improper 24-Jun-21 6.8 Mozilla developers reported https://ww A-MOZ-FIRE-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 40 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Restriction memory safety bugs present w.mozilla.org 020721/105
of in Firefox 88. Some of these /security/ad
Operations bugs showed evidence of visories/mfs
within the memory corruption and we a2021-23/
Bounds of a presume that with enough
Memory effort some of these could
Buffer have been exploited to run
arbitrary code. This
vulnerability affects Firefox <
89.
CVE ID : CVE-2021-29966

Mozilla developers reported https://ww

memory safety bugs present w.mozilla.org
in Firefox 88 and Firefox ESR /security/ad
78.11. Some of these bugs visories/mfs
Improper
showed evidence of memory a2021-23/,
Restriction
corruption and we presume https://ww
of
that with enough effort some w.mozilla.org
Operations A-MOZ-FIRE-
24-Jun-21 6.8 of these could have been /security/ad
within the 020721/106
exploited to run arbitrary visories/mfs
Bounds of a
code. This vulnerability a2021-24/,
Memory
affects Thunderbird < 78.11, https://ww
Buffer
Firefox < 89, and Firefox ESR w.mozilla.org
< 78.11. /security/ad
visories/mfs
CVE ID : CVE-2021-29967 a2021-26/
When drawing text onto a https://bugz
canvas with WebRender illa.mozilla.o
disabled, an out of bounds rg/show_bug
read could occur. *This bug .cgi?id=1712
Out-of- only affects Firefox on 047, A-MOZ-FIRE-
24-Jun-21 5.8 Windows. Other operating
bounds Read https://ww 020721/107
systems are unaffected.*. This w.mozilla.org
vulnerability affects Firefox < /security/ad
89.0.1. visories/mfs
CVE ID : CVE-2021-29968 a2021-27/

firefox_esr

Integer Ports that were written as an https://ww A-MOZ-FIRE-

24-Jun-21 6.8
Overflow or integer overflow above the w.mozilla.org 020721/108
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 41 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Wraparound bounds of a 16-bit integer /security/ad
could have bypassed port visories/mfs
blocking restrictions when a2021-15/,
used in the Alt-Svc header. https://ww
This vulnerability affects w.mozilla.org
Firefox ESR < 78.10, /security/ad
Thunderbird < 78.10, and visories/mfs
Firefox < 88. a2021-16/,
CVE ID : CVE-2021-29946 https://ww
w.mozilla.org
/security/ad
visories/mfs
a2021-14/,
https://bugz
illa.mozilla.o
rg/show_bug
.cgi?id=1698
503

Mozilla developers reported https://ww

memory safety bugs present w.mozilla.org
in Firefox 88 and Firefox ESR /security/ad
78.11. Some of these bugs visories/mfs
Improper
showed evidence of memory a2021-23/,
Restriction
corruption and we presume https://ww
of
that with enough effort some w.mozilla.org
Operations A-MOZ-FIRE-
24-Jun-21 6.8 of these could have been /security/ad
within the 020721/109
exploited to run arbitrary visories/mfs
Bounds of a
code. This vulnerability a2021-24/,
Memory
affects Thunderbird < 78.11, https://ww
Buffer
Firefox < 89, and Firefox ESR w.mozilla.org
< 78.11. /security/ad
visories/mfs
CVE ID : CVE-2021-29967 a2021-26/
thunderbird
Ports that were written as an https://ww
Integer integer overflow above the w.mozilla.org A-MOZ-
Overflow or 24-Jun-21 6.8 bounds of a 16-bit integer /security/ad THUN-
Wraparound could have bypassed port visories/mfs 020721/110
blocking restrictions when a2021-15/,
used in the Alt-Svc header. https://ww

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 42 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
This vulnerability affects w.mozilla.org
Firefox ESR < 78.10, /security/ad
Thunderbird < 78.10, and visories/mfs
Firefox < 88. a2021-16/,
CVE ID : CVE-2021-29946 https://ww
w.mozilla.org
/security/ad
visories/mfs
a2021-14/,
https://bugz
illa.mozilla.o
rg/show_bug
.cgi?id=1698
503
Thunderbird unprotects a https://bugz
secret OpenPGP key prior to illa.mozilla.o
using it for a decryption, rg/show_bug
Cleartext signing or key import task. If .cgi?id=1673
the task runs into a failure, A-MOZ-
Storage of 239,
24-Jun-21 5 the secret key may remain in THUN-
Sensitive https://ww
memory in its unprotected 020721/111
Information w.mozilla.org
state. This vulnerability /security/ad
affects Thunderbird < 78.8.1. visories/mfs
CVE ID : CVE-2021-29950 a2021-17/

Mozilla developers reported https://ww

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 43 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
mpmath
mpmath
https://githu
b.com/npm/
A Regular Expression Denial hosted-git-
Allocation of of Service (ReDOS) info/pull/76,
Resources vulnerability was discovered https://githu A-MPM-
Without 21-Jun-21 5 in Mpmath v1.0.0 when the b.com/yeting MPMA-
Limits or mpmathify function is called. li/PoCs/blob 020721/113
Throttling /main/CVE-
CVE ID : CVE-2021-29063 2021-
29063/Mpm
ath.md
msi
dragon_center
MODAPI.sys in MSI Dragon
Center 2.0.104.0 allows low-
privileged users to access
kernel memory and
potentially escalate privileges https://githu
Improper A-MSI-
via a crafted IOCTL b.com/rjt-
Privilege 21-Jun-21 7.2 DRAG-
0x9c406104 call. This IOCTL gupta/CVE-
Management 020721/114
provides the MmMapIoSpace 2021-29337
feature for mapping physical
memory.
CVE ID : CVE-2021-29337
myq-solution
myq_server

Improper MyQ Server in MyQ X Smart

Neutralizatio before 8.2 allows remote
n of Special code execution by
Elements unprivileged users because A-MYQ-
used in an OS 21-Jun-21 9 administrative session data N/A MYQ_-
Command can be read in the 020721/115
('OS %PROGRAMFILES%\MyQ\P
Command HP\Sessions directory. The
Injection') "Select server file" feature is
only intended for

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 44 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
administrators but actually
does not require
authorization. An attacker
can inject arbitrary OS
commands (such as
commands to create new .php
files) via the Task Scheduler
component.
CVE ID : CVE-2021-31769
neos
form
neos/forms is an open source
framework to build web
forms. By crafting a special
`GET` request containing a https://githu
valid form state, a form can b.com/neos/
be submitted without form/commi
invoking any validators. Form t/69de4219b
state is secured with an 1f58157e2be
HMAC that is still verified. 6b05811463
That means that this issue 875d75c246,
can only be exploited if Form https://githu
Finishers cause side effects b.com/neos/
even if no form values have form/securit
Improper A-NEO-
been sent. Form Finishers can y/advisories
Input 21-Jun-21 5 FORM-
be adjusted in a way that they /GHSA-
Validation 020721/116
only execute an action if the m5vx-8chx-
submitted form contains qvmm,
some expected data. https://githu
Alternatively a custom b.com/neos/
Finisher can be added as first form/commi
finisher. This regression was t/049d4152
introduced with 95be8d4a04
https://github.com/neos/for 78ccba97dba
m/commit/049d415295be8d 1bb8164956
4a0478ccba97dba1bb81649 7
567
CVE ID : CVE-2021-32697
Nextcloud

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 45 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
nextcloud
https://githu
Nextcloud Android app is the b.com/nextcl
Android client for Nextcloud. oud/security
In versions prior to 3.15.1, a -
malicious application on the advisories/s
same device is possible to ecurity/advis A-NEX-
Uncaught
17-Jun-21 4.3 crash the Nextcloud Android ories/GHSA- NEXT-
Exception
Client due to an uncaught h2gm-m374- 020721/117
exception. The vulnerability 99vc,
is patched in version 3.15.1. https://githu
b.com/nextcl
CVE ID : CVE-2021-32694 oud/android
/pull/7919
Nextcloud Android app is the
Android client for Nextcloud.
In versions prior to 3.16.1, a
malicious app on the same https://githu
device could have gotten b.com/nextcl
access to the shared oud/android
preferences of the Nextcloud /pull/8433,
Exposure of
Android application. This https://githu
Sensitive
required user-interaction as a b.com/nextcl A-NEX-
Information
17-Jun-21 4.3 victim had to initiate the oud/security NEXT-
to an
sharing flow and choose the - 020721/118
Unauthorize
malicious app. The shared advisories/s
d Actor
preferences contain some ecurity/advis
limited private data such as ories/GHSA-
push tokens and the account 25m9-cf6c-
name. The vulnerability is qf2c
patched in version 3.16.1.
CVE ID : CVE-2021-32695
talk
Nextcloud Talk is a fully on- https://githu
premises audio/video and b.com/nextcl A-NEX-
Session chat communication service. oud/security TALK-
16-Jun-21 4
Fixation Password protected shared - 020721/119
chats in Talk before version advisories/s
9.0.10, 10.0.8 and 11.2.2 did ecurity/advis

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 46 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
not rotate the session cookie ories/GHSA-
after a successful p6h7-84v4-
authentication event. It is 827r
recommended that the
Nextcloud Talk App is
upgraded to 9.0.10, 10.0.8 or
11.2.2. No workarounds for
this vulnerability are known
to exist.
CVE ID : CVE-2021-32676
octopus
server
Affected versions of Octopus
Server are prone to an https://advis
Improper authenticated SQL injection ories.octopus
Neutralizatio vulnerability in the Events .com/adv/20
n of Special REST API because user 21-04---SQL-
Elements supplied data in the API Injection-in- A-OCT-SERV-
used in an 17-Jun-21 4 request isn’t parameterised the-Events- 020721/120
SQL correctly. Exploiting this REST-API-
Command vulnerability could allow (CVE-2021-
('SQL unauthorised access to 31818).2013
Injection') database tables. 233248.html
CVE ID : CVE-2021-31818
opendesign
drawings_sdk
An out-of-bounds write issue
exists in the DXF file-
recovering procedure in the
Drawings SDK (All versions
Out-of- prior to 2022.4) resulting A-OPE-
bounds 17-Jun-21 6.8 from the lack of proper N/A DRAW-
Write validation of user-supplied 020721/121
data. This can result in a
write past the end of an
allocated buffer and allow
attackers to cause a denial-of-
service condition or execute

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 47 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
code in the context of the
current process.
CVE ID : CVE-2021-32936
Drawings SDK (All versions
prior to 2022.4) are
vulnerable to an out-of-
bounds read due to parsing of
DWG files resulting from the
lack of proper validation of https://us-
user-supplied data. This can cert.cisa.gov/ A-OPE-
Out-of-
17-Jun-21 5.8 result in a read past the end ics/advisorie DRAW-
bounds Read
of an allocated buffer and s/icsa-21- 020721/122
allows attackers to cause a 159-02
denial-of service condition or
read sensitive information
from memory.
CVE ID : CVE-2021-32938
An out-of-bounds read issue
exists in the DWG file-
recovering procedure in the
Drawings SDK (All versions
prior to 2022.4) resulting
from the lack of proper
validation of user-supplied A-OPE-
Out-of- data. This can result in a read
17-Jun-21 5.8 N/A DRAW-
bounds Read past the end of an allocated 020721/123
buffer and allow attackers to
cause a denial-of-service
condition or read sensitive
information from memory
locations.
CVE ID : CVE-2021-32940
A use-after-free issue exists
in the DGN file-reading
procedure in the Drawings A-OPE-
Use After
17-Jun-21 6.8 SDK (All versions prior to N/A DRAW-
Free
2022.4) resulting from the 020721/124
lack of proper validation of
user-supplied data. This can

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 48 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
result in a memory
corruption or arbitrary code
execution, allowing attackers
to cause a denial-of-service
condition or execute code in
the context of the current
process.
CVE ID : CVE-2021-32944
An improper check for
unusual or exceptional
conditions issue exists within
the parsing DGN files from
Drawings SDK (Version
2022.4 and prior) resulting
Improper from the lack of proper
Check for validation of the user- A-OPE-
Unusual or 17-Jun-21 6.8 supplied data. This may N/A DRAW-
Exceptional result in several of out-of- 020721/125
Conditions bounds problems and allow
attackers to cause a denial-of-
service condition or execute
code in the context of the
current process.
CVE ID : CVE-2021-32946
An out-of-bounds write issue
exists in the DWG file-reading
procedure in the Drawings
SDK (All versions prior to
2022.4) resulting from the
lack of proper validation of
Out-of- user-supplied data. This can A-OPE-
bounds 17-Jun-21 6.8 result in a write past the end N/A DRAW-
Write of an allocated buffer and 020721/126
allow attackers to cause a
denial-of-service condition or
execute code in the context of
the current process.
CVE ID : CVE-2021-32948

Out-of- 17-Jun-21 5.8 An out-of-bounds read issue N/A A-OPE-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 49 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
bounds Read exists within the parsing of DRAW-
DXF files in the Drawings SDK 020721/127
(All versions prior to 2022.4)
resulting from the lack of
proper validation of user-
supplied data. This can result
in a read past the end of an
allocated buffer and allows
attackers to cause a denial-of-
service condition or read
sensitive information from
memory locations.
CVE ID : CVE-2021-32950
An out-of-bounds write issue
exists in the DGN file-reading
procedure in the Drawings
SDK (Version 2022.4 and
prior) resulting from the lack
of proper validation of user-
Out-of- supplied data. This can result A-OPE-
bounds 17-Jun-21 6.8 in a write past the end of an N/A DRAW-
Write allocated buffer and allow 020721/128
attackers to cause a denial-of-
service condition or execute
code in the context of the
current process.
CVE ID : CVE-2021-32952
opener_project
opener
An information disclosure
vulnerability exists in the
Ethernet/IP UDP handler
functionality of EIP Stack
Group OpENer 2.3 and A-OPE-
Out-of-
17-Jun-21 9.4 development commit N/A OPEN-
bounds Read
8c73bf3. A specially crafted 020721/129
network request can lead to
an out-of-bounds read.
CVE ID : CVE-2021-21777
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 50 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Oracle
opengrok
Vulnerability in OpenGrok
(component: Web App).
Versions that are affected are
1.6.7 and prior. Easily
exploitable vulnerability https://ww
allows low privileged w.oracle.com
attacker with network access /security-
XML via HTTPS to compromise alerts/oracle
Injection OpenGrok. Successful attacks -open- A-ORA-
(aka Blind 23-Jun-21 6.5 of this vulnerability can result source-cves- OPEN-
XPath in takeover of OpenGrok. outside- 020721/130
Injection) CVSS 3.1 Base Score 8.8 other-oracle-
(Confidentiality, Integrity and public-
Availability impacts). CVSS documents.h
Vector: tml
(CVSS:3.1/AV:N/AC:L/PR:L/
UI:N/S:U/C:H/I:H/A:H).
CVE ID : CVE-2021-2322
ory
oathkeeper
ORY Oathkeeper is an https://githu
Identity & Access Proxy (IAP) b.com/ory/o
and Access Control Decision athkeeper/p
API that authorizes HTTP ull/424,
requests based on sets of https://githu
Access Rules. When you make b.com/ory/o
a request to an endpoint that athkeeper/c
Incorrect requires the scope `foo` using ommit/1f9f6 A-ORY-
Authorizatio 22-Jun-21 4.3 an access token granted with 25c1a49e13 OATH-
n that `foo` scope, introspection 4ae2299ee9 020721/131
will be valid and that token 5b8cf158fee
will be cached. The problem c932,
comes when a second https://githu
requests to an endpoint that b.com/ory/o
requires the scope `bar` is athkeeper/se
made before the cache has curity/advis
expired. Whether the token is ories/GHSA-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 51 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
granted or not to the `bar` qvp4-rpmr-
scope, introspection will be xwrr
valid. A patch will be released
with `v0.38.12-beta.1`. Per
default, caching is disabled
for the `oauth2_introspection`
authenticator. When caching
is disabled, this vulnerability
does not exist. The cache is
checked in [`func (a
*AuthenticatorOAuth2Introsp
ection)
Authenticate(...)`](https://git
hub.com/ory/oathkeeper/blo
b/6a31df1c3779425e05db1c
2a381166b087cb29a4/pipeli
ne/authn/authenticator_oaut
h2_introspection.go#L152).
From
[`tokenFromCache()`](https:/
/github.com/ory/oathkeeper
/blob/6a31df1c3779425e05
db1c2a381166b087cb29a4/
pipeline/authn/authenticator
_oauth2_introspection.go#L9
7) it seems that it only
validates the token expiration
date, but ignores whether the
token has or not the proper
scopes. The vulnerability was
introduced in PR #424.
During review, we failed to
require appropriate test
coverage by the submitter
which is the primary reason
that the vulnerability passed
the review process.
CVE ID : CVE-2021-32701
Otrs
otrs

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 52 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
There is a XSS vulnerability in
the ticket overview screens.
It's possible to collect various
information by having an e-
mail shown in the overview
Improper screen. Attack can be
Neutralizatio performed by sending https://otrs.
n of Input specially crafted e-mail to the com/release-
A-OTR-
During Web system and it doesn't require notes/otrs-
16-Jun-21 4.3 OTRS-
Page any user intraction. This issue security-
020721/132
Generation affects: OTRS AG ((OTRS)) advisory-
('Cross-site Community Edition 6.0.x 2021-11/
Scripting') version 6.0.1 and later
versions. OTRS AG OTRS 7.0.x
version 7.0.26 and prior
versions.
CVE ID : CVE-2021-21441
pagekit
pagekit
In PageKit v1.0.18, a user can
upload SVG files in the file
upload portion of the CMS.
These SVG files can contain
malicious scripts. This file
Improper will be uploaded to the
Neutralizatio system and it will not be
n of Input stripped or filtered. The user A-PAG-
During Web can create a link on the
16-Jun-21 3.5 N/A PAGE-
Page website pointing to 020721/133
Generation "/storage/exp.svg" that will
('Cross-site point to
Scripting') http://localhost/pagekit/stor
age/exp.svg. When a user
comes along to click that link,
it will trigger a XSS attack.
CVE ID : CVE-2021-32245
Paloaltonetworks
cortex_xsoar

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 53 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
An improper authorization
vulnerability in Palo Alto
Networks Cortex XSOAR
enables a remote
unauthenticated attacker
with network access to the
Cortex XSOAR server to
perform unauthorized
actions through the REST API.
This issue impacts: Cortex
XSOAR 6.1.0 builds later than https://secu
Incorrect 1016923 and earlier than rity.paloalto A-PAL-
Authorizatio 22-Jun-21 7.5 1271064; Cortex XSOAR 6.2.0 networks.co CORT-
n builds earlier than 1271065. m/CVE- 020721/134
This issue does not impact 2021-3044
Cortex XSOAR 5.5.0, Cortex
XSOAR 6.0.0, Cortex XSOAR
6.0.1, or Cortex XSOAR 6.0.2
versions. All Cortex XSOAR
instances hosted by Palo Alto
Networks are upgraded to
resolve this vulnerability. No
additional action is required
for these instances.
CVE ID : CVE-2021-3044
Phpipam
phpipam

Improper phpIPAM 1.4.3 allows

Neutralizatio Reflected XSS via
app/dashboard/widgets/ipca https://githu
n of Input
lc-result.php and b.com/phpip
During Web A-PHP-PHPI-
23-Jun-21 4.3 app/tools/ip- am/phpipam
Page 020721/135
calculator/result.php of the /issues/335
Generation
IP calculator. 1
('Cross-site
Scripting') CVE ID : CVE-2021-35438
phpmailer_project
phpmailer

Unrestricted 16-Jun-21 5.1 PHPMailer before 6.5.0 on https://githu A-PHP-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 54 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Upload of Windows allows remote code b.com/PHPM PHPM-
File with execution if lang_path is ailer/PHPMa 020721/136
Dangerous untrusted data and has a UNC iler/blob/ma
Type pathname. ster/SECURI
CVE ID : CVE-2021-34551 TY.md

PHPMailer 6.4.1 and earlier

contain a vulnerability that
can result in untrusted code
being called (if such code is
injected into the host https://githu
project's scope by other b.com/PHPM
means). If the $patternselect ailer/PHPMa
parameter to iler/commit/
Inclusion of validateAddress() is set to 45f3c18dc6a
Functionality 'php' (the default, defined by 2de1cb1bf49 A-PHP-
from PHPMailer::$validator), and
17-Jun-21 6.8 b9b249a9ee PHPM-
Untrusted the global namespace 36a5f7f3, 020721/137
Control contains a function called https://ww
Sphere php, it will be called in w.huntr.dev/
preference to the built-in bounties/1-
validator of the same name. PHPMailer/P
Mitigated in PHPMailer 6.5.0 HPMailer/
by denying the use of simple
strings as validator function
names.
CVE ID : CVE-2021-3603
Podsfoundation
pods

The Pods â€“ Custom Content https://wpsc

Improper Types and Fields WordPress an.com/vuln
Neutralizatio plugin before 2.7.27 was erability/d5b
n of Input vulnerable to an 015f3-90c7-
Authenticated Stored Cross- 4d51-a71d- A-POD-
During Web
21-Jun-21 3.5 Site Scripting (XSS) security 630d609651 PODS-
Page
vulnerability within the 51, 020721/138
Generation
('Cross-site 'Singular Label' field https://ww
Scripting') parameter. w.whitesour
cesoftware.c
CVE ID : CVE-2021-24338
om/vulnerab

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 55 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
ility-
database/CV
E-2021-
24338
The Pods â€“ Custom Content
Improper Types and Fields WordPress https://wpsc
Neutralizatio plugin before 2.7.27 was an.com/vuln
n of Input vulnerable to an erability/8e7 A-POD-
During Web Authenticated Stored Cross-
21-Jun-21 3.5 2236d-f620- PODS-
Page Site Scripting (XSS) security 4503-a324- 020721/139
Generation vulnerability within the dcf49405351
('Cross-site 'Menu Label' field parameter. b
Scripting')
CVE ID : CVE-2021-24339
Powerarchiver
powerarchiver
The XML parser used in
ConeXware PowerArchiver
Improper before 20.10.02 allows
Restriction processing of external A-POW-
of XML entities, which might lead to
21-Jun-21 4.3 N/A POWE-
External exfiltration of local files over 020721/140
Entity the network (via an XXE
Reference attack).
CVE ID : CVE-2021-28684
primion-digitek
secure_8

Secure 8 (Evalos) does not http://titani

Improper validate user input data umaics.blogs
Neutralizatio correctly, allowing a remote pot.com/202
n of Special attacker to perform a Blind 1/06/vulner
Elements SQL Injection. An attacker abilidad-
could exploit this zero-day-en- A-PRI-SECU-
used in an 18-Jun-21 7.5
vulnerability in order to primion.html 020721/141
SQL
Command extract information of users ,
('SQL and administrator accounts https://ww
Injection') stored in the database. w.incibe-
cert.es/en/e
CVE ID : CVE-2021-3604
arly-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 56 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
warning/ics-
advisories/p
rimion-
digitek-
secure-8-sql-
injection-
vulnerability
pterodactyl
wings
Wings is the control plane
software for the open source
Pterodactyl game
management system. All
versions of Pterodactyl Wings
prior to `1.4.4` are vulnerable
to system resource https://githu
exhaustion due to improper b.com/ptero
container process limits dactyl/wings
being defined. A malicious /commit/e0
user can consume more 078eee0a71
resources than intended and d61573a94c
Uncontrolled cause downstream impacts to 75e6efcad06 A-PTE-
Resource 22-Jun-21 2.1 other clients on the same 9d78de3, WING-
Consumption hardware, eventually causing https://githu 020721/142
the physical server to stop b.com/ptero
responding. Users should dactyl/wings
upgrade to `1.4.4` to mitigate /security/ad
the issue. There is no non- visories/GHS
code based workaround for A-jj6m-r8jc-
impacted versions of the 2gp7
software. Users running
customized versions of this
software can manually set a
PID limit for containers
created.
CVE ID : CVE-2021-32699
Qnap
myqnapcloud_link

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 57 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Insecure storage of sensitive
information has been
reported to affect QNAP NAS
running myQNAPcloud Link.
If exploited, this vulnerability
allows remote attackers to
read sensitive information by https://ww
Insecure accessing the unrestricted w.qnap.com/
A-QNA-
Storage of storage mechanism. This zh-
16-Jun-21 4 MYQN-
Sensitive issue affects: QNAP Systems tw/security-
020721/143
Information Inc. myQNAPcloud Link advisory/qsa
versions prior to 2.2.21 on -21-26
QTS 4.5.3; versions prior to
2.2.21 on QuTS hero h4.5.2;
versions prior to 2.2.21 on
QuTScloud c4.5.4.
CVE ID : CVE-2021-28815
Quassel-irc
quassel
Quassel through 0.13.1, when
--require-ssl is enabled,
Missing launches without SSL or TLS https://githu
A-QUA-
Encryption support if a usable X.509 b.com/quass
17-Jun-21 4.3 QUAS-
of Sensitive certificate is not found on the el/quassel/p
020721/144
Data local system. ull/581

CVE ID : CVE-2021-34825
radykal
fancy_product_designer
The Fancy Product Designer https://wpsc
Unrestricted WordPress plugin before an.com/vuln
Upload of 4.6.9 allows unauthenticated erability/82c A-RAD-
File with 21-Jun-21 7.5 attackers to upload arbitrary 52461-1fdc- FANC-
Dangerous files, resulting in remote code 41e4-9f51- 020721/145
Type execution. f9dd84962b
CVE ID : CVE-2021-24370 38

Rapid7
nexpose

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 58 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Rapid7 Nexpose is vulnerable
to a non-persistent cross-site
scripting vulnerability
affecting the Security
Console's Filtered Asset
Search feature. A specific
Improper search criterion and operator
Neutralizatio combination in Filtered Asset https://docs.
n of Input Search could have allowed a rapid7.com/r
user to pass code through the A-RAP-
During Web elease-
16-Jun-21 4.3 provided search field. This NEXP-
Page notes/nexpo
issue affects version 6.6.80 020721/146
Generation se/2021050
('Cross-site and prior, and is fixed in 5/
Scripting') 6.6.81. If your Security
Console currently falls on or
within this affected version
range, ensure that you update
your Security Console to the
latest version.
CVE ID : CVE-2021-3535
reportportal
service-api
Report portal is an open
source reporting and analysis
framework. Starting from https://githu
version 3.1.0 of the service- b.com/repor
api XML parsing was tportal/servi
introduced. Unfortunately the ce-
Improper XML parser was not api/pull/139
Restriction configured properly to 2,
of XML prevent XML external entity https://githu A-REP-SERV-
23-Jun-21 5
External (XXE) attacks. This allows a b.com/repor 020721/147
Entity user to import a specifically- tportal/repo
Reference crafted XML file which rtportal/secu
imports external Document rity/advisori
Type Definition (DTD) file es/GHSA-
with external entities for 24wf-7vf2-
extraction of secrets from pv59
Report Portal service-api
module or server-side
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 59 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
request forgery. This will be
resolved in the 5.4.0 release.
CVE ID : CVE-2021-29620
SAP
netweaver_abap
SAP NetWeaver ABAP Server
and ABAP Platform, versions
- 700, 701, 702, 731, 740, https://laun
750, 751, 752, 753, 754, 755, chpad.suppo
804, does not create rt.sap.com/#
information about internal /notes/3007
Improper and external RFC user in 182, A-SAP-
Authenticati 16-Jun-21 7.5 consistent and distinguished https://wiki. NETW-
on format, which could lead to scn.sap.com/ 020721/148
improper authentication and wiki/pages/
may be exploited by viewpage.act
malicious users to obtain ion?pageId=
illegitimate access to the 578125999
system.
CVE ID : CVE-2021-27610
netweaver_as_abap
SAP NetWeaver ABAP Server
and ABAP Platform, versions
- 700, 701, 702, 731, 740, https://laun
750, 751, 752, 753, 754, 755, chpad.suppo
804, does not create rt.sap.com/#
information about internal /notes/3007
Improper and external RFC user in 182, A-SAP-
Authenticati 16-Jun-21 7.5 consistent and distinguished https://wiki. NETW-
on format, which could lead to scn.sap.com/ 020721/149
improper authentication and wiki/pages/
may be exploited by viewpage.act
malicious users to obtain ion?pageId=
illegitimate access to the 578125999
system.
CVE ID : CVE-2021-27610
Sensiolabs
symfony
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 60 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Symfony is a PHP framework
for web and console
applications and a set of
reusable PHP components. A https://githu
vulnerability related to b.com/symfo
firewall authentication is in ny/symfony/
Symfony starting with commit/308
version 5.3.0 and prior to 4764ad82f2
5.3.2. When an application 9dbb025df1
defines multiple firewalls, the 9978b9cbc3
token authenticated by one of ab34728,
the firewalls was available for https://githu
all other firewalls. This could b.com/symfo
Improper be abused when the ny/symfony/ A-SEN-
Authenticati 17-Jun-21 6.5 application defines different security/advi SYMF-
on providers for each part of the sories/GHSA 020721/150
application, in such a -rfcf-m67m-
situation, a user jcrq,
authenticated on a part of the https://githu
application could be b.com/symfo
considered authenticated on ny/security-
the rest of the application. http/commit
Starting in version 5.3.2, a /6bf4c31219
patch ensures that the 773a558b01
authenticated token is only 9ee12e5457
available for the firewall that 2174ff8129
generates it.
CVE ID : CVE-2021-32693
Sonatype
nexus_repository_manager
Sonatype Nexus Repository
Improper Manager 3.x before 3.31.0
Limitation of allows a remote https://supp
a Pathname authenticated attacker to get ort.sonatype.
A-SON-
to a a list of blob files and read the com/hc/en-
18-Jun-21 4 NEXU-
Restricted content of a blob file (via a us/articles/4
020721/151
Directory GET request) without having 4024338283
('Path been granted access. 71
Traversal')
CVE ID : CVE-2021-34553

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 61 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
striptags_project
striptags
The npm package "striptags"
is an implementation of PHP's https://githu
strip_tags in Typescript. In b.com/ericno
striptags before version 3.2.0, rris/striptag
a type-confusion s/commit/f2
vulnerability can cause 52a6b08194
Access of `striptags` to concatenate 99cd654037
Resource unsanitized strings when an 07ebaf5cc92
Using array-like object is passed in A-STR-STRI-
18-Jun-21 5 5f2faca,
Incompatible as the `html` parameter. This 020721/152
https://githu
Type ('Type can be abused by an attacker b.com/ericno
Confusion') who can control the shape of rris/striptag
their input, e.g. if query s/security/a
parameters are passed dvisories/GH
directly into the function. SA-qxg5-
This can lead to a XSS. 2qff-p49r
CVE ID : CVE-2021-32696
Synology
calendar
Use of hard-coded credentials
vulnerability in php https://ww
component in Synology w.synology.c
Use of Hard- Calendar before 2.4.0-0761 om/security A-SYN-CALE-
coded 18-Jun-21 5 allows remote attackers to /advisory/Sy 020721/153
Credentials obtain sensitive information nology_SA_2
via unspecified vectors. 1_12
CVE ID : CVE-2021-34812
diskstation_manager
Use after free vulnerability in
file transfer protocol https://ww
component in Synology w.synology.c
Use After DiskStation Manager (DSM) om/security A-SYN-DISK-
23-Jun-21 7.5
Free before 6.2.3-25426-3 allows /advisory/Sy 020721/154
remote attackers to execute nology_SA_2
arbitrary code via unspecified 0_26
vectors.

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 62 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
CVE ID : CVE-2021-27649
Improper neutralization of
special elements in output
Improper used by a downstream
Neutralizatio component ('Injection')
vulnerability in Security https://ww
n of Special
Advisor report management w.synology.c
Elements in
component in Synology om/security A-SYN-DISK-
Output Used 23-Jun-21 5
DiskStation Manager (DSM) /advisory/Sy 020721/155
by a
before 6.2.3-25426-3 allows nology_SA_2
Downstream
remote attackers to read 0_26
Component
('Injection') arbitrary files via unspecified
vectors.
CVE ID : CVE-2021-29084
Improper neutralization of
special elements in output
Improper used by a downstream
Neutralizatio component ('Injection') https://ww
n of Special vulnerability in file sharing w.synology.c
Elements in management component in om/security A-SYN-DISK-
Output Used 23-Jun-21 5 Synology DiskStation /advisory/Sy 020721/156
by a Manager (DSM) before 6.2.3- nology_SA_2
Downstream 25426-3 allows remote 0_26
Component attackers to read arbitrary
('Injection') files via unspecified vectors.
CVE ID : CVE-2021-29085
Exposure of sensitive
information to an
unauthorized actor
Exposure of vulnerability in webapi https://ww
Sensitive component in Synology w.synology.c
Information DiskStation Manager (DSM) om/security A-SYN-DISK-
23-Jun-21 5
to an before 6.2.3-25426-3 allows /advisory/Sy 020721/157
Unauthorize remote attackers to obtain nology_SA_2
d Actor sensitive information via 0_26
unspecified vectors.
CVE ID : CVE-2021-29086

Improper Improper limitation of a https://ww A-SYN-DISK-

23-Jun-21 5
Limitation of pathname to a restricted w.synology.c 020721/158
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 63 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
a Pathname directory ('Path Traversal') om/security
to a vulnerability in webapi /advisory/Sy
Restricted component in Synology nology_SA_2
Directory DiskStation Manager (DSM) 0_26
('Path before 6.2.3-25426-3 allows
Traversal') remote attackers to write
arbitrary files via unspecified
vectors.
CVE ID : CVE-2021-29087
download_station
Improper neutralization of
special elements used in a
Improper command ('Command
Neutralizatio Injection') vulnerability in https://ww
n of Special task management component w.synology.c
A-SYN-
Elements in Synology Download Station om/security
18-Jun-21 6.5 DOWN-
used in a before 3.8.16-3566 allows /advisory/Sy
020721/159
Command remote authenticated users nology_SA_2
('Command to execute arbitrary code via 1_11
Injection') unspecified vectors.
CVE ID : CVE-2021-34809
Improper privilege
management vulnerability in
cgi component in Synology https://ww
Download Station before w.synology.c
Improper A-SYN-
3.8.16-3566 allows remote om/security
Privilege 18-Jun-21 6.5 DOWN-
authenticated users to /advisory/Sy
Management 020721/160
execute arbitrary code via nology_SA_2
unspecified vectors. 1_11

CVE ID : CVE-2021-34810
Server-Side Request Forgery
(SSRF) vulnerability in task https://ww
Server-Side management component in w.synology.c
A-SYN-
Request Synology Download Station om/security
18-Jun-21 4 DOWN-
Forgery before 3.8.16-3566 allows /advisory/Sy
020721/161
(SSRF) remote authenticated users nology_SA_2
to access intranet resources 1_11
via unspecified vectors.

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 64 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
CVE ID : CVE-2021-34811
media_server
Server-Side Request Forgery
(SSRF) vulnerability in cgi https://ww
Server-Side component in Synology w.synology.c
Request Media Server before 1.8.3- om/security A-SYN-MEDI-
18-Jun-21 5 2881 allows remote attackers
Forgery /advisory/Sy 020721/162
(SSRF) to access intranet resources nology_SA_2
via unspecified vectors. 1_10
CVE ID : CVE-2021-34808
Teamviewer
teamviewer
https://com
TeamViewer before munity.team
14.7.48644 on Windows viewer.com/
Uncontrolled A-TEA-
loads untrusted DLLs in English/disc
Search Path 16-Jun-21 4.4 TEAM-
certain situations. ussion/1111
Element 020721/163
54/windows
CVE ID : CVE-2021-34803 -v14-7-
48644
thalesgroup
safenet_keysecure
SafeNet KeySecure
Management Console 8.12.0
is vulnerable to HTTP
response splitting attacks. A
Cleartext remote attacker could exploit https://ww
Storage of this vulnerability using A-THA-SAFE-
16-Jun-21 4.3 w.thalesgrou
Sensitive specially-crafted URL to 020721/164
p.com/en
Information cause the server to return a
split response, once the URL
is clicked.
CVE ID : CVE-2021-28979
theologeek
manuskript
Deserializati 21-Jun-21 6.8 ** DISPUTED ** Manuskript N/A A-THE-
on of through 0.12.0 allows remote MANU-
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 65 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Untrusted attackers to execute arbitrary 020721/165
Data code via a crafted
settings.pickle file in a project
file, because there is insecure
deserialization via the
pickle.load() function in
settings.py. NOTE: the
vendor's position is that the
product is not intended for
opening an untrusted project
file.
CVE ID : CVE-2021-35196
tielabs
jannah
The Jannah WordPress theme
Improper before 5.4.4 did not properly
sanitize the options JSON https://wpsc
Neutralizatio
parameter in its an.com/vuln
n of Input
tie_get_user_weather AJAX erability/1d5
During Web A-TIE-JANN-
21-Jun-21 4.3 action before outputting it 3fbe5-a879-
Page 020721/166
back in the page, leading to a 42ca-a9d3-
Generation
Reflected Cross-Site Scripting 768a800183
('Cross-site
(XSS) vulnerability. 82
Scripting')
CVE ID : CVE-2021-24364
togatech
tenvoy
tEnvoy contains the PGP, https://githu
NaCl, and PBKDF2 in node.js b.com/TogaT
and the browser (hashing, ech/tEnvoy/
Improper random, encryption, commit/a12
Verification decryption, signatures, 1b34a45e28 A-TOG-
of 16-Jun-21 7.5 conversions), used by 9d775c62e5 TENV-
Cryptographi TogaTech.org. In versions 8841522891 020721/167
c Signature prior to 7.0.3, the dee686b,
`verifyWithMessage` method https://githu
of `tEnvoyNaClSigningKey` b.com/TogaT
always returns `true` for any ech/tEnvoy/
signature that has a SHA-512 security/advi

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 66 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
hash matching the SHA-512 sories/GHSA
hash of the message even if -7r96-8g3x-
the signature was invalid. g36m
This issue is patched in
version 7.0.3. As a
workaround: In `tenvoy.js`
under the
`verifyWithMessage` method
definition within the
`tEnvoyNaClSigningKey`
class, ensure that the return
statement call to `this.verify`
ends in `.verified`.
CVE ID : CVE-2021-32685
torchbox
wagtail
Wagtail is an open source
content management system
built on Django. A cross-site
scripting vulnerability exists
in versions 2.13-2.13.1,
versions 2.12-2.12.4, and
versions prior to 2.11.8.
When the `{% include_block
Improper %}` template tag is used to https://githu
Neutralizatio output the value of a plain- b.com/wagta
n of Input text StreamField block il/wagtail/se A-TOR-
During Web (`CharBlock`, `TextBlock` or a
17-Jun-21 3.5 curity/advis WAGT-
Page similar user-defined block ories/GHSA- 020721/168
Generation derived from `FieldBlock`), xfrw-hxr5-
('Cross-site and that block does not ghqf
Scripting') specify a template for
rendering, the tag output is
not properly escaped as
HTML. This could allow users
to insert arbitrary HTML or
scripting. This vulnerability is
only exploitable by users with
the ability to author
StreamField content (i.e.
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 67 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
users with 'editor' access to
the Wagtail admin). Patched
versions have been released
as Wagtail 2.11.8 (for the LTS
2.11 branch), Wagtail 2.12.5,
and Wagtail 2.13.2 (for the
current 2.13 branch). As a
workaround, site
implementors who are
unable to upgrade to a
current supported version
should audit their use of `{%
include_block %}` to ensure it
is not used to output
`CharBlock` / `TextBlock`
values with no associated
template. Note that this only
applies where `{%
include_block %}` is used
directly on that block (uses of
`include_block` on a block
_containing_ a CharBlock /
TextBlock, such as a
StructBlock, are unaffected).
In these cases, the tag can be
replaced with Django's `{{ ...
}}` syntax - e.g. `{%
include_block my_title_block
%}` becomes `{{
my_title_block }}`.
CVE ID : CVE-2021-32681
Trendmicro
interscan_web_security_virtual_appliance
Improper
Trend Micro InterScan Web https://succ
Neutralizatio
Security Virtual Appliance ess.trendmic
n of Input A-TRE-INTE-
17-Jun-21 3.5 version 6.5 was found to have ro.com/solut
During Web 020721/169
a reflected cross-site ion/0002864
Page
scripting (XSS) vulnerability 52
Generation
in the product's Captive
('Cross-site
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 68 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Scripting') Portal.
CVE ID : CVE-2021-31521
tsmuxer_project
tsmuxer
Heap based buffer overflow
in tsMuxer 2.6.16 allows https://githu
Out-of- attackers to cause a Denial of A-TSM-
b.com/justda
bounds 23-Jun-21 4.3 Service (DoS) by running the TSMU-
n96/tsMuxer
Write application with a crafted file. 020721/170
/issues/424
CVE ID : CVE-2021-34067
Heap based buffer overflow
in tsMuxer 2.6.16 allows https://githu
Out-of- attackers to cause a Denial of A-TSM-
b.com/justda
bounds 23-Jun-21 4.3 Service (DoS) by running the TSMU-
n96/tsMuxer
Write application with a crafted file. 020721/171
/issues/427
CVE ID : CVE-2021-34068
Divide-by-zero bug in
tsMuxer 2.6.16 allows https://githu
attackers to cause a Denial of A-TSM-
Divide By b.com/justda
23-Jun-21 4.3 Service (DoS) by running the TSMU-
Zero n96/tsMuxer
application with a crafted file. 020721/172
/issues/428
CVE ID : CVE-2021-34069
Out-of-bounds Read in
tsMuxer 2.6.16 allows https://githu
attackers to cause a Denial of A-TSM-
Out-of- b.com/justda
23-Jun-21 4.3 Service (DoS) by running the TSMU-
bounds Read n96/tsMuxer
application with a crafted file. 020721/173
/issues/426
CVE ID : CVE-2021-34070
Heap based buffer overflow
in tsMuxer 2.6.16 allows https://githu
Out-of- attackers to cause a Denial of A-TSM-
b.com/justda
bounds 23-Jun-21 4.3 Service (DoS) by running the TSMU-
n96/tsMuxer
Write application with a crafted file. 020721/174
/issues/423
CVE ID : CVE-2021-34071
valine.js
valine

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 69 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Valine 1.4.14 allows remote
Improper attackers to cause a denial of
Control of service (application outage)
Generation by supplying a ua (aka User- A-VAL-VALI-
16-Jun-21 5 Agent) value that only N/A
of Code 020721/175
('Code specifies the product and
Injection') version.
CVE ID : CVE-2021-34801
vfsjfilechooser2_project
vfsjfilechooser2
https://githu
b.com/yeting
li/SaveResult
s/blob/main
/md/vfsjfilec
hooser2.md,
A Regular Expression Denial https://githu
of Service (ReDOS) b.com/fracpe
vulnerability was discovered te/vfsjfilecho
Allocation of
in Vfsjfilechooser2 version oser2/comm
Resources
0.2.9 and below which occurs it/9c9f2c317 A-VFS-VFSJ-
Without 21-Jun-21 5
when the application f3de5ece60a 020721/176
Limits or
attempts to validate crafted 3ae28c371e
Throttling
URIs. 9796e3909b,
https://githu
CVE ID : CVE-2021-29061 b.com/yeting
li/PoCs/blob
/main/CVE-
2021-
29061/Vfsjfil
echooser2.m
d
Vmware
app_volumes
VMware Tools for Windows https://ww
Improper (11.x.y prior to 11.2.6), w.vmware.co A-VMW-
Input 23-Jun-21 7.2 VMware Remote Console for m/security/a APP_-
Validation Windows (12.x prior to dvisories/V 020721/177
12.0.1) , VMware App MSA-2021-
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 70 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Volumes (2.x prior to 2.18.10 0013.html
and 4 prior to 2103) contain
a local privilege escalation
vulnerability. An attacker
with normal access to a
virtual machine may exploit
this issue by placing a
malicious file renamed as
`openssl.cnf' in an
unrestricted directory which
would allow code to be
executed with elevated
privileges.
CVE ID : CVE-2021-21999
carbon_black_app_control
VMware Carbon Black App
Control 8.0, 8.1, 8.5 prior to
8.5.8, and 8.6 prior to 8.6.2
has an authentication bypass.
A malicious actor with https://ww
network access to the w.vmware.co
Improper A-VMW-
VMware Carbon Black App m/security/a
Authenticati 23-Jun-21 7.5 CARB-
Control management server dvisories/V
on 020721/178
might be able to obtain MSA-2021-
administrative access to the 0012.html?
product without the need to
authenticate.
CVE ID : CVE-2021-21998
remote_console
VMware Tools for Windows
(11.x.y prior to 11.2.6),
VMware Remote Console for https://ww
Windows (12.x prior to w.vmware.co
Improper A-VMW-
12.0.1) , VMware App m/security/a
Input 23-Jun-21 7.2 REMO-
Volumes (2.x prior to 2.18.10 dvisories/V
Validation 020721/179
and 4 prior to 2103) contain MSA-2021-
a local privilege escalation 0013.html
vulnerability. An attacker
with normal access to a

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 71 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
virtual machine may exploit
this issue by placing a
malicious file renamed as
`openssl.cnf' in an
unrestricted directory which
would allow code to be
executed with elevated
privileges.
CVE ID : CVE-2021-21999
tools
VMware Tools for Windows
(11.x.y prior to 11.3.0)
contains a denial-of-service
vulnerability in the VM3DMP
driver. A malicious actor with https://ww
local user privileges in the w.vmware.co
Windows guest operating A-VMW-
m/security/a
N/A 18-Jun-21 4.9 system, where VMware Tools TOOL-
dvisories/V
is installed, can trigger a 020721/180
MSA-2021-
PANIC in the VM3DMP driver 0011.html
leading to a denial-of-service
condition in the Windows
guest operating system.
CVE ID : CVE-2021-21997
VMware Tools for Windows
(11.x.y prior to 11.2.6),
VMware Remote Console for
Windows (12.x prior to
12.0.1) , VMware App https://ww
Volumes (2.x prior to 2.18.10 w.vmware.co
Improper and 4 prior to 2103) contain A-VMW-
m/security/a
Input 23-Jun-21 7.2 a local privilege escalation TOOL-
dvisories/V
Validation vulnerability. An attacker 020721/181
MSA-2021-
with normal access to a 0013.html
virtual machine may exploit
this issue by placing a
malicious file renamed as
`openssl.cnf' in an
unrestricted directory which

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 72 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
would allow code to be
executed with elevated
privileges.
CVE ID : CVE-2021-21999
Wibu
codemeter
https://cdn.
wibu.com/fil
A buffer over-read eadmin/wib
vulnerability exists in Wibu- u_downloads
Systems CodeMeter versions /security_ad
< 7.21a. An unauthenticated visories/Adv
remote attacker can exploit A-WIB-
Out-of- isory_WIBU-
16-Jun-21 6.4 this issue to disclose heap CODE-
bounds Read 210423-
memory contents or crash 020721/182
01.pdf,
the CodeMeter Runtime https://ww
Server. w.tenable.co
CVE ID : CVE-2021-20093 m/security/r
esearch/tra-
2021-24
https://cdn.
wibu.com/fil
eadmin/wib
A denial of service u_downloads
vulnerability exists in Wibu- /security_ad
Systems CodeMeter versions visories/Adv
< 7.21a. An unauthenticated A-WIB-
Out-of- isory_WIBU-
16-Jun-21 5 remote attacker can exploit CODE-
bounds Read 210423-
this issue to crash the 020721/183
02.pdf,
CodeMeter Runtime Server. https://ww
CVE ID : CVE-2021-20094 w.tenable.co
m/security/r
esearch/tra-
2021-24
wphappycoders
comments_like_dislike
Incorrect 21-Jun-21 5 The Comments Like Dislike https://wpsc A-WPH-
Authorizatio WordPress plugin before an.com/vuln COMM-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 73 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
n 1.1.4 allows users to erability/aae 020721/184
like/dislike posted 7a889-195c-
comments, however does not 45a3-bbe4-
prevent them from replaying e6d4cd2d7fd
the AJAX request to add a 9
like. This allows any user
(even unauthenticated) to
add unlimited like/dislike to
any comment. The plugin
appears to have some
Restriction modes, such as
Cookie Restriction, IP
Restrictions, Logged In User
Restriction, however, they do
not prevent such attack as
they only check client side
CVE ID : CVE-2021-24379
wp_config_file_editor_project
wp_config_file_editor
Improper The WP Config File Editor https://wpsc
Neutralizatio WordPress plugin through an.com/vuln
n of Input 1.7.1 was affected by an erability/f35 A-WP_-
During Web Authenticated Stored Cross-
21-Jun-21 3.5 b7c8f-cfb6- WP_C-
Page Site Scripting (XSS) 42b6-8a3a- 020721/185
Generation vulnerability. 8c07cd1e9da
('Cross-site
CVE ID : CVE-2021-24367 0
Scripting')
zettlr
zettlr
Improper No filtering of cross-site
Neutralizatio scripting (XSS) payloads in
n of Input the markdown-editor in https://githu
During Web Zettlr 1.8.7 allows attackers b.com/Zettlr A-ZET-ZETT-
18-Jun-21 4.3
Page to perform remote code /Zettlr/issue 020721/186
Generation execution via a crafted file. s/1716
('Cross-site
Scripting') CVE ID : CVE-2021-26835

znote

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 74 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
znote

Unrestricted ZOLL Defibrillator

Upload of Dashboard, v prior to 2.2, The
web application allows a non- N/A A-ZOL-DEFI-
File with 16-Jun-21 6.5
administrative user to upload 020721/194
Dangerous
Type a malicious file. This file could
allow an attacker to remotely

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 76 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
execute arbitrary commands.
CVE ID : CVE-2021-27489
Hardware
bosch
b426
This vulnerability could allow
an attacker to hijack a session
while a user is logged in the
configuration web page. This
vulnerability was discovered https://psirt.
by a security researcher in bosch.com/s
B426 and found during ecurity-
H-BOS-B426-
N/A 18-Jun-21 6.8 internal product tests in advisories/b
020721/195
B426-CN/B429-CN, and osch-sa-
B426-M and has been fixed 196933-
already starting from version bt.html
3.08 on, which was released
on June 2019.
CVE ID : CVE-2021-23845
When using http protocol, the
user password is transmitted
as a clear text parameter for https://psirt.
which it is possible to be bosch.com/s
Cleartext obtained by an attacker ecurity-
Transmissio through a MITM attack. This H-BOS-B426-
18-Jun-21 4.3 advisories/b
n of Sensitive will be fixed starting from 020721/196
osch-sa-
Information Firmware version 3.11.5, 196933-
which will be released on the bt.html
30th of June, 2021.
CVE ID : CVE-2021-23846
b426-cn

This vulnerability could allow https://psirt.

an attacker to hijack a session bosch.com/s
while a user is logged in the ecurity-
H-BOS-B426-
N/A 18-Jun-21 6.8 configuration web page. This advisories/b
020721/197
vulnerability was discovered osch-sa-
by a security researcher in 196933-
B426 and found during bt.html
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 77 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
internal product tests in
B426-CN/B429-CN, and
B426-M and has been fixed
already starting from version
3.08 on, which was released
on June 2019.
CVE ID : CVE-2021-23845
b426-m
This vulnerability could allow
an attacker to hijack a session
while a user is logged in the
configuration web page. This
vulnerability was discovered https://psirt.
by a security researcher in bosch.com/s
B426 and found during ecurity-
H-BOS-B426-
N/A 18-Jun-21 6.8 internal product tests in advisories/b
020721/198
B426-CN/B429-CN, and osch-sa-
B426-M and has been fixed 196933-
already starting from version bt.html
3.08 on, which was released
on June 2019.
CVE ID : CVE-2021-23845
b429-cn
This vulnerability could allow
an attacker to hijack a session
while a user is logged in the
configuration web page. This
vulnerability was discovered https://psirt.
by a security researcher in bosch.com/s
B426 and found during ecurity-
H-BOS-B429-
N/A 18-Jun-21 6.8 internal product tests in advisories/b
020721/199
B426-CN/B429-CN, and osch-sa-
B426-M and has been fixed 196933-
already starting from version bt.html
3.08 on, which was released
on June 2019.
CVE ID : CVE-2021-23845
Cisco

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 78 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
sf220-24
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying H-CIS-SF22-
Authenticati 16-Jun-21 9 coSecurityAd
operating system Conduct a 020721/200
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Insufficient arbitrary commands as a root /content/Cis
user on the underlying H-CIS-SF22-
Session 16-Jun-21 9.3 coSecurityAd
operating system Conduct a 020721/201
Expiration visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1542

Improper Multiple vulnerabilities in the https://tools.

Authenticati 16-Jun-21 4.3 web-based management cisco.com/se H-CIS-SF22-
on interface of Cisco Small curity/center 020721/202
Business 220 Series Smart /content/Cis

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 79 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Switches could allow an coSecurityAd
attacker to do the following: visory/cisco-
Hijack a user session Execute sa-ciscosb-
arbitrary commands as a root multivulns-
user on the underlying Wwyb7s5E
operating system Conduct a
cross-site scripting (XSS)
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
Improper attacker to do the following: cisco.com/se
Neutralizatio Hijack a user session Execute curity/center
n of Input arbitrary commands as a root /content/Cis
During Web user on the underlying H-CIS-SF22-
16-Jun-21 4.3 coSecurityAd
Page operating system Conduct a 020721/203
visory/cisco-
Generation cross-site scripting (XSS) sa-ciscosb-
('Cross-site attack Conduct an HTML multivulns-
Scripting') injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1571
sf220-24p
Multiple vulnerabilities in the https://tools.
web-based management cisco.com/se
Improper interface of Cisco Small curity/center
Authenticati 16-Jun-21 9 Business 220 Series Smart /content/Cis H-CIS-SF22-
on Switches could allow an coSecurityAd 020721/204
attacker to do the following: visory/cisco-
Hijack a user session Execute sa-ciscosb-
arbitrary commands as a root multivulns-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 80 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
user on the underlying Wwyb7s5E
operating system Conduct a
cross-site scripting (XSS)
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Insufficient arbitrary commands as a root /content/Cis
user on the underlying H-CIS-SF22-
Session 16-Jun-21 9.3 coSecurityAd
operating system Conduct a 020721/205
Expiration visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1542
Multiple vulnerabilities in the
web-based management
interface of Cisco Small https://tools.
Business 220 Series Smart cisco.com/se
Switches could allow an curity/center
Improper attacker to do the following: /content/Cis
Hijack a user session Execute H-CIS-SF22-
Authenticati 16-Jun-21 4.3 coSecurityAd
arbitrary commands as a root 020721/206
on visory/cisco-
user on the underlying sa-ciscosb-
operating system Conduct a multivulns-
cross-site scripting (XSS) Wwyb7s5E
attack Conduct an HTML
injection attack For more
information about these
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 81 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
Improper attacker to do the following: cisco.com/se
Neutralizatio Hijack a user session Execute curity/center
n of Input arbitrary commands as a root /content/Cis
During Web user on the underlying H-CIS-SF22-
16-Jun-21 4.3 coSecurityAd
Page operating system Conduct a 020721/207
visory/cisco-
Generation cross-site scripting (XSS) sa-ciscosb-
('Cross-site attack Conduct an HTML multivulns-
Scripting') injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1571
sf220-48
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying H-CIS-SF22-
Authenticati 16-Jun-21 9 coSecurityAd
operating system Conduct a 020721/208
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541

Insufficient 16-Jun-21 9.3 Multiple vulnerabilities in the https://tools. H-CIS-SF22-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 82 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Session web-based management cisco.com/se 020721/209
Expiration interface of Cisco Small curity/center
Business 220 Series Smart /content/Cis
Switches could allow an coSecurityAd
attacker to do the following: visory/cisco-
Hijack a user session Execute sa-ciscosb-
arbitrary commands as a root multivulns-
user on the underlying Wwyb7s5E
operating system Conduct a
cross-site scripting (XSS)
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1542
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying H-CIS-SF22-
Authenticati 16-Jun-21 4.3 coSecurityAd
operating system Conduct a 020721/210
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543
Improper Multiple vulnerabilities in the https://tools.
Neutralizatio web-based management cisco.com/se
n of Input interface of Cisco Small curity/center H-CIS-SF22-
During Web 16-Jun-21 4.3 Business 220 Series Smart /content/Cis 020721/211
Page Switches could allow an coSecurityAd
Generation attacker to do the following: visory/cisco-
('Cross-site Hijack a user session Execute sa-ciscosb-
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 83 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Scripting') arbitrary commands as a root multivulns-
user on the underlying Wwyb7s5E
operating system Conduct a
cross-site scripting (XSS)
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1571
sf220-48p
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying H-CIS-SF22-
Authenticati 16-Jun-21 9 coSecurityAd
operating system Conduct a 020721/212
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541
Multiple vulnerabilities in the
web-based management https://tools.
interface of Cisco Small cisco.com/se
Business 220 Series Smart curity/center
Insufficient Switches could allow an /content/Cis
H-CIS-SF22-
Session 16-Jun-21 9.3 attacker to do the following: coSecurityAd
020721/213
Expiration Hijack a user session Execute visory/cisco-
arbitrary commands as a root sa-ciscosb-
user on the underlying multivulns-
operating system Conduct a Wwyb7s5E
cross-site scripting (XSS)

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 84 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1542
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying H-CIS-SF22-
Authenticati 16-Jun-21 4.3 coSecurityAd
operating system Conduct a 020721/214
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
https://tools.
Improper Switches could allow an
cisco.com/se
Neutralizatio attacker to do the following:
curity/center
n of Input Hijack a user session Execute
/content/Cis
During Web arbitrary commands as a root H-CIS-SF22-
16-Jun-21 4.3 coSecurityAd
Page user on the underlying 020721/215
visory/cisco-
Generation operating system Conduct a
sa-ciscosb-
('Cross-site cross-site scripting (XSS)
multivulns-
Scripting') attack Conduct an HTML
Wwyb7s5E
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 85 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
CVE ID : CVE-2021-1571
sg220-26
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying H-CIS-SG22-
Authenticati 16-Jun-21 9 coSecurityAd
operating system Conduct a 020721/216
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Insufficient arbitrary commands as a root /content/Cis
user on the underlying H-CIS-SG22-
Session 16-Jun-21 9.3 coSecurityAd
operating system Conduct a 020721/217
Expiration visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1542
Improper Multiple vulnerabilities in the https://tools. H-CIS-SG22-
Authenticati 16-Jun-21 4.3 web-based management cisco.com/se 020721/218
on interface of Cisco Small curity/center
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 86 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Business 220 Series Smart /content/Cis
Switches could allow an coSecurityAd
attacker to do the following: visory/cisco-
Hijack a user session Execute sa-ciscosb-
arbitrary commands as a root multivulns-
user on the underlying Wwyb7s5E
operating system Conduct a
cross-site scripting (XSS)
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
Improper attacker to do the following: cisco.com/se
Neutralizatio Hijack a user session Execute curity/center
n of Input arbitrary commands as a root /content/Cis
During Web user on the underlying H-CIS-SG22-
16-Jun-21 4.3 coSecurityAd
Page operating system Conduct a 020721/219
visory/cisco-
Generation cross-site scripting (XSS) sa-ciscosb-
('Cross-site attack Conduct an HTML multivulns-
Scripting') injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1571
sg220-26p
Multiple vulnerabilities in the https://tools.
web-based management cisco.com/se
Improper interface of Cisco Small curity/center H-CIS-SG22-
Authenticati 16-Jun-21 9 Business 220 Series Smart /content/Cis 020721/220
on Switches could allow an coSecurityAd
attacker to do the following: visory/cisco-
Hijack a user session Execute sa-ciscosb-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 87 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
arbitrary commands as a root multivulns-
user on the underlying Wwyb7s5E
operating system Conduct a
cross-site scripting (XSS)
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Insufficient arbitrary commands as a root /content/Cis
user on the underlying H-CIS-SG22-
Session 16-Jun-21 9.3 coSecurityAd
operating system Conduct a 020721/221
Expiration visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1542
Multiple vulnerabilities in the
web-based management
interface of Cisco Small https://tools.
Business 220 Series Smart cisco.com/se
Switches could allow an curity/center
Improper attacker to do the following: /content/Cis
H-CIS-SG22-
Authenticati 16-Jun-21 4.3 Hijack a user session Execute coSecurityAd
020721/222
on arbitrary commands as a root visory/cisco-
user on the underlying sa-ciscosb-
operating system Conduct a multivulns-
cross-site scripting (XSS) Wwyb7s5E
attack Conduct an HTML
injection attack For more
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 88 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
Improper attacker to do the following: cisco.com/se
Neutralizatio Hijack a user session Execute curity/center
n of Input arbitrary commands as a root /content/Cis
During Web user on the underlying H-CIS-SG22-
16-Jun-21 4.3 coSecurityAd
Page operating system Conduct a 020721/223
visory/cisco-
Generation cross-site scripting (XSS) sa-ciscosb-
('Cross-site attack Conduct an HTML multivulns-
Scripting') injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1571
sg220-28mp
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying H-CIS-SG22-
Authenticati 16-Jun-21 9 coSecurityAd
operating system Conduct a 020721/224
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 89 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Insufficient arbitrary commands as a root /content/Cis
user on the underlying H-CIS-SG22-
Session 16-Jun-21 9.3 coSecurityAd
operating system Conduct a 020721/225
Expiration visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1542
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying H-CIS-SG22-
Authenticati 16-Jun-21 4.3 coSecurityAd
operating system Conduct a 020721/226
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543
Improper Multiple vulnerabilities in the https://tools.
Neutralizatio web-based management cisco.com/se
n of Input 16-Jun-21 4.3 interface of Cisco Small curity/center H-CIS-SG22-
During Web Business 220 Series Smart /content/Cis 020721/227
Page Switches could allow an coSecurityAd
Generation attacker to do the following: visory/cisco-
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 90 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
('Cross-site Hijack a user session Execute sa-ciscosb-
Scripting') arbitrary commands as a root multivulns-
user on the underlying Wwyb7s5E
operating system Conduct a
cross-site scripting (XSS)
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1571
sg220-50
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying H-CIS-SG22-
Authenticati 16-Jun-21 9 coSecurityAd
operating system Conduct a 020721/228
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541
Multiple vulnerabilities in the https://tools.
web-based management cisco.com/se
interface of Cisco Small curity/center
Insufficient Business 220 Series Smart /content/Cis
Switches could allow an H-CIS-SG22-
Session 16-Jun-21 9.3 coSecurityAd
attacker to do the following: 020721/229
Expiration visory/cisco-
Hijack a user session Execute sa-ciscosb-
arbitrary commands as a root multivulns-
user on the underlying Wwyb7s5E
operating system Conduct a

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 91 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
cross-site scripting (XSS)
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1542
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying H-CIS-SG22-
Authenticati 16-Jun-21 4.3 coSecurityAd
operating system Conduct a 020721/230
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
https://tools.
Improper Switches could allow an
cisco.com/se
Neutralizatio attacker to do the following:
curity/center
n of Input Hijack a user session Execute
/content/Cis
During Web arbitrary commands as a root H-CIS-SG22-
16-Jun-21 4.3 coSecurityAd
Page user on the underlying 020721/231
visory/cisco-
Generation operating system Conduct a
sa-ciscosb-
('Cross-site cross-site scripting (XSS)
multivulns-
Scripting') attack Conduct an HTML
Wwyb7s5E
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 92 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
CVE ID : CVE-2021-1571
sg220-50p
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying H-CIS-SG22-
Authenticati 16-Jun-21 9 coSecurityAd
operating system Conduct a 020721/232
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Insufficient arbitrary commands as a root /content/Cis
user on the underlying H-CIS-SG22-
Session 16-Jun-21 9.3 coSecurityAd
operating system Conduct a 020721/233
Expiration visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1542
Improper Multiple vulnerabilities in the https://tools. H-CIS-SG22-
Authenticati 16-Jun-21 4.3 web-based management cisco.com/se 020721/234
on interface of Cisco Small curity/center
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 93 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Business 220 Series Smart /content/Cis
Switches could allow an coSecurityAd
attacker to do the following: visory/cisco-
Hijack a user session Execute sa-ciscosb-
arbitrary commands as a root multivulns-
user on the underlying Wwyb7s5E
operating system Conduct a
cross-site scripting (XSS)
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
Improper attacker to do the following: cisco.com/se
Neutralizatio Hijack a user session Execute curity/center
n of Input arbitrary commands as a root /content/Cis
During Web user on the underlying H-CIS-SG22-
16-Jun-21 4.3 coSecurityAd
Page operating system Conduct a 020721/235
visory/cisco-
Generation cross-site scripting (XSS) sa-ciscosb-
('Cross-site attack Conduct an HTML multivulns-
Scripting') injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1571
Dlink
dir-2640-us
D-Link DIR-2640-US 1.01B04
is vulnerable to Buffer https://ww
Out-of-
Overflow. There are multiple w.dlink.com/ H-DLI-DIR--
bounds 16-Jun-21 3.6
out-of-bounds vulnerabilities en/security- 020721/236
Write
in some processes of D-Link bulletin/
AC2600(DIR-2640). Local

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 94 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
ordinary users can overwrite
the global variables in the
.bss section, causing the
process crashes or changes.
CVE ID : CVE-2021-34201
There are multiple out-of-
bounds vulnerabilities in
some processes of D-Link
AC2600(DIR-2640) 1.01B04.
Ordinary permissions can be https://ww
elevated to administrator w.dlink.com/
Out-of-
permissions, resulting in local en/security- H-DLI-DIR--
bounds 16-Jun-21 7.2
arbitrary code execution. An bulletin/, 020721/237
Write
attacker can combine other http://d-
vulnerabilities to further link.com
achieve the purpose of
remote code execution.
CVE ID : CVE-2021-34202
D-Link DIR-2640-US 1.01B04
is vulnerable to Incorrect
Access Control. Router
ac2600 (dir-2640-us), when
setting PPPoE, will start
quagga process in the way of
whole network monitoring,
and this function uses the
original default password and https://ww
port. An attacker can easily w.dlink.com/
Incorrect
use telnet to log in, modify en/security- H-DLI-DIR--
Authorizatio 16-Jun-21 4.8
routing information, monitor bulletin/, 020721/238
n
the traffic of all devices under http://d-
the router, hijack DNS and link.com
phishing attacks. In addition,
this interface is likely to be
questioned by customers as a
backdoor, because the
interface should not be
exposed.
CVE ID : CVE-2021-34203

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 95 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
D-Link DIR-2640-US 1.01B04
is affected by Insufficiently
Protected Credentials. D-Link
AC2600(DIR-2640) stores the
device system account
password in plain text. It does
not use linux user https://ww
Insufficiently management. In addition, the w.dlink.com/ H-DLI-DIR--
Protected 16-Jun-21 7.2 passwords of all devices are en/security- 020721/239
Credentials the same, and they cannot be bulletin/
modified by normal users. An
attacker can easily log in to
the target router through the
serial port and obtain root
privileges.
CVE ID : CVE-2021-34204
GE
rpv311
This vulnerability allows
remote attackers to execute
arbitrary code on affected
installations of GE Reason
RPV311 14A03. https://ww
Authentication is not w.gegridsolu
required to exploit this tions.com/pr
vulnerability. The specific oducts/supp
Use of Hard- flaw exists within the ort/GES-
firmware and filesystem of H-GE-RPV3-
coded 16-Jun-21 7.5 2021-
the device. The firmware and 020721/240
Credentials 005%20-
filesystem contain hard- %20RPV311
coded default credentials. An %20Security
attacker can leverage this %20Notice.p
vulnerability to execute code df
in the context of the
download user. Was ZDI-
CAN-11852.
CVE ID : CVE-2021-31477
Huawei

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 96 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
e3372
Huawei LTE USB Dongle
products have an improper
permission assignment
vulnerability. An attacker can https://ww
locally access and log in to a w.huawei.co
PC to induce a user to install a m/en/psirt/
Improper specially crafted application. security-
After successfully exploiting H-HUA-
Preservation advisories/h
22-Jun-21 4.4 this vulnerability, the E337-
of uawei-sa-
attacker can perform 020721/241
Permissions 20210602-
unauthenticated operations. 01-
Affected product versions permission-
include:E3372 E3372h- en
153TCPU-
V200R002B333D01SP00C00.
CVE ID : CVE-2021-22382
e8372
Huawei LTE USB Dongle
products have an improper
permission assignment
vulnerability. An attacker can https://ww
locally access and log in to a w.huawei.co
PC to induce a user to install a m/en/psirt/
Improper specially crafted application. security-
After successfully exploiting H-HUA-
Preservation advisories/h
22-Jun-21 4.4 this vulnerability, the E837-
of uawei-sa-
attacker can perform 020721/242
Permissions 20210602-
unauthenticated operations. 01-
Affected product versions permission-
include:E3372 E3372h- en
153TCPU-
V200R002B333D01SP00C00.
CVE ID : CVE-2021-22382
ecns280

Incorrect There is an improper https://ww H-HUA-

Authorizatio 22-Jun-21 4.6 authorization vulnerability in w.huawei.co ECNS-
n eCNS280 V100R005C00, m/en/psirt/ 020721/243
V100R005C10 and eSE620X security-
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 97 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
vESS V100R001C10SPC200, advisories/h
V100R001C20SPC200. A file uawei-sa-
access is not authorized 20210519-
correctly. Attacker with low 02-cgp-en
access may launch privilege
escalation in a specific
scenario. This may
compromise the normal
service.
CVE ID : CVE-2021-22361
ecns280_td
There is a resource
management error
vulnerability in eCNS280_TD
V100R005C10SPC650. An https://ww
attacker needs to perform w.huawei.co
Allocation of specific operations to exploit m/en/psirt/
Resources the vulnerability on the security- H-HUA-
Without 22-Jun-21 5 affected device. Due to advisories/h ECNS-
Limits or improper resource uawei-sa- 020721/244
Throttling management of the function, 20210609-
the vulnerability can be 01-resource-
exploited to cause service en
abnormal on affected devices.
CVE ID : CVE-2021-22363
There is a race condition
vulnerability in eCNS280_TD
Concurrent V100R005C00 and https://ww
Execution V100R005C10. There is a w.huawei.co
using Shared timing window exists in m/en/psirt/
Resource which the database can be H-HUA-
security-
with 22-Jun-21 3.5 operated by another thread ECNS-
advisories/h
Improper that is operating 020721/245
uawei-sa-
Synchronizat concurrently. Successful 20210602-
ion ('Race exploit may cause the 01-cgp-en
Condition') affected device abnormal.
CVE ID : CVE-2021-22378
Out-of- There is an out-of-bounds https://ww H-HUA-
22-Jun-21 6.8
bounds Read read vulnerability in w.huawei.co ECNS-
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 98 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
eCNS280_TD V100R005C10 m/en/psirt/ 020721/246
and eSE620X vESS security-
V100R001C10SPC200, advisories/h
V100R001C20SPC200, uawei-sa-
V200R001C00SPC300. The 20210616-
vulnerability is due to a 01-cgp-en
message-handling function
that contains an out-of-
bounds read vulnerability. An
attacker can exploit this
vulnerability by sending a
specific message to the target
device, which could cause a
Denial of Service (DoS).
CVE ID : CVE-2021-22383
ese620x_vess
There is an improper
authorization vulnerability in
eCNS280 V100R005C00,
V100R005C10 and eSE620X https://ww
vESS V100R001C10SPC200, w.huawei.co
V100R001C20SPC200. A file m/en/psirt/
Incorrect access is not authorized H-HUA-
security-
Authorizatio 22-Jun-21 4.6 correctly. Attacker with low ESE6-
advisories/h
n access may launch privilege 020721/247
uawei-sa-
escalation in a specific 20210519-
scenario. This may 02-cgp-en
compromise the normal
service.
CVE ID : CVE-2021-22361
There is an out of bounds https://ww
read vulnerability in eSE620X w.huawei.co
vESS V100R001C10SPC200, m/en/psirt/
V100R001C20SPC200, security- H-HUA-
Out-of-
22-Jun-21 2.1 V200R001C00SPC300. A local advisories/h ESE6-
bounds Read
attacker can exploit this uawei-sa- 020721/248
vulnerability by sending 20210526-
specific message to the target 02-
device. Due to insufficient outbounds-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 99 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
validation of internal en
message, successful exploit
may cause the process and
the service abnormal.
CVE ID : CVE-2021-22365
There is an out-of-bounds
read vulnerability in eSE620X
vESS V100R001C10SPC200,
V100R001C20SPC200,
V200R001C00SPC300. The https://ww
vulnerability is due to a w.huawei.co
function that handles an m/en/psirt/
H-HUA-
Out-of- internal message contains an security-
22-Jun-21 4.9 ESE6-
bounds Read out-of-bounds read advisories/h
020721/249
vulnerability. An attacker uawei-sa-
could crafted messages 20210526-
between system process, 03-dos-en
successful exploit could cause
Denial of Service (DoS).
CVE ID : CVE-2021-22366
There is an out-of-bounds
read vulnerability in
eCNS280_TD V100R005C10
and eSE620X vESS
V100R001C10SPC200,
V100R001C20SPC200, https://ww
V200R001C00SPC300. The w.huawei.co
vulnerability is due to a m/en/psirt/
H-HUA-
Out-of- message-handling function security-
22-Jun-21 6.8 ESE6-
bounds Read that contains an out-of- advisories/h
020721/250
bounds read vulnerability. An uawei-sa-
attacker can exploit this 20210616-
vulnerability by sending a 01-cgp-en
specific message to the target
device, which could cause a
Denial of Service (DoS).
CVE ID : CVE-2021-22383
ips_module

Improper 22-Jun-21 4 There is an information leak https://ww H-HUA-IPS_-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 100 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Input vulnerability in Huawei w.huawei.co 020721/251
Validation products. A module does not m/en/psirt/
deal with specific input security-
sufficiently. High privilege advisories/h
attackers can exploit this uawei-sa-
vulnerability by performing 20210428-
some operations. This can 01-
lead to information leak. infomationle
Affected product versions ak-en
include: IPS Module versions
V500R005C00,
V500R005C10,
V500R005C20; NGFW
Module versions
V500R005C00,V500R005C10
, V500R005C20; SeMG9811
versions V500R005C00;
USG9500 versions
V500R001C00,
V500R001C20,
V500R001C30,
V500R001C50,
V500R001C60,
V500R001C80,
V500R005C00,
V500R005C10,
V500R005C20.
CVE ID : CVE-2021-22342
ngfw_module
There is an information leak https://ww
vulnerability in Huawei w.huawei.co
products. A module does not m/en/psirt/
deal with specific input security-
Improper sufficiently. High privilege H-HUA-
advisories/h
Input 22-Jun-21 4 attackers can exploit this NGFW-
uawei-sa-
Validation vulnerability by performing 020721/252
20210428-
some operations. This can 01-
lead to information leak. infomationle
Affected product versions ak-en
include: IPS Module versions

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 101 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
V500R005C00,
V500R005C10,
V500R005C20; NGFW
Module versions
V500R005C00,V500R005C10
, V500R005C20; SeMG9811
versions V500R005C00;
USG9500 versions
V500R001C00,
V500R001C20,
V500R001C30,
V500R001C50,
V500R001C60,
V500R001C80,
V500R005C00,
V500R005C10,
V500R005C20.
CVE ID : CVE-2021-22342
s12700
There is a command injection
vulnerability in S12700
V200R019C00SPC500, S2700
V200R019C00SPC500, S5700
V200R019C00SPC500, S6700 https://ww
V200R019C00SPC500 and w.huawei.co
S7700 V200R019C00SPC500. m/en/psirt/
Improper H-HUA-
A module does not verify security-
Input 22-Jun-21 6.5 S127-
specific input sufficiently. advisories/h
Validation 020721/253
Attackers can exploit this uawei-sa-
vulnerability by sending 20210602-
malicious parameters to 01-cmdinj-en
inject command. This can
compromise normal service.
CVE ID : CVE-2021-22377
s2700

Improper There is a command injection https://ww H-HUA-

Input 22-Jun-21 6.5 vulnerability in S12700 w.huawei.co S270-
Validation V200R019C00SPC500, S2700 m/en/psirt/ 020721/254
V200R019C00SPC500, S5700 security-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 102 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
V200R019C00SPC500, S6700 advisories/h
V200R019C00SPC500 and uawei-sa-
S7700 V200R019C00SPC500. 20210602-
A module does not verify 01-cmdinj-en
specific input sufficiently.
Attackers can exploit this
vulnerability by sending
malicious parameters to
inject command. This can
compromise normal service.
CVE ID : CVE-2021-22377
s5700
There is a command injection
vulnerability in S12700
V200R019C00SPC500, S2700
V200R019C00SPC500, S5700
V200R019C00SPC500, S6700 https://ww
V200R019C00SPC500 and w.huawei.co
S7700 V200R019C00SPC500. m/en/psirt/
Improper H-HUA-
A module does not verify security-
Input 22-Jun-21 6.5 S570-
specific input sufficiently. advisories/h
Validation 020721/255
Attackers can exploit this uawei-sa-
vulnerability by sending 20210602-
malicious parameters to 01-cmdinj-en
inject command. This can
compromise normal service.
CVE ID : CVE-2021-22377
s6700
There is a command injection
vulnerability in S12700 https://ww
V200R019C00SPC500, S2700 w.huawei.co
V200R019C00SPC500, S5700 m/en/psirt/
Improper V200R019C00SPC500, S6700 H-HUA-
security-
Input 22-Jun-21 6.5 V200R019C00SPC500 and S670-
advisories/h
Validation S7700 V200R019C00SPC500. 020721/256
uawei-sa-
A module does not verify 20210602-
specific input sufficiently. 01-cmdinj-en
Attackers can exploit this
vulnerability by sending

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 103 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
malicious parameters to
inject command. This can
compromise normal service.
CVE ID : CVE-2021-22377
s7700
There is a command injection
vulnerability in S12700
V200R019C00SPC500, S2700
V200R019C00SPC500, S5700
V200R019C00SPC500, S6700 https://ww
V200R019C00SPC500 and w.huawei.co
S7700 V200R019C00SPC500. m/en/psirt/
Improper H-HUA-
A module does not verify security-
Input 22-Jun-21 6.5 S770-
specific input sufficiently. advisories/h
Validation 020721/257
Attackers can exploit this uawei-sa-
vulnerability by sending 20210602-
malicious parameters to 01-cmdinj-en
inject command. This can
compromise normal service.
CVE ID : CVE-2021-22377
semg9811
There is an information leak
vulnerability in Huawei
products. A module does not
deal with specific input
sufficiently. High privilege https://ww
attackers can exploit this w.huawei.co
vulnerability by performing m/en/psirt/
some operations. This can security-
Improper H-HUA-
lead to information leak. advisories/h
Input 22-Jun-21 4 SEMG-
Affected product versions uawei-sa-
Validation 020721/258
include: IPS Module versions 20210428-
V500R005C00, 01-
V500R005C10, infomationle
V500R005C20; NGFW ak-en
Module versions
V500R005C00,V500R005C10
, V500R005C20; SeMG9811
versions V500R005C00;

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 104 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
USG9500 versions
V500R001C00,
V500R001C20,
V500R001C30,
V500R001C50,
V500R001C60,
V500R001C80,
V500R005C00,
V500R005C10,
V500R005C20.
CVE ID : CVE-2021-22342
usg9500
There is an information leak
vulnerability in Huawei
products. A module does not
deal with specific input
sufficiently. High privilege
attackers can exploit this
vulnerability by performing
some operations. This can
lead to information leak.
Affected product versions https://ww
include: IPS Module versions w.huawei.co
V500R005C00, m/en/psirt/
V500R005C10, security-
Improper H-HUA-
V500R005C20; NGFW advisories/h
Input 22-Jun-21 4 USG9-
Module versions uawei-sa-
Validation 020721/259
V500R005C00,V500R005C10 20210428-
, V500R005C20; SeMG9811 01-
versions V500R005C00; infomationle
USG9500 versions ak-en
V500R001C00,
V500R001C20,
V500R001C30,
V500R001C50,
V500R001C60,
V500R001C80,
V500R005C00,
V500R005C10,
V500R005C20.

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 105 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
CVE ID : CVE-2021-22342
Moxa
mgate_mb3180
https://ww
w.moxa.com
/en/product
An issue was discovered on s/industrial-
MOXA Mgate MB3180 edge-
Version 2.1 Build 18113012. connectivity/
Uncontrolled Attacker could send a huge protocol- H-MOX-
Resource 18-Jun-21 5 amount of TCP SYN packet to gateways/m MGAT-
Consumption make web service's resource odbus-tcp- 020721/260
exhausted. Then the web gateways/m
server is denial-of-service. gate-
CVE ID : CVE-2021-33823 mb3180-
mb3280-
mb3480-
series
https://ww
An issue was discovered on w.moxa.com
MOXA Mgate MB3180 /en/product
Version 2.1 Build 18113012. s/industrial-
Attackers can use edge-
slowhttptest tool to send connectivity/
Uncontrolled incomplete HTTP request, protocol- H-MOX-
Resource 18-Jun-21 5 which could make server gateways/m MGAT-
Consumption keep waiting for the packet to odbus-tcp- 020721/261
finish the connection, until its gateways/m
resource exhausted. Then the gate-
web server is denial-of- mb3180-
service. mb3280-
CVE ID : CVE-2021-33824 mb3480-
series
Nvidia
jetson_agx_xavier_16gb

Integer Trusty (the trusted OS https://nvidi

Overflow or 22-Jun-21 4.6 produced by NVIDIA for a.custhelp.co H-NVI-JETS-
Wraparound Jetson devices) driver m/app/answ 020721/262
contains a vulnerability in the ers/detail/a_
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 106 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
NVIDIA OTE protocol id/5205
message parsing code where
an integer overflow in a
malloc() size calculation
leads to a buffer overflow on
the heap, which might result
in information disclosure,
escalation of privileges, and
denial of service.
CVE ID : CVE-2021-34372
Bootloader contains a
vulnerability in NVIDIA MB2
where a potential heap https://nvidi
Out-of- overflow might allow an a.custhelp.co
attacker to control all the H-NVI-JETS-
bounds 21-Jun-21 4.6 m/app/answ
RAM after the heap block, 020721/263
Write ers/detail/a_
leading to denial of service or id/5205
code execution.
CVE ID : CVE-2021-34388
Trusty contains a
vulnerability in NVIDIA OTE
Missing protocol message parsing https://nvidi
Release of code, which is present in all a.custhelp.co
Memory the TAs. An incorrect bounds H-NVI-JETS-
21-Jun-21 2.1 m/app/answ
after check leads to a memory leak 020721/264
ers/detail/a_
Effective of a portion of the heap id/5205
Lifetime situated after a stream buffer.
CVE ID : CVE-2021-34389
Trusty contains a
vulnerability in TSEC TA
which deserializes the
incoming messages even https://nvidi
Deserializati
though the TSEC TA does not a.custhelp.co
on of H-NVI-JETS-
22-Jun-21 2.1 expose any command. This m/app/answ
Untrusted 020721/265
vulnerability might allow an ers/detail/a_
Data
attacker to exploit the id/5205
deserializer to impact code
execution, causing
information disclosure.

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 107 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
CVE ID : CVE-2021-34393
Trusty contains a
vulnerability in all TAs whose
deserializer does not reject
messages with multiple https://nvidi
Deserializati occurrences of the same a.custhelp.co
on of parameter. The H-NVI-JETS-
22-Jun-21 4.6 m/app/answ
Untrusted deserialization of untrusted 020721/266
ers/detail/a_
Data data might allow an attacker id/5205
to exploit the deserializer to
impact code execution.
CVE ID : CVE-2021-34394
Bootloader contains a
vulnerability in NVIDIA MB2, https://nvidi
Out-of- which may cause free-the- a.custhelp.co
H-NVI-JETS-
bounds 22-Jun-21 2.1 wrong-heap, which may lead m/app/answ
020721/267
Write to limited denial of service. ers/detail/a_
id/5205
CVE ID : CVE-2021-34397
jetson_agx_xavier_32gb
Trusty (the trusted OS
produced by NVIDIA for
Jetson devices) driver
contains a vulnerability in the
NVIDIA OTE protocol
message parsing code where https://nvidi
Integer an integer overflow in a a.custhelp.co
H-NVI-JETS-
Overflow or 22-Jun-21 4.6 malloc() size calculation m/app/answ
020721/268
Wraparound leads to a buffer overflow on ers/detail/a_
the heap, which might result id/5205
in information disclosure,
escalation of privileges, and
denial of service.
CVE ID : CVE-2021-34372

Bootloader contains a https://nvidi

Out-of- vulnerability in NVIDIA MB2 a.custhelp.co
H-NVI-JETS-
bounds 21-Jun-21 4.6 where a potential heap m/app/answ
020721/269
Write overflow might allow an ers/detail/a_
attacker to control all the id/5205

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 108 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
RAM after the heap block,
leading to denial of service or
code execution.
CVE ID : CVE-2021-34388
Trusty contains a
vulnerability in NVIDIA OTE
Missing protocol message parsing https://nvidi
Release of code, which is present in all a.custhelp.co
Memory the TAs. An incorrect bounds H-NVI-JETS-
21-Jun-21 2.1 m/app/answ
after check leads to a memory leak 020721/270
ers/detail/a_
Effective of a portion of the heap id/5205
Lifetime situated after a stream buffer.
CVE ID : CVE-2021-34389
Trusty contains a
vulnerability in TSEC TA
which deserializes the
incoming messages even
though the TSEC TA does not https://nvidi
Deserializati
expose any command. This a.custhelp.co
on of H-NVI-JETS-
22-Jun-21 2.1 vulnerability might allow an m/app/answ
Untrusted 020721/271
attacker to exploit the ers/detail/a_
Data
deserializer to impact code id/5205
execution, causing
information disclosure.
CVE ID : CVE-2021-34393
Trusty contains a
vulnerability in all TAs whose
deserializer does not reject
messages with multiple https://nvidi
Deserializati occurrences of the same a.custhelp.co
on of parameter. The H-NVI-JETS-
22-Jun-21 4.6 m/app/answ
Untrusted deserialization of untrusted 020721/272
ers/detail/a_
Data data might allow an attacker id/5205
to exploit the deserializer to
impact code execution.
CVE ID : CVE-2021-34394
Bootloader contains a https://nvidi H-NVI-JETS-
Out-of- 22-Jun-21 2.1 vulnerability in NVIDIA MB2, a.custhelp.co 020721/273
bounds
which may cause free-the- m/app/answ
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 109 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Write wrong-heap, which may lead ers/detail/a_
to limited denial of service. id/5205
CVE ID : CVE-2021-34397
jetson_agx_xavier_8gb
Trusty (the trusted OS
produced by NVIDIA for
Jetson devices) driver
contains a vulnerability in the
NVIDIA OTE protocol
message parsing code where https://nvidi
Integer an integer overflow in a a.custhelp.co
H-NVI-JETS-
Overflow or 22-Jun-21 4.6 malloc() size calculation m/app/answ
020721/274
Wraparound leads to a buffer overflow on ers/detail/a_
the heap, which might result id/5205
in information disclosure,
escalation of privileges, and
denial of service.
CVE ID : CVE-2021-34372
Bootloader contains a
vulnerability in NVIDIA MB2
where a potential heap https://nvidi
Out-of- overflow might allow an a.custhelp.co
attacker to control all the H-NVI-JETS-
bounds 21-Jun-21 4.6 m/app/answ
RAM after the heap block, 020721/275
Write ers/detail/a_
leading to denial of service or id/5205
code execution.
CVE ID : CVE-2021-34388
Trusty contains a
vulnerability in NVIDIA OTE
Missing protocol message parsing https://nvidi
Release of code, which is present in all a.custhelp.co
Memory the TAs. An incorrect bounds H-NVI-JETS-
21-Jun-21 2.1 m/app/answ
after check leads to a memory leak 020721/276
ers/detail/a_
Effective of a portion of the heap id/5205
Lifetime situated after a stream buffer.
CVE ID : CVE-2021-34389

Deserializati Trusty contains a https://nvidi H-NVI-JETS-

22-Jun-21 2.1
on of vulnerability in TSEC TA a.custhelp.co 020721/277

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 110 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Untrusted which deserializes the m/app/answ
Data incoming messages even ers/detail/a_
though the TSEC TA does not id/5205
expose any command. This
vulnerability might allow an
attacker to exploit the
deserializer to impact code
execution, causing
information disclosure.
CVE ID : CVE-2021-34393
Trusty contains a
vulnerability in all TAs whose
deserializer does not reject
messages with multiple https://nvidi
Deserializati occurrences of the same a.custhelp.co
on of parameter. The H-NVI-JETS-
22-Jun-21 4.6 m/app/answ
Untrusted deserialization of untrusted 020721/278
ers/detail/a_
Data data might allow an attacker id/5205
to exploit the deserializer to
impact code execution.
CVE ID : CVE-2021-34394
Bootloader contains a
vulnerability in NVIDIA MB2, https://nvidi
Out-of- which may cause free-the- a.custhelp.co
H-NVI-JETS-
bounds 22-Jun-21 2.1 wrong-heap, which may lead m/app/answ
020721/279
Write to limited denial of service. ers/detail/a_
id/5205
CVE ID : CVE-2021-34397
jetson_nano
Trusty (the trusted OS
produced by NVIDIA for
Jetson devices) driver
contains a vulnerability in the https://nvidi
Integer NVIDIA OTE protocol a.custhelp.co
H-NVI-JETS-
Overflow or 22-Jun-21 4.6 message parsing code where m/app/answ
020721/280
Wraparound an integer overflow in a ers/detail/a_
malloc() size calculation id/5205
leads to a buffer overflow on
the heap, which might result
in information disclosure,
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 111 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
escalation of privileges, and
denial of service.
CVE ID : CVE-2021-34372
Bootloader contains a
vulnerability in NVIDIA MB2
where a potential heap https://nvidi
Out-of- overflow might allow an a.custhelp.co
attacker to control all the H-NVI-JETS-
bounds 21-Jun-21 4.6 m/app/answ
RAM after the heap block, 020721/281
Write ers/detail/a_
leading to denial of service or id/5205
code execution.
CVE ID : CVE-2021-34388
jetson_nano_2gb
Trusty (the trusted OS
produced by NVIDIA for
Jetson devices) driver
contains a vulnerability in the
NVIDIA OTE protocol
message parsing code where https://nvidi
Integer an integer overflow in a a.custhelp.co
H-NVI-JETS-
Overflow or 22-Jun-21 4.6 malloc() size calculation m/app/answ
020721/282
Wraparound leads to a buffer overflow on ers/detail/a_
the heap, which might result id/5205
in information disclosure,
escalation of privileges, and
denial of service.
CVE ID : CVE-2021-34372
Bootloader contains a
vulnerability in NVIDIA MB2
where a potential heap https://nvidi
Out-of- overflow might allow an a.custhelp.co
attacker to control all the H-NVI-JETS-
bounds 21-Jun-21 4.6 m/app/answ
RAM after the heap block, 020721/283
Write ers/detail/a_
leading to denial of service or id/5205
code execution.
CVE ID : CVE-2021-34388
jetson_tx1

Integer 22-Jun-21 4.6 Trusty (the trusted OS https://nvidi H-NVI-JETS-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 112 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Overflow or produced by NVIDIA for a.custhelp.co 020721/284
Wraparound Jetson devices) driver m/app/answ
contains a vulnerability in the ers/detail/a_
NVIDIA OTE protocol id/5205
message parsing code where
an integer overflow in a
malloc() size calculation
leads to a buffer overflow on
the heap, which might result
in information disclosure,
escalation of privileges, and
denial of service.
CVE ID : CVE-2021-34372
Trusty TLK contains a
vulnerability in the NVIDIA
TLK kernel where an integer https://nvidi
Integer overflow in the calloc size a.custhelp.co
calculation can cause the H-NVI-JETS-
Overflow or 21-Jun-21 4.6 m/app/answ
multiplication of count and 020721/285
Wraparound ers/detail/a_
size can overflow, which id/5205
might lead to heap overflows.
CVE ID : CVE-2021-34386
The ARM TrustZone
Technology on which Trusty
is based on contains a
vulnerability in access
permission settings where
the portion of the DRAM https://nvidi
Incorrect reserved for TrustZone is a.custhelp.co
H-NVI-JETS-
Default 21-Jun-21 7.2 identity-mapped by TLK with m/app/answ
020721/286
Permissions read, write, and execute ers/detail/a_
permissions, which gives id/5205
write access to kernel code
and data that is otherwise
mapped read only.
CVE ID : CVE-2021-34387
Out-of- Bootloader contains a https://nvidi H-NVI-JETS-
bounds 21-Jun-21 4.6 vulnerability in NVIDIA MB2 a.custhelp.co 020721/287
Write where a potential heap m/app/answ
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 113 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
overflow might allow an ers/detail/a_
attacker to control all the id/5205
RAM after the heap block,
leading to denial of service or
code execution.
CVE ID : CVE-2021-34388
Trusty TLK contains a
vulnerability in the NVIDIA
TLK kernel function where a
lack of checks allows the https://nvidi
Integer exploitation of an integer a.custhelp.co
H-NVI-JETS-
Overflow or 22-Jun-21 2.1 overflow on the size m/app/answ
020721/288
Wraparound parameter of the ers/detail/a_
tz_map_shared_mem id/5205
function.
CVE ID : CVE-2021-34390
Trusty TLK contains a
vulnerability in the NVIDIA
TLK kernelï¿½s
tz_handle_trusted_app_smc https://nvidi
Integer function where a lack of a.custhelp.co
integer overflow checks on H-NVI-JETS-
Overflow or 22-Jun-21 4.9 m/app/answ
the req_off and param_ofs 020721/289
Wraparound ers/detail/a_
variables leads to memory id/5205
corruption of critical kernel
structures.
CVE ID : CVE-2021-34391
Trusty TLK contains a
vulnerability in the NVIDIA
TLK kernel where an integer https://nvidi
Integer overflow in the a.custhelp.co
tz_map_shared_mem function H-NVI-JETS-
Overflow or 22-Jun-21 2.1 m/app/answ
can bypass boundary checks, 020721/290
Wraparound ers/detail/a_
which might lead to denial of id/5205
service.
CVE ID : CVE-2021-34392
Deserializati Trusty contains a https://nvidi H-NVI-JETS-
on of 22-Jun-21 2.1 vulnerability in TSEC TA a.custhelp.co 020721/291
Untrusted which deserializes the m/app/answ
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 114 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Data incoming messages even ers/detail/a_
though the TSEC TA does not id/5205
expose any command. This
vulnerability might allow an
attacker to exploit the
deserializer to impact code
execution, causing
information disclosure.
CVE ID : CVE-2021-34393
Trusty TLK contains a
vulnerability in its access
permission settings where it
does not properly restrict https://nvidi
Incorrect access to a resource from a a.custhelp.co
H-NVI-JETS-
Default 22-Jun-21 3.6 user with local privileges, m/app/answ
020721/292
Permissions which might lead to limited ers/detail/a_
information disclosure and id/5205
limited denial of service.
CVE ID : CVE-2021-34395
jetson_tx2
Trusty (the trusted OS
produced by NVIDIA for
Jetson devices) driver
contains a vulnerability in the
NVIDIA OTE protocol
message parsing code where https://nvidi
Integer an integer overflow in a a.custhelp.co
H-NVI-JETS-
Overflow or 22-Jun-21 4.6 malloc() size calculation m/app/answ
020721/293
Wraparound leads to a buffer overflow on ers/detail/a_
the heap, which might result id/5205
in information disclosure,
escalation of privileges, and
denial of service.
CVE ID : CVE-2021-34372

Bootloader contains a https://nvidi

Out-of- vulnerability in NVIDIA MB2 a.custhelp.co
H-NVI-JETS-
bounds 21-Jun-21 4.6 where a potential heap m/app/answ
020721/294
Write overflow might allow an ers/detail/a_
attacker to control all the id/5205
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 115 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
RAM after the heap block,
leading to denial of service or
code execution.
CVE ID : CVE-2021-34388
Trusty contains a
vulnerability in NVIDIA OTE
Missing protocol message parsing https://nvidi
Release of code, which is present in all a.custhelp.co
Memory the TAs. An incorrect bounds H-NVI-JETS-
21-Jun-21 2.1 m/app/answ
after check leads to a memory leak 020721/295
ers/detail/a_
Effective of a portion of the heap id/5205
Lifetime situated after a stream buffer.
CVE ID : CVE-2021-34389
Trusty contains a
vulnerability in TSEC TA
which deserializes the
incoming messages even
though the TSEC TA does not https://nvidi
Deserializati
expose any command. This a.custhelp.co
on of H-NVI-JETS-
22-Jun-21 2.1 vulnerability might allow an m/app/answ
Untrusted 020721/296
attacker to exploit the ers/detail/a_
Data
deserializer to impact code id/5205
execution, causing
information disclosure.
CVE ID : CVE-2021-34393
Trusty contains a
vulnerability in all TAs whose
deserializer does not reject
messages with multiple https://nvidi
Deserializati occurrences of the same a.custhelp.co
on of parameter. The H-NVI-JETS-
22-Jun-21 4.6 m/app/answ
Untrusted deserialization of untrusted 020721/297
ers/detail/a_
Data data might allow an attacker id/5205
to exploit the deserializer to
impact code execution.
CVE ID : CVE-2021-34394
Bootloader contains a https://nvidi H-NVI-JETS-
Incorrect 22-Jun-21 2.1 vulnerability in access a.custhelp.co 020721/298
Authorizatio
permission settings where m/app/answ
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 116 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
n unauthorized software may ers/detail/a_
be able to overwrite NVIDIA id/5205
MB2 code, which would
result in limited denial of
service.
CVE ID : CVE-2021-34396
Bootloader contains a
vulnerability in NVIDIA MB2, https://nvidi
Out-of- which may cause free-the- a.custhelp.co
H-NVI-JETS-
bounds 22-Jun-21 2.1 wrong-heap, which may lead m/app/answ
020721/299
Write to limited denial of service. ers/detail/a_
id/5205
CVE ID : CVE-2021-34397
jetson_tx2i
Trusty (the trusted OS
produced by NVIDIA for
Jetson devices) driver
contains a vulnerability in the
NVIDIA OTE protocol
message parsing code where https://nvidi
Integer an integer overflow in a a.custhelp.co
H-NVI-JETS-
Overflow or 22-Jun-21 4.6 malloc() size calculation m/app/answ
020721/300
Wraparound leads to a buffer overflow on ers/detail/a_
the heap, which might result id/5205
in information disclosure,
escalation of privileges, and
denial of service.
CVE ID : CVE-2021-34372
Bootloader contains a
vulnerability in NVIDIA MB2
where a potential heap https://nvidi
Out-of- overflow might allow an a.custhelp.co
attacker to control all the H-NVI-JETS-
bounds 21-Jun-21 4.6 m/app/answ
RAM after the heap block, 020721/301
Write ers/detail/a_
leading to denial of service or id/5205
code execution.
CVE ID : CVE-2021-34388

Missing Trusty contains a https://nvidi H-NVI-JETS-

21-Jun-21 2.1
Release of vulnerability in NVIDIA OTE a.custhelp.co 020721/302

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 117 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Memory protocol message parsing m/app/answ
after code, which is present in all ers/detail/a_
Effective the TAs. An incorrect bounds id/5205
Lifetime check leads to a memory leak
of a portion of the heap
situated after a stream buffer.
CVE ID : CVE-2021-34389
Trusty contains a
vulnerability in TSEC TA
which deserializes the
incoming messages even
though the TSEC TA does not https://nvidi
Deserializati
expose any command. This a.custhelp.co
on of H-NVI-JETS-
22-Jun-21 2.1 vulnerability might allow an m/app/answ
Untrusted 020721/303
attacker to exploit the ers/detail/a_
Data
deserializer to impact code id/5205
execution, causing
information disclosure.
CVE ID : CVE-2021-34393
Trusty contains a
vulnerability in all TAs whose
deserializer does not reject
messages with multiple https://nvidi
Deserializati occurrences of the same a.custhelp.co
on of parameter. The H-NVI-JETS-
22-Jun-21 4.6 m/app/answ
Untrusted deserialization of untrusted 020721/304
ers/detail/a_
Data data might allow an attacker id/5205
to exploit the deserializer to
impact code execution.
CVE ID : CVE-2021-34394
Bootloader contains a
vulnerability in access
permission settings where https://nvidi
Incorrect unauthorized software may a.custhelp.co
be able to overwrite NVIDIA H-NVI-JETS-
Authorizatio 22-Jun-21 2.1 m/app/answ
MB2 code, which would 020721/305
n ers/detail/a_
result in limited denial of id/5205
service.
CVE ID : CVE-2021-34396
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 118 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Bootloader contains a
vulnerability in NVIDIA MB2, https://nvidi
Out-of- which may cause free-the- a.custhelp.co
H-NVI-JETS-
bounds 22-Jun-21 2.1 wrong-heap, which may lead m/app/answ
020721/306
Write to limited denial of service. ers/detail/a_
id/5205
CVE ID : CVE-2021-34397
jetson_tx2_4gb
Trusty (the trusted OS
produced by NVIDIA for
Jetson devices) driver
contains a vulnerability in the
NVIDIA OTE protocol
message parsing code where https://nvidi
Integer an integer overflow in a a.custhelp.co
H-NVI-JETS-
Overflow or 22-Jun-21 4.6 malloc() size calculation m/app/answ
020721/307
Wraparound leads to a buffer overflow on ers/detail/a_
the heap, which might result id/5205
in information disclosure,
escalation of privileges, and
denial of service.
CVE ID : CVE-2021-34372
Bootloader contains a
vulnerability in NVIDIA MB2
where a potential heap https://nvidi
Out-of- overflow might allow an a.custhelp.co
attacker to control all the H-NVI-JETS-
bounds 21-Jun-21 4.6 m/app/answ
RAM after the heap block, 020721/308
Write ers/detail/a_
leading to denial of service or id/5205
code execution.
CVE ID : CVE-2021-34388
Trusty contains a
Missing vulnerability in NVIDIA OTE
https://nvidi
Release of protocol message parsing
a.custhelp.co
Memory code, which is present in all H-NVI-JETS-
21-Jun-21 2.1 m/app/answ
after the TAs. An incorrect bounds 020721/309
ers/detail/a_
Effective check leads to a memory leak
id/5205
Lifetime of a portion of the heap
situated after a stream buffer.

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 119 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
CVE ID : CVE-2021-34389
Trusty contains a
vulnerability in TSEC TA
which deserializes the
incoming messages even
though the TSEC TA does not https://nvidi
Deserializati
expose any command. This a.custhelp.co
on of H-NVI-JETS-
22-Jun-21 2.1 vulnerability might allow an m/app/answ
Untrusted 020721/310
attacker to exploit the ers/detail/a_
Data
deserializer to impact code id/5205
execution, causing
information disclosure.
CVE ID : CVE-2021-34393
Trusty contains a
vulnerability in all TAs whose
deserializer does not reject
messages with multiple https://nvidi
Deserializati occurrences of the same a.custhelp.co
on of parameter. The H-NVI-JETS-
22-Jun-21 4.6 m/app/answ
Untrusted deserialization of untrusted 020721/311
ers/detail/a_
Data data might allow an attacker id/5205
to exploit the deserializer to
impact code execution.
CVE ID : CVE-2021-34394
Bootloader contains a
vulnerability in access
permission settings where https://nvidi
Incorrect unauthorized software may a.custhelp.co
be able to overwrite NVIDIA H-NVI-JETS-
Authorizatio 22-Jun-21 2.1 m/app/answ
MB2 code, which would 020721/312
n ers/detail/a_
result in limited denial of id/5205
service.
CVE ID : CVE-2021-34396
Bootloader contains a https://nvidi
Out-of- vulnerability in NVIDIA MB2, a.custhelp.co
H-NVI-JETS-
bounds 22-Jun-21 2.1 which may cause free-the- m/app/answ
020721/313
Write wrong-heap, which may lead ers/detail/a_
to limited denial of service. id/5205

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 120 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
CVE ID : CVE-2021-34397
jetson_tx2_nx
Trusty (the trusted OS
produced by NVIDIA for
Jetson devices) driver
contains a vulnerability in the
NVIDIA OTE protocol
message parsing code where https://nvidi
Integer an integer overflow in a a.custhelp.co
H-NVI-JETS-
Overflow or 22-Jun-21 4.6 malloc() size calculation m/app/answ
020721/314
Wraparound leads to a buffer overflow on ers/detail/a_
the heap, which might result id/5205
in information disclosure,
escalation of privileges, and
denial of service.
CVE ID : CVE-2021-34372
Bootloader contains a
vulnerability in NVIDIA MB2
where a potential heap https://nvidi
Out-of- overflow might allow an a.custhelp.co
attacker to control all the H-NVI-JETS-
bounds 21-Jun-21 4.6 m/app/answ
RAM after the heap block, 020721/315
Write ers/detail/a_
leading to denial of service or id/5205
code execution.
CVE ID : CVE-2021-34388
Trusty contains a
vulnerability in NVIDIA OTE
Missing protocol message parsing https://nvidi
Release of code, which is present in all a.custhelp.co
Memory the TAs. An incorrect bounds H-NVI-JETS-
21-Jun-21 2.1 m/app/answ
after check leads to a memory leak 020721/316
ers/detail/a_
Effective of a portion of the heap id/5205
Lifetime situated after a stream buffer.
CVE ID : CVE-2021-34389
Deserializati Trusty contains a https://nvidi
on of vulnerability in TSEC TA a.custhelp.co H-NVI-JETS-
22-Jun-21 2.1
Untrusted which deserializes the m/app/answ 020721/317
Data incoming messages even ers/detail/a_

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 121 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
though the TSEC TA does not id/5205
expose any command. This
vulnerability might allow an
attacker to exploit the
deserializer to impact code
execution, causing
information disclosure.
CVE ID : CVE-2021-34393
Trusty contains a
vulnerability in all TAs whose
deserializer does not reject
messages with multiple https://nvidi
Deserializati occurrences of the same a.custhelp.co
on of parameter. The H-NVI-JETS-
22-Jun-21 4.6 m/app/answ
Untrusted deserialization of untrusted 020721/318
ers/detail/a_
Data data might allow an attacker id/5205
to exploit the deserializer to
impact code execution.
CVE ID : CVE-2021-34394
Bootloader contains a
vulnerability in access
permission settings where https://nvidi
Incorrect unauthorized software may a.custhelp.co
be able to overwrite NVIDIA H-NVI-JETS-
Authorizatio 22-Jun-21 2.1 m/app/answ
MB2 code, which would 020721/319
n ers/detail/a_
result in limited denial of id/5205
service.
CVE ID : CVE-2021-34396
Bootloader contains a
vulnerability in NVIDIA MB2, https://nvidi
Out-of- which may cause free-the- a.custhelp.co
H-NVI-JETS-
bounds 22-Jun-21 2.1 wrong-heap, which may lead m/app/answ
020721/320
Write to limited denial of service. ers/detail/a_
id/5205
CVE ID : CVE-2021-34397
jetson_xavier_nx
Integer Trusty (the trusted OS https://nvidi H-NVI-JETS-
Overflow or 22-Jun-21 4.6 produced by NVIDIA for a.custhelp.co 020721/321
Wraparound Jetson devices) driver m/app/answ
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 122 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
contains a vulnerability in the ers/detail/a_
NVIDIA OTE protocol id/5205
message parsing code where
an integer overflow in a
malloc() size calculation
leads to a buffer overflow on
the heap, which might result
in information disclosure,
escalation of privileges, and
denial of service.
CVE ID : CVE-2021-34372
Bootloader contains a
vulnerability in NVIDIA MB2
where a potential heap https://nvidi
Out-of- overflow might allow an a.custhelp.co
attacker to control all the H-NVI-JETS-
bounds 21-Jun-21 4.6 m/app/answ
RAM after the heap block, 020721/322
Write ers/detail/a_
leading to denial of service or id/5205
code execution.
CVE ID : CVE-2021-34388
Trusty contains a
vulnerability in NVIDIA OTE
Missing protocol message parsing https://nvidi
Release of code, which is present in all a.custhelp.co
Memory the TAs. An incorrect bounds H-NVI-JETS-
21-Jun-21 2.1 m/app/answ
after check leads to a memory leak 020721/323
ers/detail/a_
Effective of a portion of the heap id/5205
Lifetime situated after a stream buffer.
CVE ID : CVE-2021-34389
Trusty contains a
vulnerability in TSEC TA
which deserializes the https://nvidi
Deserializati incoming messages even a.custhelp.co
on of though the TSEC TA does not H-NVI-JETS-
22-Jun-21 2.1 m/app/answ
Untrusted expose any command. This 020721/324
ers/detail/a_
Data vulnerability might allow an id/5205
attacker to exploit the
deserializer to impact code
execution, causing

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 123 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
information disclosure.
CVE ID : CVE-2021-34393
Trusty contains a
vulnerability in all TAs whose
deserializer does not reject
messages with multiple https://nvidi
Deserializati occurrences of the same a.custhelp.co
on of parameter. The H-NVI-JETS-
22-Jun-21 4.6 m/app/answ
Untrusted deserialization of untrusted 020721/325
ers/detail/a_
Data data might allow an attacker id/5205
to exploit the deserializer to
impact code execution.
CVE ID : CVE-2021-34394
Bootloader contains a
vulnerability in NVIDIA MB2, https://nvidi
Out-of- which may cause free-the- a.custhelp.co
H-NVI-JETS-
bounds 22-Jun-21 2.1 wrong-heap, which may lead m/app/answ
020721/326
Write to limited denial of service. ers/detail/a_
id/5205
CVE ID : CVE-2021-34397
protectimus
slim_nfc_70
Protectimus SLIM NFC 70
10.01 devices allow a Time
Traveler attack in which
attackers can predict TOTP
passwords in certain
situations. The time value
used by the device can be set
Improper independently from the used H-PRO-SLIM-
Authenticati 16-Jun-21 1.9 seed value for generating N/A
020721/327
on time-based one-time
passwords, without
authentication. Thus, an
attacker with short-time
physical access to a device
can set the internal real-time
clock (RTC) to the future,
generate one-time

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 124 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
passwords, and reset the
clock to the current time. This
allows the generation of valid
future time-based one-time
passwords without having
further access to the
hardware token.
CVE ID : CVE-2021-32033
sing4g
4gee_router_hh70vb
An issue was discovered on
4GEE ROUTER HH70VB
Version HH70_E1_02.00_22.
Attackers can use https://ww
slowhttptest tool to send w.sing4g.co
incomplete HTTP request, m/product-
Uncontrolled
which could make server page/4gee- H-SIN-4GEE-
Resource 18-Jun-21 5
keep waiting for the packet to router- 020721/328
Consumption
finish the connection, until its hh70vb-4g-
resource exhausted. Then the 300mbps-
web server is denial-of- 2lan-32wifi
service.
CVE ID : CVE-2021-33822
Trendnet
tw100-s4w1ca
In TrendNet TW100-S4W1CA
2.3.32, due to a lack of proper
session controls, a threat
actor could make
unauthorized changes to an
Cross-Site affected router via a specially H-TRE-
Request crafted web page. If an
17-Jun-21 6.8 N/A TW10-
Forgery authenticated user were to 020721/329
(CSRF) interact with a malicious web
page it could allow for a
complete takeover of the
router.
CVE ID : CVE-2021-32424

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 125 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Improper
Neutralizatio In TrendNet TW100-S4W1CA
n of Input 2.3.32, it is possible to inject
arbitrary JavaScript into the H-TRE-
During Web
17-Jun-21 4.3 router's web interface via the N/A TW10-
Page
"echo" command. 020721/330
Generation
('Cross-site CVE ID : CVE-2021-32426
Scripting')
ui
camera_g3_flex
An issue was discovered in
UniFi Protect G3 FLEX
Camera Version
UVC.v4.30.0.67. Attackers can https://store
use slowhttptest tool to send .ui.com/colle
incomplete HTTP request, ctions/unifi-
Uncontrolled
which could make server protect- H-UI-CAME-
Resource 18-Jun-21 5
keep waiting for the packet to cameras/pro 020721/331
Consumption
finish the connection, until its ducts/unifi-
resource exhausted. Then the video-g3-
web server is denial-of- flex-camera
service.
CVE ID : CVE-2021-33818
An issue was discovered in
UniFi Protect G3 FLEX https://store
Camera Version .ui.com/colle
UVC.v4.30.0.67.Attacker ctions/unifi-
Uncontrolled could send a huge amount of protect- H-UI-CAME-
Resource 18-Jun-21 5 TCP SYN packet to make web cameras/pro 020721/332
Consumption service's resource exhausted. ducts/unifi-
Then the web server is video-g3-
denial-of-service. flex-camera
CVE ID : CVE-2021-33820
Operating System
bosch
b426-cn_firmware

N/A 18-Jun-21 6.8 This vulnerability could allow https://psirt.

O-BOS-B426-
an attacker to hijack a session bosch.com/s
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 126 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
while a user is logged in the ecurity- 020721/333
configuration web page. This advisories/b
vulnerability was discovered osch-sa-
by a security researcher in 196933-
B426 and found during bt.html
internal product tests in
B426-CN/B429-CN, and
B426-M and has been fixed
already starting from version
3.08 on, which was released
on June 2019.
CVE ID : CVE-2021-23845
b426-m_firmware
This vulnerability could allow
an attacker to hijack a session
while a user is logged in the
configuration web page. This
vulnerability was discovered https://psirt.
by a security researcher in bosch.com/s
B426 and found during ecurity-
O-BOS-B426-
N/A 18-Jun-21 6.8 internal product tests in advisories/b
020721/334
B426-CN/B429-CN, and osch-sa-
B426-M and has been fixed 196933-
already starting from version bt.html
3.08 on, which was released
on June 2019.
CVE ID : CVE-2021-23845
b426_firmware
This vulnerability could allow
an attacker to hijack a session
while a user is logged in the https://psirt.
configuration web page. This bosch.com/s
vulnerability was discovered ecurity-
O-BOS-B426-
N/A 18-Jun-21 6.8 by a security researcher in advisories/b
020721/335
B426 and found during osch-sa-
internal product tests in 196933-
B426-CN/B429-CN, and bt.html
B426-M and has been fixed
already starting from version

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 127 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
3.08 on, which was released
on June 2019.
CVE ID : CVE-2021-23845
When using http protocol, the
user password is transmitted
as a clear text parameter for https://psirt.
which it is possible to be bosch.com/s
Cleartext obtained by an attacker ecurity-
Transmissio through a MITM attack. This O-BOS-B426-
18-Jun-21 4.3 advisories/b
n of Sensitive will be fixed starting from 020721/336
osch-sa-
Information Firmware version 3.11.5, 196933-
which will be released on the bt.html
30th of June, 2021.
CVE ID : CVE-2021-23846
b429-cn_firmware
This vulnerability could allow
an attacker to hijack a session
while a user is logged in the
configuration web page. This
vulnerability was discovered https://psirt.
by a security researcher in bosch.com/s
B426 and found during ecurity-
O-BOS-B429-
N/A 18-Jun-21 6.8 internal product tests in advisories/b
020721/337
B426-CN/B429-CN, and osch-sa-
B426-M and has been fixed 196933-
already starting from version bt.html
3.08 on, which was released
on June 2019.
CVE ID : CVE-2021-23845
Cisco
asyncos
A vulnerability in the Cisco https://tools.
Advanced Malware cisco.com/se
Improper Protection (AMP) for curity/center O-CIS-ASYN-
Certificate 16-Jun-21 5.8 Endpoints integration of /content/Cis 020721/338
Validation Cisco AsyncOS for Cisco Email coSecurityAd
Security Appliance (ESA) and visory/cisco-
Cisco Web Security Appliance sa-esa-wsa-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 128 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
(WSA) could allow an cert-vali-
unauthenticated, remote n8L97RW
attacker to intercept traffic
between an affected device
and the AMP servers. This
vulnerability is due to
improper certificate
validation when an affected
device establishes TLS
connections. A man-in-the-
middle attacker could exploit
this vulnerability by sending
a crafted TLS packet to an
affected device. A successful
exploit could allow the
attacker to spoof a trusted
host and then extract
sensitive information or alter
certain API requests.
CVE ID : CVE-2021-1566
packaged_contact_center_enterprise
A vulnerability in the web-
based management interface
of Cisco Unified Intelligence
Center could allow an
unauthenticated, remote
Improper attacker to conduct a cross- https://tools.
Neutralizatio site scripting (XSS) attack cisco.com/se
n of Input against a user of the interface. curity/center
During Web This vulnerability exists /content/Cis O-CIS-PACK-
16-Jun-21 4.3 because the web-based
Page coSecurityAd 020721/339
Generation management interface does visory/cisco-
('Cross-site not properly validate user- sa-cuic-xss-
Scripting') supplied input. An attacker csHUdtrL
could exploit this
vulnerability by persuading a
user of the interface to click a
crafted link. A successful
exploit could allow the
attacker to execute arbitrary

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 129 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
script code in the context of
the interface or access
sensitive, browser-based
information.
CVE ID : CVE-2021-1395
sf220-24p_firmware
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying O-CIS-SF22-
Authenticati 16-Jun-21 9 coSecurityAd
operating system Conduct a 020721/340
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
https://tools.
Switches could allow an
cisco.com/se
attacker to do the following:
curity/center
Hijack a user session Execute
Insufficient /content/Cis
arbitrary commands as a root O-CIS-SF22-
Session 16-Jun-21 9.3 coSecurityAd
user on the underlying 020721/341
Expiration visory/cisco-
operating system Conduct a
sa-ciscosb-
cross-site scripting (XSS)
multivulns-
attack Conduct an HTML
Wwyb7s5E
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 130 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
CVE ID : CVE-2021-1542
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying O-CIS-SF22-
Authenticati 16-Jun-21 4.3 coSecurityAd
operating system Conduct a 020721/342
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
Improper attacker to do the following: cisco.com/se
Neutralizatio Hijack a user session Execute curity/center
n of Input arbitrary commands as a root /content/Cis
During Web user on the underlying O-CIS-SF22-
16-Jun-21 4.3 coSecurityAd
Page operating system Conduct a 020721/343
visory/cisco-
Generation cross-site scripting (XSS) sa-ciscosb-
('Cross-site attack Conduct an HTML multivulns-
Scripting') injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1571
sf220-24_firmware
Improper Multiple vulnerabilities in the https://tools. O-CIS-SF22-
Authenticati 16-Jun-21 9 web-based management cisco.com/se 020721/344
on interface of Cisco Small curity/center
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 131 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Business 220 Series Smart /content/Cis
Switches could allow an coSecurityAd
attacker to do the following: visory/cisco-
Hijack a user session Execute sa-ciscosb-
arbitrary commands as a root multivulns-
user on the underlying Wwyb7s5E
operating system Conduct a
cross-site scripting (XSS)
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Insufficient arbitrary commands as a root /content/Cis
user on the underlying O-CIS-SF22-
Session 16-Jun-21 9.3 coSecurityAd
operating system Conduct a 020721/345
Expiration visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1542

Multiple vulnerabilities in the https://tools.

web-based management cisco.com/se
interface of Cisco Small curity/center
Improper Business 220 Series Smart /content/Cis
O-CIS-SF22-
Authenticati 16-Jun-21 4.3 Switches could allow an coSecurityAd
020721/346
on attacker to do the following: visory/cisco-
Hijack a user session Execute sa-ciscosb-
arbitrary commands as a root multivulns-
user on the underlying Wwyb7s5E
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 132 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
operating system Conduct a
cross-site scripting (XSS)
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
Improper attacker to do the following: cisco.com/se
Neutralizatio Hijack a user session Execute curity/center
n of Input arbitrary commands as a root /content/Cis
During Web user on the underlying O-CIS-SF22-
16-Jun-21 4.3 coSecurityAd
Page operating system Conduct a 020721/347
visory/cisco-
Generation cross-site scripting (XSS) sa-ciscosb-
('Cross-site attack Conduct an HTML multivulns-
Scripting') injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1571
sf220-48p_firmware
Multiple vulnerabilities in the
web-based management
interface of Cisco Small https://tools.
Business 220 Series Smart cisco.com/se
Switches could allow an curity/center
Improper attacker to do the following: /content/Cis
O-CIS-SF22-
Authenticati 16-Jun-21 9 Hijack a user session Execute coSecurityAd
020721/348
on arbitrary commands as a root visory/cisco-
user on the underlying sa-ciscosb-
operating system Conduct a multivulns-
cross-site scripting (XSS) Wwyb7s5E
attack Conduct an HTML
injection attack For more

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 133 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Insufficient arbitrary commands as a root /content/Cis
user on the underlying O-CIS-SF22-
Session 16-Jun-21 9.3 coSecurityAd
operating system Conduct a 020721/349
Expiration visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1542
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying O-CIS-SF22-
Authenticati 16-Jun-21 4.3 coSecurityAd
operating system Conduct a 020721/350
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543

Improper 16-Jun-21 4.3 Multiple vulnerabilities in the https://tools. O-CIS-SF22-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 134 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Neutralizatio web-based management cisco.com/se 020721/351
n of Input interface of Cisco Small curity/center
During Web Business 220 Series Smart /content/Cis
Page Switches could allow an coSecurityAd
Generation attacker to do the following: visory/cisco-
('Cross-site Hijack a user session Execute sa-ciscosb-
Scripting') arbitrary commands as a root multivulns-
user on the underlying Wwyb7s5E
operating system Conduct a
cross-site scripting (XSS)
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1571
sf220-48_firmware
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying O-CIS-SF22-
Authenticati 16-Jun-21 9 coSecurityAd
operating system Conduct a 020721/352
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541
Multiple vulnerabilities in the https://tools.
Insufficient web-based management cisco.com/se O-CIS-SF22-
Session 16-Jun-21 9.3 interface of Cisco Small curity/center 020721/353
Expiration Business 220 Series Smart /content/Cis
Switches could allow an coSecurityAd

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 135 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
attacker to do the following: visory/cisco-
Hijack a user session Execute sa-ciscosb-
arbitrary commands as a root multivulns-
user on the underlying Wwyb7s5E
operating system Conduct a
cross-site scripting (XSS)
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1542
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying O-CIS-SF22-
Authenticati 16-Jun-21 4.3 coSecurityAd
operating system Conduct a 020721/354
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543
Multiple vulnerabilities in the
web-based management https://tools.
Improper
interface of Cisco Small cisco.com/se
Neutralizatio
Business 220 Series Smart curity/center
n of Input
Switches could allow an /content/Cis
During Web O-CIS-SF22-
16-Jun-21 4.3 attacker to do the following: coSecurityAd
Page 020721/355
Hijack a user session Execute visory/cisco-
Generation
arbitrary commands as a root sa-ciscosb-
('Cross-site
user on the underlying multivulns-
Scripting')
operating system Conduct a Wwyb7s5E
cross-site scripting (XSS)
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 136 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1571
sg220-26p_firmware
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying O-CIS-SG22-
Authenticati 16-Jun-21 9 coSecurityAd
operating system Conduct a 020721/356
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart https://tools.
Switches could allow an cisco.com/se
attacker to do the following: curity/center
Insufficient Hijack a user session Execute /content/Cis
O-CIS-SG22-
Session 16-Jun-21 9.3 arbitrary commands as a root coSecurityAd
020721/357
Expiration user on the underlying visory/cisco-
operating system Conduct a sa-ciscosb-
cross-site scripting (XSS) multivulns-
attack Conduct an HTML Wwyb7s5E
injection attack For more
information about these
vulnerabilities, see the Details

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 137 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
section of this advisory.
CVE ID : CVE-2021-1542
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying O-CIS-SG22-
Authenticati 16-Jun-21 4.3 coSecurityAd
operating system Conduct a 020721/358
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
Improper attacker to do the following: cisco.com/se
Neutralizatio Hijack a user session Execute curity/center
n of Input arbitrary commands as a root /content/Cis
During Web user on the underlying O-CIS-SG22-
16-Jun-21 4.3 coSecurityAd
Page operating system Conduct a 020721/359
visory/cisco-
Generation cross-site scripting (XSS) sa-ciscosb-
('Cross-site attack Conduct an HTML multivulns-
Scripting') injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1571
sg220-26_firmware

Improper 16-Jun-21 9 Multiple vulnerabilities in the https://tools. O-CIS-SG22-

Authenticati web-based management cisco.com/se 020721/360
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 138 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
on interface of Cisco Small curity/center
Business 220 Series Smart /content/Cis
Switches could allow an coSecurityAd
attacker to do the following: visory/cisco-
Hijack a user session Execute sa-ciscosb-
arbitrary commands as a root multivulns-
user on the underlying Wwyb7s5E
operating system Conduct a
cross-site scripting (XSS)
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Insufficient arbitrary commands as a root /content/Cis
user on the underlying O-CIS-SG22-
Session 16-Jun-21 9.3 coSecurityAd
operating system Conduct a 020721/361
Expiration visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1542
Multiple vulnerabilities in the https://tools.
web-based management cisco.com/se
Improper interface of Cisco Small curity/center
Authenticati 16-Jun-21 4.3 Business 220 Series Smart /content/Cis O-CIS-SG22-
on Switches could allow an coSecurityAd 020721/362
attacker to do the following: visory/cisco-
Hijack a user session Execute sa-ciscosb-
arbitrary commands as a root multivulns-
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 139 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
user on the underlying Wwyb7s5E
operating system Conduct a
cross-site scripting (XSS)
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
Improper attacker to do the following: cisco.com/se
Neutralizatio Hijack a user session Execute curity/center
n of Input arbitrary commands as a root /content/Cis
During Web user on the underlying O-CIS-SG22-
16-Jun-21 4.3 coSecurityAd
Page operating system Conduct a 020721/363
visory/cisco-
Generation cross-site scripting (XSS) sa-ciscosb-
('Cross-site attack Conduct an HTML multivulns-
Scripting') injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1571
sg220-28mp_firmware
Multiple vulnerabilities in the
web-based management https://tools.
interface of Cisco Small cisco.com/se
Business 220 Series Smart curity/center
Improper Switches could allow an /content/Cis
attacker to do the following: O-CIS-SG22-
Authenticati 16-Jun-21 9 coSecurityAd
Hijack a user session Execute 020721/364
on visory/cisco-
arbitrary commands as a root sa-ciscosb-
user on the underlying multivulns-
operating system Conduct a Wwyb7s5E
cross-site scripting (XSS)
attack Conduct an HTML

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 140 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Insufficient arbitrary commands as a root /content/Cis
user on the underlying O-CIS-SG22-
Session 16-Jun-21 9.3 coSecurityAd
operating system Conduct a 020721/365
Expiration visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1542
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying O-CIS-SG22-
Authenticati 16-Jun-21 4.3 coSecurityAd
operating system Conduct a 020721/366
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 141 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
Improper attacker to do the following: cisco.com/se
Neutralizatio Hijack a user session Execute curity/center
n of Input arbitrary commands as a root /content/Cis
During Web user on the underlying O-CIS-SG22-
16-Jun-21 4.3 coSecurityAd
Page operating system Conduct a 020721/367
visory/cisco-
Generation cross-site scripting (XSS) sa-ciscosb-
('Cross-site attack Conduct an HTML multivulns-
Scripting') injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1571
sg220-50p_firmware
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying O-CIS-SG22-
Authenticati 16-Jun-21 9 coSecurityAd
operating system Conduct a 020721/368
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541

Insufficient Multiple vulnerabilities in the https://tools.

Session 16-Jun-21 9.3 web-based management cisco.com/se O-CIS-SG22-
Expiration interface of Cisco Small curity/center 020721/369
Business 220 Series Smart /content/Cis

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 142 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Switches could allow an coSecurityAd
attacker to do the following: visory/cisco-
Hijack a user session Execute sa-ciscosb-
arbitrary commands as a root multivulns-
user on the underlying Wwyb7s5E
operating system Conduct a
cross-site scripting (XSS)
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1542
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying O-CIS-SG22-
Authenticati 16-Jun-21 4.3 coSecurityAd
operating system Conduct a 020721/370
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543
Multiple vulnerabilities in the https://tools.
Improper web-based management cisco.com/se
Neutralizatio interface of Cisco Small curity/center
n of Input Business 220 Series Smart /content/Cis
During Web Switches could allow an O-CIS-SG22-
16-Jun-21 4.3 coSecurityAd
Page attacker to do the following: 020721/371
visory/cisco-
Generation Hijack a user session Execute sa-ciscosb-
('Cross-site arbitrary commands as a root multivulns-
Scripting') user on the underlying Wwyb7s5E
operating system Conduct a
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 143 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
cross-site scripting (XSS)
attack Conduct an HTML
injection attack For more
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1571
sg220-50_firmware
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying O-CIS-SG22-
Authenticati 16-Jun-21 9 coSecurityAd
operating system Conduct a 020721/372
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1541
Multiple vulnerabilities in the
web-based management
interface of Cisco Small https://tools.
Business 220 Series Smart cisco.com/se
Switches could allow an curity/center
Insufficient attacker to do the following: /content/Cis
Hijack a user session Execute O-CIS-SG22-
Session 16-Jun-21 9.3 coSecurityAd
arbitrary commands as a root 020721/373
Expiration visory/cisco-
user on the underlying sa-ciscosb-
operating system Conduct a multivulns-
cross-site scripting (XSS) Wwyb7s5E
attack Conduct an HTML
injection attack For more
information about these

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 144 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1542
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
attacker to do the following: cisco.com/se
Hijack a user session Execute curity/center
Improper arbitrary commands as a root /content/Cis
user on the underlying O-CIS-SG22-
Authenticati 16-Jun-21 4.3 coSecurityAd
operating system Conduct a 020721/374
on visory/cisco-
cross-site scripting (XSS) sa-ciscosb-
attack Conduct an HTML multivulns-
injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1543
Multiple vulnerabilities in the
web-based management
interface of Cisco Small
Business 220 Series Smart
Switches could allow an https://tools.
Improper attacker to do the following: cisco.com/se
Neutralizatio Hijack a user session Execute curity/center
n of Input arbitrary commands as a root /content/Cis
During Web user on the underlying O-CIS-SG22-
16-Jun-21 4.3 coSecurityAd
Page operating system Conduct a 020721/375
visory/cisco-
Generation cross-site scripting (XSS) sa-ciscosb-
('Cross-site attack Conduct an HTML multivulns-
Scripting') injection attack For more Wwyb7s5E
information about these
vulnerabilities, see the Details
section of this advisory.
CVE ID : CVE-2021-1571
unified_contact_center_enterprise

Improper 16-Jun-21 4.3 A vulnerability in the web- https://tools. O-CIS-UNIF-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 145 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Neutralizatio based management interface cisco.com/se 020721/376
n of Input of Cisco Unified Intelligence curity/center
During Web Center could allow an /content/Cis
Page unauthenticated, remote coSecurityAd
Generation attacker to conduct a cross- visory/cisco-
('Cross-site site scripting (XSS) attack sa-cuic-xss-
Scripting') against a user of the interface. csHUdtrL
This vulnerability exists
because the web-based
management interface does
not properly validate user-
supplied input. An attacker
could exploit this
vulnerability by persuading a
user of the interface to click a
crafted link. A successful
exploit could allow the
attacker to execute arbitrary
script code in the context of
the interface or access
sensitive, browser-based
information.
CVE ID : CVE-2021-1395
unified_contact_center_express
A vulnerability in the web-
based management interface
of Cisco Unified Intelligence
Center could allow an
Improper unauthenticated, remote https://tools.
Neutralizatio attacker to conduct a cross- cisco.com/se
n of Input site scripting (XSS) attack curity/center
During Web against a user of the interface. /content/Cis O-CIS-UNIF-
16-Jun-21 4.3
Page This vulnerability exists coSecurityAd 020721/377
Generation because the web-based visory/cisco-
('Cross-site management interface does sa-cuic-xss-
Scripting') not properly validate user- csHUdtrL
supplied input. An attacker
could exploit this
vulnerability by persuading a
user of the interface to click a

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 146 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
crafted link. A successful
exploit could allow the
attacker to execute arbitrary
script code in the context of
the interface or access
sensitive, browser-based
information.
CVE ID : CVE-2021-1395
unified_intelligence_center
A vulnerability in the web-
based management interface
of Cisco Unified Intelligence
Center could allow an
unauthenticated, remote
attacker to conduct a cross-
site scripting (XSS) attack
against a user of the interface.
Improper This vulnerability exists https://tools.
Neutralizatio because the web-based cisco.com/se
n of Input management interface does curity/center
During Web not properly validate user- /content/Cis O-CIS-UNIF-
16-Jun-21 4.3 supplied input. An attacker
Page coSecurityAd 020721/378
Generation could exploit this visory/cisco-
('Cross-site vulnerability by persuading a sa-cuic-xss-
Scripting') user of the interface to click a csHUdtrL
crafted link. A successful
exploit could allow the
attacker to execute arbitrary
script code in the context of
the interface or access
sensitive, browser-based
information.
CVE ID : CVE-2021-1395
contiki-ng
contiki-ng

Out-of- Contiki-NG is an open-source, https://githu O-CON-

bounds 18-Jun-21 5 cross-platform operating b.com/contik CONT-
Write system for internet of things i-ng/contiki- 020721/379
devices. The RPL-Classic and ng/pull/143
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 147 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
RPL-Lite implementations in 1,
the Contiki-NG operating https://githu
system versions prior to 4.6 b.com/contik
do not validate the address i-ng/contiki-
pointer in the RPL source ng/security/
routing header This makes it advisories/G
possible for an attacker to HSA-mvc7-
cause out-of-bounds writes 9p4q-c5cm
with packets injected into the
network stack. Specifically,
the problem lies in the
rpl_ext_header_srh_update
function in the two rpl-ext-
header.c modules for RPL-
Classic and RPL-Lite
respectively. The addr_ptr
variable is calculated using an
unvalidated CMPR field value
from the source routing
header. An out-of-bounds
write can be triggered on line
151 in os/net/routing/rpl-
lite/rpl-ext-header.c and line
261 in os/net/routing/rpl-
classic/rpl-ext-header.c,
which contain the following
memcpy call with addr_ptr as
destination. The problem has
been patched in Contiki-NG
4.6. Users can apply a patch
out-of-band as a workaround.
CVE ID : CVE-2021-21257
Contiki-NG is an open-source, https://githu
Loop with cross-platform operating b.com/contik
Unreachable system for internet of things i-ng/contiki- O-CON-
Exit devices. In verions prior to
18-Jun-21 7.8 ng/security/ CONT-
Condition 4.6, an attacker can perform a advisories/G 020721/380
('Infinite denial-of-service attack by HSA-rr5j-
Loop') triggering an infinite loop in j8m8-fc4f
the processing of IPv6

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 148 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
neighbor solicitation (NS)
messages. This type of attack
can effectively shut down the
operation of the system
because of the cooperative
scheduling used for the main
parts of Contiki-NG and its
communication stack. The
problem has been patched in
Contiki-NG 4.6. Users can
apply the patch for this
vulnerability out-of-band as a
workaround.
CVE ID : CVE-2021-21279
Contiki-NG is an open-source,
cross-platform operating
system for internet of things
devices. It is possible to cause
an out-of-bounds write in https://githu
versions of Contiki-NG prior b.com/contik
to 4.6 when transmitting a i-ng/contiki-
6LoWPAN packet with a ng/pull/140
chain of extension headers. 9,
Out-of- Unfortunately, the written O-CON-
https://githu
bounds 18-Jun-21 7.5 header is not checked to be CONT-
b.com/contik
Write within the available space, 020721/381
i-ng/contiki-
thereby making it possible to ng/security/
write outside the buffer. The advisories/G
problem has been patched in HSA-r768-
Contiki-NG 4.6. Users can hrhf-v592
apply the patch for this
vulnerability out-of-band as a
workaround.
CVE ID : CVE-2021-21280
Buffer Copy Contiki-NG is an open-source, https://githu
without cross-platform operating b.com/contik O-CON-
Checking 18-Jun-21 7.5 system for internet of things i-ng/contiki- CONT-
Size of Input devices. A buffer overflow ng/pull/136 020721/382
('Classic vulnerability exists in 6,
Buffer Contiki-NG versions prior to https://githu
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 149 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Overflow') 4.6. After establishing a TCP b.com/contik
socket using the tcp-socket i-ng/contiki-
library, it is possible for the ng/security/
remote end to send a packet advisories/G
with a data offset that is HSA-mc42-
unvalidated. The problem has fqfr-h9fp
been patched in Contiki-NG
4.6. Users can apply the patch
for this vulnerability out-of-
band as a workaround.
CVE ID : CVE-2021-21281
Contiki-NG is an open-source,
cross-platform operating
system for internet of things https://githu
devices. In versions prior to b.com/contik
4.5, buffer overflow can be i-ng/contiki-
Buffer Copy
triggered by an input packet ng/pull/118
without
when using either of Contiki- 3,
Checking O-CON-
NG's two RPL https://githu
Size of Input 18-Jun-21 7.5 CONT-
implementations in source- b.com/contik
('Classic 020721/383
routing mode. The problem i-ng/contiki-
Buffer
has been patched in Contiki- ng/security/
Overflow')
NG 4.5. Users can apply the advisories/G
patch for this vulnerability HSA-6xf2-
out-of-band as a workaround. 77gf-fgjx

CVE ID : CVE-2021-21282
Contiki-NG is an open-source,
cross-platform operating https://githu
system for Next-Generation b.com/contik
IoT devices. An out-of-bounds i-ng/contiki-
read can be triggered by ng/security/
6LoWPAN packets sent to advisories/G
O-CON-
Out-of- devices running Contiki-NG HSA-hhwj-
18-Jun-21 6.4 CONT-
bounds Read 4.6 and prior. The IPv6 2p59-v8p9,
020721/384
header decompression https://githu
function b.com/contik
(<code>uncompress_hdr_iph i-ng/contiki-
c</code>) does not perform ng/pull/148
proper boundary checks 2
when reading from the
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 150 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
packet buffer. Hence, it is
possible to construct a
compressed 6LoWPAN
packet that will read more
bytes than what is available
from the packet buffer. As of
time of publication, there is
not a release with a patch
available. Users can apply the
patch for this vulnerability
out-of-band as a workaround.
CVE ID : CVE-2021-21410
Dlink
dir-2640-us_firmware
D-Link DIR-2640-US 1.01B04
is vulnerable to Buffer
Overflow. There are multiple
out-of-bounds vulnerabilities
in some processes of D-Link https://ww
Out-of-
AC2600(DIR-2640). Local w.dlink.com/ O-DLI-DIR--
bounds 16-Jun-21 3.6
ordinary users can overwrite en/security- 020721/385
Write
the global variables in the bulletin/
.bss section, causing the
process crashes or changes.
CVE ID : CVE-2021-34201
There are multiple out-of-
bounds vulnerabilities in
some processes of D-Link
AC2600(DIR-2640) 1.01B04.
Ordinary permissions can be https://ww
elevated to administrator w.dlink.com/
Out-of-
permissions, resulting in local en/security- O-DLI-DIR--
bounds 16-Jun-21 7.2
arbitrary code execution. An bulletin/, 020721/386
Write
attacker can combine other http://d-
vulnerabilities to further link.com
achieve the purpose of
remote code execution.
CVE ID : CVE-2021-34202

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 151 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
D-Link DIR-2640-US 1.01B04
is vulnerable to Incorrect
Access Control. Router
ac2600 (dir-2640-us), when
setting PPPoE, will start
quagga process in the way of
whole network monitoring,
and this function uses the
original default password and https://ww
port. An attacker can easily w.dlink.com/
Incorrect
use telnet to log in, modify en/security- O-DLI-DIR--
Authorizatio 16-Jun-21 4.8
routing information, monitor bulletin/, 020721/387
n
the traffic of all devices under http://d-
the router, hijack DNS and link.com
phishing attacks. In addition,
this interface is likely to be
questioned by customers as a
backdoor, because the
interface should not be
exposed.
CVE ID : CVE-2021-34203
D-Link DIR-2640-US 1.01B04
is affected by Insufficiently
Protected Credentials. D-Link
AC2600(DIR-2640) stores the
device system account
password in plain text. It does
not use linux user https://ww
Insufficiently management. In addition, the w.dlink.com/ O-DLI-DIR--
Protected 16-Jun-21 7.2 passwords of all devices are en/security- 020721/388
Credentials the same, and they cannot be bulletin/
modified by normal users. An
attacker can easily log in to
the target router through the
serial port and obtain root
privileges.
CVE ID : CVE-2021-34204
GE
reason_rpv311_firmware

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 152 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
This vulnerability allows
remote attackers to execute
arbitrary code on affected
installations of GE Reason
RPV311 14A03. https://ww
Authentication is not w.gegridsolu
required to exploit this tions.com/pr
vulnerability. The specific oducts/supp
Use of Hard- flaw exists within the ort/GES-
firmware and filesystem of O-GE-REAS-
coded 16-Jun-21 7.5 2021-
the device. The firmware and 020721/389
Credentials 005%20-
filesystem contain hard- %20RPV311
coded default credentials. An %20Security
attacker can leverage this %20Notice.p
vulnerability to execute code df
in the context of the
download user. Was ZDI-
CAN-11852.
CVE ID : CVE-2021-31477
Google
android
In updateDrawable of
StatusBarIconView.java,
there is a possible permission
bypass due to an uncaught
exception. This could lead to
local escalation of privilege
by running foreground https://sour
Improper services without notifying the ce.android.co O-GOO-
Handling of user, with User execution
21-Jun-21 7.2 m/security/ ANDR-
Exceptional privileges needed. User bulletin/202 020721/390
Conditions interaction is not needed for 1-06-01
exploitation.Product:
AndroidVersions: Android-10
Android-11 Android-8.1
Android-9Android ID: A-
169255797
CVE ID : CVE-2021-0478

Out-of- 21-Jun-21 3.3 In avrc_pars_browse_rsp of https://sour O-GOO-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 153 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
bounds Read avrc_pars_ct.cc, there is a ce.android.co ANDR-
possible out of bounds read m/security/ 020721/391
due to a missing bounds bulletin/202
check. This could lead to 1-06-01
remote information
disclosure over Bluetooth
with no additional execution
privileges needed. User
interaction is not needed for
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-179162665
CVE ID : CVE-2021-0504
In the Settings app, there is a
possible way to disable an
always-on VPN due to a
missing permission check.
This could lead to local https://sour
Incorrect escalation of privilege with ce.android.co O-GOO-
Authorizatio 21-Jun-21 7.2 no additional execution m/security/ ANDR-
n privileges needed. User bulletin/202 020721/392
interaction is not needed for 1-06-01
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-179975048
CVE ID : CVE-2021-0505
In ActivityPicker.java, there is
a possible bypass of user
interaction in intent
resolution due to a
Improper tapjacking/overlay attack. https://sour
Restriction This could lead to local ce.android.co O-GOO-
of Rendered 21-Jun-21 6.9 escalation of privilege with m/security/ ANDR-
UI Layers or User execution privileges bulletin/202 020721/393
Frames needed. User interaction is 1-06-01
needed for
exploitation.Product:
AndroidVersions: Android-10
Android-11 Android-8.1
Android-9Android ID: A-
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 154 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
181962311
CVE ID : CVE-2021-0506
In handle_rc_metamsg_cmd of
btif_rc.cc, there is a possible
out of bounds write due to a
missing bounds check. This
could lead to remote code
execution over Bluetooth https://sour
Out-of- with no additional execution ce.android.co O-GOO-
bounds 21-Jun-21 8.3 privileges needed. User m/security/ ANDR-
Write interaction is not needed for bulletin/202 020721/394
exploitation.Product: 1-06-01
AndroidVersions: Android-11
Android-8.1 Android-9
Android-10Android ID: A-
181860042
CVE ID : CVE-2021-0507
In various functions of
DrmPlugin.cpp, there is a
possible use after free due to
Concurrent a race condition. This could
Execution lead to local escalation of
using Shared privilege with no additional https://sour
Resource execution privileges needed. ce.android.co O-GOO-
with 21-Jun-21 6.9 User interaction is not m/security/ ANDR-
Improper needed for bulletin/202 020721/395
Synchronizat exploitation.Product: 1-06-01
ion ('Race AndroidVersions: Android-
Condition') 8.1 Android-9 Android-10
Android-11Android ID: A-
176444154
CVE ID : CVE-2021-0508
Concurrent In various functions of
Execution CryptoPlugin.cpp, there is a https://sour
using Shared possible use after free due to ce.android.co O-GOO-
Resource 21-Jun-21 4.4 a race condition. This could m/security/ ANDR-
with lead to local escalation of bulletin/202 020721/396
Improper privilege with no additional 1-06-01
Synchronizat execution privileges needed.

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 155 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
ion ('Race User interaction is not
Condition') needed for
exploitation.Product:
AndroidVersions: Android-9
Android-10 Android-11
Android-8.1Android ID: A-
176444161
CVE ID : CVE-2021-0509
In decrypt_1_2 of
CryptoPlugin.cpp, there is a
possible out of bounds write
due to an integer overflow.
This could lead to local
escalation of privilege with https://sour
Out-of- no additional execution ce.android.co O-GOO-
bounds 21-Jun-21 4.6 privileges needed. User m/security/ ANDR-
Write interaction is not needed for bulletin/202 020721/397
exploitation.Product: 1-06-01
AndroidVersions: Android-9
Android-10 Android-11
Android-8.1Android ID: A-
176444622
CVE ID : CVE-2021-0510
In Dex2oat of dex2oat.cc,
there is a possible way to
inject bytecode into an app
due to improper input
validation. This could lead to
local escalation of privilege https://sour
Improper with no additional execution ce.android.co O-GOO-
Input 21-Jun-21 4.6 privileges needed. User m/security/ ANDR-
Validation interaction is not needed for bulletin/202 020721/398
exploitation.Product: 1-06-01
AndroidVersions: Android-9
Android-10 Android-
11Android ID: A-178055795
CVE ID : CVE-2021-0511
Out-of- 21-Jun-21 4.6 In https://sour O-GOO-
bounds __hidinput_change_resolution ce.android.co ANDR-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 156 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Write _multipliers of hid-input.c, m/security/ 020721/399
there is a possible out of bulletin/202
bounds write due to a heap 1-06-01
buffer overflow. This could
lead to local escalation of
privilege with no additional
execution privileges needed.
User interaction is not
needed for
exploitation.Product:
AndroidVersions: Android
kernelAndroid ID: A-
173843328References:
Upstream kernel
CVE ID : CVE-2021-0512
In deleteNotificationChannel
and related functions of
NotificationManagerService.j
ava, there is a possible
permission bypass due to
improper state validation.
This could lead to local
escalation of privilege via https://sour
Improper hidden services with no ce.android.co O-GOO-
Privilege 21-Jun-21 4.6 additional execution m/security/ ANDR-
Management privileges needed. User bulletin/202 020721/400
interaction is not needed for 1-06-01
exploitation.Product:
AndroidVersions: Android-9
Android-10 Android-11
Android-8.1Android ID: A-
156090809
CVE ID : CVE-2021-0513
In p2p_process_prov_disc_req
of p2p_pd.c, there is a https://sour
possible out of bounds read ce.android.co O-GOO-
Out-of-
21-Jun-21 7.5 and write due to a use after m/security/ ANDR-
bounds Read
free. This could lead to bulletin/202 020721/401
remote escalation of privilege 1-06-01
with no additional execution
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 157 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
privileges needed. User
interaction is not needed for
exploitation.Product:
AndroidVersions: Android-11
Android-8.1 Android-9
Android-10Android ID: A-
181660448
CVE ID : CVE-2021-0516
In updateCapabilities of
ConnectivityService.java,
there is a possible incorrect
network state determination
due to a logic error in the
code. This could lead to
biasing of networking tasks
Always- to occur on non-VPN https://sour
Incorrect networks, which could lead to ce.android.co O-GOO-
Control Flow 21-Jun-21 5 remote information m/security/ ANDR-
Implementat disclosure, with no additional bulletin/202 020721/402
ion execution privileges needed. 1-06-01
User interaction is not
needed for
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-179053823
CVE ID : CVE-2021-0517
In several functions of
MemoryFileSystem.cpp and
related files, there is a
Concurrent
possible use after free due to
Execution
a race condition. This could
using Shared https://sour
lead to local escalation of
Resource ce.android.co O-GOO-
privilege with no additional
with 21-Jun-21 4.4 m/security/ ANDR-
execution privileges needed.
Improper bulletin/202 020721/403
User interaction is not
Synchronizat 1-06-01
needed for
ion ('Race
exploitation.Product:
Condition')
AndroidVersions: Android-11
Android-10Android ID: A-
176237595
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 158 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
CVE ID : CVE-2021-0520
In getAllPackages of
PackageManagerService,
there is a possible
information disclosure due to
a missing permission check.
This could lead to local
information disclosure of https://sour
Missing cross-user permissions with ce.android.co O-GOO-
Authorizatio 21-Jun-21 2.1 no additional execution m/security/ ANDR-
n privileges needed. User bulletin/202 020721/404
interaction is not needed for 1-06-01
exploitation.Product:
AndroidVersions: Android-11
Android-8.1 Android-9
Android-10Android ID: A-
174661955
CVE ID : CVE-2021-0521
In ConnectionHandler::SdpCb
of connection_handler.cc,
there is a possible out of
bounds read due to a use
after free. This could lead to
remote information https://sour
disclosure with no additional ce.android.co O-GOO-
Out-of- execution privileges needed.
21-Jun-21 5 m/security/ ANDR-
bounds Read User interaction is not bulletin/202 020721/405
needed for 1-06-01
exploitation.Product:
AndroidVersions: Android-11
Android-9 Android-
10Android ID: A-174182139
CVE ID : CVE-2021-0522

Improper In onCreate of https://sour

Restriction WifiScanModeActivity.java, ce.android.co O-GOO-
of Rendered 21-Jun-21 4.4 there is a possible way to m/security/ ANDR-
UI Layers or enable Wi-Fi scanning bulletin/202 020721/406
Frames without user consent due to a 1-06-01
tapjacking/overlay attack.

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 159 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
This could lead to local
escalation of privilege with
User execution privileges
needed. User interaction is
needed for
exploitation.Product:
AndroidVersions: Android-10
Android-11Android ID: A-
174047492
CVE ID : CVE-2021-0523
In memory management
driver, there is a possible out
of bounds write due to a use
after free. This could lead to
local escalation of privilege https://sour
Out-of- with no additional execution ce.android.co O-GOO-
bounds 21-Jun-21 4.6 privileges needed. User m/security/ ANDR-
Write interaction is not needed for bulletin/202 020721/407
exploitation.Product: 1-06-01
AndroidVersions: Android
SoCAndroid ID: A-185193929
CVE ID : CVE-2021-0525
In memory management
driver, there is a possible out
of bounds write due to
uninitialized data. This could
lead to local escalation of https://sour
Out-of- privilege with no additional ce.android.co O-GOO-
bounds 21-Jun-21 4.6 execution privileges needed. m/security/ ANDR-
Write User interaction is not bulletin/202 020721/408
needed for 1-06-01
exploitation.Product:
AndroidVersions: Android
SoCAndroid ID: A-185195264
CVE ID : CVE-2021-0526
In memory management https://sour O-GOO-
Use After driver, there is a possible ce.android.co ANDR-
21-Jun-21 4.6
Free memory corruption due to a m/security/ 020721/409
use after free. This could lead bulletin/202

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 160 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
to local escalation of privilege 1-06-01
with no additional execution
privileges needed. User
interaction is not needed for
exploitation.Product:
AndroidVersions: Android
SoCAndroid ID: A-185193931
CVE ID : CVE-2021-0527
In memory management
driver, there is a possible
memory corruption due to a
double free. This could lead
to local escalation of privilege https://sour
with no additional execution ce.android.co O-GOO-
Double Free 21-Jun-21 4.6 privileges needed. User m/security/ ANDR-
interaction is not needed for bulletin/202 020721/410
exploitation.Product: 1-06-01
AndroidVersions: Android
SoCAndroid ID: A-185195266
CVE ID : CVE-2021-0528
In memory management
driver, there is a possible
memory corruption due to
improper locking. This could
lead to local escalation of https://sour
privilege with no additional ce.android.co O-GOO-
Improper execution privileges needed.
21-Jun-21 4.6 m/security/ ANDR-
Locking User interaction is not bulletin/202 020721/411
needed for 1-06-01
exploitation.Product:
AndroidVersions: Android
SoCAndroid ID: A-185195268
CVE ID : CVE-2021-0529
In memory management https://sour
Out-of- driver, there is a possible out ce.android.co O-GOO-
bounds 21-Jun-21 4.6 of bounds write due to m/security/ ANDR-
Write uninitialized data. This could bulletin/202 020721/412
lead to local escalation of 1-06-01
privilege with no additional

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 161 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
execution privileges needed.
User interaction is not
needed for
exploitation.Product:
AndroidVersions: Android
SoCAndroid ID: A-185196175
CVE ID : CVE-2021-0530
In memory management
driver, there is a possible
memory corruption due to a
use after free. This could lead
to local escalation of privilege https://sour
with no additional execution ce.android.co O-GOO-
Use After
21-Jun-21 4.6 privileges needed. User m/security/ ANDR-
Free
interaction is not needed for bulletin/202 020721/413
exploitation.Product: 1-06-01
AndroidVersions: Android
SoCAndroid ID: A-185195272
CVE ID : CVE-2021-0531
In memory management
driver, there is a possible
Concurrent memory corruption due to a
Execution race condition. This could
using Shared lead to local escalation of https://sour
Resource privilege with no additional ce.android.co O-GOO-
with 21-Jun-21 4.4 execution privileges needed. m/security/ ANDR-
Improper User interaction is not bulletin/202 020721/414
Synchronizat needed for 1-06-01
ion ('Race exploitation.Product:
Condition') AndroidVersions: Android
SoCAndroid ID: A-185196177
CVE ID : CVE-2021-0532
Concurrent In memory management
Execution driver, there is a possible https://sour
using Shared memory corruption due to a ce.android.co O-GOO-
Resource 21-Jun-21 4.4 race condition. This could m/security/ ANDR-
with lead to local escalation of bulletin/202 020721/415
Improper privilege with no additional 1-06-01
Synchronizat execution privileges needed.

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 162 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
ion ('Race User interaction is not
Condition') needed for
exploitation.Product:
AndroidVersions: Android
SoCAndroid ID: A-185193932
CVE ID : CVE-2021-0533
In permission declarations of
DeviceAdminReceiver.java,
there is a possible lack of
broadcast protection due to
an insecure default value. https://sour
Insecure This could lead to local ce.android.co
escalation of privilege with O-GOO-
Default m/security/
22-Jun-21 4.6 no additional execution ANDR-
Initialization bulletin/pixe
privileges needed. User 020721/416
of Resource l/2021-06-
interaction is not needed for 01
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-170639543
CVE ID : CVE-2021-0534
In
wpas_ctrl_msg_queue_timeou
t of ctrl_iface_unix.c, there is a
possible memory corruption
due to a use after free. This https://sour
could lead to local escalation ce.android.co
of privilege with System O-GOO-
Use After m/security/
22-Jun-21 4.6 execution privileges needed. ANDR-
Free bulletin/pixe
User interaction is not 020721/417
l/2021-06-
needed for 01
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-168314741
CVE ID : CVE-2021-0535
Externally In dropFile of WiFiInstaller, https://sour
Controlled there is a way to delete files ce.android.co O-GOO-
Reference to 22-Jun-21 4.6 accessible to CertInstaller m/security/ ANDR-
a Resource in due to a confused deputy. bulletin/pixe 020721/418
Another This could lead to local l/2021-06-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 163 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Sphere escalation of privilege with 01
no additional execution
privileges needed. User
interaction is not needed for
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-176756691
CVE ID : CVE-2021-0536
In onCreate of
WiFiInstaller.java, there is a
possible way to install a
malicious Hotspot 2.0
configuration due to a
tapjacking/overlay attack. https://sour
Improper
This could lead to local ce.android.co
Restriction O-GOO-
escalation of privilege with m/security/
of Rendered 22-Jun-21 4.4 ANDR-
User execution privileges bulletin/pixe
UI Layers or 020721/419
needed. User interaction is l/2021-06-
Frames
needed for 01
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-176756141
CVE ID : CVE-2021-0537
In onCreate of
EmergencyCallbackModeExit
Dialog.java, there is a possible
exit of emergency callback
mode due to a
tapjacking/overlay attack. https://sour
Improper
This could lead to local ce.android.co
Restriction O-GOO-
escalation of privilege with m/security/
of Rendered 22-Jun-21 4.4 ANDR-
User execution privileges bulletin/pixe
UI Layers or 020721/420
needed. User interaction is l/2021-06-
Frames
needed for 01
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-178821491
CVE ID : CVE-2021-0538

Incorrect 22-Jun-21 4.6 In archiveStoredConversation https://sour O-GOO-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 164 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Permission of MmsService.java, there is a ce.android.co ANDR-
Assignment possible way to archive m/security/ 020721/421
for Critical message conversation bulletin/pixe
Resource without user consent due to a l/2021-06-
missing permission check. 01
This could lead to local
escalation of privilege with
no additional execution
privileges needed. User
interaction is not needed for
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-180419673
CVE ID : CVE-2021-0539
In halWrapperDataCallback
of hal_wrapper.cc, there is a
possible out of bounds write
due to a missing bounds
check. This could lead to local https://sour
escalation of privilege with ce.android.co
Out-of- O-GOO-
System execution privileges m/security/
bounds 22-Jun-21 4.6 ANDR-
needed. User interaction is bulletin/pixe
Write 020721/422
not needed for l/2021-06-
exploitation.Product: 01
AndroidVersions: Android-
11Android ID: A-169328517
CVE ID : CVE-2021-0540
In
phNxpNciHal_ext_process_nfc
_init_rsp of
phNxpNciHal_ext.cc, there is a https://sour
possible out of bounds read ce.android.co
due to a missing bounds O-GOO-
Out-of- m/security/
22-Jun-21 2.1 check. This could lead to local ANDR-
bounds Read bulletin/pixe
information disclosure in the 020721/423
l/2021-06-
NFC server with System 01
execution privileges needed.
User interaction is not
needed for
exploitation.Product:
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 165 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
AndroidVersions: Android-
11Android ID: A-169258455
CVE ID : CVE-2021-0541
In updateNotification of
BeamTransferManager.java,
there is a missing permission
check. This could lead to local
information disclosure of https://sour
Improper paired Bluetooth addresses ce.android.co
O-GOO-
Preservation with no additional execution m/security/
22-Jun-21 2.1 ANDR-
of privileges needed. User bulletin/pixe
020721/424
Permissions interaction is needed for l/2021-06-
exploitation.Product: 01
AndroidVersions: Android-
11Android ID: A-168712890
CVE ID : CVE-2021-0542
In
phNxpNciHal_process_ext_rsp
of phNxpNciHal_ext.cc, there
is a possible out of bounds
write due to an integer https://sour
overflow. This could lead to ce.android.co
Out-of- local escalation of privilege O-GOO-
m/security/
bounds 22-Jun-21 4.6 with System execution ANDR-
bulletin/pixe
Write privileges needed. User 020721/425
l/2021-06-
interaction is not needed for 01
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-169258743
CVE ID : CVE-2021-0543
In
phNxpNciHal_print_res_statu https://sour
s of phNxpNciHal.cc, there is ce.android.co
Out-of- a possible out of bounds O-GOO-
m/security/
bounds 22-Jun-21 4.6 write due to a missing ANDR-
bulletin/pixe
Write bounds check. This could lead 020721/426
l/2021-06-
to local escalation of privilege 01
with System execution
privileges needed. User

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 166 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
interaction is not needed for
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-169257710
CVE ID : CVE-2021-0544
In
phNxpNciHal_print_res_statu
s of phNxpNciHal.cc, there is
a possible out of bounds
write due to a missing
bounds check. This could lead https://sour
to local escalation of privilege ce.android.co
Out-of- O-GOO-
in the NFC server with m/security/
bounds 22-Jun-21 4.6 ANDR-
System execution privileges bulletin/pixe
Write 020721/427
needed. User interaction is l/2021-06-
not needed for 01
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-169258884
CVE ID : CVE-2021-0545
In
phNxpNciHal_print_res_statu
s of phNxpNciHal.cc, there is
a possible out of bounds
write due to a missing https://sour
bounds check. This could lead ce.android.co
Out-of- to local escalation of privilege O-GOO-
m/security/
bounds 22-Jun-21 4.6 with System execution ANDR-
bulletin/pixe
Write privileges needed. User 020721/428
l/2021-06-
interaction is not needed for 01
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-169258733
CVE ID : CVE-2021-0546
In onReceive of https://sour
Missing NetInitiatedActivity.java, ce.android.co O-GOO-
Authorizatio 22-Jun-21 4.6 there is a possible way to m/security/ ANDR-
n supply an attacker-controlled bulletin/pixe 020721/429
value to a GPS HAL handler l/2021-06-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 167 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
due to a missing permission 01
check. This could lead to local
escalation of privilege that
may result in undefined
behavior in some HAL
implementations with no
additional execution
privileges needed. User
interaction is not needed for
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-174151048
CVE ID : CVE-2021-0547
In rw_i93_send_to_lower of
rw_i93.cc, there is a possible
out of bounds write due to a
missing bounds check. This
could lead to local escalation https://sour
of privilege with no ce.android.co
Out-of- O-GOO-
additional execution m/security/
bounds 22-Jun-21 4.6 ANDR-
privileges needed. User bulletin/pixe
Write 020721/430
interaction is not needed for l/2021-06-
exploitation.Product: 01
AndroidVersions: Android-
11Android ID: A-157650357
CVE ID : CVE-2021-0548
In sspRequestCallback of
BondStateMachine.java, there
is a possible leak of Bluetooth
MAC addresses due to log
https://sour
information disclosure. This
Insertion of ce.android.co
could lead to local O-GOO-
Sensitive m/security/
22-Jun-21 2.1 information disclosure with ANDR-
Information bulletin/pixe
System execution privileges 020721/431
into Log File l/2021-06-
needed. User interaction is
01
not needed for
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-183961896

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 168 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
CVE ID : CVE-2021-0549
In onLoadFailed of
AnnotateActivity.java, there
is a possible way to gain
WRITE_EXTERNAL_STORAGE
permissions without user
Externally consent due to a confused https://sour
Controlled deputy. This could lead to ce.android.co
O-GOO-
Reference to local escalation of privilege m/security/
22-Jun-21 4.6 ANDR-
a Resource in with no additional execution bulletin/pixe
020721/432
Another privileges needed. User l/2021-06-
Sphere interaction is not needed for 01
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-179688673
CVE ID : CVE-2021-0550
In bind of
MediaControlPanel.java,
there is a possible way to lock
up the system UI using a
malicious media file due to
improper input validation. https://sour
This could lead to remote ce.android.co
Improper O-GOO-
denial of service with no m/security/
Input 22-Jun-21 4.3 ANDR-
additional execution bulletin/pixe
Validation 020721/433
privileges needed. User l/2021-06-
interaction is needed for 01
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-180518039
CVE ID : CVE-2021-0551
In getEndItemSliceAction of
MediaOutputSlice.java, there https://sour
Exposure of is a possible permission ce.android.co
O-GOO-
Resource to bypass due to an unsafe m/security/
22-Jun-21 2.1 ANDR-
Wrong PendingIntent. This could bulletin/pixe
020721/434
Sphere lead to local information l/2021-06-
disclosure with User 01
execution privileges needed.

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 169 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
User interaction is not
needed for
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-175124820
CVE ID : CVE-2021-0552
In onBindViewHolder of
AppSwitchPreference.java,
there is a possible bypass of
device admin setttings due to
unclear UI. This could lead to https://sour
local escalation of privilege ce.android.co
Improper O-GOO-
with User execution m/security/
Privilege 22-Jun-21 4.4 ANDR-
privileges needed. User bulletin/pixe
Management 020721/435
interaction is needed for l/2021-06-
exploitation.Product: 01
AndroidVersions: Android-
11Android ID: A-169936038
CVE ID : CVE-2021-0553
In isBackupServiceActive of
BackupManagerService.java,
there is a missing permission
check. This could lead to local https://sour
information disclosure with ce.android.co
Missing no additional execution O-GOO-
m/security/
Authorizatio 22-Jun-21 2.1 privileges needed. User ANDR-
bulletin/pixe
n interaction is not needed for 020721/436
l/2021-06-
exploitation.Product: 01
AndroidVersions: Android-
11Android ID: A-158482162
CVE ID : CVE-2021-0554
In RenderStruct of
protostream_objectsource.cc, https://sour
there is a possible crash due ce.android.co
NULL O-GOO-
to a missing null check. This m/security/
Pointer 22-Jun-21 5 ANDR-
could lead to remote denial of bulletin/pixe
Dereference 020721/437
service with no additional l/2021-06-
execution privileges needed. 01
User interaction is not

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 170 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
needed for
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-179161711
CVE ID : CVE-2021-0555
In getBlockSum of
fastcodemb.cpp, there is a
possible out of bounds read
due to a heap buffer overflow.
This could lead to local https://sour
information disclosure with ce.android.co
O-GOO-
Out-of- no additional execution m/security/
22-Jun-21 2.1 ANDR-
bounds Read privileges needed. User bulletin/pixe
020721/438
interaction is not needed for l/2021-06-
exploitation.Product: 01
AndroidVersions: Android-
11Android ID: A-172716941
CVE ID : CVE-2021-0556
In setRange of ABuffer.cpp,
there is a possible out of
bounds write due to an
integer overflow. This could https://sour
lead to remote code ce.android.co
Out-of- execution with no additional O-GOO-
m/security/
bounds 22-Jun-21 6.8 execution privileges needed. ANDR-
bulletin/pixe
Write User interaction is needed for 020721/439
l/2021-06-
exploitation.Product: 01
AndroidVersions: Android-
11Android ID: A-179046129
CVE ID : CVE-2021-0557
In fillMainDataBuf of
pvmp3_framedecoder.cpp, https://sour
there is a possible out of ce.android.co
bounds read due to a heap O-GOO-
Out-of- m/security/
22-Jun-21 4.3 buffer overflow. This could ANDR-
bounds Read bulletin/pixe
lead to remote information 020721/440
l/2021-06-
disclosure with no additional 01
execution privileges needed.
User interaction is needed for

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 171 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-173473906
CVE ID : CVE-2021-0558
In Lag_max of p_ol_wgh.cpp,
there is a possible out of
bounds read due to a missing
bounds check. This could lead https://sour
to remote information ce.android.co
disclosure with no additional O-GOO-
Out-of- m/security/
22-Jun-21 4.3 execution privileges needed. ANDR-
bounds Read bulletin/pixe
User interaction is needed for 020721/441
l/2021-06-
exploitation.Product: 01
AndroidVersions: Android-
11Android ID: A-172312730
CVE ID : CVE-2021-0559
In
append_to_verify_fifo_interlea
ved_ of stream_encoder.c,
there is a possible out of
bounds write due to a
missing bounds check. This https://sour
could lead to local ce.android.co
Out-of- O-GOO-
information disclosure with m/security/
bounds 22-Jun-21 2.1 ANDR-
no additional execution bulletin/pixe
Write 020721/442
privileges needed. User l/2021-06-
interaction is not needed for 01
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-174302683
CVE ID : CVE-2021-0561
In RasterIntraUpdate of
motion_est.cpp, there is a https://sour
possible out of bounds read ce.android.co
O-GOO-
Out-of- due to an incorrect bounds m/security/
22-Jun-21 2.1 ANDR-
bounds Read check. This could lead to local bulletin/pixe
020721/443
information disclosure with l/2021-06-
no additional execution 01
privileges needed. User

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 172 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
interaction is not needed for
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-176084648
CVE ID : CVE-2021-0562
In
ih264e_fmt_conv_422i_to_42
0sp of ih264e_fmt_conv.c,
there is a possible out of
bounds read due to a heap
buffer overflow. This could https://sour
lead to local information ce.android.co
O-GOO-
Out-of- disclosure with no additional m/security/
22-Jun-21 2.1 ANDR-
bounds Read execution privileges needed. bulletin/pixe
020721/444
User interaction is not l/2021-06-
needed for 01
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-172908358
CVE ID : CVE-2021-0563
In decrypt of
CryptoPlugin.cpp, there is a
Concurrent possible use-after-free due to
Execution a race condition. This could
lead to local escalation of https://sour
using Shared
privilege with System ce.android.co
Resource O-GOO-
execution privileges needed. m/security/
with 22-Jun-21 4.4 ANDR-
User interaction is not bulletin/pixe
Improper 020721/445
needed for l/2021-06-
Synchronizat
exploitation.Product: 01
ion ('Race
Condition') AndroidVersions: Android-
11Android ID: A-176495665
CVE ID : CVE-2021-0564

Concurrent In wrapUserThread of https://sour

Execution AudioStream.cpp, there is a ce.android.co
O-GOO-
using Shared possible use after free due to m/security/
22-Jun-21 4.4 ANDR-
Resource a race condition. This could bulletin/pixe
020721/446
with lead to local escalation of l/2021-06-
Improper privilege with no additional 01

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 173 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Synchronizat execution privileges needed.
ion ('Race User interaction is not
Condition') needed for
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-174801970
CVE ID : CVE-2021-0565
In accessAudioHalPidscpp of
TimeCheck.cpp, there is a
possible out of bounds read
due to a missing bounds
check. This could lead to local https://sour
information disclosure with ce.android.co
O-GOO-
Out-of- System execution privileges m/security/
22-Jun-21 2.1 ANDR-
bounds Read needed. User interaction is bulletin/pixe
020721/447
not needed for l/2021-06-
exploitation.Product: 01
AndroidVersions: Android-
11Android ID: A-175894436
CVE ID : CVE-2021-0566
In isRestricted of
RemoteViews.java, there is a
Improper possible way to inject font
Neutralizatio files due to a permissions
bypass. This could lead to https://sour
n of Special
local escalation of privilege ce.android.co
Elements in O-GOO-
with no additional execution m/security/
Output Used 22-Jun-21 4.6 ANDR-
privileges needed. User bulletin/pixe
by a 020721/448
interaction is not needed for l/2021-06-
Downstream
exploitation.Product: 01
Component
('Injection') AndroidVersions: Android-
11Android ID: A-179461812
CVE ID : CVE-2021-0567

In onReceive of https://sour
DevicePolicyManagerService.j ce.android.co
Missing O-GOO-
ava, there is a possible m/security/
Authorizatio 22-Jun-21 4.6 ANDR-
enabling of disabled profiles bulletin/pixe
n 020721/449
due to a missing permission l/2021-06-
check. This could lead to local 01

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 174 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
escalation of privilege with
no additional execution
privileges needed. User
interaction is not needed for
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-170121238
CVE ID : CVE-2021-0568
In onStart of
ContactsDumpActivity.java,
there is possible access to
contacts due to a
tapjacking/overlay attack. https://sour
Improper This could lead to local ce.android.co
Restriction information disclosure with O-GOO-
m/security/
of Rendered 22-Jun-21 1.9 User execution privileges ANDR-
bulletin/pixe
UI Layers or needed. User interaction is 020721/450
l/2021-06-
Frames needed for 01
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-174045870
CVE ID : CVE-2021-0569
In sendBugreportNotification
of
BugreportProgressService.jav
a, there is a possible
permission bypass due to an
unsafe PendingIntent. This https://sour
could lead to local escalation ce.android.co
Improper O-GOO-
of privilege with User m/security/
Authenticati 22-Jun-21 4.6 ANDR-
execution privileges needed. bulletin/pixe
on 020721/451
User interaction is not l/2021-06-
needed for 01
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-178803845
CVE ID : CVE-2021-0570
Improper 22-Jun-21 4.6 In https://sour O-GOO-
Authenticati ActivityTaskManagerService. ce.android.co ANDR-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 175 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
on startActivity() and m/security/ 020721/452
AppTaskImpl.startActivity() bulletin/pixe
of l/2021-06-
ActivityTaskManagerService.j 01
ava and AppTaskImpl.java,
there is possible access to
restricted activities due to a
permissions bypass. This
could lead to local escalation
of privilege with no
additional execution
privileges needed. User
interaction is not needed for
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-137395936
CVE ID : CVE-2021-0571
In doNotification of
AccountManagerService.java,
there is a possible permission
bypass due to an unsafe
PendingIntent. This could https://sour
lead to local information ce.android.co
Improper disclosure with User O-GOO-
m/security/
Authenticati 22-Jun-21 2.1 execution privileges needed. ANDR-
bulletin/pixe
on User interaction is not 020721/453
l/2021-06-
needed for 01
exploitation.Product:
AndroidVersions: Android-
11Android ID: A-177931355
CVE ID : CVE-2021-0572
In pfkey_dump of af_key.c,
there is a possible out-of- https://sour
bounds read due to a missing ce.android.co
bounds check. This could lead O-GOO-
Out-of- m/security/
22-Jun-21 4.9 to local information ANDR-
bounds Read bulletin/pixe
disclosure in the kernel with 020721/454
l/2021-06-
System execution privileges 01
needed. User interaction is
not needed for
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 176 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
exploitation.Product:
AndroidVersions: Android
kernelAndroid ID: A-
110373476
CVE ID : CVE-2021-0605
In drm_syncobj_handle_to_fd
of drm_syncobj.c, there is a
possible use after free due to
incorrect refcounting. This
could lead to local escalation https://sour
of privilege with System ce.android.co
execution privileges needed. O-GOO-
Use After m/security/
22-Jun-21 4.6 User interaction is not ANDR-
Free bulletin/pixe
needed for 020721/455
l/2021-06-
exploitation.Product: 01
AndroidVersions: Android
kernelAndroid ID: A-
168034487
CVE ID : CVE-2021-0606
In iaxxx_calc_i2s_div of iaxxx-
codec.c, there is a possible
hardware port write with
user controlled data due to a
Improper missing bounds check. This
Restriction could lead to local escalation https://sour
of of privilege with no ce.android.co
O-GOO-
Operations additional execution m/security/
22-Jun-21 4.6 ANDR-
within the privileges needed. User bulletin/pixe
020721/456
Bounds of a interaction is not needed for l/2021-06-
Memory exploitation.Product: 01
Buffer AndroidVersions: Android
kernelAndroid ID: A-
180950209
CVE ID : CVE-2021-0607
Externally In handleAppLaunch of https://sour
Controlled AppLaunchActivity.java, ce.android.co O-GOO-
Reference to 22-Jun-21 4.6 there is a possible arbitrary m/security/ ANDR-
a Resource in activity launch due to a bulletin/pixe 020721/457
Another confused deputy. This could l/2021-06-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 177 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Sphere lead to local escalation of 01
privilege with no additional
execution privileges needed.
User interaction is not
needed for
exploitation.Product:
AndroidVersions: Android
kernelAndroid ID: A-
174870704
CVE ID : CVE-2021-0608
HP
hp-ux

Db2 for Linux, UNIX and https://ww

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 178 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
V200R002B333D01SP00C00.
CVE ID : CVE-2021-22382
e8372_firmware
Huawei LTE USB Dongle
products have an improper
permission assignment
vulnerability. An attacker can https://ww
locally access and log in to a w.huawei.co
PC to induce a user to install a m/en/psirt/
Improper specially crafted application. security-
After successfully exploiting O-HUA-
Preservation advisories/h
22-Jun-21 4.4 this vulnerability, the E837-
of uawei-sa-
attacker can perform 020721/460
Permissions 20210602-
unauthenticated operations. 01-
Affected product versions permission-
include:E3372 E3372h- en
153TCPU-
V200R002B333D01SP00C00.
CVE ID : CVE-2021-22382
ecns280_firmware
There is an improper
authorization vulnerability in
eCNS280 V100R005C00,
V100R005C10 and eSE620X https://ww
vESS V100R001C10SPC200, w.huawei.co
V100R001C20SPC200. A file m/en/psirt/
Incorrect access is not authorized O-HUA-
security-
Authorizatio 22-Jun-21 4.6 correctly. Attacker with low ECNS-
advisories/h
n access may launch privilege 020721/461
uawei-sa-
escalation in a specific 20210519-
scenario. This may 02-cgp-en
compromise the normal
service.
CVE ID : CVE-2021-22361
ecns280_td_firmware

Allocation of There is a resource https://ww O-HUA-

Resources 22-Jun-21 5 management error w.huawei.co ECNS-
Without vulnerability in eCNS280_TD m/en/psirt/ 020721/462

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 179 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Limits or V100R005C10SPC650. An security-
Throttling attacker needs to perform advisories/h
specific operations to exploit uawei-sa-
the vulnerability on the 20210609-
affected device. Due to 01-resource-
improper resource en
management of the function,
the vulnerability can be
exploited to cause service
abnormal on affected devices.
CVE ID : CVE-2021-22363
There is a race condition
vulnerability in eCNS280_TD
Concurrent V100R005C00 and https://ww
Execution V100R005C10. There is a w.huawei.co
using Shared timing window exists in m/en/psirt/
Resource which the database can be O-HUA-
security-
with 22-Jun-21 3.5 operated by another thread ECNS-
advisories/h
Improper that is operating 020721/463
uawei-sa-
Synchronizat concurrently. Successful 20210602-
ion ('Race exploit may cause the 01-cgp-en
Condition') affected device abnormal.
CVE ID : CVE-2021-22378
There is an out-of-bounds
read vulnerability in
eCNS280_TD V100R005C10
and eSE620X vESS
V100R001C10SPC200, https://ww
V100R001C20SPC200, w.huawei.co
V200R001C00SPC300. The m/en/psirt/
O-HUA-
Out-of- vulnerability is due to a security-
22-Jun-21 6.8 ECNS-
bounds Read message-handling function advisories/h
020721/464
that contains an out-of- uawei-sa-
bounds read vulnerability. An 20210616-
attacker can exploit this 01-cgp-en
vulnerability by sending a
specific message to the target
device, which could cause a
Denial of Service (DoS).

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 180 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
CVE ID : CVE-2021-22383
ese620x_vess_firmware
There is an improper
authorization vulnerability in
eCNS280 V100R005C00,
V100R005C10 and eSE620X https://ww
vESS V100R001C10SPC200, w.huawei.co
V100R001C20SPC200. A file m/en/psirt/
Incorrect access is not authorized O-HUA-
security-
Authorizatio 22-Jun-21 4.6 correctly. Attacker with low ESE6-
advisories/h
n access may launch privilege 020721/465
uawei-sa-
escalation in a specific 20210519-
scenario. This may 02-cgp-en
compromise the normal
service.
CVE ID : CVE-2021-22361
There is an out of bounds
read vulnerability in eSE620X
vESS V100R001C10SPC200, https://ww
V100R001C20SPC200, w.huawei.co
V200R001C00SPC300. A local m/en/psirt/
attacker can exploit this security-
vulnerability by sending O-HUA-
Out-of- advisories/h
22-Jun-21 2.1 specific message to the target ESE6-
bounds Read uawei-sa-
device. Due to insufficient 020721/466
20210526-
validation of internal 02-
message, successful exploit outbounds-
may cause the process and en
the service abnormal.
CVE ID : CVE-2021-22365
There is an out-of-bounds https://ww
read vulnerability in eSE620X w.huawei.co
vESS V100R001C10SPC200, m/en/psirt/
V100R001C20SPC200, O-HUA-
Out-of- security-
22-Jun-21 4.9 V200R001C00SPC300. The ESE6-
bounds Read advisories/h
vulnerability is due to a 020721/467
uawei-sa-
function that handles an 20210526-
internal message contains an 03-dos-en
out-of-bounds read

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 181 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
vulnerability. An attacker
could crafted messages
between system process,
successful exploit could cause
Denial of Service (DoS).
CVE ID : CVE-2021-22366
There is an out-of-bounds
read vulnerability in
eCNS280_TD V100R005C10
and eSE620X vESS
V100R001C10SPC200,
V100R001C20SPC200, https://ww
V200R001C00SPC300. The w.huawei.co
vulnerability is due to a m/en/psirt/
O-HUA-
Out-of- message-handling function security-
22-Jun-21 6.8 ESE6-
bounds Read that contains an out-of- advisories/h
020721/468
bounds read vulnerability. An uawei-sa-
attacker can exploit this 20210616-
vulnerability by sending a 01-cgp-en
specific message to the target
device, which could cause a
Denial of Service (DoS).
CVE ID : CVE-2021-22383
ips_module_firmware
There is an information leak
vulnerability in Huawei
products. A module does not https://ww
deal with specific input w.huawei.co
sufficiently. High privilege m/en/psirt/
attackers can exploit this security-
Improper vulnerability by performing advisories/h O-HUA-IPS_-
Input 22-Jun-21 4 some operations. This can uawei-sa- 020721/469
Validation lead to information leak. 20210428-
Affected product versions 01-
include: IPS Module versions infomationle
V500R005C00, ak-en
V500R005C10,
V500R005C20; NGFW
Module versions

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 182 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
V500R005C00,V500R005C10
, V500R005C20; SeMG9811
versions V500R005C00;
USG9500 versions
V500R001C00,
V500R001C20,
V500R001C30,
V500R001C50,
V500R001C60,
V500R001C80,
V500R005C00,
V500R005C10,
V500R005C20.
CVE ID : CVE-2021-22342
ngfw_module_firmware
There is an information leak
vulnerability in Huawei
products. A module does not
deal with specific input
sufficiently. High privilege
attackers can exploit this
vulnerability by performing
some operations. This can https://ww
lead to information leak. w.huawei.co
Affected product versions m/en/psirt/
include: IPS Module versions security-
Improper V500R005C00, O-HUA-
advisories/h
Input 22-Jun-21 4 V500R005C10, NGFW-
uawei-sa-
Validation V500R005C20; NGFW 020721/470
20210428-
Module versions 01-
V500R005C00,V500R005C10 infomationle
, V500R005C20; SeMG9811 ak-en
versions V500R005C00;
USG9500 versions
V500R001C00,
V500R001C20,
V500R001C30,
V500R001C50,
V500R001C60,
V500R001C80,

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 183 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
V500R005C00,
V500R005C10,
V500R005C20.
CVE ID : CVE-2021-22342
s12700_firmware
There is a command injection
vulnerability in S12700
V200R019C00SPC500, S2700
V200R019C00SPC500, S5700
V200R019C00SPC500, S6700 https://ww
V200R019C00SPC500 and w.huawei.co
S7700 V200R019C00SPC500. m/en/psirt/
Improper
A module does not verify security- O-HUA-S127-
Input 22-Jun-21 6.5
specific input sufficiently. advisories/h 020721/471
Validation
Attackers can exploit this uawei-sa-
vulnerability by sending 20210602-
malicious parameters to 01-cmdinj-en
inject command. This can
compromise normal service.
CVE ID : CVE-2021-22377
s2700_firmware
There is a command injection
vulnerability in S12700
V200R019C00SPC500, S2700
V200R019C00SPC500, S5700
V200R019C00SPC500, S6700 https://ww
V200R019C00SPC500 and w.huawei.co
S7700 V200R019C00SPC500. m/en/psirt/
Improper
A module does not verify security- O-HUA-S270-
Input 22-Jun-21 6.5
specific input sufficiently. advisories/h 020721/472
Validation
Attackers can exploit this uawei-sa-
vulnerability by sending 20210602-
malicious parameters to 01-cmdinj-en
inject command. This can
compromise normal service.
CVE ID : CVE-2021-22377
s5700_firmware

Improper 22-Jun-21 6.5 There is a command injection https://ww O-HUA-S570-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 184 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Input vulnerability in S12700 w.huawei.co 020721/473
Validation V200R019C00SPC500, S2700 m/en/psirt/
V200R019C00SPC500, S5700 security-
V200R019C00SPC500, S6700 advisories/h
V200R019C00SPC500 and uawei-sa-
S7700 V200R019C00SPC500. 20210602-
A module does not verify 01-cmdinj-en
specific input sufficiently.
Attackers can exploit this
vulnerability by sending
malicious parameters to
inject command. This can
compromise normal service.
CVE ID : CVE-2021-22377
s6700_firmware
There is a command injection
vulnerability in S12700
V200R019C00SPC500, S2700
V200R019C00SPC500, S5700
V200R019C00SPC500, S6700 https://ww
V200R019C00SPC500 and w.huawei.co
S7700 V200R019C00SPC500. m/en/psirt/
Improper
A module does not verify security- O-HUA-S670-
Input 22-Jun-21 6.5
specific input sufficiently. advisories/h 020721/474
Validation
Attackers can exploit this uawei-sa-
vulnerability by sending 20210602-
malicious parameters to 01-cmdinj-en
inject command. This can
compromise normal service.
CVE ID : CVE-2021-22377
s7700_firmware

There is a command injection https://ww

vulnerability in S12700 w.huawei.co
V200R019C00SPC500, S2700 m/en/psirt/
Improper
V200R019C00SPC500, S5700 security- O-HUA-S770-
Input 22-Jun-21 6.5
V200R019C00SPC500, S6700 advisories/h 020721/475
Validation
V200R019C00SPC500 and uawei-sa-
S7700 V200R019C00SPC500. 20210602-
A module does not verify 01-cmdinj-en

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 185 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
specific input sufficiently.
Attackers can exploit this
vulnerability by sending
malicious parameters to
inject command. This can
compromise normal service.
CVE ID : CVE-2021-22377
semg9811_firmware
There is an information leak
vulnerability in Huawei
products. A module does not
deal with specific input
sufficiently. High privilege
attackers can exploit this
vulnerability by performing
some operations. This can
lead to information leak.
Affected product versions
include: IPS Module versions https://ww
V500R005C00, w.huawei.co
V500R005C10, m/en/psirt/
V500R005C20; NGFW security-
Improper O-HUA-
Module versions advisories/h
Input 22-Jun-21 4 SEMG-
V500R005C00,V500R005C10 uawei-sa-
Validation 020721/476
, V500R005C20; SeMG9811 20210428-
versions V500R005C00; 01-
USG9500 versions infomationle
V500R001C00, ak-en
V500R001C20,
V500R001C30,
V500R001C50,
V500R001C60,
V500R001C80,
V500R005C00,
V500R005C10,
V500R005C20.
CVE ID : CVE-2021-22342
usg9500_firmware

Improper 22-Jun-21 4 There is an information leak https://ww O-HUA-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 186 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Input vulnerability in Huawei w.huawei.co USG9-
Validation products. A module does not m/en/psirt/ 020721/477
deal with specific input security-
sufficiently. High privilege advisories/h
attackers can exploit this uawei-sa-
vulnerability by performing 20210428-
some operations. This can 01-
lead to information leak. infomationle
Affected product versions ak-en
include: IPS Module versions
V500R005C00,
V500R005C10,
V500R005C20; NGFW
Module versions
V500R005C00,V500R005C10
, V500R005C20; SeMG9811
versions V500R005C00;
USG9500 versions
V500R001C00,
V500R001C20,
V500R001C30,
V500R001C50,
V500R001C60,
V500R001C80,
V500R005C00,
V500R005C10,
V500R005C20.
CVE ID : CVE-2021-22342
IBM
aix
IBM Security Identity https://exch
Manager 6.0.2 is vulnerable ange.xforce.i
to server-side request forgery bmcloud.com
Server-Side
(SSRF). By sending a specially /vulnerabiliti O-IBM-AIX-
Request
16-Jun-21 4 crafted request, a remote es/197591,
Forgery 020721/478
authenticated attacker could https://ww
(SSRF)
exploit this vulnerability to w.ibm.com/s
obtain sensitive data. IBM X- upport/page
Force ID: 197591. s/node/6464

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 187 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
CVE ID : CVE-2021-20483 081
IBM Security Identity
Manager 6.0.2 could allow an https://exch
authenticated malicious user ange.xforce.i
to change the passwords of bmcloud.com
Exposure of other users in the Windows /vulnerabiliti
Resource to AD environment when IBM es/197789, O-IBM-AIX-
16-Jun-21 3.5 Security Identity Manager
Wrong https://ww 020721/479
Sphere Windows Password Synch w.ibm.com/s
Plug-in is deployed and upport/page
configured. IBM X-Force ID: s/node/6464
197789. 081
CVE ID : CVE-2021-20488
Db2 for Linux, UNIX and https://exch
Improper Windows (includes Db2 ange.xforce.i
Neutralizatio Connect Server) 11.1.4 and bmcloud.com
n of Special 11.5.5 is vulnerable to a /vulnerabiliti
Elements in denial of service as the server es/200658, O-IBM-AIX-
Output Used 16-Jun-21 5 terminates abnormally when https://ww 020721/480
by a executing a specially crafted w.ibm.com/s
Downstream SELECT statement. IBM X- upport/page
Component Force ID: 200658. s/node/6463
('Injection')
CVE ID : CVE-2021-29702 985

Db2 for Linux, UNIX and https://ww

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 188 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
X-Force ID: 200663. w.ibm.com/s
CVE ID : CVE-2021-29706 upport/page
s/node/6464
369
Linux
linux_kernel
IBM Security Identity https://exch
Manager 6.0.2 is vulnerable ange.xforce.i
to server-side request forgery bmcloud.com
Server-Side (SSRF). By sending a specially /vulnerabiliti
Request crafted request, a remote es/197591, O-LIN-LINU-
16-Jun-21 4 authenticated attacker could
Forgery https://ww 020721/483
(SSRF) exploit this vulnerability to w.ibm.com/s
obtain sensitive data. IBM X- upport/page
Force ID: 197591. s/node/6464
CVE ID : CVE-2021-20483 081

IBM Security Identity

Manager 6.0.2 could allow an https://exch
authenticated malicious user ange.xforce.i
to change the passwords of bmcloud.com
Exposure of other users in the Windows /vulnerabiliti
Resource to AD environment when IBM es/197789, O-LIN-LINU-
16-Jun-21 3.5 Security Identity Manager
Wrong https://ww 020721/484
Sphere Windows Password Synch w.ibm.com/s
Plug-in is deployed and upport/page
configured. IBM X-Force ID: s/node/6464
197789. 081
CVE ID : CVE-2021-20488
Db2 for Linux, UNIX and https://exch
Improper Windows (includes Db2 ange.xforce.i
Neutralizatio Connect Server) 11.1.4 and bmcloud.com
n of Special 11.5.5 is vulnerable to a /vulnerabiliti
Elements in denial of service as the server es/200658, O-LIN-LINU-
Output Used 16-Jun-21 5 terminates abnormally when https://ww 020721/485
by a executing a specially crafted w.ibm.com/s
Downstream SELECT statement. IBM X- upport/page
Component Force ID: 200658. s/node/6463
('Injection')
CVE ID : CVE-2021-29702 985

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 189 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID

Db2 for Linux, UNIX and https://ww

Improper Windows (includes Db2 w.ibm.com/s
Neutralizatio Connect Server) is vulnerable upport/page
n of Special to a denial of service as the s/node/6466
Elements server terminates abnormally 371, O-LIN-LINU-
24-Jun-21 5
used in a when executing a specially https://exch 020721/486
Command crafted SELECT statement. ange.xforce.i
('Command IBM X-Force ID: 200659. bmcloud.com
Injection') /vulnerabiliti
CVE ID : CVE-2021-29703 es/200659
https://git.k
ernel.org/cgi
t/linux/kern
An Out-of-Bounds Read was el/git/torval
discovered in ds/linux.git/
arch/arm/mach- commit/?id=
footbridge/personal-pci.c in 298a58e165
the Linux kernel through e447ccfaae3
Out-of- 5.12.11 because of the lack of 5fe9f651f9d O-LIN-LINU-
17-Jun-21 6.6 a check for a value that
bounds Read 7e15166f, 020721/487
shouldn't be negative, e.g., https://githu
access to element -2 of an b.com/torval
array, aka CID- ds/linux/co
298a58e165e4. mmit/298a5
CVE ID : CVE-2021-32078 8e165e447cc
faae35fe9f65
1f9d7e1516
6f
Microsoft
windows
IBM Security Identity https://exch
Manager 6.0.2 is vulnerable ange.xforce.i
to server-side request forgery bmcloud.com
Server-Side
(SSRF). By sending a specially /vulnerabiliti O-MIC-
Request
16-Jun-21 4 crafted request, a remote es/197591, WIND-
Forgery
authenticated attacker could https://ww 020721/488
(SSRF)
exploit this vulnerability to w.ibm.com/s
obtain sensitive data. IBM X- upport/page
Force ID: 197591. s/node/6464

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 190 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
CVE ID : CVE-2021-20483 081
IBM Security Identity
Manager 6.0.2 could allow an https://exch
authenticated malicious user ange.xforce.i
to change the passwords of bmcloud.com
Exposure of other users in the Windows /vulnerabiliti
AD environment when IBM O-MIC-
Resource to es/197789,
16-Jun-21 3.5 Security Identity Manager WIND-
Wrong https://ww
Windows Password Synch 020721/489
Sphere w.ibm.com/s
Plug-in is deployed and upport/page
configured. IBM X-Force ID: s/node/6464
197789. 081
CVE ID : CVE-2021-20488
VMware Tools for Windows
(11.x.y prior to 11.3.0)
contains a denial-of-service
vulnerability in the VM3DMP
driver. A malicious actor with https://ww
local user privileges in the w.vmware.co
Windows guest operating O-MIC-
m/security/a
N/A 18-Jun-21 4.9 system, where VMware Tools WIND-
dvisories/V
is installed, can trigger a 020721/490
MSA-2021-
PANIC in the VM3DMP driver 0011.html
leading to a denial-of-service
condition in the Windows
guest operating system.
CVE ID : CVE-2021-21997
Db2 for Linux, UNIX and https://exch
Improper Windows (includes Db2 ange.xforce.i
Neutralizatio Connect Server) 11.1.4 and bmcloud.com
n of Special 11.5.5 is vulnerable to a /vulnerabiliti
Elements in denial of service as the server O-MIC-
es/200658,
Output Used 16-Jun-21 5 terminates abnormally when WIND-
https://ww
by a executing a specially crafted 020721/491
w.ibm.com/s
Downstream SELECT statement. IBM X- upport/page
Component Force ID: 200658. s/node/6463
('Injection')
CVE ID : CVE-2021-29702 985

Improper 24-Jun-21 5 Db2 for Linux, UNIX and https://ww O-MIC-

Neutralizatio Windows (includes Db2 w.ibm.com/s WIND-
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 191 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
n of Special Connect Server) is vulnerable upport/page 020721/492
Elements to a denial of service as the s/node/6466
used in a server terminates abnormally 371,
Command when executing a specially https://exch
('Command crafted SELECT statement. ange.xforce.i
Injection') IBM X-Force ID: 200659. bmcloud.com
CVE ID : CVE-2021-29703 /vulnerabiliti
es/200659
When drawing text onto a https://bugz
canvas with WebRender illa.mozilla.o
disabled, an out of bounds rg/show_bug
read could occur. *This bug .cgi?id=1712
only affects Firefox on O-MIC-
Out-of- 047,
24-Jun-21 5.8 Windows. Other operating WIND-
bounds Read https://ww
systems are unaffected.*. This 020721/493
w.mozilla.org
vulnerability affects Firefox < /security/ad
89.0.1. visories/mfs
CVE ID : CVE-2021-29968 a2021-27/

This vulnerability allows

remote attackers to execute
arbitrary code on affected
installations of Foxit
PhantomPDF 10.1.3.37598.
User interaction is required
to exploit this vulnerability in
that the target must visit a
Access of malicious page or open a https://ww
Resource malicious file. The specific w.foxit.com/
flaw exists within the O-MIC-
Using support/sec
16-Jun-21 6.8 handling of XFA templates. WIND-
Incompatible urity-
The issue results from the 020721/494
Type ('Type bulletins.htm
Confusion') lack of proper validation of l
user-supplied data, which can
result in a type confusion
condition. An attacker can
leverage this vulnerability to
execute code in the context of
the current process. Was ZDI-
CAN-13531.
CVE ID : CVE-2021-31476
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 192 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
PHPMailer before 6.5.0 on https://githu
Unrestricted Windows allows remote code b.com/PHPM
Upload of execution if lang_path is O-MIC-
ailer/PHPMa
File with 16-Jun-21 5.1 untrusted data and has a UNC WIND-
iler/blob/ma
Dangerous pathname. 020721/495
ster/SECURI
Type
CVE ID : CVE-2021-34551 TY.md

https://com
TeamViewer before munity.team
14.7.48644 on Windows viewer.com/
Uncontrolled O-MIC-
loads untrusted DLLs in English/disc
Search Path 16-Jun-21 4.4 WIND-
certain situations. ussion/1111
Element 020721/496
54/windows
CVE ID : CVE-2021-34803 -v14-7-
48644
Moxa
mgate_mb3180_firmware
https://ww
w.moxa.com
/en/product
An issue was discovered on s/industrial-
MOXA Mgate MB3180 edge-
Version 2.1 Build 18113012. connectivity/
Uncontrolled Attacker could send a huge protocol- O-MOX-
Resource 18-Jun-21 5 amount of TCP SYN packet to gateways/m MGAT-
Consumption make web service's resource odbus-tcp- 020721/497
exhausted. Then the web gateways/m
server is denial-of-service. gate-
CVE ID : CVE-2021-33823 mb3180-
mb3280-
mb3480-
series
An issue was discovered on https://ww
MOXA Mgate MB3180 w.moxa.com
Uncontrolled Version 2.1 Build 18113012. /en/product O-MOX-
Resource 18-Jun-21 5 Attackers can use s/industrial- MGAT-
Consumption slowhttptest tool to send edge- 020721/498
incomplete HTTP request, connectivity/
which could make server protocol-
keep waiting for the packet to gateways/m

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 193 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
finish the connection, until its odbus-tcp-
resource exhausted. Then the gateways/m
web server is denial-of- gate-
service. mb3180-
CVE ID : CVE-2021-33824 mb3280-
mb3480-
series
Nvidia
jetson_linux
Trusty (the trusted OS
produced by NVIDIA for
Jetson devices) driver
contains a vulnerability in the
NVIDIA OTE protocol
message parsing code where https://nvidi
Integer an integer overflow in a a.custhelp.co
O-NVI-JETS-
Overflow or 22-Jun-21 4.6 malloc() size calculation m/app/answ
020721/499
Wraparound leads to a buffer overflow on ers/detail/a_
the heap, which might result id/5205
in information disclosure,
escalation of privileges, and
denial of service.
CVE ID : CVE-2021-34372
Trusty TLK contains a
vulnerability in the NVIDIA
TLK kernel where an integer https://nvidi
Integer overflow in the calloc size a.custhelp.co
calculation can cause the O-NVI-JETS-
Overflow or 21-Jun-21 4.6 m/app/answ
multiplication of count and 020721/500
Wraparound ers/detail/a_
size can overflow, which id/5205
might lead to heap overflows.
CVE ID : CVE-2021-34386
The ARM TrustZone
Technology on which Trusty https://nvidi
Incorrect is based on contains a a.custhelp.co
O-NVI-JETS-
Default 21-Jun-21 7.2 vulnerability in access m/app/answ
020721/501
Permissions permission settings where ers/detail/a_
the portion of the DRAM id/5205
reserved for TrustZone is
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 194 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
identity-mapped by TLK with
read, write, and execute
permissions, which gives
write access to kernel code
and data that is otherwise
mapped read only.
CVE ID : CVE-2021-34387
Bootloader contains a
vulnerability in NVIDIA MB2
where a potential heap https://nvidi
Out-of- overflow might allow an a.custhelp.co
attacker to control all the O-NVI-JETS-
bounds 21-Jun-21 4.6 m/app/answ
RAM after the heap block, 020721/502
Write ers/detail/a_
leading to denial of service or id/5205
code execution.
CVE ID : CVE-2021-34388
Trusty contains a
vulnerability in NVIDIA OTE
Missing protocol message parsing https://nvidi
Release of code, which is present in all a.custhelp.co
Memory the TAs. An incorrect bounds O-NVI-JETS-
21-Jun-21 2.1 m/app/answ
after check leads to a memory leak 020721/503
ers/detail/a_
Effective of a portion of the heap id/5205
Lifetime situated after a stream buffer.
CVE ID : CVE-2021-34389
Trusty TLK contains a
vulnerability in the NVIDIA
TLK kernel function where a
lack of checks allows the https://nvidi
Integer exploitation of an integer a.custhelp.co
O-NVI-JETS-
Overflow or 22-Jun-21 2.1 overflow on the size m/app/answ
020721/504
Wraparound parameter of the ers/detail/a_
tz_map_shared_mem id/5205
function.
CVE ID : CVE-2021-34390

Integer Trusty TLK contains a https://nvidi

Overflow or 22-Jun-21 4.9 vulnerability in the NVIDIA a.custhelp.co O-NVI-JETS-
Wraparound TLK kernelï¿½s m/app/answ 020721/505
tz_handle_trusted_app_smc ers/detail/a_
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 195 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
function where a lack of id/5205
integer overflow checks on
the req_off and param_ofs
variables leads to memory
corruption of critical kernel
structures.
CVE ID : CVE-2021-34391
Trusty TLK contains a
vulnerability in the NVIDIA
TLK kernel where an integer https://nvidi
Integer overflow in the a.custhelp.co
tz_map_shared_mem function O-NVI-JETS-
Overflow or 22-Jun-21 2.1 m/app/answ
can bypass boundary checks, 020721/506
Wraparound ers/detail/a_
which might lead to denial of id/5205
service.
CVE ID : CVE-2021-34392
Trusty contains a
vulnerability in TSEC TA
which deserializes the
incoming messages even
though the TSEC TA does not https://nvidi
Deserializati
expose any command. This a.custhelp.co
on of O-NVI-JETS-
22-Jun-21 2.1 vulnerability might allow an m/app/answ
Untrusted 020721/507
attacker to exploit the ers/detail/a_
Data
deserializer to impact code id/5205
execution, causing
information disclosure.
CVE ID : CVE-2021-34393
Trusty contains a
vulnerability in all TAs whose
deserializer does not reject
messages with multiple https://nvidi
Deserializati occurrences of the same a.custhelp.co
on of parameter. The O-NVI-JETS-
22-Jun-21 4.6 m/app/answ
Untrusted deserialization of untrusted 020721/508
ers/detail/a_
Data data might allow an attacker id/5205
to exploit the deserializer to
impact code execution.
CVE ID : CVE-2021-34394
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 196 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Trusty TLK contains a
vulnerability in its access
permission settings where it
does not properly restrict https://nvidi
Incorrect access to a resource from a a.custhelp.co
O-NVI-JETS-
Default 22-Jun-21 3.6 user with local privileges, m/app/answ
020721/509
Permissions which might lead to limited ers/detail/a_
information disclosure and id/5205
limited denial of service.
CVE ID : CVE-2021-34395
Bootloader contains a
vulnerability in access
permission settings where https://nvidi
Incorrect unauthorized software may a.custhelp.co
be able to overwrite NVIDIA O-NVI-JETS-
Authorizatio 22-Jun-21 2.1 m/app/answ
MB2 code, which would 020721/510
n ers/detail/a_
result in limited denial of id/5205
service.
CVE ID : CVE-2021-34396
Bootloader contains a
vulnerability in NVIDIA MB2, https://nvidi
Out-of- which may cause free-the- a.custhelp.co
O-NVI-JETS-
bounds 22-Jun-21 2.1 wrong-heap, which may lead m/app/answ
020721/511
Write to limited denial of service. ers/detail/a_
id/5205
CVE ID : CVE-2021-34397
Oracle
solaris
IBM Security Identity https://exch
Manager 6.0.2 is vulnerable ange.xforce.i
to server-side request forgery bmcloud.com
Server-Side (SSRF). By sending a specially /vulnerabiliti
crafted request, a remote O-ORA-
Request es/197591,
16-Jun-21 4 authenticated attacker could SOLA-
Forgery https://ww
exploit this vulnerability to 020721/512
(SSRF) w.ibm.com/s
obtain sensitive data. IBM X- upport/page
Force ID: 197591. s/node/6464
CVE ID : CVE-2021-20483 081

Exposure of 16-Jun-21 3.5 IBM Security Identity https://exch O-ORA-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 197 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Resource to Manager 6.0.2 could allow an ange.xforce.i SOLA-
Wrong authenticated malicious user bmcloud.com 020721/513
Sphere to change the passwords of /vulnerabiliti
other users in the Windows es/197789,
AD environment when IBM https://ww
Security Identity Manager w.ibm.com/s
Windows Password Synch upport/page
Plug-in is deployed and s/node/6464
configured. IBM X-Force ID: 081
197789.
CVE ID : CVE-2021-20488

Db2 for Linux, UNIX and https://ww

Improper Windows (includes Db2 w.ibm.com/s
Neutralizatio Connect Server) is vulnerable upport/page
n of Special to a denial of service as the s/node/6466
O-ORA-
Elements server terminates abnormally 371,
24-Jun-21 5 SOLA-
used in a when executing a specially https://exch
020721/514
Command crafted SELECT statement. ange.xforce.i
('Command IBM X-Force ID: 200659. bmcloud.com
Injection') /vulnerabiliti
CVE ID : CVE-2021-29703 es/200659
protectimus
slim_nfc_70_firmware
Protectimus SLIM NFC 70
10.01 devices allow a Time
Traveler attack in which
attackers can predict TOTP
passwords in certain
situations. The time value
Improper used by the device can be set
independently from the used O-PRO-SLIM-
Authenticati 16-Jun-21 1.9 N/A
seed value for generating 020721/515
on
time-based one-time
passwords, without
authentication. Thus, an
attacker with short-time
physical access to a device
can set the internal real-time
clock (RTC) to the future,

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 198 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
generate one-time
passwords, and reset the
clock to the current time. This
allows the generation of valid
future time-based one-time
passwords without having
further access to the
hardware token.
CVE ID : CVE-2021-32033
Qnap
qts
Insecure storage of sensitive
information has been
reported to affect QNAP NAS
running myQNAPcloud Link.
If exploited, this vulnerability
allows remote attackers to
read sensitive information by https://ww
Insecure accessing the unrestricted w.qnap.com/
Storage of storage mechanism. This zh- O-QNA-QTS-
16-Jun-21 4
Sensitive issue affects: QNAP Systems tw/security- 020721/516
Information Inc. myQNAPcloud Link advisory/qsa
versions prior to 2.2.21 on -21-26
QTS 4.5.3; versions prior to
2.2.21 on QuTS hero h4.5.2;
versions prior to 2.2.21 on
QuTScloud c4.5.4.
CVE ID : CVE-2021-28815
qutscloud
Insecure storage of sensitive
information has been
reported to affect QNAP NAS https://ww
Insecure running myQNAPcloud Link. w.qnap.com/
O-QNA-
Storage of If exploited, this vulnerability zh-
16-Jun-21 4 QUTS-
Sensitive allows remote attackers to tw/security-
020721/517
Information read sensitive information by advisory/qsa
accessing the unrestricted -21-26
storage mechanism. This
issue affects: QNAP Systems
CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 199 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Inc. myQNAPcloud Link
versions prior to 2.2.21 on
QTS 4.5.3; versions prior to
2.2.21 on QuTS hero h4.5.2;
versions prior to 2.2.21 on
QuTScloud c4.5.4.
CVE ID : CVE-2021-28815
quts_hero
Insecure storage of sensitive
information has been
reported to affect QNAP NAS
running myQNAPcloud Link.
If exploited, this vulnerability
allows remote attackers to
read sensitive information by https://ww
Insecure accessing the unrestricted w.qnap.com/
O-QNA-
Storage of storage mechanism. This zh-
16-Jun-21 4 QUTS-
Sensitive issue affects: QNAP Systems tw/security-
020721/518
Information Inc. myQNAPcloud Link advisory/qsa
versions prior to 2.2.21 on -21-26
QTS 4.5.3; versions prior to
2.2.21 on QuTS hero h4.5.2;
versions prior to 2.2.21 on
QuTScloud c4.5.4.
CVE ID : CVE-2021-28815
Redhat
linux
https://ww
IBM Resilient SOAR V38.0 w.ibm.com/s
uses weaker than expected upport/page
Use of a cryptographic algorithms that s/node/6464
Broken or could allow an attacker to 043, O-RED-LINU-
Risky 16-Jun-21 5 decrypt highly sensitive https://exch 020721/519
Cryptographi information. IBM X-Force ID: ange.xforce.i
c Algorithm 199238. bmcloud.com
CVE ID : CVE-2021-20566 /vulnerabiliti
es/199238

Missing 16-Jun-21 2.1 IBM Resilient SOAR V38.0 https://ww O-RED-LINU-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 200 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Encryption could allow a local privileged w.ibm.com/s 020721/520
of Sensitive attacker to obtain sensitive upport/page
Data information due to improper s/node/6464
or nonexisting 039,
encryption.IBM X-Force ID: https://exch
199239. ange.xforce.i
CVE ID : CVE-2021-20567 bmcloud.com
/vulnerabiliti
es/199239
riot-os
riot
RIOT-OS 2021.01 before https://githu
Buffer Copy commit b.com/RIOT-
without 85da504d2dc30188b89f44c3 OS/RIOT/co
Checking 276fc5a25b31251f contains a mmit/85da5 O-RIO-RIOT-
Size of Input 18-Jun-21 5 buffer overflow which could 04d2dc3018 020721/521
('Classic allow attackers to obtain 8b89f44c327
Buffer sensitive information. 6fc5a25b312
Overflow')
CVE ID : CVE-2021-31660 51f

RIOT-OS 2021.01 before https://githu

Buffer Copy commit b.com/RIOT-
without 609c9ada34da5546cffb632a OS/RIOT/co
Checking 98b7ba157c112658 contains mmit/609c9 O-RIO-RIOT-
Size of Input 18-Jun-21 5 a buffer overflow that could ada34da554 020721/522
('Classic allow attackers to obtain 6cffb632a98
Buffer sensitive information. b7ba157c11
Overflow')
CVE ID : CVE-2021-31661 2658

RIOT-OS 2021.01 before https://githu

Buffer Copy commit b.com/RIOT-
without 07f1254d8537497552e7dce8 OS/RIOT/co
Checking 0364aaead9266bbe contains mmit/07f12 O-RIO-RIOT-
Size of Input 18-Jun-21 5 a buffer overflow which could 54d8537497 020721/523
('Classic allow attackers to obtain 552e7dce80
Buffer sensitive information. 364aaead92
Overflow')
CVE ID : CVE-2021-31662 66bbe

Buffer Copy RIOT-OS 2021.01 before https://githu O-RIO-RIOT-

without 18-Jun-21 5 commit b.com/RIOT- 020721/524
Checking bc59d60be60dfc0a05def57d OS/RIOT/co

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 201 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Size of Input 74985371e4f22d79 contains mmit/bc59d
('Classic a buffer overflow which could 60be60dfc0a
Buffer allow attackers to obtain 05def57d74
Overflow') sensitive information. 985371e4f2
CVE ID : CVE-2021-31663 2d79

RIOT-OS 2021.01 before https://githu

Buffer Copy commit b.com/RIOT-
without 44741ff99f7a71df45420635b OS/RIOT/co
Checking 238b9c22093647a contains a mmit/44741 O-RIO-RIOT-
Size of Input 18-Jun-21 5 buffer overflow which could ff99f7a71df4 020721/525
('Classic allow attackers to obtain 5420635b23
Buffer sensitive information. 8b9c220936
Overflow')
CVE ID : CVE-2021-31664 47a

serenityos
serenityos
https://githu
b.com/Seren
SerenityOS before commit ityOS/serenit
Improper 3844e8569689dd476064a07 y/pull/5713
Limitation of 59d704bc64fb3ca2c contains /commits/3
a Pathname a directory traversal 844e856968
to a vulnerability in tar/unzip O-SER-SERE-
18-Jun-21 7.5 9dd476064a
Restricted that may lead to command 020721/526
0759d704bc
Directory execution or privilege 64fb3ca2c,
('Path escalation. https://githu
Traversal')
CVE ID : CVE-2021-31272 b.com/Seren
ityOS/serenit
y/pull/5713
Buffer Copy SerenityOS contains a buffer
without overflow in the set_range test https://githu
Checking in TestBitmap which could b.com/Seren
O-SER-SERE-
Size of Input 18-Jun-21 5 allow attackers to obtain ityOS/serenit
020721/527
('Classic sensitive information. y/issues/707
Buffer 3
Overflow') CVE ID : CVE-2021-33185

Out-of- SerenityOS in test-crypto.cpp https://githu O-SER-SERE-

bounds 18-Jun-21 5 contains a stack buffer b.com/Seren 020721/528
Write overflow which could allow ityOS/serenit

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 202 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
attackers to obtain sensitive y/issues/707
information. 2
CVE ID : CVE-2021-33186
sing4g
4gee_router_hh70vb_firmware
An issue was discovered on
4GEE ROUTER HH70VB
Version HH70_E1_02.00_22.
Attackers can use https://ww
slowhttptest tool to send w.sing4g.co
incomplete HTTP request, m/product-
Uncontrolled
which could make server page/4gee- O-SIN-4GEE-
Resource 18-Jun-21 5
keep waiting for the packet to router- 020721/529
Consumption
finish the connection, until its hh70vb-4g-
resource exhausted. Then the 300mbps-
web server is denial-of- 2lan-32wifi
service.
CVE ID : CVE-2021-33822
Sonicwall
sonicos
A vulnerability in SonicOS
where the HTTP server https://psirt.
Exposure of response leaks partial global.sonic
Sensitive memory by sending a crafted wall.com/vul
Information HTTP request, this can O-SON-SONI-
23-Jun-21 5 n-
to an potentially lead to an internal 020721/530
detail/SNWL
Unauthorize sensitive data disclosure ID-2021-
d Actor vulnerability. 0006
CVE ID : CVE-2021-20019
sonicosv

A vulnerability in SonicOS https://psirt.

Exposure of
where the HTTP server global.sonic
Sensitive
response leaks partial wall.com/vul
Information O-SON-SONI-
23-Jun-21 5 memory by sending a crafted n-
to an 020721/531
HTTP request, this can detail/SNWL
Unauthorize
potentially lead to an internal ID-2021-
d Actor
sensitive data disclosure 0006

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 203 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
vulnerability.
CVE ID : CVE-2021-20019
Synology
diskstation_manager_unified_controller
Use after free vulnerability in
file transfer protocol
component in Synology https://ww
DiskStation Manager (DSM) w.synology.c
Use After before 6.2.3-25426-3 allows om/security O-SYN-DISK-
23-Jun-21 7.5
Free remote attackers to execute /advisory/Sy 020721/532
arbitrary code via unspecified nology_SA_2
vectors. 0_26

CVE ID : CVE-2021-27649
Improper neutralization of
special elements in output
Improper used by a downstream
Neutralizatio component ('Injection')
vulnerability in Security https://ww
n of Special
Advisor report management w.synology.c
Elements in
component in Synology om/security O-SYN-DISK-
Output Used 23-Jun-21 5
DiskStation Manager (DSM) /advisory/Sy 020721/533
by a
before 6.2.3-25426-3 allows nology_SA_2
Downstream
remote attackers to read 0_26
Component
('Injection') arbitrary files via unspecified
vectors.
CVE ID : CVE-2021-29084
Improper neutralization of
special elements in output
Improper used by a downstream
Neutralizatio component ('Injection') https://ww
n of Special vulnerability in file sharing w.synology.c
Elements in management component in om/security O-SYN-DISK-
Output Used 23-Jun-21 5 Synology DiskStation /advisory/Sy 020721/534
by a Manager (DSM) before 6.2.3- nology_SA_2
Downstream 25426-3 allows remote 0_26
Component attackers to read arbitrary
('Injection') files via unspecified vectors.
CVE ID : CVE-2021-29085

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 204 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Exposure of sensitive
information to an
unauthorized actor
Exposure of vulnerability in webapi https://ww
Sensitive component in Synology w.synology.c
Information DiskStation Manager (DSM) om/security O-SYN-DISK-
23-Jun-21 5
to an before 6.2.3-25426-3 allows /advisory/Sy 020721/535
Unauthorize remote attackers to obtain nology_SA_2
d Actor sensitive information via 0_26
unspecified vectors.
CVE ID : CVE-2021-29086
Improper limitation of a
pathname to a restricted
Improper directory ('Path Traversal')
Limitation of vulnerability in webapi https://ww
a Pathname component in Synology w.synology.c
to a DiskStation Manager (DSM) om/security O-SYN-DISK-
23-Jun-21 5
Restricted before 6.2.3-25426-3 allows /advisory/Sy 020721/536
Directory remote attackers to write nology_SA_2
('Path arbitrary files via unspecified 0_26
Traversal') vectors.
CVE ID : CVE-2021-29087
Trendnet
tw100-s4w1ca_firmware
In TrendNet TW100-S4W1CA
2.3.32, due to a lack of proper
session controls, a threat
actor could make
unauthorized changes to an
Cross-Site affected router via a specially O-TRE-
Request crafted web page. If an
17-Jun-21 6.8 N/A TW10-
Forgery authenticated user were to 020721/537
(CSRF) interact with a malicious web
page it could allow for a
complete takeover of the
router.
CVE ID : CVE-2021-32424

Improper 17-Jun-21 4.3 In TrendNet TW100-S4W1CA N/A O-TRE-

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 205 of 206
Weakness Publish Date CVSS Description & CVE ID Patch NCIIPC ID
Neutralizatio 2.3.32, it is possible to inject TW10-
n of Input arbitrary JavaScript into the 020721/538
During Web router's web interface via the
Page "echo" command.
Generation CVE ID : CVE-2021-32426
('Cross-site
Scripting')
ui
camera_g3_flex_firmware
An issue was discovered in
UniFi Protect G3 FLEX
Camera Version
UVC.v4.30.0.67. Attackers can https://store
use slowhttptest tool to send .ui.com/colle
incomplete HTTP request, ctions/unifi-
Uncontrolled
which could make server protect- O-UI-CAME-
Resource 18-Jun-21 5
keep waiting for the packet to cameras/pro 020721/539
Consumption
finish the connection, until its ducts/unifi-
resource exhausted. Then the video-g3-
web server is denial-of- flex-camera
service.
CVE ID : CVE-2021-33818
An issue was discovered in
UniFi Protect G3 FLEX https://store
Camera Version .ui.com/colle
UVC.v4.30.0.67.Attacker ctions/unifi-
Uncontrolled could send a huge amount of protect- O-UI-CAME-
Resource 18-Jun-21 5 TCP SYN packet to make web cameras/pro 020721/540
Consumption service's resource exhausted. ducts/unifi-
Then the web server is video-g3-
denial-of-service. flex-camera
CVE ID : CVE-2021-33820

CVSS Scoring Scale 0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10
Page 206 of 206

CVE Report: Vulnerabilities May 2021
No ratings yet
CVE Report: Vulnerabilities May 2021
268 pages
PBX Elastix 2pu361
No ratings yet
PBX Elastix 2pu361
279 pages
CWE Top 25 HTTP Testphp Vulnweb Com
No ratings yet
CWE Top 25 HTTP Testphp Vulnweb Com
60 pages
Apache HTTP Server: List of Security Vulnerabilities
No ratings yet
Apache HTTP Server: List of Security Vulnerabilities
1 page
EY CCC Daily Threat Digest 01st April 2025
No ratings yet
EY CCC Daily Threat Digest 01st April 2025
23 pages
Vulnerability Digest Apr 2025
No ratings yet
Vulnerability Digest Apr 2025
16 pages
Vulnerability Report for PHP & WordPress
No ratings yet
Vulnerability Report for PHP & WordPress
6 pages
PHP 5.2.4 Vulnerabilities Overview
No ratings yet
PHP 5.2.4 Vulnerabilities Overview
2 pages
Vulnerability Digest July 9 2025
No ratings yet
Vulnerability Digest July 9 2025
18 pages
Security Audit for Developers
No ratings yet
Security Audit for Developers
16 pages
PentestTools WebsiteScanner Report
No ratings yet
PentestTools WebsiteScanner Report
10 pages
Nexpose Audit Report
No ratings yet
Nexpose Audit Report
376 pages
Image Scan Report Repository Oneapp Coupon Engine, Image Tag Shared Qa 99 E858cf9c No
No ratings yet
Image Scan Report Repository Oneapp Coupon Engine, Image Tag Shared Qa 99 E858cf9c No
8 pages
Website Vulnerability Scan Summary
No ratings yet
Website Vulnerability Scan Summary
5 pages
Understanding OWASP Top 10 Risks
No ratings yet
Understanding OWASP Top 10 Risks
54 pages
Software and Systems Security
No ratings yet
Software and Systems Security
10 pages
Test 7
No ratings yet
Test 7
2 pages
Notes
No ratings yet
Notes
5 pages
Scan Report PDF
No ratings yet
Scan Report PDF
6 pages
19bcs2848 Exp 5 SWL
No ratings yet
19bcs2848 Exp 5 SWL
6 pages
Test 4
No ratings yet
Test 4
2 pages
Penetration DA2
No ratings yet
Penetration DA2
5 pages
Kali Explained
No ratings yet
Kali Explained
18 pages
Developer HTTP Dev Ubk Polindra Ac Id Dashboard
No ratings yet
Developer HTTP Dev Ubk Polindra Ac Id Dashboard
59 pages
Vapt 1
No ratings yet
Vapt 1
18 pages
Command Injection Vulnerabilities in CLI Tools
No ratings yet
Command Injection Vulnerabilities in CLI Tools
9 pages
Research p1
No ratings yet
Research p1
11 pages
Metasploitable 2 Security Audit Report
No ratings yet
Metasploitable 2 Security Audit Report
161 pages
Pass2Lead CS0 003
100% (1)
Pass2Lead CS0 003
220 pages
PentestTools WebsiteScanner Report
No ratings yet
PentestTools WebsiteScanner Report
6 pages
Secure Programming Insights 2025
No ratings yet
Secure Programming Insights 2025
43 pages
Website Scanner-Http Darkend - Sytes.net-20250504-1242
No ratings yet
Website Scanner-Http Darkend - Sytes.net-20250504-1242
10 pages
July2025patchtuesday 250709195526 C5aec6f2
No ratings yet
July2025patchtuesday 250709195526 C5aec6f2
40 pages
Developer HTTP Dev Ubk Polindra Ac Id Dashboard
No ratings yet
Developer HTTP Dev Ubk Polindra Ac Id Dashboard
99 pages
Security Audit Report for 172.16.72.212
No ratings yet
Security Audit Report for 172.16.72.212
62 pages
Apache Vulnerabilities Audit Report
No ratings yet
Apache Vulnerabilities Audit Report
76 pages
Aman Saxena Apaar Farmaha Shlok Yadav: WWW - Safe.security
No ratings yet
Aman Saxena Apaar Farmaha Shlok Yadav: WWW - Safe.security
10 pages
Security Audit Report: Lab-6 Vulnerabilities
No ratings yet
Security Audit Report: Lab-6 Vulnerabilities
19 pages
Websitechuyennghiep VN Asx2z7
No ratings yet
Websitechuyennghiep VN Asx2z7
115 pages
February 2022 Zero-Day Vulnerability Report
No ratings yet
February 2022 Zero-Day Vulnerability Report
8 pages
Vulnerability Digest 13 Mar24
No ratings yet
Vulnerability Digest 13 Mar24
23 pages
Vulnhub Darkhole 2 Write UP
No ratings yet
Vulnhub Darkhole 2 Write UP
13 pages
Security Audit Summary Report
No ratings yet
Security Audit Summary Report
18 pages
Website Scanner-Https WWW - Araruama.rj - Gov.br-20250124-0351
No ratings yet
Website Scanner-Https WWW - Araruama.rj - Gov.br-20250124-0351
11 pages
Honeywell XL Web II Vulnerabilities
No ratings yet
Honeywell XL Web II Vulnerabilities
11 pages
NVD - Cve-2022-2839
No ratings yet
NVD - Cve-2022-2839
3 pages
Scan Report
No ratings yet
Scan Report
29 pages
Web Vulnerabilities Guide
100% (1)
Web Vulnerabilities Guide
35 pages
CheckN8 - Wreath
No ratings yet
CheckN8 - Wreath
28 pages
Module 3.2
No ratings yet
Module 3.2
31 pages
Oracle Supply Chain July 2023 Patch Update
No ratings yet
Oracle Supply Chain July 2023 Patch Update
8 pages
SB04 133
No ratings yet
SB04 133
55 pages
Network Vulnerability Scan With Openvas Report
No ratings yet
Network Vulnerability Scan With Openvas Report
4 pages
PentestTools WebsiteScanner Report
No ratings yet
PentestTools WebsiteScanner Report
8 pages
Security Patch Updates Guide
No ratings yet
Security Patch Updates Guide
17 pages
EVantage - HPE SimpliVity System Administration Lab Guide Content
No ratings yet
EVantage - HPE SimpliVity System Administration Lab Guide Content
1 page
Year 2025 Calendar - India
No ratings yet
Year 2025 Calendar - India
3 pages
Hikvision Body Camera
No ratings yet
Hikvision Body Camera
2 pages
XYZ Internal Security Assessment v1
No ratings yet
XYZ Internal Security Assessment v1
52 pages
Shri Kedarnath - Ticket - 1680474983
No ratings yet
Shri Kedarnath - Ticket - 1680474983
4 pages
EVantage - HPE SimpliVity System Administration Lab Guide 1
No ratings yet
EVantage - HPE SimpliVity System Administration Lab Guide 1
12 pages
EVantage - HPE SimpliVity System Administration Lab Guide Content
No ratings yet
EVantage - HPE SimpliVity System Administration Lab Guide Content
2 pages
Spec of DS-MH2111 - V1.0 - Build2015.12.17
No ratings yet
Spec of DS-MH2111 - V1.0 - Build2015.12.17
2 pages
SSL VPN Access Users List-20May2020
No ratings yet
SSL VPN Access Users List-20May2020
164 pages
AccelPro Installation Guide
No ratings yet
AccelPro Installation Guide
38 pages
Private
No ratings yet
Private
1 page
Day9 2switch
No ratings yet
Day9 2switch
29 pages
0926231818M1353 Inv#6101812
No ratings yet
0926231818M1353 Inv#6101812
1 page
Book Bill
No ratings yet
Book Bill
1 page
Mahamrityunjay Mantra
No ratings yet
Mahamrityunjay Mantra
1 page
Wlan
No ratings yet
Wlan
9 pages
Network+ Study Guide - Uneditable
No ratings yet
Network+ Study Guide - Uneditable
59 pages
FortiGate SD-WAN & MPLS Guide
No ratings yet
FortiGate SD-WAN & MPLS Guide
7 pages
Security Leaders Handbook
No ratings yet
Security Leaders Handbook
27 pages
Delhi Metro Map Overview
No ratings yet
Delhi Metro Map Overview
1 page
DSpace Backup & Restore-PPT Ashok UGC Final
No ratings yet
DSpace Backup & Restore-PPT Ashok UGC Final
35 pages
Fortigate Maximum Values Matrix: Technical Note
No ratings yet
Fortigate Maximum Values Matrix: Technical Note
28 pages
Data Loss Prevention Strategies
No ratings yet
Data Loss Prevention Strategies
2 pages
Guidelinies 84007 2
No ratings yet
Guidelinies 84007 2
128 pages
Implementation of Information Security Management System in Government & Critical Sectors As Per ISO 27001: Progressive Steps
No ratings yet
Implementation of Information Security Management System in Government & Critical Sectors As Per ISO 27001: Progressive Steps
1 page
NTDCC Leadership in Telecom Crisis Management
No ratings yet
NTDCC Leadership in Telecom Crisis Management
10 pages
RC 4 RC 4HA RC 4HC Instructions
No ratings yet
RC 4 RC 4HA RC 4HC Instructions
2 pages
Pega Platform 87 Update Tomcat Postgres 0
No ratings yet
Pega Platform 87 Update Tomcat Postgres 0
76 pages
2021 DCPD Student Guide11 Jun 2021
No ratings yet
2021 DCPD Student Guide11 Jun 2021
233 pages
Bab 1-5 Thesis
No ratings yet
Bab 1-5 Thesis
55 pages
Oracle Simphony: Release Notes
No ratings yet
Oracle Simphony: Release Notes
15 pages
Jose Rizal's Nationalistic Poetry
No ratings yet
Jose Rizal's Nationalistic Poetry
2 pages
The Subject and Object of Linguistics
No ratings yet
The Subject and Object of Linguistics
3 pages
Fybca Backlog
No ratings yet
Fybca Backlog
3 pages
Assertiveness
No ratings yet
Assertiveness
97 pages
S-Edit Schematic Entry Guide
No ratings yet
S-Edit Schematic Entry Guide
15 pages
GLV JS SDK 4.0 Integration Guide
No ratings yet
GLV JS SDK 4.0 Integration Guide
11 pages
César A. Salgado, "A Note On Víctor Hernández-Cruz"
No ratings yet
César A. Salgado, "A Note On Víctor Hernández-Cruz"
6 pages
Cable Billing
No ratings yet
Cable Billing
2 pages
TWN4 AppBlaster User Guide DocRev14
No ratings yet
TWN4 AppBlaster User Guide DocRev14
38 pages
Livingstone High School November 2025 Examination Time-Tables Gr8-11
No ratings yet
Livingstone High School November 2025 Examination Time-Tables Gr8-11
5 pages
300 Most Common Qur'anic Words
100% (2)
300 Most Common Qur'anic Words
3 pages
Unit 5 Methods Approaches Class Worksheet 2023
No ratings yet
Unit 5 Methods Approaches Class Worksheet 2023
5 pages
Suggested Work Scheme: Papers 1 & 2 Reading and Writing Book 4 Unit 5
No ratings yet
Suggested Work Scheme: Papers 1 & 2 Reading and Writing Book 4 Unit 5
1 page
Scholarship Examination For Grade 5 Students 2025 Application 08123
No ratings yet
Scholarship Examination For Grade 5 Students 2025 Application 08123
5 pages
Question 1 - 5 Match The Picture To The Correct Word. 1. Peacock
No ratings yet
Question 1 - 5 Match The Picture To The Correct Word. 1. Peacock
11 pages
Independence Day Celebration Program
No ratings yet
Independence Day Celebration Program
4 pages
Quick Training Techniques Guide
No ratings yet
Quick Training Techniques Guide
41 pages
Unit 2 Conjunction, Disjunction, Conditional and Biconditional
No ratings yet
Unit 2 Conjunction, Disjunction, Conditional and Biconditional
16 pages
Nse4 Manual Fortinet
100% (8)
Nse4 Manual Fortinet
46 pages
Grade 9 - English - Term1 - M4 - 4.8 - Task - 2 - Assignment - Answer - Sheet
No ratings yet
Grade 9 - English - Term1 - M4 - 4.8 - Task - 2 - Assignment - Answer - Sheet
4 pages
Observation Sheet-Primary
No ratings yet
Observation Sheet-Primary
12 pages
Contributions of American Descriptive Linguistic School To The Study of Vietnamese: A Contemporary Look
No ratings yet
Contributions of American Descriptive Linguistic School To The Study of Vietnamese: A Contemporary Look
17 pages
XN-L Interfacing Guide PDF
33% (3)
XN-L Interfacing Guide PDF
25 pages
Data Structures Course Outline
No ratings yet
Data Structures Course Outline
3 pages
Eeraj Isht: Companies I Have Worked For
No ratings yet
Eeraj Isht: Companies I Have Worked For
3 pages

NCIIPC Fortnightly CVE Report For 16-30 Jun 2021

Uploaded by

NCIIPC Fortnightly CVE Report For 16-30 Jun 2021

Uploaded by

National Critical Information Infrastructure Protection Centre

Common Vulnerabilities and Exposures(CVE) Report

Ampache is an open source https://githu

Improper CheckSec Canopy before 3.5.2

Improper 16-Jun-21 4 A vulnerability in the API of https://tools. A-CIS-MEET-

Improper Cross-site scripting

Allocation of vulnerability was discovered 29060/Color

Integer A flaw was found in djvulibre-

Uncontrolled 24-Jun-21 4.3 In the bindata RubyGem https://githu A-GIT-GITL-

Db2 for Linux, UNIX and https://ww

IBM Resilient SOAR V38.0 https://ww

IBM Security Identity

Out-of- IBM Security Identity https://ww A-IBM-SECU-

A vulnerability was https://githu

Improper An XXE issue in SAXBuilder in

Jenkins Generic Webhook https://ww

Firefox for Android would https://ww

Improper 24-Jun-21 6.8 Mozilla developers reported https://ww A-MOZ-FIRE-

Mozilla developers reported https://ww

Integer Ports that were written as an https://ww A-MOZ-FIRE-

Mozilla developers reported https://ww

Mozilla developers reported https://ww

Improper MyQ Server in MyQ X Smart

Out-of- 17-Jun-21 5.8 An out-of-bounds read issue N/A A-OPE-

Improper phpIPAM 1.4.3 allows

Unrestricted 16-Jun-21 5.1 PHPMailer before 6.5.0 on https://githu A-PHP-

PHPMailer 6.4.1 and earlier

The Pods â€“ Custom Content https://wpsc

Secure 8 (Evalos) does not http://titani

Improper Improper limitation of a https://ww A-SYN-DISK-

Improper A cross-site scripting (XSS)

Unrestricted ZOLL Defibrillator

This vulnerability could allow https://psirt.

Improper Multiple vulnerabilities in the https://tools.

Insufficient 16-Jun-21 9.3 Multiple vulnerabilities in the https://tools. H-CIS-SF22-

Incorrect There is an improper https://ww H-HUA-

Improper 22-Jun-21 4 There is an information leak https://ww H-HUA-IPS_-

Improper There is a command injection https://ww H-HUA-

Integer Trusty (the trusted OS https://nvidi

Bootloader contains a https://nvidi

Deserializati Trusty contains a https://nvidi H-NVI-JETS-

Integer 22-Jun-21 4.6 Trusty (the trusted OS https://nvidi H-NVI-JETS-

Bootloader contains a https://nvidi

Missing Trusty contains a https://nvidi H-NVI-JETS-

N/A 18-Jun-21 6.8 This vulnerability could allow https://psirt.

Multiple vulnerabilities in the https://tools.

Improper 16-Jun-21 4.3 Multiple vulnerabilities in the https://tools. O-CIS-SF22-

Improper 16-Jun-21 9 Multiple vulnerabilities in the https://tools. O-CIS-SG22-

Insufficient Multiple vulnerabilities in the https://tools.

Improper 16-Jun-21 4.3 A vulnerability in the web- https://tools. O-CIS-UNIF-

Out-of- Contiki-NG is an open-source, https://githu O-CON-

Out-of- 21-Jun-21 3.3 In avrc_pars_browse_rsp of https://sour O-GOO-

Improper In onCreate of https://sour

Incorrect 22-Jun-21 4.6 In archiveStoredConversation https://sour O-GOO-

Concurrent In wrapUserThread of https://sour

Db2 for Linux, UNIX and https://ww

Allocation of There is a resource https://ww O-HUA-

Improper 22-Jun-21 6.5 There is a command injection https://ww O-HUA-S570-

There is a command injection https://ww

Improper 22-Jun-21 4 There is an information leak https://ww O-HUA-

Db2 for Linux, UNIX and https://ww

IBM Security Identity

Db2 for Linux, UNIX and https://ww

Improper 24-Jun-21 5 Db2 for Linux, UNIX and https://ww O-MIC-

This vulnerability allows

Integer Trusty TLK contains a https://nvidi

Exposure of 16-Jun-21 3.5 IBM Security Identity https://exch O-ORA-

Db2 for Linux, UNIX and https://ww

Missing 16-Jun-21 2.1 IBM Resilient SOAR V38.0 https://ww O-RED-LINU-

RIOT-OS 2021.01 before https://githu

RIOT-OS 2021.01 before https://githu

Buffer Copy RIOT-OS 2021.01 before https://githu O-RIO-RIOT-

RIOT-OS 2021.01 before https://githu

Out-of- SerenityOS in test-crypto.cpp https://githu O-SER-SERE-

A vulnerability in SonicOS https://psirt.

Improper 17-Jun-21 4.3 In TrendNet TW100-S4W1CA N/A O-TRE-