
CVE-2021-30163
https://notcve.org/view.php?id=CVE-2021-30163
06 Apr 2021 — Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that record changes to project_id values. • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html •

CVE-2020-36306
https://notcve.org/view.php?id=CVE-2020-36306
06 Apr 2021 — Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url field. • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-36307
https://notcve.org/view.php?id=CVE-2020-36307
06 Apr 2021 — Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via Textile inline links. • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-36308
https://notcve.org/view.php?id=CVE-2020-36308
06 Apr 2021 — Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading the time entries. • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVE-2019-25026
https://notcve.org/view.php?id=CVE-2019-25026
06 Apr 2021 — Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting. • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html •

CVE-2021-30164
https://notcve.org/view.php?id=CVE-2021-30164
06 Apr 2021 — Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API. • https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html •

CVE-2021-30158 – Gentoo Linux Security Advisory 202107-40
https://notcve.org/view.php?id=CVE-2021-30158
06 Apr 2021 — An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been compromised, and yet is not able to block any potential future use of the token by an unauthorized party. • https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html • CWE-287: Improper Authentication •

CVE-2021-30151 – sidekiq: XSS via the queue name of the live-poll feature
https://notcve.org/view.php?id=CVE-2021-30151
06 Apr 2021 — Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. A cross-site scripting vulnerability was found in sidekiq via the queue name of the live-poll feature. A potential attacker can impersonate or masquerade as the victim user using this vulnerability whe... • https://github.com/mperham/sidekiq/issues/4852 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-28658 – django: potential directory-traversal via uploaded files
https://notcve.org/view.php?id=CVE-2021-28658
06 Apr 2021 — In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability. • https://docs.djangoproject.com/en/3.1/releases/security • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
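As an added illustration (this is not Django's code and not the MultiPartParser patch), the Python below shows the pattern the advisory describes: a multipart filename such as ../../etc/cron.d/job reaches a hand-written upload handler that simply joins it onto the upload directory, beside a sanitiser that reduces the client-supplied name to a single path component, decoding HTML entities before stripping separators and rejecting '.', '..' and empty names, which is the approach the fix took. The Content-Disposition samples, the function names and the temporary upload root are all constructed for this example.

```python
import html
import os
import re
import tempfile
from pathlib import Path

# Pulls the filename parameter out of a multipart part's Content-Disposition.
# Deliberately minimal (no RFC 2231 handling); it only has to yield the raw,
# attacker-controlled string that a parser would hand to an upload handler.
_FILENAME_RE = re.compile(r'filename="([^"]*)"')

# Constructed headers, as a client could send them in a multipart/form-data body.
SAMPLE_HEADERS = [
    'form-data; name="file"; filename="report.pdf"',
    'form-data; name="file"; filename="../../etc/cron.d/job"',
    'form-data; name="file"; filename="..\\..\\windows\\win.ini"',
    'form-data; name="file"; filename="..&#47;..&#47;poison"',  # entity-encoded '/'
    'form-data; name="file"; filename=".."',
]


def raw_filename(content_disposition: str) -> str:
    """Return the client-supplied filename exactly as sent (no sanitisation)."""
    match = _FILENAME_RE.search(content_disposition)
    return match.group(1) if match else ""


def sanitize_file_name(name: str):
    """Reduce a client-supplied name to one path component, or None if unusable.

    Order matters: HTML entities are decoded *before* separators are stripped,
    otherwise '..&#47;..&#47;x' survives stripping and decodes to '../../x' later.
    Both '/' and '\\' are treated as separators so the result is safe on any OS.
    """
    name = html.unescape(name)
    name = name.rsplit("/", 1)[-1]
    name = name.rsplit("\\", 1)[-1]
    if name in {"", ".", ".."}:
        return None
    return name


def naive_destination(upload_root: str, name: str) -> str:
    """The vulnerable pattern: trust the name and join it onto the upload root."""
    return os.path.normpath(os.path.join(upload_root, name))


def safe_destination(upload_root: str, name: str):
    """Sanitise, then verify the resolved path is a direct child of the root."""
    clean = sanitize_file_name(name)
    if clean is None:
        return None
    root = Path(upload_root).resolve()
    dest = (root / clean).resolve()
    if dest.parent != root:  # defence in depth; cannot trip after sanitising
        return None
    return str(dest)


def escapes_root(upload_root: str, dest: str) -> bool:
    """True if dest lies outside upload_root once '..' and symlinks are resolved."""
    root = os.path.realpath(upload_root)
    return os.path.commonpath([root, os.path.realpath(dest)]) != root


def demo():
    """Run every sample through both patterns; returns (root, results by raw name)."""
    root = tempfile.mkdtemp(prefix="uploads-")  # constructed upload directory
    results = {}
    for header in SAMPLE_HEADERS:
        name = raw_filename(header)
        results[name] = {
            "naive_escapes": escapes_root(root, naive_destination(root, name)),
            "safe": safe_destination(root, name),
        }
    return root, results


if __name__ == "__main__":
    root, results = demo()
    for name, outcome in results.items():
        print(f"{name!r:32} naive escapes root: {outcome['naive_escapes']!s:5} "
              f"safe destination: {outcome['safe']}")
```

The caveat in the advisory is the part worth checking in your own code: Django's built-in upload handlers never used the client name to build a filesystem path, which is why they were unaffected. Code that takes the name straight from the parsed part, as naive_destination does here, is the pattern to look for when auditing custom upload handlers or views on an affected version.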

CVE-2021-20307 – Ubuntu Security Notice USN-6163-1
https://notcve.org/view.php?id=CVE-2021-20307
05 Apr 2021 — Format string vulnerability in panoFileOutputNamesCreate() in libpano13 2.9.20~rc2+dfsg-3 and earlier can lead to reading and writing arbitrary memory values. It was discovered that pano13 did not properly validate the prefix provided for PTcrop's output. An attacker could use this issue to cause pano13 to crash,... • https://bugzilla.redhat.com/show_bug.cgi?id=1946284 • CWE-134: Use of Externally-Controlled Format String •