Weekly Vulnerabilities Reports > July 26 to August 1, 2021

Overview

179 new vulnerabilities were reported during this period, including 35 critical vulnerabilities and 56 high severity vulnerabilities. This weekly summary reports vulnerabilities in 163 products from 110 vendors including IBM, Fedoraproject, Dell, Naviwebs, and Debian. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Improper Input Validation", "Information Exposure Through an Error Message", and "Path Traversal".

  • 160 reported vulnerabilities are remotely exploitable.
  • 8 reported vulnerabilities have a public exploit available.
  • 89 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 105 reported vulnerabilities are exploitable by an anonymous user.
  • IBM has the most reported vulnerabilities, with 17 reported vulnerabilities.
  • Naviwebs has the most reported critical vulnerabilities, with 5 reported vulnerabilities.

Dashboard categories (counts not captured with the page): Total vulnerabilities; Critical risk vulnerabilities; High risk vulnerabilities; Medium risk vulnerabilities; Low risk vulnerabilities; Remotely exploitable; Locally exploitable; Exploit available; Exploitable anonymously; Affecting web application.

Vulnerability Details

The following table lists reported vulnerabilities for the period covered by this report:

35 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-07-29 CVE-2021-21538 Dell Improper Authentication vulnerability in Dell Idrac9 Firmware 4.40.00.00

Dell EMC iDRAC9 versions 4.40.00.00 and later, but prior to 4.40.10.00, contain an improper authentication vulnerability.

10.0
2021-07-31 CVE-2021-37759 Graylog Information Exposure Through Log Files vulnerability in Graylog

A Session ID leak in the DEBUG log file in Graylog before 4.1.2 allows attackers to escalate privileges (to the access level of the leaked session ID).

9.8
2021-07-31 CVE-2021-37760 Graylog Information Exposure Through Log Files vulnerability in Graylog

A Session ID leak in the audit log in Graylog before 4.1.2 allows attackers to escalate privileges (to the access level of the leaked session ID).

9.8
2021-07-30 CVE-2020-18013 Whatsns SQL Injection vulnerability in Whatsns 4.0

SQL Injection vulnerability exists in Whatsns 4.0 via the ip parameter in index.php?admin_banned/add.htm.

9.8
2021-07-30 CVE-2020-18175 Metinfo SQL Injection vulnerability in Metinfo 6.1.3

SQL Injection vulnerability in Metinfo 6.1.3 via a dosafety_emailadd action in basic.php.

9.8
2021-07-30 CVE-2020-21806 Ectouch SQL Injection vulnerability in Ectouch 2.0

SQL Injection vulnerability in ECTouch v2 via the shop page in index.php.

9.8
2021-07-30 CVE-2020-21808 Nukeviet SQL Injection vulnerability in Nukeviet

SQL Injection vulnerability in NukeViet CMS 4.0.10 - 4.3.07 via the topicsid parameter in modules/news/admin/addtotopics.php.

9.8
2021-07-30 CVE-2020-21809 Nukeviet SQL Injection vulnerability in Nukeviet

SQL Injection vulnerability in NukeViet CMS module Shops 4.0.29 and 4.3 via the (1) listid parameter in detail.php and the (2) group_price or groupid parameters in search_result.php.

9.8
2021-07-30 CVE-2021-25200 Learning Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Learning Management System Project Learning Management System 1.0

Arbitrary file upload vulnerability in SourceCodester Learning Management System v 1.0 allows attackers to execute arbitrary code, via the file upload to \lms\student_avatar.php.

9.8
2021-07-30 CVE-2021-30124 Vscode Phpmd Project Unspecified vulnerability in Vscode-PHPmd Project Vscode-PHPmd

The unofficial vscode-phpmd (aka PHP Mess Detector) extension before 1.3.0 for Visual Studio Code allows remote attackers to execute arbitrary code via a crafted phpmd.command value in a workspace folder.

9.8
2021-07-30 CVE-2021-34165 Basic Shopping Cart Project SQL Injection vulnerability in Basic Shopping Cart Project Basic Shopping Cart 1.0

A SQL Injection vulnerability in Sourcecodester Basic Shopping Cart 1.0 allows a remote attacker to Bypass Authentication and become Admin.

9.8
2021-07-30 CVE-2021-34166 Simple Food Website Project SQL Injection vulnerability in Simple Food Website Project Simple Food Website 1.0

A SQL INJECTION vulnerability in Sourcecodester Simple Food Website 1.0 allows a remote attacker to Bypass Authentication and become Admin.

9.8
2021-07-30 CVE-2021-35458 Online PET Shop WE APP Project SQL Injection vulnerability in Online PET Shop WE APP Project Online PET Shop WE APP 1.0

Online Pet Shop We App 1.0 is vulnerable to Union SQL Injection in products.php (aka p=products) via the c or s parameter.

9.8
2021-07-30 CVE-2021-36624 Phone Shop Sales Management System Project SQL Injection vulnerability in Phone Shop Sales Management System Project Phone Shop Sales Management System 1.0

Sourcecodester Phone Shop Sales Managements System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

9.8
2021-07-30 CVE-2021-37594 Freerdp Improper Input Validation vulnerability in Freerdp

In FreeRDP before 2.4.0 on Windows, wf_cliprdr_server_file_contents_request in client/Windows/wf_cliprdr.c has missing input checks for a FILECONTENTS_SIZE File Contents Request PDU.

9.8
2021-07-30 CVE-2021-37595 Freerdp Improper Input Validation vulnerability in Freerdp

In FreeRDP before 2.4.0 on Windows, wf_cliprdr_server_file_contents_request in client/Windows/wf_cliprdr.c has missing input checks for a FILECONTENTS_RANGE File Contents Request PDU.

9.8
2021-07-30 CVE-2021-29781 IBM Deserialization of Untrusted Data vulnerability in IBM Partner Engagement Manager 2.0

IBM Partner Engagement Manager 2.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw.

9.8
2021-07-29 CVE-2021-23418 Glances Project XXE vulnerability in Glances Project Glances

The package glances before 3.2.1 is vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks.

9.8
2021-07-29 CVE-2020-36239 Atlassian Missing Authentication for Critical Function vulnerability in Atlassian Jira Data Center

Jira Data Center, Jira Core Data Center, Jira Software Data Center from version 6.3.0 before 8.5.16, from 8.6.0 before 8.13.8, from 8.14.0 before 8.17.0 and Jira Service Management Data Center from version 2.0.2 before 4.5.16, from version 4.6.0 before 4.13.8, and from version 4.14.0 before 4.17.0 exposed an Ehcache RMI network service which attackers who can connect to the service, on port 40001 and potentially 40011[0][1], could use to execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability.

9.8
2021-07-29 CVE-2021-37578 Apache Deserialization of Untrusted Data vulnerability in Apache Juddi

Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services.

9.8
2021-07-28 CVE-2021-23417 Deepmergefn Project Unspecified vulnerability in Deepmergefn Project Deepmergefn

All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function.

9.8
2021-07-28 CVE-2020-5341 Dell Deserialization of Untrusted Data vulnerability in Dell products

Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2, 19.1 and 19.2 and Dell EMC Integrated Data Protection Appliance versions 2.0, 2.1, 2.2, 2.3, 2.4 and 2.4.1 contain a Deserialization of Untrusted Data Vulnerability.

9.8
2021-07-26 CVE-2021-37555 Trixie Use of Hard-coded Credentials vulnerability in Trixie TX9 Automatic Food Dispenser Firmware 3.2.57

TX9 Automatic Food Dispenser v3.2.57 devices allow access to a shell as root/superuser, a related issue to CVE-2019-16734.

9.8
2021-07-26 CVE-2020-17952 Twothink Project Unspecified vulnerability in Twothink Project Twothink 2.0

A remote code execution (RCE) vulnerability in /library/think/App.php of Twothink v2.0 allows attackers to execute arbitrary PHP code.

9.8
2021-07-26 CVE-2020-18170 Abloy Unspecified vulnerability in Abloy KEY Manager 7.14301.0.0

An issue in the SeChangeNotifyPrivilege component of Abloy Key Manager Version 7.14301.0.0 allows attackers to escalate privileges via a change in permissions.

9.8
2021-07-26 CVE-2020-18172 Trezor Code Injection vulnerability in Trezor Bridge 2.0.27

A code injection vulnerability in the SeDebugPrivilege component of Trezor Bridge 2.0.27 allows attackers to escalate privileges.

9.8
2021-07-26 CVE-2020-18174 Autohotkey Unspecified vulnerability in Autohotkey 1.1.32.00

A process injection vulnerability in setup.exe of AutoHotkey 1.1.32.00 allows attackers to escalate privileges.

9.8
2021-07-26 CVE-2021-37473 Naviwebs SQL Injection vulnerability in Naviwebs Navigatecms 2.9

In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `products-order` through a post request, which results in arbitrary sql query execution in the backend database.

9.8
2021-07-26 CVE-2021-37475 Naviwebs SQL Injection vulnerability in Naviwebs Navigatecms 2.9

In NavigateCMS version 2.9.4 and below, function in `templates.php` is vulnerable to sql injection on parameter `template-properties-order`, which results in arbitrary sql query execution in the backend database.

9.8
2021-07-26 CVE-2021-37476 Naviwebs SQL Injection vulnerability in Naviwebs Navigatecms 2.9

In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `id` through a post request, which results in arbitrary sql query execution in the backend database.

9.8
2021-07-26 CVE-2021-37477 Naviwebs SQL Injection vulnerability in Naviwebs Navigatecms 2.9

In NavigateCMS version 2.9.4 and below, function in `structure.php` is vulnerable to sql injection on parameter `children_order`, which results in arbitrary sql query execution in the backend database.

9.8
2021-07-26 CVE-2021-37478 Naviwebs SQL Injection vulnerability in Naviwebs Navigatecms 2.9

In NavigateCMS version 2.9.4 and below, function `block` is vulnerable to sql injection on parameter `block-order`, which results in arbitrary sql query execution in the backend database.

9.8
2021-07-30 CVE-2021-37144 Cszcms Use of Incorrectly-Resolved Name or Reference vulnerability in Cszcms CSZ CMS 1.2.9

CSZ CMS 1.2.9 is vulnerable to Arbitrary File Deletion.

9.1
2021-07-30 CVE-2021-37593 Peel SQL Injection vulnerability in Peel Shopping 9.4.0

PEEL Shopping version 9.4.0 allows remote SQL injection.

9.1
2021-07-27 CVE-2021-20399 IBM XXE vulnerability in IBM Qradar Security Information and Event Manager

IBM Qradar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.

9.1

56 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-07-31 CVE-2020-26806 Objectplanet Path Traversal vulnerability in Objectplanet Opinio

admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code.

8.8
2021-07-30 CVE-2020-18157 Metinfo Cross-Site Request Forgery (CSRF) vulnerability in Metinfo 6.1.3

Cross Site Request Forgery (CSRF) vulnerability in MetInfo 6.1.3 via a doaddsave action in admin/index.php.

8.8
2021-07-30 CVE-2020-22761 Flatpress Cross-Site Request Forgery (CSRF) vulnerability in Flatpress 1.1

Cross Site Request Forgery (CSRF) vulnerability in FlatPress 1.1 via the DeleteFile function in flat/admin.php.

8.8
2021-07-30 CVE-2021-20783 Softbank Cross-Site Request Forgery (CSRF) vulnerability in Softbank Optical BB Unit E-Wmta Firmware 2.3

Cross-site request forgery (CSRF) vulnerability in Optical BB unit E-WMTA2.3 allows a remote attacker to hijack the authentication of administrators via a specially crafted page.

8.8
2021-07-30 CVE-2021-34802 Neo4J Improper Privilege Management vulnerability in Neo4J Graph Database 4.2/4.3

A failure in resetting the security context in some transaction actions in Neo4j Graph Database 4.2 and 4.3 could allow authenticated users to execute commands with elevated privileges.

8.8
2021-07-30 CVE-2021-35472 Lemonldap NG, Debian Improper Restriction of Excessive Authentication Attempts vulnerability in multiple products

An issue was discovered in LemonLDAP::NG before 2.0.12.

8.8
2021-07-30 CVE-2021-29736 IBM Unspecified vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote user to gain elevated privileges on the system.

8.8
2021-07-29 CVE-2021-36741 Trendmicro Unrestricted Upload of File with Dangerous Type vulnerability in Trendmicro products

An improper input validation vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG, and Worry-Free Business Security 10.0 SP1 allows a remote attacker to upload arbitrary files on affected installations.

8.8
2021-07-29 CVE-2020-5353 Dell Incorrect Default Permissions vulnerability in Dell EMC Isilon Onefs and EMC Powerscale Onefs

The Dell Isilon OneFS versions 8.2.2 and earlier and Dell EMC PowerScale OneFS version 9.0.0 default configuration for Network File System (NFS) allows access to an 'admin' home directory.

8.8
2021-07-28 CVE-2020-26180 Dell Incorrect Default Permissions vulnerability in Dell EMC Isilon Onefs and EMC Powerscale Onefs

Dell EMC Isilon OneFS supported versions 8.1 and later and Dell EMC PowerScale OneFS supported version 9.0.0 contain an access issue with the remotesupport user account.

8.8
2021-07-26 CVE-2020-18171 Techsmith Improper Privilege Management vulnerability in Techsmith Snagit 19.1.0.2653

TechSmith Snagit 19.1.0.2653 uses Object Linking and Embedding (OLE) which can allow attackers to obfuscate and embed crafted files used to escalate privileges.

8.8
2021-07-26 CVE-2021-37394 Rpcms Unspecified vulnerability in Rpcms

In RPCMS v1.8 and below, attackers can interact with the API and change the variable "role" to "admin" to achieve admin user registration.

8.8
2021-07-30 CVE-2020-11511 Thimpress Missing Authorization vulnerability in Thimpress Learnpress

The LearnPress plugin before 3.2.6.9 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter.

8.1
2021-07-30 CVE-2021-36621 Online Covid Vaccination Scheduler System Project SQL Injection vulnerability in Online Covid Vaccination Scheduler System Project Online Covid Vaccination Scheduler System 1.0

Sourcecodester Online Covid Vaccination Scheduler System 1.0 is vulnerable to SQL Injection.

8.1
2021-07-30 CVE-2021-36983 Replaysorcery Project Link Following vulnerability in Replaysorcery Project Replaysorcery 0.6.0

replay-sorcery-kms in Replay Sorcery 0.6.0 allows a local attacker to gain root privileges via a symlink attack on /tmp/replay-sorcery or /tmp/replay-sorcery/device.sock.

7.8
2021-07-29 CVE-2021-36742 Trendmicro Improper Input Validation vulnerability in Trendmicro products

An improper input validation vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG and Worry-Free Business Security 10.0 SP1 allows a local attacker to escalate privileges on affected installations.

7.8
2021-07-26 CVE-2021-37576 Linux, Fedoraproject Out-of-bounds Write vulnerability in multiple products

arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e.

7.8
2021-07-26 CVE-2020-18169 Techsmith Improper Privilege Management vulnerability in Techsmith Snagit 19.1.1.2860

A vulnerability in the Windows installer XML (WiX) toolset of TechSmith Snagit 19.1.1.2860 allows attackers to escalate privileges.

7.8
2021-07-26 CVE-2020-18173 1Password Uncontrolled Search Path Element vulnerability in 1Password 7.3.712

A DLL injection vulnerability in 1password.dll of 1Password 7.3.712 allows attackers to execute arbitrary code.

7.8
2021-07-31 CVE-2020-26565 Objectplanet Expression Language Injection vulnerability in Objectplanet Opinio

ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter.

7.5
2021-07-30 CVE-2021-27491 Ypsomed Unspecified vulnerability in Ypsomed Mylife and Mylife Cloud

Ypsomed mylife Cloud (all versions prior to 1.7.2) and Ypsomed mylife App (all versions prior to 1.7.5): the Ypsomed mylife Cloud discloses password hashes during the registration process.

7.5
2021-07-30 CVE-2021-35193 Pattersondental Improper Certificate Validation vulnerability in Pattersondental Eaglesoft

Patterson Application Service in Patterson Eaglesoft 18 through 21 accepts the same certificate authentication across different customers' installations (that have the same software version).

7.5
2021-07-30 CVE-2020-10590 Replicated Unspecified vulnerability in Replicated Classic 2.41.0

Replicated Classic 2.x versions have an improperly secured API that exposes sensitive data from the Replicated Admin Console configuration.

7.5
2021-07-30 CVE-2020-14999 Acronis Unspecified vulnerability in Acronis Agent

A logic bug in the system monitoring driver of Acronis Agent after 12.5.21540 and before 12.5.23094 allowed bypassing Windows memory protection and accessing sensitive data.

7.5
2021-07-30 CVE-2020-16839 Crestron Improper Authentication vulnerability in Crestron products

On Crestron DM-NVX-DIR, DM-NVX-DIR80, and DM-NVX-ENT devices before the DM-XIO/1-0-3-802 patch, the password can be changed by sending an unauthenticated WebSocket request.

7.5
2021-07-30 CVE-2021-20114 Tecnick Forced Browsing vulnerability in Tecnick Tcexam

When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which included sensitive database backup files.

7.5
2021-07-30 CVE-2021-28966 Ruby Lang Path Traversal vulnerability in Ruby-Lang Ruby

In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir.

7.5
2021-07-30 CVE-2021-32558 Digium, Debian Injection vulnerability in multiple products

An issue was discovered in Sangoma Asterisk 13.x before 13.38.3, 16.x before 16.19.1, 17.x before 17.9.4, and 18.x before 18.5.1, and Certified Asterisk before 16.8-cert10.

7.5
2021-07-30 CVE-2021-36386 Fetchmail, Fedoraproject Missing Initialization of Resource vulnerability in multiple products

report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages.

7.5
2021-07-30 CVE-2021-36754 Powerdns Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Powerdns Authoritative Server 4.5.0

PowerDNS Authoritative Server 4.5.0 before 4.5.1 allows anybody to crash the process by sending a specific query (QTYPE 65535) that causes an out-of-bounds exception.

7.5
2021-07-30 CVE-2021-37601 Prosody Unspecified vulnerability in Prosody

muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations.

7.5
2021-07-28 CVE-2021-23415 Elfinder Aspnet Project Path Traversal vulnerability in Elfinder.Aspnet Project Elfinder.Aspnet

This affects the package elFinder.AspNet before 1.1.1.

7.5
2021-07-28 CVE-2020-5351 Dell Unspecified vulnerability in Dell EMC Data Protection Advisor 18.1/6.4/6.5

Dell EMC Data Protection Advisor versions 6.4, 6.5 and 18.1 contain an undocumented account with limited privileges that is protected with a hard-coded password.

7.5
2021-07-27 CVE-2021-34432 Eclipse Unspecified vulnerability in Eclipse Mosquitto

In Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0.

7.5
2021-07-26 CVE-2020-18428 Tinyexr Project Improper Validation of Array Index vulnerability in Tinyexr Project Tinyexr 0.9.5

tinyexr commit 0.9.5 was discovered to contain an array index error in the tinyexr::SaveEXR component, which can lead to a denial of service (DOS).

7.5
2021-07-26 CVE-2020-18430 Tinyexr Project Improper Validation of Array Index vulnerability in Tinyexr Project Tinyexr 0.9.5

tinyexr 0.9.5 was discovered to contain an array index error in the tinyexr::DecodeEXRImage component, which can lead to a denial of service (DOS).

7.5
2021-07-26 CVE-2021-32794 Archisteamfarm Project Missing Authentication for Critical Function vulnerability in Archisteamfarm Project Archisteamfarm

ArchiSteamFarm is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously.

7.5
2021-07-26 CVE-2021-25804 Videolan NULL Pointer Dereference vulnerability in Videolan VLC Media Player 3.0.11

A NULL-pointer dereference in "Open" in avi.c of VideoLAN VLC Media Player 3.0.11 can cause a denial of service (DOS) in the application.

7.5
2021-07-26 CVE-2021-31292 Exiv2, Debian, Fedoraproject Integer Overflow or Wraparound vulnerability in multiple products

An integer overflow in CrwMap::encode0x1810 of Exiv2 0.27.3 allows attackers to trigger a heap-based buffer overflow and cause a denial of service (DOS) via crafted metadata.

7.5
2021-07-26 CVE-2021-32789 Automattic SQL Injection vulnerability in Automattic Woocommerce Blocks

woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks.

7.5
2021-07-26 CVE-2021-33629 Openeuler Unspecified vulnerability in Openeuler Isula-Build

isula-build before 0.9.5-6 can crash when building container images because some functions for processing external data do not remove spaces when processing data.

7.5
2021-07-26 CVE-2020-12681 3Xlogic Improper Certificate Validation vulnerability in 3Xlogic Infinias Eidc32 Firmware 2.213/3.4.125

Missing TLS certificate validation on 3xLogic Infinias eIDC32 devices through 3.4.125 allows an attacker to intercept/control the channel by which door lock policies are applied.

7.5
2021-07-26 CVE-2021-20337 IBM Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Qradar Security Information and Event Manager

IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

7.5
2021-07-26 CVE-2021-33900 Apache Cleartext Transmission of Sensitive Information vulnerability in Apache Directory Studio

While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used.

7.5
2021-08-01 CVE-2021-32066 Ruby Lang, Oracle Improper Handling of Exceptional Conditions vulnerability in multiple products

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1.

7.4
2021-07-30 CVE-2021-32807 Zope Unspecified vulnerability in Zope Accesscontrol

The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications.

7.2
2021-07-30 CVE-2020-20698 S CMS Missing Authorization vulnerability in S-Cms 3.0

A remote code execution (RCE) vulnerability in /1.com.php of S-CMS PHP v3.0 allows attackers to getshell via modification of a PHP file.

7.2
2021-07-30 CVE-2021-36766 Concretecms Deserialization of Untrusted Data vulnerability in Concretecms Concrete CMS

Concrete5 through 8.5.5 deserializes Untrusted Data.

7.2
2021-07-30 CVE-2021-27495 Ypsomed Unspecified vulnerability in Ypsomed Mylife and Mylife Cloud

Ypsomed mylife Cloud (all versions prior to 1.7.2) and Ypsomed mylife App (all versions prior to 1.7.5): the Ypsomed mylife Cloud reflects the user password during the login process after redirecting the user from an HTTPS endpoint to an HTTP endpoint.

7.1
2021-07-30 CVE-2021-32610 PHP, Debian, Fedoraproject Link Following vulnerability in multiple products

In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.

7.1
2021-07-28 CVE-2021-32000 Suse Link Following vulnerability in Suse Linux Enterprise Server and Opensuse Factory

A UNIX Symbolic Link (Symlink) Following vulnerability in the clone-master-clean-up.sh script of clone-master-clean-up in SUSE Linux Enterprise Server 12 SP3, SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allows local attackers to delete arbitrary files.

7.1
2021-07-26 CVE-2021-25801 Videolan Out-of-bounds Read vulnerability in Videolan VLC Media Player 3.0.11

A buffer overflow vulnerability in the __Parse_indx component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file.

7.1
2021-07-26 CVE-2021-25802 Videolan Out-of-bounds Read vulnerability in Videolan VLC Media Player 3.0.11

A buffer overflow vulnerability in the AVI_ExtractSubtitle component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file.

7.1
2021-07-26 CVE-2021-25803 Videolan Integer Overflow or Wraparound vulnerability in Videolan VLC Media Player 3.0.11

A buffer overflow vulnerability in the vlc_input_attachment_New component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file.

7.1
2021-07-26 CVE-2021-26824 DM Fingertool Project Authentication Bypass by Capture-replay vulnerability in DM Fingertool Project DM Fingertool 1.19

DM FingerTool v1.19 in the DM PD065 Secure USB is susceptible to improper authentication by a replay attack, allowing local attackers to bypass user authentication and access all features and data on the USB.

7.1
2021-07-30 CVE-2021-31799 Debian, Ruby Lang, Oracle OS Command Injection vulnerability in multiple products

In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.

7.0

88 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-07-30 CVE-2021-22521 Microfocus Incorrect Authorization vulnerability in Microfocus products

A privilege escalation vulnerability has been identified in Micro Focus ZENworks Configuration Management, affecting version 2020 Update 1 and all prior versions.

6.7
2021-07-31 CVE-2020-26564 Objectplanet XXE vulnerability in Objectplanet Opinio

ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFile'] URI.

6.5
2021-07-30 CVE-2021-28093 Open Xchange Inadequate Encryption Strength vulnerability in Open-Xchange Documents 7.10.5/7.8.3

OX Documents before 7.10.5-rev5 has Incorrect Access Control of converted images because hash collisions can occur, due to use of Adler32.

6.5
2021-07-30 CVE-2021-28094 Open Xchange Inadequate Encryption Strength vulnerability in Open-Xchange Documents 7.10.5/7.8.3

OX Documents before 7.10.5-rev7 has Incorrect Access Control for converted documents because hash collisions can occur, due to use of CRC32.

6.5
2021-07-30 CVE-2021-31878 Digium Reachable Assertion vulnerability in Digium Asterisk

An issue was discovered in PJSIP in Asterisk before 16.19.1 and before 18.5.1.

6.5
2021-07-30 CVE-2021-37587 JHU Use of a Broken or Risky Cryptographic Algorithm vulnerability in JHU Charm 0.43

In Charm 0.43, any single user can decrypt DAC-MACS or MA-ABE-YJ14 data.

6.5
2021-07-28 CVE-2021-32001 Suse Unspecified vulnerability in Suse Rancher K3S and Rancher Rke2

K3s in SUSE Rancher allows any user with direct access to the datastore, or a copy of a datastore backup, to extract the cluster's confidential keying material (cluster certificate authority private keys, secrets encryption configuration passphrase, etc.) and decrypt it, without having to know the token value.

6.5
2021-07-26 CVE-2021-32631 Nimble Project Authentication Bypass by Spoofing vulnerability in Nimble-Project Common

Common is a package of common modules that can be accessed by NIMBLE services.

6.5
2021-07-26 CVE-2020-4623 IBM Uncontrolled Search Path Element vulnerability in IBM I2 Ibase 8.9.13

IBM i2 iBase 8.9.13 could allow a local authenticated attacker to execute arbitrary code on the system, caused by a DLL search order hijacking flaw.

6.5
2021-07-26 CVE-2021-20431 IBM Insufficient Session Expiration vulnerability in IBM I2 Analysts Notebook 9.2.0/9.2.1/9.2.2

IBM i2 Analyst's Notebook Premium 9.2.0, 9.2.1, and 9.2.2 does not invalidate the session after logout, which could allow an attacker to obtain sensitive information from the system.

6.5
2021-07-26 CVE-2021-22144 Elastic, Oracle Uncontrolled Recursion vulnerability in multiple products

In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser.

6.5
2021-07-26 CVE-2021-29770 IBM Improper Input Validation vulnerability in IBM I2 Analyze 4.3.0/4.3.1/4.3.2

IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) could allow an authenticated user to perform unauthorized actions due to hazardous input validation.

6.5
2021-07-26 CVE-2021-21440 Otrs Unspecified vulnerability in Otrs

Generated Support Bundles contain private S/MIME and PGP keys if the containing folder is not hidden.

6.5
2021-07-28 CVE-2020-4974 IBM Server-Side Request Forgery (SSRF) vulnerability in IBM products

IBM Jazz Foundation products are vulnerable to server side request forgery (SSRF).

6.3
2021-07-30 CVE-2021-34630 Gtranslate Improper Encoding or Escaping of Output vulnerability in Gtranslate

In the Pro and Enterprise versions of GTranslate < 2.8.65, the gtranslate_request_uri_var function runs at the top of all pages and echoes out the contents of $_SERVER['REQUEST_URI'].

6.1
2021-07-30 CVE-2020-26563 Objectplanet Cross-site Scripting vulnerability in Objectplanet Opinio

ObjectPlanet Opinio before 7.14 allows reflected XSS via the survey/admin/surveyAdmin.do?action=viewSurveyAdmin query string.

6.1
2021-07-30 CVE-2021-37746 Claws Mail, Sylpheed Project, Fedoraproject Open Redirect vulnerability in multiple products

textview_uri_security_check in textview.c in Claws Mail before 3.18.0, and Sylpheed through 3.7.0, does not have sufficient link checks before accepting a click.

6.1
2021-07-30 CVE-2020-15948 Egain Cross-site Scripting vulnerability in Egain Chat 15.5.5

eGain Chat 15.5.5 allows XSS via the Name (aka full_name) field.

6.1
2021-07-30 CVE-2020-21854 Tidesec Cross-site Scripting vulnerability in Tidesec Wdscanner 1.1

Cross Site Scripting vulnerability exists in WDScanner 1.1 in the system management page.

6.1
2021-07-30 CVE-2020-22765 Nukeviet Cross-site Scripting vulnerability in Nukeviet 4.4.0

Cross Site Scripting (XSS) vulnerability in NukeViet cms 4.4.0 via the editor in the News module.

6.1
2021-07-30 CVE-2021-20789 Groupsession Open Redirect vulnerability in Groupsession products

Open redirect vulnerability in GroupSession (GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0, GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0, and GroupSession ZION from ver3.0.3 to the version prior to ver5.1.0) allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack via a specially crafted URL.

6.1
2021-07-30 CVE-2021-37596 Telegram Cross-site Scripting vulnerability in Telegram web K Alpha 0.6.1

Telegram Web K Alpha 0.6.1 allows XSS via a document name.

6.1
2021-07-29 CVE-2020-5329 Dell Open Redirect vulnerability in Dell EMC Avamar Server 7.3.1/7.4.1

Dell EMC Avamar Server contains an open redirect vulnerability.

6.1
2021-07-28 CVE-2021-23416 Curly Bracket Parser Project Cross-site Scripting vulnerability in Curly-Bracket-Parser Project Curly-Bracket-Parser

This affects all versions of package curly-bracket-parser.

6.1
2021-07-28 CVE-2021-23414 Videojs, Fedoraproject Cross-site Scripting vulnerability in multiple products

This affects the package video.js before 7.14.3.

6.1
2021-07-26 CVE-2021-32792 Openidc, Fedoraproject

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider.

6.1
2021-07-26 CVE-2021-36092 Otrs Cross-site Scripting vulnerability in Otrs

It is possible to create an email that contains a specially crafted link, which can be used to perform an XSS attack.

6.1
2021-07-30 CVE-2021-37588 JHU Use of a Broken or Risky Cryptographic Algorithm vulnerability in JHU Charm 0.43

In Charm 0.43, any two users can collude to achieve the ability to decrypt YCT14 data.

5.9
2021-07-26 CVE-2021-32795 Archisteamfarm Project Improper Input Validation vulnerability in Archisteamfarm Project Archisteamfarm

ArchiSteamFarm is a C# application with the primary purpose of idling Steam cards from multiple accounts simultaneously.

5.9
2021-07-26 CVE-2021-32791 Openidc, Fedoraproject

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider.

5.9
2021-07-30 CVE-2021-37600 Kernel, Netapp Integer Overflow or Wraparound vulnerability in multiple products

An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file.

5.5
2021-07-29 CVE-2021-21546 Dell Information Exposure Through Log Files vulnerability in Dell EMC Networker

Dell EMC NetWorker versions 18.x,19.x prior to 19.3.0.4 and 19.4.0.0 contain an Information Disclosure in Log Files vulnerability.

5.5
2021-07-30 CVE-2021-37742 Misp Cross-site Scripting vulnerability in Misp 2.4.147

app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships.

5.4
2021-07-30 CVE-2021-37743 Misp Cross-site Scripting vulnerability in Misp 2.4.147

app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format.

5.4
2021-07-30 CVE-2020-18158 Hucart Cross-site Scripting vulnerability in Hucart 5.7.4

Cross Site Scripting (XSS) vulnerability in HuCart 5.7.4 via nickname in index.php.

5.4
2021-07-30 CVE-2020-19118 Yzmcms Cross-site Scripting vulnerability in Yzmcms 5.2

Cross Site Scripting (XSS) vulnerability in YzmCMS 5.2 via the site_code parameter in admin/index/init.html.

5.4
2021-07-30 CVE-2021-20111 Tecnick Cross-site Scripting vulnerability in Tecnick Tcexam

A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1.

5.4
2021-07-30 CVE-2021-20112 Tecnick Cross-site Scripting vulnerability in Tecnick Tcexam

A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1.

5.4
2021-07-30 CVE-2021-28674 Solarwinds Incorrect Authorization vulnerability in Solarwinds Orion Platform

The node management page in SolarWinds Orion Platform before 2020.2.5 HF1 allows an attacker to create or delete a node (outside of the attacker's perimeter) via an account with write permissions.

5.4
2021-07-30 CVE-2021-35478 Nagios Cross-site Scripting vulnerability in Nagios LOG Server

Nagios Log Server before 2.1.9 contains Reflected XSS in the dropdown box for the alert history and audit log function.

5.4
2021-07-30 CVE-2021-35479 Nagios Cross-site Scripting vulnerability in Nagios LOG Server

Nagios Log Server before 2.1.9 contains Stored XSS in the custom column view for the alert history and audit log function through the affected pp parameter.

5.4
2021-07-30 CVE-2021-36605 Engineercms Project Cross-site Scripting vulnerability in Engineercms Project Engineercms 1.03

engineercms 1.03 is vulnerable to Cross Site Scripting (XSS).

5.4
2021-07-28 CVE-2020-5004 IBM Cross-site Scripting vulnerability in IBM products

IBM Jazz Foundation products are vulnerable to cross-site scripting.

5.4
2021-07-27 CVE-2021-20562 IBM Cross-site Scripting vulnerability in IBM Sterling B2B Integrator

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5_3 and 6.1.0.0 through 6.1.0.2 is vulnerable to cross-site scripting.

5.4
2021-07-26 CVE-2020-23238 EVO Cross-site Scripting vulnerability in EVO Evolution CMS 2.0.2

Cross Site Scripting (XSS) vulnerability in Evolution CMS 2.0.2 via the Document Manager feature.

5.4
2021-07-26 CVE-2021-36563 Checkmk Cross-site Scripting vulnerability in Checkmk 1.5.0/1.6.0

The CheckMK management web console (versions 1.5.0 to 2.0.0) does not sanitise user input in various parameters of the WATO module.

5.4
2021-07-26 CVE-2021-37392 Rpcms Cross-site Scripting vulnerability in Rpcms

In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on the page.

5.4
2021-07-26 CVE-2021-37393 Rpcms Cross-site Scripting vulnerability in Rpcms

In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on the page.

5.4
2021-07-26 CVE-2021-37534 Misp Cross-site Scripting vulnerability in Misp 2.4.146

app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster.

5.4
2021-07-26 CVE-2021-20560 IBM Improper Restriction of Rendered UI Layers or Frames vulnerability in IBM Sterling Connect Direct User Interface 1.4.1.1/1.5.0.2

IBM Sterling Connect:Direct Browser User Interface 1.4.1.1 and 1.5.0.2 could allow a remote attacker to hijack the clicking action of the victim.

5.4
2021-07-26 CVE-2021-21442 Otrs Cross-site Scripting vulnerability in Otrs Time Accounting 7.0.0/7.0.19

In the project create screen it is possible to inject malicious JS code into certain fields.

5.4
2021-07-31 CVE-2021-33617 Zohocorp Unspecified vulnerability in Zohocorp Manageengine Password Manager PRO

Zoho ManageEngine Password Manager Pro before 11.2 11200 allows login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName= username enumeration, because the response (to a failed login request) is null only when the username is invalid.

5.3
2021-07-30 CVE-2021-29297 Emerson Classic Buffer Overflow vulnerability in Emerson Proficy Machine Edition 8.0

Buffer Overflow in Emerson GE Automation Proficy Machine Edition v8.0 allows an attacker to cause a denial of service and application crash via crafted traffic from a Man-in-the-Middle (MITM) attack to the component "FrameworX.exe" in the module "MSVCR100.dll".

5.3
2021-07-30 CVE-2021-29298 Emerson Improper Input Validation vulnerability in Emerson Proficy Machine Edition 8.0

Improper Input Validation in Emerson GE Automation Proficy Machine Edition v8.0 allows an attacker to cause a denial of service and application crash via crafted traffic from a Man-in-the-Middle (MITM) attack to the component "FrameworX.exe" in the module "fxVPStatcTcp.dll".

5.3
2021-07-30 CVE-2021-20113 Tecnick Information Exposure Through Discrepancy vulnerability in Tecnick Tcexam

An exposure of sensitive information vulnerability exists in TCExam <= 14.8.1.

5.3
2021-07-30 CVE-2021-30483 Isomorphic GIT Path Traversal vulnerability in Isomorphic-Git

isomorphic-git before 1.8.2 allows Directory Traversal via a crafted repository.

5.3
2021-07-30 CVE-2021-37606 Meow Hash Project Information Exposure Through Discrepancy vulnerability in Meow Hash Project Meow Hash 0.5

Meow hash 0.5/calico does not sufficiently thwart key recovery by an attacker who can query whether there's a collision in the bottom bits of the hashes of two messages, as demonstrated by an attack against a long-running web service that allows the attacker to infer collisions by measuring timing differences.

5.3
2021-07-27 CVE-2021-32796 Xmldom Project XML Injection (aka Blind XPath Injection) vulnerability in Xmldom Project Xmldom

xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

5.3
2021-07-26 CVE-2021-20430 IBM Information Exposure Through an Error Message vulnerability in IBM I2 Analyze 4.3.0/4.3.1/4.3.2

IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

5.3
2021-07-26 CVE-2021-29766 IBM Information Exposure Through an Error Message vulnerability in IBM I2 Analyze 4.3.0/4.3.1/4.3.2

IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

5.3
2021-07-26 CVE-2021-29767 IBM Information Exposure Through an Error Message vulnerability in IBM I2 Analysts Notebook 9.2.0/9.2.1/9.2.2

IBM i2 Analyst's Notebook Premium 9.2.0, 9.2.1, and 9.2.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

5.3
2021-07-26 CVE-2021-3664 URL Parse Project Unspecified vulnerability in Url-Parse Project Url-Parse

url-parse is vulnerable to URL Redirection to Untrusted Site.

5.3
2021-07-26 CVE-2021-32790 Woocommerce SQL Injection vulnerability in Woocommerce

Woocommerce is an open source eCommerce plugin for WordPress.

4.9
2021-07-30 CVE-2020-20699 S CMS Cross-site Scripting vulnerability in S-Cms 3.0

A cross site scripting (XSS) vulnerability in S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Copyright text box under Basic Settings.

4.8
2021-07-30 CVE-2020-20700 S CMS Cross-site Scripting vulnerability in S-Cms 3.0

A stored cross site scripting (XSS) vulnerability in /app/form_add/ of S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Title Entry text box.

4.8
2021-07-30 CVE-2020-20701 S CMS Cross-site Scripting vulnerability in S-Cms 3.0

A stored cross site scripting (XSS) vulnerability in /app/config/ of S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

4.8
2021-07-30 CVE-2021-20785 Groupsession Cross-site Scripting vulnerability in Groupsession products

Cross-site scripting vulnerability in GroupSession (GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0, GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0, and GroupSession ZION from ver3.0.3 to the version prior to ver5.1.0) allows a remote attacker to inject an arbitrary script by sending a specially crafted request to a specific URL.

4.8
2021-07-30 CVE-2021-20787 Groupsession Cross-site Scripting vulnerability in Groupsession products

Cross-site scripting vulnerability in GroupSession (GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0, GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0, and GroupSession ZION from ver3.0.3 to the version prior to ver5.1.0) allows a remote attacker to inject an arbitrary script by sending a specially crafted request to a specific URL.

4.8
2021-07-30 CVE-2021-28095 Open Xchange Inadequate Encryption Strength vulnerability in Open-Xchange Documents 7.10.5/7.8.3

OX Documents before 7.10.5-rev5 has Incorrect Access Control for documents that contain XML structures because hash collisions can occur, due to use of CRC32.

4.8
2021-07-29 CVE-2021-25273 Sophos Cross-site Scripting vulnerability in Sophos Unified Threat Management

Stored XSS can execute as administrator in quarantined email detail view in Sophos UTM before version 9.706.

4.8
2021-07-26 CVE-2020-23240 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.14

Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 via the Logic field in the Content Manager feature.

4.8
2021-07-26 CVE-2020-23241 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.14

Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 in "Extra" via the "News > Article" feature.

4.8
2021-07-26 CVE-2020-23242 Naviwebs Cross-site Scripting vulnerability in Naviwebs Navigatecms 2.9

Cross Site Scripting (XSS) vulnerability in NavigateCMS 2.9 when performing a Create or Edit via the Tools feature.

4.8
2021-07-26 CVE-2020-23243 Naviwebs Cross-site Scripting vulnerability in Naviwebs Navigatecms 2.9

Cross Site Scripting (XSS) vulnerability in NavigateCMS 2.9 via the name="wrong_path_redirect" feature.

4.8
2021-07-26 CVE-2020-23234 Lavalite Cross-site Scripting vulnerability in Lavalite 5.8.0

Cross Site Scripting (XSS) vulnerability exists in LavaLite CMS 5.8.0 via the Menu Blocks feature, which can be bypassed by using HTML event handlers such as "ontoggle".

4.8
2021-07-26 CVE-2020-23239 Textpattern Cross-site Scripting vulnerability in Textpattern 4.8.1

Cross Site Scripting (XSS) vulnerability in Textpattern CMS 4.8.1 via Custom fields in the Menu Preferences feature.

4.8
2021-07-30 CVE-2021-3636 Redhat Improper Authentication vulnerability in Redhat Openshift

It was found in OpenShift, before version 4.8, that the generated certificate for the in-cluster Service CA incorrectly included additional certificates.

4.6
2021-07-29 CVE-2021-20505 IBM Unspecified vulnerability in IBM Powervm Hypervisor

The PowerVM Logical Partition Mobility (LPM) (PowerVM Hypervisor FW920, FW930, FW940, and FW950) encryption key exchange protocol can be compromised.

4.4
2021-07-30 CVE-2021-34629 Sendgrid Unspecified vulnerability in Sendgrid 1.11.8

The SendGrid WordPress plugin is vulnerable to authorization bypass via the get_ajax_statistics function found in the ~/lib/class-sendgrid-statistics.php file, which allows authenticated users to export statistics for a WordPress multi-site main site, in versions up to and including 1.11.8.

4.3
2021-07-30 CVE-2021-20786 Groupsession Cross-Site Request Forgery (CSRF) vulnerability in Groupsession products

Cross-site request forgery (CSRF) vulnerability in GroupSession (GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0, GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0, and GroupSession ZION from ver3.0.3 to the version prior to ver5.1.0) allows a remote attacker to hijack the authentication of administrators via a specially crafted URL.

4.3
2021-07-30 CVE-2021-20788 Groupsession Server-Side Request Forgery (SSRF) vulnerability in Groupsession products

Server-side request forgery (SSRF) vulnerability in GroupSession (GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0, GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0, and GroupSession ZION from ver3.0.3 to the version prior to ver5.1.0) allows a remote authenticated attacker to conduct a port scan from the product and/or obtain information from the internal Web server.

4.3
2021-07-27 CVE-2021-32788 Discourse Exposure of Resource to Wrong Sphere vulnerability in Discourse

Discourse is an open source discussion platform.

4.3
2021-07-27 CVE-2021-32748 Nextcloud Missing Authorization vulnerability in Nextcloud Richdocuments

Nextcloud Richdocuments is an open source self hosted online office.

4.3
2021-07-26 CVE-2021-29769 IBM Cleartext Transmission of Sensitive Information vulnerability in IBM I2 Analyze 4.3.0/4.3.1/4.3.2

IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) does not set the secure attribute on authorization tokens or session cookies.

4.3
2021-07-26 CVE-2021-29784 IBM Information Exposure Through an Error Message vulnerability in IBM I2 Analyze 4.3.0/4.3.1/4.3.2

IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

4.3
2021-07-26 CVE-2021-35030 Zyxel Cross-site Scripting vulnerability in Zyxel products

A vulnerability was found in the CGI program in Zyxel GS1900-8 firmware version V2.60 that did not properly sanitize packet contents and could allow an authenticated, local user to perform a cross-site scripting (XSS) attack via a crafted LLDP packet.

4.3
2021-07-26 CVE-2021-21443 Otrs Unspecified vulnerability in Otrs

Agents are able to list customer user emails without required permissions in the bulk action screen.

4.3
2021-07-26 CVE-2021-36091 Otrs Incorrect Authorization vulnerability in Otrs

Agents are able to list appointments in the calendars without required permissions.

4.3

0 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS