Security Vulnerabilities - Known exploited
CVE-2021-20038
A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
Known exploited
CVSS Score
9.8
EPSS Score
0.943
Published
2021-12-08
CVE-2021-43798
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.
Known exploited
CVSS Score
7.5
EPSS Score
0.944
Published
2021-12-07
CVE-2021-44077
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.
Known exploited
CVSS Score
9.8
EPSS Score
0.943
Published
2021-11-29
CVE-2021-38000
Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95.0.4638.69 allowed a remote attacker to arbitrarily browser to a malicious URL via a crafted HTML page.
Known exploited
CVSS Score
6.1
EPSS Score
0.033
Published
2021-11-23
CVE-2021-38003
Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Known exploited
CVSS Score
8.8
EPSS Score
0.718
Published
2021-11-23
CVE-2021-44026
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
Known exploited
CVSS Score
9.8
EPSS Score
0.64
Published
2021-11-19
CVE-2021-41277
Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
Known exploited
CVSS Score
10.0
EPSS Score
0.943
Published
2021-11-17
CVE-2021-42321
Microsoft Exchange Server Remote Code Execution Vulnerability
Known exploited
CVSS Score
8.8
EPSS Score
0.934
Published
2021-11-10
CVE-2021-42292
Microsoft Excel Security Feature Bypass Vulnerability
Known exploited
CVSS Score
7.8
EPSS Score
0.191
Published
2021-11-10
CVE-2021-42287
Active Directory Domain Services Elevation of Privilege Vulnerability
Known exploited
CVSS Score
7.5
EPSS Score
0.94
Published
2021-11-10