Security Vulnerabilities - Known exploited
CVE-2021-38003 (Known exploited)
Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVSS Score: 8.8 | EPSS Score: 0.683 | Published: 2021-11-23

CVE-2021-44026 (Known exploited)
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
CVSS Score: 9.8 | EPSS Score: 0.725 | Published: 2021-11-19

CVE-2021-41277 (Known exploited)
Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you're unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
CVSS Score: 10.0 | EPSS Score: 0.944 | Published: 2021-11-17

CVE-2021-42321 (Known exploited)
Microsoft Exchange Server Remote Code Execution Vulnerability
CVSS Score: 8.8 | EPSS Score: 0.936 | Published: 2021-11-10

CVE-2021-42292 (Known exploited)
Microsoft Excel Security Feature Bypass Vulnerability
CVSS Score: 7.8 | EPSS Score: 0.355 | Published: 2021-11-10

CVE-2021-42287 (Known exploited)
Active Directory Domain Services Elevation of Privilege Vulnerability
CVSS Score: 7.5 | EPSS Score: 0.94 | Published: 2021-11-10

CVE-2021-42278 (Known exploited)
Active Directory Domain Services Elevation of Privilege Vulnerability
CVSS Score: 7.5 | EPSS Score: 0.941 | Published: 2021-11-10

CVE-2021-41379 (Known exploited)
Windows Installer Elevation of Privilege Vulnerability
CVSS Score: 5.5 | EPSS Score: 0.012 | Published: 2021-11-10

CVE-2021-42237 (Known exploited)
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.
CVSS Score: 9.8 | EPSS Score: 0.944 | Published: 2021-11-05

CVE-2021-42258 (Known exploited)
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
CVSS Score: 9.8 | EPSS Score: 0.941 | Published: 2021-10-22
Shodan ® - All rights reserved