Security Vulnerabilities - CVEs Published In January 2021
A Buffer Overflow issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53.
CVSS Score: 7.8 | EPSS Score: 0.002 | Published: 2021-01-11
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions: QTS 4.5.1.1456 build 20201015 (and later) and QuTS hero h4.5.1.1472 build 20201031 (and later).
CVSS Score: 7.2 | EPSS Score: 0.025 | Published: 2021-01-11
AnyDesk before 6.1.0 on Windows, when run in portable mode on a system where the attacker has write access to the application directory, allows this attacker to compromise a local user account via a read-only setting for a Trojan horse gcapi.dll file.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2021-01-11
A time-based blind SQL injection vulnerability exists in zzcms ver201910 (cookie injection).
CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2021-01-11
In SmartBear Collaborator Server through 13.3.13302, use of the Google Web Toolkit (GWT) API introduces a post-authentication Java deserialization vulnerability. The application's UpdateMemento class accepts a serialized Java object directly from the user without properly sanitizing it. A malicious object can be submitted to the server by an authenticated attacker to execute commands on the underlying system.
CVSS Score: 8.8 | EPSS Score: 0.02 | Published: 2021-01-11
Stored XSS was discovered in the tree mode of jsoneditor before 9.0.2 through injecting and executing JavaScript.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2021-01-11
XSS exists in JIZHICMS 1.7.1 via index.php/Wechat/checkWeixin?signature=1&echostr={XSS] to Home/c/WechatController.php.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2021-01-11
XSS exists in JIZHICMS 1.7.1 via index.php/Error/index?msg={XSS] to Home/c/ErrorController.php.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2021-01-11
A stack overflow vulnerability in the Aleth Ethereum C++ client, version <= 1.8.0, triggered by a specially crafted config.json file may result in a denial of service.
CVSS Score: 5.5 | EPSS Score: 0.003 | Published: 2021-01-11
A deserialization vulnerability existed in Dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol. While Hessian2 deserializes a HashMap object, some functions of the classes stored in the HashMap are executed after a series of program calls, and those special functions may cause remote command execution. For example, the hashCode() function of the EqualsBean class in rome-1.7.0.jar can cause malicious classes to be loaded remotely and malicious code to be executed by constructing a malicious request. This issue was fixed in Apache Dubbo 2.6.9 and 2.7.8.
CVSS Score: 9.8 | EPSS Score: 0.014 | Published: 2021-01-11
Shodan ® - All rights reserved