Security Vulnerabilities - CVEs Published In January 2021
Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface.
CVSS Score
6.5
EPSS Score
0.008
Published
2021-01-11
The ATS ESI plugin has a memory disclosure vulnerability. If you are running the plugin please upgrade. Apache Traffic Server versions 7.0.0 to 7.1.11 and 8.0.0 to 8.1.0 are affected.
CVSS Score
7.5
EPSS Score
0.011
Published
2021-01-11
ATS negative cache option is vulnerable to a cache poisoning attack. If you have this option enabled, please upgrade or disable this feature. Apache Traffic Server versions 7.0.0 to 7.1.11 and 8.0.0 to 8.1.0 are affected.
CVSS Score
7.5
EPSS Score
0.016
Published
2021-01-11
EVOLUCARE ECSIMAGING (aka ECS Imaging) through 6.21.5 has multiple SQL Injection issues in the login form and the password-forgotten form (such as /req_password_user.php?email=). This allows an attacker to steal data in the database and obtain access to the application. (The database component runs as root.) NOTE: This vulnerability only affects products that are no longer supported by the maintainer
CVSS Score
9.8
EPSS Score
0.003
Published
2021-01-11
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
CVSS Score
8.6
EPSS Score
0.001
Published
2021-01-11
before_upstream_connection in AuthPlugin in http/proxy/auth.py in proxy.py before 2.3.1 accepts incorrect Proxy-Authorization header data because of a boolean confusion (and versus or).
CVSS Score
7.5
EPSS Score
0.004
Published
2021-01-11
Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/index.jsp file via the msg parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
CVSS Score
6.1
EPSS Score
0.004
Published
2021-01-11
Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/Applications/Reports/index.jsp file via the by parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
CVSS Score
6.1
EPSS Score
0.004
Published
2021-01-11
Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the BrowseDirs.do file via the title parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
CVSS Score
5.4
EPSS Score
0.001
Published
2021-01-11
Reflected XSS in Web Compliance Manager in Quest Policy Authority version 8.1.2.200 allows attackers to inject malicious code into the browser via a specially crafted link to the initFile.jsp file via the msg parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
CVSS Score
6.1
EPSS Score
0.002
Published
2021-01-11