Security Vulnerabilities - CVEs Published In January 2021
IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186234.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-01-08
IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186235.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-01-08
IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186281.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-01-08
IBM Engineering Requirements Quality Assistant On-Premises could allow an authenticated user to obtain sensitive information due to improper input validation. IBM X-Force ID: 186282.
CVSS Score
4.3
EPSS Score
0.002
Published
2021-01-08
This affects all versions of package buns. The injection point is located in line 678 in index file lib/index.js in the exported function install(requestedModule).
CVSS Score
9.8
EPSS Score
0.006
Published
2021-01-08
This affects all versions of package ts-process-promises. The injection point is located in line 45 in main entry of package in lib/process-promises.js. The vulnerability is demonstrated with the following PoC:
CVSS Score
9.8
EPSS Score
0.005
Published
2021-01-08
This affects the package pwntools before 4.3.1. The shellcraft generator for affected versions of this module are vulnerable to Server-Side Template Injection (SSTI), which can lead to remote code execution.
CVSS Score
8.1
EPSS Score
0.048
Published
2021-01-08
An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. The One Touch application discloses sensitive information, such as the hashed admin login password and the Internet provider connection username and cleartext password, in the application's response body for a /tmp/var/passwd or /tmp/home/wan_stat URI.
CVSS Score
7.5
EPSS Score
0.168
Published
2021-01-08
Advanced Webhost Billing System 3.7.0 is affected by Cross Site Request Forgery (CSRF) attacks that can delete a contact from the My Additional Contact page.
CVSS Score
4.3
EPSS Score
0.001
Published
2021-01-08
Invision Community IPS Community Suite before 4.5.4.2 allows SQL Injection via the Downloads REST API (the sortDir parameter in a sortBy=popular action to the GETindex() method in applications/downloads/api/files.php).
CVSS Score
8.8
EPSS Score
0.005
Published
2021-01-08