Security Vulnerabilities - CVEs Published In January 2021
The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag.
CVSS Score: 9.8 | EPSS Score: 0.03 | Published: 2021-01-26
Improper access and command validation in the Nagios Docker Config Wizard before 1.1.2, as used in Nagios XI through 5.7, allows an unauthenticated attacker to execute remote code as the apache user.
CVSS Score: 9.8 | EPSS Score: 0.226 | Published: 2021-01-26
bitcoind in Bitcoin Core through 0.21.0 can create a new file in an arbitrary directory (e.g., outside the ~/.bitcoin directory) via a dumpwallet RPC call. NOTE: this reportedly does not violate the security model of Bitcoin Core itself, but it can violate the security model of a fork that has implemented dumpwallet restrictions.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2021-01-26
Directory traversal with remote code execution can occur in /upload in ONLYOFFICE Document Server before 5.6.3, when JWT is used, via a /.. sequence in an image upload parameter.
CVSS Score: 9.8 | EPSS Score: 0.068 | Published: 2021-01-26
Node-RED-Dashboard before 2.26.2 allows ui_base/js/..%2f directory traversal to read files.
CVSS Score: 7.5 | EPSS Score: 0.886 | Published: 2021-01-26
In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
CVSS Score: 6.5 | EPSS Score: 0.0 | Published: 2021-01-26
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2021-01-26
Home Assistant before 2021.1.3 lacks a protection layer that would help prevent directory-traversal attacks against custom integrations. NOTE: the vendor's position is that the vulnerability itself lies in custom integrations written by third parties, not in Home Assistant; however, Home Assistant does ship a security update that is worthwhile in addressing this situation.
CVSS Score: 5.3 | EPSS Score: 0.004 | Published: 2021-01-26
ChurchRota 2.6.4 is vulnerable to authenticated remote code execution. The user does not need to have file upload permission in order to upload and execute an arbitrary file via a POST request to resources.php.
CVSS Score: 8.8 | EPSS Score: 0.212 | Published: 2021-01-26
cPanel before 92.0.9 allows a Reseller to bypass the suspension lock (SEC-578).
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2021-01-26
Shodan ® - All rights reserved