Security Vulnerabilities - CVEs Published In January 2021
Feehi CMS 2.1.0 is affected by an arbitrary file upload vulnerability, potentially resulting in remote code execution. After an administrator logs in, the administrator image upload page can potentially be used to upload malicious files.
CVSS Score
7.2
EPSS Score
0.021
Published
2021-01-26
APfell 1.4 is vulnerable to authenticated reflected cross-site scripting (XSS) in /apiui/command_ through the payloadtypes_callback function, which allows an attacker to steal a remote admin/user session and/or add new users to the administration panel.
CVSS Score
5.4
EPSS Score
0.006
Published
2021-01-26
Remote code execution in Pyrescom Termod4 time management devices before 10.04k allows authenticated remote attackers to execute arbitrary commands as root on the devices.
CVSS Score
8.8
EPSS Score
0.233
Published
2021-01-26
Local file inclusion in Pyrescom Termod4 time management devices before 10.04k allows authenticated remote attackers to traverse directories and read sensitive files via the Maintenance > Logs menu and by manipulating the file path in the URL.
CVSS Score
6.5
EPSS Score
0.006
Published
2021-01-26
Sensitive information disclosure and weak encryption in Pyrescom Termod4 time management devices before 10.04k allow remote attackers to read a session file and obtain plain-text user credentials.
CVSS Score
7.5
EPSS Score
0.001
Published
2021-01-26
An issue was discovered in ming-soft MCMS v5.0, where a malicious user can exploit SQL injection without logging in through /mcms/view.do.
CVSS Score
9.8
EPSS Score
0.003
Published
2021-01-26
newbee-mall 1.0 is affected by cross-site scripting in shop-cart/settle. A user only needs to write an XSS payload in their address information when buying goods; it is triggered when the "View Recipient Information" of this order is viewed in "Order Management Office".
CVSS Score
6.1
EPSS Score
0.002
Published
2021-01-26
All versions of newbee-mall are affected by incorrect access control that allows remotely gaining privileges through AdminLoginInterceptor.java. The authentication logic for the system's /admin back end is in AdminLoginInterceptor, which can be bypassed.
CVSS Score
9.8
EPSS Score
0.004
Published
2021-01-26
All versions of newbee-mall are affected by incorrect access control that allows remotely gaining privileges through NewBeeMallIndexConfigServiceImpl.java. Unauthorized changes can be made to any user's information through the userID.
CVSS Score
7.5
EPSS Score
0.002
Published
2021-01-26
The Yale WIPC-303W 2.21 through 2.31 camera is vulnerable to remote command execution (RCE) through command injection via the HTTP API. NOTE: This may be a duplicate of CVE-2020-10176.
CVSS Score
8.8
EPSS Score
0.114
Published
2021-01-26


Shodan ® - All rights reserved