Security Vulnerabilities - CVEs Published In January 2021
A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at SetHomePage() function. Due to a lack of controller validation in "path" parameter, an attacker can execute malicious JavaScript code.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-01-26
openMAINT before 1.1-2.4.2 allows remote authenticated users to run arbitrary JSP code on the underlying web server.
CVSS Score
8.8
EPSS Score
0.01
Published
2021-01-26
A specially crafted Markdown document could cause the execution of malicious JavaScript code in Caret Editor before 4.0.0-rc22.
CVSS Score
9.8
EPSS Score
0.043
Published
2021-01-26
When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.
CVSS Score
5.8
EPSS Score
0.029
Published
2021-01-26
FPWIN Pro is vulnerable to an out-of-bounds read vulnerability when a user opens a maliciously crafted project file, which may allow an attacker to remotely execute arbitrary code.
CVSS Score
7.8
EPSS Score
0.004
Published
2021-01-26
LuCI in OpenWrt 18.06.0 through 18.06.4 allows stored XSS via a crafted SSID.
CVSS Score
5.4
EPSS Score
0.003
Published
2021-01-26
In A2DP_GetCodecType of a2dp_codec_config, there is a possible out-of-bounds read due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android, Versions: Android-10, Android ID: A-79703353.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-01-26
IBM Spectrum Scale 5.0.0 through 5.0.5.4 and 5.1.0 could allow a local user to poison log files which could impact support and development efforts. IBM X-Force ID: 190971.
CVSS Score
4.0
EPSS Score
0.0
Published
2021-01-26
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 192025.
CVSS Score
8.2
EPSS Score
0.003
Published
2021-01-26
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of MediaWiki edit tokens.
CVSS Score
5.3
EPSS Score
0.001
Published
2021-01-25