Security Vulnerabilities - CVEs Published In January 2021
Files.com Fat Client 3.3.6 allows authentication bypass because the client continues to have access after a logout and a removal of a login profile.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-01-19
The package jointjs before 3.3.0 are vulnerable to Denial of Service (DoS) via the unsetByPath function.
CVSS Score
5.9
EPSS Score
0.006
Published
2021-01-19
The package jointjs before 3.3.0 are vulnerable to Prototype Pollution via util.setByPath (https://resources.jointjs.com/docs/jointjs/v3.2/joint.htmlutil.setByPath). The path used the access the object's key and set the value is not properly sanitized, leading to a Prototype Pollution.
CVSS Score
7.3
EPSS Score
0.006
Published
2021-01-19
Mautic before 3.2.4 is affected by stored XSS. An attacker with permission to manage companies, an application feature, could attack other users, including administrators. For example, by loading an externally crafted JavaScript file, an attacker could eventually perform actions as the target user. These actions include changing the user passwords, altering user or email addresses, or adding a new administrator to the system.
CVSS Score
9.0
EPSS Score
0.007
Published
2021-01-19
Mautic before 3.2.4 is affected by stored XSS. An attacker with access to Social Monitoring, an application feature, could attack other users, including administrators. For example, an attacker could load an externally drafted JavaScript file that would allow them to eventually perform actions on the target user’s behalf, including changing the user’s password or email address or changing the attacker’s user role from a low-privileged user to an administrator account.
CVSS Score
9.0
EPSS Score
0.006
Published
2021-01-19
A CSRF vulnerability exists in Anchor CMS 0.12.7 anchor/views/users/edit.php that can change the Delete admin users.
CVSS Score
8.8
EPSS Score
0.092
Published
2021-01-19
Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in Microchip Libraries for Applications 2018-11-26 All up to 2018-11-26. The vulnerability can allow one to use Bleichenbacher's oracle attack to decrypt an encrypted ciphertext by making successive queries to the server using the vulnerable library, resulting in remote information disclosure.
CVSS Score
5.9
EPSS Score
0.002
Published
2021-01-19
Pixelimity 1.0 has cross-site request forgery via the admin/setting.php data [Password] parameter.
CVSS Score
6.8
EPSS Score
0.002
Published
2021-01-19
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited further depending on the context.
CVSS Score
7.3
EPSS Score
0.017
Published
2021-01-19
This affects all versions of package immer.
CVSS Score
7.5
EPSS Score
0.007
Published
2021-01-19