Security Vulnerabilities - CVEs Published In January 2021
This affects the package gsap before 3.6.0.
CVSS Score
7.5
EPSS Score
0.006
Published
2021-01-19
HGiga EIP product lacks ineffective access control in certain pages that allow attackers to access database or perform privileged functions.
CVSS Score
5.3
EPSS Score
0.003
Published
2021-01-19
HGiga EIP product contains SQL Injection vulnerability. Attackers can inject SQL commands into specific URL parameter (document management page) to obtain database schema and data.
CVSS Score
9.8
EPSS Score
0.003
Published
2021-01-19
HGiga EIP product contains SQL Injection vulnerability. Attackers can inject SQL commands into specific URL parameter (online registration) to obtain database schema and data.
CVSS Score
8.8
EPSS Score
0.003
Published
2021-01-19
fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior
CVSS Score
6.5
EPSS Score
0.005
Published
2021-01-19
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
CVSS Score
9.8
EPSS Score
0.001
Published
2021-01-19
Cross-site scripting vulnerability in GROWI (v4.2 Series) versions prior to v4.2.3 allows remote attackers to inject an arbitrary script via unspecified vectors.
CVSS Score
6.1
EPSS Score
0.005
Published
2021-01-19
Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before version 7.2.0.
CVSS Score
6.5
EPSS Score
0.012
Published
2021-01-19
An issue was discovered in the Source Integration plugin before 2.4.1 for MantisBT. An attacker can gain access to the Summary field of private Issues (either marked as Private, or part of a private Project), if they are attached to an existing Changeset. The information is visible on the view.php page, as well as on the list.php page (a pop-up on the Affected Issues id hyperlink). Additionally, if the attacker has "Update threshold" in the plugin's configuration (set to the "updater" access level by default), then they can link any Issue to a Changeset by entering the Issue's Id, even if they do not have access to it.
CVSS Score
5.3
EPSS Score
0.002
Published
2021-01-18
CVE-2020-36193
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
Known exploited
CVSS Score
7.5
EPSS Score
0.763
Published
2021-01-18