Security Vulnerabilities - CVEs Published In January 2021
UNIVERGE SV9500 series from V1 to V7and SV8500 series from S6 to S8 allows an attacker to execute arbitrary OS commands or cause a denial-of-service (DoS) condition by sending a specially crafted request to a specific URL.
CVSS Score
9.8
EPSS Score
0.006
Published
2021-01-13
Incorrect implementation of authentication algorithm issue in UNIVERGE SV9500 series from V1 to V7and SV8500 series from S6 to S8 allows an attacker to access the remote system maintenance feature and obtain the information by sending a specially crafted request to a specific URL.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-01-13
Untrusted search path vulnerability in the installer of SKYSEA Client View Ver.1.020.05b to Ver.16.001.01g allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
CVSS Score
7.8
EPSS Score
0.001
Published
2021-01-13
Multiple NEC products (Express5800/T110j, Express5800/T110j-S, Express5800/T110j (2nd-Gen), Express5800/T110j-S (2nd-Gen), iStorage NS100Ti, and Express5800/GT110j) where Baseboard Management Controller (BMC) firmware Rev1.09 and earlier is applied allows remote attackers to bypass authentication and then obtain/modify BMC setting information, obtain monitoring information, or reboot/shut down the vulnerable product via unspecified vectors.
CVSS Score
9.8
EPSS Score
0.01
Published
2021-01-13
The SECOMN service in Sound Research DCHU model software component modules (APO) through 2.0.9.17, delivered on HP Windows 10 computers, may allow escalation of privilege via a fake DLL. (As a resolution, Windows Update is being submitted for all affected products to update to 2.0.9.18 or later.)
CVSS Score
7.8
EPSS Score
0.001
Published
2021-01-13
JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).
CVSS Score
4.5
EPSS Score
0.001
Published
2021-01-13
In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore.
CVSS Score
8.1
EPSS Score
0.002
Published
2021-01-13
OX App Suite through 7.10.4 allows XSS via the subject of a task.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-01-12
OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request.
CVSS Score
6.4
EPSS Score
0.001
Published
2021-01-12
OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests query string.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-01-12