Security Vulnerabilities - CVEs Published In February 2021
CVE-2021-20016
Known exploited
A SQL injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform a SQL query to access username, password and other session-related information. This vulnerability impacts SMA100 build version 10.x.
CVSS Score: 9.8
EPSS Score: 0.798
Published: 2021-02-04
Bitcoin Core before 0.19.0 might allow remote attackers to execute arbitrary code when another application unsafely passes the -platformpluginpath argument to the bitcoin-qt program, as demonstrated by an x-scheme-handler/bitcoin handler for a .desktop file or a web browser. NOTE: the discoverer states "I believe that this vulnerability cannot actually be exploited."
CVSS Score: 9.8
EPSS Score: 0.03
Published: 2021-02-04
The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to Insecure Direct Object Reference: it is possible to create favorites for any other user account.
CVSS Score: 5.3
EPSS Score: 0.011
Published: 2021-02-03
The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to XSS.
CVSS Score: 6.1
EPSS Score: 0.648
Published: 2021-02-03
CSRF protection was not present in SquaredUp before version 4.6.0. A CSRF attack could have been possible by an administrator executing arbitrary code in an HTML dashboard tile via a crafted HTML page, or by uploading a malicious SVG payload into a dashboard.
CVSS Score: 6.5
EPSS Score: 0.002
Published: 2021-02-03
A username enumeration issue was discovered in SquaredUp before version 4.6.0. The login functionality was implemented in a way that would enable a malicious user to guess valid usernames, because their response time differs from that of invalid usernames.
CVSS Score: 3.7
EPSS Score: 0.003
Published: 2021-02-03
SquaredUp allowed stored XSS before version 4.6.0. A user was able to create a dashboard that executed malicious content in an iframe or by uploading an SVG that contained a script.
CVSS Score: 5.4
EPSS Score: 0.004
Published: 2021-02-03
Stored cross-site scripting (XSS) in file attachment field in MDaemon webmail 19.5.5 allows an attacker to execute code on the email recipient side while forwarding an email to perform potentially malicious activities.
CVSS Score: 5.4
EPSS Score: 0.032
Published: 2021-02-03
Authenticated stored cross-site scripting (XSS) in the contact name field in the distribution list of MDaemon webmail 19.5.5 allows an attacker to execute code and perform an XSS attack while opening a contact list.
CVSS Score: 5.4
EPSS Score: 0.009
Published: 2021-02-03
Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptible to a vulnerability which could allow unauthorized tenant users to discover the existence of data on other Storage Virtual Machines (SVMs).
CVSS Score: 3.5
EPSS Score: 0.001
Published: 2021-02-03

