Security Vulnerabilities - CVEs Published In February 2021
Modules/input/Views/schedule.php in Emoncms through 10.2.7 allows XSS via the node parameter.
CVSS Score: 6.1
EPSS Score: 0.002
Published: 2021-02-21

Livy server version 0.7.0-incubating (only) is vulnerable to a cross site scripting issue in the session name. A malicious user could use this flaw to access logs and results of other users' sessions and run jobs with their privileges. This issue is fixed in Livy 0.7.1-incubating.
CVSS Score: 5.4
EPSS Score: 0.057
Published: 2021-02-20

An integer overflow in the PngImg::InitStorage_() function of png-img before 3.1.0 leads to an under-allocation of heap memory and subsequently an exploitable heap-based buffer overflow when loading a crafted PNG file.
CVSS Score: 8.8
EPSS Score: 0.01
Published: 2021-02-20

Jinjava before 2.5.4 allows access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. This could allow for abuse of the application class loader, including Arbitrary File Disclosure.
CVSS Score: 6.5
EPSS Score: 0.003
Published: 2021-02-19

An issue was discovered in Alfresco Enterprise Content Management (ECM) before 6.2.1. A user with privileges to edit a FreeMarker template (e.g., a webscript) may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Alfresco.
CVSS Score: 8.8
EPSS Score: 0.014
Published: 2021-02-19

In voloko twitter-stream 0.1.10, missing TLS hostname validation allows an attacker to perform a man-in-the-middle attack against users of the library (because eventmachine is misused).
CVSS Score: 5.9
EPSS Score: 0.002
Published: 2021-02-19

TweetStream 2.6.1 uses the library eventmachine in an insecure way that does not have TLS hostname validation. This allows an attacker to perform a man-in-the-middle attack.
CVSS Score: 5.9
EPSS Score: 0.002
Published: 2021-02-19

Mailtrain through 1.24.1 allows SQL Injection in statsClickedSubscribersByColumn in lib/models/campaigns.js via /campaigns/clicked/ajax because variable column names are not properly escaped.
CVSS Score: 8.8
EPSS Score: 0.003
Published: 2021-02-19

An issue was discovered in SmartStoreNET before 4.1.0. Lack of Cross Site Request Forgery (CSRF) protection may lead to elevation of privileges (e.g., /admin/customer/create to create an admin account).
CVSS Score: 8.8
EPSS Score: 0.002
Published: 2021-02-19

In Visualware MyConnection Server before 11.0b build 5382, each published report is not associated with its own access code.
CVSS Score: 7.5
EPSS Score: 0.003
Published: 2021-02-19