Security Vulnerabilities - CVEs Published In February 2021
Endian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in a backup comment.
CVSS Score
8.8
EPSS Score
0.016
Published
2021-02-15
steghide 0.5.1 relies on a certain 32-bit seed value, which makes it easier for attackers to detect hidden data.
CVSS Score
7.5
EPSS Score
0.006
Published
2021-02-15
Centreon 19.10-3.el7 is affected by a SQL injection vulnerability, where an authorized user is able to inject additional SQL queries to perform remote command execution.
CVSS Score
8.8
EPSS Score
0.027
Published
2021-02-15
NagiosXI 5.6.11 is affected by a remote code execution (RCE) vulnerability. An authenticated nagiosadmin user can inject additional commands into a request. NOTE: the vendor disputes whether the CVE and its references are actionable because all technical details are omitted, and the only option is to pay for a subscription service where technical details may be disclosed at an unspecified later time
CVSS Score
7.2
EPSS Score
0.399
Published
2021-02-15
Nagios XI 5.7.2 is affected by a remote code execution (RCE) vulnerability. An authenticated user can inject additional commands into normal webapp query.
CVSS Score
8.8
EPSS Score
0.057
Published
2021-02-15
ActivePresenter 6.1.6 is affected by a memory corruption vulnerability that may result in a denial of service (DoS) or arbitrary code execution.
CVSS Score
9.8
EPSS Score
0.004
Published
2021-02-15
An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.
CVSS Score
7.5
EPSS Score
0.052
Published
2021-02-15
An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.
CVSS Score
7.5
EPSS Score
0.015
Published
2021-02-15
A use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.12.x stable branch <= 1.12.18, and dbus-1.10.x and older branches <= 1.10.30 when a system has multiple usernames sharing the same UID. When a set of policy rules references these usernames, D-Bus may free some memory in the heap, which is still used by data structures necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviors
CVSS Score
7.8
EPSS Score
0.0
Published
2021-02-15
This affects all versions of package qlib. The workflow function in cli part of qlib was using an unsafe YAML load function.
CVSS Score
6.6
EPSS Score
0.029
Published
2021-02-15