Security Vulnerabilities - CVEs Published In February 2021
LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model.
CVSS Score
9.8
EPSS Score
0.004
Published
2021-02-14
An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with XSS defenses.
CVSS Score
6.1
EPSS Score
0.035
Published
2021-02-14
config.py in pystemon before 2021-02-13 allows code execution via YAML deserialization because SafeLoader and safe_load are not used.
CVSS Score
9.8
EPSS Score
0.004
Published
2021-02-14
In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
CVSS Score
7.5
EPSS Score
0.358
Published
2021-02-14
In the management interface on TP-Link Archer C5v 1.7_181221 devices, credentials are sent in a base64 format over cleartext HTTP.
CVSS Score
7.1
EPSS Score
0.0
Published
2021-02-13
TP-Link Archer C5v 1.7_181221 devices allows remote attackers to retrieve cleartext credentials via [USER_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,0 to the /cgi?1&5 URI.
CVSS Score
6.5
EPSS Score
0.001
Published
2021-02-13
NeDi 1.9C allows an authenticated user to inject PHP code in the System Files function on the endpoint /System-Files.php via the txt HTTP POST parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all application data.
CVSS Score
9.9
EPSS Score
0.006
Published
2021-02-12
NeDi 1.9C allows an authenticated user to perform a SQL Injection in the Monitoring History function on the endpoint /Monitoring-History.php via the det HTTP GET parameter. This allows an attacker to access all the data in the database and obtain access to the NeDi application.
CVSS Score
8.8
EPSS Score
0.004
Published
2021-02-12
NeDi 1.9C allows an authenticated user to execute operating system commands in the Nodes Traffic function on the endpoint /Nodes-Traffic.php via the md or ag HTTP GET parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all application data.
CVSS Score
8.8
EPSS Score
0.012
Published
2021-02-12
In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
CVSS Score
7.5
EPSS Score
0.008
Published
2021-02-12