Security Vulnerabilities - CVEs Published In March 2021
Stored cross-site scripting vulnerability in Admin Page of GROWI (v4.2 Series) versions from v4.2.0 to v4.2.7 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors.
CVSS Score
4.8
EPSS Score
0.003
Published
2021-03-10
Stored cross-site scripting vulnerability due to inadequate CSP (Content Security Policy) configuration in GROWI versions v4.2.2 and earlier allows remote authenticated attackers to inject an arbitrary script via a specially crafted content.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-03-10
Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read an arbitrary path via a specially crafted URL.
CVSS Score
2.7
EPSS Score
0.003
Published
2021-03-10
Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read and/or delete an arbitrary path via a specially crafted URL.
CVSS Score
4.7
EPSS Score
0.003
Published
2021-03-10
Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to read the user's personal information and/or server's internal information via unspecified vectors.
CVSS Score
7.5
EPSS Score
0.01
Published
2021-03-10
Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative privilege to overwrite the files on the server, which may lead to arbitrary code execution.
CVSS Score
7.2
EPSS Score
0.022
Published
2021-03-10
Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters in GROWI (v4.2 Series) versions from v4.2.0 to v4.2.7 allows remote attackers to inject an arbitrary script via unspecified vectors.
CVSS Score
6.1
EPSS Score
0.004
Published
2021-03-10
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
CVSS Score
8.8
EPSS Score
0.106
Published
2021-03-10
The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.
CVSS Score
6.1
EPSS Score
0.032
Published
2021-03-10
Western Digital My Cloud OS 5 devices before 5.10.122 mishandle Symbolic Link Following on SMB and AFP shares. This can lead to code execution and information disclosure (by reading local files).
CVSS Score
7.8
EPSS Score
0.011
Published
2021-03-10