Security Vulnerabilities - CVEs Published In March 2021
A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVSS Score
8.8
EPSS Score
0.001
Published
2021-03-30
Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2
CVSS Score
8.8
EPSS Score
0.824
Published
2021-03-30
The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.
CVSS Score
5.3
EPSS Score
0.0
Published
2021-03-30
ircII before 20210314 allows remote attackers to cause a denial of service (segmentation fault and client crash, disconnecting the victim from an IRC server) via a crafted CTCP UTC message.
CVSS Score
7.5
EPSS Score
0.043
Published
2021-03-30
Cross Site Request Forgery (CSRF) vulnerability in INSMA Wifi Mini Spy 1080P HD Security IP Camera 1.9.7 B, via all fields to WebUI.
CVSS Score
8.8
EPSS Score
0.001
Published
2021-03-30
An issue was discovered in INSMA Wifi Mini Spy 1080P HD Security IP Camera 1.9.7 B. An unauthenticated attacker can reboot the device causing a Denial of Service, via a hidden reboot command to '/media/?action=cmd'.
CVSS Score
7.5
EPSS Score
0.016
Published
2021-03-30
An issue was discovered in INSMA Wifi Mini Spy 1080P HD Security IP Camera 1.9.7 B. Authenticated attackers with the "Operator" Privilege can gain admin privileges via a crafted request to '/goform/formUserMng'.
CVSS Score
8.8
EPSS Score
0.006
Published
2021-03-30
An issue was discovered in INSMA Wifi Mini Spy 1080P HD Security IP Camera 1.9.7 B. A local attacker can execute arbitrary code via editing the 'recdata.db' file to call a specially crafted GoAhead ASP-file on the SD card.
CVSS Score
6.2
EPSS Score
0.001
Published
2021-03-30
Cross Site Scripting (XSS) vulnerability in INSMA Wifi Mini Spy 1080P HD Security IP Camera 1.9.7 B via all fields in the FTP settings page to the "goform/formSetFtpCfg" settings page.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-03-30
Cross-Site Scripting (XSS) vulnerability in Zhiyuan G6 Government Collaboration System V6.1SP1, via the 'method' parameter to 'seeyon/hrSalary.do'.
CVSS Score
5.4
EPSS Score
0.003
Published
2021-03-30