Security Vulnerabilities - CVEs Published In March 2021
An open redirect vulnerability in Ilch CMS version 2.1.42 allows attackers to redirect users to an attacker's site after a successful login.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2021-03-29
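The usual shape of this bug class is a login handler that takes a "return to" parameter and sends the browser there unchecked. The validator below is an added example written for this page, not Ilch CMS code; the `https://app.example.com` origin, the `next` parameter name and the `loginRedirect` helper are assumptions for illustration.

```javascript
// Added example: validating a post-login redirect target so that only
// same-origin paths are honoured. Not Ilch CMS code; the origin, parameter
// name and helper names below are assumptions for illustration.

const SITE_ORIGIN = 'https://app.example.com'; // assumed deployment origin
const DEFAULT_LANDING = '/dashboard';          // assumed fallback page

// Returns a root-relative target (path + query + fragment) if `raw`
// resolves to SITE_ORIGIN, otherwise the fallback. Resolving with the
// WHATWG URL parser relative to the site origin normalises the tricks that
// naive string checks miss: protocol-relative "//evil.example", backslashes
// that browsers treat as slashes, and non-http schemes such as "javascript:".
function safeRedirectTarget(raw, fallback = DEFAULT_LANDING) {
  if (typeof raw !== 'string' || raw.length === 0) return fallback;
  let target;
  try {
    target = new URL(raw, SITE_ORIGIN);
  } catch (e) {
    return fallback; // unparseable input never reaches a Location header
  }
  // Scheme, host and port must all match; "javascript:" has origin "null"
  // and an http:// downgrade of the same host is rejected too.
  if (target.origin !== SITE_ORIGIN) return fallback;
  return target.pathname + target.search + target.hash;
}

// Simulated login handler: `query` is the parsed query string of the login
// request; the return value is what would be placed in the Location header.
function loginRedirect(query) {
  return safeRedirectTarget(query.next);
}
```

Returning only the path, query and fragment rather than the full parsed URL means the response can never carry a foreign host even if the origin check is later loosened by mistake.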
Sherlock SherlockIM through 2021-03-29 allows Cross Site Scripting (XSS) by leveraging the api/Files/Attachment URI to attack help-desk staff via the chatbot feature.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2021-03-29
A local authentication bypass vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x: 6.5.4.15 and below; Aruba Instant 8.3.x: 8.3.0.11 and below; Aruba Instant 8.4.x: 8.4.0.5 and below; Aruba Instant 8.5.x: 8.5.0.6 and below; Aruba Instant 8.6.x: 8.6.0.2 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.
CVSS Score: 6.8 | EPSS Score: 0.001 | Published: 2021-03-29
The NBBDownloader.ocx ActiveX control in Groupware contains a vulnerability that could allow remote files to be downloaded and executed by setting the arguments of the ActiveX method. A remote attacker could induce a user to visit a crafted web page, resulting in damage such as malicious code infection.
CVSS Score: 7.8 | EPSS Score: 0.003 | Published: 2021-03-29
The package underscore, in versions from 1.13.0-0 before 1.13.0-2 and from 1.3.2 before 1.12.1, is vulnerable to Arbitrary Code Injection via the template function, specifically when a variable property is passed in the settings argument, as it is not sanitized.
CVSS Score: 3.3 | EPSS Score: 0.01 | Published: 2021-03-29
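What "not sanitized" means here is that the `variable` setting ends up verbatim in the parameter list of a function built with `new Function`, so a value such as `a = <expression>` becomes a default parameter whose expression runs whenever the compiled template is called. The following toy compiler is an added example written for this page, not underscore's implementation: `templateBody`, `compileUnsafe`, `compileSafe`, `runInjection` and the `injectionMarker` global are names of this example, and the `bareIdentifier` regex is this example's own approximation of the bare-identifier check that the patched release enforces.

```javascript
// Added example, not underscore's own code: a toy template compiler that
// reproduces the unsafe shape described in the advisory (the `variable`
// setting spliced verbatim into the generated function's parameter list)
// next to a hardened version that accepts only a bare identifier.

// Turns "Hello <%= data.name %>" into the body of a JS function. Template
// text is treated as trusted developer input, as it is in underscore; the
// untrusted value this example is about is settings.variable. (Toy: the
// interpolated expressions must not themselves contain quotes.)
function templateBody(text) {
  const escaped = text.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
  const code = escaped.replace(/<%=\s*([\s\S]+?)\s*%>/g, "' + ($1) + '");
  return "return '" + code + "';";
}

// Vulnerable shape: settings.variable becomes the parameter list of the
// compiled function, so "a = <expr>" is a default parameter and <expr>
// executes every time the template is invoked.
function compileUnsafe(text, settings = {}) {
  const argument = settings.variable || 'obj';
  return new Function(argument, '_', templateBody(text));
}

// Hardened shape: reject anything that is not a single bare identifier
// before it reaches new Function. The regex is this example's own.
const bareIdentifier = /^\s*(\w|\$)+\s*$/;
function compileSafe(text, settings = {}) {
  const argument = settings.variable || 'obj';
  if (!bareIdentifier.test(argument)) {
    throw new Error('variable is not a bare identifier: ' + argument);
  }
  return new Function(argument, '_', templateBody(text));
}

// Drives one injection attempt through a compiler and reports the outcome.
// The constructed payload only plants a marker on globalThis, a harmless
// stand-in for a real payload such as spawning a process.
function runInjection(compile) {
  delete globalThis.injectionMarker;
  const payload = 'a = (globalThis.injectionMarker = "executed")';
  let fn;
  try {
    fn = compile('', { variable: payload });
  } catch (e) {
    return 'rejected at compile time';
  }
  fn(); // evaluates the default parameter in the unsafe build
  return globalThis.injectionMarker === 'executed' ? 'payload executed' : 'no effect';
}
```

The practical consequence for the advisory's "low" score is that exploitation needs an application that lets untrusted input reach the `variable` setting, which is rare but does occur in templating wrappers that accept settings from configuration or request data.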
The Acexy Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) Web management administrator password can be changed by sending a specially crafted HTTP GET request. The administrator username has to be known (default: admin), but no prior authentication is required.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2021-03-29
The /password.html page of the Web management interface of the Acexy Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) contains the administrator account password in plaintext. The page can be intercepted over HTTP.
CVSS Score: 7.5 | EPSS Score: 0.338 | Published: 2021-03-29
Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2021-03-29
remark42 before 1.6.1 allows XSS, as demonstrated by "Locator: Locator{URL:" followed by an XSS payload. This is related to backend/app/store/comment.go and backend/app/store/service/service.go.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2021-03-27
bluemonday before 1.0.5 allows XSS because certain Go lowercasing converts an uppercase Cyrillic character, defeating a protection mechanism against the "script" string.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2021-03-27
Shodan ® - All rights reserved