Security Vulnerabilities - CVEs Published In March 2021
Agents are able to see linked Config Items without permissions, which are defined in General Catalog. This issue affects: OTRSCIsInCustomerFrontend 7.0.15 and prior versions, ITSMConfigurationManagement 7.0.24 and prior versions
CVSS Score: 3.5 | EPSS Score: 0.002 | Published: 2021-03-22
Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.
CVSS Score: 5.3 | EPSS Score: 0.005 | Published: 2021-03-22
git-bug before 0.7.2 has an Uncontrolled Search Path Element. It will execute git.bat from the current directory in certain PATH situations (most often seen on Windows).
CVSS Score: 9.8 | EPSS Score: 0.005 | Published: 2021-03-22
The unofficial vscode-sass-lint (aka Sass Lint) extension through 1.0.7 for Visual Studio Code allows attackers to execute arbitrary binaries if the user opens a crafted workspace. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Score: 8.8 | EPSS Score: 0.005 | Published: 2021-03-22
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the `makeRequest` gadget resource. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1.
CVSS Score: 7.2 | EPSS Score: 0.009 | Published: 2021-03-22
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
CVSS Score: 5.3 | EPSS Score: 0.025 | Published: 2021-03-22
SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related authentication algorithm, is public. The key for admin is hardcoded in the installation code, and there is no key for publicsp (which is a guest account).
CVSS Score: 9.8 | EPSS Score: 0.005 | Published: 2021-03-21
This affects the package killport before 1.0.2. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. Running this PoC will cause the command touch success to be executed, leading to the creation of a file called success.
CVSS Score: 7.5 | EPSS Score: 0.007 | Published: 2021-03-21
applications/luci-app-ddns/luasrc/model/cbi/ddns/detail.lua in the DDNS package for OpenWrt 19.07 allows remote authenticated users to inject arbitrary commands via POST requests.
CVSS Score: 8.8 | EPSS Score: 0.011 | Published: 2021-03-21
In Chris Walz bit before 1.0.5 on Windows, attackers can run arbitrary code via a .exe file in a crafted repository.
CVSS Score: 7.8 | EPSS Score: 0.002 | Published: 2021-03-21
Shodan ® - All rights reserved