Security Vulnerabilities - CVEs Published In March 2021
An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224. It allows unauthorized access to MicrosoftAjax.js through the Telerik.Web.UI.WebResource.axd file. This may allow the attacker to gain unauthorized access to the server and execute code. To exploit, one must use the parameter _TSM_HiddenField_ and inject a command at the end of the URI. NOTE: the vendor states that this is not a vulnerability. The request's output does not indicate that a "true" command was executed on the server, and the request's output does not leak any private source code or data from the server.
CVSS Score: 9.8 | EPSS Score: 0.01 | Published: 2021-03-11
prog.cgi on D-Link DIR-3060 devices before 1.11b04 HF2 allows remote authenticated users to inject arbitrary commands in an admin or root context because SetVirtualServerSettings calls CheckArpTables, which calls popen unsafely.
CVSS Score: 8.8 | EPSS Score: 0.051 | Published: 2021-03-11
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Flatpak since version 0.9.4 and before version 1.10.2 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick Flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit "`Disallow @@ and @@U usage in desktop files`". The follow-up commits "`dir: Reserve the whole @@ prefix`" and "`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`.
CVSS Score: 7.1 | EPSS Score: 0.001 | Published: 2021-03-11
CSZ CMS 1.2.9 is affected by a cross-site scripting (XSS) vulnerability in multiple pages via the field name.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2021-03-11
Cross-site scripting (XSS) vulnerability in Galleries in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2021-03-11
Cross-site scripting (XSS) vulnerability in Snippets in Batflat CMS 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the field name.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2021-03-11
Azure Sphere Unsigned Code Execution Vulnerability
CVSS Score: 6.2 | EPSS Score: 0.005 | Published: 2021-03-11
Azure Virtual Machine Information Disclosure Vulnerability
CVSS Score: 6.8 | EPSS Score: 0.005 | Published: 2021-03-11
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVSS Score: 8.8 | EPSS Score: 0.092 | Published: 2021-03-11
Windows Win32k Elevation of Privilege Vulnerability
CVSS Score: 7.8 | EPSS Score: 0.024 | Published: 2021-03-11
Shodan ® - All rights reserved