Security Vulnerabilities - CVEs Published In April 2021
SQL injection in admin.php in Online Book Store 1.0 allows remote attackers to execute arbitrary SQL commands and bypass authentication.
CVSS Score
9.8
EPSS Score
0.009
Published
2021-04-09
CVE-2021-20021
A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
Known exploited
CVSS Score
9.8
EPSS Score
0.902
Published
2021-04-09
CVE-2021-20022
SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to upload an arbitrary file to the remote host.
Known exploited
CVSS Score
7.2
EPSS Score
0.326
Published
2021-04-09
Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file.
CVSS Score
6.1
EPSS Score
0.234
Published
2021-04-09
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. An authentication mechanism added in version 0.7.0 enables some malicious user to obtain secrets utilizing the injected credentials within the `~/.netrc` file. Refer to the referenced GitHub Security Advisory for complete details. This is fixed in version 0.7.5.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-04-09
Discord Recon Server is a bot that allows you to do your reconnaissance process from your Discord. Remote code execution in version 0.0.1 would allow remote users to execute commands on the server resulting in serious issues. This flaw is patched in 0.0.2.
CVSS Score
9.9
EPSS Score
0.037
Published
2021-04-09
A ZTE product has a configuration error vulnerability. Because a certain port is open by default, an attacker can consume system processing resources by flushing a large number of packets to the port, and successfully exploiting this vulnerability could reduce system processing capabilities. This affects: ZXA10 C300M all versions up to V4.3P8.
CVSS Score
5.3
EPSS Score
0.004
Published
2021-04-09
A privilege escalation vulnerability exists in Dream Report 5 R20-2. In the default configuration, the Syncfusion Dashboard Service service binary can be replaced by attackers to escalate privileges to NT SYSTEM. An attacker can provide a malicious file to trigger this vulnerability.
CVSS Score
9.3
EPSS Score
0.001
Published
2021-04-09
A privilege escalation vulnerability exists in Dream Report 5 R20-2. IIn the default configuration, the following registry keys, which reference binaries with weak permissions, can be abused by attackers to effectively ‘backdoor’ the installation files and escalate privileges when a new user logs in and uses the application.
CVSS Score
9.3
EPSS Score
0.0
Published
2021-04-09
A privilege escalation vulnerability exists in Dream Report 5 R20-2. COM Class Identifiers (CLSID), installed by Dream Report 5 20-2, reference LocalServer32 and InprocServer32 with weak privileges which can lead to privilege escalation when used. An attacker can provide a malicious file to trigger this vulnerability.
CVSS Score
9.3
EPSS Score
0.002
Published
2021-04-09