Security Vulnerabilities - CVEs Published In April 2021
The Net::Netmask module before 2.0000 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.
CVSS Score: 7.5
EPSS Score: 0.001
Published: 2021-04-06
LiquidFiles 3.4.15 has stored XSS through the "send email" functionality when sending a file via email to an administrator. When a file has no extension and contains malicious HTML / JavaScript content (such as SVG with HTML content), the payload is executed upon a click. This is fixed in 3.5.
CVSS Score: 5.4
EPSS Score: 0.013
Published: 2021-04-06
Seafile 7.0.5 (2019) allows Persistent XSS via the "share of library functionality."
CVSS Score: 5.4
EPSS Score: 0.005
Published: 2021-04-06
Union Pay up to 3.4.93.4.9, for Android, contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, which allows attackers to shop for free on merchants' websites and mobile apps via a crafted authentication code (MAC) that is generated from a secret key which is NULL.
CVSS Score: 7.5
EPSS Score: 0.001
Published: 2021-04-06
Union Pay up to 3.3.12, for iOS mobile apps, contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, which allows attackers to shop for free on merchants' websites and mobile apps via a crafted authentication code (MAC) that is generated from a secret key which is NULL.
CVSS Score: 7.5
EPSS Score: 0.001
Published: 2021-04-06
Union Pay up to 1.2.0, for web-based versions, contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, which allows attackers to shop for free on merchants' websites and mobile apps via a crafted authentication code (MAC) that is generated from a secret key which is NULL.
CVSS Score: 7.5
EPSS Score: 0.002
Published: 2021-04-06
CITSmart before 9.1.2.28 mishandles the "filtro de autocomplete."
CVSS Score: 8.8
EPSS Score: 0.04
Published: 2021-04-06
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
CVSS Score: 5.3
EPSS Score: 0.013
Published: 2021-04-06
phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.
CVSS Score: 7.5
EPSS Score: 0.006
Published: 2021-04-06
SerenityOS Unspecified is affected by: Buffer Overflow. The impact is: obtain sensitive information (context-dependent). The component is: /Userland/Libraries/LibCrypto/ASN1/DER.h Crypto::der_decode_sequence() function. The attack vector is: Parsing RSA Key ASN.1.
CVSS Score: 7.5
EPSS Score: 0.004
Published: 2021-04-06