Security Vulnerabilities - CVEs Published In April 2021
A stored HTML injection vulnerability exists in Knowage Suite version 7.1. An attacker can inject arbitrary HTML in "/restful-services/2.0/analyticalDrivers" via the 'LABEL' and 'NAME' parameters.
CVSS Score: 4.8 | EPSS Score: 0.003 | Published: 2021-04-05
Knowage Suite before 7.4 is vulnerable to cross-site scripting (XSS). An attacker can inject arbitrary external script in '/knowagecockpitengine/api/1.0/pages/execute' via the 'SBI_HOST' parameter.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2021-04-05
Mark Text through 0.16.3 allows attackers to execute arbitrary commands. Opening a .md file that contains a mutation cross-site scripting (mXSS) payload can lead to remote code execution (RCE).
CVSS Score: 9.6 | EPSS Score: 0.032 | Published: 2021-04-05
The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration.
CVSS Score: 7.8 | EPSS Score: 0.007 | Published: 2021-04-05
VSCodeVim before 1.19.0 allows attackers to execute arbitrary code via a crafted workspace configuration.
CVSS Score: 7.8 | EPSS Score: 0.004 | Published: 2021-04-05
TerraMaster F2-210 devices through 2021-04-03 use UPnP to make the admin web server accessible over the Internet on TCP port 8181, which is arguably inconsistent with the "It is only available on the local network" documentation. NOTE: manually editing /etc/upnp.json provides a partial but undocumented workaround.
CVSS Score: 7.3 | EPSS Score: 0.002 | Published: 2021-04-03
Dell System Update (DSU) 1.9 and earlier versions contain a denial of service vulnerability. A local authenticated malicious user with low privileges may potentially exploit this vulnerability to cause the system to run out of memory by running multiple instances of the vulnerable application.
CVSS Score: 3.8 | EPSS Score: 0.0 | Published: 2021-04-02
Dell Wyse ThinOS 8.6 MR9 contains remediation for an improper management server validation vulnerability that could be potentially exploited to redirect a client to an attacker-controlled management server, thus allowing the attacker to change the device configuration or certificate file.
CVSS Score: 5.0 | EPSS Score: 0.001 | Published: 2021-04-02
Wyse Management Suite versions up to 3.2 contain a vulnerability wherein a malicious authenticated user can cause a denial of service in the job status retrieval page, also affecting other users who would normally have access to the same subset of job details.
CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2021-04-02
HNAP1/control/SetMasterWLanSettings.php in D-Link DIR-846 A1_100.26 routers allows remote attackers to execute arbitrary commands via shell metacharacters in the ssid0 or ssid1 parameter.
CVSS Score: 9.8 | EPSS Score: 0.764 | Published: 2021-04-02
Shodan ® - All rights reserved