Security Vulnerabilities - CVEs Published In April 2021
There is a denial of service vulnerability in some versions of CloudEngine 5800, CloudEngine 6800, CloudEngine 7800 and CloudEngine 12800. The affected product cannot deal with some messages because of a module design weakness. Attackers can exploit this vulnerability by sending a large amount of specific messages to cause denial of service. This can compromise normal service.
CVSS Score: 7.5
EPSS Score: 0.002
Published: 2021-04-28
An arbitrary code execution vulnerability exists in Micro Focus Application Performance Management, affecting versions 9.40, 9.50 and 9.51. The vulnerability could allow remote attackers to execute arbitrary code on affected installations of APM.
CVSS Score: 9.8
EPSS Score: 0.018
Published: 2021-04-28
The NTP Server configuration function of the IP camera device does not validate special parameters. Remote attackers can perform a command injection attack and execute arbitrary commands after logging in with privileged permission.
CVSS Score: 7.2
EPSS Score: 0.06
Published: 2021-04-28
The manage users profile services of the network camera device allows an authenticated. Remote attackers can modify URL parameters and further amend user’s information and escalate privileges to control the devices.
CVSS Score: 9.8
EPSS Score: 0.03
Published: 2021-04-28
The sensitive information of the webcam device is not properly protected. Remote attackers can, without authentication, obtain the administrator's credentials and further control the devices.
CVSS Score: 9.8
EPSS Score: 0.013
Published: 2021-04-28
The sensitive information of the webcam device is not properly protected. Remote attackers can, without authentication, obtain a user's credentials.
CVSS Score: 5.3
EPSS Score: 0.009
Published: 2021-04-28
Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors.
CVSS Score: 9.0
EPSS Score: 0.101
Published: 2021-04-28
pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field.
CVSS Score: 6.1
EPSS Score: 0.015
Published: 2021-04-28
The dce (aka Dynamic Content Element) extension 2.2.0 through 2.6.x before 2.6.2, and 2.7.x before 2.7.1, for TYPO3 allows SQL Injection via a backend user account.
CVSS Score: 4.9
EPSS Score: 0.003
Published: 2021-04-28
The media2click (aka 2 Clicks for External Media) extension 1.x before 1.3.3 for TYPO3 allows XSS by a backend user account.
CVSS Score: 5.4
EPSS Score: 0.002
Published: 2021-04-28

