Security Vulnerabilities - CVEs Published In April 2021
NETGEAR R7000 1.0.11.116 devices have a heap-based Buffer Overflow that is exploitable from the local network without authentication. The vulnerability exists within the handling of an HTTP request. An attacker can leverage this to execute code as root. The problem is that a user-provided length value is trusted during a backup.cgi file upload. The attacker must add a \n before the Content-Length header.
CVSS Score
8.8
EPSS Score
0.112
Published
2021-04-26
An access control vulnerability in Hame SD1 Wi-Fi firmware <=V.20140224154640 allows an attacker to get system administrator through an open Telnet service.
CVSS Score
9.8
EPSS Score
0.004
Published
2021-04-26
Jamovi <=1.6.18 is affected by a cross-site scripting (XSS) vulnerability. The column-name is vulnerable to XSS in the ElectronJS Framework. An attacker can make a .omv (Jamovi) document containing a payload. When opened by victim, the payload is triggered.
CVSS Score
6.1
EPSS Score
0.022
Published
2021-04-26
Prototype pollution vulnerability in 'safe-flat' versions 2.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
CVSS Score
9.8
EPSS Score
0.032
Published
2021-04-26
Prototype pollution vulnerability in 'safe-obj' versions 1.0.0 through 1.0.2 allows an attacker to cause a denial of service and may lead to remote code execution.
CVSS Score
9.8
EPSS Score
0.033
Published
2021-04-26
The package github.com/tyktechnologies/tyk-identity-broker before 1.1.1 are vulnerable to Authentication Bypass via the Go XML parser which can cause SAML authentication bypass. This is because the XML parser doesn’t guarantee integrity in the XML round-trip (encoding/decoding XML data).
CVSS Score
4.8
EPSS Score
0.004
Published
2021-04-26
cPanel before 94.0.3 allows self-XSS via EasyApache 4 Save Profile (SEC-581).
CVSS Score
6.1
EPSS Score
0.003
Published
2021-04-26
LeoCAD before 21.03 sometimes allows a use-after-free during the opening of a new document.
CVSS Score
5.5
EPSS Score
0.002
Published
2021-04-26
Cross-site scripting vulnerability in Aterm WG2600HS firmware Ver1.5.1 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-04-26
Aterm WG2600HS firmware Ver1.5.1 and earlier allows an attacker to execute arbitrary OS commands via unspecified vectors.
CVSS Score
9.8
EPSS Score
0.006
Published
2021-04-26