Security Vulnerabilities - CVEs Published In April 2021
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in purl 2.3.2 allows a malicious user to inject properties into Object.prototype.
CVSS Score
8.8
EPSS Score
0.006
Published
2021-04-23
Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert. The bug is fixed in version v0.27.4.
CVSS Score
4.7
EPSS Score
0.002
Published
2021-04-23
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in backbone-query-parameters 0.4.0 allows a malicious user to inject properties into Object.prototype.
CVSS Score
8.8
EPSS Score
0.005
Published
2021-04-23
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq 1.2.1 allows a malicious user to inject properties into Object.prototype.
CVSS Score
8.8
EPSS Score
0.006
Published
2021-04-23
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-plugin-query-object 2.2.3 allows a malicious user to inject properties into Object.prototype.
CVSS Score
8.8
EPSS Score
0.073
Published
2021-04-23
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-sparkle 1.5.2-beta allows a malicious user to inject properties into Object.prototype.
CVSS Score
8.8
EPSS Score
0.004
Published
2021-04-23
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-deparam 0.5.1 allows a malicious user to inject properties into Object.prototype.
CVSS Score
8.8
EPSS Score
0.011
Published
2021-04-23
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in mootools-more 1.6.0 allows a malicious user to inject properties into Object.prototype.
CVSS Score
8.8
EPSS Score
0.005
Published
2021-04-23
CVE-2021-22204
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image
Known exploited
CVSS Score
6.8
EPSS Score
0.931
Published
2021-04-23
CVE-2021-22205
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
Known exploited
CVSS Score
10.0
EPSS Score
0.945
Published
2021-04-23