Security Vulnerabilities - CVEs Published In May 2021
XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
CVSS Score
7.5
EPSS Score
0.903
Published
2021-05-28
GENIVI Diagnostic Log and Trace (DLT) provides a log and trace interface. In versions of GENIVI DLT between 2.10.0 and 2.18.6, a configuration file containing the special characters could cause a vulnerable component to crash. All the applications which are using the configuration file could fail to generate their dlt logs in system. As of time of publication, no patch exists. As a workaround, one may check the integrity of information in configuration file manually.
CVSS Score
5.7
EPSS Score
0.003
Published
2021-05-28
1CDN is open-source file sharing software. In 1CDN before commit f88a2730fa50fc2c2aeab09011f6f142fd90ec25, there is a basic cross-site scripting vulnerability that allows an attacker to inject /<script>//code</script> and execute JavaScript code on the client side.
CVSS Score
8.1
EPSS Score
0.003
Published
2021-05-28
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1, modules that are dynamically imported through `import()` or `new Worker` might have been able to bypass network and file system permission checks when statically importing other modules. The vulnerability has been patched in Deno release 1.10.2.
CVSS Score
9.8
EPSS Score
0.004
Published
2021-05-28
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 11.10.13, 12.6.7, and 12.10.2, a user disabled on a wiki using email verification for registration canouldre-activate themself by using the activation link provided for his registration. The problem has been patched in the following versions of XWiki: 11.10.13, 12.6.7, 12.10.2, 13.0. It is possible to workaround the issue by resetting the `validkey` property of the disabled XWiki users. This can be done by editing the user profile with object editor.
CVSS Score
8.8
EPSS Score
0.003
Published
2021-05-28
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 12.6.7 and 12.10.3, a user without Script or Programming right is able to execute script requiring privileges by editing gadget titles in the dashboard. The issue has been patched in XWiki 12.6.7, 12.10.3 and 13.0RC1.
CVSS Score
8.8
EPSS Score
0.011
Published
2021-05-28
A Cross Site Request Forgery (CSRF) vulnerability was discovered in iCMS 7.0.16 which can allow an attacker to execute arbitrary web scripts.
CVSS Score
8.8
EPSS Score
0.001
Published
2021-05-28
A cross-site scripting (XSS) vulnerability has been discovered in the login page of SeaCMS version 11 which allows an attacker to inject arbitrary web script or HTML.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-05-28
Execute arbitrary code vulnerability in Micro Focus SiteScope product, affecting versions 11.40,11.41 , 2018.05(11.50), 2018.08(11.51), 2018.11(11.60), 2019.02(11.70), 2019.05(11.80), 2019.08(11.90), 2019.11(11.91), 2020.05(11.92), 2020.10(11.93). The vulnerability could allow remote attackers to execute arbitrary code on affected installations of SiteScope.
CVSS Score
9.8
EPSS Score
0.018
Published
2021-05-28
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
CVSS Score
7.5
EPSS Score
0.002
Published
2021-05-28