Security Vulnerabilities - CVEs Published In May 2021
Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect.
CVSS Score
6.1
EPSS Score
0.047
Published
2021-05-19
An issue was discovered in Couchbase Server 5.x and 6.x through 6.6.1 and 7.0.0 Beta. Incorrect commands to the REST API can result in leaked authentication information being stored in cleartext in the debug.log and info.log files, and is also shown in the UI visible to administrators.
CVSS Score
7.5
EPSS Score
0.002
Published
2021-05-19
An issue was discovered in Couchbase Server 6.5.x and 6.6.x through 6.6.1. When using the View Engine and Auditing is enabled, a crash condition can (depending on a race condition) cause an internal user with administrator privileges, @ns_server, to have its credentials leaked in cleartext in the ns_server.info.log file.
CVSS Score
4.4
EPSS Score
0.002
Published
2021-05-19
In the Query Engine in Couchbase Server 6.5.x and 6.6.x through 6.6.1, Common Table Expression queries were not correctly checking the user's permissions, allowing read-access to resources beyond what those users were explicitly allowed to access.
CVSS Score
6.5
EPSS Score
0.002
Published
2021-05-19
In the pg_partman (aka PG Partition Manager) extension before 4.5.1 for PostgreSQL, arbitrary code execution can be achieved via SECURITY DEFINER functions because an explicit search_path is not set.
CVSS Score
9.8
EPSS Score
0.011
Published
2021-05-19
Persistent cross-site scripting (XSS) in the web interface of Concerto through 2.3.6 allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the First Name or Last Name parameter upon registration. When a privileged user attempts to delete the account, the XSS payload will be executed.
CVSS Score
6.1
EPSS Score
0.008
Published
2021-05-19
BMC Remedy Mid Tier 9.1SP3 is affected by remote and local file inclusion. Due to the lack of restrictions on what can be targeted, the system can be vulnerable to attacks such as system fingerprinting, internal port scanning, Server Side Request Forgery (SSRF), or remote code execution (RCE).
CVSS Score
9.8
EPSS Score
0.033
Published
2021-05-19
BMC Remedy Mid Tier 9.1SP3 is affected by log hijacking. Remote logging can be accessed by unauthenticated users, allowing for an attacker to hijack the system logs. This data can include user names and HTTP data.
CVSS Score
5.3
EPSS Score
0.003
Published
2021-05-19
BMC Remedy 9.1SP3 is affected by authenticated code execution. Authenticated users that have the right to create reports can use BIRT templates to run code.
CVSS Score
8.8
EPSS Score
0.01
Published
2021-05-19
BMC Remedy Mid Tier 9.1SP3 is affected by cross-site scripting (XSS). A DOM-based cross-site scripting vulnerability was discovered in a legacy utility.
CVSS Score
6.1
EPSS Score
0.005
Published
2021-05-19