Security Vulnerabilities - CVEs Published In June 2021
SQL Injection vulnerability in gnuboard5 <=v5.3.2.8 via the table_prefix parameter in install_db.php.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2021-06-24
Cross Site Scripting (XSS) vulnerability in gnuboard5 <=v5.3.2.8 via the act parameter in bbs/move_update.php.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2021-06-24
Cross Site Scripting (XSS) vulnerability in WebPort <=1.19.1 via the connection name parameter in type-conn.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2021-06-24
Directory Traversal vulnerability in WebPort <=1.19.1 in tags of system settings.
CVSS Score: 5.3 | EPSS Score: 0.005 | Published: 2021-06-24
In IBOS 4.5.4, the email function has a cross site scripting (XSS) vulnerability in the emailbody[content] parameter.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2021-06-24
phpwcms 1.9.13 is vulnerable to Code Injection via /phpwcms/setup/setup.php.
CVSS Score: 9.8 | EPSS Score: 0.005 | Published: 2021-06-24
In IBOS 4.5.4 Open, the database backup has a Command Injection vulnerability.
CVSS Score: 8.8 | EPSS Score: 0.056 | Published: 2021-06-24
In IBOS 4.5.4 Open, Arbitrary File Inclusion causes getshell via /system/modules/dashboard/controllers/CronController.php.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2021-06-24
In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis; such applications may be vulnerable to remote code execution.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2021-06-24
DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability has been found in specific versions of DHIS2. This vulnerability affects the /api/trackedEntityInstances API endpoint in DHIS2 versions 2.34.4, 2.35.2, 2.35.3, 2.35.4, and 2.36.0. Earlier versions, such as 2.34.3 and 2.35.1 and all versions 2.33 and older are unaffected. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance. There are no known exploits of the security vulnerabilities addressed by these patch releases. However, we strongly recommend that all DHIS2 implementations using versions 2.34, 2.35 and 2.36 install these patches as soon as possible. There is no straightforward known workaround for DHIS2 instances using the Tracker functionality other than upgrading the affected DHIS2 server to one of the patches in which this vulnerability has been fixed. For implementations which do NOT use Tracker functionality, it may be possible to block all network access to POST to the /api/trackedEntityInstance endpoint as a temporary workaround while waiting to upgrade.
CVSS Score: 8.5 | EPSS Score: 0.003 | Published: 2021-06-24

