Security Vulnerabilities - CVEs Published In July 2021
Nextcloud Talk is a fully on-premises audio/video and chat communication service. In versions prior to 11.2.2, if a user was able to reuse an earlier used username, they could get access to any chat message sent to the previous user with this username. The issue was patched in versions 11.2.2 and 11.3.0. As a workaround, don't allow users to choose usernames themselves. This is the default behaviour of Nextcloud, but some user providers may allow doing so.
CVSS Score
8.1
EPSS Score
0.003
Published
2021-07-12
Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in version 1.9.6 and 1.10.0. No workarounds are known to exist.
CVSS Score
4.3
EPSS Score
0.006
Published
2021-07-12
Cross Sie Scripting (XSS) vulnerability in Halo 0.4.3 via CommentAuthorUrl.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-07-12
Incorrect Access Control vulnearbility in Halo 0.4.3, which allows a malicious user to bypass encrption to view encrpted articles via cookies.
CVSS Score
5.3
EPSS Score
0.002
Published
2021-07-12
File Deletion vulnerability in Halo 0.4.3 via delBackup.
CVSS Score
9.1
EPSS Score
0.003
Published
2021-07-12
SSRF vulnerability in Halo <=1.3.2 exists in the SMTP configuration, which can detect the server intranet.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-07-12
The package total4 before 0.0.43 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.
CVSS Score
9.8
EPSS Score
0.013
Published
2021-07-12
IBM Event Streams 10.0, 10.1, 10.2, and 10.3 could allow a user the CA private key to create their own certificates and deploy them in the cluster and gain privileges of another user. IBM X-Force ID: 203450.
CVSS Score
4.7
EPSS Score
0.001
Published
2021-07-12
IBM Tivoli Netcool/Impact 7.1.0.20 and 7.1.0.21 uses an insecure SSH server configuration which enables weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 203556.
CVSS Score
5.9
EPSS Score
0.001
Published
2021-07-12
IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204164.
CVSS Score
6.4
EPSS Score
0.002
Published
2021-07-12