Security Vulnerabilities - CVEs Published In July 2021
Cross Site Scripting (XSS) in Webmail Calender in IceWarp WebClient 10.3.5 allows remote attackers to inject arbitrary web script or HTML via the "p4" field.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-07-07
An information disclosure vulnerability in GitLab EE versions 13.10 and later allowed a user to read project details
CVSS Score
4.3
EPSS Score
0.002
Published
2021-07-07
The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions
CVSS Score
8.8
EPSS Score
0.003
Published
2021-07-07
A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php file of the ProfilePress WordPress plugin made it possible for users to register on sites as an administrator. This issue affects versions 3.0.0 - 3.1.3. .
CVSS Score
9.8
EPSS Score
0.912
Published
2021-07-07
A vulnerability in the user profile update component found in the ~/src/Classes/EditUserProfile.php file of the ProfilePress WordPress plugin made it possible for users to escalate their privileges to that of an administrator while editing their profile. This issue affects versions 3.0.0 - 3.1.3. .
CVSS Score
9.8
EPSS Score
0.007
Published
2021-07-07
A vulnerability in the image uploader component found in the ~/src/Classes/ImageUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3. .
CVSS Score
9.8
EPSS Score
0.008
Published
2021-07-07
A vulnerability in the file uploader component found in the ~/src/Classes/FileUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3. .
CVSS Score
9.8
EPSS Score
0.009
Published
2021-07-07
A vulnerability in the saveCustomType function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to inject arbitrary web scripts. This issue affects versions 2.2.3 and prior.
CVSS Score
6.4
EPSS Score
0.002
Published
2021-07-07
A vulnerability in the deleteCustomType function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to delete custom extensions added by administrators. This issue affects versions 2.2.3 and prior.
CVSS Score
4.3
EPSS Score
0.002
Published
2021-07-07
A vulnerability in the getSelectedMimeTypesByRole function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to view custom extensions added by administrators. This issue affects versions 2.2.3 and prior.
CVSS Score
4.3
EPSS Score
0.002
Published
2021-07-07