Security Vulnerabilities - CVEs Published In July 2021
The unofficial vscode-phpmd (aka PHP Mess Detector) extension before 1.3.0 for Visual Studio Code allows remote attackers to execute arbitrary code via a crafted phpmd.command value in a workspace folder.
CVSS Score
9.8
EPSS Score
0.027
Published
2021-07-30
isomorphic-git before 1.8.2 allows Directory Traversal via a crafted repository.
CVSS Score
5.3
EPSS Score
0.003
Published
2021-07-30
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.
CVSS Score
7.0
EPSS Score
0.006
Published
2021-07-30
An issue was discovered in PJSIP in Asterisk before 16.19.1 and before 18.5.1. To exploit, a re-INVITE without SDP must be received after Asterisk has sent a BYE request.
CVSS Score
6.5
EPSS Score
0.003
Published
2021-07-30
An issue was discovered in Sangoma Asterisk 13.x before 13.38.3, 16.x before 16.19.1, 17.x before 17.9.4, and 18.x before 18.5.1, and Certified Asterisk before 16.8-cert10. If the IAX2 channel driver receives a packet that contains an unsupported media format, a crash can occur.
CVSS Score
7.5
EPSS Score
0.012
Published
2021-07-30
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
CVSS Score
7.1
EPSS Score
0.12
Published
2021-07-30
Arbitrary file upload vulnerability in SourceCodester Learning Management System v 1.0 allows attackers to execute arbitrary code, via the file upload to \lms\student_avatar.php.
CVSS Score
9.8
EPSS Score
0.01
Published
2021-07-30
A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Valid files uploaded via tce_filemanager.php with a filename beggining with a period will be rendered as text/html. An attacker with access to tce_filemanager.php could upload a malicious javascript payload which would be triggered when another user views the file.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-07-30
A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Valid files uploaded via tce_select_mediafile.php with a filename beggining with a period will be rendered as text/html. An attacker with access to tce_select_mediafile.php could upload a malicious javascript payload which would be triggered when another user views the file.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-07-30
An exposure of sensitive information vulnerability exists in TCExam <= 14.8.1. If a password reset request was made for an email address that was not registered with a user then we would be presented with an ‘unknown email’ error. If an email is given that is registered with a user then this error will not appear. A malicious actor could abuse this to enumerate the email addresses of
CVSS Score
5.3
EPSS Score
0.003
Published
2021-07-30