Security Vulnerabilities - CVEs Published In July 2021
Basix NEX-Forms through 7.8.7 allows authentication bypass for stored PDF reports.
CVSS Score
7.5
EPSS Score
0.009
Published
2021-07-19
Basix NEX-Forms through 7.8.7 allows authentication bypass for Excel report generation.
CVSS Score
7.5
EPSS Score
0.009
Published
2021-07-19
In Victron Energy Venus OS through 2.72, root access is granted by default to anyone with physical access to the device. NOTE: the vendor disagrees with the reporter's opinion about an alleged "security best practices" violation
CVSS Score
6.8
EPSS Score
0.0
Published
2021-07-19
KNX ETS5 through 5.7.6 uses the hard-coded password ETS5Password, with a salt value of Ivan Medvedev, allowing local users to read project information. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
CVSS Score
8.8
EPSS Score
0.001
Published
2021-07-19
Mikrotik RouterOs before stable 6.47 suffers from an uncontrolled resource consumption in the sshd process. An authenticated remote attacker can cause a Denial of Service due to overloading the systems CPU.
CVSS Score
6.5
EPSS Score
0.009
Published
2021-07-19
IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 193738.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-07-19
IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198235.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-07-19
IBM HMC (Hardware Management Console) V9.1.910.0 and V9.2.950.0 could allow a local user to escalate their privileges to root access on a restricted shell. IBM X-Force ID: 200879.
CVSS Score
8.4
EPSS Score
0.0
Published
2021-07-19
IBM Resilient OnPrem v41.1 of IBM Security SOAR could allow an authenticated user to perform actions that they should not have access to due to improper input validation. IBM X-Force ID: 203085.
CVSS Score
4.7
EPSS Score
0.002
Published
2021-07-19
Manage Engine Asset Explorer Agent 1.0.34 listens on port 9000 for incoming commands over HTTPS from Manage Engine Server. The HTTPS certificates are not verified which allows any arbitrary user on the network to send commands over port 9000. While these commands may not be executed (due to authtoken validation), the Asset Explorer agent will reach out to the manage engine server for an HTTP request. During this process, AEAgent.cpp allocates 0x66 bytes using "malloc". This memory is never free-ed in the program, causing a memory leak. Additionally, the instruction sent to aeagent (ie: NEWSCAN, DELTASCAN, etc) is converted to a unicode string, but is never freed. These memory leaks allow a remote attacker to exploit a Denial of Service scenario through repetitively sending these commands to an agent and eventually crashing it the agent due to an out-of-memory condition.
CVSS Score
7.5
EPSS Score
0.032
Published
2021-07-19