Security Vulnerabilities - CVEs Published In July 2021
The W3 Total Cache WordPress plugin before 2.1.5 was affected by a reflected Cross-Site Scripting (XSS) issue within the "extension" parameter in the Extensions dashboard when the 'Anonymously track usage to improve product quality' setting is enabled, as the parameter is output in a JavaScript context without proper escaping. This could allow an attacker who can convince an authenticated admin to click a link to run malicious JavaScript within the user's web browser, which could lead to full site compromise.
CVSS Score
6.1
EPSS Score
0.096
Published
2021-07-19
The Include Me WordPress plugin through 1.2.1 is vulnerable to path traversal / local file inclusion, which can lead to Remote Code Execution (RCE) on the system through log poisoning and therefore potentially to a full compromise of the underlying structure.
CVSS Score
8.8
EPSS Score
0.072
Published
2021-07-19
The Related Posts for WordPress plugin through 2.0.4 does not sanitise its heading_text and CSS settings, allowing high privilege users (admin) to set XSS payloads in them, leading to Stored Cross-Site Scripting issues.
CVSS Score
4.8
EPSS Score
0.002
Published
2021-07-19
NAVER Toolbar before 4.0.30.323 allows remote attackers to execute arbitrary code via a crafted upgrade.xml file. Special characters in the filename parameter can cause the code signing check function to be bypassed.
CVSS Score
9.8
EPSS Score
0.01
Published
2021-07-19
uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitrary depth of parameter nesting for strict blocking, which allows crafted web sites to cause a denial of service (unbounded recursion that can trigger memory consumption and a loss of all blocking functionality).
CVSS Score
7.5
EPSS Score
0.011
Published
2021-07-18
Zoho ManageEngine ADManager Plus before 7110 allows remote code execution.
CVSS Score
9.8
EPSS Score
0.068
Published
2021-07-17
Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS.
CVSS Score
6.1
EPSS Score
0.039
Published
2021-07-17
Zoho ManageEngine ADManager Plus before 7110 allows stored XSS.
CVSS Score
6.1
EPSS Score
0.039
Published
2021-07-17
HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.
CVSS Score
7.5
EPSS Score
0.012
Published
2021-07-17
HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1.
CVSS Score
7.5
EPSS Score
0.011
Published
2021-07-17

