Security Vulnerabilities - CVEs Published In August 2021
In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8), 2019.1.7 (11.1.7), 2019.2.4 (11.2.4), 2020.0.7 (12.0.7), 2020.1.6 (12.1.6), and 2021.0.4 (13.0.4).
CVSS Score
9.8
EPSS Score
0.034
Published
2021-08-07
library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation.
CVSS Score
9.1
EPSS Score
0.003
Published
2021-08-07
In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE: the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior
CVSS Score
7.8
EPSS Score
0.0
Published
2021-08-07
Obsidian before 0.12.12 does not require user confirmation for non-http/https URLs.
CVSS Score
9.8
EPSS Score
0.005
Published
2021-08-07
An arbitrary file upload vulnerability in /jeecg-boot/sys/common/upload of jeecg-boot CMS 2.3 allows attackers to execute arbitrary code.
CVSS Score
9.8
EPSS Score
0.059
Published
2021-08-06
A stored cross site scripting (XSS) vulnerability in /admin/snippets.php of GetSimple CMS 3.4.0a allows attackers to execute arbitrary web scripts or HTML via crafted payload in the Edit Snippets module.
CVSS Score
5.4
EPSS Score
0.003
Published
2021-08-06
An information disclosure vulnerability in upload.php of PopojiCMS 1.2 leads to physical path disclosure of the host when 'name = "file" is deleted during file uploads.
CVSS Score
5.3
EPSS Score
0.002
Published
2021-08-06
A stored cross site scripting (XSS) vulnerability in /admin.php?mod=user&act=addnew of PopojiCMS 1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the E-Mail field.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-08-06
A cross site request forgery (CSRF) in Wage-CMS 1.5.x-dev allows attackers to arbitrarily add users.
CVSS Score
6.5
EPSS Score
0.001
Published
2021-08-06
A SQL injection vulnerability in /jeecg boot/sys/dict/loadtreedata of jeecg-boot CMS 2.3 allows attackers to access sensitive database information.
CVSS Score
7.5
EPSS Score
0.007
Published
2021-08-06