Security Vulnerabilities - CVEs Published In September 2021
Command Injection in PPGo_Jobs v2.8.0 allows remote attackers to execute arbitrary code via the 'AjaxRun()' function.
CVSS Score
9.8
EPSS Score
0.027
Published
2021-09-08
Incorrect Access Control in Autumn v1.0.4 and earlier allows remote attackers to obtain clear-text login credentials via the component "autumn-cms/user/getAllUser/?page=1&limit=10".
CVSS Score
7.5
EPSS Score
0.001
Published
2021-09-08
An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.
CVSS Score
6.5
EPSS Score
0.005
Published
2021-09-08
Server Side Request Forgery (SSRF) vulnerability exists in owncloud/user_ldap < 0.15.4 in the settings of the user_ldap app. Administration role is necessary for exploitation.
CVSS Score
2.7
EPSS Score
0.003
Published
2021-09-08
Central Dogma allows privilege escalation with mirroring to the internal dogma repository that has a file managing the authorization of the project.
CVSS Score
8.8
EPSS Score
0.003
Published
2021-09-08
LINE client for iOS 10.21.3 and before allows address bar spoofing due to inappropriate address handling.
CVSS Score
5.3
EPSS Score
0.002
Published
2021-09-08
LINE for Windows 6.2.1.2289 and before allows arbitrary code execution via malicious DLL injection.
CVSS Score
7.8
EPSS Score
0.001
Published
2021-09-08
Flask-AppBuilder is an application development framework, built on top of Flask. In affected versions if using Flask-AppBuilder OAuth, an attacker can share a carefully crafted URL with a trusted domain for an application built with Flask-AppBuilder, this URL can redirect a user to a malicious site. This is an open redirect vulnerability. To resolve this issue upgrade to Flask-AppBuilder 3.2.2 or above. If upgrading is infeasible users may filter HTTP traffic containing `?next={next-site}` where the `next-site` domain is different from the application you are protecting as a workaround.
CVSS Score
7.2
EPSS Score
0.002
Published
2021-09-08
In LibreNMS < 21.3.0, a stored XSS vulnerability was identified in the API Access page due to insufficient sanitization of the $api->description variable. As a result, arbitrary Javascript code can get executed.
CVSS Score
5.4
EPSS Score
0.0
Published
2021-09-08
A reflected cross-site scripting (XSS) vulnerability in the Palo Alto Network PAN-OS web interface enables an authenticated network-based attacker to mislead another authenticated PAN-OS administrator to click on a specially crafted link that performs arbitrary actions in the PAN-OS web interface as the targeted authenticated administrator. This issue impacts: PAN-OS 8.1 versions earlier than 8.1.20; PAN-OS 9.0 versions earlier than 9.0.14; PAN-OS 9.1 versions earlier than 9.1.10; PAN-OS 10.0 versions earlier than 10.0.2. This issue does not affect Prisma Access.
CVSS Score
8.0
EPSS Score
0.006
Published
2021-09-08