Security Vulnerabilities - CVEs Published In September 2021
EyouCMS 1.5.4 lacks sanitization of input data, allowing an attacker to inject malicious code into the `filename` parameter to trigger reflected XSS.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-09-07
EyouCMS 1.5.4 lacks sanitization of input data, allowing an attacker to inject a URL to trigger blind SSRF via the saveRemote() function.
CVSS Score
9.8
EPSS Score
0.012
Published
2021-09-07
A cross-site scripting (XSS) vulnerability in Users in Qiong ICP EyouCMS 1.5.4 allows remote attackers to inject arbitrary web script or HTML via the `title` parameter in the bind_email function.
CVSS Score
6.1
EPSS Score
0.004
Published
2021-09-07
PHPMyWind 5.6 is vulnerable to Remote Code Execution. Because input is filtered without "<, >, ?, =, `,...." in the WriteConfig() function, an attacker can inject PHP code into the /include/config.cache.php file.
CVSS Score
7.2
EPSS Score
0.033
Published
2021-09-07
Sonatype Nexus Repository 3.x through 3.33.1-01 is vulnerable to an HTTP header injection. By sending a crafted HTTP request, a remote attacker may disclose sensitive information or request external resources from a vulnerable instance.
CVSS Score
8.2
EPSS Score
0.006
Published
2021-09-07
An issue was discovered in gpac 0.8.0. The strdup function in box_code_base.c has a heap-based buffer over-read.
CVSS Score
7.5
EPSS Score
0.005
Published
2021-09-07
An issue was discovered in gpac 0.8.0. The gf_odf_del_ipmp_tool function in odf_code.c has a heap-based buffer over-read.
CVSS Score
9.1
EPSS Score
0.005
Published
2021-09-07
The find_color_or_error function in gifsicle 1.92 contains a NULL pointer dereference.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-09-07
Nextcloud Circles is an open source social network built for the Nextcloud ecosystem. In affected versions the Nextcloud Circles application is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Circles application is upgraded to 0.21.3, 0.20.10 or 0.19.14 to resolve this issue. As a workaround, users may use a browser that has support for Content-Security-Policy. A notable exception is Internet Explorer, which does not support CSP properly.
CVSS Score
5.8
EPSS Score
0.004
Published
2021-09-07
A receiver of a federated share with access to the database in ownCloud versions before 10.8 could update the permissions and therefore elevate their own permissions.
CVSS Score
9.8
EPSS Score
0.003
Published
2021-09-07

