Security Vulnerabilities - CVEs Published In September 2021
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.
CVSS Score
6.5
EPSS Score
0.156
Published
2021-09-06
A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
CVSS Score
2.7
EPSS Score
0.004
Published
2021-09-06
mrdoc is vulnerable to Deserialization of Untrusted Data.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-09-06
An id GET parameter of the Easy Testimonial Manager WordPress plugin through 1.2.0 is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.
CVSS Score
7.2
EPSS Score
0.006
Published
2021-09-06
The editid GET parameter of the Embed Youtube Video WordPress plugin through 1.0 is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.
CVSS Score
7.2
EPSS Score
0.006
Published
2021-09-06
The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues.
CVSS Score
6.1
EPSS Score
0.133
Published
2021-09-06
The Form Builder | Create Responsive Contact Forms WordPress plugin before 1.9.8.4 does not sanitise or escape its Form Title, allowing high privilege users such as admin to set Cross-Site Scripting payloads in it, even when the unfiltered_html capability is disallowed.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-09-06
The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2021.18 does not escape some of its settings, allowing high privilege users such as admin to set Cross-Site Scripting payloads in them even when the unfiltered_html capability is disallowed.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-09-06
The AddToAny Share Buttons WordPress plugin before 1.7.46 does not sanitise its Sharing Header setting when outputting it in frontend pages, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-09-06
The SMS Alert Order Notifications WordPress plugin before 3.4.7 is affected by a cross-site scripting (XSS) vulnerability in the plugin's setting page.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-09-06

