Security Vulnerabilities - CVEs Published In September 2021
Chromium: CVE-2021-30618 Inappropriate implementation in DevTools
CVSS Score: 8.8 | EPSS Score: 0.017 | Published: 2021-09-03

Chromium: CVE-2021-30619 UI Spoofing in Autofill
CVSS Score: 6.5 | EPSS Score: 0.017 | Published: 2021-09-03

Chromium: CVE-2021-30620 Insufficient policy enforcement in Blink
CVSS Score: 8.8 | EPSS Score: 0.017 | Published: 2021-09-03

Chromium: CVE-2021-30621 UI Spoofing in Autofill
CVSS Score: 6.5 | EPSS Score: 0.017 | Published: 2021-09-03

Chromium: CVE-2021-30622 Use after free in WebApp Installs
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2021-09-03

Frontier is Substrate's Ethereum compatibility layer. Prior to commit 0b962f218f0cdd796dadfe26c3f09e68f7861b26, a bug in `pallet-ethereum` can cause invalid transactions to be included in the Ethereum block state in `pallet-ethereum` because the input data size is not validated. Any invalid transactions included this way have no possibility to alter the internal Ethereum or Substrate state. The transaction will appear to have been included, but it has no effect because it is rejected by the EVM engine. The impact is further limited by Substrate extrinsic size constraints. A patch is available in commit 0b962f218f0cdd796dadfe26c3f09e68f7861b26. There are no workarounds aside from applying the patch.
CVSS Score: 5.3 | EPSS Score: 0.003 | Published: 2021-09-03

A reflected XSS vulnerability exists in multiple pages in version 22 of the Gibbon application that allows for arbitrary execution of JavaScript (via the gibbonCourseClassID, gibbonPersonID, subpage, currentDate, or allStudents parameters to index.php).
CVSS Score: 6.1 | EPSS Score: 0.106 | Published: 2021-09-03

The package pillow, from version 5.2.0 and before 8.3.2, is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2021-09-03

Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. This issue is patched in Ghost version 4.10.0. As a workaround, disable all non-Administrator accounts to prevent API access. It is highly recommended to regenerate all API keys after patching or applying the workaround.
CVSS Score: 6.5 | EPSS Score: 0.004 | Published: 2021-09-03

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the third-party init SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack by supplying a crafted URL in the `target_link_uri` parameter. A patch in version 2.4.9.4 made it so that the `OIDCRedirectURLsAllowed` setting must be applied to the `target_link_uri` parameter. There are no known workarounds aside from upgrading to a patched version.
CVSS Score: 4.7 | EPSS Score: 0.004 | Published: 2021-09-03

Shodan ® - All rights reserved