Security Vulnerabilities - CVEs Published In September 2021
libiec_iccp_mod v1.5 contains a segmentation violation in the component server_example1.c.
CVSS Score: 6.5 | EPSS Score: 0.002 | Published: 2021-09-30
rudp v0.6 was discovered to contain a memory leak in the component main.c.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2021-09-30
IBM Sterling Order Management 9.4, 9.5, and 10.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199179.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2021-09-30
IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0.0 could allow an attacker to perform unauthorized actions due to improper or missing authentication controls. IBM X-Force ID: 199282.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2021-09-30
IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 207320.
CVSS Score: 5.9 | EPSS Score: 0.001 | Published: 2021-09-30
An improper neutralization of formula elements in a CSV file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows an attacker to execute arbitrary commands via a crafted IPv4 field in a policy name, when the policy is exported as an Excel file and opened unsafely on the victim host.
CVSS Score: 3.7 | EPSS Score: 0.001 | Published: 2021-09-30
An improper authentication in Fortinet FortiManager version 6.4.3 and below, 6.2.6 and below allows an attacker to assign arbitrary Policy and Object modules via crafted requests to the request handler.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2021-09-30
Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an out-of-bounds Read vulnerability. An unauthenticated attacker could leverage this vulnerability to locally escalate privileges in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVSS Score: 3.3 | EPSS Score: 0.007 | Published: 2021-09-30
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the `Parse.User` class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery payload. A patch in version 4.10.4 removes session tokens from the LiveQuery payload. As a workaround, set `user.acl(new Parse.ACL())` in a beforeSave trigger to make the user private already on sign-up.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2021-09-30
ECOA BAS controller stores sensitive data (backup exports) in clear text, so an unauthenticated attacker can remotely query user passwords and obtain the user's privileges.
CVSS Score: 7.3 | EPSS Score: 0.002 | Published: 2021-09-30
Shodan ® - All rights reserved