Security Vulnerabilities - CVEs Published In September 2021
Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF.
CVSS Score: 7.5 | EPSS Score: 0.077 | Published: 2021-09-21

Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing.
CVSS Score: 6.5 | EPSS Score: 0.01 | Published: 2021-09-21

ManageEngine ADSelfService Plus before 6112 is vulnerable to domain user account takeover.
CVSS Score: 9.8 | EPSS Score: 0.123 | Published: 2021-09-21

ManageEngine ADManager Plus before 7111 has pre-authentication RCE vulnerabilities.
CVSS Score: 8.8 | EPSS Score: 0.054 | Published: 2021-09-21

An information disclosure vulnerability exists in the AMD Platform Security Processor (PSP) chipset driver. The discretionary access control list (DACL) may allow low-privileged users to open a handle and send requests to the driver, resulting in a potential data leak from uninitialized physical pages.
CVSS Score: 5.5 | EPSS Score: 0.003 | Published: 2021-09-21

A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2021-09-21

Cross-site scripting vulnerability due to inadequate tag sanitization in GROWI versions v4.2.19 and earlier allows remote attackers to execute an arbitrary script in the web browser of a user who accesses a specially crafted page.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2021-09-21

SonicWall Global VPN Client 4.10.5 installer (32-bit and 64-bit) incorrect default file permission vulnerability leads to privilege escalation, which potentially allows command execution in the host operating system. This vulnerability impacts the GVC 4.10.5 installer and earlier.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2021-09-21

Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. In affected versions, users who use Apprise, granting them access to the IFTTT plugin (which just comes out of the box), are subject to a denial of service attack on an inefficient regular expression. The vulnerable regular expression is [here](https://github.com/caronc/apprise/blob/0007eade20934ddef0aba38b8f1aad980cfff253/apprise/plugins/NotifyIFTTT.py#L356-L359). The problem has been patched in release version 0.9.5.1. Users who are unable to upgrade are advised to remove `apprise/plugins/NotifyIFTTT.py` to eliminate the service.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2021-09-20

Dada Mail is a web-based e-mail list management system. In affected versions a bad actor could give someone a carefully crafted web page via email, SMS, etc., that, when visited, allows them control of the list control panel as if the bad actor was logged in themselves. This includes changing any mailing list password, as well as the Dada Mail Root Password, which could effectively shut out actual list owners of the mailing list and allow the bad actor complete and unfettered control of your mailing list. This vulnerability also affects profile logins. For this vulnerability to work, the target of the bad actor would need to be logged into the list control panel themselves. This CSRF vulnerability in Dada Mail affects all versions of Dada Mail v11.15.1 and below. Although we know of no known CSRF exploits that have happened in the wild, this vulnerability has been confirmed by our testing, and by a third party. Users are advised to update to version 11.16.0.
CVSS Score: 8.0 | EPSS Score: 0.002 | Published: 2021-09-20
Shodan ® - All rights reserved