Security Vulnerabilities - CVEs Published In September 2021
Floodlight through 1.2 has poor input validation in checkFlow in StaticFlowEntryPusherResource.java because of unchecked prerequisites related to TCP or UDP ports, or group or table IDs.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2021-09-30

Craft CMS before 3.7.14 allows CSV injection.
CVSS Score: 8.8 | EPSS Score: 0.005 | Published: 2021-09-30

PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect.
CVSS Score: 6.1 | EPSS Score: 0.24 | Published: 2021-09-30

A stored cross-site scripting (XSS) vulnerability in /ucms/index.php?do=list_edit of UCMS 1.4.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the title, key words, description or content text fields.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2021-09-29

Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Integer Underflow vulnerability that might lead to denial of service. A crafted message must be sent from an authenticated agent to the manager.
CVSS Score: 6.5 | EPSS Score: 0.005 | Published: 2021-09-29

LaraCMS v1.0.1 transmits sensitive information in cleartext which can be intercepted by attackers.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2021-09-29

LaraCMS v1.0.1 contains a stored cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content editor.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2021-09-29

LaraCMS v1.0.1 contains a stored cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the page management module.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2021-09-29

The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks that allow the replacement of the original binaries with arbitrary ones. The stacks involved are Java 8 (alpine and centos), Android and PHP. The vulnerability is not exploitable at runtime but only when building Che.
CVSS Score: 8.1 | EPSS Score: 0.002 | Published: 2021-09-29

The Safari app extension bundled with 1Password for Mac 7.7.0 through 7.8.x before 7.8.7 is vulnerable to authorization bypass. By targeting a vulnerable component of this extension, a malicious web page could read a subset of 1Password vault items that would normally be fillable by the user on that web page. These items are usernames and passwords for vault items associated with its domain, usernames and passwords without a domain association, credit cards, and contact items. (1Password must be unlocked for these items to be accessible, but no further user interaction is required.)
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2021-09-29



Shodan ® - All rights reserved