Security Vulnerabilities - CVEs Published In September 2021
FlameCMS 3.3.5 contains a SQL injection vulnerability in /master/article.php via the "Id" parameter.
CVSS Score: 9.8 | EPSS Score: 0.002 | Published: 2021-09-30
FlameCMS 3.3.5 contains a time-based blind SQL injection vulnerability in /account/register.php.
CVSS Score: 9.8 | EPSS Score: 0.002 | Published: 2021-09-30
JeeCMS 1.0.1 contains a stored cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the commentText parameter.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2021-09-30
Directory traversal in the Copy, Move, and Delete features in Pydio Cells 2.2.9 allows remote authenticated users to enumerate personal files (or Cells files belonging to any user) via the nodes parameter (for Copy and Move) or via the Path parameter (for Delete).
CVSS Score: 6.5 | EPSS Score: 0.004 | Published: 2021-09-30
A stack-based buffer overflow in the httpd server on Tenda AC9 V15.03.06.60_EN allows remote attackers to execute arbitrary code or cause a denial of service (DoS) via a crafted POST request to /goform/SetStaticRouteCfg.
CVSS Score: 7.2 | EPSS Score: 0.029 | Published: 2021-09-30
REINER timeCard 6.05.07 installs a Microsoft SQL Server with an sa password that is hardcoded in the TCServer.jar file.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2021-09-30
wire-server is an open-source back end for Wire, a secure collaboration platform. Before version 2.106.0, the CORS `Access-Control-Allow-Origin` header set by `nginz` is set for all subdomains of `.wire.com` (including `wire.com`). This means that if somebody were to find an XSS vector in any of the subdomains, they could use it to talk to the Wire API using the user's Cookie. A patch does not exist, but a workaround does. To make sure that a compromise of one subdomain does not yield access to the cookie of another, one may limit the `Access-Control-Allow-Origin` header to apps that actually require the cookie (account-pages, team-settings and the webapp).
CVSS Score: 5.7 | EPSS Score: 0.003 | Published: 2021-09-30
Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API.
CVSS Score: 9.8 | EPSS Score: 0.222 | Published: 2021-09-30
Directory traversal in the Compress feature in Pydio Cells 2.2.9 allows remote authenticated users to overwrite personal files, or Cells files belonging to any user, via the format parameter.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2021-09-30
Broken access control for user creation in Pydio Cells 2.2.9 allows remote anonymous users to create standard users via the profile parameter. (In addition, such users can be granted several admin permissions via the Roles parameter.)
CVSS Score: 6.5 | EPSS Score: 0.002 | Published: 2021-09-30
Shodan ® - All rights reserved