Security Vulnerabilities - CVEs Published In October 2021
It is possible for an attacker to manipulate the timestamp of signed documents. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25634 for the LibreOffice advisory.
CVSS Score
5.3
EPSS Score
0.008
Published
2021-10-11
An issue was discovered in Zammad before 5.0.1. In some cases, there is improper enforcement of the privilege requirement for viewing a list of tickets that shows title, state, etc.
CVSS Score
5.3
EPSS Score
0.002
Published
2021-10-11
Deno Standard Modules before 0.107.0 allows Code Injection via an untrusted YAML file in certain configurations.
CVSS Score
9.8
EPSS Score
0.005
Published
2021-10-11
Gajim 1.2.x and 1.3.x before 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted XMPP Last Message Correction (XEP-0308) message in multi-user chat, where the message ID equals the correction ID.
CVSS Score
7.5
EPSS Score
0.008
Published
2021-10-11
HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials.
CVSS Score
8.1
EPSS Score
0.002
Published
2021-10-11
The Unicorn framework before 0.36.1 for Django allows XSS via a component. NOTE: this issue exists because of an incomplete fix for CVE-2021-42053.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-10-11
In “Orchard core CMS” application, versions 1.0.0-beta1-3383 to 1.0.0 are vulnerable to an improper session termination after password change. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.
CVSS Score
8.8
EPSS Score
0.003
Published
2021-10-10
Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.
CVSS Score
4.3
EPSS Score
0.004
Published
2021-10-08
Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVSS Score
4.3
EPSS Score
0.005
Published
2021-10-08
Inappropriate implementation in Google Updater in Google Chrome on Windows prior to 94.0.4606.54 allowed a remote attacker to perform local privilege escalation via a crafted file.
CVSS Score
7.8
EPSS Score
0.007
Published
2021-10-08