Security Vulnerabilities - CVEs Published In October 2021
Tad Book3 editing book page does not perform identity verification. Remote attackers can use the vulnerability to view and modify arbitrary content of books without permission.
CVSS Score
9.1
EPSS Score
0.003
Published
2021-10-08
TadTools special page is vulnerable to authorization bypass, thus remote attackers can use the specific parameter to delete arbitrary files in the system without logging in.
CVSS Score
7.5
EPSS Score
0.004
Published
2021-10-08
Tad Uploader edit book list function is vulnerable to authorization bypass, thus remote attackers can use the function to amend the folder names in the book list without logging in.
CVSS Score
5.3
EPSS Score
0.003
Published
2021-10-08
Tad Book3 editing book function does not filter special characters. Unauthenticated attackers can remotely inject JavaScript syntax and execute stored XSS attacks.
CVSS Score
6.1
EPSS Score
0.007
Published
2021-10-08
Tad Honor viewing book list function is vulnerable to authorization bypass, thus remote attackers can use special parameters to delete articles arbitrarily without logging in.
CVSS Score
5.3
EPSS Score
0.003
Published
2021-10-08
TadTools special page parameter does not properly restrict the input of specific characters, thus remote attackers can inject JavaScript syntax without logging in, and further perform reflective XSS attacks.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-10-08
The file extension of the TadTools file upload function fails to filter, thus remote attackers can upload any types of files and execute arbitrary code without logging in.
CVSS Score
9.8
EPSS Score
0.022
Published
2021-10-08
In Digi RealPort through 4.10.490, authentication relies on a challenge-response mechanism that gives access to the server password, making the protection ineffective. An attacker may send an unauthenticated request to the server. The server will reply with a weakly-hashed version of the server's access password. The attacker may then crack this hash offline in order to successfully login to the server.
CVSS Score
9.8
EPSS Score
0.002
Published
2021-10-08
An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.
CVSS Score
6.5
EPSS Score
0.005
Published
2021-10-08
An issue was discovered in Digi RealPort for Windows through 4.8.488.0. A buffer overflow exists in the handling of ADDP discovery response messages. This could result in arbitrary code execution.
CVSS Score
9.8
EPSS Score
0.007
Published
2021-10-08