Security Vulnerabilities - CVEs Published In October 2021
Apache OpenOffice has a dependency on expat software. Versions prior to 2.1.0 were subject to CVE-2013-0340 a "Billion Laughs" entity expansion denial of service attack and exploit via crafted XML files. ODF files consist of a set of XML files. All versions of Apache OpenOffice up to 4.1.10 are subject to this issue. expat in version 4.1.11 is patched.
CVSS Score
6.5
EPSS Score
0.005
Published
2021-10-07
Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability when processing AcroForm listbox that could result in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
CVSS Score
7.8
EPSS Score
0.208
Published
2021-10-07
Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a use-after-free vulnerability when processing AcroForm field that could result in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
CVSS Score
7.8
EPSS Score
0.208
Published
2021-10-07
CVE-2021-42013
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
Known exploited
CVSS Score
9.8
EPSS Score
0.944
Published
2021-10-07
While working on Apache OpenOffice 4.1.8 a developer discovered that the DEB package did not install using root, but instead used a userid and groupid of 500. This both caused issues with desktop integration and could allow a crafted attack on files owned by that user or group if they exist. Users who installed the Apache OpenOffice 4.1.8 DEB packaging should upgrade to the latest version of Apache OpenOffice.
CVSS Score
7.8
EPSS Score
0.002
Published
2021-10-07
Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file overwrite leading to remote code execution.
CVSS Score
9.8
EPSS Score
0.374
Published
2021-10-07
Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.
CVSS Score
9.8
EPSS Score
0.36
Published
2021-10-07
Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.
CVSS Score
9.8
EPSS Score
0.374
Published
2021-10-07
Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.
CVSS Score
9.8
EPSS Score
0.374
Published
2021-10-07
Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.
CVSS Score
9.8
EPSS Score
0.374
Published
2021-10-07