Security Vulnerabilities - CVEs Published In October 2021
Default SilverStripe GraphQL Server (aka silverstripe/graphql) 3.x through 3.4.1 permission checker not inherited by query subclass.
CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2021-10-07
In LCOS 10.40 to 10.42.0473-RU3 with SNMPv3 enabled on LANCOM devices, changing the password of the root user via the CLI does not change the password of the root user for SNMPv3 access. (However, changing the password of the root user via LANconfig does change the password of the root user for SNMPv3 access.)
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2021-10-07
Meross MSG100 devices before 3.2.3 allow an attacker to replay the same data or similar data (e.g., an attacker who sniffs a Close message can transmit an acceptable Open message).
CVSS Score: 8.1 | EPSS Score: 0.002 | Published: 2021-10-07
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use-after-free attack where an attacker might be able to exploit the memory corruption to change process behavior.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2021-10-07
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP address to bypass the limitations in place for localhost, allowing interaction with local services. Impact can vary depending on services exposed. CVSSv2.0 AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2021-10-07
SilverStripe Framework through 4.8.1 allows XSS.
CVSS Score: 6.1 | EPSS Score: 0.005 | Published: 2021-10-07
Integria IMS in its 5.0.92 version is vulnerable to a Remote Code Execution attack through file uploading. An unauthenticated attacker could abuse the AsyncUpload() function in order to exploit the vulnerability.
CVSS Score: 9.8 | EPSS Score: 0.016 | Published: 2021-10-07
The mkdocs 1.2.2 built-in dev-server allows directory traversal using port 8000, enabling remote exploitation to obtain sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601 and https://github.com/nisdn/CVE-2021-40978/issues/1
CVSS Score: 7.5 | EPSS Score: 0.848 | Published: 2021-10-07
HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authenticated users with job submission capabilities to cause denial of service by submitting incomplete job specifications with a Consul mesh gateway and host networking mode. Fixed in 1.1.6.
CVSS Score: 6.5 | EPSS Score: 0.005 | Published: 2021-10-07
Maian Cart v3.8 contains a preauthorization remote code execution (RCE) exploit via a broken access control issue in the Elfinder plugin.
CVSS Score: 9.8 | EPSS Score: 0.704 | Published: 2021-10-07
Shodan ® - All rights reserved