Security Vulnerabilities - CVEs Published In October 2021
bookstack is vulnerable to Unrestricted Upload of File with Dangerous Type
CVSS Score
5.4
EPSS Score
0.002
Published
2021-10-27
vim is vulnerable to Heap-based Buffer Overflow
CVSS Score
7.3
EPSS Score
0.003
Published
2021-10-27
Roblox-Purchasing-Hub is an open source Roblox product purchasing hub. A security risk in versions 1.0.1 and prior allowed people who have someone's API URL to get product files without an API key. This issue is fixed in version 1.0.2. As a workaround, add `@require_apikey` in `BOT/lib/cogs/website.py` under the route for `/v1/products`.
CVSS Score
7.5
EPSS Score
0.005
Published
2021-10-27
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for private IOCTLs, where an attacker with local unprivileged system access may cause a NULL pointer dereference, which may lead to denial of service in a component beyond the vulnerable component.
CVSS Score
6.5
EPSS Score
0.0
Published
2021-10-27
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where a NULL pointer dereference in the kernel, created within user mode code, may lead to a denial of service in the form of a system crash.
CVSS Score
5.5
EPSS Score
0.0
Published
2021-10-27
Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an attacker through specific configuration and with local unprivileged system access may cause improper input validation, which may lead to denial of service.
CVSS Score
4.7
EPSS Score
0.0
Published
2021-10-27
In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing.
CVSS Score
5.3
EPSS Score
0.005
Published
2021-10-27
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
CVSS Score
3.5
EPSS Score
0.001
Published
2021-10-27
CSZ CMS v1.2.4 was discovered to contain an arbitrary file upload vulnerability in the component /core/MY_Security.php.
CVSS Score
9.8
EPSS Score
0.005
Published
2021-10-27
A vulnerability in Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to overwrite or append arbitrary data to system files using root-level privileges. The attacker must have administrative credentials on the device. This vulnerability is due to incomplete validation of user input for a specific CLI command. An attacker could exploit this vulnerability by authenticating to the device with administrative privileges and issuing a CLI command with crafted user parameters. A successful exploit could allow the attacker to overwrite or append arbitrary data to system files using root-level privileges.
CVSS Score
4.4
EPSS Score
0.002
Published
2021-10-27