Security Vulnerabilities - CVEs Published In October 2021
Online Student Admission System 1.0 is affected by an unauthenticated SQL injection bypass vulnerability in /admin/login.php.
CVSS Score: 9.8 | EPSS Score: 0.012 | Published: 2021-10-26
Online Student Admission System 1.0 is affected by an insecure file upload vulnerability. A low privileged user can upload malicious PHP files by updating their profile image to gain remote code execution.
CVSS Score: 8.8 | EPSS Score: 0.079 | Published: 2021-10-26
Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file.
CVSS Score: 7.8 | EPSS Score: 0.015 | Published: 2021-10-26
Penguin Aurora TV Box 41502 is a high-end network HD set-top box produced by Tencent Video and Skyworth Digital. An unauthorized access vulnerability exists in the Penguin Aurora Box. An attacker can use the vulnerability to gain unauthorized access to a specific link to remotely control the TV.
CVSS Score: 10.0 | EPSS Score: 0.004 | Published: 2021-10-26
Cross-site scripting vulnerability in Movable Type Movable Type Premium 1.37 and earlier and Movable Type Premium Advanced 1.37 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2021-10-26
An issue was discovered in Nagios XI 5.8.5. Insecure file permissions on the nagios_unbundler.py file allow the nagios user to elevate their privileges to the root user.
CVSS Score: 7.8 | EPSS Score: 0.005 | Published: 2021-10-26
An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote command execution.
CVSS Score: 7.2 | EPSS Score: 0.672 | Published: 2021-10-26
An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an attacker to execute system commands.
CVSS Score: 7.2 | EPSS Score: 0.765 | Published: 2021-10-26
An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.
CVSS Score: 9.8 | EPSS Score: 0.037 | Published: 2021-10-26
In CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56 unauthenticated crafted invalid requests may result in several denial-of-service conditions. Running PLC programs may be stopped, memory may be leaked, or further communication clients may be blocked from accessing the PLC.
CVSS Score: 7.5 | EPSS Score: 0.016 | Published: 2021-10-26
Shodan ® - All rights reserved