Security Vulnerabilities - CVEs Published In October 2021
The affected product is vulnerable to a disclosure of peer username and password by allowing all users access to read global variables.
CVSS Score
8.0
EPSS Score
0.002
Published
2021-10-22
The affected product is vulnerable to a parameter injection via passphrase, which enables the attacker to supply uncontrolled input.
CVSS Score
8.0
EPSS Score
0.002
Published
2021-10-22
The affected product is vulnerable to a missing permission validation on system backup restore, which could lead to account take over and unapproved settings change.
CVSS Score
8.0
EPSS Score
0.002
Published
2021-10-22
The affected product is vulnerable to a unsanitized extract folder for system configuration. A low-privileged user can leverage this logic to overwrite the settings and other key functionality.
CVSS Score
8.0
EPSS Score
0.002
Published
2021-10-22
The affected product is vulnerable to directory traversal due to mishandling of provided backup folder structure.
CVSS Score
8.0
EPSS Score
0.005
Published
2021-10-22
In multiple methods of AAudioService, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-153358911
CVSS Score
7.8
EPSS Score
0.0
Published
2021-10-22
In getAllSubInfoList of SubscriptionController.java, there is a possible way to retrieve a long term identifier without the correct permissions due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-183612370
CVSS Score
5.5
EPSS Score
0.0
Published
2021-10-22
In loadLabel of PackageItemInfo.java, there is a possible way to DoS a device by having a long label in an app due to incorrect input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-9 Android-10Android ID: A-67013844
CVSS Score
5.5
EPSS Score
0.0
Published
2021-10-22
The scheduler service running on a specific TCP port enables the user to start and stop jobs. There is no sanitation of the supplied JOB ID provided to the function. An attacker may send a malicious payload that can enable the user to execute another SQL expression by sending a specific string.
CVSS Score
8.1
EPSS Score
0.002
Published
2021-10-22
All versions of yongyou PLM are affected by a command injection issue. UFIDA PLM (Product Life Cycle Management) is a strategic management method. It applies a series of enterprise application systems to support the entire process from conceptual design to the end of product life, and the collaborative creation, distribution, application and management of product information across organizations. Yonyou PLM uses jboss by default, and you can access the management control background without authorization An attacker can use this vulnerability to gain server permissions.
CVSS Score
9.8
EPSS Score
0.028
Published
2021-10-22