Security Vulnerabilities - CVEs Published In October 2021
IBM QRadar Advisor 2.5 through 2.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209566.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-10-20
modern-async is an open source JavaScript tooling library for asynchronous operations using async/await and promises. In affected versions a bug affecting two of the functions in this library: forEachSeries and forEachLimit. They should limit the concurrency of some actions but, in practice, they don't. Any code calling these functions will be written thinking they would limit the concurrency but they won't. This could lead to potential security issues in other projects. The problem has been patched in 1.0.4. There is no workaround.
CVSS Score
7.5
EPSS Score
0.004
Published
2021-10-20
BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE-2021-41133.
CVSS Score
5.3
EPSS Score
0.0
Published
2021-10-20
The Cosmos-SDK is a framework for building blockchain applications in Golang. Affected versions of the SDK were vulnerable to a consensus halt due to non-deterministic behaviour in a ValidateBasic method in the x/authz module. The MsgGrant of the x/authz module contains a Grant field which includes a user-defined expiration time for when the authorization grant expires. In Grant.ValidateBasic(), that time is compared to the node’s local clock time. Any chain running an affected version of the SDK with the authz module enabled could be halted by anyone with the ability to send transactions on that chain. Recovery would require applying the patch and rolling back the latest block. Users are advised to update to version 0.44.2.
CVSS Score
6.5
EPSS Score
0.005
Published
2021-10-20
ZTE MF971R product has a CRLF injection vulnerability. An attacker could exploit the vulnerability to modify the HTTP response header information through a specially crafted HTTP request.
CVSS Score
4.3
EPSS Score
0.004
Published
2021-10-20
ZTE MF971R product has a configuration file control vulnerability. An attacker could use this vulnerability to modify the configuration parameters of the device, causing some security functions of the device to be disabled.
CVSS Score
7.5
EPSS Score
0.002
Published
2021-10-20
ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use this vulnerability to perform illegal authorization operations by sending a request to the user to click.
CVSS Score
4.3
EPSS Score
0.406
Published
2021-10-20
ZTE MF971R product has two stack-based buffer overflow vulnerabilities. An attacker could exploit the vulnerabilities to execute arbitrary code.
CVSS Score
9.8
EPSS Score
0.013
Published
2021-10-20
ZTE MF971R product has two stack-based buffer overflow vulnerabilities. An attacker could exploit the vulnerabilities to execute arbitrary code.
CVSS Score
9.8
EPSS Score
0.013
Published
2021-10-20
ZTE MF971R product has reflective XSS vulnerability. An attacker could use the vulnerability to obtain cookie information.
CVSS Score
6.1
EPSS Score
0.005
Published
2021-10-20