Security Vulnerabilities - CVEs Published In November 2021
The affected product is vulnerable to cookie information being transmitted as cleartext over HTTP. An attacker can capture network traffic, obtain the user’s cookie and take over the account.
CVSS Score: 5.7 | EPSS Score: 0.001 | Published: 2021-11-05
An attacker could prepare a specially crafted project file that, if opened, would attempt to connect to the cloud and trigger a man in the middle (MiTM) attack. This could allow an attacker to obtain credentials and take over the user’s cloud account.
CVSS Score: 5.0 | EPSS Score: 0.001 | Published: 2021-11-05
vim is vulnerable to Heap-based Buffer Overflow
CVSS Score: 7.3 | EPSS Score: 0.002 | Published: 2021-11-05
vim is vulnerable to Use of Uninitialized Variable
CVSS Score: 7.3 | EPSS Score: 0.001 | Published: 2021-11-05
Multiple Cross Site Scripting (XSS) vulnerabilities exist in PHPGurukul Hospital Management System 4.0 via the (1) searchdata parameter in (a) doctor/search.php and (b) admin/patient-search.php, and the (2) fromdate and (3) todate parameters in admin/betweendates-detailsreports.php.
CVSS Score: 6.1 | EPSS Score: 0.052 | Published: 2021-11-05
Multiple Cross Site Scripting (XSS) vulnerabilities exist in PHPGurukul Shopping v3.1 via the (1) callback parameter in (a) server_side/scripts/id_jsonp.php, (b) server_side/scripts/jsonp.php, and (c) scripts/objects_jsonp.php, the (2) value parameter in examples_support/editable_ajax.php, and the (3) PHP_SELF parameter in captcha/index.php.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2021-11-05
bookstack is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Score: 6.5 | EPSS Score: 0.004 | Published: 2021-11-05
grav is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Score: 8.8 | EPSS Score: 0.01 | Published: 2021-11-05
A SQL Injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP in event-management/views. An attacker can leverage this vulnerability to manipulate the SQL query performed. As a result, the attacker can extract sensitive data from the web server and, in some cases, use this vulnerability to get remote code execution on the remote web server.
CVSS Score: 9.8 | EPSS Score: 0.724 | Published: 2021-11-05
A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter in the my_classmates.php web page. As a result, an attacker can extract sensitive data from the web server and, in some cases, use this vulnerability to get remote code execution on the remote web server.
CVSS Score: 9.8 | EPSS Score: 0.214 | Published: 2021-11-05



Shodan ® - All rights reserved