Security Vulnerabilities - CVEs Published In November 2021
Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module.
CVSS Score
6.1
EPSS Score
0.048
Published
2021-11-30
Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor.
CVSS Score
7.5
EPSS Score
0.072
Published
2021-11-30
Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality.
CVSS Score
9.8
EPSS Score
0.742
Published
2021-11-30
PortSwigger Burp Suite Enterprise Edition before 2021.11 on Windows has weak file permissions for the embedded H2 database, which might lead to privilege escalation. This issue can be exploited by an adversary who has already compromised a valid Windows account on the server via separate means. In this scenario, the compromised account may have inherited read access to sensitive configuration, database, and log files.
CVSS Score
6.5
EPSS Score
0.002
Published
2021-11-30
Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution.
CVSS Score
9.8
EPSS Score
0.277
Published
2021-11-30
An issue was discovered on Victure WR1200 devices through 1.0.3. The default Wi-Fi WPA2 key is advertised to anyone within Wi-Fi range through the router's MAC address. The device default Wi-Fi password corresponds to the last 4 bytes of the MAC address of its 2.4 GHz network interface controller (NIC). An attacker within scanning range of the Wi-Fi network can thus scan for Wi-Fi networks to obtain the default key.
CVSS Score
6.5
EPSS Score
0.002
Published
2021-11-30
An issue was discovered on Victure WR1200 devices through 1.0.3. A command injection vulnerability was found within the web interface of the device, allowing an attacker with valid credentials to inject arbitrary shell commands to be executed by the device with root privileges. This occurs in the ping and traceroute features. An attacker would thus be able to use this vulnerability to open a reverse shell on the device with root privileges.
CVSS Score
8.8
EPSS Score
0.033
Published
2021-11-30
An issue was discovered on Victure WR1200 devices through 1.0.3. The root SSH password never gets updated from its default value of admin. This enables an attacker to gain control of the device through SSH (regardless of whether the admin password was changed on the web interface).
CVSS Score
7.8
EPSS Score
0.001
Published
2021-11-30
Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module.
CVSS Score
6.1
EPSS Score
0.048
Published
2021-11-30
This issue was discovered when the ipTIME C200 IP Camera was synchronized with the ipTIME NAS. It is necessary to extract value for ipTIME IP camera because the ipTIME NAS send ans setCookie('[COOKIE]') . The value is transferred to the --header option in wget binary, and there is no validation check. This vulnerability allows remote attackers to execute remote command.
CVSS Score
8.8
EPSS Score
0.008
Published
2021-11-30