Security Vulnerabilities - CVEs Published In November 2021
Using the parameter of the getPFXFolderList function, attackers can see authorization certification information and delete files. This occurs because the parameter can contain path traversal characters (i.e. '../../../').
CVSS Score
7.5
EPSS Score
0.004
Published
2021-11-22
OX App Suite through 7.10.5 allows Directory Traversal via ../ in an OOXML or ODF ZIP archive, because of the mishandling of relative paths in mail addresses in conjunction with auto-configuration DNS records.
CVSS Score
6.5
EPSS Score
0.044
Published
2021-11-22
OX App Suite 7.10.5 allows XSS via an OX Chat room name.
CVSS Score
6.1
EPSS Score
0.005
Published
2021-11-22
The middleware component in OX App Suite through 7.10.5 allows Code Injection via Java classes in a YAML format.
CVSS Score
6.0
EPSS Score
0.002
Published
2021-11-22
OX App Suite 7.10.5 allows XSS via an OX Chat room title during typing rendering.
CVSS Score
6.1
EPSS Score
0.005
Published
2021-11-22
OX App Suite 7.10.5 allows XSS via an OX Chat system message.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-11-22
The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data.
CVSS Score
7.5
EPSS Score
0.451
Published
2021-11-22
OX App Suite through 7.10.5 allows XSS via a crafted snippet that has an app loader reference within an app loader URL.
CVSS Score
5.4
EPSS Score
0.004
Published
2021-11-22
OX App Suite through 7.10.5 allows XSS via the alt attribute of an IMG element in a truncated e-mail message.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-11-22
OX App Suite through 7.10.5 has Incorrect Access Control for retrieval of session information via the rampup action of the login API call.
CVSS Score
5.3
EPSS Score
0.003
Published
2021-11-22

