Security Vulnerabilities - CVEs Published In November 2021
OX App Suite through 7.10.5 allows XSS via JavaScript code in an anchor HTML comment within truncated e-mail, because there is a predictable UUID with HTML transformation results.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-11-22
OX App Suite 7.10.5 allows Information Exposure because a caching mechanism can caused a Modified By response to show a person's name.
CVSS Score
4.3
EPSS Score
0.003
Published
2021-11-22
The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains "^/internal/", a URI like `//internal/` can be used to bypass it. Some other plugins also have the same issue. And it may affect the developer's custom plugin.
CVSS Score
7.5
EPSS Score
0.36
Published
2021-11-22
An Out-of-Bounds Read vulnerability exists when reading a U3D file using Open Design Alliance PRC SDK before 2022.11. The specific issue exists within the parsing of U3D files. Incorrect use of the LibJpeg source manager inside the U3D library, and crafted data in a U3D file, can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.
CVSS Score
8.8
EPSS Score
0.005
Published
2021-11-22
A Use-After-Free Remote Vulnerability exists when reading a DWG file using Open Design Alliance Drawings SDK before 2022.11. The specific issue exists within the parsing of DWG files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process.
CVSS Score
7.8
EPSS Score
0.003
Published
2021-11-22
chat in OX App Suite 7.10.5 has Improper Input Validation. A user can be redirected to a rogue OX Chat server via a development-related hook.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-11-22
OX App Suite through 7.10.5 allows XSS via JavaScript code in a shared XCF file.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-11-22
OX App Suite through 7.10.5 allows XSS via a crafted snippet in a shared mail signature.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-11-22
In the wazuh-slack active response script in Wazuh 4.2.x before 4.2.5, untrusted user agents are passed to a curl command line, potentially resulting in remote code execution.
CVSS Score
9.8
EPSS Score
0.083
Published
2021-11-22
certain VT-d IOMMUs may not work in shared page table mode For efficiency reasons, address translation control structures (page tables) may (and, on suitable hardware, by default will) be shared between CPUs, for second-level translation (EPT), and IOMMUs. These page tables are presently set up to always be 4 levels deep. However, an IOMMU may require the use of just 3 page table levels. In such a configuration the lop level table needs to be stripped before inserting the root table's address into the hardware pagetable base register. When sharing page tables, Xen erroneously skipped this stripping. Consequently, the guest is able to write to leaf page table entries.
CVSS Score
8.8
EPSS Score
0.001
Published
2021-11-21