Security Vulnerabilities - CVEs Published In November 2021
The attacker can access the sensitive information stored within the jovi Smart Scene module by entering carefully constructed commands without requesting permission.
CVSS Score: 5.5 | EPSS Score: 0.001 | Published: 2021-11-10
In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names returned by DNS servers via gethostbyname, getaddrinfo, gethostbyaddr, and getnameinfo can lead to output of wrong hostnames (leading to domain hijacking) or injection into applications (leading to remote code execution, XSS, application crashes, etc.). In other words, a validation step, which is expected in any stub resolver, does not occur.
CVSS Score: 9.6 | EPSS Score: 0.024 | Published: 2021-11-10
An XSS issue was discovered in the google_for_jobs (aka Google for Jobs) extension before 1.5.1 and 2.x before 2.1.1 for TYPO3. The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2021-11-10
An issue was discovered in the pixxio (aka pixx.io integration or DAM) extension before 1.0.6 for TYPO3. The extension fails to restrict the image download to the configured pixx.io DAM URL, resulting in SSRF. As a result, an attacker can download various content from a remote location and save it to a user-controlled filename, which may result in Remote Code Execution. A TYPO3 backend user account is required to exploit this.
CVSS Score: 8.8 | EPSS Score: 0.015 | Published: 2021-11-10
IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information from application response requests that could be used in further attacks against the system. IBM X-Force ID: 209401.
CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2021-11-10
In Phoenix Contact FL MGUARD 1102 and 1105 in versions 1.4.0, 1.4.1 and 1.5.0, the remote logging functionality is impaired by the lack of memory release for data structures from syslog-ng when remote logging is active.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2021-11-10
Vulnerability in the Docsis 3.0 UBC1319BA00 Router, affected version 1319010201r009. The vulnerability allows an attacker with privileges and network access through the ping.cmd component to execute commands on the device.
CVSS Score: 7.2 | EPSS Score: 0.043 | Published: 2021-11-10
An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain valid access to the platform.
CVSS Score: 9.8 | EPSS Score: 0.47 | Published: 2021-11-10
In Phoenix Contact FL MGUARD 1102 and 1105 in versions 1.4.0, 1.4.1 and 1.5.0, a user with high privileges can inject HTML code (XSS) through web-based management or the REST API with a manipulated certificate file.
CVSS Score: 4.8 | EPSS Score: 0.001 | Published: 2021-11-10
In publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with the “publisher” role to inject malicious JavaScript via an uploaded HTML file.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2021-11-10