Security Vulnerabilities - CVEs Published In December 2021
A cross-site scripting (XSS) vulnerability in the Editing component of lemon V1.10.0 allows attackers to execute arbitrary web scripts or HTML.
CVSS Score: 6.1; EPSS Score: 0.003; Published: 2021-12-22
MetInfo 7.0 beta contains a stored cross-site scripting (XSS) vulnerability in the $name parameter of admin/?n=column&c=index&a=doAddColumn.
CVSS Score: 5.4; EPSS Score: 0.003; Published: 2021-12-22
An issue in ThinkCMF X2.2.2 and below allows attackers to execute arbitrary code via a crafted packet.
CVSS Score: 9.8; EPSS Score: 0.005; Published: 2021-12-22
Blog CMS v1.0 contains a cross-site scripting (XSS) vulnerability in the /controller/CommentAdminController.java component.
CVSS Score: 6.1; EPSS Score: 0.003; Published: 2021-12-22
Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection, which may result in cross-site scripting when leveraged by a malicious user. The affected core relates to JavaScript object creation when parsing JSON input. Releases before version 21.12.22.1 are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See GHSA-5q7q-qqw2-hjq7 for workaround details.
CVSS Score: 8.7; EPSS Score: 0.002; Published: 2021-12-22
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at the ‘host_alt_filter’ parameter. This can be done as any authenticated user or through cross-site request forgery.
CVSS Score: 7.7; EPSS Score: 0.012; Published: 2021-12-22
An authentication bypass vulnerability exists in the CMD_DEVICE_GET_RSA_KEY_REQUEST functionality of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h. A specially-crafted set of network packets can lead to increased privileges.
CVSS Score: 9.4; EPSS Score: 0.005; Published: 2021-12-22
An authentication bypass vulnerability exists in the process_msg() function of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h. A specially-crafted man-in-the-middle attack can lead to increased privileges.
CVSS Score: 7.7; EPSS Score: 0.003; Published: 2021-12-22
DIAEnergie Version 1.7.5 and prior is vulnerable to a reflected cross-site scripting attack through error pages that are returned by “.NET Request.QueryString”.
CVSS Score: 7.5; EPSS Score: 0.002; Published: 2021-12-22
DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site scripting when an unauthenticated user injects arbitrary code into the parameter “descr” of the script “DIAE_hierarchyHandler.ashx”.
CVSS Score: 6.5; EPSS Score: 0.009; Published: 2021-12-22

