Security Vulnerabilities - CVEs Published In 2021
A stored cross-site scripting (XSS) vulnerability discovered in the WordPress Comment Engine Pro plugin (versions <= 1.0) could be exploited by users with Editor or higher role.
CVSS Score
4.8
EPSS Score
0.002
Published
2021-12-10
Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing.
CVSS Score
9.8
EPSS Score
0.014
Published
2021-12-10
An information disclosure vulnerability in the login page of Huntflow Enterprise before 3.10.4 could allow an unauthenticated, remote user to get information about the domain name of the configured LDAP server. An attacker could exploit this vulnerability by requesting the login page and searching for the "isLdap" JavaScript parameter in the HTML source code.
CVSS Score
7.5
EPSS Score
0.005
Published
2021-12-10
openwhyd is vulnerable to URL Redirection to Untrusted Site
CVSS Score
7.3
EPSS Score
0.002
Published
2021-12-10
A user interface overlay vulnerability was discovered in F-Secure SAFE Browser for Android. When a user clicks on a specially crafted, seemingly legitimate URL, SAFE Browser goes into full screen and hides the user interface. A remote attacker can leverage this to perform a spoofing attack.
CVSS Score
4.3
EPSS Score
0.002
Published
2021-12-10
An issue was discovered in Digi TransPort DR64, SR44 VC74, and WR. The ZING protocol allows arbitrary remote command execution with SUPER privileges. This allows an attacker (with knowledge of the protocol) to execute arbitrary code on the controller including overwriting firmware, adding/removing users, disabling the internal firewall, etc.
CVSS Score
9.8
EPSS Score
0.081
Published
2021-12-10
An issue was discovered on Digi TransPort devices through 2021-07-21. An authenticated attacker may read a password file (with reversible passwords) from the device, which allows decoding of other users' passwords.
CVSS Score
6.5
EPSS Score
0.003
Published
2021-12-10
An issue was discovered on Digi TransPort devices through 2021-07-21. An authenticated attacker may load customized firmware (because the bootloader does not verify that it is authentic), changing the behavior of the gateway.
CVSS Score
8.8
EPSS Score
0.003
Published
2021-12-10
An issue was discovered on Digi TransPort Gateway devices through 5.2.13.4. They do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in cleartext over an HTTP session.
CVSS Score
7.5
EPSS Score
0.002
Published
2021-12-10
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score
7.4
EPSS Score
0.0
Published
2021-12-10

