Security Vulnerabilities - CVEs Published In 2021
The software allows an attacker to upload or transfer files of dangerous types to the WebHMI portal; such files may be automatically processed within the product's environment or lead to arbitrary code execution.
CVSS Score: 10.0 | EPSS Score: 0.287 | Published: 2021-12-06
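The entry above gives no detail of how WebHMI handles uploads, so the following is an added illustration, written in Python for this page rather than taken from the product, of the server-side checks that stop "dangerous types" from reaching a location where they would be processed or executed. The allowlist, the magic-byte signatures, the filename pattern and the upload directory are assumptions chosen for the example; the sample file contents are constructed.

```python
import os
import re
import secrets

# Server-side allowlist (assumed for this example): extension -> leading bytes
# the file must carry. The client's Content-Type is never consulted.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
# Exactly one stem and one extension: "report.pdf" passes,
# "report.php.pdf" (double extension) and "report" (none) do not.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$")


def validate_upload(filename, data):
    """Return (accepted, reason) for an upload, deciding on server-side rules only."""
    if "\x00" in filename:
        return False, "NUL byte in filename"
    # Any directory part in the client-supplied name is a traversal attempt.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base != filename:
        return False, "directory components in filename"
    if not SAFE_NAME.match(base):
        return False, "filename outside allowed pattern"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    # The content must look like what the extension claims; a script saved
    # as "x.png" fails here even though the extension was acceptable.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    return True, "ok"


def storage_path(upload_dir, ext):
    """Never reuse the client's name on disk: random name, server-chosen extension, inside upload_dir."""
    name = f"{secrets.token_hex(16)}.{ext}"
    return os.path.join(os.path.normpath(upload_dir), name)


if __name__ == "__main__":
    # Constructed inputs: a minimal PNG header and a short PHP snippet.
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)
    php = b"<?php echo 'x'; ?>"
    for name, blob in [("diagram.png", png), ("shell.php", php),
                       ("shell.php.png", png), ("fake.png", php),
                       ("../../etc/x.png", png)]:
        print(f"{name!r:22} -> {validate_upload(name, blob)}")
    print(storage_path("/srv/uploads", "png"))
```

The signature check is a type check, not a content scan: a file that is a valid image and also valid script (a polyglot) passes it, so the upload directory must additionally be served without execute permissions and the stored name must never be the client's. The example assumes those deployment controls exist alongside it.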
The Serv-U server responds with a valid CSRFToken when the request contains only the Session value.
CVSS Score: 8.3 | EPSS Score: 0.001 | Published: 2021-12-06
When a user has admin rights in the Serv-U Console, that user can move, create and delete any files that are accessible on the Serv-U host machine.
CVSS Score: 8.4 | EPSS Score: 0.002 | Published: 2021-12-06
Successful exploitation of this vulnerability could allow an unauthorized user to access sensitive data.
CVSS Score: 8.3 | EPSS Score: 0.002 | Published: 2021-12-06
The WP Data Access WordPress plugin before 5.0.0 does not properly sanitise and escape the backup_date parameter before using it in a SQL statement, leading to a SQL injection issue that could allow arbitrary table deletion.
CVSS Score: 9.8 | EPSS Score: 0.005 | Published: 2021-12-06
The Tawk.To Live Chat WordPress plugin before 0.6.0 does not have capability and CSRF checks in the tawkto_setwidget and tawkto_removewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users (including simple subscribers) to change the 'tawkto-embed-widget-page-id' and 'tawkto-embed-widget-widget-id' parameters. Any authenticated user can thus link the vulnerable website to their own Tawk.to instance. Consequently, they will be able to monitor the vulnerable website and interact with its visitors (receive contact messages, answer, ...). They will also be able to display an arbitrary Knowledge Base. The second one will remove the live chat widget from pages.
CVSS Score: 8.0 | EPSS Score: 0.001 | Published: 2021-12-06
The WPS Hide Login WordPress plugin before 1.9.1 has a bug that allows an unauthenticated user to obtain the secret login page by setting an arbitrary Referer header and making a request to /wp-admin/options.php.
CVSS Score: 7.5 | EPSS Score: 0.745 | Published: 2021-12-06
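The trigger described above is visible in ordinary web server access logs: a request for /wp-admin/options.php whose Referer is not a page on the site itself. The following is an added detection example, written here for this page and not part of any vendor or plugin code, that parses Combined Log Format lines and flags that pattern. The site hostname example.test and every log line are constructed for the example; the page does not describe what the vulnerable plugin returns, so the logic deliberately ignores the response status.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format, one request per line:
#   client ident user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SITE_HOST = "example.test"            # assumed hostname of the monitored WordPress site
TARGET_PATH = "/wp-admin/options.php"

# Constructed sample traffic (not real logs). Lines 1 and 2 carry the pattern from the
# description: options.php fetched with a made-up Referer (a bare string, then a foreign URL).
# Line 3 is an administrator saving settings, line 4 a direct visit with no Referer,
# line 5 a foreign Referer on an unrelated path.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Dec/2021:10:15:02 +0000] "GET /wp-admin/options.php HTTP/1.1" 302 0 "qz81kd" "curl/7.68.0"
203.0.113.11 - - [06/Dec/2021:10:15:40 +0000] "GET /wp-admin/options.php HTTP/1.1" 302 0 "http://zx9q.example/" "curl/7.68.0"
198.51.100.3 - - [06/Dec/2021:10:16:40 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "https://example.test/wp-admin/options-general.php" "Mozilla/5.0"
203.0.113.9 - - [06/Dec/2021:10:17:11 +0000] "GET /wp-admin/options.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Dec/2021:10:18:03 +0000] "GET /index.php HTTP/1.1" 200 5123 "http://other.example/" "curl/7.68.0"
"""


def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_is_own_site(referer, site_host):
    """True only when the Referer parses as a URL whose host is the site itself."""
    host = urlsplit(referer).hostname
    return host is not None and host.lower() == site_host.lower()


def is_probe(rec, site_host=SITE_HOST):
    """options.php requested with a Referer that is present but not the site's own."""
    if rec is None or rec["path"].split("?", 1)[0] != TARGET_PATH:
        return False
    ref = rec["referer"]
    if ref in ("", "-"):
        return False   # no Referer at all is a direct visit, not this trigger
    return not referer_is_own_site(ref, site_host)


def find_probes(log_text, site_host=SITE_HOST):
    """Return (client ip, referer) for each flagged line, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_probe(rec, site_host):
            hits.append((rec["ip"], rec["referer"]))
    return hits


if __name__ == "__main__":
    for ip, ref in find_probes(SAMPLE_LOG):
        print(f"flagged {ip} referer={ref!r}")
```

A bare string such as "qz81kd" has no hostname after urlsplit(), so it is treated as foreign rather than silently skipped; that matters because the description speaks of a random Referer string, not necessarily a well-formed URL. Administrators reaching options.php normally arrive from a page on the same host, which is why own-site Referers are excluded rather than all Referers.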
The Email Log WordPress plugin before 2.4.8 does not escape the d parameter before outputting it back in an attribute in the Log page, leading to a Reflected Cross-Site Scripting issue.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2021-12-06
The WordPress Online Booking and Scheduling Plugin WordPress plugin before 20.3.1 does not escape the Staff Full Name field before outputting it back in a page, which could lead to a Stored Cross-Site Scripting issue.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2021-12-06
The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an SQL injection.
CVSS Score: 9.8 | EPSS Score: 0.72 | Published: 2021-12-06
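Two entries on this page (WP Data Access, backup_date; Secure Copy Content Protection, sccp_id) share the same root cause: a request parameter is placed into a SQL statement as text. The following is an added illustration of that pattern and its fix, written in Python with sqlite3 for this page; it is not either plugin's code, and the page does not show the plugins' real queries. The backups table, its rows, the DELETE statement and the date pattern are all constructed for the example.

```python
import re
import sqlite3

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")   # assumed shape of a legitimate backup_date value


def make_db():
    """Constructed in-memory table standing in for a plugin's backup bookkeeping."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE backups (id INTEGER PRIMARY KEY, backup_date TEXT, path TEXT)")
    conn.executemany("INSERT INTO backups (backup_date, path) VALUES (?, ?)",
                     [("2021-12-01", "/bk/a.sql"), ("2021-12-05", "/bk/b.sql"), ("2021-12-06", "/bk/c.sql")])
    return conn


def remaining(conn):
    return conn.execute("SELECT COUNT(*) FROM backups").fetchone()[0]


def delete_backup_vulnerable(conn, backup_date):
    """Parameter spliced in as text: a quote in the value ends the literal and the rest is parsed as SQL."""
    conn.execute(f"DELETE FROM backups WHERE backup_date = '{backup_date}'")
    return remaining(conn)


def delete_backup_bound(conn, backup_date):
    """Bound parameter: the value is sent apart from the statement, so quotes in it stay data."""
    conn.execute("DELETE FROM backups WHERE backup_date = ?", (backup_date,))
    return remaining(conn)


def is_valid_backup_date(value):
    return bool(DATE_RE.match(value))


def handle_delete_request(conn, backup_date):
    """Defence in depth: allowlist the expected shape first, then bind. Returns (outcome, rows left)."""
    if not is_valid_backup_date(backup_date):
        return "rejected", remaining(conn)
    return "deleted", delete_backup_bound(conn, backup_date)


# A value that closes the quoted literal; against the vulnerable builder it turns
# "delete the 2021-12-06 backup" into "delete every row".
CRAFTED = "2021-12-06' OR '1'='1"

if __name__ == "__main__":
    print("vulnerable:", delete_backup_vulnerable(make_db(), CRAFTED), "rows left")   # 0
    print("bound:     ", delete_backup_bound(make_db(), CRAFTED), "rows left")        # 3
    print("handled:   ", handle_delete_request(make_db(), CRAFTED))                   # ('rejected', 3)
    print("legit:     ", handle_delete_request(make_db(), "2021-12-06"))              # ('deleted', 2)
```

Binding alone is the fix; the allowlist is extra insurance that also keeps malformed input out of logs and error messages. For an identifier such as sccp_id the equivalent allowlist is an integer check before binding. In a WordPress plugin the binding step is $wpdb->prepare() with %s or %d placeholders rather than string concatenation into $wpdb->query().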
Shodan ® - All rights reserved