Security Vulnerabilities - CVEs Published In 2021
OX App Suite through 7.10.5 allows XSS via the alt attribute of an IMG element in a truncated e-mail message.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-11-22
OX App Suite through 7.10.5 has Incorrect Access Control for retrieval of session information via the rampup action of the login API call.
CVSS Score
5.3
EPSS Score
0.003
Published
2021-11-22
OX App Suite through 7.10.5 allows XSS via JavaScript code in an anchor HTML comment within truncated e-mail, because there is a predictable UUID with HTML transformation results.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-11-22
OX App Suite 7.10.5 allows Information Exposure because a caching mechanism can caused a Modified By response to show a person's name.
CVSS Score
4.3
EPSS Score
0.003
Published
2021-11-22
The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains "^/internal/", a URI like `//internal/` can be used to bypass it. Some other plugins also have the same issue. And it may affect the developer's custom plugin.
CVSS Score
7.5
EPSS Score
0.489
Published
2021-11-22
An Out-of-Bounds Read vulnerability exists when reading a U3D file using Open Design Alliance PRC SDK before 2022.11. The specific issue exists within the parsing of U3D files. Incorrect use of the LibJpeg source manager inside the U3D library, and crafted data in a U3D file, can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.
CVSS Score
8.8
EPSS Score
0.005
Published
2021-11-22
A Use-After-Free Remote Vulnerability exists when reading a DWG file using Open Design Alliance Drawings SDK before 2022.11. The specific issue exists within the parsing of DWG files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process.
CVSS Score
7.8
EPSS Score
0.003
Published
2021-11-22
chat in OX App Suite 7.10.5 has Improper Input Validation. A user can be redirected to a rogue OX Chat server via a development-related hook.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-11-22
OX App Suite through 7.10.5 allows XSS via JavaScript code in a shared XCF file.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-11-22
OX App Suite through 7.10.5 allows XSS via a crafted snippet in a shared mail signature.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-11-22