Security Vulnerabilities - CVEs Published In 2021
In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising function, and save an XSS payload in the body of the HTML document. This payload will execute globally on the client side.
CVSS Score
4.8
EPSS Score
0.038
Published
2021-11-03
In Ericsson Network Location before 2021-07-31, it is possible for an authenticated attacker to inject commands via file_name in the export functionality. For example, a new admin user could be created.
CVSS Score
8.8
EPSS Score
0.111
Published
2021-11-03
HP has identified a security vulnerability with the I.R.I.S. OCR (Optical Character Recognition) software available with HP PageWide and OfficeJet printer software installations that could potentially allow unauthorized local code execution.
CVSS Score
7.8
EPSS Score
0.001
Published
2021-11-03
HP Print and Scan Doctor may potentially be vulnerable to local elevation of privilege.
CVSS Score
7.8
EPSS Score
0.001
Published
2021-11-03
The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
CVSS Score
6.5
EPSS Score
0.002
Published
2021-11-03
In Druid 1.2.3, visiting the path with parameter in a certain function can lead to directory traversal.
CVSS Score
7.5
EPSS Score
0.004
Published
2021-11-03
Possible system denial of service in case of arbitrary changing Firefox browser parameters. An attacker could change specific Firefox browser parameters file in a certain way and then reboot the system to make the system unbootable.
CVSS Score
7.5
EPSS Score
0.013
Published
2021-11-03
Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter supplier of the API maintenance, which may allow an attacker to remotely execute code.
CVSS Score
5.5
EPSS Score
0.003
Published
2021-11-03
Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter name of the API devices, which may allow an attacker to remotely execute code.
CVSS Score
5.5
EPSS Score
0.003
Published
2021-11-03
Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter deviceName of the API modbusWriter-Reader, which may allow an attacker to remotely execute code.
CVSS Score
5.5
EPSS Score
0.002
Published
2021-11-03