Security Vulnerabilities - CVEs Published In 2021
SQL injection vulnerability in 188Jianzhan v2.1.0 allows attackers to execute arbitrary SQL queries and gain escalated privileges via the username parameter to login.php.
CVSS Score: 9.8 | EPSS Score: 0.006 | Published: 2021-11-02

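The pattern behind a login-form SQL injection, shown as an added example that is not 188Jianzhan's code: a query that interpolates the username parameter beside a parameterised lookup. The schema, users and salt are constructed for the demo; the classic `' OR 1=1 --` payload comments out the password clause in the first version and is treated as a literal username in the second.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo data, not 188Jianzhan's schema or users.
_SALT = b"demo-static-salt"   # real code uses a random per-user salt


def _hash_password(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000).hex()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", _hash_password("s3cret-admin"), "admin"),
        ("alice", _hash_password("alice-pw"), "user"),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Interpolates the request parameter into the query: the login.php bug class."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND pw_hash = '{_hash_password(password)}'")
    return conn.execute(sql).fetchone()          # (username, role) or None


def login_safe(conn, username: str, password: str):
    """Parameterised lookup by username only; the secret is compared in constant time."""
    row = conn.execute("SELECT username, pw_hash, role FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[1], _hash_password(password)):
        return None
    return (row[0], row[2])


def run_demo() -> dict:
    conn = make_db()
    payload = "' OR 1=1 --"   # '--' comments out the rest of the WHERE clause
    return {
        "vuln_valid": login_vulnerable(conn, "admin", "s3cret-admin"),
        "vuln_injected": login_vulnerable(conn, payload, "anything"),
        "safe_injected": login_safe(conn, payload, "anything"),
        "safe_valid": login_safe(conn, "admin", "s3cret-admin"),
        "safe_wrong_pw": login_safe(conn, "admin", "wrong"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Note that `sqlite3.execute` refuses stacked statements, so a `'; DROP TABLE` style payload fails here even in the vulnerable version; MySQL drivers used by PHP applications do not necessarily give that protection, and it is not a substitute for parameterisation.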
Cross-site request forgery (CSRF) vulnerability in AyaCMS 3.1.2 allows attackers to change an administrator's password or cause other unspecified impacts.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2021-11-02

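A password-change handler with and without CSRF protection, as an added example that is not AyaCMS code. The site origin, session store and request dictionaries are constructed for the demo; the hardened handler checks the `Origin`/`Referer` header and a per-session synchronizer token, so a form submitted from another site with the victim's cookie is rejected.

```python
import hmac
import secrets

SITE_ORIGIN = "https://cms.example.test"   # hypothetical site origin
_sessions = {}                              # session id -> session record (demo store)


def create_session(user: str, password: str) -> str:
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = {"user": user, "password": password,
                      "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The server embeds this in its own password form as a hidden field."""
    return _sessions[sid]["csrf"]


def current_password(sid: str) -> str:
    return _sessions[sid]["password"]


def _same_origin(headers: dict) -> bool:
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is None:
        return False        # strict: a state-changing POST must carry one of the two
    return referer == SITE_ORIGIN or referer.startswith(SITE_ORIGIN + "/")


def change_password_vulnerable(cookie_sid: str, headers: dict, form: dict) -> int:
    """Trusts the session cookie alone: any site can make the browser send it."""
    sess = _sessions.get(cookie_sid)
    if sess is None:
        return 401
    sess["password"] = form["new_password"]
    return 200


def change_password_safe(cookie_sid: str, headers: dict, form: dict) -> int:
    sess = _sessions.get(cookie_sid)
    if sess is None:
        return 401
    if not _same_origin(headers):
        return 403
    # Constant-time compare; a missing token is simply a wrong token.
    if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf"]):
        return 403
    sess["password"] = form["new_password"]
    return 200


def run_demo() -> dict:
    legit_headers = {"Origin": SITE_ORIGIN}
    forged_headers = {"Origin": "https://attacker.example"}   # browser adds this on cross-site POST
    results = {}

    sid = create_session("admin", "original")
    results["vuln_forged"] = change_password_vulnerable(sid, forged_headers, {"new_password": "pwned"})
    results["vuln_pw"] = current_password(sid)

    sid2 = create_session("admin", "original")
    results["safe_forged_no_token"] = change_password_safe(
        sid2, forged_headers, {"new_password": "pwned"})
    results["safe_wrong_token"] = change_password_safe(      # right origin, wrong token
        sid2, legit_headers, {"new_password": "pwned", "csrf_token": "guess"})
    results["safe_legit"] = change_password_safe(
        sid2, legit_headers, {"new_password": "rotated", "csrf_token": csrf_token_for(sid2)})
    results["safe_pw"] = current_password(sid2)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Marking the session cookie `SameSite=Lax` or `Strict` is a complementary browser-side defence; the token check remains the control the server can enforce on its own.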
Cross-site scripting (XSS) vulnerability in xujinliang zibbs 1.0 allows attackers to execute arbitrary web script in a victim's browser via the route parameter to index.php.
CVSS Score: 9.6 | EPSS Score: 0.007 | Published: 2021-11-02

Cross-site scripting (XSS) vulnerability in application/controllers/AdminController.php in xujinliang zibbs 1.0 allows attackers to execute arbitrary web script in a victim's browser via the bbsmeta parameter.
CVSS Score: 9.6 | EPSS Score: 0.007 | Published: 2021-11-02

Cross-site scripting (XSS) vulnerability in infusions/member_poll_panel/poll_admin.php in PHP-Fusion 9.03.50 allows attackers to execute arbitrary web script in a victim's browser via the polls feature.
CVSS Score: 9.6 | EPSS Score: 0.008 | Published: 2021-11-02

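The three XSS entries above (the route parameter, the bbsmeta parameter, and the polls feature) share one root cause: a request value written into the page without output encoding for the context it lands in. The following is an added example, not code from zibbs or PHP-Fusion; the parameter names are borrowed from the entries only as labels, and the payloads are constructed. It shows an unencoded sink beside encoders for the HTML body, a quoted attribute, and an inline script.

```python
import html
import json

# Constructed payloads for the three contexts.
PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'      # breaks out of a quoted attribute
SCRIPT_PAYLOAD = "</script><script>alert(1)</script>"


def render_route_vulnerable(route: str) -> str:
    """Echoes the request parameter straight into the page."""
    return f"<p>Unknown route: {route}</p>"


def render_route_safe(route: str) -> str:
    """HTML body context: entity-encode < > & and both quote characters."""
    return f"<p>Unknown route: {html.escape(route, quote=True)}</p>"


def render_meta_attr_safe(bbsmeta: str) -> str:
    """Quoted-attribute context: the same encoder suffices, provided the attribute is quoted."""
    return f'<input name="bbsmeta" value="{html.escape(bbsmeta, quote=True)}">'


def render_meta_script_safe(bbsmeta: str) -> str:
    """Inline-script context: JSON-encode the value and neutralise '</' so it
    cannot terminate the <script> element early."""
    literal = json.dumps(bbsmeta).replace("</", "<\\/")
    return f"<script>var bbsmeta = {literal};</script>"


if __name__ == "__main__":
    print(render_route_vulnerable(PAYLOAD))
    print(render_route_safe(PAYLOAD))
    print(render_meta_attr_safe(ATTR_PAYLOAD))
    print(render_meta_script_safe(SCRIPT_PAYLOAD))
```

Encoding is per sink, not per input: a value that is safe in a quoted attribute is not automatically safe inside a script block, which is why each renderer above uses the encoder for its own context.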
An improper access control vulnerability [CWE-284] in FortiManager versions 6.4.4 and 6.4.5 may allow an authenticated attacker with a restricted user profile to modify the VPN tunnel status of other VDOMs using VPN Manager.
CVSS Score: 6.3 | EPSS Score: 0.002 | Published: 2021-11-02

Multiple uncontrolled resource consumption vulnerabilities in the web interface of FortiPortal before 6.0.6 may allow a single low-privileged user to induce a denial of service via multiple HTTP requests.
CVSS Score: 6.5 | EPSS Score: 0.004 | Published: 2021-11-02

An improper restriction of XML external entity reference vulnerability in the parser of XML responses of FortiPortal before 6.0.6 may allow an attacker who controls the producer of XML reports consumed by FortiPortal to trigger a denial of service or read arbitrary files from the underlying file system by means of specially crafted XML documents.
CVSS Score: 4.3 | EPSS Score: 0.003 | Published: 2021-11-02

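How an XML consumer ends up reading a file named by whoever produced the document, as an added example that is not FortiPortal code. The report documents are constructed; the entity resolver below records what the parser tries to fetch and hands back canned bytes in place of the real file system, so the example runs offline. The vulnerable path enables external general entities in `xml.sax` (off by default since Python 3.7.1); the hardened parser rejects any DTD before parsing and keeps resolution off.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed report as a malicious producer would send it.
MALICIOUS_REPORT = b"""<?xml version="1.0"?>
<!DOCTYPE report [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<report><summary>&xxe;</summary></report>"""

BENIGN_REPORT = b"<report><summary>42 hosts scanned</summary></report>"


class _Collector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


class _RecordingResolver(EntityResolver):
    """Stands in for the file system / network: records every external entity the
    parser tries to fetch and returns canned bytes instead of opening the URL."""
    def __init__(self):
        self.fetched = []

    def resolveEntity(self, publicId, systemId):
        self.fetched.append(systemId)
        src = InputSource(systemId)
        src.setByteStream(io.BytesIO(b"root:x:0:0:root:/root:/bin/bash"))
        return src


def parse_report(doc: bytes, resolve_external: bool):
    """Returns (summary text, list of external system ids the parser asked for)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)   # True == XXE-prone
    collector, resolver = _Collector(), _RecordingResolver()
    parser.setContentHandler(collector)
    parser.setEntityResolver(resolver)
    parser.parse(io.BytesIO(doc))
    return "".join(collector.text), resolver.fetched


def parse_report_hardened(doc: bytes):
    """Reports never need a DTD, so refuse one outright (this also blocks entity-expansion
    DoS such as billion-laughs), then parse with external resolution disabled."""
    if b"<!DOCTYPE" in doc or b"<!ENTITY" in doc:
        raise ValueError("DTD/entity declarations are not allowed in report XML")
    return parse_report(doc, resolve_external=False)


if __name__ == "__main__":
    print(parse_report(MALICIOUS_REPORT, resolve_external=True))
    print(parse_report(MALICIOUS_REPORT, resolve_external=False))
    print(parse_report_hardened(BENIGN_REPORT))
```

With the real default resolver the `SYSTEM` identifier is opened through `urllib`, so `file://`, `http://` and similar schemes all work from the parser's point of view; disabling external entities addresses the file read, while the DTD rejection is what stops the resource-consumption variant mentioned in the entry.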
A concurrent execution using shared resource with improper synchronization ('race condition') vulnerability in the customer database interface of FortiPortal before 6.0.6 may allow an authenticated, low-privilege user to bring the underlying database data into an inconsistent state via specific coordination of web requests.
CVSS Score: 3.1 | EPSS Score: 0.003 | Published: 2021-11-02

An improper validation of certificate with host mismatch [CWE-297] vulnerability in FortiOS versions 6.4.6 and below may allow a connection to a malicious LDAP server via options in the GUI, leading to disclosure of sensitive information such as AD credentials.
CVSS Score: 3.5 | EPSS Score: 0.001 | Published: 2021-11-02

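What the missing check in CWE-297 consists of, as an added example unrelated to FortiOS code: chain validation alone proves the server holds some CA-issued certificate, and only a hostname match proves it is the LDAP server that was configured. The certificates below are constructed dictionaries in the shape `ssl.SSLSocket.getpeercert()` returns; the matching function implements the RFC 6125 rules (exact match, a single leftmost-label wildcard, IP addresses only against IP SANs, CN consulted only when the certificate carries no SAN), and the context helper shows the corresponding client setting in Python's `ssl` module.

```python
import ipaddress
import ssl

# Constructed certificates in the dict shape returned by ssl.SSLSocket.getpeercert().
LDAP_CERT = {
    "subject": ((("commonName", "ldap.corp.example"),),),
    "subjectAltName": (("DNS", "ldap.corp.example"),
                       ("DNS", "*.dc.corp.example"),
                       ("IP Address", "10.0.0.5")),
}
# A certificate whose SAN names a different host: the matching CN must be ignored.
ROGUE_CERT = {
    "subject": ((("commonName", "ldap.corp.example"),),),
    "subjectAltName": (("DNS", "ldap.attacker.example"),),
}


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3: at most one '*', it must be the whole leftmost label,
    and it matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False                      # partial or non-leftmost wildcards
    if len(p_labels) < 3:
        return False                      # refuse "*.com"-style wildcards
    if len(p_labels) != len(h_labels):
        return False                      # '*' never spans zero or several labels
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        return any(_dns_name_match(p, hostname) for p in dns_names)
    # Legacy fallback: CN counts only when the certificate has no SAN at all.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, hostname)
    return False


def ldaps_client_context() -> ssl.SSLContext:
    """Client configuration for LDAPS: verify the chain AND the hostname."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True             # the check CWE-297 is about
    return ctx


if __name__ == "__main__":
    for host, cert, label in [("ldap.corp.example", LDAP_CERT, "configured server"),
                              ("dc1.dc.corp.example", LDAP_CERT, "wildcard match"),
                              ("ldap.corp.example", ROGUE_CERT, "rogue server")]:
        print(f"{label}: {hostname_matches_cert(host, cert)}")
```

In production the check belongs to the TLS library (`check_hostname=True` makes `ssl` perform it during the handshake, so the application never sees the rogue peer's certificate as accepted); the hand-written matcher is here to make the rules concrete, and to show that a configured name must be compared against the SAN, not against a CN the attacker can also obtain.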
Shodan ® - All rights reserved