🛑 Cybersecurity & Privacy 🛑 - News
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2021-39211 ‼

GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in version 9.5.6. As a workaround, remove the file `ajax/telemetry.php`, which is not needed for usual functions of GLPI.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-39209 ‼

GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, a user who is logged in to GLPI can bypass Cross-Site Request Forgery (CSRF) protection in many places. This could allow a malicious actor to perform many actions on GLPI. This issue is fixed in version 9.5.6. There are no workarounds aside from upgrading.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-27046 ‼

A memory corruption vulnerability in the PDF file handling of Autodesk Navisworks 2019, 2020, 2021 and 2022 may lead to code execution through maliciously crafted DLL files.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-40156 ‼

A maliciously crafted DWG file can force Autodesk Navisworks 2019, 2020, 2021 and 2022 to write beyond allocated buffer boundaries while parsing it. This out-of-bounds write can be exploited to execute arbitrary code.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-37412 ‼

The TechRadar app 1.1 for Confluence Server allows XSS via the Title field of a Radar.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-39392 ‼

The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because the ASP.NET machineKey is hardcoded in web.config (the same value in every customer's installation). Anyone who knows that key can submit validly signed serialized ASP.NET payloads that the application accepts and deserializes.

📖 Read

via "National Vulnerability Database".
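An added example (not MyLittleBackup code) of the check a practitioner would run on an ASP.NET deployment after reading the advisory above: parse web.config, flag a `<machineKey>` whose validationKey or decryptionKey is a literal value rather than AutoGenerate, and emit a short fingerprint of the static key material so that identical keys across many customer installs can be spotted without collecting the secrets themselves. Both config snippets and their hex key values are constructed placeholders.

```python
"""Flag a hardcoded ASP.NET <machineKey> in web.config.

Added example, not MyLittleBackup code. Both config snippets are
constructed; the hex key values are placeholders, not real keys.
"""
import hashlib
import xml.etree.ElementTree as ET

KEY_ATTRS = ("validationKey", "decryptionKey")


def find_machine_key(config_xml):
    """Return the first <machineKey> element in the config, or None."""
    root = ET.fromstring(config_xml)
    return next(root.iter("machineKey"), None)


def machine_key_is_static(config_xml):
    """True when validationKey or decryptionKey is a literal key.

    A literal key in web.config is what lets anyone who knows it forge
    ViewState and other machineKey-protected data for that application;
    AutoGenerate[,IsolateApps] (or no element at all) means the key is
    generated per machine and application instead.
    """
    mk = find_machine_key(config_xml)
    if mk is None:
        return False
    for attr in KEY_ATTRS:
        value = mk.get(attr, "AutoGenerate").strip()
        if not value.startswith("AutoGenerate"):
            return True
    return False


def machine_key_fingerprint(config_xml):
    """Short SHA-256 fingerprint of the static key material, or None.

    Comparing fingerprints from many installs reveals a shared key
    (the condition described in the advisory) without copying the keys.
    """
    if not machine_key_is_static(config_xml):
        return None
    mk = find_machine_key(config_xml)
    material = "|".join(mk.get(attr, "") for attr in KEY_ATTRS).encode()
    return hashlib.sha256(material).hexdigest()[:16]


# Constructed: the risky shape, one literal key shipped to every customer.
HARDCODED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed: per-machine keys, the safe default.
AUTO_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("hardcoded", HARDCODED_CONFIG), ("auto", AUTO_CONFIG)):
        print(label, machine_key_is_static(cfg), machine_key_fingerprint(cfg))
```

Run it against each install's web.config; two installs that report the same fingerprint share a key, which is exactly the condition the advisory describes. Note that a static key is sometimes required (web farms must share one), so the finding is "shared across unrelated customers", not "static" by itself.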
‼ CVE-2021-39210 ‼

GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie used to store the autologin token (when a user uses the "remember me" feature) is accessible to scripts, i.e. it is set without the HttpOnly flag. A malicious plugin that could steal this cookie would be able to use it to autologin. This issue is fixed in version 9.5.6. As a workaround, one may avoid using the "remember me" feature.

📖 Read

via "National Vulnerability Database".
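As an added illustration (not GLPI code): a small Python audit that parses Set-Cookie header values and reports which cookies lack the HttpOnly, Secure and SameSite attributes, the check that surfaces the class of issue above. The header values and the cookie name `remember_token` are constructed for the example, not taken from GLPI.

```python
"""Audit Set-Cookie headers for missing hardening attributes.

Added example, not part of GLPI. The sample header values below are
constructed; the cookie name "remember_token" is a placeholder.
"""

# Attributes an autologin / session cookie should carry. HttpOnly is the
# one that keeps document.cookie (and therefore any page script or
# plugin running in the page) from reading the value.
REQUIRED_ATTRS = ("httponly", "secure", "samesite")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr: attr_value}).

    Attribute names are lower-cased so the comparison is case-insensitive,
    as browsers treat them; flag attributes without a value map to "".
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_value = part.partition("=")
        attrs[key.strip().lower()] = attr_value.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_values):
    """Return [(cookie_name, [missing attributes...]), ...] in header order.

    Cookies carrying every attribute in REQUIRED_ATTRS are omitted.
    """
    findings = []
    for header_value in header_values:
        name, _value, attrs = parse_set_cookie(header_value)
        missing = [a for a in REQUIRED_ATTRS if a not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


# Constructed sample: the same autologin cookie issued two ways.
SAMPLE_HEADERS = [
    # Weak: readable via document.cookie, sent over plain HTTP, no SameSite.
    "remember_token=a1b2c3d4; Path=/; Expires=Wed, 21 Oct 2021 07:28:00 GMT",
    # Hardened: scripts cannot read it, HTTPS only, not sent cross-site.
    "remember_token=a1b2c3d4; Path=/; HttpOnly; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for name, missing in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

Feed it the Set-Cookie headers captured from a login with "remember me" ticked; any autologin cookie listed as missing `httponly` is readable by page scripts, which is the condition the advisory describes. HttpOnly does not stop a plugin that runs server-side PHP, only one that relies on in-browser script.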
‼ CVE-2021-40155 ‼

A maliciously crafted DWG file can force Autodesk Navisworks 2019, 2020, 2021 and 2022 to read beyond allocated buffer boundaries while parsing it. This out-of-bounds read can be exploited to execute arbitrary code.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-40238 ‼

A Cross-Site Scripting (XSS) vulnerability exists in the admin panel of Webuzo < 2.9.0: an HTTP request for a non-existent page stores a payload that is triggered when an administrator views the "Error Log" page. An attacker can leverage this to achieve unauthenticated remote code execution via Webuzo's "Cron Jobs" functionality.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-21121 ‼

Pligg CMS 2.0.2 contains a time-based SQL injection vulnerability via the $recordIDValue parameter in the admin_update_module_widgets.php file.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-3795 ‼

semver-regex is vulnerable to inefficient regular expression complexity (ReDoS).

📖 Read

via "National Vulnerability Database".
πŸ” Microsoft Fixes MSHTML Zero Day in Patch Tuesday Update πŸ”

Microsoft fixed last week's MSHTML zero day - a vulnerability it confirmed was being exploited in the wild - in this month's Patch Tuesday round of updates.

πŸ“– Read

❌ No Patch for High-Severity Bug in Legacy IBM System X Servers ❌

Two of IBM's aging flagship server models, retired in 2020, won't be patched for a command-injection flaw.

📖 Read

via "Threat Post".
‼ CVE-2021-39205 ‼

Jitsi Meet is an open source video conferencing application. Versions prior to 2.0.6173 are vulnerable to client-side cross-site scripting via injecting properties into JSON objects that were not properly escaped. There are no known incidents related to this vulnerability being exploited in the wild. This issue is fixed in Jitsi Meet version 2.0.6173. There are no known workarounds aside from upgrading.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-33692 ‼

SAP Cloud Connector, version 2.0, allows the upload of zip files as backups. Entry names inside such a backup file can carry special elements such as '..' and '/' separators, letting attackers escape the restricted extraction location and access files or directories outside it.

📖 Read

via "National Vulnerability Database".
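An added example (not SAP code) of the extraction check the advisory above calls for: resolve each archive entry's target path before writing anything and refuse the whole archive if any entry lands outside the destination. The archive is built in memory with constructed entry names, and the destination directory is an assumption. One caveat for Python readers: `zipfile.extractall` already strips leading separators and `..` components, so the check is written out explicitly here to show what an extractor in another language must do.

```python
"""Reject zip entries that would escape the extraction directory.

Added example, not SAP Cloud Connector code. The archive is constructed
in memory with one benign entry and two hostile ones.
"""
import io
import os
import zipfile


def build_sample_zip(include_hostile=True):
    """Construct a backup-like archive; hostile entries use '..' and '/'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("backup/config.properties", "key=value\n")
        if include_hostile:
            zf.writestr("../../etc/evil.properties", "pwned\n")  # parent traversal
            zf.writestr("/tmp/absolute.txt", "pwned\n")          # absolute path
    return buf.getvalue()


def unsafe_entries(zip_bytes, dest):
    """Return entry names whose resolved target is not inside dest.

    realpath() collapses '..' and follows symlinks in the existing
    prefix; commonpath() then tells us whether dest still contains
    the result. Scanning the name for '..' alone is not enough:
    '..' inside a file name is legal, and absolute names have none.
    """
    dest_real = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(name)
    return bad


def safe_extract(zip_bytes, dest):
    """Extract only if every entry stays under dest; return the names."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing archive: entries escape {dest}: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return sorted(zf.namelist())


if __name__ == "__main__":
    # Assumed destination; nothing is written because the archive is rejected.
    print(unsafe_entries(build_sample_zip(), "/var/backup/restore"))
```

The check is all-or-nothing on purpose: extracting the benign entries of an archive that also carries traversal entries still hands the attacker a partially applied backup. Symlink entries and case-insensitive filesystems need their own handling and are outside this example.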
‼ CVE-2021-37912 ‼

The HGiga OAKlouds mobile portal does not filter special characters in the Ethernet number parameter of the network interface card settings page. Remote attackers can use this to inject and execute arbitrary commands on the system without logging in.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-33705 ‼

The SAP NetWeaver Portal, versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, component Iviews Editor, contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which, when clicked by a user, can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-40862 ‼

HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configuration. Fixed in v202109-1.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-40965 ‼

A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager in all versions up to and including 2.4.6. It allows attackers to upload files and run OS commands by inducing the administrator user to browse to a URL controlled by the attacker.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-33697 ‼

Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions 420 and 430, can allow an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-33690 ‼

A Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service, versions 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50. The Component Build Service allows a threat actor who has access to the server to perform proxy attacks on the server by sending crafted queries. Through this, the threat actor could completely compromise sensitive data residing on the server and impact its availability. Note: the impact of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or on the internet. The CVSS score reflects the worst case, that it runs on the internet.

📖 Read

via "National Vulnerability Database".