‼ CVE-2021-41390 ‼
📖 Read
via "National Vulnerability Database".
In Ericsson ECM before 18.0, it was observed that Security Provider Endpoint in the User Profile Management Section is vulnerable to CSV Injection.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41380 ‼
📖 Read
via "National Vulnerability Database".
RealVNC Viewer 6.21.406 allows remote VNC servers to cause a denial of service (application crash) via crafted RFB protocol data.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41383 ‼
📖 Read
via "National Vulnerability Database".
setup.cgi on NETGEAR R6020 1.0.0.48 devices allows an admin to execute arbitrary shell commands via shell metacharacters in the ntp_server field.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41391 ‼
📖 Read
via "National Vulnerability Database".
In Ericsson ECM before 18.0, it was observed that Security Management Endpoint in User Profile Management Section is vulnerable to stored XSS via a name, leading to session hijacking and full account takeover.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-21548 ‼
📖 Read
via "National Vulnerability Database".
Libsixel 1.8.3 contains a heap-based buffer overflow in the sixel_encode_highcolor function in tosixel.c.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39216 ‼
📖 Read
via "National Vulnerability Database".
Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the host. If you do not have host code that matches one of these shapes, then you are not impacted. If Wasmtime's `VMExternRefActivationsTable` became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. The bug has been fixed, and users should upgrade to Wasmtime 0.30.0. If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to `wasmtime::Config::wasm_reference_types`.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39218 ‼
📖 Read
via "National Vulnerability Database".
Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.26.0 and before version 0.30.0 is affected by a memory unsoundness vulnerability. There was an invalid free and out-of-bounds read and write bug when running Wasm that uses `externref`s in Wasmtime. To trigger this bug, Wasmtime needs to be running Wasm that uses `externref`s, the host creates non-null `externrefs`, Wasmtime performs a garbage collection (GC), and there has to be a Wasm frame on the stack that is at a GC safepoint where there are no live references at this safepoint, and there is a safepoint with live references earlier in this frame's function. Under this scenario, Wasmtime would incorrectly use the GC stack map for the safepoint from earlier in the function instead of the empty safepoint. This would result in Wasmtime treating arbitrary stack slots as `externref`s that needed to be rooted for GC. At the *next* GC, it would be determined that nothing was referencing these bogus `externref`s (because nothing could ever reference them, because they are not really `externref`s) and then Wasmtime would deallocate them and run `<ExternRef as Drop>::drop` on them. This results in a free of memory that is not necessarily on the heap (and shouldn't be freed at this moment even if it was), as well as potential out-of-bounds reads and writes. Even though support for `externref`s (via the reference types proposal) is enabled by default, unless you are creating non-null `externref`s in your host code or explicitly triggering GCs, you cannot be affected by this bug. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. This bug has been patched and users should upgrade to Wasmtime version 0.30.0. If you cannot upgrade Wasmtime at this time, you can avoid this bug by disabling the reference types proposal by passing `false` to `wasmtime::Config::wasm_reference_types`.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41387 ‼
📖 Read
via "National Vulnerability Database".
seatd-launch in seatd 0.6.x before 0.6.2 allows privilege escalation because it uses execlp and may be installed setuid root.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-21547 ‼
📖 Read
via "National Vulnerability Database".
Libsixel 1.8.2 contains a heap-based buffer overflow in the dither_func_fs function in tosixel.c.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38412 ‼
📖 Read
via "National Vulnerability Database".
Properly formatted POST requests to multiple resources on the HTTP and HTTPS web servers of the Digi PortServer TS 16 Rack device do not require authentication or authentication tokens. This vulnerability could allow an attacker to enable the SNMP service and manipulate the community strings to achieve further control in.📖 Read
via "National Vulnerability Database".
🗓️ VPN users unmasked by zero-day vulnerability in Virgin Media routers 🗓️
📖 Read
via "The Daily Swig".
Disclosure comes two years after privacy-busting flaw was discovered📖 Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
VPN users unmasked by zero-day vulnerability in Virgin Media routers
Disclosure comes two years after privacy-busting flaw was discovered
‼ CVE-2021-24741 ‼
📖 Read
via "National Vulnerability Database".
The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-24663 ‼
📖 Read
via "National Vulnerability Database".
The Simple Schools Staff Directory WordPress plugin through 1.1 does not validate uploaded logo pictures to ensure that are indeed images, allowing high privilege users such as admin to upload arbitrary file like PHP, leading to RCE📖 Read
via "National Vulnerability Database".
‼ CVE-2021-24401 ‼
📖 Read
via "National Vulnerability Database".
The Edit domain functionality in the WP Domain Redirect WordPress plugin through 1.0 has an `editid` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-24604 ‼
📖 Read
via "National Vulnerability Database".
The Availability Calendar WordPress plugin before 1.2.2 does not sanitise or escape its Category Names before outputting them in page/post where the associated shortcode is embed, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed📖 Read
via "National Vulnerability Database".
‼ CVE-2021-24638 ‼
📖 Read
via "National Vulnerability Database".
The OMGF WordPress plugin before 4.5.4 does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS file with Google Fonts CSS, or download fonts uploaded on Google Fonts website.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-24600 ‼
📖 Read
via "National Vulnerability Database".
The WP Dialog WordPress plugin through 1.2.5.5 does not sanitise and escape some of its settings before outputting them in pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-24618 ‼
📖 Read
via "National Vulnerability Database".
The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting (XSS). Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated user (as low as subscriber), or unauthenticated user via a CSRF vector to update them and perform such attack.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-24585 ‼
📖 Read
via "National Vulnerability Database".
The Timetable and Event Schedule WordPress plugin before 2.4.0 outputs the Hashed Password, Username and Email Address (along other less sensitive data) of the user related to the Even Head of the Timeslot in the response when requesting the event Timeslot data with a user with the edit_posts capability. Combined with the other Unauthorised Event Timeslot Modification issue (https://wpscan.com/reports/submissions/4699/) where an arbitrary user ID can be set, this could allow low privilege users with the edit_posts capability (such as author) to retrieve sensitive User data by iterating over the user_id📖 Read
via "National Vulnerability Database".
‼ CVE-2021-24398 ‼
📖 Read
via "National Vulnerability Database".
The Add new scene functionality in the Responsive 3D Slider WordPress plugin through 1.2 uses an id parameter which is not sanitised, escaped or validated before being inserted to a SQL statement, leading to SQL injection. This is a time based SQLI and in the same function vulnerable parameter is passed twice so if we pass time as 5 seconds it takes 10 seconds to return since the query is ran twice.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-24402 ‼
📖 Read
via "National Vulnerability Database".
The Orders functionality in the WP iCommerce WordPress plugin through 1.1.1 has an `order_id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors📖 Read
via "National Vulnerability Database".