Archive for April, 2021

CVE-2021-31792

XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field
Source: NIST
CVE-2021-31792

CVE-2021-31935

OX App Suite 7.10.4 and earlier allows XSS via a crafted distribution list (payload in the common name) that is mishandled in the scheduling view.
Source: NIST
CVE-2021-31935

CVE-2020-28943

OX App Suite 7.10.4 and earlier allows SSRF via a snippet.
Source: NIST
CVE-2020-28943

CVE-2021-31934

OX App Suite 7.10.4 and earlier allows XSS via a crafted contact object (payload in the position or company field) that is mishandled in the App Suite UI on a smartphone.
Source: NIST
CVE-2021-31934

CVE-2020-28944

OX Guard 2.10.4 and earlier allows a Denial of Service via a WKS server that responds slowly or with a large amount of data.
Source: NIST
CVE-2020-28944

CVE-2021-31933

A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containing arbitrary PHP code into specific directories via main/inc/lib/fileUpload.lib.php directory traversal to achieve PHP code execution.
Source: NIST
CVE-2021-31933

CVE-2021-21230 (chrome)

Type confusion in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Source: NIST
CVE-2021-21230 (chrome)

CVE-2021-21539

Dell EMC iDRAC9 versions prior to 4.40.00.00 contain a Time-of-check Time-of-use (TOCTOU) race condition vulnerability. A remote authenticated attacker could potentially exploit this vulnerability to gain elevated privileges when a user with higher privileges is simultaneously accessing iDRAC through the web interface.
Source: NIST
CVE-2021-21539

CVE-2021-21540

Dell EMC iDRAC9 versions prior to 4.40.00.00 contain a stack-based overflow vulnerability. A remote authenticated attacker could potentially exploit this vulnerability to overwrite configuration information by injecting arbitrarily large payload.
Source: NIST
CVE-2021-21540

CVE-2021-21541

Dell EMC iDRAC9 versions prior to 4.40.00.00 contain a DOM-based cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to DOM environment in the browser. The malicious code is then executed by the web browser in the context of the vulnerable web application.
Source: NIST
CVE-2021-21541