CVE-2021-20755
Viewing restrictions bypass vulnerability in Portal of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to obtain the data of Portal without the viewing privilege.
Source: CVE-2021-20755
CVE-2021-20759
Operational restrictions bypass vulnerability in Bulletin of Cybozu Garoon 4.6.0 to 5.0.2 allows a remote authenticated attacker to alter the data of Portal without the appropriate privilege.
Source: CVE-2021-20759
CVE-2021-39268
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed.
Source: CVE-2021-39268
CVE-2021-39267
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (such as text/xml) are not blocked.
Source: CVE-2021-39267
CVE-2021-39250
Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. For code execution, the attacker can rely on the ability of an admin to install widgets, disclosure of the admin session ID in a Referer header, and the ability of an admin to use the templating engine (e.g., Edit HTML).
Source: CVE-2021-39250
CVE-2021-39131
ced detects character encoding using Google’s compact_enc_det library. In ced v0.1.0, passing data types other than `Buffer` causes the Node.js process to crash. The problem has been patched in ced v1.0.0. As a workaround, before passing an argument to ced, verify it’s a `Buffer` using `Buffer.isBuffer(obj)`.
Source: CVE-2021-39131
CVE-2021-39249
Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows reflected XSS because the filenames of uploaded files become predictable through a brute-force attack against the PHP mt_rand function.
Source: CVE-2021-39249
CVE-2021-0284
A buffer overflow vulnerability in the TCP/IP stack of Juniper Networks Junos OS allows an attacker to send specific sequences of packets to the device thereby causing a Denial of Service (DoS).
By repeatedly sending these sequences of packets to the device, an attacker can sustain the Denial of Service (DoS) condition.
The device will abnormally shut down as a result of these sent packets. A potential indicator of compromise will be the following message in the log files:
"eventd[13955]: SYSTEM_ABNORMAL_SHUTDOWN: System abnormally shut down"
This issue is only triggered by traffic destined to the device. Transit traffic will not trigger this issue.
This issue affects:
Juniper Networks Junos OS
12.3 versions prior to 12.3R12-S19;
15.1 versions prior to 15.1R7-S10;
17.3 versions prior to 17.3R3-S12;
18.4 versions prior to 18.4R3-S9;
19.1 versions prior to 19.1R3-S7;
19.2 versions prior to 19.2R1-S7, 19.2R3-S3;
19.3 versions prior to 19.3R3-S3;
19.4 versions prior to 19.4R3-S5;
20.1 versions prior to 20.1R3-S1;
20.2 versions prior to 20.2R3-S2;
20.3 versions prior to 20.3R3-S1;
20.4 versions prior to 20.4R2-S2, 20.4R3;
21.1 versions prior to 21.1R2;
21.2 versions prior to 21.2R2.
Source: CVE-2021-0284
CVE-2020-23341
A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Source: CVE-2020-23341
CVE-2021-28372
ThroughTek’s Kalay Platform 2.0 network allows an attacker to impersonate an arbitrary ThroughTek (TUTK) device given a valid 20-byte uniquely assigned identifier (UID). This could result in an attacker hijacking a victim’s connection and forcing them into supplying credentials needed to access the victim TUTK device.
Source: CVE-2021-28372