Selection:
XSS CSRF Privilege Buffer Remote Stack
CVE ID Name Status References
CVE-2021-41077

The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens. However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process.

Assigned (20210914)

MISC:https://blog.travis-ci.com/2021-09-13-bulletin | MISC:https://news.ycombinator.com/item?id=28523350 | MISC:https://news.ycombinator.com/item?id=28524727 | MISC:https://travis-ci.community/t/security-bulletin/12081 | MISC:https://twitter.com/peter_szilagyi/status/1437646118700175360 | MISC:https://twitter.com/peter_szilagyi/status/1437649838477283330

CVE-2021-41076

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

Assigned (20210914)

CVE-2021-41072

squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.

Assigned (20210914)

MISC:https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd | MISC:https://github.com/plougher/squashfs-tools/issues/72#issuecomment-913833405

CVE-2021-41061

In RIOT-OS 2021.01, nonce reuse in 802.15.4 encryption in the ieee820154_security component allows attackers to break encryption by triggering reboots.

Assigned (20210913)

MISC:https://github.com/RIOT-OS/RIOT/issues/16844

CVE-2021-41054

tftpd_file.c in atftp through 0.7.4 has a buffer overflow because buffer-size handling does not properly consider the combination of data, OACK, and other options.

Assigned (20210913)

MISC:https://sourceforge.net/p/atftp/code/ci/d255bf90834fb45be52decf9bc0b4fb46c90f205/

CVE-2021-41033

In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code.

Assigned (20210913)

CONFIRM:https://bugs.eclipse.org/bugs/show_bug.cgi?id=575688 | URL:https://bugs.eclipse.org/bugs/show_bug.cgi?id=575688

CVE-2021-40966

A Stored XSS exists in TinyFileManager All version up to and including 2.4.6 in /tinyfilemanager.php when the server is given a file that contains HTML and javascript in its name. A malicious user can upload a file with a malicious filename containing javascript code and it will run on any user browser when they access the server.

Assigned (20210913)

MISC:https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528 | MISC:https://github.com/prasathmani/tinyfilemanager

CVE-2021-40965

A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker.

Assigned (20210913)

MISC:https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528 | MISC:https://github.com/prasathmani/tinyfilemanager

CVE-2021-40964

A Path Traversal vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload a file (with Admin credentials or with the CSRF vulnerability) with the "fullpath" parameter containing path traversal strings (../ and ..\) in order to escape the server's intended working directory and write malicious files onto any directory on the computer.

Assigned (20210913)

MISC:https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528 | MISC:https://github.com/prasathmani/tinyfilemanager

CVE-2021-40881

An issue in the BAT file parameters of PublicCMS v4.0 allows attackers to execute arbitrary code.

Assigned (20210913)

MISC:https://github.com/sanluan/PublicCMS/issues/57


Page created:

CVE year by year statistics.

CVE year statistics by common vulnerability domain.

Latest data from: 2021-09-13