List of latest published vulnerabilities.

Exploit-DB

• [webapps] Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass July 27, 2021
  Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass
• [webapps] PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection July 27, 2021
  PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection
• [webapps] Elasticsearch ECE 7.13.3 - Anonymous Database Dump July 26, 2021
  Elasticsearch ECE 7.13.3 - Anonymous Database Dump
• [dos] Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC) July 26, 2021
  Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)
• [webapps] NoteBurner 2.35 - Denial Of Service (DoS) (PoC) July 26, 2021
  NoteBurner 2.35 - Denial Of Service (DoS) (PoC)
• [webapps] XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated) July 26, 2021
  XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated)
• [webapps] ElasticSearch 7.13.3 - Memory disclosure July 23, 2021
  ElasticSearch 7.13.3 - Memory disclosure
• [webapps] WordPress Plugin Simple Post 1.1 - 'Text field' Stored Cross-Site Scripting (XSS) July 23, 2021
  WordPress Plugin Simple Post 1.1 - 'Text field' Stored Cross-Site Scripting (XSS)
• [webapps] Microsoft SharePoint Server 2019 - Remote Code Execution (2) July 23, 2021
  Microsoft SharePoint Server 2019 - Remote Code Execution (2)
• [webapps] KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass July 21, 2021
  KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass

National Vulnerability Database

• CVE-2021-20399 July 27, 2021
  IBM Qradar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196073.
• CVE-2021-20562 July 27, 2021
  IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5_3 and 6.1.0.0 through 6.1.0.2 vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199232.
• CVE-2021-37576 July 26, 2021
  arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e.
• CVE-2020-18428 July 26, 2021
  tinyexr commit 0.9.5 was discovered to contain an array index error in the tinyexr::SaveEXR component, which can lead to a denial of service (DOS).
• CVE-2020-18430 July 26, 2021
  tinyexr 0.9.5 was discovered to contain an array index error in the tinyexr::DecodeEXRImage component, which can lead to a denial of service (DOS).
• CVE-2021-37555 July 26, 2021
  TX9 Automatic Food Dispenser v3.2.57 devices allow access to a shell as root/superuser, a related issue to CVE-2019-16734. To connect, the telnet service is used on port 23 with the default password of 059AnkJ for the root account. The user can then download the filesystem through preinstalled BusyBox utilities (e.g., tar and nc).
• CVE-2020-23243 July 26, 2021
  Cross Site Scripting (XSS) vulnerability in NavigateCMS NavigateCMS 2.9 via the name="wrong_path_redirect" feature.
• CVE-2020-23241 July 26, 2021
  Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 in "Extra" via 'News > Article" feature.
• CVE-2020-23242 July 26, 2021
  Cross Site Scripting (XSS) vulnerability in NavigateCMS 2.9 when performing a Create or Edit via the Tools feature.
• CVE-2020-23240 July 26, 2021
  Cross Site Scripting (XSS) vulnerablity in CMS Made Simple 2.2.14 via the Logic field in the Content Manager feature.