Security
Headlines
HeadlinesLatestCVEs

Tag

#rce

CVE-2021-32819: GHSL-2021-023: Remote code execution in squirrelly - CVE-2021-32819

Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. This issue is fixed in version 9.0.0. For complete details refer to the referenced GHSL-2021-023.

CVE
#xss#vulnerability#js#git#java#rce
CVE-2021-32820: GHSL-2021-018: File disclosure in Express Handlebars - CVE-2021-32820

Express-handlebars is a Handlebars view engine for Express. Express-handlebars mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extentions (i.e. file.extension) can be included, files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Notes in documentation have been added to help users avoid this potential information exposure vulnerability.

CVE-2021-24191

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Maintenance Mode & Site Under Construction WordPress plugin before 1.8.2, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

CVE-2021-33026: Extensible serializers support by subnix · Pull Request #209 · pallets-eco/flask-caching

** DISPUTED ** The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision.

CVE-2021-31214

Visual Studio Code Remote Code Execution Vulnerability

CVE-2021-31213

Visual Studio Code Remote Containers Extension Remote Code Execution Vulnerability

CVE-2021-31211

Visual Studio Code Remote Code Execution Vulnerability

CVE-2021-31192

Windows Media Foundation Core Remote Code Execution Vulnerability

CVE-2021-31181

Microsoft SharePoint Remote Code Execution Vulnerability

CVE-2021-28476

Hyper-V Remote Code Execution Vulnerability