Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database

CVE-2021-31923
PUBLISHED: 2021-09-24

Ping Identity PingAccess before 5.3.3 allows HTTP request smuggling via header manipulation.

CVE-2021-41581
PUBLISHED: 2021-09-24

x509_constraints_parse_mailbox in lib/libcrypto/x509/x509_constraints.c in LibreSSL through 3.4.0 has a stack-based buffer over-read. When the input exceeds DOMAIN_PART_MAX_LEN, the buffer lacks ‘’ termination.

CVE-2021-41583
PUBLISHED: 2021-09-24

vpn-user-portal (aka eduVPN or Let’s Connect!) before 2.3.14, as packaged for Debian 10, Debian 11, and Fedora, allows remote authenticated users to obtain OS filesystem access, because of the interaction of QR codes with an exec that uses the -r option. This can be leveraged to obtain additional VP…

CVE-2021-41584
PUBLISHED: 2021-09-24

Gradle Enterprise before 2021.1.3 can allow unauthorized viewing of a response (information disclosure of possibly sensitive build/configuration details) via a crafted HTTP request with the X-Gradle-Enterprise-Ajax-Request header.

CVE-2020-19949
PUBLISHED: 2021-09-23

A cross-site scripting (XSS) vulnerability in the /link/add.html component of YzmCMS v5.3 allows attackers to execute arbitrary web scripts or HTML.

#Hot #Cyber #Threat #Trends #Expect #Black #Hat