Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3243 PUBLISHED: 2021-04-15
Wfilter ICF 5.0.117 contains a cross-site scripting (XSS) vulnerability. An attacker in the same LAN can craft a packet with a malicious User-Agent header to inject a payload into its logs, where an attacker can take over the system through its plugin-running function.
CVE-2021-29448 PUBLISHED: 2021-04-15
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. A stored XSS exists in the Pi-hole Admin portal, which can be exploited by a malicious actor with network access to the DNS server. See the referenced GitHub security advisory for patch details.
CVE-2021-30138 PUBLISHED: 2021-04-15
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2021-27112 PUBLISHED: 2021-04-15
LightCMS v1.3.5 contains a remote code execution vulnerability in /app/Http/Controllers/Admin/NEditorController.php during the downloading of external images.
CVE-2021-20288PUBLISHED: 2021-04-15
An authentication flaw was found in ceph in versions before 14.2.20. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associa...
User Rank: Ninja
5/15/2015 | 9:28:37 AM
I think what is overblown is how everyone wants to compare one vulnerability to the other; I personally think that is dangerous. Why? Because no two vulnerabilities are the same, there is no way that you can compare this vulnerability to Heartbleed or to a vulnerability like BEAST. With Heartbleed it was pretty easy to say how big this would be because there was no denying it. With this particular vulnerability, it does confirm an argument that has been going on for a very long time that quite a few folks said could not happen. And this, as with Heartbleed, has internal implications too if these affected systems are used in-house. And while this particular bug has not impacted all of the virtual space... I can bet you the rest are scrambling to make sure it doesn't affect them too. Remember, when Heartbleed was first reported nobody took it as seriously as they did when the scope was finally realized.
"High impact vulnerabilities are becoming the new normal, some security analysts expecting us to see one big one per quarter. The industry as a whole needs to work on how to best address these vulnerabilities without overhyping them..."
Now this I can totally agree with, but my one bit of advice would be to assume that every vulnerability has the ability to disrupt your operations or possibly damage your reputation.
Question, which was worse:
a) Blaster
b) SQL Slammer