Apr 22, 2021 Cyber Threat Intelligence

Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.

Daily summary

  • Remoteclinic Remote Clinic: public exploit or PoC linked (cross-site scripting)
  • 10 new critical disclosures — review patch status on exposed services.

Top threats today

Three highest-priority changes — analyst brief, not a CVE dump.

Active exploit activity

CVE-2021-28935 Cmsmadesimple Cms Made Simple cross-site scripting

  • Public exploit or PoC available
  • Exploit activity linked

Cmsmadesimple Cms Made Simple cross-site scripting now has public exploit or PoC linkage — assume opportunistic scanning and targeted follow-on activity.

Active exploit activity

CVE-2021-30030 Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Full Name field on register-patient.php.

  • Public exploit or PoC available
  • Exploit activity linked

Remoteclinic Remote Clinic cross-site scripting now has public exploit or PoC linkage — assume opportunistic scanning and targeted follow-on activity.

Critical exposure

CVE-2021-2244 Oracle Essbase Analytic Provider Services

  • CVSS 10

New critical disclosure (CVSS 10) — high severity with a short public awareness window before exploit material typically surfaces.

Active exploitation

CISA KEV — confirmed in-the-wild exploitation.

Nothing flagged in this category for this digest.

View KEV additions

Exploit & PoC activity

CVE-2021-31327 Exploit

Stored XSS in Remote Clinic v2.0 in /medicines due to Medicine Name Field.

CVE-2021-31329 Exploit

Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Chat" and "Personal Address" field on staff/register.php

CVE-2021-30030 Exploit

Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Full Name field on register-patient.php.

CVE-2021-30034 Exploit

Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Symptons field on patients/register-report.php.

CVE-2021-30039 Exploit

Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Fever" or "Blood Pressure" field on the patients/register-report.php.

CVE-2021-30042 Exploit

Cross Site Scripting (XSS) in Remote Clinic v2.0 via the "Clinic Name", "Clinic Address", "Clinic City", or "Clinic Contact" field on cli...

CVE-2021-28935 Exploit

CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > T...

View new exploit links

Exploitation dynamics

Nothing flagged in this category for this digest.

See EPSS increases

New critical disclosures

CVE-2021-2244 CVSS 10

Vulnerability in the Hyperion Analytic Provider Services product of Oracle Hyperion (component: JAPI) and Essbase Analytic Provider Servi...

CVE-2021-2248 CVSS 10

Vulnerability in the Oracle Secure Global Desktop product of Oracle Virtualization (component: Server).

CVE-2021-2253 CVSS 9.1

Vulnerability in the Oracle Advanced Supply Chain Planning product of Oracle Supply Chain (component: Core).

CVE-2021-2256 CVSS 10

Vulnerability in the Oracle Storage Cloud Software Appliance product of Oracle Storage Gateway (component: Management Console).

CVE-2021-2302 CVSS 9.8

Vulnerability in the Oracle Platform Security for Java product of Oracle Fusion Middleware (component: OPSS).

CVE-2021-2317 CVSS 10

Vulnerability in the Oracle Cloud Infrastructure Storage Gateway product of Oracle Storage Gateway (component: Management Console).

CVE-2021-2318 CVSS 9.1

Vulnerability in the Oracle Cloud Infrastructure Storage Gateway product of Oracle Storage Gateway (component: Management Console).

CVE-2021-2319 CVSS 9.1

Vulnerability in the Oracle Cloud Infrastructure Storage Gateway product of Oracle Storage Gateway (component: Management Console).

CVE-2021-2320 CVSS 9.1

Vulnerability in the Oracle Cloud Infrastructure Storage Gateway product of Oracle Storage Gateway (component: Management Console).

CVE-2021-31597 CVSS 9.4

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when...

View critical disclosures

cvelogic Threat Intelligence