Sep 30, 2021 Cyber Threat Intelligence

Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.

Daily summary

  • 10 new critical disclosures — review patch status on exposed services.

Top threats today

Three highest-priority changes — analyst brief, not a CVE dump.

Critical exposure

CVE-2020-20796 FlameCMS 3.3.5 contains a SQL injection vulnerability in /master/article.php via the "Id" parameter.

  • CVSS 9.8

New critical Flamecms Project Flamecms SQL Injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2020-20797 FlameCMS 3.3.5 contains a time-based blind SQL injection vulnerability in /account/register.php.

  • CVSS 9.8

New critical Flamecms Project Flamecms SQL Injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2021-33583 Reiner-sct Timecard SQL injection

  • CVSS 9.8

New critical Reiner-sct Timecard SQL injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Active exploitation

CISA KEV — confirmed in-the-wild exploitation.

Nothing flagged in this category for this digest.

View KEV additions

Exploit & PoC activity

Nothing flagged in this category for this digest.

View new exploit links

Exploitation dynamics

Nothing flagged in this category for this digest.

See EPSS increases

New critical disclosures

CVE-2020-20796 CVSS 9.8

FlameCMS 3.3.5 contains a SQL injection vulnerability in /master/article.php via the "Id" parameter.

CVE-2020-20797 CVSS 9.8

FlameCMS 3.3.5 contains a time-based blind SQL injection vulnerability in /account/register.php.

CVE-2021-20578 CVSS 9.8

IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0.0 could allow an attacker to perform unauthorized actions due to i...

CVE-2021-33583 CVSS 9.8

REINER timeCard 6.05.07 installs a Microsoft SQL Server with an sa password that is hardcoded in the TCServer.jar file.

CVE-2021-41288 CVSS 9.8

Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API.

CVE-2021-41296 CVSS 9.8

ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password attacks and gain fu...

CVE-2021-41299 CVSS 9.8

ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers can obtain adminis...

CVE-2021-41300 CVSS 9.8

ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page...

CVE-2021-41301 CVSS 9.8

ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GE...

CVE-2021-41729 CVSS 9.1

BaiCloud-cms v2.5.7 is affected by an arbitrary file deletion vulnerability, which allows an attacker to delete arbitrary files on the se...

View critical disclosures

cvelogic Threat Intelligence