19 March 2021

Vulnerability summary for the week: March 19, 2021

This latest vulnerability overview covers high-risk and critical bugs discovered in various software, including yet another zero-day vulnerability in Google Chrome, as well as important issues affecting the MyBB forum software and products from Moxa, Schneider Electric, Apache, and others.

Google released a new version of its Chrome browser (89.0.4389.90) for Windows, Mac and Linux to address a number of dangerous vulnerabilities, including one that was exploited in the wild.

The zero-day in question is tracked as CVE-2021-21193 and is described as a use-after-free error within the Blink component of Google Chrome, which can be exploited by adversaries for remote code execution. To achieve this, an attacker needs to trick a victim into visiting a malicious webpage.

The browser maker also fixed two high-risk flaws. The first, CVE-2021-21191, is a use-after-free issue affecting the WebRTC component of Google Chrome. A remote attacker can trick the victim into opening a specially crafted website, trigger the use-after-free error and execute arbitrary code on the system.

The second bug (CVE-2021-21192) is a heap-based buffer overflow within the tab groups implementation in Google Chrome. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Microsoft has also released a security update for its Chromium-based Edge browser to eliminate the above-mentioned issues.

Maintainers of the MyBB bulletin board software (previously known as MyBBoard and MyBulletinBoard) patched multiple flaws in the product, some of which could be chained together to achieve remote code execution. One of the most important issues is CVE-2021-27890, which allows a remote attacker to execute arbitrary SQL queries against the database and take over the application. The vulnerabilities affect MyBB versions 1.8.0 through 1.8.25 (1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.8.12, 1.8.13, 1.8.14, 1.8.15, 1.8.16, 1.8.17, 1.8.18, 1.8.19, 1.8.20, 1.8.21, 1.8.22, 1.8.23, 1.8.24, 1.8.25).

Another SQL injection vulnerability has been found in the WoWonder social networking platform. The issue stems from insufficient sanitization of user-supplied data in the "event_id" parameter of "requests.php". A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database. The vulnerability impacts WoWonder - The Ultimate PHP Social Network Platform v3.1.

Schneider Electric IGSS SCADA, a system used for monitoring and controlling industrial processes, is affected by multiple vulnerabilities (CVE-2021-22709, CVE-2021-22710, CVE-2021-22711, CVE-2021-22712), all of which could be exploited by a remote attacker for code execution. The flaws impact IGSS SCADA v15.0.0.21041.

Moxa VPort 06EC-2V Series IP cameras contain a number of vulnerabilities that, if exploited, could lead to remote code execution, denial-of-service attacks, and information leakage. Note that no patch is currently available for these flaws. The affected products include VPort 06EC-2V Series 1.1.

Several high-risk flaws have also been discovered in Apache Velocity Engine, the Visual Studio Code Python extension, and JBoss Enterprise Application Platform, which could be used for remote code execution or to perform brute-force attacks.
