Friday, May 21, 2021

Weekly Digest: a new vulnerability is published on the National Vulnerability Database (42 items)

New vulnerabilities from the NVD: CVE-2019-2393

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15.
Published at: November 23, 2020 at 06:15PM

November 23, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-2392

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.
Published at: November 23, 2020 at 06:15PM

November 23, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20924

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.2.
Published at: November 23, 2020 at 06:15PM

November 23, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20923

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.7.
Published at: November 23, 2020 at 06:15PM

November 23, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14562

Integer overflow in DxeImageVerificationHandler() EDK II may allow an authenticated user to potentially enable denial of service via local access.
Published at: November 23, 2020 at 06:15PM

November 23, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14559

Uncontrolled resource consumption in EDK II may allow an unauthenticated user to potentially enable denial of service via network access.
Published at: November 23, 2020 at 06:15PM

November 23, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14553

Improper authentication in EDK II may allow a privileged user to potentially enable information disclosure via network access.
Published at: November 23, 2020 at 06:15PM

November 23, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-20805

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10.
Published at: November 23, 2020 at 06:15PM

November 23, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-20804

A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.10; v3.6 versions prior to 3.6.13.
Published at: November 23, 2020 at 06:15PM

November 23, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-20802

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.9, v4.0 versions prior to 4.0.3.
Published at: November 23, 2020 at 06:15PM

November 23, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-12352

Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.
Published at: November 23, 2020 at 07:15PM

November 23, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-12351

Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
Published at: November 23, 2020 at 07:15PM

November 23, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-0569

Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
Published at: November 23, 2020 at 07:15PM

November 23, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14587

Logic issue in EDK II may allow an unauthenticated user to potentially enable denial of service via adjacent access.
Published at: November 23, 2020 at 07:15PM

November 23, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14586

Use after free vulnerability in EDK II may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via adjacent access.
Published at: November 23, 2020 at 07:15PM

November 23, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14575

Logic issue in DxeImageVerificationHandler() for EDK II may allow an authenticated user to potentially enable escalation of privilege via local access.
Published at: November 23, 2020 at 07:15PM

November 23, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14563

Integer truncation in EDK II may allow an authenticated user to potentially enable escalation of privilege via local access.
Published at: November 23, 2020 at 07:15PM

November 23, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-20803

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10; v3.4 versions prior to 3.4.19.
Published at: November 23, 2020 at 08:15PM

November 23, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-16723

In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12364020.
Published at: November 23, 2020 at 11:15PM

November 24, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-16722

In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12360094, a related issue to CVE-2018-16305.
Published at: November 23, 2020 at 11:15PM

November 24, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-16721

In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12360090, a related issue to CVE-2018-16306.
Published at: November 23, 2020 at 11:15PM

November 24, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-16720

In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x1236001c, a related issue to CVE-2018-16304.
Published at: November 23, 2020 at 11:15PM

November 24, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-16719

In Jingyun Antivirus v2.4.2.39, the driver file (hookbody.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x00221482.
Published at: November 23, 2020 at 11:15PM

November 24, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20925

An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15; v3.4 versions prior to 3.4.24.
Published at: November 24, 2020 at 01:15PM

November 24, 2020 at 03:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10763

An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords.
Published at: November 24, 2020 at 07:15PM

November 24, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10762

An information-disclosure flaw was found in the way that gluster-block before 0.5.1 logs the output from gluster-block CLI operations. This includes recording passwords to the cmd_history.log file which is world-readable. This flaw allows local users to obtain sensitive information by reading the log file. The highest threat from this vulnerability is to data confidentiality.
Published at: November 24, 2020 at 07:15PM

November 24, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-9551

An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. There is Remote Code Execution in the management interface via the formSysCmd sysCmd parameter.
Published at: November 24, 2020 at 11:15PM

November 25, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-9550

An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. By sending a specific hel,xasf packet to the WAN interface, it is possible to open the web management interface on the WAN interface.
Published at: November 24, 2020 at 11:15PM

November 25, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13886

Intelbras TIP 200 60.61.75.15, TIP 200 LITE 60.61.75.15, and TIP 300 65.61.75.22 devices allow cgi-bin/cgiServer.exx?page=../ Directory Traversal.
Published at: November 26, 2020 at 07:15PM

November 26, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-12262

Intelbras TIP200 60.61.75.15, TIP200LITE 60.61.75.15, and TIP300 65.61.75.15 devices allow /cgi-bin/cgiServer.exx?page= XSS.
Published at: November 27, 2020 at 02:15AM

November 27, 2020 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19872

An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. The AprolLoader could be used to inject and execute arbitrary unintended commands via an unspecified attack scenario, a different vulnerability than CVE-2019-16364.
Published at: November 27, 2020 at 05:15PM

November 27, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19869

An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. PVs could be changed (unencrypted) by using the IosHttp service and the JSON interface.
Published at: November 27, 2020 at 05:15PM

November 27, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19875

An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. Arbitrary commands could be injected (using Python scripts) via the AprolCluster script that is invoked via sudo and thus executes with root privileges, a different vulnerability than CVE-2019-16364.
Published at: November 27, 2020 at 07:15PM

November 27, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19874

An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. Some web scripts in the web interface allowed injection and execution of arbitrary unintended commands on the web server, a different vulnerability than CVE-2019-16364.
Published at: November 27, 2020 at 07:15PM

November 27, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19873

An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. An attacker can get information from the AprolSqlServer DBMS by bypassing authentication, a different vulnerability than CVE-2019-16356 and CVE-2019-9983.
Published at: November 27, 2020 at 07:15PM

November 27, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-15686

Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting (XSS), which allows remote attackers to steal users’ cookies.
Published at: November 27, 2020 at 08:15PM

November 27, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-15685

Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). An unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.
Published at: November 27, 2020 at 08:15PM

November 27, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-15684

Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system.
Published at: November 27, 2020 at 08:15PM

November 27, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-15683

In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.
Published at: November 27, 2020 at 08:15PM

November 27, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-15682

In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel.
Published at: November 27, 2020 at 08:15PM

November 27, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-15681

In Crafter CMS Crafter Studio 3.0.1 a directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files from the operating system which can lead to RCE.
Published at: November 27, 2020 at 08:15PM

November 27, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-15680

In Crafter CMS Crafter Studio 3.0.1 an IDOR vulnerability exists which allows unauthenticated attackers to view and modify administrative data.
Published at: November 27, 2020 at 08:15PM

November 27, 2020 at 09:36PM

via National Vulnerability Database

