Wednesday, May 26, 2021

Weekly Digest: a new vulnerability is published on the National Vulnerability Database (70 items)

New vulnerabilities from the NVD: CVE-2020-26035

An issue was discovered in Zammad before 3.4.1. There is Stored XSS via a Tags element in a Ticket.
Published at: December 28, 2020 at 10:15AM

December 28, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-26034

An account-enumeration issue was discovered in Zammad before 3.4.1. The Create User functionality is implemented in a way that would enable an anonymous user to guess valid user email addresses. The application responds differently depending on whether the input supplied was recognized as associated with a valid user.
Published at: December 28, 2020 at 10:15AM

December 28, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-26033

An issue was discovered in Zammad before 3.4.1. The Tag and Link REST API endpoints (for add and delete) lack a CSRF token check.
Published at: December 28, 2020 at 10:15AM

December 28, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-26032

An SSRF issue was discovered in Zammad before 3.4.1. The SMS configuration interface for Massenversand is implemented in a way that renders the result of a test request to the User. An attacker can use this to request any URL via a GET request from the network interface of the server. This may lead to disclosure of information from intranet systems.
Published at: December 28, 2020 at 10:15AM

December 28, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-26031

An issue was discovered in Zammad before 3.4.1. The global-search feature leaks Knowledge Base drafts to Knowledge Base readers (who are authenticated but have insufficient permissions).
Published at: December 28, 2020 at 10:15AM

December 28, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-26030

An issue was discovered in Zammad before 3.4.1. There is an authentication bypass in the SSO endpoint via a crafted header, when SSO is not configured. An attacker can create a valid and authenticated session that can be used to perform any actions in the name of other users.
Published at: December 28, 2020 at 10:15AM

December 28, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-26029

An issue was discovered in Zammad before 3.4.1. There are wrong authorization checks for impersonation requests via X-On-Behalf-Of. The authorization checks are performed for the actual user and not the one given in the X-On-Behalf-Of header.
Published at: December 28, 2020 at 10:15AM

December 28, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-26028

An issue was discovered in Zammad before 3.4.1. Admin Users without a ticket.* permission can access Tickets.
Published at: December 28, 2020 at 10:15AM

December 28, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25507

An incorrect permission assignment (chmod 777) of /etc/environment during the installation script of No Magic TeamworkCloud 18.0 through 19.0 allows any local unprivileged user to write to /etc/environment. An attacker can escalate to root by writing arbitrary code to this file, which would be executed by root during the next login, reboot, or sourcing of the environment.
Published at: December 28, 2020 at 10:15PM

December 28, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-24360

An issue with ARP packets in Arista’s EOS affecting the 7800R3, 7500R3, and 7280R3 series of products may result in issues that cause a kernel crash, followed by a device reload. The affected Arista EOS versions are: 4.24.2.4F and below releases in the 4.24.x train; 4.23.4M and below releases in the 4.23.x train; 4.22.6M and below releases in the 4.22.x train.
Published at: December 28, 2020 at 09:15PM

December 28, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-15898

In Arista EOS malformed packets can be incorrectly forwarded across VLAN boundaries in one direction. This vulnerability is only susceptible to exploitation by unidirectional traffic (ex. UDP) and not bidirectional traffic (ex. TCP). This affects: EOS 7170 platforms version 4.21.4.1F and below releases in the 4.21.x train; EOS X-Series versions 4.21.11M and below releases in the 4.21.x train; 4.22.6M and below releases in the 4.22.x train; 4.23.4M and below releases in the 4.23.x train; 4.24.2.1F and below releases in the 4.24.x train.
Published at: December 28, 2020 at 09:15PM

December 28, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14273

HCL Domino v10 and v11 is susceptible to a Denial of Service (DoS) vulnerability due to insufficient validation of input to its public API. An unauthenticated attacker could exploit this vulnerability to crash the Domino server.
Published at: December 28, 2020 at 10:15PM

December 28, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13476

NCH Express Invoice 8.06 to 8.24 is vulnerable to Reflected XSS in the Quotes List module.
Published at: December 29, 2020 at 12:15AM

December 29, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13474

In NCH Express Accounts 8.24 and earlier, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as Add/Edit users.
Published at: December 29, 2020 at 12:15AM

December 29, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13473

NCH Express Accounts 8.24 and earlier allows local users to discover the cleartext password by reading the configuration file.
Published at: December 29, 2020 at 12:15AM

December 29, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25847

This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions of QTS and QuTS hero.
Published at: December 29, 2020 at 09:15AM

December 29, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-17533

Apache Accumulo versions 1.5.0 through 1.10.0 and version 2.0.0 do not properly check the return value of some policy enforcement functions before permitting an authenticated user to perform certain administrative operations. Specifically, the return values of the 'canFlush' and 'canPerformSystemActions' security functions are not checked in some instances, therefore allowing an authenticated user with insufficient permissions to perform the following actions: flushing a table, shutting down Accumulo or an individual tablet server, and setting or removing system-wide Accumulo configuration properties.
Published at: December 29, 2020 at 02:15PM

December 29, 2020 at 03:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-1848

There is a resource management error vulnerability in Jackman-AL00D versions 8.2.0.185(C00R2P1). Local attackers construct malicious application files, causing system applications to run abnormally.
Published at: December 29, 2020 at 08:15PM

December 29, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-16268

The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote authenticated users and local users to gain elevated privileges via the repair option. This applies to installations that have a TRANSFORM (MST) with the option to disable the installation of the Nomad module. An attacker may craft a .reg file in a specific location that will be able to write to any registry key as an elevated user.
Published at: December 29, 2020 at 11:15PM

December 30, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10148

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.
Published at: December 30, 2020 at 12:15AM

December 30, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10210

Because of hard-coded SSH keys for the root user in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series, Kami7B, an attacker may remotely log in through SSH.
Published at: December 30, 2020 at 01:15AM

December 30, 2020 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10209

Command Injection in the CPE WAN Management Protocol (CWMP) registration in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows man-in-the-middle attackers to execute arbitrary commands with root level privileges.
Published at: December 30, 2020 at 02:15AM

December 30, 2020 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10208

Command Injection in EntoneWebEngine in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows authenticated remote attackers to execute arbitrary commands with root user privileges.
Published at: December 30, 2020 at 02:15AM

December 30, 2020 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10207

Use of Hard-coded Credentials in EntoneWebEngine in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows remote attackers to retrieve and modify the device settings.
Published at: December 30, 2020 at 01:15AM

December 30, 2020 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10206

Use of a Hard-coded Password in VNCserver in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows local attackers to view and interact with the video output of the device.
Published at: December 30, 2020 at 02:15AM

December 30, 2020 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-15080

An issue was discovered in a smart contract implementation for MORPH Token through 2019-06-05, an Ethereum token. A typo in the constructor of the Owned contract (which is inherited by MORPH Token) allows attackers to acquire contract ownership. A new owner can subsequently obtain MORPH Tokens for free and can perform a DoS attack.
Published at: December 30, 2020 at 10:15PM

December 30, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-15079

A typo exists in the constructor of a smart contract implementation for EAI through 2019-06-05, an Ethereum token. This vulnerability could be used by an attacker to acquire EAI tokens for free.
Published at: December 30, 2020 at 10:15PM

December 30, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-15078

An issue was discovered in a smart contract implementation for AIRDROPX BORN through 2019-05-29, an Ethereum token. The name of the constructor has a typo (wrong case: XBornID versus XBORNID) that allows an attacker to change the owner of the contract and obtain cryptocurrency for free.
Published at: December 30, 2020 at 10:15PM

December 30, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-12953

Dropbear 2011.54 through 2018.76 has an inconsistent failure delay that may lead to revealing valid usernames, a different issue than CVE-2018-15599.
Published at: December 30, 2020 at 10:15PM

December 30, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-12768

An issue was discovered on D-Link DAP-1650 devices through v1.03b07 before 1.04B02_J65H Hot Fix. Attackers can bypass authentication via forceful browsing.
Published at: December 30, 2020 at 10:15PM

December 30, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11103

JsLink in Webswing before 2.6.12 LTS, and 2.7.x and 20.x before 20.1, allows remote code execution.
Published at: December 30, 2020 at 11:15PM

December 31, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-16747

In MatrixSSL before 4.2.2 Open, the DTLS server can encounter an invalid pointer free (leading to memory corruption and a daemon crash) via a crafted incoming network message, a different vulnerability than CVE-2019-14431.
Published at: December 30, 2020 at 11:15PM

December 31, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-16281

Ptarmigan before 0.2.3 lacks API token validation, e.g., an "if (token === apiToken) {return true;} return false;" code block.
Published at: December 30, 2020 at 11:15PM

December 31, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-15523

An issue was discovered in LINBIT csync2 through 2.0. It does not correctly check for the return value GNUTLS_E_WARNING_ALERT_RECEIVED of the gnutls_handshake() function. It neglects to call this function again, as required by the design of the API.
Published at: December 30, 2020 at 11:15PM

December 31, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-12658

gssproxy (aka gss-proxy) before 0.8.3 does not unlock cond_mutex before pthread exit in gp_worker_main() in gp_workers.c.
Published at: December 31, 2020 at 03:15AM

December 31, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11947

iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker.
Published at: December 31, 2020 at 03:15AM

December 31, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-7726

modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL INSERT statement with raw header data from an HTTP request (e.g., Referer and User-Agent).
Published at: December 31, 2020 at 07:15AM

December 31, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-7725

includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk).
Published at: December 31, 2020 at 07:15AM

December 31, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20808

In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. It occurs in the ati_cursor_define() routine while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.
Published at: December 31, 2020 at 03:15AM

December 31, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-16795

OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/ajax and interface/super, as demonstrated by use of interface/super/manage_site_files.php to upload a .php file.
Published at: December 31, 2020 at 05:15AM

December 31, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-14067

Green Packet WiMax DV-360 2.10.14-g1.0.6.1 devices allow Command Injection, with unauthenticated remote command execution, via a crafted payload to the HTTPS port, because lighttpd listens on all network interfaces (including the external Internet) by default. NOTE: this may overlap CVE-2017-9980.
Published at: December 31, 2020 at 05:15AM

December 31, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-9026

Exponent CMS before 2.6.0 has improper input validation in fileController.php.
Published at: December 31, 2020 at 05:15AM

December 31, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-9025

Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php.
Published at: December 31, 2020 at 05:15AM

December 31, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-9023

Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php.
Published at: December 31, 2020 at 05:15AM

December 31, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-9022

Exponent CMS before 2.6.0 has improper input validation in usersController.php.
Published at: December 31, 2020 at 05:15AM

December 31, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-9021

Exponent CMS before 2.6.0 has improper input validation in storeController.php.
Published at: December 31, 2020 at 05:15AM

December 31, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-25010

An issue was discovered in the failure crate through 2019-11-13 for Rust. Type confusion can occur when __private_get_type_id__ is overridden.
Published at: December 31, 2020 at 12:15PM

December 31, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-25009

An issue was discovered in the http crate before 0.1.20 for Rust. The HeaderMap::Drain API can use a raw pointer, defeating soundness.
Published at: December 31, 2020 at 12:15PM

December 31, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-25008

An issue was discovered in the http crate before 0.1.20 for Rust. HeaderMap::reserve() has an integer overflow that allows attackers to cause a denial of service.
Published at: December 31, 2020 at 12:15PM

December 31, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-25007

An issue was discovered in the streebog crate before 0.8.0 for Rust. The Streebog hash function can cause a panic.
Published at: December 31, 2020 at 12:15PM

December 31, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-25006

An issue was discovered in the streebog crate before 0.8.0 for Rust. The Streebog hash function can produce the wrong answer.
Published at: December 31, 2020 at 12:15PM

December 31, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-25005

An issue was discovered in the chacha20 crate before 0.2.3 for Rust. A ChaCha20 counter overflow makes it easier for attackers to determine plaintext.
Published at: December 31, 2020 at 12:15PM

December 31, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-25004

An issue was discovered in the flatbuffers crate before 0.6.1 for Rust. Arbitrary bytes can be reinterpreted as a bool, defeating soundness.
Published at: December 31, 2020 at 12:15PM

December 31, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-25003

An issue was discovered in the libsecp256k1 crate before 0.3.1 for Rust. Scalar::check_overflow allows a timing side-channel attack; consequently, attackers can obtain sensitive information.
Published at: December 31, 2020 at 12:15PM

December 31, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-25002

An issue was discovered in the sodiumoxide crate before 0.2.5 for Rust. generichash::Digest::eq compares itself to itself and thus has degenerate security properties.
Published at: December 31, 2020 at 12:15PM

December 31, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-25001

An issue was discovered in the serde_cbor crate before 0.10.2 for Rust. The CBOR deserializer can cause stack consumption via nested semantic tags.
Published at: December 31, 2020 at 12:15PM

December 31, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-25001

An issue was discovered in the libpulse-binding crate before 2.5.0 for Rust. proplist::Iterator can cause a use-after-free.
Published at: December 31, 2020 at 12:15PM

December 31, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-19945

A vulnerability has been reported to affect earlier QNAP devices running QTS 4.3.4 to 4.3.6. Caused by improper limitations of a pathname to a restricted directory, this vulnerability allows for renaming arbitrary files on the target system, if exploited. QNAP have already fixed this vulnerability in the following versions: QTS 4.3.6.0895 build 20190328 (and later); QTS 4.3.4.0899 build 20190322 (and later). This issue does not affect QTS 4.4.x or QTS 4.5.x.
Published at: December 31, 2020 at 07:15PM

December 31, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-19944

A cleartext transmission of sensitive information vulnerability has been reported to affect certain QTS devices. If exploited, this vulnerability allows a remote attacker to gain access to sensitive information. QNAP have already fixed this vulnerability in the following versions: QTS 4.4.3.1354 build 20200702 (and later).
Published at: December 31, 2020 at 07:15PM

December 31, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-19941

A vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows an attacker to access sensitive information stored in cleartext inside cookies via certain widely-available tools. QNAP have already fixed this vulnerability in the following versions: QTS 4.5.1.1456 build 20201015 (and later); QuTS hero h4.5.1.1472 build 20201031 (and later); QuTScloud c4.5.2.1379 build 20200730 (and later).
Published at: December 31, 2020 at 07:15PM

December 31, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-20008

The REST/JSON project 7.x-1.x for Drupal allows session enumeration, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
Published at: January 01, 2021 at 02:15AM

January 01, 2021 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-20007

The REST/JSON project 7.x-1.x for Drupal allows session name guessing, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
Published at: January 01, 2021 at 02:15AM

January 01, 2021 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-20006

The REST/JSON project 7.x-1.x for Drupal allows blockage of user logins, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
Published at: January 01, 2021 at 02:15AM

January 01, 2021 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-25002

uploader.php in the KCFinder integration project through 2018-06-01 for Drupal mishandles validation, aka SA-CONTRIB-2018-024. NOTE: This project is not covered by Drupal's security advisory policy.
Published at: January 01, 2021 at 03:15AM

January 01, 2021 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-20001

The AES encryption project 7.x and 8.x for Drupal does not sufficiently prevent attackers from decrypting data, aka SA-CONTRIB-2017-027. NOTE: This project is not covered by Drupal's security advisory policy.
Published at: January 01, 2021 at 03:15AM

January 01, 2021 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-20005

The REST/JSON project 7.x-1.x for Drupal allows user registration bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
Published at: January 01, 2021 at 03:15AM

January 01, 2021 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-20004

The REST/JSON project 7.x-1.x for Drupal allows field access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
Published at: January 01, 2021 at 03:15AM

January 01, 2021 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-20003

The REST/JSON project 7.x-1.x for Drupal allows user enumeration, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
Published at: January 01, 2021 at 03:15AM

January 01, 2021 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-20002

The REST/JSON project 7.x-1.x for Drupal allows comment access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
Published at: January 01, 2021 at 03:15AM

January 01, 2021 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-20001

The REST/JSON project 7.x-1.x for Drupal allows node access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
Published at: January 01, 2021 at 03:15AM

January 01, 2021 at 08:36AM

via National Vulnerability Database

