неделя, 6 юни 2021 г.

Weekly Digest: a new vulnerability is published on the National Vulnerability Database (83 items)

New vulnerabilities from the NVD: CVE-2020-4635

IBM Resilient SOAR 40 and earlier could disclose sensitive information by allowing a user to enumerate usernames.
Published at: March 19, 2021 at 06:15PM
View on website

March 23, 2021 at 07:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-36144

Redash 8.0.0 is affected by LDAP Injection. There is an information leak through the crafting of special queries, escaping the provided template since the username included in the search filter lacks sanitization.
Published at: March 18, 2021 at 10:15PM
View on website

March 23, 2021 at 07:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-35492

A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.
Published at: March 18, 2021 at 09:15PM
View on website

March 23, 2021 at 07:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-28503

The package copy-props before 2.0.5 are vulnerable to Prototype Pollution via the main functionality.
Published at: March 23, 2021 at 12:15PM
View on website

March 23, 2021 at 02:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-12483

The appstore before 8.12.0.0 exposes some of its components, and the attacker can cause remote download and install apps through carefully constructed parameters.
Published at: March 23, 2021 at 07:15PM
View on website

March 23, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-24994

Stack overflow in the parse_tag function in libass/ass_parse.c in libass before 0.14.0 allows remote attackers to cause a denial of service or remote code execution via a crafted file.
Published at: March 23, 2021 at 10:15PM
View on website

March 24, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19343

A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. Versions before undertow 2.0.25.SP1 and jboss-remoting 5.0.14.SP1 are believed to be vulnerable.
Published at: March 23, 2021 at 11:15PM
View on website

March 24, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13612

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: March 24, 2021 at 01:15AM
View on website

March 24, 2021 at 02:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13611

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: March 24, 2021 at 01:15AM
View on website

March 24, 2021 at 02:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13610

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: March 24, 2021 at 01:15AM
View on website

March 24, 2021 at 02:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13609

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: March 24, 2021 at 01:15AM
View on website

March 24, 2021 at 02:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13608

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: March 24, 2021 at 01:15AM
View on website

March 24, 2021 at 02:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13607

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: March 24, 2021 at 01:15AM
View on website

March 24, 2021 at 02:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13606

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: March 24, 2021 at 01:15AM
View on website

March 24, 2021 at 02:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13605

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: March 24, 2021 at 01:15AM
View on website

March 24, 2021 at 02:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13604

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: March 24, 2021 at 01:15AM
View on website

March 24, 2021 at 02:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-15809

spxmanage on certain SpinetiX devices allows requests that access unintended resources because of SSRF and Path Traversal. This affects HMP350, HMP300, and DiVA through 4.5.2-1.0.36229; HMP400 and HMP400W through 4.5.2-1.0.2-1eb2ffbd; and DSOS through 4.5.2-1.0.2-1eb2ffbd.
Published at: March 24, 2021 at 07:15PM
View on website

March 24, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19354

An insecure modification vulnerability in the /etc/passwd file was found in the operator-framework/hadoop as shipped in Red Hat Openshift 4. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.
Published at: March 24, 2021 at 07:15PM
View on website

March 24, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19353

An insecure modification vulnerability in the /etc/passwd file was found in the operator-framework/hive as shipped in Red Hat Openshift 4. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.
Published at: March 24, 2021 at 07:15PM
View on website

March 24, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19352

An insecure modification vulnerability in the /etc/passwd file was found in the operator-framework/presto as shipped in Red Hat Openshift 4. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.
Published at: March 24, 2021 at 07:15PM
View on website

March 24, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19350

An insecure modification vulnerability in the /etc/passwd file was found in the openshift/ansible-service-broker as shipped in Red Hat Openshift 4 and 3.11. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.
Published at: March 24, 2021 at 06:15PM
View on website

March 24, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19349

An insecure modification vulnerability in the /etc/passwd file was found in the container operator-framework/operator-metering as shipped in Red Hat Openshift 4. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.
Published at: March 24, 2021 at 06:15PM
View on website

March 24, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-1946

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.
Published at: March 25, 2021 at 12:15PM
View on website

March 25, 2021 at 02:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-35502

A flaw was found in Privoxy in versions before 3.0.29. Memory leaks when a response is buffered and the buffer limit is reached or Privoxy is running out of memory can lead to a system crash.
Published at: March 25, 2021 at 09:15PM
View on website

March 25, 2021 at 10:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10584

A directory traversal on the /admin/search_by.php script of Invigo Automatic Device Management (ADM) through 5.0 allows remote attackers to read arbitrary server files accessible to the user running the application.
Published at: March 25, 2021 at 10:15PM
View on website

March 26, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10583

The /admin/admapi.php script of Invigo Automatic Device Management (ADM) through 5.0 allows remote authenticated attackers to execute arbitrary OS commands on the server as the user running the application.
Published at: March 25, 2021 at 10:15PM
View on website

March 26, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10582

A SQL injection on the /admin/display_errors.php script of Invigo Automatic Device Management (ADM) through 5.0 allows remote attackers to execute arbitrary SQL requests (including data reading and modification) on the database.
Published at: March 25, 2021 at 10:15PM
View on website

March 26, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10581

Multiple session validity check issues in several administration functionalities of Invigo Automatic Device Management (ADM) through 5.0 allow remote attackers to read potentially sensitive data hosted by the application.
Published at: March 25, 2021 at 10:15PM
View on website

March 26, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10580

A command injection on the /admin/broadcast.php script of Invigo Automatic Device Management (ADM) through 5.0 allows remote authenticated attackers to execute arbitrary PHP code on the server as the user running the application.
Published at: March 25, 2021 at 10:15PM
View on website

March 26, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10579

A directory traversal on the /admin/sysmon.php script of Invigo Automatic Device Management (ADM) through 5.0 allows remote attackers to list the content of arbitrary server directories accessible to the user running the application.
Published at: March 25, 2021 at 10:15PM
View on website

March 26, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-28346

ACRN through 2.2 has a devicemodel/hw/pci/virtio/virtio.c NULL Pointer Dereference.
Published at: March 26, 2021 at 06:15AM
View on website

March 26, 2021 at 07:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-23517

Cross Site Scripting (XSS) vulnerability in Aryanic HighMail (High CMS) versions 2020 and before allows remote attackers to inject arbitrary web script or HTML, via 'user' to LoginForm.
Published at: March 26, 2021 at 05:16AM
View on website

March 26, 2021 at 07:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25840

Cross-Site scripting vulnerability in Micro Focus Access Manager product, affects all version prior to version 5.0. The vulnerability could cause configuration destruction.
Published at: March 26, 2021 at 04:15PM
View on website

March 26, 2021 at 06:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19626

Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.
Published at: March 26, 2021 at 05:15PM
View on website

March 26, 2021 at 06:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19625

Remote Code Execution Vulnerability in tests/support/stores/test_grid_filter.php in oria gridx 1.3, allows remote attackers to execute arbitrary code, via crafted value to the $query parameter.
Published at: March 26, 2021 at 05:15PM
View on website

March 26, 2021 at 06:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25840

Cross-Site scripting vulnerability in Micro Focus Access Manager product, affects all version prior to version 5.0. The vulnerability could cause configuration destruction.
Published at: March 26, 2021 at 04:15PM
View on website

March 26, 2021 at 10:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19626 (craft_cms)

Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.
Published at: March 26, 2021 at 05:15PM
View on website

March 26, 2021 at 10:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19625

Remote Code Execution Vulnerability in tests/support/stores/test_grid_filter.php in oria gridx 1.3, allows remote attackers to execute arbitrary code, via crafted value to the $query parameter.
Published at: March 26, 2021 at 05:15PM
View on website

March 26, 2021 at 10:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25578

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems.
Published at: March 26, 2021 at 11:15PM
View on website

March 27, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25579

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 msdosfs(5) was failing to zero-fill a pair of padding fields in the dirent structure, resulting in a leak of three uninitialized bytes.
Published at: March 26, 2021 at 11:15PM
View on website

March 27, 2021 at 07:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25578

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems.
Published at: March 26, 2021 at 11:15PM
View on website

March 27, 2021 at 07:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19626 (craft_cms)

Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.
Published at: March 26, 2021 at 05:15PM
View on website

March 27, 2021 at 07:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19625

Remote Code Execution Vulnerability in tests/support/stores/test_grid_filter.php in oria gridx 1.3, allows remote attackers to execute arbitrary code, via crafted value to the $query parameter.
Published at: March 26, 2021 at 05:15PM
View on website

March 27, 2021 at 07:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13963 (soplanning)

SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related authentication algorithm, is public. The key for admin is hardcoded in the installation code, and there is no key for publicsp (which is a guest account).
Published at: March 21, 2021 at 11:15PM
View on website

March 27, 2021 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25579

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 msdosfs(5) was failing to zero-fill a pair of padding fields in the dirent structure, resulting in a leak of three uninitialized bytes.
Published at: March 26, 2021 at 11:15PM
View on website

March 27, 2021 at 09:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25578

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems.
Published at: March 26, 2021 at 11:15PM
View on website

March 27, 2021 at 09:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19626 (craft_cms)

Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.
Published at: March 26, 2021 at 05:15PM
View on website

March 27, 2021 at 09:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19625

Remote Code Execution Vulnerability in tests/support/stores/test_grid_filter.php in oria gridx 1.3, allows remote attackers to execute arbitrary code, via crafted value to the $query parameter.
Published at: March 26, 2021 at 05:15PM
View on website

March 27, 2021 at 09:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13963 (soplanning)

SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related authentication algorithm, is public. The key for admin is hardcoded in the installation code, and there is no key for publicsp (which is a guest account).
Published at: March 21, 2021 at 11:15PM
View on website

March 27, 2021 at 11:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25579

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 msdosfs(5) was failing to zero-fill a pair of padding fields in the dirent structure, resulting in a leak of three uninitialized bytes.
Published at: March 26, 2021 at 11:15PM
View on website

March 27, 2021 at 04:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25578

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems.
Published at: March 26, 2021 at 11:15PM
View on website

March 27, 2021 at 04:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19626 (craft_cms)

Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.
Published at: March 26, 2021 at 05:15PM
View on website

March 27, 2021 at 04:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19625

Remote Code Execution Vulnerability in tests/support/stores/test_grid_filter.php in oria gridx 1.3, allows remote attackers to execute arbitrary code, via crafted value to the $query parameter.
Published at: March 26, 2021 at 05:15PM
View on website

March 27, 2021 at 04:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13963 (soplanning)

SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related authentication algorithm, is public. The key for admin is hardcoded in the installation code, and there is no key for publicsp (which is a guest account).
Published at: March 21, 2021 at 11:15PM
View on website

March 27, 2021 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25579

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 msdosfs(5) was failing to zero-fill a pair of padding fields in the dirent structure, resulting in a leak of three uninitialized bytes.
Published at: March 26, 2021 at 11:15PM
View on website

March 27, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25578

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems.
Published at: March 26, 2021 at 11:15PM
View on website

March 27, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19626 (craft_cms)

Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.
Published at: March 26, 2021 at 05:15PM
View on website

March 27, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19625

Remote Code Execution Vulnerability in tests/support/stores/test_grid_filter.php in oria gridx 1.3, allows remote attackers to execute arbitrary code, via crafted value to the $query parameter.
Published at: March 26, 2021 at 05:15PM
View on website

March 27, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13963 (soplanning)

SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related authentication algorithm, is public. The key for admin is hardcoded in the installation code, and there is no key for publicsp (which is a guest account).
Published at: March 21, 2021 at 11:15PM
View on website

March 28, 2021 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25579

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 msdosfs(5) was failing to zero-fill a pair of padding fields in the dirent structure, resulting in a leak of three uninitialized bytes.
Published at: March 26, 2021 at 11:15PM
View on website

March 28, 2021 at 09:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25578

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems.
Published at: March 26, 2021 at 11:15PM
View on website

March 28, 2021 at 09:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19626 (craft_cms)

Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.
Published at: March 26, 2021 at 05:15PM
View on website

March 28, 2021 at 09:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19625

Remote Code Execution Vulnerability in tests/support/stores/test_grid_filter.php in oria gridx 1.3, allows remote attackers to execute arbitrary code, via crafted value to the $query parameter.
Published at: March 26, 2021 at 05:15PM
View on website

March 28, 2021 at 09:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13963 (soplanning)

SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related authentication algorithm, is public. The key for admin is hardcoded in the installation code, and there is no key for publicsp (which is a guest account).
Published at: March 21, 2021 at 11:15PM
View on website

March 28, 2021 at 10:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25579

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 msdosfs(5) was failing to zero-fill a pair of padding fields in the dirent structure, resulting in a leak of three uninitialized bytes.
Published at: March 26, 2021 at 11:15PM
View on website

March 28, 2021 at 11:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25578

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems.
Published at: March 26, 2021 at 11:15PM
View on website

March 28, 2021 at 11:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19626 (craft_cms)

Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.
Published at: March 26, 2021 at 05:15PM
View on website

March 28, 2021 at 11:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19625

Remote Code Execution Vulnerability in tests/support/stores/test_grid_filter.php in oria gridx 1.3, allows remote attackers to execute arbitrary code, via crafted value to the $query parameter.
Published at: March 26, 2021 at 05:15PM
View on website

March 28, 2021 at 11:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13963 (soplanning)

SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related authentication algorithm, is public. The key for admin is hardcoded in the installation code, and there is no key for publicsp (which is a guest account).
Published at: March 21, 2021 at 11:15PM
View on website

March 28, 2021 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25579

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 msdosfs(5) was failing to zero-fill a pair of padding fields in the dirent structure, resulting in a leak of three uninitialized bytes.
Published at: March 26, 2021 at 11:15PM
View on website

March 28, 2021 at 02:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25578

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems.
Published at: March 26, 2021 at 11:15PM
View on website

March 28, 2021 at 02:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19626 (craft_cms)

Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.
Published at: March 26, 2021 at 05:15PM
View on website

March 28, 2021 at 02:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19625

Remote Code Execution Vulnerability in tests/support/stores/test_grid_filter.php in oria gridx 1.3, allows remote attackers to execute arbitrary code, via crafted value to the $query parameter.
Published at: March 26, 2021 at 05:15PM
View on website

March 28, 2021 at 02:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13963 (soplanning)

SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related authentication algorithm, is public. The key for admin is hardcoded in the installation code, and there is no key for publicsp (which is a guest account).
Published at: March 21, 2021 at 11:15PM
View on website

March 28, 2021 at 03:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25579

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 msdosfs(5) was failing to zero-fill a pair of padding fields in the dirent structure, resulting in a leak of three uninitialized bytes.
Published at: March 26, 2021 at 11:15PM
View on website

March 28, 2021 at 06:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25578

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems.
Published at: March 26, 2021 at 11:15PM
View on website

March 28, 2021 at 06:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19626 (craft_cms)

Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.
Published at: March 26, 2021 at 05:15PM
View on website

March 28, 2021 at 06:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19625

Remote Code Execution Vulnerability in tests/support/stores/test_grid_filter.php in oria gridx 1.3, allows remote attackers to execute arbitrary code, via crafted value to the $query parameter.
Published at: March 26, 2021 at 05:15PM
View on website

March 28, 2021 at 06:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13963 (soplanning)

SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related authentication algorithm, is public. The key for admin is hardcoded in the installation code, and there is no key for publicsp (which is a guest account).
Published at: March 21, 2021 at 11:15PM
View on website

March 28, 2021 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25579

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 msdosfs(5) was failing to zero-fill a pair of padding fields in the dirent structure, resulting in a leak of three uninitialized bytes.
Published at: March 26, 2021 at 11:15PM
View on website

March 29, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25578

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems.
Published at: March 26, 2021 at 11:15PM
View on website

March 29, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19626 (craft_cms)

Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.
Published at: March 26, 2021 at 05:15PM
View on website

March 29, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19625

Remote Code Execution Vulnerability in tests/support/stores/test_grid_filter.php in oria gridx 1.3, allows remote attackers to execute arbitrary code, via crafted value to the $query parameter.
Published at: March 26, 2021 at 05:15PM
View on website

March 29, 2021 at 12:36AM

via National Vulnerability Database


Няма коментари:

Публикуване на коментар