Weekly Update: a new vulnerability is published on the National Vulnerability Database (8 items)

New vulnerabilities from the NVD: CVE-2020-28593 A unauthenticated backdoor exists in the configuration server functionality of Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0. A specially crafted JSON object can lead to code execution. An attacker can send a malicious packet to trigger this vulnerability. Published at: April 15, 2021 at 05:15PM View on website April 15, 2021 at 07:36PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-28592 A heap-based buffer overflow vulnerability exists in the configuration server functionality of the Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0. A specially crafted JSON object can lead to remote code execution. An attacker can send a malicious packet to trigger this vulnerability. Published at: April 15, 2021 at 05:15PM View on website April 15, 2021 at 07:36PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-27239 An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The assetStatus parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection An attacker can make an authenticated HTTP request to trigger this vulnerability. Published at: April 15, 2021 at 05:15PM View on website April 15, 2021 at 07:36PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-27238 An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The code parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability. Published at: April 15, 2021 at 05:15PM View on website April 15, 2021 at 07:36PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-27237 An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The code parameter in the The nomenclature parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability. Published at: April 15, 2021 at 05:15PM View on website April 15, 2021 at 07:36PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-28898 In QED ResourceXpress through 4.9k, a large numeric or alphanumeric value submitted in specific URL parameters causes a server error in script execution due to insufficient input validation. Published at: April 15, 2021 at 10:15PM View on website April 15, 2021 at 11:36PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2018-19942 A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 build 20210202 (and later) QTS 4.5.1.1456 build 20201015 (and later) QTS 4.3.6.1446 build 20200929 (and later) QTS 4.3.4.1463 build 20201006 (and later) QTS 4.3.3.1432 build 20201006 (and later) QTS 4.2.6 build 20210327 (and later) QuTS hero h4.5.1.1472 build 20201031 (and later) QuTScloud c4.5.4.1601 build 20210309 (and later) QuTScloud c4.5.3.1454 build 20201013 (and later) Published at: April 16, 2021 at 04:15AM View on website April 16, 2021 at 08:36AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-2509 A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS hero h4.5.1.1491 build 20201119 and later Published at: April 17, 2021 at 07:15AM View on website April 17, 2021 at 08:36AM via National Vulnerability Database