вторник, 10 август 2021 г.

Weekly Update: a new vulnerability is published on the National Vulnerability Database (42 items)

New vulnerabilities from the NVD: CVE-2020-21133

SQL Injection vulnerability in Metinfo 7.0.0 beta in member/getpassword.php?lang=cn&a=dovalid.
Published at: July 12, 2021 at 04:15PM
View on website

July 12, 2021 at 05:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-21132

SQL Injection vulnerability in Metinfo 7.0.0beta in index.php.
Published at: July 12, 2021 at 04:15PM
View on website

July 12, 2021 at 05:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-21131

SQL Injection vulnerability in MetInfo 7.0.0beta via admin/?n=language&c=language_web&a=doAddLanguage.
Published at: July 12, 2021 at 04:15PM
View on website

July 12, 2021 at 05:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-18980

Remote Code Executon vulnerability in Halo 0.4.3 via the remoteAddr and themeName parameters.
Published at: July 12, 2021 at 06:15PM
View on website

July 12, 2021 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-18979

Cross Siste Scripting (XSS) vulnerablity in Halo 0.4.3 via theX-forwarded-for Header parameter.
Published at: July 12, 2021 at 06:15PM
View on website

July 12, 2021 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19204

Lightning Wire Labs IPFire 2.21 (x86_64) - Core Update 130 is affected by: Cross Site Scripting (XSS). The impact is: Session Hijacking (local). The component is: Affected at Routing configuration via the "Remark" text box or "remark" parameter. The attack vector is: Attacker need to craft the malicious javascript code.
Published at: July 12, 2021 at 07:15PM
View on website

July 12, 2021 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19203

Netgate pfSense Community Edition 2.4.4 - p2 (arm64) is affected by: Cross Site Scripting (XSS). The impact is: Session Hijacking, Information Leakage (local). The component is: pfSense Dashboard, Work-on-LAN Service configuration. The attack vector is: Inject the malicious JavaScript code in Description text box or parameter.
Published at: July 12, 2021 at 07:15PM
View on website

July 12, 2021 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19201

Netgate pfSense 2.4.4 - p2 is affected by: Cross Site Scripting (XSS). The impact is: Authenticated Stored XSS in NAT Configuration (local). The component is: Description Text box, Status/Reload Filter Page. The attack vector is: An attacker get access to the victim's session by performing the CSRF and gather the cookie and session ids or possibly can change the victims NAT configuration using this Stored XSS. This attack can possibly spoof the victim's informations.
Published at: July 12, 2021 at 07:15PM
View on website

July 12, 2021 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19038

File Deletion vulnerability in Halo 0.4.3 via delBackup.
Published at: July 12, 2021 at 08:15PM
View on website

July 12, 2021 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19037

Incorrect Access Control vulnearbility in Halo 0.4.3, which allows a malicious user to bypass encrption to view encrpted articles via cookies.
Published at: July 12, 2021 at 08:15PM
View on website

July 12, 2021 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-18982

Cross Sie Scripting (XSS) vulnerability in Halo 0.4.3 via CommentAuthorUrl.
Published at: July 12, 2021 at 08:15PM
View on website

July 12, 2021 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19907

A command injection vulnerability in the sandcat plugin of Caldera 2.3.1 and earlier allows authenticated attackers to execute any command or service.
Published at: July 12, 2021 at 11:15PM
View on website

July 13, 2021 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-18544

SQL Injection in WMS v1.0 allows remote attackers to execute arbitrary code via the "username" parameter in the component "chkuser.php".
Published at: July 12, 2021 at 11:15PM
View on website

July 13, 2021 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11307

Buffer overflow in modem due to improper array index check before copying into it in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wearables
Published at: July 13, 2021 at 09:15AM
View on website

July 13, 2021 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-20250

Mikrotik RouterOs before stable version 6.47 suffers from a memory corruption vulnerability in the /nova/bin/lcdstat process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference). NOTE: this is different from CVE-2020-20253 and CVE-2020-20254. All four vulnerabilities in the /nova/bin/lcdstat process are discussed in the CVE-2020-20250 github.com/cq674350529 reference.
Published at: July 13, 2021 at 03:15PM
View on website

July 13, 2021 at 05:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-20252

Mikrotik RouterOs before stable version 6.47 suffers from a memory corruption vulnerability in the /nova/bin/lcdstat process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).
Published at: July 13, 2021 at 09:15PM
View on website

July 13, 2021 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19722

An unhandled memory allocation failure in Core/Ap4Atom.cpp of Bento 1.5.1-628 causes a direct copy to NULL pointer dereference, leading to a denial of service (DOS).
Published at: July 14, 2021 at 01:15AM
View on website

July 14, 2021 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19721

A heap buffer overflow vulnerability in Ap4TrunAtom.cpp of Bento 1.5.1-628 may lead to an out-of-bounds write while running mp42aac, leading to system crashes and a denial of service (DOS).
Published at: July 14, 2021 at 01:15AM
View on website

July 14, 2021 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19720

An unhandled memory allocation failure in Core/AP4IkmsAtom.cpp of Bento 1.5.1-628 causes a NULL pointer dereference, leading to a denial of service (DOS).
Published at: July 14, 2021 at 01:15AM
View on website

July 14, 2021 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19719

A buffer overflow vulnerability in Ap4ElstAtom.cpp of Bento 1.5.1-628 leads to a denial of service (DOS).
Published at: July 14, 2021 at 01:15AM
View on website

July 14, 2021 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19718

An unhandled memory allocation failure in Core/Ap4Atom.cpp of Bento 1.5.1-628 causes a NULL pointer dereference, leading to a denial of service (DOS).
Published at: July 14, 2021 at 01:15AM
View on website

July 14, 2021 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19717

An unhandled memory allocation failure in Core/Ap48bdlAtom.cpp of Bento 1.5.1-628 causes a NULL pointer dereference, leading to a denial of service (DOS).
Published at: July 14, 2021 at 01:15AM
View on website

July 14, 2021 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19716

A buffer overflow vulnerability in the Databuf function in types.cpp of Exiv2 v0.27.1 leads to a denial of service (DOS).
Published at: July 14, 2021 at 01:15AM
View on website

July 14, 2021 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19715

An integer overflow vulnerability in the getUShort function of Exiv2 0.27.1 results in segmentation faults within the application, leading to a denial of service (DOS).
Published at: July 14, 2021 at 01:15AM
View on website

July 14, 2021 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-0417

In setNiNotification of GpsNetInitiatedHandler.java, there is a possible permissions bypass due to an empty mutable PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-8.1 Android-9Android ID: A-154319182
Published at: July 14, 2021 at 05:15PM
View on website

July 14, 2021 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-11098

Insufficient input validation in MdeModulePkg in EDKII may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access.
Published at: July 14, 2021 at 05:15PM
View on website

July 14, 2021 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-18144

SQL Injection Vulnerability in ECTouch v2 via the integral_min parameter in index.php.
Published at: July 14, 2021 at 08:15PM
View on website

July 14, 2021 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-18151

Cross Site Request Forgerly (CSRF) vulnerability in ThinkCMF v5.1.0, which can add an admin account.
Published at: July 14, 2021 at 10:15PM
View on website

July 14, 2021 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-18145

Cross Site Scripting (XSS) vulnerability in umeditor v1.2.3 via /public/common/umeditor/php/getcontent.php.
Published at: July 14, 2021 at 09:15PM
View on website

July 14, 2021 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-18155

SQL Injection vulnerability in Subrion CMS v4.2.1 in the search page if a website uses a PDO connection.
Published at: July 14, 2021 at 11:15PM
View on website

July 15, 2021 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-15496

Acronis True Image for Mac before 2021 Update 4 allowed local privilege escalation due to insecure folder permissions.
Published at: July 15, 2021 at 05:15PM
View on website

July 15, 2021 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-15495

Acronis True Image 2019 update 1 through 2020 on macOS allows local privilege escalation due to an insecure XPC service configuration.
Published at: July 15, 2021 at 06:15PM
View on website

July 15, 2021 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-12731

The MagicMotion Flamingo 2 application for Android stores data on an sdcard under com.vt.magicmotion/files/Pictures, whence it can be read by other applications.
Published at: July 15, 2021 at 06:15PM
View on website

July 15, 2021 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-12730

MagicMotion Flamingo 2 lacks BLE encryption, enabling data sniffing and packet forgery.
Published at: July 15, 2021 at 06:15PM
View on website

July 15, 2021 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-12729

MagicMotion Flamingo 2 has a lack of access control for reading from device descriptors.
Published at: July 15, 2021 at 06:15PM
View on website

July 15, 2021 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-12734

DEPSTECH WiFi Digital Microscope 3 allows remote attackers to change the SSID and password, and demand a ransom payment from the rightful device owner, because there is no way to reset to Factory Default settings.
Published at: July 15, 2021 at 07:15PM
View on website

July 15, 2021 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-12733

Certain Shenzhen PENGLIXIN components on DEPSTECH WiFi Digital Microscope 3, as used by Shekar Endoscope, allow a TELNET connection with the molinkadmin password for the molink account.
Published at: July 15, 2021 at 07:15PM
View on website

July 15, 2021 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-12732

DEPSTECH WiFi Digital Microscope 3 has a default SSID of Jetion_xxxxxxxx with a password of 12345678.
Published at: July 15, 2021 at 07:15PM
View on website

July 15, 2021 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11633

The Zscaler Client Connector for Windows prior to 2.1.2.74 had a stack based buffer overflow when connecting to misconfigured TLS servers. An adversary would potentially have been able to execute arbitrary code with system privileges.
Published at: July 15, 2021 at 09:15PM
View on website

July 15, 2021 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11634

The Zscaler Client Connector for Windows prior to 2.1.2.105 had a DLL hijacking vulnerability caused due to the configuration of OpenSSL. A local adversary may be able to execute arbitrary code in the SYSTEM context.
Published at: July 15, 2021 at 11:15PM
View on website

July 16, 2021 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11632

The Zscaler Client Connector prior to 2.1.2.150 did not quote the search path for services, which allows a local adversary to execute code with system privileges.
Published at: July 15, 2021 at 11:15PM
View on website

July 16, 2021 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-3752

Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2 and 19.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1, 2.2, 2.3 and 2.4. contain an XML External Entity(XXE) Injection vulnerability. A remote unauthenticated malicious user could potentially exploit this vulnerability to cause Denial of Service or information exposure by supplying specially crafted document type definitions (DTDs) in an XML request.
Published at: July 17, 2021 at 01:15AM
View on website

July 17, 2021 at 03:36AM

via National Vulnerability Database

pi

Няма коментари:

Публикуване на коментар