Friday, September 24, 2021

Weekly Update: new vulnerabilities published on the National Vulnerability Database (27 items)

New vulnerabilities from the NVD: CVE-2020-15744

Stack-based Buffer Overflow vulnerability in the ONVIF server component of Victure PC420 smart camera allows an attacker to execute remote code on the target device. This issue affects: Victure PC420 firmware version 1.2.2 and prior versions.
Published at: August 30, 2021 at 01:15PM

August 30, 2021 at 03:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-18127

An issue in the /config/config.php component of Indexhibit 2.1.5 allows attackers to arbitrarily view files.
Published at: August 30, 2021 at 09:15PM

August 30, 2021 at 11:33PM



New vulnerabilities from the NVD: CVE-2020-18126

Multiple stored cross-site scripting (XSS) vulnerabilities in the Sections module of Indexhibit 2.1.5 allow attackers to execute arbitrary web scripts or HTML.
Published at: August 30, 2021 at 09:15PM

August 30, 2021 at 11:33PM



New vulnerabilities from the NVD: CVE-2020-18125

A reflected cross-site scripting (XSS) vulnerability in the /plugin/ajax.php component of Indexhibit 2.1.5 allows attackers to execute arbitrary web scripts or HTML.
Published at: August 30, 2021 at 09:15PM

August 30, 2021 at 11:33PM



New vulnerabilities from the NVD: CVE-2020-18124

A cross-site request forgery (CSRF) vulnerability in Indexhibit 2.1.5 allows attackers to arbitrarily reset account passwords.
Published at: August 30, 2021 at 09:15PM

August 30, 2021 at 11:33PM



New vulnerabilities from the NVD: CVE-2020-18123

A cross-site request forgery (CSRF) vulnerability in Indexhibit 2.1.5 allows attackers to arbitrarily delete admin accounts.
Published at: August 30, 2021 at 09:15PM

August 30, 2021 at 11:33PM



New vulnerabilities from the NVD: CVE-2020-18121

A configuration issue in Indexhibit 2.1.5 allows authenticated attackers to modify .php files, leading to getshell.
Published at: August 30, 2021 at 09:15PM

August 30, 2021 at 11:33PM



New vulnerabilities from the NVD: CVE-2020-13639

A stored XSS vulnerability was discovered in the ECT Provider in OutSystems before 2020-09-04, affecting generated applications. It could allow an unauthenticated remote attacker to craft and store malicious Feedback content into /ECT_Provider/, such that when the content is viewed (it can only be viewed by Administrators), attacker-controlled JavaScript will execute in the security context of an administrator's browser. This is fixed in OutSystems 10.0.1005.2, OutSystems 11.9.0 Platform Server, and OutSystems 11.7.0 LifeTime Management Console.
Published at: August 31, 2021 at 07:15AM

August 31, 2021 at 08:33AM



New vulnerabilities from the NVD: CVE-2020-19049

Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Description" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'.
Published at: August 31, 2021 at 05:15PM

August 31, 2021 at 07:33PM



New vulnerabilities from the NVD: CVE-2020-19048

Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Title" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'.
Published at: August 31, 2021 at 05:15PM

August 31, 2021 at 07:33PM



New vulnerabilities from the NVD: CVE-2020-19047

Cross Site Request Forgery (CSRF) in iWebShop v5.3 allows remote attackers to execute arbitrary code via malicious POST request to the component '/index.php?controller=system&action=admin_edit_act'.
Published at: August 31, 2021 at 05:15PM

August 31, 2021 at 07:33PM



New vulnerabilities from the NVD: CVE-2020-19046

Cross Site Scripting (XSS) in S-CMS v1.0 allows remote attackers to execute arbitrary code via the component '/admin/tpl.php?page='.
Published at: August 31, 2021 at 05:15PM

August 31, 2021 at 07:33PM



New vulnerabilities from the NVD: CVE-2020-20486

IEC104 v1.0 contains a stack-buffer overflow in the parameter Iec10x_Sta_Addr.
Published at: September 01, 2021 at 02:15AM

September 01, 2021 at 03:33AM



New vulnerabilities from the NVD: CVE-2020-20495

bludit v3.13.0 contains an arbitrary file deletion vulnerability in the backup plugin via the 'deleteBackup' parameter.
Published at: September 01, 2021 at 03:15AM

September 01, 2021 at 08:37AM



New vulnerabilities from the NVD: CVE-2020-9002

An issue was discovered in iPortalis iCS 7.1.13.0. An attacker can gain privileges by intercepting a request and changing UserRoleKey=COMPANY_ADMIN to UserRoleKey=DOMAIN_ADMIN (to achieve Domain Administrator access).
Published at: September 01, 2021 at 02:15PM

September 01, 2021 at 03:34PM



New vulnerabilities from the NVD: CVE-2020-9000

An issue was discovered in iPortalis iCS 7.1.13.0. Attackers can send a sequence of requests to rapidly cause .NET Input Validation errors. This increases the size of the log file on the remote server until memory is exhausted, therefore consuming the maximum amount of resources (triggering a denial of service condition).
Published at: September 01, 2021 at 02:15PM

September 01, 2021 at 03:34PM



New vulnerabilities from the NVD: CVE-2020-20341

YzmCMS v5.5 contains a server-side request forgery (SSRF) in the grab_image() function.
Published at: September 01, 2021 at 11:15PM

September 02, 2021 at 01:33AM



New vulnerabilities from the NVD: CVE-2020-20340

A SQL injection vulnerability in the 4.edu.php\conn\function.php component of S-CMS v1.0 allows attackers to access sensitive database information.
Published at: September 01, 2021 at 11:15PM

September 02, 2021 at 01:34AM



New vulnerabilities from the NVD: CVE-2020-20349

WTCMS 1.0 contains a stored cross-site scripting (XSS) vulnerability in the link address field under the background links module.
Published at: September 02, 2021 at 01:15AM

September 02, 2021 at 03:36AM



New vulnerabilities from the NVD: CVE-2020-20348

WTCMS 1.0 contains a stored cross-site scripting (XSS) vulnerability in the link field under the background menu management module.
Published at: September 02, 2021 at 01:15AM

September 02, 2021 at 03:36AM



New vulnerabilities from the NVD: CVE-2020-20347

WTCMS 1.0 contains a stored cross-site scripting (XSS) vulnerability in the source field under the article management module.
Published at: September 02, 2021 at 01:15AM

September 02, 2021 at 03:36AM



New vulnerabilities from the NVD: CVE-2020-20345

WTCMS 1.0 contains a reflective cross-site scripting (XSS) vulnerability in the page management background which allows attackers to obtain cookies via a crafted payload entered into the search box.
Published at: September 02, 2021 at 01:15AM

September 02, 2021 at 03:36AM



New vulnerabilities from the NVD: CVE-2020-20344

WTCMS 1.0 contains a reflective cross-site scripting (XSS) vulnerability in the keyword search function under the background articles module.
Published at: September 02, 2021 at 01:15AM

September 02, 2021 at 03:36AM



New vulnerabilities from the NVD: CVE-2020-20343

WTCMS 1.0 contains a cross-site request forgery (CSRF) vulnerability in the index.php?g=admin&m=nav&a=add_post component that allows attackers to arbitrarily add articles in the administrator background.
Published at: September 02, 2021 at 01:15AM

September 02, 2021 at 03:36AM



New vulnerabilities from the NVD: CVE-2020-13929

Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. This issue affects Apache Zeppelin version 0.9.0 and prior versions.
Published at: September 02, 2021 at 08:15PM

September 02, 2021 at 09:34PM



New vulnerabilities from the NVD: CVE-2019-10095

Bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin version 0.9.0 and prior versions.
Published at: September 02, 2021 at 08:15PM

September 02, 2021 at 09:34PM



New vulnerabilities from the NVD: CVE-2020-18048

An issue in craigms/main.php of CraigMS 1.0 allows attackers to execute arbitrary commands via a crafted input entered into the DB Name field.
Published at: September 02, 2021 at 09:15PM

September 02, 2021 at 11:42PM


