Monday, 27 September 2021

Weekly Update: a new vulnerability is published on the National Vulnerability Database (35 items)

New vulnerabilities from the NVD: CVE-2019-20101

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view whitelist rules via a Broken Access Control vulnerability in the /rest/whitelist/<version>/check endpoint. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1.
Published at: September 14, 2021 at 08:15AM

September 14, 2021 at 01:38PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-10941

A vulnerability has been identified in SINEMA Server (All versions < V14 SP3). Missing authentication for functionality that requires administrative user identity could allow an attacker to obtain encoded system configuration backup files. This is only possible through network access to the affected system, and successful exploitation requires no system privileges.
Published at: September 14, 2021 at 02:15PM

September 14, 2021 at 03:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22149

Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging to higher privileged users.
Published at: September 15, 2021 at 03:15PM

September 15, 2021 at 05:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22148

Elastic Enterprise Search App Search versions before 7.14.0 were vulnerable to an issue where API keys were not bound to the same engines as their creator. This could lead to a less privileged user gaining access to unauthorized engines.
Published at: September 15, 2021 at 03:15PM

September 15, 2021 at 05:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22147

Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.
Published at: September 15, 2021 at 03:15PM

September 15, 2021 at 05:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-3960

VMware ESXi (6.7 before ESXi670-202006401-SG and 6.5 before ESXi650-202005401-SG), Workstation (15.x before 15.5.5), and Fusion (11.x before 11.5.5) contain an out-of-bounds read vulnerability in NVMe functionality. A malicious actor with local non-administrative access to a virtual machine with a virtual NVMe controller present may be able to read privileged information contained in physical memory.
Published at: September 15, 2021 at 04:15PM

September 15, 2021 at 05:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-35340

A Directory Traversal vulnerability in ExpertPDF 9.5.0 through 14.1.0 allows attackers to read the file contents from files that the running ExpertPDF process has access to read.
Published at: September 15, 2021 at 03:15PM

September 15, 2021 at 05:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19159

Cross Site Request Forgery (CSRF) in LaikeTui v3 allows remote attackers to execute arbitrary code via the component '/index.php?module=member&action=add'.
Published at: September 15, 2021 at 05:15PM

September 15, 2021 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19158

Cross Site Scripting (XSS) in S-CMS build 20191014 and earlier allows remote attackers to execute arbitrary code via the 'Site Title' parameter of the component '/data/admin/#/app/config/'.
Published at: September 15, 2021 at 05:15PM

September 15, 2021 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19157

Cross Site Scripting (XSS) in Wenku CMS v3.4 allows remote attackers to execute arbitrary code via the 'Intro' parameter for the component '/index.php?m=ucenter&a=index'.
Published at: September 15, 2021 at 05:15PM

September 15, 2021 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19156

Cross Site Scripting (XSS) in Ari Adminer v1 allows remote attackers to execute arbitrary code via the 'Title' parameter of the 'Add New Connections' component when the 'save()' function is called.
Published at: September 15, 2021 at 05:15PM

September 15, 2021 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19155

Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information and/or execute arbitrary code via the 'FileManager.rename()' function in the component 'modules/filemanager/FileManagerController.java'.
Published at: September 15, 2021 at 05:15PM

September 15, 2021 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19154

Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'FileManager.editFile()' function in the component 'modules/filemanager/FileManagerController.java'.
Published at: September 15, 2021 at 05:15PM

September 15, 2021 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19151

Command Injection in Jfinal CMS v4.7.1 and earlier allows remote attackers to execute arbitrary code by uploading a malicious HTML template file via the component 'jfinal_cms/admin/filemanager/list'.
Published at: September 15, 2021 at 05:15PM

September 15, 2021 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19150

Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information or cause a denial of service via the 'FileManager.delete()' function in the component 'modules/filemanager/FileManagerController.java'.
Published at: September 15, 2021 at 05:15PM

September 15, 2021 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19148

Cross Site Scripting (XSS) in Jfinal CMS v4.7.1 and earlier allows remote attackers to execute arbitrary code via the 'Nickname' parameter in the component '/jfinal_cms/front/person/profile.html'.
Published at: September 15, 2021 at 05:15PM

September 15, 2021 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19147

Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'getFolder()' function in the component '/modules/filemanager/FileManager.java'.
Published at: September 15, 2021 at 05:15PM

September 15, 2021 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-19146

Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'TemplatePath' parameter in the component 'jfinal_cms/admin/folder/list'.
Published at: September 15, 2021 at 05:15PM

September 15, 2021 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-21127

MetInfo 7.0.0 contains a SQL injection vulnerability via admin/?n=logs&c=index&a=dodel.
Published at: September 15, 2021 at 08:15PM

September 15, 2021 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-21126

MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF) via admin/?n=admin&c=index&a=doSaveInfo.
Published at: September 15, 2021 at 08:15PM

September 15, 2021 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-21125

An arbitrary file creation vulnerability in UReport 2.2.9 allows attackers to execute arbitrary code.
Published at: September 15, 2021 at 08:15PM

September 15, 2021 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-21124

UReport 2.2.9 allows attackers to execute arbitrary code due to a lack of access control to the designer page.
Published at: September 15, 2021 at 08:15PM

September 15, 2021 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-21122

UReport v2.2.9 contains a Server-Side Request Forgery (SSRF) in the designer page which allows attackers to detect intranet device ports.
Published at: September 15, 2021 at 08:15PM

September 15, 2021 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-21121

Pligg CMS 2.0.2 contains a time-based SQL injection vulnerability via the $recordIDValue parameter in the admin_update_module_widgets.php file.
Published at: September 15, 2021 at 08:15PM

September 15, 2021 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-20012

OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session.
Published at: September 15, 2021 at 11:15PM

September 16, 2021 at 01:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-21321

emlog v6.0 contains a Cross-Site Request Forgery (CSRF) via /admin/link.php?action=addlink, which allows attackers to arbitrarily add articles.
Published at: September 16, 2021 at 01:15AM

September 16, 2021 at 03:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14130

Some js interfaces in the Xiaomi community were exposed, causing sensitive functions to be maliciously called on the Xiaomi community app. Affected version: < 3.0.210809.
Published at: September 16, 2021 at 03:15PM

September 16, 2021 at 05:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14124

There is a buffer overflow in librsa.so called by the getwifipwdurl interface, resulting in code execution on Xiaomi router AX3600 with ROM version =< 1.1.12.
Published at: September 16, 2021 at 04:15PM

September 16, 2021 at 05:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14119

There is command injection in the addMeshNode interface of xqnetwork.lua, which leads to command execution under administrator authority on Xiaomi router AX3600 with ROM version < 1.1.12.
Published at: September 16, 2021 at 04:15PM

September 16, 2021 at 05:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14109

There is command injection in the meshd program in the routing system, resulting in command execution under administrator authority on Xiaomi router AX3600 with ROM version =< 1.1.12.
Published at: September 16, 2021 at 03:15PM

September 16, 2021 at 05:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-9060

An issue was discovered in CMS Made Simple 2.2.8. It is possible to achieve unauthenticated path traversal in the CGExtensions module (in the file action.setdefaulttemplate.php) with the m1_filename parameter; and through the action.showmessage.php file, it is possible to read arbitrary file content (by using that path traversal with m1_prefname set to cg_errormsg and m1_resettodefault=1).
Published at: September 17, 2021 at 07:15PM

September 17, 2021 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-12083

An elevated privileges issue related to Spring MVC calls impacts Code Insight v7.x releases up to and including 2020 R1 (7.11.0-64).
Published at: September 17, 2021 at 09:15PM

September 17, 2021 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-12082

A stored cross-site scripting issue impacts certain areas of the Web UI for Code Insight v7.x releases up to and including 2020 R1 (7.11.0-64).
Published at: September 17, 2021 at 09:15PM

September 17, 2021 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-12080

A Denial of Service vulnerability has been identified in FlexNet Publisher's lmadmin.exe version 11.16.6. A certain message protocol can be exploited to cause lmadmin to crash.
Published at: September 17, 2021 at 09:15PM

September 17, 2021 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-20686

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Published at: September 17, 2021 at 10:15PM

September 17, 2021 at 11:33PM

via National Vulnerability Database


