четвъртък, 16 март 2023 г.

Fwd: Weekly Digest: a new vulnerability is published on the National Vulnerability Database (52 items)


New vulnerabilities from the NVD: CVE-2022-21797

The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
Published at: September 26, 2022 at 08:15AM
View on website

September 26, 2022 at 01:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2022-21169

The package express-xss-sanitizer before 1.1.3 are vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization.
Published at: September 26, 2022 at 08:15AM
View on website

September 26, 2022 at 01:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2022-1755

The SVG Support WordPress plugin before 2.5 does not properly handle SVG added via an URL, which could allow users with a role as low as author to perform Cross-Site Scripting attacks
Published at: September 26, 2022 at 04:15PM
View on website

September 26, 2022 at 05:34PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2022-1613

The Restricted Site Access WordPress plugin before 7.3.2 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations in certain situations.
Published at: September 26, 2022 at 04:15PM
View on website

September 26, 2022 at 05:34PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-24890

The Scripts Organizer WordPress plugin before 3.0 does not have capability and CSRF checks in the saveScript AJAX action, available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a file
Published at: September 26, 2022 at 04:15PM
View on website

September 26, 2022 at 05:34PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-41437

An HTTP response splitting attack in web application in ASUS RT-AX88U before v3.0.0.4.388.20558 allows an attacker to craft a specific URL that if an authenticated victim visits it, the URL will give access to the cloud storage of the attacker.
Published at: September 26, 2022 at 05:15PM
View on website

September 26, 2022 at 07:34PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2022-22058

Memory corruption due to use after free issue in kernel while processing ION handles in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Published at: September 26, 2022 at 08:15PM
View on website

September 26, 2022 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-28052

A tenant administrator Hitachi Content Platform (HCP) may modify the configuration in another tenant without authorization, potentially allowing unauthorized access to data in the other tenant. Also, a tenant user (non-administrator) may view configuration in another tenant without authorization. This issue affects: Hitachi Vantara Hitachi Content Platform versions prior to 8.3.7; 9.0.0 versions prior to 9.2.3.
Published at: September 26, 2022 at 07:15PM
View on website

September 26, 2022 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-27862

Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length and Ethernet to Wifi frame conversion (and optionally VLAN0 headers).
Published at: September 27, 2022 at 10:15PM
View on website

September 27, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-27861

Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length (and optionally VLAN0 headers)
Published at: September 27, 2022 at 10:15PM
View on website

September 27, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-27854

Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using combinations of VLAN 0 headers, LLC/SNAP headers, and converting frames from Ethernet to Wifi and its reverse.
Published at: September 27, 2022 at 10:15PM
View on website

September 27, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-27853

Layer 2 network filtering capabilities such as IPv6 RA guard or ARP inspection can be bypassed using combinations of VLAN 0 headers and LLC/SNAP headers.
Published at: September 27, 2022 at 09:15PM
View on website

September 27, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-41433

SQL Injection vulnerability exists in version 1.0 of the Resumes Management and Job Application Website application login form by EGavilan Media that allows authentication bypass through login.php.
Published at: September 28, 2022 at 02:15AM
View on website

September 28, 2022 at 03:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2022-22526

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a missing authentication allows for full access via API.
Published at: September 28, 2022 at 05:15PM
View on website

September 28, 2022 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2022-22525

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an remote attacker with admin rights could execute arbitrary commands due to missing input sanitization in the backup restore function
Published at: September 28, 2022 at 05:15PM
View on website

September 28, 2022 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2022-22524

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an unauthenticated remote attacker could utilize a SQL-Injection vulnerability to gain full database access, modify users and stop services .
Published at: September 28, 2022 at 05:15PM
View on website

September 28, 2022 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2022-22523

An improper authentication vulnerability exists in the Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 Web-App which allows an authentication bypass to the context of an unauthorised user if free-access is disabled.
Published at: September 28, 2022 at 05:15PM
View on website

September 28, 2022 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2022-22522

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of hard-coded credentials to gain full access to the device.
Published at: September 28, 2022 at 05:15PM
View on website

September 28, 2022 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-43980

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.
Published at: September 28, 2022 at 05:15PM
View on website

September 28, 2022 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2022-22387

IBM Application Gateway is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 221965.
Published at: September 28, 2022 at 07:15PM
View on website

September 28, 2022 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-41434

A stored Cross-Site Scripting (XSS) vulnerability exists in version 1.0 of the Expense Management System application that allows for arbitrary execution of JavaScript commands through index.php.
Published at: September 28, 2022 at 08:15PM
View on website

September 28, 2022 at 09:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2022-1270

In GraphicsMagick, a heap buffer overflow was found when parsing MIFF.
Published at: September 28, 2022 at 11:15PM
View on website

September 29, 2022 at 01:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20247

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during the year 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20246

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during the year 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20245

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during the year 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20244

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during the year 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20243

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20242

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during the year 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20241

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20240

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during the year 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20239

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20238

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during the year 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20237

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20236

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20235

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20234

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20233

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during the year 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20232

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during the year 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20231

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during the year 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20230

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20229

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during the year 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20228

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during the year 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20227

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Published at: September 29, 2022 at 07:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2016-2338

An exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In Psych::Emitter start_document function heap buffer "head" allocation is made based on tags array length. Specially constructed object passed as element of tags array can increase this array size after mentioned allocation and cause heap overflow.
Published at: September 29, 2022 at 06:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-1931

IBM Java Security Components in IBM SDK, Java Technology Edition 8 before SR1 FP10, 7 R1 before SR3 FP10, 7 before SR9 FP10, 6 R1 before SR8 FP7, 6 before SR16 FP7, and 5.0 before SR16 FP13 stores plaintext information in memory dumps, which allows local users to obtain sensitive information by reading a file.
Published at: September 29, 2022 at 06:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2014-0148

Qemu before 2.0 block driver for Hyper-V VHDX Images is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for block_size and logical_sector_size variables. These are used to derive other fields like 'sectors_per_block' etc. A user able to alter the Qemu disk image could ise this flaw to crash the Qemu instance resulting in DoS.
Published at: September 29, 2022 at 06:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2014-0147

Qemu before 1.6.2 block diver for the various disk image formats used by Bochs and for the QCOW version 2 format, are vulnerable to a possible crash caused by signed data types or a logic error while creating QCOW2 snapshots, which leads to incorrectly calling update_refcount() routine.
Published at: September 29, 2022 at 06:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2014-0144

QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host with the privileges of the QEMU process.
Published at: September 29, 2022 at 06:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-4818

IBM InfoSphere Information Server 8.1, 8.5, and 8,7 could allow a remote authenticated attacker to obtain sensitive information, caused by improper restrictions on directories. An attacker could exploit this vulnerability via the DataStage application to load or import content functionality to view arbitrary files on the system.
Published at: September 29, 2022 at 06:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-2201

IBM WebSphere MQ 7.1 is vulnerable to a denial of service, caused by an error when handling user ids. A remote attacker could exploit this vulnerability to bypass the security configuration setup on a SVRCONN channel and flood the queue manager.
Published at: September 29, 2022 at 06:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-2160

IBM Rational Change 5.3 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the SUPP_TEMPLATE_FLAG parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Published at: September 29, 2022 at 06:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-4820

IBM Rational Asset Manager 7.5 could allow a remote attacker to bypass security restrictions. An attacker could exploit this vulnerability using the UID parameter to modify another user's preferences.
Published at: September 29, 2022 at 06:15AM
View on website

September 29, 2022 at 08:33AM

via National Vulnerability Database


Няма коментари:

Публикуване на коментар