четвъртък, 16 март 2023 г.

Weekly Digest: a new vulnerability is published on the National Vulnerability Database (42 items)



New vulnerabilities from the NVD: CVE-2021-43943

Affected versions of Atlassian Jira Service Management Server and Data Center allow attackers with administrator privileges to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the "Object Schema" field of /secure/admin/InsightDefaultCustomFieldConfig.jspa. The affected versions are before version 4.21.0.
Published at: February 24, 2022 at 07:15AM
View on website

February 24, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-35689

A potential vulnerability in the Oracle Talent Acquisition Cloud - Taleo Enterprise Edition. This high severity potential vulnerability allows attackers to perform remote code execution on Taleo Enterprise Edition system. Successful attacks of this vulnerability can result in unauthorized remote code execution within Taleo Enterprise Edition and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Talent Acquisition Cloud - Taleo Enterprise Edition. All affected customers were notified of CVE-2021-35689 by Oracle.
Published at: February 24, 2022 at 05:15AM
View on website

February 24, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-26092

Failure to sanitize input in the SSL VPN web portal of FortiOS 5.2.10 through 5.2.15, 5.4.0 through 5.4.13, 5.6.0 through 5.6.14, 6.0.0 through 6.0.12, 6.2.0 through 6.2.7, 6.4.0 through 6.4.4; and FortiProxy 1.2.0 through 1.2.9, 2.0.0 through 2.0.1 may allow a remote unauthenticated attacker to perform a reflected Cross-site Scripting (XSS) attack by sending a request to the error page with malicious GET parameters.
Published at: February 24, 2022 at 05:15AM
View on website

February 24, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-3876

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2021. Notes: none.
Published at: February 24, 2022 at 05:15PM
View on website

February 24, 2022 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-3873

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2021. Notes: none.
Published at: February 24, 2022 at 05:15PM
View on website

February 24, 2022 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-3871

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2021. Notes: none.
Published at: February 24, 2022 at 05:15PM
View on website

February 24, 2022 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-3870

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2021. Notes: none.
Published at: February 24, 2022 at 05:15PM
View on website

February 24, 2022 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-3868

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2021. Notes: none.
Published at: February 24, 2022 at 05:15PM
View on website

February 24, 2022 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-3867

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2021. Notes: none.
Published at: February 24, 2022 at 05:15PM
View on website

February 24, 2022 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-25636

LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to contain both "X509Data" and "KeyValue" children of the "KeyInfo" tag, which when opened caused LibreOffice to verify using the "KeyValue" but to report verification with the unrelated "X509Data" value. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.5.
Published at: February 24, 2022 at 05:15PM
View on website

February 24, 2022 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-27467

A Directory Traversal vulnerability exits in Processwire CMS before 2.7.1 via the download parameter to index.php.
Published at: February 24, 2022 at 05:15PM
View on website

February 24, 2022 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-25058

An issue was discovered in USBGuard before 1.1.0. On systems with the usbguard-dbus daemon running, an unprivileged user could make USBGuard allow all USB devices to be connected in the future.
Published at: February 24, 2022 at 05:15PM
View on website

February 24, 2022 at 07:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-26252

A flaw was found in htmldoc in v1.9.12. Heap buffer overflow in pspdf_prepare_page(),in ps-pdf.cxx may lead to execute arbitrary code and denial of service.
Published at: February 24, 2022 at 09:15PM
View on website

February 24, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14504

The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request that may allow for modification of the configuration settings.
Published at: February 24, 2022 at 09:15PM
View on website

February 24, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14502

The web interface of the 1734-AENTR communication module is vulnerable to stored XSS. A remote, unauthenticated attacker could store a malicious script within the web interface that, when executed, could modify some string values on the homepage of the web interface.
Published at: February 24, 2022 at 09:15PM
View on website

February 24, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14481

The DeskLock tool provided with FactoryTalk View SE uses a weak encryption algorithm that may allow a local, authenticated attacker to decipher user credentials, including the Windows user or Windows DeskLock passwords. If the compromised user has an administrative account, an attacker could gain full access to the user’s operating system and certain components of FactoryTalk View SE.
Published at: February 24, 2022 at 09:15PM
View on website

February 24, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14480

Due to usernames/passwords being stored in plaintext in Random Access Memory (RAM), a local, authenticated attacker could gain access to certain credentials, including Windows Logon credentials.
Published at: February 24, 2022 at 09:15PM
View on website

February 24, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14478

A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. A successful exploit could potentially cause a denial-of-service condition and allow the attacker to arbitrarily read any local file via system-level services.
Published at: February 24, 2022 at 09:15PM
View on website

February 24, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10640

Emerson OpenEnterprise versions through 3.3.4 may allow an attacker to run an arbitrary commands with system privileges or perform remote code execution via a specific communication service.
Published at: February 24, 2022 at 09:15PM
View on website

February 24, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10636

Inadequate encryption may allow the passwords for Emerson OpenEnterprise versions through 3.3.4 user accounts to be obtained.
Published at: February 24, 2022 at 09:15PM
View on website

February 24, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10635

Simulation models for KUKA.Sim Pro version 3.1 are hosted by a server maintained by KUKA. When these devices request a model, the server transmits the model in plaintext.
Published at: February 24, 2022 at 09:15PM
View on website

February 24, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10632

Inadequate folder security permissions in Emerson OpenEnterprise versions through 3.3.4 may allow modification of important configuration files, which could cause the system to fail or behave in an unpredictable manner.
Published at: February 24, 2022 at 09:15PM
View on website

February 24, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-23495

The package karma before 6.3.16 are vulnerable to Open Redirect due to missing validation of the return_url query parameter.
Published at: February 25, 2022 at 10:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22489

There is a DoS vulnerability in smartphones. Successful exploitation of this vulnerability may affect service availability.
Published at: February 25, 2022 at 09:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22480

The interface of a certain HarmonyOS module has an integer overflow vulnerability. Successful exploitation of this vulnerability may lead to heap memory overflow.
Published at: February 25, 2022 at 09:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22479

The interface of a certain HarmonyOS module has an invalid address access vulnerability. Successful exploitation of this vulnerability may lead to kernel crash.
Published at: February 25, 2022 at 09:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22478

The interface of a certain HarmonyOS module has a UAF vulnerability. Successful exploitation of this vulnerability may lead to information leakage.
Published at: February 25, 2022 at 09:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22448

There is an improper verification vulnerability in smartphones. Successful exploitation of this vulnerability may cause unauthorized read and write of some files.
Published at: February 25, 2022 at 09:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22441

Some Huawei products have an integer overflow vulnerability. Successful exploitation of this vulnerability may lead to kernel crash.
Published at: February 25, 2022 at 09:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22437

There is a software integer overflow leading to a TOCTOU condition in smartphones. Successful exploitation of this vulnerability may cause random address access.
Published at: February 25, 2022 at 09:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22434

There is a memory address out of bounds vulnerability in smartphones. Successful exploitation of this vulnerability may cause malicious code to be executed.
Published at: February 25, 2022 at 09:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22433

There is a memory address out of bounds in smartphones. Successful exploitation of this vulnerability may cause malicious code to be executed.
Published at: February 25, 2022 at 09:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22432

There is a vulnerability when configuring permission isolation in smartphones. Successful exploitation of this vulnerability may cause out-of-bounds access.
Published at: February 25, 2022 at 09:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22431

There is a vulnerability when configuring permission isolation in smartphones. Successful exploitation of this vulnerability may cause out-of-bounds access.
Published at: February 25, 2022 at 09:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22430

There is a logic bypass vulnerability in smartphones. Successful exploitation of this vulnerability may cause code injection.
Published at: February 25, 2022 at 09:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22429

There is a memory address out of bounds in smartphones. Successful exploitation of this vulnerability may cause malicious code to be executed.
Published at: February 25, 2022 at 09:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22426

There is a memory address out of bounds in smartphones. Successful exploitation of this vulnerability may cause malicious code to be executed.
Published at: February 25, 2022 at 09:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22395

There is a code injection vulnerability in smartphones. Successful exploitation of this vulnerability may affect service confidentiality.
Published at: February 25, 2022 at 09:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22394

There is a buffer overflow vulnerability in smartphones. Successful exploitation of this vulnerability may cause DoS of the apps during Multi-Screen Collaboration.
Published at: February 25, 2022 at 09:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2021-22319

There is an improper verification vulnerability in smartphones. Successful exploitation of this vulnerability may cause integer overflows.
Published at: February 25, 2022 at 09:15PM
View on website

February 25, 2022 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-36516

An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session or terminate that session.
Published at: February 26, 2022 at 06:15AM
View on website

February 26, 2022 at 08:33AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-27958

The Job Composer app in Ohio Supercomputer Center Open OnDemand before 1.7.19 and 1.8.x before 1.8.18 allows remote authenticated users to provide crafted input in a job template.
Published at: February 26, 2022 at 10:15PM
View on website

February 26, 2022 at 11:33PM

via National Vulnerability Database


Няма коментари:

Публикуване на коментар