понеделник, 12 октомври 2020 г.

Weekly Update: a new vulnerability is published on the National Vulnerability Database (69 items)



New vulnerabilities from the NVD: CVE-2019-20414

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
Published at: June 29, 2020 at 10:15AM
View on website

June 29, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20413

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability on the UserPickerBrowser.jspa page. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
Published at: June 29, 2020 at 09:15AM
View on website

June 29, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20412

The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
Published at: June 29, 2020 at 09:15AM
View on website

June 29, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20411

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
Published at: June 29, 2020 at 09:15AM
View on website

June 29, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20410

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from version 7.7.0 before 7.13.9, and from version 8.0.0 before 8.4.2.
Published at: June 29, 2020 at 09:15AM
View on website

June 29, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-3681

A External Control of File Name or Path vulnerability in osc of SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Software Development Kit 12-SP5, SUSE Linux Enterprise Software Development Kit 12-SP4; openSUSE Leap 15.1, openSUSE Factory allowed remote attackers that can change downloaded packages to overwrite arbitrary files. This issue affects: SUSE Linux Enterprise Module for Development Tools 15 osc versions prior to 0.169.1-3.20.1. SUSE Linux Enterprise Software Development Kit 12-SP5 osc versions prior to 0.162.1-15.9.1. SUSE Linux Enterprise Software Development Kit 12-SP4 osc versions prior to 0.162.1-15.9.1. openSUSE Leap 15.1 osc versions prior to 0.169.1-lp151.2.15.1. openSUSE Factory osc versions prior to 0.169.0 .
Published at: June 29, 2020 at 03:15PM
View on website

June 29, 2020 at 05:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19160

Reportexpress ProPlus contains a vulnerability that could allow an arbitrary code execution by inserted VBscript into the configure file(rxp).
Published at: June 29, 2020 at 05:15PM
View on website

June 29, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-18256

BIOTRONIK CardioMessenger II, The affected products use individual per-device credentials that are stored in a recoverable format. An attacker with physical access to the CardioMessenger can use these credentials for network authentication and decryption of local data in transit.
Published at: June 29, 2020 at 05:15PM
View on website

June 29, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-18254

BIOTRONIK CardioMessenger II, The affected products do not encrypt sensitive information while at rest. An attacker with physical access to the CardioMessenger can disclose medical measurement data and the serial number from the implanted cardiac device the CardioMessenger is paired with.
Published at: June 29, 2020 at 05:15PM
View on website

June 29, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-18252

BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure.
Published at: June 29, 2020 at 05:15PM
View on website

June 29, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-18248

BIOTRONIK CardioMessenger II, The affected products transmit credentials in clear-text prior to switching to an encrypted communication channel. An attacker can disclose the product’s client credentials for connecting to the BIOTRONIK Remote Communication infrastructure.
Published at: June 29, 2020 at 05:15PM
View on website

June 29, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-18246

BIOTRONIK CardioMessenger II, The affected products do not properly enforce mutual authentication with the BIOTRONIK Remote Communication infrastructure.
Published at: June 29, 2020 at 05:15PM
View on website

June 29, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-6446

A vulnerability in Brocade Network Advisor Version Before 14.3.1 could allow an unauthenticated, remote attacker to log in to the JBoss Administration interface of an affected system using an undocumented user credentials and install additional JEE applications.
Published at: June 29, 2020 at 09:15PM
View on website

June 29, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20416

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0.
Published at: June 30, 2020 at 06:15AM
View on website

June 30, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20415

Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0.
Published at: June 30, 2020 at 06:15AM
View on website

June 30, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-18922

It was discovered that websockets.c in LibVNCServer prior to 0.9.12 did not properly decode certain WebSocket frames. A malicious attacker could exploit this by sending specially crafted WebSocket frames to a server, causing a heap-based buffer overflow.
Published at: June 30, 2020 at 02:15PM
View on website

June 30, 2020 at 03:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20893

An issue was discovered in Activision Infinity Ward Call of Duty Modern Warfare 2 through 2019-12-11. PartyHost_HandleJoinPartyRequest has a buffer overflow vulnerability and can be exploited by using a crafted joinParty packet. This can be utilized to conduct arbitrary code execution on a victim's machine.
Published at: June 30, 2020 at 03:15PM
View on website

June 30, 2020 at 05:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19163

A Vulnerability in the firmware of COMMAX WallPad(CDP-1020MB) allow an unauthenticated adjacent attacker to execute arbitrary code, because of a using the old version of MySQL.
Published at: June 30, 2020 at 05:15PM
View on website

June 30, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19161

CyMiInstaller322 ActiveX which runs MIPLATFORM downloads files required to run applications. A vulnerability in downloading files by CyMiInstaller322 ActiveX caused by an attacker to download randomly generated DLL files and MIPLATFORM to load those DLLs due to insufficient verification.
Published at: June 30, 2020 at 05:15PM
View on website

June 30, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20408

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
Published at: July 01, 2020 at 05:15AM
View on website

July 01, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10379

In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer Overflows in libImaging/TiffDecode.c.
Published at: June 25, 2020 at 10:15PM
View on website

July 01, 2020 at 09:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10378

In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
Published at: June 25, 2020 at 10:15PM
View on website

July 01, 2020 at 09:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10177

Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds reads in libImaging/FliDecode.c.
Published at: June 25, 2020 at 10:15PM
View on website

July 01, 2020 at 09:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20892

net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request. NOTE: this affects net-snmp packages shipped to end users by multiple Linux distributions, but might not affect an upstream release.
Published at: June 25, 2020 at 01:15PM
View on website

July 01, 2020 at 09:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19506

Tenda PA6 Wi-Fi Powerline extender 1.0.1.21 is vulnerable to a denial of service, caused by an error in the "homeplugd" process. By sending a specially crafted UDP packet, an attacker could exploit this vulnerability to cause the device to reboot.
Published at: June 25, 2020 at 11:15PM
View on website

July 01, 2020 at 09:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19505

Tenda PA6 Wi-Fi Powerline extender 1.0.1.21 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the "Wireless" section in the web-UI. By sending a specially crafted hostname, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
Published at: June 25, 2020 at 11:15PM
View on website

July 01, 2020 at 09:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-16213

Tenda PA6 Wi-Fi Powerline extender 1.0.1.21 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially crafted string, an attacker could modify the device name of an attached PLC adapter to inject and execute arbitrary commands on the system with root privileges.
Published at: June 25, 2020 at 11:15PM
View on website

July 01, 2020 at 09:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-21268

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.
Published at: June 25, 2020 at 08:15PM
View on website

July 01, 2020 at 09:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20408

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
Published at: July 01, 2020 at 05:15AM
View on website

July 01, 2020 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10379

In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer Overflows in libImaging/TiffDecode.c.
Published at: June 25, 2020 at 10:15PM
View on website

July 01, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10378

In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
Published at: June 25, 2020 at 10:15PM
View on website

July 01, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10177

Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds reads in libImaging/FliDecode.c.
Published at: June 25, 2020 at 10:15PM
View on website

July 01, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20892

net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request. NOTE: this affects net-snmp packages shipped to end users by multiple Linux distributions, but might not affect an upstream release.
Published at: June 25, 2020 at 01:15PM
View on website

July 01, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19506

Tenda PA6 Wi-Fi Powerline extender 1.0.1.21 is vulnerable to a denial of service, caused by an error in the "homeplugd" process. By sending a specially crafted UDP packet, an attacker could exploit this vulnerability to cause the device to reboot.
Published at: June 25, 2020 at 11:15PM
View on website

July 01, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19505

Tenda PA6 Wi-Fi Powerline extender 1.0.1.21 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the "Wireless" section in the web-UI. By sending a specially crafted hostname, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
Published at: June 25, 2020 at 11:15PM
View on website

July 01, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-16213

Tenda PA6 Wi-Fi Powerline extender 1.0.1.21 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially crafted string, an attacker could modify the device name of an attached PLC adapter to inject and execute arbitrary commands on the system with root privileges.
Published at: June 25, 2020 at 11:15PM
View on website

July 01, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-21268

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.
Published at: June 25, 2020 at 08:15PM
View on website

July 01, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20408

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
Published at: July 01, 2020 at 05:15AM
View on website

July 01, 2020 at 02:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10379

In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer Overflows in libImaging/TiffDecode.c.
Published at: June 25, 2020 at 10:15PM
View on website

July 01, 2020 at 03:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10378

In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
Published at: June 25, 2020 at 10:15PM
View on website

July 01, 2020 at 03:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10177

Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds reads in libImaging/FliDecode.c.
Published at: June 25, 2020 at 10:15PM
View on website

July 01, 2020 at 03:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20892

net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request. NOTE: this affects net-snmp packages shipped to end users by multiple Linux distributions, but might not affect an upstream release.
Published at: June 25, 2020 at 01:15PM
View on website

July 01, 2020 at 03:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19506

Tenda PA6 Wi-Fi Powerline extender 1.0.1.21 is vulnerable to a denial of service, caused by an error in the "homeplugd" process. By sending a specially crafted UDP packet, an attacker could exploit this vulnerability to cause the device to reboot.
Published at: June 25, 2020 at 11:15PM
View on website

July 01, 2020 at 03:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19505

Tenda PA6 Wi-Fi Powerline extender 1.0.1.21 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the "Wireless" section in the web-UI. By sending a specially crafted hostname, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
Published at: June 25, 2020 at 11:15PM
View on website

July 01, 2020 at 03:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-16213

Tenda PA6 Wi-Fi Powerline extender 1.0.1.21 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially crafted string, an attacker could modify the device name of an attached PLC adapter to inject and execute arbitrary commands on the system with root privileges.
Published at: June 25, 2020 at 11:15PM
View on website

July 01, 2020 at 03:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-21268

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.
Published at: June 25, 2020 at 08:15PM
View on website

July 01, 2020 at 03:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20408

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
Published at: July 01, 2020 at 05:15AM
View on website

July 01, 2020 at 04:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10379

In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer Overflows in libImaging/TiffDecode.c.
Published at: June 25, 2020 at 10:15PM
View on website

July 01, 2020 at 05:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10378

In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
Published at: June 25, 2020 at 10:15PM
View on website

July 01, 2020 at 05:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10177

Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds reads in libImaging/FliDecode.c.
Published at: June 25, 2020 at 10:15PM
View on website

July 01, 2020 at 05:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20892

net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request. NOTE: this affects net-snmp packages shipped to end users by multiple Linux distributions, but might not affect an upstream release.
Published at: June 25, 2020 at 01:15PM
View on website

July 01, 2020 at 05:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19506

Tenda PA6 Wi-Fi Powerline extender 1.0.1.21 is vulnerable to a denial of service, caused by an error in the "homeplugd" process. By sending a specially crafted UDP packet, an attacker could exploit this vulnerability to cause the device to reboot.
Published at: June 25, 2020 at 11:15PM
View on website

July 01, 2020 at 05:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19505

Tenda PA6 Wi-Fi Powerline extender 1.0.1.21 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the "Wireless" section in the web-UI. By sending a specially crafted hostname, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
Published at: June 25, 2020 at 11:15PM
View on website

July 01, 2020 at 05:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-16213

Tenda PA6 Wi-Fi Powerline extender 1.0.1.21 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially crafted string, an attacker could modify the device name of an attached PLC adapter to inject and execute arbitrary commands on the system with root privileges.
Published at: June 25, 2020 at 11:15PM
View on website

July 01, 2020 at 05:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-21268

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.
Published at: June 25, 2020 at 08:15PM
View on website

July 01, 2020 at 05:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20408

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
Published at: July 01, 2020 at 05:15AM
View on website

July 01, 2020 at 06:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-4706

IBM Security Identity Manager Virtual Appliance 7.0.2 writes information to log files which can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. IBM X-Force ID: 172016.
Published at: July 01, 2020 at 06:15PM
View on website

July 01, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-4705

IBM Security Identity Manager Virtual Appliance 7.0.2 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 172015.
Published at: July 01, 2020 at 06:15PM
View on website

July 01, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-4704

IBM Security Identity Manager Virtual Appliance 7.0.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 172014.
Published at: July 01, 2020 at 06:15PM
View on website

July 01, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-4676

IBM Security Identity Manager Virtual Appliance 7.0.2 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 171512.
Published at: July 01, 2020 at 06:15PM
View on website

July 01, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-1712

"A vulnerability in the TLS protocol implementation of the Domino server could allow an unauthenticated, remote attacker to access sensitive information, aka a Return of Bleichenbacher's Oracle Threat (ROBOT) attack. An attacker could iteratively query a server running a vulnerable TLS stack implementation to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions."
Published at: July 01, 2020 at 05:15PM
View on website

July 01, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-1659

"HCL iNotes is susceptible to a Cross-Site Scripting (XSS) Vulnerability. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials."
Published at: July 01, 2020 at 05:15PM
View on website

July 01, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-15312

An issue was discovered on Zolo Halo devices via the Linkplay firmware. There is a Zolo Halo DNS rebinding attack. The device was found to be vulnerable to DNS rebinding. Combined with one of the many /httpapi.asp endpoint command-execution security issues, the DNS rebinding attack could allow an attacker to compromise the victim device from the Internet.
Published at: July 01, 2020 at 11:15PM
View on website

July 02, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-15311

An issue was discovered on Zolo Halo devices via the Linkplay firmware. There is Zolo Halo LAN remote code execution. The Zolo Halo Bluetooth speaker had a GoAhead web server listening on the port 80. The /httpapi.asp endpoint of the GoAhead web server was also vulnerable to multiple command execution vulnerabilities.
Published at: July 01, 2020 at 11:15PM
View on website

July 02, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-15310

An issue was discovered on various devices via the Linkplay firmware. There is WAN remote code execution without user interaction. An attacker could retrieve the AWS key from the firmware and obtain full control over Linkplay's AWS estate, including S3 buckets containing device firmware. When combined with an OS command injection vulnerability within the XML Parsing logic of the firmware update process, an attacker would be able to gain code execution on any device that attempted to update. Note that by default all devices tested had automatic updates enabled.
Published at: July 01, 2020 at 11:15PM
View on website

July 02, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20417

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate internal services via an Information Disclosure vulnerability. The vulnerability is only exploitable if WebSudo is disabled in Jira. The affected versions are before version 8.4.2.
Published at: July 02, 2020 at 04:15AM
View on website

July 02, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20894

Traefik 2.x, in certain configurations, allows HTTPS sessions to proceed without mutual TLS verification in a situation where ERR_BAD_SSL_CLIENT_AUTH_CERT should have occurred.
Published at: July 02, 2020 at 07:15PM
View on website

July 02, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20419

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to execute arbitrary code via a DLL hijacking vulnerability in Tomcat. The affected versions are before version 8.5.5, and from version 8.6.0 before 8.7.2.
Published at: July 03, 2020 at 05:15AM
View on website

July 03, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20418

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. The affected versions are before version 8.8.0.
Published at: July 03, 2020 at 04:15AM
View on website

July 03, 2020 at 08:36AM

via National Vulnerability Database


Няма коментари:

Публикуване на коментар