понеделник, 26 октомври 2020 г.

Weekly Update: a new vulnerability is published on the National Vulnerability Database (33 items)

New vulnerabilities from the NVD: CVE-2017-18924

** DISPUTED ** oauth2-server (aka node-oauth2-server) through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not misleading and I also therefore wouldn't describe this as a "vulnerability" with the library per se.'
Published at: October 04, 2020 at 08:15AM
View on website

October 04, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-12302

Improper permissions in the Intel(R) Driver & Support Assistant before version 20.7.26.7 may allow an authenticated user to potentially enable escalation of privilege via local access.
Published at: October 05, 2020 at 05:15PM
View on website

October 05, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-0571

Improper conditions check in BIOS firmware for 8th Generation Intel(R) Core(TM) Processors and Intel(R) Pentium(R) Silver Processor Series may allow an authenticated user to potentially enable information disclosure via local access.
Published at: October 05, 2020 at 05:15PM
View on website

October 05, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14558

Insufficient control flow management in BIOS firmware for 8th, 9th, 10th Generation Intel(R) Core(TM), Intel(R) Celeron(R) Processor 4000 & 5000 Series Processors may allow an authenticated user to potentially enable denial of service via adjacent access.
Published at: October 05, 2020 at 05:15PM
View on website

October 05, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14557

Buffer overflow in BIOS firmware for 8th, 9th, 10th Generation Intel(R) Core(TM), Intel(R) Celeron(R) Processor 4000 & 5000 Series Processors may allow an authenticated user to potentially enable elevation of privilege or denial of service via adjacent access.
Published at: October 05, 2020 at 05:15PM
View on website

October 05, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14556

Improper initialization in BIOS firmware for 8th, 9th, 10th Generation Intel(R) Core(TM), Intel(R) Celeron(R) Processor 4000 & 5000 Series Processors may allow a privileged user to potentially enable denial of service via local access.
Published at: October 05, 2020 at 05:15PM
View on website

October 05, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-1999-0199

manual/search.texi in the GNU C Library (aka glibc) before 2.2 lacks a statement about the unspecified tdelete return value upon deletion of a tree's root, which might allow attackers to access a dangling pointer in an application whose developer was unaware of a documentation update from 1999.
Published at: October 06, 2020 at 04:15PM
View on website

October 06, 2020 at 05:38PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19200

REDDOXX MailDepot 2032 2.2.1242 allows authenticated users to access the mailboxes of other users.
Published at: October 06, 2020 at 06:15PM
View on website

October 06, 2020 at 07:38PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-4725

IBM Security Access Manager Appliance 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 172131.
Published at: October 06, 2020 at 07:15PM
View on website

October 06, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13345

An issue has been discovered in GitLab affecting all versions starting from 10.8. Reflected XSS on Multiple Routes
Published at: October 06, 2020 at 10:15PM
View on website

October 06, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13343

An issue has been discovered in GitLab affecting all versions starting from 11.2. Unauthorized Users Can View Custom Project Template
Published at: October 06, 2020 at 10:15PM
View on website

October 06, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13333

A potential DOS vulnerability was discovered in GitLab versions 13.1, 13.2 and 13.3. The api to update an asset as a link from a release had a regex check which caused exponential number of backtracks for certain user supplied values resulting in high CPU usage.
Published at: October 06, 2020 at 10:15PM
View on website

October 06, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-4326

"HCL AppScan Enterprise security rules update administration section of the web application console is missing HTTP Strict-Transport-Security Header."
Published at: October 06, 2020 at 09:15PM
View on website

October 06, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-4325

"HCL AppScan Enterprise makes use of broken or risky cryptographic algorithm to store REST API user details."
Published at: October 06, 2020 at 09:15PM
View on website

October 06, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14183

Affected versions of Jira Server & Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance's Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the HTTP Response headers. The affected versions are before version 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before 8.12.1.
Published at: October 07, 2020 at 02:15AM
View on website

October 07, 2020 at 03:38AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13347

A command injection vulnerability was discovered in Gitlab runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a docker executor, which allows the attacker to run arbitrary commands on Windows host, via DOCKER_AUTH_CONFIG build variable.
Published at: October 07, 2020 at 05:15PM
View on website

October 07, 2020 at 07:38PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13346

Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API.
Published at: October 07, 2020 at 05:15PM
View on website

October 07, 2020 at 07:38PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13335

Improper group membership validation when deleting a user account in GitLab >=7.12 allows a user to delete own account without deleting/transferring their group.
Published at: October 07, 2020 at 05:15PM
View on website

October 07, 2020 at 07:38PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13334

In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, improper authorization checks allow a non-member of a project/group to change the confidentiality attribute of issue via mutation GraphQL query
Published at: October 07, 2020 at 05:15PM
View on website

October 07, 2020 at 07:38PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13332

Improper access expiration date validation in GitLab version >=8.11.0-rc6+ allows user to have access to projects with expiration.
Published at: October 07, 2020 at 05:15PM
View on website

October 07, 2020 at 07:38PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13342

An issue has been discovered in GitLab affecting versions prior to 13.2.10, 13.3.7 and 13.4.2: Lack of Rate Limiting at Re-Sending Confirmation Email
Published at: October 07, 2020 at 07:15PM
View on website

October 07, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11800

Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code.
Published at: October 07, 2020 at 07:15PM
View on website

October 07, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-16160

An integer underflow in the SMB server of MikroTik RouterOS before 6.45.5 allows remote unauthenticated attackers to crash the service.
Published at: October 07, 2020 at 07:15PM
View on website

October 07, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-7380

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: October 08, 2020 at 01:15AM
View on website

October 08, 2020 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2015-7379

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Published at: October 08, 2020 at 01:15AM
View on website

October 08, 2020 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13344

An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Sessions keys are stored in plain-text in Redis which allows attacker with Redis access to authenticate as any user that has a session stored in Redis
Published at: October 08, 2020 at 05:15PM
View on website

October 08, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13340

An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2: Stored XSS in CI Job Log
Published at: October 08, 2020 at 05:15PM
View on website

October 08, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13339

An issue has been discovered in GitLab affecting all versions before 13.2.10, 13.3.7 and 13.4.2: XSS in SVG File Preview. Overall impact is limited due to the current user only being impacted.
Published at: October 08, 2020 at 05:15PM
View on website

October 08, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-12401

During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
Published at: October 08, 2020 at 05:15PM
View on website

October 08, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-12400

When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
Published at: October 08, 2020 at 05:15PM
View on website

October 08, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-4545

IBM QRadar SIEM 7.3 and 7.4 when configured to use Active Directory Authentication may be susceptible to spoofing attacks. IBM X-Force ID: 165877.
Published at: October 08, 2020 at 05:15PM
View on website

October 08, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10816

Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet.
Published at: October 08, 2020 at 08:15PM
View on website

October 08, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19115

An escalation of privilege vulnerability in Nahimic APO Software Component Driver 1.4.2, 1.5.0, 1.5.1, 1.6.1 and 1.6.2 allows an attacker to execute code with SYSTEM privileges.
Published at: October 09, 2020 at 01:15AM
View on website

October 09, 2020 at 03:36AM

via National Vulnerability Database


Няма коментари:

Публикуване на коментар