петък, 30 октомври 2020 г.

Weekly Update: a new vulnerability is published on the National Vulnerability Database (33 items)

New vulnerabilities from the NVD: CVE-2019-13633

Blinger.io v.1.0.2519 is vulnerable to Blind/Persistent XSS. An attacker can send arbitrary JavaScript code via a built-in communication channel, such as Telegram, WhatsApp, Viber, Skype, Facebook, Vkontakte, or Odnoklassniki. This is mishandled within the administration panel for conversations/all, conversations/inbox, conversations/unassigned, and conversations/closed.
Published at: October 19, 2020 at 11:15PM
View on website

October 20, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-4680

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.0.2.2 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 171733.
Published at: October 20, 2020 at 06:15PM
View on website

October 20, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-9080

DomainMOD before 4.14.0 uses MD5 without a salt for password storage.
Published at: October 20, 2020 at 11:15PM
View on website

October 21, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14736

Vulnerability in the Database Vault component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2 and 12.2.0.1. Easily exploitable vulnerability allows high privileged attacker having Create Public Synonym privilege with network access via Oracle Net to compromise Database Vault. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Database Vault accessible data as well as unauthorized read access to a subset of Database Vault accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).
Published at: October 21, 2020 at 06:15PM
View on website

October 21, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14735

Vulnerability in the Scheduler component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows low privileged attacker having Local Logon privilege with logon to the infrastructure where Scheduler executes to compromise Scheduler. While the vulnerability is in Scheduler, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Scheduler. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published at: October 21, 2020 at 06:15PM
View on website

October 21, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14734

Vulnerability in the Oracle Text component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Text. Successful attacks of this vulnerability can result in takeover of Oracle Text. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published at: October 21, 2020 at 06:15PM
View on website

October 21, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14732

Vulnerability in the Oracle Retail Customer Management and Segmentation Foundation product of Oracle Retail Applications (component: Promotions). The supported version that is affected is 19.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Retail Customer Management and Segmentation Foundation. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Retail Customer Management and Segmentation Foundation accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).
Published at: October 21, 2020 at 06:15PM
View on website

October 21, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14731

Vulnerability in the Oracle Retail Customer Management and Segmentation Foundation product of Oracle Retail Applications (component: Segment). Supported versions that are affected are 18.0 and 19.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Retail Customer Management and Segmentation Foundation. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Retail Customer Management and Segmentation Foundation accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).
Published at: October 21, 2020 at 06:15PM
View on website

October 21, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14672

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Published at: October 21, 2020 at 06:15PM
View on website

October 21, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10140

Acronis True Image 2021 fails to properly set ACLs of the C:\ProgramData\Acronis directory. Because some privileged processes are executed from the C:\ProgramData\Acronis, an unprivileged user can achieve arbitrary code execution with SYSTEM privileges by placing a DLL in one of several paths within C:\ProgramData\Acronis.
Published at: October 21, 2020 at 05:15PM
View on website

October 21, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10139

Acronis True Image 2021 includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. Acronis True Image contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.
Published at: October 21, 2020 at 05:15PM
View on website

October 21, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10138

Acronis Cyber Backup 12.5 and Cyber Protect 15 include an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. Acronis Cyber Backup and Cyber Protect contain a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.
Published at: October 21, 2020 at 05:15PM
View on website

October 21, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-11764

Web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured.
Published at: October 21, 2020 at 10:15PM
View on website

October 21, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-16129

Microchip CryptoAuthentication Library CryptoAuthLib prior to 20191122 has a Buffer Overflow (issue 2 of 2).
Published at: October 22, 2020 at 10:15PM
View on website

October 22, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-16127

Atmel Advanced Software Framework (ASF) 4 has an Integer Overflow.
Published at: October 22, 2020 at 10:15PM
View on website

October 22, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13327

An issue has been discovered in GitLab Runner affecting all versions starting from 13.4.0 before 13.4.2, all versions starting from 13.3.0 before 13.3.7, all versions starting from 13.2.0 before 13.2.10. Insecure Runner Configuration in Kubernetes Environments
Published at: October 23, 2020 at 12:15AM
View on website

October 23, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11853

An arbitrary code execution vulnerability exists in Micro Focus Operation Bridge Manager 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, versions 10.6x and 10.1x and older versions. The vulnerability could allow remote attackers to execute arbitrary code.
Published at: October 23, 2020 at 12:15AM
View on website

October 23, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-10721

A flaw was found in the fabric8-maven-plugin 4.0.0 and later. When using a wildfly-swarm or thorntail custom configuration, a malicious YAML configuration file on the local machine executing the maven plug-in could allow for deserialization of untrusted data resulting in arbitrary code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Published at: October 22, 2020 at 11:15PM
View on website

October 23, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-17007

In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service.
Published at: October 23, 2020 at 12:15AM
View on website

October 23, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-17006

In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow.
Published at: October 23, 2020 at 12:15AM
View on website

October 23, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-16128

Microchip CryptoAuthentication Library CryptoAuthLib prior to 20191122 has a Buffer Overflow (issue 1 of 2).
Published at: October 22, 2020 at 11:15PM
View on website

October 23, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-18508

In Network Security Services (NSS) before 3.36.7 and before 3.41.1, a malformed signature can cause a crash due to a null dereference, resulting in a Denial of Service.
Published at: October 23, 2020 at 12:15AM
View on website

October 23, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-21267

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: October 23, 2020 at 01:15AM
View on website

October 23, 2020 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-21266

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Published at: October 23, 2020 at 01:15AM
View on website

October 23, 2020 at 03:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14719

Verifone MX900 series Pinpad Payment Terminals with OS 30251000 allow multiple arbitrary command injections, as demonstrated by the file manager.
Published at: October 23, 2020 at 08:15AM
View on website

October 23, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14718

Verifone MX900 series Pinpad Payment Terminals with OS 30251000 have Insecure Permissions, with resultant svc_netcontrol arbitrary command injection and privilege escalation.
Published at: October 23, 2020 at 08:15AM
View on website

October 23, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14717

Verifone Verix OS on VerixV Pinpad Payment Terminals with QT000530 have a Buffer Overflow via the Run system call.
Published at: October 23, 2020 at 08:15AM
View on website

October 23, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14716

Verifone VerixV Pinpad Payment Terminals with QT000530 have an undocumented physical access mode (aka VerixV shell.out).
Published at: October 23, 2020 at 08:15AM
View on website

October 23, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14715

Verifone Pinpad Payment Terminals allow undocumented physical access to the system via an SBI bootloader memory write operation.
Published at: October 23, 2020 at 08:15AM
View on website

October 23, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14713

Verifone MX900 series Pinpad Payment Terminals with OS 30251000 allow installation of unsigned packages.
Published at: October 23, 2020 at 08:15AM
View on website

October 23, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14712

Verifone VerixV Pinpad Payment Terminals with QT000530 allow bypass of integrity and origin control for S1G file generation.
Published at: October 23, 2020 at 08:15AM
View on website

October 23, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14711

Verifone MX900 series Pinpad Payment Terminals with OS 30251000 have a race condition for RBAC bypass.
Published at: October 23, 2020 at 08:15AM
View on website

October 23, 2020 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2018-8062

A cross-site scripting (XSS) vulnerability on Comtrend AR-5387un devices with A731-410JAZ-C04_R02.A2pD035g.d23i firmware allows remote attackers to inject arbitrary web script or HTML via the Service Description parameter while creating a WAN service.
Published at: October 23, 2020 at 08:15AM
View on website

October 23, 2020 at 01:36PM

via National Vulnerability Database


Няма коментари:

Публикуване на коментар