четвъртък, 8 октомври 2020 г.

Weekly Update: a new vulnerability is published on the National Vulnerability Database (23 items)


New vulnerabilities from the NVD: CVE-2019-20898

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.
Published at: July 13, 2020 at 04:15AM
View on website

July 13, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20897

The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
Published at: July 13, 2020 at 04:15AM
View on website

July 13, 2020 at 08:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-19338

A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where, the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.
Published at: July 13, 2020 at 08:15PM
View on website

July 13, 2020 at 09:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-15886

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Published at: July 14, 2020 at 09:15PM
View on website

July 14, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-15885

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Published at: July 14, 2020 at 09:15PM
View on website

July 14, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-15884

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Published at: July 14, 2020 at 09:15PM
View on website

July 14, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-15883

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Published at: July 14, 2020 at 09:15PM
View on website

July 14, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-15882

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Published at: July 14, 2020 at 09:15PM
View on website

July 14, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-15881

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Published at: July 14, 2020 at 09:15PM
View on website

July 14, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-12784

An issue was discovered in Verint Impact 360 15.1. At wfo/control/signin, the login form can accept submissions from external websites. In conjunction with CVE-2019-12783, this can be used by attackers to "crowdsource" bruteforce login attempts on the target site, allowing them to guess and potentially compromise valid credentials without ever sending any traffic from their own machine to the target site.
Published at: July 14, 2020 at 11:15PM
View on website

July 15, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-12783

An issue was discovered in Verint Impact 360 15.1. At wfo/control/signin, the rd parameter can accept a URL, to which users will be redirected after a successful login. In conjunction with CVE-2019-12784, this can be used by attackers to "crowdsource" bruteforce login attempts on the target site, allowing them to guess and potentially compromise valid credentials without ever sending any traffic from their own machine to the target site.
Published at: July 14, 2020 at 11:15PM
View on website

July 15, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-12773

An issue was discovered in Verint Impact 360 15.1. At wfo/help/help_popup.jsp, the helpURL parameter can be changed to embed arbitrary content inside of an iFrame. Attackers may use this in conjunction with social engineering to embed malicious scripts or phishing pages on a site where this product is installed, given the attacker can convince a victim to visit a crafted link.
Published at: July 14, 2020 at 11:15PM
View on website

July 15, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-4748

IBM Jazz Team Server based Applications are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 173174.
Published at: July 16, 2020 at 06:15PM
View on website

July 16, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-4747

IBM Team Concert (RTC) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 172887.
Published at: July 16, 2020 at 06:15PM
View on website

July 16, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20915

An issue was discovered in GNU LibreDWG through 0.9.3. Crafted input will lead to a heap-based buffer over-read in bit_write_TF in bits.c.
Published at: July 16, 2020 at 09:15PM
View on website

July 16, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20914

An issue was discovered in GNU LibreDWG through 0.9.3. There is a NULL pointer dereference in the function dwg_encode_common_entity_handle_data in common_entity_handle_data.spec.
Published at: July 16, 2020 at 09:15PM
View on website

July 16, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20913

An issue was discovered in GNU LibreDWG through 0.9.3. Crafted input will lead to a heap-based buffer over-read in dwg_encode_entity in common_entity_data.spec.
Published at: July 16, 2020 at 09:15PM
View on website

July 16, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20912

An issue was discovered in GNU LibreDWG through 0.9.3. Crafted input will lead to a stack overflow in bits.c, possibly related to bit_read_TF.
Published at: July 16, 2020 at 09:15PM
View on website

July 16, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20911

An issue was discovered in GNU LibreDWG through 0.9.3. Crafted input will lead to denial of service in bit_calc_CRC in bits.c, related to a for loop.
Published at: July 16, 2020 at 09:15PM
View on website

July 16, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20910

An issue was discovered in GNU LibreDWG through 0.9.3. Crafted input will lead to a heap-based buffer over-read in decode_R13_R2000 in decode.c, a different vulnerability than CVE-2019-20011.
Published at: July 16, 2020 at 09:15PM
View on website

July 16, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-20909

An issue was discovered in GNU LibreDWG through 0.9.3. There is a NULL pointer dereference in the function dwg_encode_LWPOLYLINE in dwg.spec.
Published at: July 16, 2020 at 09:15PM
View on website

July 16, 2020 at 11:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-4090

"HCL Campaign is vulnerable to cross-site scripting when a user provides XSS scripts in Campaign Description field."
Published at: July 17, 2020 at 11:15PM
View on website

July 18, 2020 at 01:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-12000

HPE has found a potential Remote Access Restriction Bypass in HPE MSE Msg Gw application E-LTU prior to version 3.2 when HTTPS is used between the USSD and an external USSD service logic application. Update to version 3.2 and update the HTTPS configuration as described in the HPE MSE Messaging Gateway Configuration and Operations Guide.
Published at: July 18, 2020 at 01:15AM
View on website

July 18, 2020 at 08:36AM

via National Vulnerability Database


Няма коментари:

Публикуване на коментар