Tuesday, 25 May 2021

Weekly Digest: a new vulnerability is published on the National Vulnerability Database (22 items)

New vulnerabilities from the NVD: CVE-2019-16959

SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket.
Published at: December 21, 2020 at 06:15PM

December 21, 2020 at 07:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11717

An issue was discovered in Programi 014 31.01.2020. It has multiple SQL injection vulnerabilities.
Published at: December 21, 2020 at 11:15PM


New vulnerabilities from the NVD: CVE-2018-7580

Philips Hue is vulnerable to a Denial of Service attack. Sending a SYN flood on port tcp/80 will freeze Philips Hue's hub and it will stop responding. The "hub" will stop operating and be frozen until the flood stops. During the flood, the user won't be able to turn on/off the lights, and all of the hub's functionality will be unresponsive. The cloud service also won't work with the hub.
Published at: December 21, 2020 at 11:15PM


New vulnerabilities from the NVD: CVE-2019-11786

Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to modify translated terms, which may lead to arbitrary content modification on translatable elements.
Published at: December 22, 2020 at 07:15PM


New vulnerabilities from the NVD: CVE-2019-11785

Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records they were not given access to, and subscribe to receive future messages.
Published at: December 22, 2020 at 07:15PM


New vulnerabilities from the NVD: CVE-2019-11784

Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to.
Published at: December 22, 2020 at 07:15PM


New vulnerabilities from the NVD: CVE-2019-11783

Improper access control in mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to subscribe to arbitrary mail channels uninvited.
Published at: December 22, 2020 at 07:15PM


New vulnerabilities from the NVD: CVE-2019-11782

Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users with access to contact management to modify user accounts, leading to privilege escalation.
Published at: December 22, 2020 at 07:15PM


New vulnerabilities from the NVD: CVE-2019-11781

Improper input validation in portal component in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier, allows remote attackers to trick victims into modifying their account via crafted links, leading to privilege escalation.
Published at: December 22, 2020 at 07:15PM


New vulnerabilities from the NVD: CVE-2018-15645

Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which may allow privilege escalation.
Published at: December 22, 2020 at 07:15PM


New vulnerabilities from the NVD: CVE-2018-15641

Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes.
Published at: December 22, 2020 at 07:15PM


New vulnerabilities from the NVD: CVE-2018-15638

Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names.
Published at: December 22, 2020 at 07:15PM


New vulnerabilities from the NVD: CVE-2018-15634

Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link.
Published at: December 22, 2020 at 07:15PM


New vulnerabilities from the NVD: CVE-2018-15633

Cross-site scripting (XSS) issue in "document" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames.
Published at: December 22, 2020 at 07:15PM


New vulnerabilities from the NVD: CVE-2018-15632

Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they can connect with default credentials.
Published at: December 22, 2020 at 07:15PM


New vulnerabilities from the NVD: CVE-2020-11720

An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and possibly below. During the installation, it sets up administrative access by default with the account admin and password 0000. After the installation, users/admins are not prompted to change this password.
Published at: December 23, 2020 at 06:15PM


New vulnerabilities from the NVD: CVE-2020-11718

An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and below. Its software-update packages are downloaded via cleartext HTTP.
Published at: December 23, 2020 at 06:15PM


New vulnerabilities from the NVD: CVE-2020-11719

An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and possibly below. It relies on broken encryption with a weak and guessable static encryption key.
Published at: December 23, 2020 at 07:15PM


New vulnerabilities from the NVD: CVE-2018-1000893

Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when deserializing transactions.
Published at: December 23, 2020 at 07:15PM


New vulnerabilities from the NVD: CVE-2018-1000892

Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when receiving sendheaders messages.
Published at: December 23, 2020 at 07:15PM


New vulnerabilities from the NVD: CVE-2018-1000891

Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when receiving messages with invalid checksums.
Published at: December 23, 2020 at 07:15PM


New vulnerabilities from the NVD: CVE-2020-11093

Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is a lack of signature verification on a specific transaction, which enables an attacker to make certain unauthorized alterations to the ledger. Updating a DID with a nym transaction will be written to the ledger if neither ROLE nor VERKEY is being changed, regardless of sender. A malicious DID with no particular role can request an update for another DID (but cannot modify its verkey or role). This is bad because 1) any DID can write a nym transaction to the ledger (i.e., any DID can spam the ledger with nym transactions), 2) any DID can change any other DID's alias, and 3) the update transaction modifies the ledger metadata associated with a DID.
Published at: December 24, 2020 at 10:15PM

