Friday, 28 May 2021

Weekly Digest: a new vulnerability is published on the National Vulnerability Database (30 items)

New vulnerabilities from the NVD: CVE-2020-13922

Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another user's password through the API interface.
Published at: January 11, 2021 at 12:15PM

January 11, 2021 at 01:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11995

A deserialization vulnerability existed in Dubbo 2.7.5 and earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol. While Hessian2 deserializes a HashMap object, some functions of the classes stored in the HashMap are executed after a series of program calls, and those special functions may cause remote command execution. For example, the hashCode() function of the EqualsBean class in rome-1.7.0.jar causes malicious classes to be loaded remotely and malicious code to be executed when a malicious request is constructed. This issue was fixed in Apache Dubbo 2.6.9 and 2.7.8.
Published at: January 11, 2021 at 12:15PM
January 11, 2021 at 01:36PM


New vulnerabilities from the NVD: CVE-2019-3405

In 360F5 version 3.1.3.64296 and lower, a third party can trigger the device to send a deauth frame by constructing and sending a specific illegal 802.11 Null Data Frame, which causes other wireless terminals connected to it to disconnect from the wireless network, resulting in a DoS attack against the router's wireless service. At present, the vulnerability has been effectively handled, and users can fix the vulnerability by updating the firmware version.
Published at: January 11, 2021 at 06:15PM
January 11, 2021 at 07:36PM


New vulnerabilities from the NVD: CVE-2018-9333

K7Computing Pvt Ltd K7AntiVirus Premium 15.1.0.53 is affected by: Buffer Overflow. The impact is: execute arbitrary code (local). The component is: K7TSMngr.exe.
Published at: January 11, 2021 at 06:15PM
January 11, 2021 at 07:36PM


New vulnerabilities from the NVD: CVE-2018-9332

K7Computing Pvt Ltd K7AntiVirus Premium 15.01.00.53 is affected by: Incorrect Access Control. The impact is: gain privileges (local).
Published at: January 11, 2021 at 06:15PM
January 11, 2021 at 07:36PM


New vulnerabilities from the NVD: CVE-2018-8726

K7Computing Pvt Ltd K7Antivirus Premium 15.1.0.53 is affected by: Buffer Overflow. The impact is: execute arbitrary code (local). The component is: K7TSMngr.exe.
Published at: January 11, 2021 at 06:15PM
January 11, 2021 at 07:36PM


New vulnerabilities from the NVD: CVE-2018-8725

K7Computing Pvt Ltd K7AntiVirus Premium 15.01.00.53 is affected by: Buffer Overflow. The impact is: execute arbitrary code (local). The component is: K7TSMngr.exe.
Published at: January 11, 2021 at 06:15PM
January 11, 2021 at 07:36PM


New vulnerabilities from the NVD: CVE-2018-8724

K7Computing Pvt Ltd K7AntiVirus Premium 15.1.0.53 is affected by: Incorrect Access Control. The impact is: gain privileges (local). The component is: K7TSMngr.exe.
Published at: January 11, 2021 at 06:15PM
January 11, 2021 at 07:36PM


New vulnerabilities from the NVD: CVE-2018-8044

K7Computing Pvt Ltd K7Antivirus Premium 15.1.0.53 is affected by: Incorrect Access Control. The impact is: Local Process Execution (local). The component is: K7Sentry.sys.
Published at: January 11, 2021 at 06:15PM
January 11, 2021 at 07:36PM


New vulnerabilities from the NVD: CVE-2018-11246

K7TSMngr.exe in K7Computing K7AntiVirus Premium 15.1.0.53 has a Memory Leak.
Published at: January 11, 2021 at 06:15PM
January 11, 2021 at 07:36PM


New vulnerabilities from the NVD: CVE-2018-11010

A Buffer Overflow issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53.
Published at: January 11, 2021 at 06:15PM
January 11, 2021 at 07:36PM


New vulnerabilities from the NVD: CVE-2018-11009

A Buffer Overflow issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53.
Published at: January 11, 2021 at 06:15PM
January 11, 2021 at 07:36PM


New vulnerabilities from the NVD: CVE-2018-11008

An Incorrect Access Control issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53.
Published at: January 11, 2021 at 06:15PM
January 11, 2021 at 07:36PM


New vulnerabilities from the NVD: CVE-2018-11007

A Memory Leak issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53.
Published at: January 11, 2021 at 06:15PM
January 11, 2021 at 07:36PM


New vulnerabilities from the NVD: CVE-2018-11006

An Incorrect Access Control issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53.
Published at: January 11, 2021 at 06:15PM
January 11, 2021 at 07:36PM


New vulnerabilities from the NVD: CVE-2018-11005

A Memory Leak issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53.
Published at: January 11, 2021 at 06:15PM
January 11, 2021 at 07:36PM


New vulnerabilities from the NVD: CVE-2020-13116

OpenText Carbonite Server Backup Portal before 8.8.7 allows XSS by an authenticated user via policy creation.
Published at: January 12, 2021 at 09:15PM
January 12, 2021 at 11:36PM


New vulnerabilities from the NVD: CVE-2020-15221

Combodo iTop is a web-based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, by modifying the target browser's local storage, an XSS can be generated in the iTop console breadcrumb. This is fixed in versions 2.7.2 and 3.0.0.
Published at: January 13, 2021 at 07:15PM
January 13, 2021 at 09:36PM


New vulnerabilities from the NVD: CVE-2020-15220

Combodo iTop is a web-based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, two cookies are created for the same session, which makes it possible to steal a user's session. This is fixed in versions 2.7.2 and 3.0.0.
Published at: January 13, 2021 at 07:15PM
January 13, 2021 at 09:36PM


New vulnerabilities from the NVD: CVE-2020-15219

Combodo iTop is a web-based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, when a download error is triggered in the user portal, an SQL query is displayed to the user. This is fixed in versions 2.7.2 and 3.0.0.
Published at: January 13, 2021 at 07:15PM
January 13, 2021 at 09:36PM


New vulnerabilities from the NVD: CVE-2020-15218

Combodo iTop is a web-based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, admin pages are cached, so their content remains visible after logging out by using the browser back button. This is fixed in versions 2.7.2 and 3.0.0.
Published at: January 13, 2021 at 07:15PM
January 13, 2021 at 09:36PM


New vulnerabilities from the NVD: CVE-2019-4702

IBM Security Guardium Data Encryption (GDE) 3.0.0.2 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Published at: January 13, 2021 at 08:15PM
January 13, 2021 at 09:36PM


New vulnerabilities from the NVD: CVE-2019-4687

IBM Security Guardium Data Encryption (GDE) 3.0.0.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 171823.
Published at: January 13, 2021 at 08:15PM
January 13, 2021 at 09:36PM


New vulnerabilities from the NVD: CVE-2019-4160

IBM Security Guardium Data Encryption (GDE) 3.0.0.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 158577.
Published at: January 13, 2021 at 08:15PM
January 13, 2021 at 09:36PM


New vulnerabilities from the NVD: CVE-2020-14102

There is command injection when ddns processes the hostname, which allows the administrator user to obtain root privileges on the router. This affects Xiaomi router AX1800 ROM version < 1.0.336 and Xiaomi router RM1800 ROM version < 1.0.26.
Published at: January 14, 2021 at 01:15AM
January 14, 2021 at 03:36AM


New vulnerabilities from the NVD: CVE-2020-14101

The data collection SDK of the router web management interface leaks the token. This affects Xiaomi router AX1800 ROM version < 1.0.336 and Xiaomi router RM1800 ROM version < 1.0.26.
Published at: January 14, 2021 at 01:15AM
January 14, 2021 at 03:36AM


New vulnerabilities from the NVD: CVE-2020-14098

The login verification can be bypassed because the time is not synchronized after the router restarts. This affects Xiaomi router AX1800 ROM version < 1.0.336 and Xiaomi router RM1800 ROM version < 1.0.26.
Published at: January 14, 2021 at 01:15AM
January 14, 2021 at 03:36AM


New vulnerabilities from the NVD: CVE-2020-14097

An incorrect nginx configuration allows specific paths to be downloaded without authorization. This affects Xiaomi router AX6 ROM version < 1.0.18.
Published at: January 14, 2021 at 01:15AM
January 14, 2021 at 03:36AM


New vulnerabilities from the NVD: CVE-2013-1053

In crypt.c of remote-login-service, the cryptographic algorithm used to cache usernames and passwords is insecure. An attacker could use this vulnerability to recover usernames and passwords from the file. This issue affects version 1.0.0-0ubuntu3 and prior versions.
Published at: January 14, 2021 at 01:15AM
January 14, 2021 at 03:36AM


New vulnerabilities from the NVD: CVE-2019-16961

SolarWinds Web Help Desk 12.7.0 allows XSS via a Schedule Name.
Published at: January 15, 2021 at 04:15PM
January 15, 2021 at 05:36PM
