събота, 5 юни 2021 г.

Weekly Digest: a new vulnerability is published on the National Vulnerability Database (64 items)

New vulnerabilities from the NVD: CVE-2020-28385

A vulnerability has been identified in Solid Edge SE2020 (All Versions < SE2020MP13), Solid Edge SE2021 (All Versions < SE2021MP3), Solid Edge SE2021 (SE2021MP3). Affected applications lack proper validation of user-supplied data when parsing DFT files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-12049)
Published at: March 15, 2021 at 07:15PM
View on website

March 15, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25241

A vulnerability has been identified in SIMATIC MV400 family (All Versions < V7.0.6). The underlying TCP stack of the affected products does not correctly validate the sequence number for incoming TCP RST packages. An attacker could exploit this to terminate arbitrary TCP sessions.
Published at: March 15, 2021 at 07:15PM
View on website

March 15, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25240

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0). Unpriviledged users can access services when guessing the url. An attacker could impact availability, integrity and gain information from logs and templates of the service.
Published at: March 15, 2021 at 07:15PM
View on website

March 15, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25239

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0). The webserver could allow unauthorized actions via special urls for unpriviledged users. The settings of the UMC authorization server could be changed to add a rogue server by an attacker authenticating with unprivilege user rights.
Published at: March 15, 2021 at 07:15PM
View on website

March 15, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-25236

A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions). The control logic (CL) the LOGO! 8 executes could be manipulated in a way that could cause the device executing the CL to improperly handle the manipulation and crash. After successful execution of the attack, the device needs to be manually reset.
Published at: March 15, 2021 at 07:15PM
View on website

March 15, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-24877

A SQL injection vulnerability in zzzphp v1.8.0 through /form/index.php?module=getjson may lead to a possible access restriction bypass.
Published at: March 15, 2021 at 07:15PM
View on website

March 15, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-24985

An issue was discovered in Quadbase EspressReports ES 7 Update 9. An authenticated user is able to navigate to the MenuPage section of the application, and change the frmsrc parameter value to retrieve and execute external files or payloads.
Published at: March 15, 2021 at 08:15PM
View on website

March 15, 2021 at 10:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-24982

An issue was discovered in Quadbase ExpressDashboard (EDAB) 7 Update 9. It allows CSRF. An attacker may be able to trick an authenticated user into changing the email address associated with their account.
Published at: March 15, 2021 at 08:15PM
View on website

March 15, 2021 at 10:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-1926

Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8
Published at: March 16, 2021 at 03:15PM
View on website

March 16, 2021 at 04:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-24264

Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover.
Published at: March 16, 2021 at 05:15PM
View on website

March 16, 2021 at 06:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-24263

Portainer 1.24.1 and earlier is affected by an insecure permissions vulnerability that may lead to remote arbitrary code execution. A non-admin user is allowed to spawn new containers with critical capabilities such as SYS_MODULE, which can be used to take over the Docker host.
Published at: March 16, 2021 at 05:15PM
View on website

March 16, 2021 at 06:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-28899

The Web CGI Script on ZyXEL LTE4506-M606 V1.00(ABDO.2)C0 devices does not require authentication, which allows remote unauthenticated attackers (via crafted JSON action data to /cgi-bin/gui.cgi) to use all features provided by the router. Examples: change the router password, retrieve the Wi-Fi passphrase, send an SMS message, or modify the IP forwarding to access the internal network.
Published at: March 16, 2021 at 07:15PM
View on website

March 16, 2021 at 08:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-3903

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Published at: March 17, 2021 at 12:15AM
View on website

March 17, 2021 at 02:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-3898

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Published at: March 17, 2021 at 12:15AM
View on website

March 17, 2021 at 02:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-3897

It has been discovered in redhat-certification that any unauthorized user may download any file under /var/www/rhcert, provided they know its name. Red Hat Certification 6 and 7 is vulnerable to this issue.
Published at: March 17, 2021 at 12:15AM
View on website

March 17, 2021 at 02:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-3853

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Published at: March 17, 2021 at 12:15AM
View on website

March 17, 2021 at 02:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-13924

In Apache Ambari versions 2.6.2.2 and earlier, malicious users can construct file names for directory traversal and traverse to other directories to download files.
Published at: March 17, 2021 at 11:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11309

Use after free in GPU driver while mapping the user memory to GPU memory due to improper check of referenced memory in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11308

Buffer overflow occurs when trying to convert ASCII string to Unicode string if the actual size is more than required in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11305

Integer overflow in boot due to improper length check on arguments received in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11299

Buffer overflow can occur in video while playing the non-standard clip in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11290

Use after free condition in msm ioctl events due to race between the ioctl register and deregister events in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11230

Potential arbitrary memory corruption when the qseecom driver updates ion physical addresses in the buffer as it exposes a physical address to user land in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11228

Part of RPM region was not protected from xblSec itself due to improper policy and leads to unprivileged access in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11227

Out of bound write while parsing RTT/TTY packet parsing due to lack of check of buffer size before copying into buffer in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11226

Out of bound memory read in Data modem while unpacking data due to lack of offset length check in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11222

Buffer over read while processing MT SMS with maximum length due to improper length check in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11221

Usage of syscall by non-secure entity can allow extraction of secure QTEE diagnostic information in clear text form due to insufficient checks in the syscall handler and leads to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11220

While processing storage SCM commands there is a time of check or time of use window where a pointer used could be invalid at a specific time while executing the storage SCM call in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11218

Denial of service in baseband when NW configures LTE betaOffset-RI-Index due to lack of data validation in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11199

HLOS to access EL3 stack canary by just mapping imem region due to Improper access control and can lead to information exposure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11192

Out of bound write while parsing SDP string due to missing check on null termination in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11190

Buffer over-read can happen while parsing received SDP values due to lack of NULL termination check on SDP in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11189

Buffer over-read can happen while parsing received SDP values due to lack of NULL termination check on SDP in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11188

Buffer over-read can happen while parsing received SDP values due to lack of NULL termination check on SDP in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11186

Modem will enter into busy mode in an infinite loop while parsing histogram dimension due to improper validation of input received in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11171

Buffer over-read can happen while parsing received SDP values due to lack of NULL termination check on SDP in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-11166

Potential out of bound read exception when UE receives unusually large number of padding octets in the beginning of ROHC header in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2017-20002

The Debian shadow package before 4.5-1 for Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty. This allows local users to login as password-less users even if they are connected by non-physical means such as SSH (hence bypassing PAM's nullok_secure configuration). This notably affects environments such as virtual machines automatically generated with a default blank root password, allowing all local users to escalate privileges.
Published at: March 17, 2021 at 08:15AM
View on website

March 17, 2021 at 12:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-17525

Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL. This can lead to disruption for users of the service. This issue was fixed in mod_dav_svn+mod_authz_svn servers 1.14.1 and mod_dav_svn+mod_authz_svn servers 1.10.7
Published at: March 17, 2021 at 12:15PM
View on website

March 17, 2021 at 02:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-15285

** REJECT ** Unused CVE for 2020.
Published at: March 17, 2021 at 03:15PM
View on website

March 17, 2021 at 04:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-15282

** REJECT ** Unused CVE for 2020.
Published at: March 17, 2021 at 03:15PM
View on website

March 17, 2021 at 04:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-15281

** REJECT ** Unused CVE for 2020.
Published at: March 17, 2021 at 03:15PM
View on website

March 17, 2021 at 04:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-14358

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Published at: March 17, 2021 at 05:15PM
View on website

March 17, 2021 at 06:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-18235

Advantech Spectre RT ERT351 Versions 5.1.3 and prior has insufficient login authentication parameters required for the web application may allow an attacker to gain full access using a brute-force password attack.
Published at: March 17, 2021 at 09:15PM
View on website

March 17, 2021 at 10:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-18233

In Advantech Spectre RT Industrial Routers ERT351 5.1.3 and prior, the affected product does not neutralize special characters in the error response, allowing attackers to use a reflected XSS attack.
Published at: March 17, 2021 at 09:15PM
View on website

March 17, 2021 at 10:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-18231

Advantech Spectre RT ERT351 Versions 5.1.3 and prior logins and passwords are transmitted in clear text form, which may allow an attacker to intercept the request.
Published at: March 17, 2021 at 09:15PM
View on website

March 17, 2021 at 10:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-3867

A vulnerability was found in the Quay web application. Sessions in the Quay web application never expire. An attacker, able to gain access to a session, could use it to control or delete a user's container repository. Red Hat Quay 2 and 3 are vulnerable to this issue.
Published at: March 18, 2021 at 09:15PM
View on website

March 18, 2021 at 10:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14908

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Published at: March 18, 2021 at 09:15PM
View on website

March 18, 2021 at 10:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14903

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Published at: March 18, 2021 at 09:15PM
View on website

March 18, 2021 at 10:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14850

A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.14.1 and 1.15.1. An attacker could connect to the nbdkit service and cause it to perform a large amount of work in initializing backend plugins, by simply opening a connection to the service. This vulnerability could cause resource consumption and degradation of service in nbdkit, depending on the plugins configured on the server-side.
Published at: March 18, 2021 at 09:15PM
View on website

March 18, 2021 at 10:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14848

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Published at: March 18, 2021 at 09:15PM
View on website

March 18, 2021 at 10:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14852

A flaw was found in 3scale’s APIcast gateway that enabled the TLS 1.0 protocol. An attacker could target traffic using this weaker protocol and break its encryption, gaining access to unauthorized information. Version shipped in Red Hat 3scale API Management Platform is vulnerable to this issue.
Published at: March 18, 2021 at 10:15PM
View on website

March 19, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14851

A denial of service vulnerability was discovered in nbdkit. A client issuing a certain sequence of commands could possibly trigger an assertion failure, causing nbdkit to exit. This issue only affected nbdkit versions 1.12.7, 1.14.1, and 1.15.1.
Published at: March 18, 2021 at 10:15PM
View on website

March 19, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-10127

A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for BigSQL-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. An attacker having only the unprivileged Windows account can read arbitrary data directory files, essentially bypassing database-imposed read access limitations. An attacker having only the unprivileged Windows account can also delete certain data directory files.
Published at: March 19, 2021 at 09:15PM
View on website

March 19, 2021 at 10:36PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14831

A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where forum subscribe link contained an open redirect if forced subscription mode was enabled. If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect.
Published at: March 19, 2021 at 11:15PM
View on website

March 20, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14830

A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").
Published at: March 19, 2021 at 11:15PM
View on website

March 20, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14829

A vulnerability was found in Moodle affection 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions where activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode.
Published at: March 19, 2021 at 11:15PM
View on website

March 20, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-14828

A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.
Published at: March 19, 2021 at 11:15PM
View on website

March 20, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-10225

A flaw was found in atomic-openshift of openshift-4.2 where the basic-user RABC role in OpenShift Container Platform doesn't sufficiently protect the GlusterFS StorageClass against leaking of the restuserkey. An attacker with basic-user permissions is able to obtain the value of restuserkey, and use it to authenticate to the GlusterFS REST service, gaining access to read, and modify files.
Published at: March 19, 2021 at 11:15PM
View on website

March 20, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-10200

A flaw was discovered in OpenShift Container Platform 4 where, by default, users with access to create pods also have the ability to schedule workloads on master nodes. Pods with permission to access the host network, running on master nodes, can retrieve security credentials for the master AWS IAM role, allowing management access to AWS resources. With access to the security credentials, the user then has access to the entire infrastructure. Impact to data and system availability is high.
Published at: March 19, 2021 at 11:15PM
View on website

March 20, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-10196

A flaw was found in http-proxy-agent, prior to version 2.1.0. It was discovered http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter.
Published at: March 19, 2021 at 10:15PM
View on website

March 20, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-10151

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Published at: March 19, 2021 at 10:15PM
View on website

March 20, 2021 at 12:36AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2019-10128

A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for EnterpriseDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code.
Published at: March 19, 2021 at 10:15PM
View on website

March 20, 2021 at 12:36AM

via National Vulnerability Database


Няма коментари:

Публикуване на коментар