Weekly Update: a new vulnerability is published on the National Vulnerability Database (62 items)

New vulnerabilities from the NVD: CVE-2020-22650 A memory leak vulnerability in sim-organizer.c of AlienVault Ossim v5 causes a denial of service (DOS) via a system crash triggered by the occurrence of a large number of alarm events. Published at: July 19, 2021 at 08:15PM View on website July 19, 2021 at 09:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-20230 Mikrotik RouterOs before stable 6.47 suffers from an uncontrolled resource consumption in the sshd process. An authenticated remote attacker can cause a Denial of Service due to overloading the systems CPU. Published at: July 19, 2021 at 08:15PM View on website July 19, 2021 at 09:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-22741 An issue was discovered in Xuperchain 3.6.0 that allows for attackers to recover any arbitrary users' private key after obtaining the partial signature in multisignature. Published at: July 19, 2021 at 10:15PM View on website July 20, 2021 at 12:12AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-20249 Mikrotik RouterOs before stable 6.47 suffers from a memory corruption vulnerability in the resolver process. By sending a crafted packet, an authenticated remote attacker can cause a Denial of Service. Published at: July 19, 2021 at 09:15PM View on website July 20, 2021 at 12:12AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-20248 Mikrotik RouterOs before stable 6.47 suffers from an uncontrolled resource consumption in the memtest process. An authenticated remote attacker can cause a Denial of Service due to overloading the systems CPU. Published at: July 19, 2021 at 09:15PM View on website July 20, 2021 at 12:12AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2019-25051 objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::dup_top (called from acommon::StringMap::add and acommon::Config::lookup_list). Published at: July 20, 2021 at 10:15AM View on website July 20, 2021 at 01:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2019-25050 netCDF in GDAL 2.4.2 through 3.0.4 has a stack-based buffer overflow in nc4_get_att (called from nc4_get_att_tc and nc_get_att_text) and in uffd_cleanup (called from netCDFDataset::~netCDFDataset and netCDFDataset::~netCDFDataset). Published at: July 20, 2021 at 10:15AM View on website July 20, 2021 at 01:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-15660 Missing checks on Content-Type headers in geckodriver before 0.27.0 could lead to a CSRF vulnerability, that might, when paired with a specifically prepared request, lead to remote code execution. Published at: July 20, 2021 at 03:15PM View on website July 20, 2021 at 06:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-35427 SQL injection vulnerability in PHPGurukul Employee Record Management System 1.1 allows remote attackers to execute arbitrary SQL commands and bypass authentication. Published at: July 20, 2021 at 05:15PM View on website July 20, 2021 at 08:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-25206 The web console for Mimosa B5, B5c, and C5x firmware through 2.8.0.2 allows authenticated command injection in the Throughput, WANStats, PhyStats, and QosStats API classes. An attacker with access to a web console account may execute operating system commands on affected devices by sending crafted POST requests to the affected endpoints (/core/api/calls/Throughput.php, /core/api/calls/WANStats.php, /core/api/calls/PhyStats.php, /core/api/calls/QosStats.php). This results in the complete takeover of the vulnerable device. This vulnerability does not occur in the older 1.5.x firmware versions. Published at: July 20, 2021 at 10:15PM View on website July 21, 2021 at 12:12AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-25205 The web console for Mimosa B5, B5c, and C5x firmware through 2.8.0.2 is vulnerable to stored XSS in the set_banner() function of /var/www/core/controller/index.php. An unauthenticated attacker may set the contents of the /mnt/jffs2/banner.txt file, stored on the device's filesystem, to contain arbitrary JavaScript. The file contents are then used as part of a welcome/banner message presented to unauthenticated users who visit the login page for the web console. This vulnerability does not occur in the older 1.5.x firmware versions. Published at: July 20, 2021 at 10:15PM View on website July 21, 2021 at 12:12AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-23284 Information disclosure in aspx pages in MV's IDCE application v1.0 allows an attacker to copy and paste aspx pages in the end of the URL application that connect into the database which reveals internal and sensitive information without logging into the web application. Published at: July 20, 2021 at 11:15PM View on website July 21, 2021 at 02:12AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-23283 Information disclosure in Logon Page in MV's mConnect application v02.001.00 allows an attacker to know valid users from the application's database via brute force. Published at: July 21, 2021 at 06:15PM View on website July 21, 2021 at 07:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-23282 SQL injection in Logon Page in MV's mConnect application, v02.001.00, allows an attacker to use a non existing user with a generic password to connect to the application and get access to unauthorized information. Published at: July 21, 2021 at 06:15PM View on website July 21, 2021 at 07:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-21937 An command injection vulnerability in HNAP1/SetWLanApcliSettings of Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n allows attackers to execute arbitrary system commands. Published at: July 21, 2021 at 06:15PM View on website July 21, 2021 at 07:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-21936 An issue in HNAP1/GetMultipleHNAPs of Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n allows attackers to access the components GetStationSettings, GetWebsiteFilterSettings and GetNetworkSettings without authentication. Published at: July 21, 2021 at 06:15PM View on website July 21, 2021 at 07:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-21935 A command injection vulnerability in HNAP1/GetNetworkTomographySettings of Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n allows attackers to execute arbitrary code. Published at: July 21, 2021 at 06:15PM View on website July 21, 2021 at 07:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-21934 An issue was discovered in Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n where authentication to download the Syslog could be bypassed. Published at: July 21, 2021 at 06:15PM View on website July 21, 2021 at 07:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-21933 An issue was discovered in Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n where the admin password and private key could be found in the log tar package. Published at: July 21, 2021 at 06:15PM View on website July 21, 2021 at 07:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-21932 A vulnerability in /Login.html of Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n allows attackers to bypass login and obtain a partially authorized token and uid. Published at: July 21, 2021 at 06:15PM View on website July 21, 2021 at 07:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-20262 Mikrotik RouterOs before 6.47 (stable tree) suffers from an assertion failure vulnerability in the /ram/pckg/security/nova/bin/ipsec process. An authenticated remote attacker can cause a Denial of Service due to an assertion failure via a crafted packet. Published at: July 21, 2021 at 06:15PM View on website July 21, 2021 at 07:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-20221 Mikrotik RouterOs before 6.44.6 (long-term tree) suffers from an uncontrolled resource consumption vulnerability in the /nova/bin/cerm process. An authenticated remote attacker can cause a Denial of Service due to overloading the systems CPU. Published at: July 21, 2021 at 06:15PM View on website July 21, 2021 at 07:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-20219 Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/igmp-proxy process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference). Published at: July 21, 2021 at 06:15PM View on website July 21, 2021 at 07:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19609 Artifex MuPDF before 1.18.0 has a heap based buffer over-write in tiff_expand_colormap() function when parsing TIFF files allowing attackers to cause a denial of service. Published at: July 21, 2021 at 06:15PM View on website July 21, 2021 at 07:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-22150 A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML. Published at: July 21, 2021 at 08:15PM View on website July 21, 2021 at 09:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-22148 A stored cross site scripting (XSS) vulnerability in /admin.php?page=tags of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML. Published at: July 21, 2021 at 08:15PM View on website July 21, 2021 at 09:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19499 An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19498 Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19497 Integer overflow vulnerability in Mat_VarReadNextInfo5 in mat5.c in tbeu matio (aka MAT File I/O Library) 1.5.17, allows attackers to cause a Denial of Service or possibly other unspecified impacts. Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19492 There is a floating point exception in ReadImage that leads to a Segmentation fault in sam2p 0.49.4. A crafted input will lead to a denial of service or possibly unspecified other impact. Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19491 There is an invalid memory access bug in cgif.c that leads to a Segmentation fault in sam2p 0.49.4. A crafted input will lead to a denial of service or possibly unspecified other impact. Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19490 tinyexr 0.9.5 has a integer overflow over-write in tinyexr::DecodePixelData in tinyexr.h, related to OpenEXR code. Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19488 An issue was discovered in box_code_apple.c:119 in Gpac MP4Box 0.8.0, allows attackers to cause a Denial of Service due to an invalid read on function ilst_item_Read. Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19481 An issue was discovered in GPAC before 0.8.0, as demonstrated by MP4Box. It contains an invalid memory read in gf_m2ts_process_pmt in media_tools/mpegts.c that can cause a denial of service via a crafted MP4 file. Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19475 An issue has been found in function CCITTFaxStream::lookChar in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an invalid write of size 2 . Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19474 An issue has been found in function Gfx::doShowText in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an Use After Free . Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19473 An issue has been found in function DCTStream::decodeImage in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an uncaught floating point exception. Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19472 An issue has been found in function DCTStream::readHuffSym in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an invalid read of size 2 . Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19471 An issue has been found in function DCTStream::decodeImage in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an invalid read of size 4 . Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19470 An issue has been found in function DCTStream::getChar in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to a NULL pointer dereference (invalid read of size 1) . Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19469 An issue has been found in function DCTStream::reset in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an invalid write of size 8 . Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19468 An issue has been found in function EmbedStream::getChar in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to a null pointer derefenrece (invalid read of size 8) . Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19467 An issue has been found in function DCTStream::transformDataUnit in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an Illegal Use After Free . Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19466 An issue has been found in function DCTStream::transformDataUnit in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an invalid read of size 1 . Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19465 An issue has been found in function ObjectStream::getObject in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an invalid read of size 4 . Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19464 An issue has been found in function XRef::fetch in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to a stack overflow . Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19463 An issue has been found in function vfprintf in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to a stack overflow. Published at: July 21, 2021 at 09:15PM View on website July 21, 2021 at 11:12PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2019-20467 An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. The device by default has a TELNET interface available (which is not advertised or functionally used, but is nevertheless available). Two backdoor accounts (root and default) exist that can be used on this interface. The usernames and passwords of the backdoor accounts are the same on all devices. Attackers can use these backdoor accounts to obtain access and execute code as root within the device. Published at: July 22, 2021 at 04:15PM View on website July 22, 2021 at 05:33PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2018-11669 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. Published at: July 22, 2021 at 10:15PM View on website July 22, 2021 at 11:34PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2018-11668 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. Published at: July 22, 2021 at 10:15PM View on website July 22, 2021 at 11:34PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2018-11666 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. Published at: July 22, 2021 at 10:15PM View on website July 22, 2021 at 11:34PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2018-11665 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. Published at: July 22, 2021 at 10:15PM View on website July 22, 2021 at 11:34PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2018-11664 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. Published at: July 22, 2021 at 10:15PM View on website July 22, 2021 at 11:34PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2018-11663 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. Published at: July 22, 2021 at 10:15PM View on website July 22, 2021 at 11:34PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2018-11662 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. Published at: July 22, 2021 at 10:15PM View on website July 22, 2021 at 11:34PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2018-11661 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. Published at: July 22, 2021 at 09:15PM View on website July 22, 2021 at 11:34PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2018-11659 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. Published at: July 22, 2021 at 09:15PM View on website July 22, 2021 at 11:34PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-2100 Multiple stack-based buffer overflows in WebGate eDVR Manager and Control Center allow remote attackers to execute arbitrary code via unspecified vectors to the (1) TCPDiscover or (2) TCPDiscover2 function in the WESPDiscovery.WESPDiscoveryCtrl.1 control. Published at: July 22, 2021 at 09:15PM View on website July 22, 2021 at 11:34PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-2099 Multiple buffer overflows in WebGate Control Center allow remote attackers to execute arbitrary code via unspecified vectors to the (1) GetRecFileInfo function in the FileConverter.FileConverterCtrl.1 control, (2) Login function in the LoginContoller.LoginControllerCtrl.1 control, or (3) GetThumbnail function in the WESPPlayback.WESPPlaybackCtrl.1 control. Published at: July 22, 2021 at 09:15PM View on website July 22, 2021 at 11:34PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-2098 Multiple stack-based buffer overflows in WebGate eDVR Manager allow remote attackers to execute arbitrary code via unspecified vectors to the (1) Connect, (2) ConnectEx, or (3) ConnectEx2 function in the WESPEvent.WESPEventCtrl.1 control; (4) AudioOnlySiteChannel function in the WESPPlayback.WESPPlaybackCtrl.1 control; (5) Connect or (6) ConnectEx function in the WESPPTZ.WESPPTZCtrl.1 control; (7) SiteChannel property in the WESPPlayback.WESPPlaybackCtrl.1 control; (8) SiteName property in the WESPPlayback.WESPPlaybackCtrl.1 control; or (9) OpenDVrSSite function in the WESPPTZ.WESPPTZCtrl.1 control. Published at: July 22, 2021 at 09:15PM View on website July 22, 2021 at 11:34PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-14032 ASRock 4x4 BOX-R1000 before BIOS P1.40 allows privilege escalation via code execution in the SMM. Published at: July 23, 2021 at 02:15PM View on website July 23, 2021 at 03:33PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2019-9983 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. Published at: July 23, 2021 at 04:15PM View on website July 23, 2021 at 05:33PM via National Vulnerability Database