Weekly Update: a new vulnerability is published on the National Vulnerability Database (27 items)

New vulnerabilities from the NVD: CVE-2020-15744 Stack-based Buffer Overflow vulnerability in the ONVIF server component of Victure PC420 smart camera allows an attacker to execute remote code on the target device. This issue affects: Victure PC420 firmware version 1.2.2 and prior versions. Published at: August 30, 2021 at 01:15PM View on website August 30, 2021 at 03:33PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-18127 An issue in the /config/config.php component of Indexhibit 2.1.5 allows attackers to arbitrarily view files. Published at: August 30, 2021 at 09:15PM View on website August 30, 2021 at 11:33PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-18126 Multiple stored cross-site scripting (XSS) vulnerabilities in the Sections module of Indexhibit 2.1.5 allows attackers to execute arbitrary web scripts or HTML. Published at: August 30, 2021 at 09:15PM View on website August 30, 2021 at 11:33PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-18125 A reflected cross-site scripting (XSS) vulnerability in the /plugin/ajax.php component of Indexhibit 2.1.5 allows attackers to execute arbitrary web scripts or HTML. Published at: August 30, 2021 at 09:15PM View on website August 30, 2021 at 11:33PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-18124 A cross-site request forgery (CSRF) vulnerability in Indexhibit 2.1.5 allows attackers to arbitrarily reset account passwords. Published at: August 30, 2021 at 09:15PM View on website August 30, 2021 at 11:33PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-18123 A cross-site request forgery (CSRF) vulnerability in Indexhibit 2.1.5 allows attackers to arbitrarily delete admin accounts. Published at: August 30, 2021 at 09:15PM View on website August 30, 2021 at 11:33PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-18121 A configuration issue in Indexhibit 2.1.5 allows authenticated attackers to modify .php files, leading to getshell. Published at: August 30, 2021 at 09:15PM View on website August 30, 2021 at 11:33PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-13639 A stored XSS vulnerability was discovered in the ECT Provider in OutSystems before 2020-09-04, affecting generated applications. It could allow an unauthenticated remote attacker to craft and store malicious Feedback content into /ECT_Provider/, such that when the content is viewed (it can only be viewed by Administrators), attacker-controlled JavaScript will execute in the security context of an administrator's browser. This is fixed in Outsystems 10.0.1005.2, Outsystems 11.9.0 Platform Server, and Outsystems 11.7.0 LifeTime Management Console. Published at: August 31, 2021 at 07:15AM View on website August 31, 2021 at 08:33AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19049 Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Description" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'. Published at: August 31, 2021 at 05:15PM View on website August 31, 2021 at 07:33PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19048 Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Title" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'. Published at: August 31, 2021 at 05:15PM View on website August 31, 2021 at 07:33PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19047 Cross Site Request Forgey (CSRF) in iWebShop v5.3 allows remote atatckers to execute arbitrary code via malicious POST request to the component '/index.php?controller=system&action=admin_edit_act'. Published at: August 31, 2021 at 05:15PM View on website August 31, 2021 at 07:33PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-19046 Cross Site Scripting (XSS) in S-CMS v1.0 allows remote attackers to execute arbitrary code via the component '/admin/tpl.php?page='. Published at: August 31, 2021 at 05:15PM View on website August 31, 2021 at 07:33PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-20486 IEC104 v1.0 contains a stack-buffer overflow in the parameter Iec10x_Sta_Addr. Published at: September 01, 2021 at 02:15AM View on website September 01, 2021 at 03:33AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-20495 bludit v3.13.0 contains an arbitrary file deletion vulnerability in the backup plugin via the `deleteBackup' parameter. Published at: September 01, 2021 at 03:15AM View on website September 01, 2021 at 08:37AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-9002 An issue was discovered in iPortalis iCS 7.1.13.0. An attacker can gain privileges by intercepting a request and changing UserRoleKey=COMPANY_ADMIN to UserRoleKey=DOMAIN_ADMIN (to achieve Domain Administrator access). Published at: September 01, 2021 at 02:15PM View on website September 01, 2021 at 03:34PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-9000 An issue was discovered in iPortalis iCS 7.1.13.0. Attackers can send a sequence of requests to rapidly cause .NET Input Validation errors. This increases the size of the log file on the remote server until memory is exhausted, therefore consuming the maximum amount of resources (triggering a denial of service condition). Published at: September 01, 2021 at 02:15PM View on website September 01, 2021 at 03:34PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-20341 YzmCMS v5.5 contains a server-side request forgery (SSRF) in the grab_image() function. Published at: September 01, 2021 at 11:15PM View on website September 02, 2021 at 01:33AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-20340 A SQL injection vulnerability in the 4.edu.php\conn\function.php component of S-CMS v1.0 allows attackers to access sensitive database information. Published at: September 01, 2021 at 11:15PM View on website September 02, 2021 at 01:34AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-20349 WTCMS 1.0 contains a stored cross-site scripting (XSS) vulnerability in the link address field under the background links module. Published at: September 02, 2021 at 01:15AM View on website September 02, 2021 at 03:36AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-20348 WTCMS 1.0 contains a stored cross-site scripting (XSS) vulnerability in the link field under the background menu management module. Published at: September 02, 2021 at 01:15AM View on website September 02, 2021 at 03:36AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-20347 WTCMS 1.0 contains a stored cross-site scripting (XSS) vulnerability in the source field under the article management module. Published at: September 02, 2021 at 01:15AM View on website September 02, 2021 at 03:36AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-20345 WTCMS 1.0 contains a reflective cross-site scripting (XSS) vulnerability in the page management background which allows attackers to obtain cookies via a crafted payload entered into the search box. Published at: September 02, 2021 at 01:15AM View on website September 02, 2021 at 03:36AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-20344 WTCMS 1.0 contains a reflective cross-site scripting (XSS) vulnerability in the keyword search function under the background articles module. Published at: September 02, 2021 at 01:15AM View on website September 02, 2021 at 03:36AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-20343 WTCMS 1.0 contains a cross-site request forgery (CSRF) vulnerability in the index.php?g=admin&m=nav&a=add_post component that allows attackers to arbitrarily add articles in the administrator background. Published at: September 02, 2021 at 01:15AM View on website September 02, 2021 at 03:36AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-13929 Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions. Published at: September 02, 2021 at 08:15PM View on website September 02, 2021 at 09:34PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2019-10095 bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions. Published at: September 02, 2021 at 08:15PM View on website September 02, 2021 at 09:34PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2020-18048 An issue in craigms/main.php of CraigMS 1.0 allows attackers to execute arbitrary commands via a crafted input entered into the DB Name field. Published at: September 02, 2021 at 09:15PM View on website September 02, 2021 at 11:42PM via National Vulnerability Database