New vulnerabilities from the NVD: CVE-2019-20101 | | Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view whitelist rules via a Broken Access Control vulnerability in the /rest/whitelist/<version>/check endpoint. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1. Published at: September 14, 2021 at 08:15AM View on website September 14, 2021 at 01:38PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-10941 | | A vulnerability has been identified in SINEMA Server (All versions < V14 SP3). Missing authentication for functionality that requires administrative user identity could allow an attacker to obtain encoded system configuration backup files. This is only possible through network access to the affected system, and successful exploitation requires no system privileges. Published at: September 14, 2021 at 02:15PM View on website September 14, 2021 at 03:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2021-22149 | | Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging to higher privileged users. Published at: September 15, 2021 at 03:15PM View on website September 15, 2021 at 05:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2021-22148 | | Elastic Enterprise Search App Search versions before 7.14.0 were vulnerable to an issue where API keys were not bound to the same engines as their creator. This could lead to a less privileged user gaining access to unauthorized engines. Published at: September 15, 2021 at 03:15PM View on website September 15, 2021 at 05:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2021-22147 | | Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view. Published at: September 15, 2021 at 03:15PM View on website September 15, 2021 at 05:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-3960 | | VMware ESXi (6.7 before ESXi670-202006401-SG and 6.5 before ESXi650-202005401-SG), Workstation (15.x before 15.5.5), and Fusion (11.x before 11.5.5) contain an out-of-bounds read vulnerability in NVMe functionality. A malicious actor with local non-administrative access to a virtual machine with a virtual NVMe controller present may be able to read privileged information contained in physical memory. Published at: September 15, 2021 at 04:15PM View on website September 15, 2021 at 05:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-35340 | | A Directory Traversal vulnerability in ExpertPDF 9.5.0 through 14.1.0 allows attackers to read the file contents from files that the running ExpertPDF process has access to read. Published at: September 15, 2021 at 03:15PM View on website September 15, 2021 at 05:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-19159 | | Cross Site Request Forgery (CSRF) in LaikeTui v3 allows remote attackers to execute arbitrary code via the component '/index.php?module=member&action=add'. Published at: September 15, 2021 at 05:15PM View on website September 15, 2021 at 07:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-19158 | | Cross Site Scripting (XSS) in S-CMS build 20191014 and earlier allows remote attackers to execute arbitrary code via the 'Site Title' parameter of the component '/data/admin/#/app/config/'. Published at: September 15, 2021 at 05:15PM View on website September 15, 2021 at 07:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-19157 | | Cross Site Scripting (CSS) in Wenku CMS v3.4 allows remote attackers to execute arbitrary code via the 'Intro' parameter for the component '/index.php?m=ucenter&a=index'. Published at: September 15, 2021 at 05:15PM View on website September 15, 2021 at 07:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-19156 | | Cross Site Scripting (XSS) in Ari Adminer v1 allows remote attackers to execute arbitrary code via the 'Title' parameter of the 'Add New Connections' component when the 'save()' function is called. Published at: September 15, 2021 at 05:15PM View on website September 15, 2021 at 07:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-19155 | | Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information and/or execute arbitrary code via the 'FileManager.rename()' function in the component 'modules/filemanager/FileManagerController.java'. Published at: September 15, 2021 at 05:15PM View on website September 15, 2021 at 07:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-19154 | | Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'FileManager.editFile()' function in the component 'modules/filemanager/FileManagerController.java'. Published at: September 15, 2021 at 05:15PM View on website September 15, 2021 at 07:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-19151 | | Command Injection in Jfinal CMS v4.7.1 and earlier allows remote attackers to execute arbitrary code by uploading a malicious HTML template file via the component 'jfinal_cms/admin/filemanager/list'. Published at: September 15, 2021 at 05:15PM View on website September 15, 2021 at 07:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-19150 | | Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information or cause a denial of service via the 'FileManager.delete()' function in the component 'modules/filemanager/FileManagerController.java'. Published at: September 15, 2021 at 05:15PM View on website September 15, 2021 at 07:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-19148 | | Cross Site Scripting (XSS) in Jfinal CMS v4.7.1 and earlier allows remote attackers to execute arbitrary code via the 'Nickname' parameter in the component '/jfinal_cms/front/person/profile.html'. Published at: September 15, 2021 at 05:15PM View on website September 15, 2021 at 07:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-19147 | | Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'getFolder()' function in the component '/modules/filemanager/FileManager.java'. Published at: September 15, 2021 at 05:15PM View on website September 15, 2021 at 07:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-19146 | | Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'TemplatePath' parameter in the component 'jfinal_cms/admin/folder/list'. Published at: September 15, 2021 at 05:15PM View on website September 15, 2021 at 07:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-21127 | | |
New vulnerabilities from the NVD: CVE-2020-21126 | | MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF) via admin/?n=admin&c=index&a=doSaveInfo. Published at: September 15, 2021 at 08:15PM View on website September 15, 2021 at 09:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-21125 | | An arbitrary file creation vulnerability in UReport 2.2.9 allows attackers to execute arbitrary code. Published at: September 15, 2021 at 08:15PM View on website September 15, 2021 at 09:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-21124 | | UReport 2.2.9 allows attackers to execute arbitrary code due to a lack of access control to the designer page. Published at: September 15, 2021 at 08:15PM View on website September 15, 2021 at 09:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-21122 | | UReport v2.2.9 contains a Server-Side Request Forgery (SSRF) in the designer page which allows attackers to detect intranet device ports. Published at: September 15, 2021 at 08:15PM View on website September 15, 2021 at 09:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-21121 | | Pligg CMS 2.0.2 contains a time-based SQL injection vulnerability via the $recordIDValue parameter in the admin_update_module_widgets.php file. Published at: September 15, 2021 at 08:15PM View on website September 15, 2021 at 09:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2016-20012 | | OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. Published at: September 15, 2021 at 11:15PM View on website September 16, 2021 at 01:33AM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-21321 | | emlog v6.0 contains a Cross-Site Request Forgery (CSRF) via /admin/link.php?action=addlink, which allows attackers to arbitrarily add articles. Published at: September 16, 2021 at 01:15AM View on website September 16, 2021 at 03:33AM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-14130 | | Some JS interfaces in the Xiaomi community were exposed, causing sensitive functions to be maliciously called on the Xiaomi community app. Affected version: <3.0.210809. Published at: September 16, 2021 at 03:15PM View on website September 16, 2021 at 05:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-14124 | | There is a buffer overflow in librsa.so called by getwifipwdurl interface, resulting in code execution on Xiaomi router AX3600 with ROM version =rom< 1.1.12. Published at: September 16, 2021 at 04:15PM View on website September 16, 2021 at 05:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-14119 | | There is command injection in the addMeshNode interface of xqnetwork.lua, which leads to command execution under administrator authority on Xiaomi router AX3600 with rom versionrom< 1.1.12 Published at: September 16, 2021 at 04:15PM View on website September 16, 2021 at 05:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-14109 | | There is command injection in the meshd program in the routing system, resulting in command execution under administrator authority on Xiaomi router AX3600 with ROM version =< 1.1.12 Published at: September 16, 2021 at 03:15PM View on website September 16, 2021 at 05:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-9060 | | An issue was discovered in CMS Made Simple 2.2.8. It is possible to achieve unauthenticated path traversal in the CGExtensions module (in the file action.setdefaulttemplate.php) with the m1_filename parameter; and through the action.showmessage.php file, it is possible to read arbitrary file content (by using that path traversal with m1_prefname set to cg_errormsg and m1_resettodefault=1). Published at: September 17, 2021 at 07:15PM View on website September 17, 2021 at 09:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-12083 | | An elevated privileges issue related to Spring MVC calls impacts Code Insight v7.x releases up to and including 2020 R1 (7.11.0-64). Published at: September 17, 2021 at 09:15PM View on website September 17, 2021 at 11:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-12082 | | A stored cross-site scripting issue impacts certain areas of the Web UI for Code Insight v7.x releases up to and including 2020 R1 (7.11.0-64). Published at: September 17, 2021 at 09:15PM View on website September 17, 2021 at 11:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-12080 | | A Denial of Service vulnerability has been identified in FlexNet Publisher's lmadmin.exe version 11.16.6. A certain message protocol can be exploited to cause lmadmin to crash. Published at: September 17, 2021 at 09:15PM View on website September 17, 2021 at 11:33PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2018-20686 | | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. Published at: September 17, 2021 at 10:15PM View on website September 17, 2021 at 11:33PM via National Vulnerability Database |