New vulnerabilities from the NVD: CVE-2019-2393 | | A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15. Published at: November 23, 2020 at 06:15PM View on website November 23, 2020 at 07:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-2392 | | A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20. Published at: November 23, 2020 at 06:15PM View on website November 23, 2020 at 07:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-20924 | | A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.2. Published at: November 23, 2020 at 06:15PM View on website November 23, 2020 at 07:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-20923 | | A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.7. Published at: November 23, 2020 at 06:15PM View on website November 23, 2020 at 07:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-14562 | | Integer overflow in DxeImageVerificationHandler() in EDK II may allow an authenticated user to potentially enable denial of service via local access. Published at: November 23, 2020 at 06:15PM View on website November 23, 2020 at 07:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-14559 | | Uncontrolled resource consumption in EDK II may allow an unauthenticated user to potentially enable denial of service via network access. Published at: November 23, 2020 at 06:15PM View on website November 23, 2020 at 07:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-14553 | | Improper authentication in EDK II may allow a privileged user to potentially enable information disclosure via network access. Published at: November 23, 2020 at 06:15PM View on website November 23, 2020 at 07:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2018-20805 | | A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10. This issue affects: MongoDB Inc. MongoDB Server 3.6 versions prior to 3.6.10; 4.0 versions prior to 4.0.5. Published at: November 23, 2020 at 06:15PM View on website November 23, 2020 at 07:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2018-20804 | | A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.10; v3.6 versions prior to 3.6.13. Published at: November 23, 2020 at 06:15PM View on website November 23, 2020 at 07:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2018-20802 | | A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.9, v4.0 versions prior to 4.0.3. Published at: November 23, 2020 at 06:15PM View on website November 23, 2020 at 07:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-12352 | | Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access. Published at: November 23, 2020 at 07:15PM View on website November 23, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-12351 | | Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. Published at: November 23, 2020 at 07:15PM View on website November 23, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-0569 | | Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access. Published at: November 23, 2020 at 07:15PM View on website November 23, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-14587 | | Logic issue in EDK II may allow an unauthenticated user to potentially enable denial of service via adjacent access. Published at: November 23, 2020 at 07:15PM View on website November 23, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-14586 | | Use after free vulnerability in EDK II may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via adjacent access. Published at: November 23, 2020 at 07:15PM View on website November 23, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-14575 | | Logic issue in DxeImageVerificationHandler() for EDK II may allow an authenticated user to potentially enable escalation of privilege via local access. Published at: November 23, 2020 at 07:15PM View on website November 23, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-14563 | | Integer truncation in EDK II may allow an authenticated user to potentially enable escalation of privilege via local access. Published at: November 23, 2020 at 07:15PM View on website November 23, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2018-20803 | | A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10; v3.4 versions prior to 3.4.19. Published at: November 23, 2020 at 08:15PM View on website November 23, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2018-16723 | | In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12364020. Published at: November 23, 2020 at 11:15PM View on website November 24, 2020 at 01:36AM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2018-16722 | | In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12360094, a related issue to CVE-2018-16305. Published at: November 23, 2020 at 11:15PM View on website November 24, 2020 at 01:36AM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2018-16721 | | In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12360090, a related issue to CVE-2018-16306. Published at: November 23, 2020 at 11:15PM View on website November 24, 2020 at 01:36AM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2018-16720 | | In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x1236001c, a related issue to CVE-2018-16304. Published at: November 23, 2020 at 11:15PM View on website November 24, 2020 at 01:36AM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2018-16719 | | In Jingyun Antivirus v2.4.2.39, the driver file (hookbody.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x00221482. Published at: November 23, 2020 at 11:15PM View on website November 24, 2020 at 01:36AM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-20925 | | An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15; v3.4 versions prior to 3.4.24. Published at: November 24, 2020 at 01:15PM View on website November 24, 2020 at 03:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-10763 | | An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords. Published at: November 24, 2020 at 07:15PM View on website November 24, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-10762 | | An information-disclosure flaw was found in the way that gluster-block before 0.5.1 logs the output from gluster-block CLI operations. This includes recording passwords to the cmd_history.log file which is world-readable. This flaw allows local users to obtain sensitive information by reading the log file. The highest threat from this vulnerability is to data confidentiality. Published at: November 24, 2020 at 07:15PM View on website November 24, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2015-9551 | | An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. There is Remote Code Execution in the management interface via the formSysCmd sysCmd parameter. Published at: November 24, 2020 at 11:15PM View on website November 25, 2020 at 01:36AM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2015-9550 | | An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. By sending a specific hel,xasf packet to the WAN interface, it is possible to open the web management interface on the WAN interface. Published at: November 24, 2020 at 11:15PM View on website November 25, 2020 at 01:36AM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-13886 | | Intelbras TIP 200 60.61.75.15, TIP 200 LITE 60.61.75.15, and TIP 300 65.61.75.22 devices allow cgi-bin/cgiServer.exx?page=../ Directory Traversal. Published at: November 26, 2020 at 07:15PM View on website November 26, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2020-12262 | | Intelbras TIP200 60.61.75.15, TIP200LITE 60.61.75.15, and TIP300 65.61.75.15 devices allow /cgi-bin/cgiServer.exx?page= XSS. Published at: November 27, 2020 at 02:15AM View on website November 27, 2020 at 03:36AM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-19872 | | An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. The AprolLoader could be used to inject and execute arbitrary unintended commands via an unspecified attack scenario, a different vulnerability than CVE-2019-16364. Published at: November 27, 2020 at 05:15PM View on website November 27, 2020 at 07:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-19869 | | An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. PVs could be changed (unencrypted) by using the IosHttp service and the JSON interface. Published at: November 27, 2020 at 05:15PM View on website November 27, 2020 at 07:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-19875 | | An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. Arbitrary commands could be injected (using Python scripts) via the AprolCluster script that is invoked via sudo and thus executes with root privileges, a different vulnerability than CVE-2019-16364. Published at: November 27, 2020 at 07:15PM View on website November 27, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-19874 | | An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. Some web scripts in the web interface allowed injection and execution of arbitrary unintended commands on the web server, a different vulnerability than CVE-2019-16364. Published at: November 27, 2020 at 07:15PM View on website November 27, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2019-19873 | | An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. An attacker can get information from the AprolSqlServer DBMS by bypassing authentication, a different vulnerability than CVE-2019-16356 and CVE-2019-9983. Published at: November 27, 2020 at 07:15PM View on website November 27, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2017-15686 | | Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting (XSS), which allows remote attackers to steal users’ cookies. Published at: November 27, 2020 at 08:15PM View on website November 27, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2017-15685 | | Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). An unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band. Published at: November 27, 2020 at 08:15PM View on website November 27, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2017-15684 | | Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system. Published at: November 27, 2020 at 08:15PM View on website November 27, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2017-15683 | | In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band. Published at: November 27, 2020 at 08:15PM View on website November 27, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2017-15682 | | In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel. Published at: November 27, 2020 at 08:15PM View on website November 27, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2017-15681 | | In Crafter CMS Crafter Studio 3.0.1 a directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files from the operating system which can lead to RCE. Published at: November 27, 2020 at 08:15PM View on website November 27, 2020 at 09:36PM via National Vulnerability Database |
New vulnerabilities from the NVD: CVE-2017-15680 | | In Crafter CMS Crafter Studio 3.0.1 an IDOR vulnerability exists which allows unauthenticated attackers to view and modify administrative data. Published at: November 27, 2020 at 08:15PM View on website November 27, 2020 at 09:36PM via National Vulnerability Database |