Friday, 10 September 2021

Weekly Digest: new vulnerabilities published on the National Vulnerability Database (35 items)


New vulnerabilities from the NVD: CVE-2020-18705

XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'.
Published at: August 16, 2021 at 09:15PM
August 16, 2021 at 11:33PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2020-18704

Unrestricted Upload of File with Dangerous Type in Django-Widgy v0.8.4 allows remote attackers to execute arbitrary code via the 'image' widget in the component 'Change Widgy Page'.
Published at: August 16, 2021 at 09:15PM


New vulnerabilities from the NVD: CVE-2020-18703

XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/utils/atom.py'.
Published at: August 16, 2021 at 09:15PM
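
Both Quokka entries above (CVE-2020-18705 in 'quokka/core/content/views.py' and CVE-2020-18703 in 'quokka/utils/atom.py') are the same bug class: an XML parser that resolves external entities while processing attacker-supplied documents such as feed input. The following Python is an added example, not Quokka's code. It uses the standard library's xml.sax parser, where the `feature_external_ges` setting decides whether a SYSTEM entity is fetched from disk, and a temporary file standing in for whatever secret the attacker wants to read.

```python
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so the document text can be inspected after parsing."""

    def __init__(self) -> None:
        super().__init__()
        self.chunks = []

    def characters(self, content: str) -> None:
        self.chunks.append(content)

    def text(self) -> str:
        return "".join(self.chunks).strip()


def parse_feed_vulnerable(xml_bytes: bytes) -> str:
    """Bug shape: external general entities are resolved, so a SYSTEM entity
    naming a local path is read from disk and inlined into the document."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, True)  # the dangerous setting
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def parse_feed_hardened(xml_bytes: bytes) -> str:
    """Rejects any DTD up front (untrusted feeds never need one) and keeps
    external entity resolution off instead of trusting a parser default."""
    if _DTD_MARKER.search(xml_bytes):
        raise ValueError("DTD and entity declarations are not accepted from untrusted input")
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, False)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def build_xxe_payload(target_path: str) -> bytes:
    """Constructed attacker document: an Atom-like entry whose title is a SYSTEM entity."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE feed [<!ENTITY xxe SYSTEM "' + target_path.encode() + b'">]>\n'
        b'<feed><entry><title>&xxe;</title></entry></feed>'
    )


def demo() -> tuple:
    """Returns (text leaked by the vulnerable parser, whether the hardened parser refused)."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt") as fh:
        fh.write("secret-token-12345")  # constructed secret the attacker wants
        secret_path = fh.name
    try:
        payload = build_xxe_payload(secret_path)
        leaked = parse_feed_vulnerable(payload)
        try:
            parse_feed_hardened(payload)
            refused = False
        except ValueError:
            refused = True
        return leaked, refused
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())
```

CPython has shipped with external general entities disabled in xml.sax since 3.7.1, which is why the vulnerable function has to switch them on explicitly; older interpreters and other libraries (lxml with `resolve_entities=True`, for instance) behave differently, so the hardened version refuses any DTD rather than relying on a default. For production code the defusedxml package wraps every standard-library parser with equivalent checks.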


New vulnerabilities from the NVD: CVE-2020-18702

Cross Site Scripting (XSS) in Quokka v0.4.0 allows remote attackers to inject arbitrary script, executed in the browser of a user who views the affected page, via the 'Username' parameter in the component 'quokka/admin/actions.py'.
Published at: August 16, 2021 at 09:15PM


New vulnerabilities from the NVD: CVE-2020-18701

Incorrect Access Control in Lin-CMS-Flask v0.1.1 allows remote attackers to obtain sensitive information and/or gain privileges because the application does not invalidate a user's authentication token upon logout, so a captured token can be replayed after the user has logged out.
Published at: August 16, 2021 at 09:15PM
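
The CVE-2020-18701 entry is a reminder that a bearer token which is only checked for a valid signature and an unexpired `exp` cannot be "logged out": nothing on the server changes when the user leaves, so a copy captured earlier keeps working. The Python below is an added example and not Lin-CMS-Flask's code. It issues HMAC-signed tokens with a unique id (`jti`) and contrasts signature-only validation with a server-side denylist consulted on every request; the signing key is a demo value.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Assumption: demo-only signing key; a deployment loads it from a secret store.
SIGNING_KEY = b"demo-only-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: float, ttl_seconds: int = 3600) -> str:
    """HMAC-signed token with a unique id (jti) so that this exact token can be revoked."""
    claims = {"sub": user_id, "jti": secrets.token_hex(16),
              "iat": int(now), "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_signature(token: str) -> dict | None:
    """Return the claims when the signature checks out, otherwise None."""
    body, _, sig = token.partition(".")
    try:
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        return json.loads(_unb64(body))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def authenticate_signature_only(token: str, now: float) -> str | None:
    """Bug shape: a well-signed, unexpired token is accepted regardless of what
    happened since it was issued, so a copy captured before logout keeps working."""
    claims = verify_signature(token)
    if claims is None or claims["exp"] <= now:
        return None
    return claims["sub"]


class RevocableSessions:
    """Fix: logout records the token's jti; every request checks the denylist,
    which is pruned once the token would have expired on its own."""

    def __init__(self) -> None:
        self._revoked: dict[str, int] = {}  # jti -> exp

    def logout(self, token: str) -> None:
        claims = verify_signature(token)
        if claims is not None:
            self._revoked[claims["jti"]] = claims["exp"]

    def authenticate(self, token: str, now: float) -> str | None:
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        claims = verify_signature(token)
        if claims is None or claims["exp"] <= now or claims["jti"] in self._revoked:
            return None
        return claims["sub"]
```

The denylist only has to hold entries until their `exp`, so it stays small even with short-lived tokens; with a shared cache (for example Redis with a TTL equal to the remaining lifetime) the same check works across several application instances.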


New vulnerabilities from the NVD: CVE-2020-18699

Cross Site Scripting (XSS) in Lin-CMS-Flask v0.1.1 allows remote attackers to inject arbitrary script, executed in the browser of a user who views the affected page, by entering scripts in the 'Username' parameter of the component 'app/api/cms/user.py'.
Published at: August 16, 2021 at 09:15PM


New vulnerabilities from the NVD: CVE-2020-18698

Improper Authentication in Lin-CMS-Flask v0.1.1 allows remote attackers to launch brute force login attempts without restriction via the 'login' function in the component 'app/api/cms/user.py'.
Published at: August 16, 2021 at 09:15PM
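
For CVE-2020-18698 the missing control is a counter: a login endpoint that evaluates every guess at full speed lets an attacker walk a password list against one account or spray one password across many. The Python below is an added example, not Lin-CMS-Flask's code. It keeps sliding-window failure counts per account and per source address with an assumed policy (5 failures per account or 20 per source within 15 minutes locks that key for 15 minutes), and uses a constructed PBKDF2 user store so the demo runs offline.

```python
from __future__ import annotations

import collections
import hashlib
import hmac

# Constructed user store. PBKDF2 with a fixed demo salt; a real store salts per user.
_DEMO_SALT = b"demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _DEMO_SALT, 20_000)


_USERS = {"alice": _hash("correct horse battery staple")}


def check_password(username: str, password: str) -> bool:
    candidate = _hash(password)          # always hash, so unknown users cost the same time
    stored = _USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, candidate)


def login_unrestricted(username: str, password: str) -> bool:
    """Bug shape: every guess is checked and nothing counts or slows the attempts."""
    return check_password(username, password)


class LoginThrottle:
    """Sliding-window failure counters per account and per source address.
    Assumed policy (not Lin-CMS-Flask's): 5 failures per account or 20 per
    source inside 15 minutes locks that key for 15 minutes."""

    def __init__(self, per_account: int = 5, per_source: int = 20,
                 window: float = 900.0, lock_seconds: float = 900.0) -> None:
        self.per_account, self.per_source = per_account, per_source
        self.window, self.lock_seconds = window, lock_seconds
        self._failures: dict[str, collections.deque] = collections.defaultdict(collections.deque)
        self._locked_until: dict[str, float] = {}

    def is_blocked(self, username: str, source: str, now: float) -> bool:
        return any(self._locked_until.get(k, 0.0) > now
                   for k in (f"user:{username}", f"ip:{source}"))

    def record_failure(self, username: str, source: str, now: float) -> None:
        for key, limit in ((f"user:{username}", self.per_account),
                           (f"ip:{source}", self.per_source)):
            window = self._failures[key]
            while window and window[0] <= now - self.window:
                window.popleft()             # drop failures older than the window
            window.append(now)
            if len(window) >= limit:
                self._locked_until[key] = now + self.lock_seconds

    def record_success(self, username: str, now: float) -> None:
        self._failures.pop(f"user:{username}", None)
        self._locked_until.pop(f"user:{username}", None)


def login_throttled(throttle: LoginThrottle, username: str, password: str,
                    source: str, now: float) -> str:
    """Returns 'locked', 'ok' or 'denied'; the throttle sees every failure."""
    if throttle.is_blocked(username, source, now):
        return "locked"                       # do not even evaluate the password
    if check_password(username, password):
        throttle.record_success(username, now)
        return "ok"
    throttle.record_failure(username, source, now)
    return "denied"
```

The per-source limit catches password spraying that the per-account limit misses, and the lock is deliberately temporary so that an attacker cannot turn the control into a denial of service against real users; pair it with logging of the locked keys so a SOC can see the campaign.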


New vulnerabilities from the NVD: CVE-2020-15955

In s/qmail through 4.0.07, an active MitM can inject arbitrary plaintext commands into a STARTTLS encrypted session between an SMTP client and s/qmail. This allows e-mail messages and user credentials to be sent to the MitM attacker.
Published at: August 17, 2021 at 09:15PM
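
The s/qmail entry (CVE-2020-15955) describes the classic STARTTLS plaintext-injection flaw: the server reads the client's STARTTLS command and whatever bytes follow it in the same segment into one buffer, negotiates TLS, and then keeps processing the leftover plaintext as though it had arrived inside the encrypted session. The simulation below is an added example, not s/qmail code; it models the server's read buffer and the TLS state with a flag so the effect can be observed offline, with constructed traffic for the man-in-the-middle and the real client.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SmtpServer:
    """Just enough of an SMTP command loop to show where the STARTTLS buffer bug lives."""
    discard_buffer_on_starttls: bool
    buffer: bytes = b""
    tls_active: bool = False
    handled: list = field(default_factory=list)   # (command line, handled after TLS was up)
    replies: list = field(default_factory=list)

    def receive(self, segment: bytes) -> None:
        """One call per read(): plaintext from the socket before STARTTLS,
        decrypted TLS record payload afterwards."""
        self.buffer += segment
        while b"\r\n" in self.buffer:
            line, _, self.buffer = self.buffer.partition(b"\r\n")
            self._dispatch(line.decode("ascii", "replace"))

    def _dispatch(self, line: str) -> None:
        if line.upper() == "STARTTLS":
            if self.tls_active:
                self.replies.append("454 TLS already active")
                return
            self.replies.append("220 Ready to start TLS")
            if self.discard_buffer_on_starttls:
                # Fix: anything already buffered arrived in the clear and must not
                # be carried across the upgrade as if the client had sent it under TLS.
                self.buffer = b""
            self.tls_active = True   # handshake modelled as instantaneous
            return
        self.handled.append((line, self.tls_active))
        self.replies.append("250 OK")


# Constructed traffic: the MitM appends a plaintext command to the client's STARTTLS
# segment, then the real client speaks inside TLS.
MITM_SEGMENT = b"STARTTLS\r\nMAIL FROM:<attacker@evil.example>\r\n"
CLIENT_TLS_PAYLOAD = b"MAIL FROM:<alice@example.com>\r\n"


def run(discard_buffer: bool) -> list:
    srv = SmtpServer(discard_buffer_on_starttls=discard_buffer)
    srv.receive(MITM_SEGMENT)        # arrives in plaintext, before the handshake
    srv.receive(CLIENT_TLS_PAYLOAD)  # arrives through the TLS layer
    return srv.handled


def commands_attributed_to_tls(handled: list) -> list:
    """Commands the server believes came through the encrypted channel."""
    return [cmd for cmd, under_tls in handled if under_tls]


if __name__ == "__main__":
    print("vulnerable:", commands_attributed_to_tls(run(False)))
    print("fixed:     ", commands_attributed_to_tls(run(True)))
```

The mirror-image bug exists on the client side, where buffered server replies are carried across the upgrade, and the remedy is identical: discard the buffer at the moment of the upgrade, and treat a STARTTLS line followed by further data in the same read as a protocol error rather than as pipelining.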


New vulnerabilities from the NVD: CVE-2020-18164

SQL Injection vulnerability exists in tp-shop 2.x-3.x via the /index.php/home/api/shop fBill parameter.
Published at: August 17, 2021 at 11:15PM


New vulnerabilities from the NVD: CVE-2020-13589

An exploitable SQL injection vulnerability exists in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. The entities_id parameter of the 'entities/fields' page (multiple_edit, copy_selected or export function) is vulnerable to authenticated SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability, either with administrator credentials or through cross-site request forgery.
Published at: August 17, 2021 at 11:15PM


New vulnerabilities from the NVD: CVE-2020-13588

An exploitable SQL injection vulnerability exists in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. The heading_field_id parameter of the 'entities/fields' page is vulnerable to authenticated SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability, either with administrator credentials or through cross-site request forgery.
Published at: August 17, 2021 at 11:15PM


New vulnerabilities from the NVD: CVE-2020-18746

SQL Injection in AiteCMS v1.0 allows remote attackers to execute arbitrary code via the component "aitecms/login/diy_list.php".
Published at: August 18, 2021 at 06:15PM


New vulnerabilities from the NVD: CVE-2020-28146

Cross Site Scripting (XSS) vulnerability exists in Eyoucms v1.4.7 and earlier via the addonfieldext parameter.
Published at: August 18, 2021 at 08:15PM


New vulnerabilities from the NVD: CVE-2020-23069

A path traversal vulnerability exists in webTareas 2.0 via the extpath parameter in general_serv.php, which could let a malicious user read arbitrary files.
Published at: August 18, 2021 at 08:15PM


New vulnerabilities from the NVD: CVE-2020-18875

Incorrect Access Control in DotCMS versions before 5.1 allows remote attackers to gain privileges by injecting client configurations via vtl (velocity) files.
Published at: August 18, 2021 at 08:15PM


New vulnerabilities from the NVD: CVE-2020-22124

A vulnerability in the \inc\config.php component of joyplus-cms v1.6 allows attackers to access sensitive information.
Published at: August 18, 2021 at 09:15PM


New vulnerabilities from the NVD: CVE-2020-22122

A SQL injection vulnerability in /oa.php?c=Staff&a=read of Find a Place LJCMS v1.3 allows attackers to access sensitive database information via a crafted POST request.
Published at: August 18, 2021 at 09:15PM


New vulnerabilities from the NVD: CVE-2020-22120

A remote code execution (RCE) vulnerability in /root/run/adm.php?admin-ediy&part=exdiy of imcat v5.1 allows authenticated attackers to execute arbitrary code.
Published at: August 18, 2021 at 09:15PM


New vulnerabilities from the NVD: CVE-2020-19669

Cross Site Request Forgery (CSRF) vulnerability exists in Eyoucms 1.3.6 that can add an admin account via /login.php?m=admin&c=Admin&a=admin_add&lang=cn.
Published at: August 18, 2021 at 10:15PM


New vulnerabilities from the NVD: CVE-2020-22345

/graphStatus/displayServiceStatus.php in Centreon 19.10.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the RRDdatabase_path parameter.
Published at: August 19, 2021 at 12:15AM


New vulnerabilities from the NVD: CVE-2020-18748

Cross Site Scripting (XSS) in Typora v0.9.65 allows attackers to execute arbitrary code via mathjax syntax due to a mathjax configuration error in the mathematical formula blocks. This is a different vulnerability from CVE-2020-18221.
Published at: August 19, 2021 at 07:15PM


New vulnerabilities from the NVD: CVE-2013-1837

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Published at: August 19, 2021 at 07:15PM


New vulnerabilities from the NVD: CVE-2013-1791

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2013. Notes: none.
Published at: August 19, 2021 at 07:15PM


New vulnerabilities from the NVD: CVE-2013-0344

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2013. Notes: none.
Published at: August 19, 2021 at 07:15PM


New vulnerabilities from the NVD: CVE-2020-20645

Cross Site Scripting (XSS) vulnerability exists in EyouCMS 1.3.6 in the basic_information area.
Published at: August 19, 2021 at 10:15PM


New vulnerabilities from the NVD: CVE-2020-20642

Cross Site Request Forgery (CSRF) vulnerability exists in EyouCMS 1.3.6 that can be used to create an .htm page containing attacker-supplied JavaScript via login.php?m=admin&c=Filemanager&a=newfile&lang=cn.
Published at: August 19, 2021 at 10:15PM
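
CVE-2020-19669 and CVE-2020-20642 (Eyoucms), and the CSRF route noted for the two Rukovoditel entries above, share one root cause: a state-changing admin action authenticated by nothing but the session cookie, which the victim's browser attaches to a cross-site request automatically. The Python below is an added example and not Eyoucms code. It models a minimal admin_add handler over a constructed session store and shows the synchronizer-token check (an HMAC bound to the session id, with an assumed key and an assumed site origin) together with the method and Origin checks that close the forged-GET case the Eyoucms URLs illustrate.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumptions: demo-only key and an assumed origin for the admin panel.
CSRF_KEY = b"demo-only-csrf-key"
SITE_ORIGIN = "https://cms.example"


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session; an attacker's page can neither read nor forge it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(CSRF_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    nonce, _, mac = token.partition(".")
    expected = hmac.new(CSRF_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


SESSIONS = {"sess-42": {"user": "admin", "role": "admin"}}  # constructed session store


def _admin_session(req: Request):
    return SESSIONS.get(req.cookies.get("session"))


def admin_add_vulnerable(req: Request, admins: set) -> int:
    """Bug shape: the session cookie is the only check, and browsers attach it
    to cross-site requests (GET links, auto-submitted forms) on their own."""
    sess = _admin_session(req)
    if sess is None or sess["role"] != "admin":
        return 403
    admins.add(req.form["username"])
    return 200


def admin_add_hardened(req: Request, admins: set) -> int:
    sess = _admin_session(req)
    if sess is None or sess["role"] != "admin":
        return 403
    if req.method != "POST":
        return 405                      # state changes never ride on GET
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403                      # cheap first filter; the token is the real control
    if not verify_csrf_token(req.cookies["session"], req.form.get("csrf_token", "")):
        return 403
    admins.add(req.form["username"])
    return 200


def forged_request() -> Request:
    """What the victim's browser sends when an attacker page auto-submits a form."""
    return Request("POST", cookies={"session": "sess-42"}, form={"username": "backdoor"},
                   headers={"Origin": "https://attacker.example"})


def legitimate_request() -> Request:
    """The admin UI embeds the token in the form, so it travels with the real request."""
    return Request("POST", cookies={"session": "sess-42"},
                   form={"username": "newadmin", "csrf_token": issue_csrf_token("sess-42")},
                   headers={"Origin": SITE_ORIGIN})
```

Marking the session cookie `SameSite=Lax` or `Strict` removes most of the cross-site cases at the browser, but the token check remains the control that does not depend on browser behaviour, and it must be tied to the session so a token obtained from the attacker's own account cannot be reused against the victim.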


New vulnerabilities from the NVD: CVE-2020-18900

A heap-based buffer overflow in the libexe_io_handle_read_coff_optional_header function of libyal libexe before 20181128 allows attackers to execute arbitrary code.
Published at: August 20, 2021 at 01:15AM


New vulnerabilities from the NVD: CVE-2020-18899

An uncontrolled memory allocation in the DataBuf data(subBox.length-sizeof(box)) allocation of Exiv2 0.27 allows attackers to cause a denial of service (DoS) via a crafted input.
Published at: August 20, 2021 at 01:15AM


New vulnerabilities from the NVD: CVE-2020-18898

A stack exhaustion issue in the printIFDStructure function of Exiv2 0.27 allows remote attackers to cause a denial of service (DoS) via a crafted file.
Published at: August 20, 2021 at 01:15AM


New vulnerabilities from the NVD: CVE-2020-18897

A use-after-free vulnerability in the libpff_item_tree_create_node function of libyal Libpff before 20180623 allows attackers to cause a denial of service (DoS) or execute arbitrary code via a crafted pff file.
Published at: August 20, 2021 at 01:15AM


New vulnerabilities from the NVD: CVE-2020-18886

Unrestricted File Upload in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the component 'admin/upload_file_do.php'.
Published at: August 20, 2021 at 05:15PM


New vulnerabilities from the NVD: CVE-2020-18885

Command Injection in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the "text color" field of the component '/admin/web_config.php'.
Published at: August 20, 2021 at 05:15PM
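
CVE-2020-22345 (Centreon, RRDdatabase_path) and CVE-2020-18885 (PHPMyWind, the "text color" field) are both OS command injection: a request parameter spliced into a command line that a shell then parses, so `;`, backticks and `$( )` in the value become commands. The Python below is an added example, not code from either project. It uses `cat` as a stand-in for the real tool (rrdtool in Centreon's case), assumes a POSIX shell, and contrasts `shell=True` with an argument vector plus an allowlisted, directory-pinned filename.

```python
import re
import subprocess
import tempfile
from pathlib import Path

SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.rrd$")   # assumed naming rule for RRD files


def read_rrd_vulnerable(rrd_path: str) -> str:
    """Bug shape: the request parameter is spliced into a shell command line.
    `cat` stands in for the real rrdtool invocation."""
    cp = subprocess.run(f"cat {rrd_path}", shell=True, capture_output=True, text=True)
    return cp.stdout


def read_rrd_no_shell(rrd_path: str) -> subprocess.CompletedProcess:
    """Same call as an argument vector: `;` and friends stay inside one argument."""
    return subprocess.run(["cat", rrd_path], capture_output=True, text=True)


def read_rrd_hardened(rrd_root, name: str) -> str:
    """Allowlist the name, pin it under the RRD directory, then exec without a shell."""
    if not SAFE_NAME.match(name):
        raise ValueError(f"rejected RRD name {name!r}")
    root = Path(rrd_root).resolve()
    target = (root / name).resolve()
    if target.parent != root:
        raise ValueError("RRD path escapes the data directory")
    cp = read_rrd_no_shell(str(target))
    cp.check_returncode()
    return cp.stdout


def demo() -> dict:
    """Runs the three variants against a constructed RRD directory and payload."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "cpu.rrd").write_text("rrd-bytes\n")
        payload = f"{d}/cpu.rrd; echo INJECTED"          # constructed attacker value
        out = {"vulnerable": read_rrd_vulnerable(payload)}
        cp = read_rrd_no_shell(payload)
        out["no_shell_rc"] = cp.returncode                # cat fails: no such file
        out["no_shell_stdout"] = cp.stdout
        try:
            read_rrd_hardened(d, "cpu.rrd; echo INJECTED")
            out["hardened_payload"] = "ALLOWED"
        except ValueError:
            out["hardened_payload"] = "rejected"
        out["hardened_legit"] = read_rrd_hardened(d, "cpu.rrd")
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")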


New vulnerabilities from the NVD: CVE-2020-18879

Unrestricted File Upload in Bludit v3.8.1 allows remote attackers to execute arbitrary code by uploading malicious files via the component 'bl-kereln/ajax/upload-logo.php'.
Published at: August 20, 2021 at 05:15PM


New vulnerabilities from the NVD: CVE-2020-18878

Directory Traversal in Skycaiji v1.3 allows remote attackers to obtain sensitive information via the component 'index.php?m=admin&c=Tool&a=log&file=D%3A%5CphpStudy%5CWWW%5Cindex.php'.
Published at: August 20, 2021 at 05:15PM
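
CVE-2020-23069 (webTareas, extpath) and CVE-2020-18878 (Skycaiji, the file= parameter) are the two faces of path traversal: the first is reached with `..` components, the second, as the example URL in the NVD text shows, with an outright absolute path that replaces the base directory. The Python below is an added example, not code from either project. It shows the unchecked join beside a confinement check that resolves the candidate path (following symlinks) and insists it stays under the intended directory, exercised against a constructed directory layout.

```python
import os
import tempfile
from pathlib import Path


def confine(root, requested: str) -> Path:
    """Resolve `requested` under `root` and refuse anything that leaves it."""
    root_real = Path(root).resolve()
    if "\x00" in requested or "\\" in requested or Path(requested).is_absolute():
        raise ValueError("absolute paths, backslashes and NUL are rejected")
    candidate = (root_real / requested).resolve()   # collapses '..' and follows symlinks
    if candidate != root_real and root_real not in candidate.parents:
        raise ValueError(f"{requested!r} escapes {root_real}")
    return candidate


def read_log_vulnerable(root, requested: str) -> str:
    """Bug shape: the parameter is joined to the base directory without checks;
    '..' components and an absolute path both escape."""
    return Path(root, requested).read_text()


def read_log_hardened(root, requested: str) -> str:
    return confine(root, requested).read_text()


def demo() -> dict:
    """Constructed layout: a log directory under www and a secret outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        logs = base / "www" / "logs"
        logs.mkdir(parents=True)
        (logs / "app.log").write_text("normal log line")
        (base / "secret.txt").write_text("db_password=hunter2")
        out = {"legit": read_log_hardened(logs, "app.log")}
        out["vuln_dotdot"] = read_log_vulnerable(logs, "../../secret.txt")
        out["vuln_absolute"] = read_log_vulnerable(logs, str(base / "secret.txt"))
        for key, req in (("safe_dotdot", "../../secret.txt"),
                         ("safe_absolute", str(base / "secret.txt"))):
            try:
                read_log_hardened(logs, req)
                out[key] = "ALLOWED"
            except ValueError:
                out[key] = "rejected"
        try:
            os.symlink(base / "secret.txt", logs / "link.log")
        except (OSError, NotImplementedError):
            out["safe_symlink"] = "skipped"     # platform without symlink support
        else:
            try:
                read_log_hardened(logs, "link.log")
                out["safe_symlink"] = "ALLOWED"
            except ValueError:
                out["safe_symlink"] = "rejected"
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Checking the raw string for `..` is not sufficient (encoded forms, `..\\` on Windows, symlinks already inside the directory); resolving the final path and comparing it against the resolved root is what catches all of them at once. The backslash rejection is defensive on POSIX, where it is a legal filename character, and required when the same code may run on Windows.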


New vulnerabilities from the NVD: CVE-2020-18877

SQL Injection in Wuzhi CMS v4.1.0 allows remote attackers to obtain sensitive information via the 'flag' parameter in the component '/coreframe/app/order/admin/index.php'.
Published at: August 20, 2021 at 05:15PM
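
Six entries in this digest are SQL injection in PHP CMS code (tp-shop's fBill, the two Rukovoditel parameters, AiteCMS, LJCMS and the Wuzhi CMS 'flag' parameter above), and the NVD text for several of them stops at "obtain sensitive information", which is exactly what a UNION query into the users table delivers. The Python below is an added example, not code from any of those projects. It uses an in-memory SQLite database with a constructed schema to show both a string-context and a numeric-context injection beside the parameterised queries that remove them.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed shop schema standing in for the order and user tables of the apps above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer TEXT, flag TEXT, total REAL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT);
        INSERT INTO orders VALUES (1, 'alice', 'paid', 19.99), (2, 'bob', 'open', 5.0);
        INSERT INTO users VALUES (1, 'admin', 'constructed-password-hash');
    """)
    return conn


def orders_by_flag_vulnerable(conn: sqlite3.Connection, flag: str) -> list:
    """String interpolation: the quote inside the parameter ends the literal."""
    return conn.execute(f"SELECT customer, total FROM orders WHERE flag = '{flag}'").fetchall()


def orders_by_flag_safe(conn: sqlite3.Connection, flag: str) -> list:
    """Bound parameter: the driver sends the value separately from the SQL text."""
    return conn.execute("SELECT customer, total FROM orders WHERE flag = ?", (flag,)).fetchall()


def order_by_id_vulnerable(conn: sqlite3.Connection, order_id: str) -> list:
    """Numeric context: there is no quote to escape, so 'OR 1=1' needs none."""
    return conn.execute(f"SELECT customer, total FROM orders WHERE id = {order_id}").fetchall()


def order_by_id_safe(conn: sqlite3.Connection, order_id: str) -> list:
    """Coerce to the expected type first; anything that is not an integer is rejected."""
    return conn.execute("SELECT customer, total FROM orders WHERE id = ?",
                        (int(order_id),)).fetchall()


# Constructed attacker values
UNION_PAYLOAD = "' UNION SELECT name, password_hash FROM users --"
TAUTOLOGY_PAYLOAD = "2 OR 1=1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", orders_by_flag_vulnerable(db, UNION_PAYLOAD))
    print("safe:      ", orders_by_flag_safe(db, UNION_PAYLOAD))
    print("numeric:   ", order_by_id_vulnerable(db, TAUTOLOGY_PAYLOAD))
```

The placeholder syntax differs by driver (`?` for sqlite3, `%s` for psycopg2 and MySQLdb, named parameters elsewhere), but the principle is the same everywhere: the SQL text is fixed at the time it is written and the user value never becomes part of it. Escaping functions such as `addslashes` are not a substitute, as the numeric case shows.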

