🛡 Cybersecurity & Privacy 🛡 - News
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2021-37144 ‼

CSZ CMS 1.2.9 is vulnerable to Arbitrary File Deletion. This occurs in PHP when the unlink() function is called and user input might affect portions of or the whole affected parameter, which represents the path of the file to remove, without sufficient sanitization.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-37743 ‼

app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-20787 ‼

Cross-site scripting vulnerability in GroupSession (GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0, GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0, and GroupSession ZION from ver3.0.3 to the version prior to ver5.1.0) allows a remote attacker to inject an arbitrary script by sending a specially crafted request to a specific URL.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-35478 ‼

Nagios Log Server before 2.1.9 contains Reflected XSS in the dropdown box for the alert history and audit log function. All parameters used for filtering are affected. This affects users who open a crafted link or third-party web page.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-37601 ‼

muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-37746 ‼

textview_uri_security_check in textview.c in Claws Mail before 3.18.0, and Sylpheed through 3.7.0, does not have sufficient link checks before accepting a click.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-37587 ‼

In Charm 0.43, any single user can decrypt DAC-MACS or MA-ABE-YJ14 data.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-36624 ‼

Sourcecodester Phone Shop Sales Managements System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-37606 ‼

Meow hash 0.5/calico does not sufficiently thwart key recovery by an attacker who can query whether there's a collision in the bottom bits of the hashes of two messages, as demonstrated by an attack against a long-running web service that allows the attacker to infer collisions by measuring timing differences.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-37600 ‼

An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-32558 ‼

An issue was discovered in Sangoma Asterisk 13.x before 13.38.3, 16.x before 16.19.1, 17.x before 17.9.4, and 18.x before 18.5.1, and Certified Asterisk before 16.8-cert10. If the IAX2 channel driver receives a packet that contains an unsupported media format, a crash can occur.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-35472 ‼

An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one of two different users.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-35479 ‼

Nagios Log Server before 2.1.9 contains Stored XSS in the custom column view for the alert history and audit log function through the affected pp parameter. This affects users who open a crafted link or third-party web page.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-34166 ‼

A SQL INJECTION vulnerability in Sourcecodester Simple Food Website 1.0 allows a remote attacker to Bypass Authentication and become Admin.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-37594 ‼

In FreeRDP before 2.4.0 on Windows, wf_cliprdr_server_file_contents_request in client/Windows/wf_cliprdr.c has missing input checks for a FILECONTENTS_SIZE File Contents Request PDU.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-32610 ‼

In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-36766 ‼

Concrete5 through 8.5.5 deserializes Untrusted Data. The vulnerable code is located within the controllers/single_page/dashboard/system/environment/logging.php Logging::update_logging() method. User input passed through the logFile request parameter is not properly sanitized before being used in a call to the file_exists() PHP function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection via phar:// stream wrapper), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-36004 ‼

Adobe InDesign version 16.0 (and earlier) is affected by an Out-of-bounds Write vulnerability in the CoolType library. An unauthenticated attacker could leverage this vulnerability to achieve remote code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-35458 ‼

Online Pet Shop We App 1.0 is vulnerable to Union SQL Injection in products.php (aka p=products) via the c or s parameter.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-37588 ‼

In Charm 0.43, any two users can collude to achieve the ability to decrypt YCT14 data.

📖 Read

via "National Vulnerability Database".
🦿 Cryptomining scams target Android app users 🦿

TechRepublic's Karen Roby interviews Lance Whitney about a recent report that detailed how cryptomining scams targeted Android app users and stole an estimated $350,000 from more than 93,000 people.

📖 Read

via "Tech Republic".