๐จ CVE-2021-20205
Libjpeg-turbo versions 2.0.91 and 2.0.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted GIF image.
๐@cveNotify
Libjpeg-turbo versions 2.0.91 and 2.0.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted GIF image.
๐@cveNotify
๐จ CVE-2021-28041
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
๐@cveNotify
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
๐@cveNotify
GitHub
upstream: factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own ยท openssh/openssh-portable@e04fd6d
function and remove an unused variable; ok dtucker@
OpenBSD-Commit-ID: e1a938657fbf7ef0ba5e73b30365734a0cc96559
OpenBSD-Commit-ID: e1a938657fbf7ef0ba5e73b30365734a0cc96559
๐จ CVE-2021-21068
Adobe Creative Cloud Desktop Application version 5.3 (and earlier) is affected by a file handling vulnerability that could allow an attacker to cause arbitrary file overwriting. Exploitation of this issue requires physical access and user interaction.
๐@cveNotify
Adobe Creative Cloud Desktop Application version 5.3 (and earlier) is affected by a file handling vulnerability that could allow an attacker to cause arbitrary file overwriting. Exploitation of this issue requires physical access and user interaction.
๐@cveNotify
Adobe
Adobe Security Bulletin
Security update available for Adobe Creative Cloud Desktop Application | APSB21-18
๐จ CVE-2021-28134
Clipper before 1.0.5 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal API.
๐@cveNotify
Clipper before 1.0.5 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal API.
๐@cveNotify
GitHub
Potential Command Execution vulnerabilities introduced by preload.js ยท Issue #13 ยท AkashRajpurohit/clipper
Hi, We found that preload.js introduces dangerous API openShellExternal for arbitrary access on unsafe renderer process. This may lead to remote command execution. We suggest that a URL check shoul...
๐จ CVE-2021-22697
A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists in the EcoStruxure Power Build - Rapsody software (V2.1.13 and prior) that could allow a use-after-free condition which could result in remote code execution when a malicious SSD file is uploaded and improperly parsed.
๐@cveNotify
A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists in the EcoStruxure Power Build - Rapsody software (V2.1.13 and prior) that could allow a use-after-free condition which could result in remote code execution when a malicious SSD file is uploaded and improperly parsed.
๐@cveNotify
Se
Security Notification - EcoStruxure Power Build - Rapsody | Schneider Electric
Download Security Notification - EcoStruxure Power Build - Rapsody Technical leaflet
๐จ CVE-2021-22698
A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists in the EcoStruxure Power Build - Rapsody software (V2.1.13 and prior) that could allow a stack-based buffer overflow to occur which could result in remote code execution when a malicious SSD file is uploaded and improperly parsed.
๐@cveNotify
A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists in the EcoStruxure Power Build - Rapsody software (V2.1.13 and prior) that could allow a stack-based buffer overflow to occur which could result in remote code execution when a malicious SSD file is uploaded and improperly parsed.
๐@cveNotify
Se
Security Notification - EcoStruxure Power Build - Rapsody | Schneider Electric
Download Security Notification - EcoStruxure Power Build - Rapsody Technical leaflet
๐จ CVE-2020-36280
Leptonica before 1.80.0 allows a heap-based buffer over-read in pixReadFromTiffStream, related to tiffio.c.
๐@cveNotify
Leptonica before 1.80.0 allows a heap-based buffer over-read in pixReadFromTiffStream, related to tiffio.c.
๐@cveNotify
๐จ CVE-2020-26238
Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them. In cron-utils before version 9.1.3, a template Injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched in version 9.1.3.
๐@cveNotify
Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them. In cron-utils before version 9.1.3, a template Injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched in version 9.1.3.
๐@cveNotify
GitHub
Update dependencies to fix security vulnerability. ยท jmrozanec/cron-utils@4cf373f
Cron utils for parsing, validations and human readable descriptions as well as date/time interoperability. - jmrozanec/cron-utils
๐จ CVE-2021-26776
CSZ CMS 1.2.9 is affected by a cross-site scripting (XSS) vulnerability in multiple pages through the field name.
๐@cveNotify
CSZ CMS 1.2.9 is affected by a cross-site scripting (XSS) vulnerability in multiple pages through the field name.
๐@cveNotify
GitHub
Multiple Stored XSS Cross-Site Scripting on CSZ CMS 1.2.9 ยท Issue #29 ยท cskaza/cszcms
Multiple Stored XSS Cross-Site Scripting on CSZ CMS 1.2.9 Login with editor account with rights to Forms Builder, XML Plugin Widgets, Statistic for link, Banner Manager, Carousel Widget, Pages Cont...
๐จ CVE-2019-18231
Advantech Spectre RT ERT351 Versions 5.1.3 and prior logins and passwords are transmitted in clear text form, which may allow an attacker to intercept the request.
๐@cveNotify
Advantech Spectre RT ERT351 Versions 5.1.3 and prior logins and passwords are transmitted in clear text form, which may allow an attacker to intercept the request.
๐@cveNotify
๐จ CVE-2019-18235
Advantech Spectre RT ERT351 Versions 5.1.3 and prior has insufficient login authentication parameters required for the web application may allow an attacker to gain full access using a brute-force password attack.
๐@cveNotify
Advantech Spectre RT ERT351 Versions 5.1.3 and prior has insufficient login authentication parameters required for the web application may allow an attacker to gain full access using a brute-force password attack.
๐@cveNotify
๐จ CVE-2021-20627
Cross-site scripting vulnerability in Address Book of Cybozu Office 10.0.0 to 10.8.4 allows remote attackers to inject an arbitrary script via unspecified vectors.
๐@cveNotify
Cross-site scripting vulnerability in Address Book of Cybozu Office 10.0.0 to 10.8.4 allows remote attackers to inject an arbitrary script via unspecified vectors.
๐@cveNotify
jvn.jp
JVN#45797538: Multiple vulnerabilities in Cybozu Office
Japan Vulnerability Notes
๐จ CVE-2021-20633
Improper access control vulnerability in Cabinet of Cybozu Office 10.0.0 to 10.8.4 allows authenticated attackers to bypass access restriction and obtain the date of Cabinet via unspecified vectors.
๐@cveNotify
Improper access control vulnerability in Cabinet of Cybozu Office 10.0.0 to 10.8.4 allows authenticated attackers to bypass access restriction and obtain the date of Cabinet via unspecified vectors.
๐@cveNotify
jvn.jp
JVN#45797538: Multiple vulnerabilities in Cybozu Office
Japan Vulnerability Notes
๐จ CVE-2021-20626
Improper access control vulnerability in Workflow of Cybozu Office 10.0.0 to 10.8.4 allows authenticated attackers to bypass access restriction and alter the data of Workflow via unspecified vectors.
๐@cveNotify
Improper access control vulnerability in Workflow of Cybozu Office 10.0.0 to 10.8.4 allows authenticated attackers to bypass access restriction and alter the data of Workflow via unspecified vectors.
๐@cveNotify
jvn.jp
JVN#45797538: Multiple vulnerabilities in Cybozu Office
Japan Vulnerability Notes
๐จ CVE-2021-20632
Improper access control vulnerability in Bulletin Board of Cybozu Office 10.0.0 to 10.8.4 allows authenticated attackers to bypass access restriction and obtain the data of Bulletin Board via unspecified vectors.
๐@cveNotify
Improper access control vulnerability in Bulletin Board of Cybozu Office 10.0.0 to 10.8.4 allows authenticated attackers to bypass access restriction and obtain the data of Bulletin Board via unspecified vectors.
๐@cveNotify
jvn.jp
JVN#45797538: Multiple vulnerabilities in Cybozu Office
Japan Vulnerability Notes
๐จ CVE-2021-20625
Improper access control vulnerability in Bulletin Board of Cybozu Office 10.0.0 to 10.8.4 allows an authenticated attacker to bypass access restriction and alter the data of Bulletin Board via unspecified vectors.
๐@cveNotify
Improper access control vulnerability in Bulletin Board of Cybozu Office 10.0.0 to 10.8.4 allows an authenticated attacker to bypass access restriction and alter the data of Bulletin Board via unspecified vectors.
๐@cveNotify
jvn.jp
JVN#45797538: Multiple vulnerabilities in Cybozu Office
Japan Vulnerability Notes
๐จ CVE-2021-20634
Improper access control vulnerability in Custom App of Cybozu Office 10.0.0 to 10.8.4 allows authenticated attackers to bypass access restriction and obtain the date of Custom App via unspecified vectors.
๐@cveNotify
Improper access control vulnerability in Custom App of Cybozu Office 10.0.0 to 10.8.4 allows authenticated attackers to bypass access restriction and obtain the date of Custom App via unspecified vectors.
๐@cveNotify
jvn.jp
JVN#45797538: Multiple vulnerabilities in Cybozu Office
Japan Vulnerability Notes
๐จ CVE-2021-20678
SQL injection vulnerability in the Paid Memberships Pro versions prior to 2.5.6 allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors.
๐@cveNotify
SQL injection vulnerability in the Paid Memberships Pro versions prior to 2.5.6 allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors.
๐@cveNotify
jvn.jp
JVN#08191557: WordPress plugin "Paid Memberships Pro" vulnerable to SQL injection
Japan Vulnerability Notes