π¨ CVE-2021-28653
The iOS and macOS apps before 1.4.1 for the Western Digital G-Technology ArmorLock NVMe SSD store keys insecurely. They choose a non-preferred storage mechanism if the device has Secure Enclave support but lacks biometric authentication hardware.
π@cveNotify
The iOS and macOS apps before 1.4.1 for the Western Digital G-Technology ArmorLock NVMe SSD store keys insecurely. They choose a non-preferred storage mechanism if the device has Secure Enclave support but lacks biometric authentication hardware.
π@cveNotify
Western Digital
WDC-21003 ArmorLock, Insecure Key Storage Vulnerability | Western Digital
Western Digital provides data storage solutions, including systems, HDD, Flash SSD, memory and personal data solutions to help customers capture and preserve their most valued data.
π¨ CVE-2021-25764
In JetBrains PhpStorm before 2020.3, source code could be added to debug logs.
π@cveNotify
In JetBrains PhpStorm before 2020.3, source code could be added to debug logs.
π@cveNotify
The JetBrains Blog
JetBrains Blog: The Drive to Develop
Developer Tools for Professionals and Teams
π¨ CVE-2021-27358
The snapshot feature in Grafana before 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
π@cveNotify
The snapshot feature in Grafana before 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
π@cveNotify
GitHub
grafana/CHANGELOG.md at master Β· grafana/grafana
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many mo...
π¨ CVE-2021-27221
** DISPUTED ** MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /export command. NOTE: the vendor's position is that this is intended behavior because of how user policies work.
π@cveNotify
** DISPUTED ** MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /export command. NOTE: the vendor's position is that this is intended behavior because of how user policies work.
π@cveNotify
Medium
RouterOS: User with just βftpβ policy can write to filesystem [CVE-2021β27221]
I think I found security issue in RouterOS from Mikrotik company. I reported it as SUP-41598 on 2021β02-15. After a bit arogantβ¦
π¨ CVE-2021-28109
TranzWare (POI) FIMI before 4.2.20.4.2 allows login_tw.php reflected Cross-Site Scripting (XSS).
π@cveNotify
TranzWare (POI) FIMI before 4.2.20.4.2 allows login_tw.php reflected Cross-Site Scripting (XSS).
π@cveNotify
Gist
CVE-2021-28109
GitHub Gist: instantly share code, notes, and snippets.
π¨ CVE-2021-27928
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.
π@cveNotify
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.
π@cveNotify
π¨ CVE-2021-3327
Ovation Dynamic Content 1.10.1 for Elementor allows XSS via the post_title parameter.
π@cveNotify
Ovation Dynamic Content 1.10.1 for Elementor allows XSS via the post_title parameter.
π@cveNotify
Gist
CVE-2021-3327
CVE-2021-3327. GitHub Gist: instantly share code, notes, and snippets.
π¨ CVE-2021-28126
index.jsp in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a Stored cross-site scripting (XSS) vulnerability
π@cveNotify
index.jsp in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a Stored cross-site scripting (XSS) vulnerability
π@cveNotify
Gist
Stored XSS in TranzWare e-Commerce Payment Gateway - CVE-2021-28126
Stored XSS in TranzWare e-Commerce Payment Gateway - CVE-2021-28126 - CVE-2021-28126
π¨ CVE-2020-6578
Zen Cart 1.5.6d allows reflected XSS via the main_page parameter to includes/templates/template_default/common/tpl_main_page.php or includes/templates/responsive_classic/common/tpl_main_page.php.
π@cveNotify
Zen Cart 1.5.6d allows reflected XSS via the main_page parameter to includes/templates/template_default/common/tpl_main_page.php or includes/templates/responsive_classic/common/tpl_main_page.php.
π@cveNotify
usd HeroLab
Security Advisories - usd HeroLab
Wir untersuchen die sich stΓ€ndig im Wandel befindlichen Angriffsszenarien und verΓΆffentlichen in diesem Zusammenhang eine Reihe von Security Advisories zu aktuellen Schwachstellen und Sicherheitsproblemen
π¨ CVE-2021-28110
/exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in its XML parser.
π@cveNotify
/exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in its XML parser.
π@cveNotify
Gist
XXE DoS in TranzWare e-Commerce Payment Gateway - CVE-2021-28110
XXE DoS in TranzWare e-Commerce Payment Gateway - CVE-2021-28110 - CVE-2021-28110
π¨ CVE-2020-6577
The IT-Recht Kanzlei plugin in Zen Cart 1.5.6c (German edition) allows itrk-api.php rechtstext_language SQL Injection.
π@cveNotify
The IT-Recht Kanzlei plugin in Zen Cart 1.5.6c (German edition) allows itrk-api.php rechtstext_language SQL Injection.
π@cveNotify
usd HeroLab
Security Advisories - usd HeroLab
Wir untersuchen die sich stΓ€ndig im Wandel befindlichen Angriffsszenarien und verΓΆffentlichen in diesem Zusammenhang eine Reihe von Security Advisories zu aktuellen Schwachstellen und Sicherheitsproblemen
π¨ CVE-2021-25290
An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.
π@cveNotify
An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.
π@cveNotify
Pillow (PIL Fork)
8.1.1 (2021-03-01)
Security: CVE-2021-25289: Correct the fix for CVE-2020-35654: The previous fix for CVE-2020-35654 was insufficient due to incorrect error checking in TiffDecode.c. CVE-2021-25290: Fix buffer overfl...
π¨ CVE-2021-25289
An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.
π@cveNotify
An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.
π@cveNotify
Pillow (PIL Fork)
8.1.1 (2021-03-01)
Security: CVE-2021-25289: Correct the fix for CVE-2020-35654: The previous fix for CVE-2020-35654 was insufficient due to incorrect error checking in TiffDecode.c. CVE-2021-25290: Fix buffer overfl...
π¨ CVE-2021-25292
An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.
π@cveNotify
An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.
π@cveNotify
π¨ CVE-2021-25293
An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.
π@cveNotify
An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.
π@cveNotify
π¨ CVE-2021-25291
An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.
π@cveNotify
An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.
π@cveNotify
π¨ CVE-2021-28122
A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. The WebUI component allows an unauthenticated user to use a crafted HTTP API request to create, read, update, or delete entries in the subscriber database. For example, new administrative users can be added. The issue occurs because Express is not set up to require authentication.
π@cveNotify
A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. The WebUI component allows an unauthenticated user to use a crafted HTTP API request to create, read, update, or delete entries in the subscriber database. For example, new administrative users can be added. The issue occurs because Express is not set up to require authentication.
π@cveNotify
GitHub
open5gs/open5gs
Open5GS is a C-language Open Source implementation for 5G Core and EPC, i.e. the core network of LTE/NR network (Release-16) - open5gs/open5gs
π¨ CVE-2021-28089
Tor before 0.4.5.7 allows a remote participant in the Tor directory protocol to exhaust CPU resources on a target, aka TROVE-2021-001.
π@cveNotify
Tor before 0.4.5.7 allows a remote participant in the Tor directory protocol to exhaust CPU resources on a target, aka TROVE-2021-001.
π@cveNotify
blog.torproject.org
New releases (with security fixes): Tor 0.3.5.14, 0.4.4.8, and 0.4.5.7 | Tor Project
We have a new stable release today. If you build Tor from source, you can download the source code for 0.4.5.7 on the download page. Packages should be available within the next several weeks, with a new Tor Browser coming next week. Also today, Tor 0.3.5.14β¦
π¨ CVE-2020-25097
An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings.
π@cveNotify
An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings.
π@cveNotify
π¨ CVE-2021-28831
decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.
π@cveNotify
decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.
π@cveNotify
π¨ CVE-2021-28090
Tor before 0.4.5.7 allows a remote attacker to cause Tor directory authorities to exit with an assertion failure, aka TROVE-2021-002.
π@cveNotify
Tor before 0.4.5.7 allows a remote attacker to cause Tor directory authorities to exit with an assertion failure, aka TROVE-2021-002.
π@cveNotify
blog.torproject.org
New releases (with security fixes): Tor 0.3.5.14, 0.4.4.8, and 0.4.5.7 | Tor Project
We have a new stable release today. If you build Tor from source, you can download the source code for 0.4.5.7 on the download page. Packages should be available within the next several weeks, with a new Tor Browser coming next week. Also today, Tor 0.3.5.14β¦