Weekly Vulnerabilities Reports > August 12 to 18, 2019

In OSIsoft PI Web API and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect.

An issue was discovered in 3S-Smart CODESYS V3 products.

wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers[1][1] parameter in conjunction with an exportfile=../ value.

All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by command injection vulnerability.

An elevation of privilege vulnerability exists when reparse points are created by sandboxed processes allowing sandbox escape, aka 'Windows NTFS Elevation of Privilege Vulnerability'.

The wp-ultimate-csv-importer plugin before 5.6.1 for WordPress has CSRF.

The wp-editor plugin before 1.2.6 for WordPress has CSRF.

The simple-membership plugin before 3.3.3 for WordPress has multiple CSRF issues.

The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit category feature.

The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit map feature.

The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit location feature.

The wp-database-backup plugin before 4.3.3 for WordPress has CSRF.

Nessus 8.5.2 and earlier on Windows platforms were found to contain an issue where certain system files could be overwritten arbitrarily, potentially creating a denial of service condition.

An issue was discovered in Dolibarr 11.0.0-alpha.

RIOT through 2019.07 contains a memory leak in the TCP implementation (gnrc_tcp), allowing an attacker to consume all memory available for network packets and thus effectively stopping all network threads from working.

parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles a short descriptor, leading to out-of-bounds memory access.

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc.

In Delta Industrial Automation DOPSoft, Version 4.00.06.15 and prior, processing a specially crafted project file may trigger a use-after-free vulnerability, which may allow information disclosure, remote code execution, or crash of the application.

In Delta Industrial Automation DOPSoft, Version 4.00.06.15 and prior, processing a specially crafted project file may trigger multiple out-of-bounds read vulnerabilities, which may allow information disclosure, remote code execution, or crash of the application.

A stack buffer overflow in the compute_codewords function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or execute arbitrary code by opening a crafted Ogg Vorbis file.

A heap buffer overflow in the start_decoder function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or execute arbitrary code by opening a crafted Ogg Vorbis file.

A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets, aka 'Windows DHCP Server Denial of Service Vulnerability'.

eQ-3 Homematic CCU2 outdated base software packages allows Denial of Service.

An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11.

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Windows Hyper-V Remote Code Execution Vulnerability'.

A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Hyper-V Remote Code Execution Vulnerability'.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'.

A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory, aka 'Microsoft Browser Memory Corruption Vulnerability'.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'.

The companion-auto-update plugin before 3.2.1 for WordPress has local file inclusion.

The invite-anyone plugin before 1.3.16 for WordPress has incorrect access control for email-based invitations.

The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL injection.

The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.

The i-recommend-this plugin before 3.7.3 for WordPress has SQL injection.

The note-press plugin before 0.1.2 for WordPress has SQL injection.

The olimometer plugin before 2.57 for WordPress has SQL injection.

The wp-business-intelligence-lite plugin before 1.6.3 for WordPress has SQL injection.

The visitors-online plugin before 0.4 for WordPress has SQL injection.

filemgr.php in Artica Integria IMS 5.0.86 allows index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload arbitrary file upload.

An issue was discovered in Zoho ManageEngine OpManager in builds before 14310.

drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.2.8 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.

HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes.

An issue was discovered in 3S-Smart CODESYS V3 products.

In ClickHouse before 18.10.3, unixODBC allowed loading arbitrary shared objects from the file system which led to a Remote Code Execution vulnerability.

Incorrect configuration in deb package in ClickHouse before 1.1.54131 could lead to unauthorized use of the database.

Incorrect Access Control in the LDAP class of GONICUS GOsa through 2019-04-11 allows an attacker to log into any account with a username containing the case-insensitive substring "success" when an arbitrary password is provided.

eQ-3 Homematic CCU2 prior to 2.47.10 and CCU3 prior to 3.47.10 JSON API has Improper Access Control for Interface.***Metadata related operations, resulting in the ability to read, set and deletion of Metadata.

eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration.

A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP server, aka 'Windows DHCP Server Remote Code Execution Vulnerability'.

An elevation of privilege exists in SyncController.dll, aka 'Microsoft Windows Elevation of Privilege Vulnerability'.

A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client, aka 'Windows DHCP Client Remote Code Execution Vulnerability'.

The all-in-one-wp-security-and-firewall plugin before 4.0.7 for WordPress has multiple SQL injection issues.

The all-in-one-wp-security-and-firewall plugin before 4.0.9 for WordPress has multiple SQL injection issues.

The all-in-one-wp-security-and-firewall plugin before 3.9.1 for WordPress has multiple SQL injection issues.

The ninja-forms plugin before 3.3.21.2 for WordPress has SQL injection in the search filter on the submissions page.

The simple-login-log plugin before 1.1.2 for WordPress has SQL injection.

The nextgen-gallery plugin before 2.1.57 for WordPress has SQL injection via a gallery name.

The wp-fastest-cache plugin before 0.8.4.9 for WordPress has SQL injection in wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request via the poll_id parameter.

The newstatpress plugin before 1.0.1 for WordPress has SQL injection.

The newstatpress plugin before 1.0.5 for WordPress has SQL injection related to an IMG element.

Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.

The wp-statistics plugin before 12.0.8 for WordPress has SQL injection.

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service.

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service.

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service.

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service.

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service.

eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because this interface can access the CMD_EXEC virtual device type 28.

The liveforms plugin before 3.2.0 for WordPress has SQL injection.

Search Guard versions before 24.0 had an issue that values of string arrays in documents are not properly anonymized.

An issue was discovered in imcat 4.9.

An issue was discovered in Frappe Framework 10 through 12 before 12.0.4.

extenua SilverSHielD 6.x fails to secure its ProgramData folder, leading to a Local Privilege Escalation to SYSTEM.

Realtek Waves MaxxAudio driver 1.6.2.0, as used on Dell laptops, installs with incorrect file permissions.

An elevation of privilege vulnerability exists in the way that the Windows kernel image handles objects in memory.An attacker who successfully exploited the vulnerability could execute code with elevated permissions.To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.The security update addresses the vulnerability by ensuring the Windows kernel image properly handles objects in memory., aka 'Windows Image Elevation of Privilege Vulnerability'.

An elevation of privilege vulnerability exists when Windows Core Shell COM Server Registrar improperly handles COM calls, aka 'Windows Elevation of Privilege Vulnerability'.

An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory, aka 'DirectX Elevation of Privilege Vulnerability'.

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.To exploit this vulnerability, an attacker would first have to log on to the system, aka 'Microsoft Windows p2pimsvc Elevation of Privilege Vulnerability'.

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'.

An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC).An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system, aka 'Windows ALPC Elevation of Privilege Vulnerability'.

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'.

ALTOOLS update service 18.1 and earlier versions contains a local privilege escalation vulnerability due to insecure permission.

NVIDIA Shield TV Experience prior to v8.0, contains a vulnerability in the custom NVIDIA API used in the mount system service where user data could be overridden, which may lead to code execution, denial of service, or information disclosure.

An out-of-bounds read of a global buffer in the draw_line function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file.

Use of uninitialized stack variables in the start_decoder function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file.

Clickjack vulnerability in Adminstrator web console in McAfee Web Gateway (MWG) 7.8.2.x prior to 7.8.2.12 allows remote attackers to conduct clickjacking attacks via a crafted web page that contains an iframe via does not send an X-Frame-Options HTTP header.

Artifex MuPDF before 1.16.0 has a heap-based buffer over-read in fz_chartorune in fitz/string.c because pdf/pdf-op-filter.c does not check for a missing string.

Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and sub-folders.

coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that is mishandled in ReadImage in MagickCore/constitute.c.

The peters-login-redirect plugin before 2.9.2 for WordPress has CSRF.

The formcraft-form-builder plugin before 1.2.2 for WordPress has CSRF.

The companion-sitemap-generator plugin before 3.7.0 for WordPress has CSRF.

The js-jobs plugin before 1.0.7 for WordPress has CSRF.

The companion-auto-update plugin before 3.2.1 for WordPress has CSRF.

The church-admin plugin before 1.2550 for WordPress has CSRF affecting the upload of a bible reading plan.

The nelio-ab-testing plugin before 4.6.4 for WordPress has CSRF in experiment forms.

The jayj-quicktag plugin before 1.3.2 for WordPress has CSRF.

The invite-anyone plugin before 1.3.16 for WordPress has admin-panel CSRF.

The erident-custom-login-and-dashboard plugin before 3.5 for WordPress has CSRF.

Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain a USE AFTER FREE CWE-416.

Yes24ViewerX ActiveX Control 1.0.327.50126 and earlier versions contains a vulnerability that could allow remote attackers to download and execute arbitrary files by setting the arguments to the ActiveX method.

In ClickHouse before 1.1.54388, "remote" table function allowed arbitrary symbols in "user", "password" and "default_database" fields which led to Cross Protocol Request Forgery Attacks.

An issue was discovered in in TortoiseSVN 1.12.1.

An issue was discovered in the svg-vector-icon-plugin (aka WP SVG Icons) plugin through 3.2.1 for WordPress.

A denial of service vulnerability exists when Windows improperly handles objects in memory, aka 'Windows Denial of Service Vulnerability'.

It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests.

An issue was discovered in Bento4 1.5.1.0.

An issue was discovered in Bento4 1.5.1.0.

An issue was discovered in Bento4 1.5.1.0.

An issue was discovered in Bento4 1.5.1.0.

The wp-ultimate-exporter plugin before 1.4.2 for WordPress has CSRF.

The responsive-menu plugin before 3.1.4 for WordPress has no CSRF protection mechanism for the admin interface.

The newsletter-by-supsystic plugin before 1.1.8 for WordPress has CSRF.

The custom-sidebars plugin before 3.0.8.1 for WordPress has CSRF.

The custom-sidebars plugin before 3.1.0 for WordPress has CSRF related to set location, import actions, and export actions.

The google-document-embedder plugin before 2.6.2 for WordPress has CSRF.

The simple-fields plugin before 1.2 for WordPress has CSRF in the admin interface.

Adobe After Effects versions 16 and earlier have an insecure library loading (dll hijacking) vulnerability.

Adobe Prelude CC versions 8.1 and earlier have an insecure library loading (dll hijacking) vulnerability.

Adobe Premiere Pro CC versions 13.1.2 and earlier have an insecure library loading (dll hijacking) vulnerability.

Adobe Character Animator versions 2.1 and earlier have an insecure library loading (dll hijacking) vulnerability.

Huawei mobile phones Hima-AL00Bhave with Versions earlier than HMA-AL00C00B175 have a signature verification bypass vulnerability.

PCManager 9.1.3.1 has an improper authentication vulnerability.

The web server component of TIBCO Software Inc.'s TIBCO LogLogic Enterprise Virtual Appliance, and TIBCO LogLogic Log Management Intelligence contains multiple vulnerabilities that theoretically allow persistent and reflected cross-site scripting (XSS) attacks, as well as cross-site request forgery (CSRF) attacks.

eQ-3 Homematic CCU2 and CCU3 with the XML-API through 1.2.0 AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because the undocumented addons/xmlapi/exec.cgi script uses CMD_EXEC to execute TCL code from a POST request.

Alzip 10.83 and earlier version contains a stack-based buffer overflow vulnerability, caused by improper bounds checking during the parsing of crafted ISO archive file format.

UniSign 2.0.4.0 and earlier version contains a stack-based buffer overflow vulnerability which can overwrite the stack with arbitrary data, due to a buffer overflow in a library.

The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF.

The twitter-cards-meta plugin before 2.5.0 for WordPress has CSRF.

The wp-database-backup plugin before 4.3.1 for WordPress has CSRF.

Privilege Escalation vulnerability in McAfee FRP 5.x prior to 5.1.0.209 allows local users to gain elevated privileges via running McAfee Tray with elevated privileges.

An elevation of privilege vulnerability exists when the MpSigStub.exe for Defender allows file deletion in arbitrary locations.To exploit the vulnerability, an attacker would first have to log on to the system, aka 'Microsoft Defender Elevation of Privilege Vulnerability'.

WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF.

The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than CVE-2019-11472.

In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero.

EyesOfNetwork 5.1 allows Remote Command Execution via shell metacharacters in the module/tool_all/ host field.

The Rank Math SEO plugin 1.0.27 for WordPress allows non-admin users to reset the settings via the wp-admin/admin-post.php reset-cmb parameter.

The profile photo upload feature in Leaf Admin 61.9.0212.10 f allows Unrestricted Upload of a File with a Dangerous Type.

An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens, aka 'Azure Active Directory Authentication Library Elevation of Privilege Vulnerability'.

An elevation of privilege vulnerability exists in Dynamics On-Premise v9, aka 'Dynamics On-Premise Elevation of Privilege Vulnerability'.

Exfiltration of Data in McAfee Web Gateway (MWG) 7.8.2.x prior to 7.8.2.12 allows attackers to obtain sensitive data via crafting a complex webpage that will trigger the Web Gateway to block the user accessing an iframe.

SAP Kernel (ABAP Debugger), versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.49, 7.53, 7.73, 7.75, 7.76, 7.77, allows a user to execute “Go to statement” without possessing the authorization S_DEVELOP DEBUG 02, resulting in Missing Authorization Check

A remote code execution vulnerability exists in the SAP NetWeaver UDDI Server (Services Registry), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50.

SAP Commerce Cloud (Mediaconversion Extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, allows an authenticated Backoffice/HMC user to inject code that can be executed by the application, leading to Code Injection.

_TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10 mishandle Integer Overflow checks because they rely on compiler behavior that is undefined by the applicable C standards.

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service.

In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.

An issue was discovered in Frappe Framework 10 through 12 before 12.0.4.

eQ-3 Homematic CCU3 AddOn 'Mediola NEO Server for Homematic CCU3' prior to 2.4.5 allows uncontrolled admin access to start or stop the Node.js process, resulting in the ability to obtain mediola configuration details.

eQ-3 Homematic CCU2 and CCU3 obtain session IDs without login.

An issue was discovered in 20|20 Storage 2.11.0.

Lansweeper before 7.1.117.4 allows unauthenticated SQL injection.

The Custom 404 Pro plugin 3.2.8 for WordPress has XSS via the wp-admin/admin.php?page=c4p-main page parameter.

The all-in-one-wp-security-and-firewall plugin before 4.0.6 for WordPress has XSS in settings pages.

The wp-live-chat-support plugin before 7.1.05 for WordPress has XSS.

The simple-fields plugin before 1.4.11 for WordPress has XSS.

The events-manager plugin before 5.6 for WordPress has XSS.

The ultimate-member plugin before 2.0.4 for WordPress has XSS.

The simple-membership plugin before 3.5.7 for WordPress has XSS.

The ultimate-member plugin before 1.3.40 for WordPress has XSS on the login form.

The ultimate-member plugin before 1.3.18 for WordPress has XSS via text input.

The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR page.

The wp-database-backup plugin before 5.1.2 for WordPress has XSS.

The wp-live-chat-support plugin before 7.1.03 for WordPress has XSS.

The wp-live-chat-support plugin before 6.2.02 for WordPress has XSS.

The wp-google-map-plugin plugin before 3.1.2 for WordPress has XSS.

The wp-database-backup plugin before 4.3.1 for WordPress has XSS.

The wp-database-backup plugin before 4.3.3 for WordPress has XSS.

The wp-ultimate-csv-importer plugin before 3.8.1 for WordPress has XSS.

The wp-google-map-plugin plugin before 2.3.7 for WordPress has XSS related to the add_query_arg() and remove_query_arg() functions.

REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php.

The "HTML Include and replace macro" plugin before 1.5.0 for Confluence Server allows a bypass of the includeScripts=false XSS protection mechanism via vectors involving an IFRAME element.

An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter.

The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when Brainpool curves are used.

lib/install/install.go in cnlh nps through 0.23.2 uses 0777 permissions for /usr/local/bin/nps and/or /usr/bin/nps, leading to a file overwrite by a local user.

An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03.

The simple-add-pages-or-posts plugin before 1.7 for WordPress has CSRF for deleting users.

The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has a TLS certificate verification vulnerability.

The mAadhaar application 1.2.7 for Android lacks SSL Certificate Validation, leading to man-in-the-middle attacks against requests for FAQs or Help.

DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h.

In DjVuLibre 3.5.27, the sorting functionality (aka GArrayTemplate<TYPE>::sort) allows attackers to cause a denial-of-service (application crash due to an Uncontrolled Recursion) by crafting a PBM image file that is mishandled in libdjvu/GContainer.h.

In DjVuLibre 3.5.27, the bitmap reader component allows attackers to cause a denial-of-service error (resource exhaustion caused by a GBitmap::read_rle_raw infinite loop) by crafting a corrupted image file, related to libdjvu/DjVmDir.cpp and libdjvu/GBitmap.cpp.

In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows attackers to cause a denial-of-service (application crash in GStringRep::strdup in libdjvu/GString.cpp caused by a heap-based buffer over-read) by crafting a DJVU file.

check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion.

A reachable assertion in the lookup1_values function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file.

A NULL pointer dereference in the get_window function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file.

Division by zero in the predict_point function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file.

A vulnerability was found in Linux kernel's, versions up to 3.10, implementation of overlayfs.

A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'.

A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'.

A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'.

A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'.

A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'.

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures.

The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to Missing XML Validation vulnerability.

The Kunena extension before 5.1.14 for Joomla! allows XSS via BBCode.

Prospecta Master Data Online (MDO) 2.0 has Stored XSS.

Evolution CMS 2.0.x allows XSS via a description and new category location in a template.

All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by cross-site scripting vulnerability (XSS).

The woocommerce-product-addon plugin before 18.4 for WordPress has XSS via an import of a new meta data structure.

Search Guard versions before 24.0 had an issue that field caps and mapping API leak field names (but not values) for fields which are not allowed for the user when field level security (FLS) is activated.

The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to access all candidates' files in the photo folder on the website by specifying a "user id" parameter and file name, such as in a recruitment_online/upload/user/[user_id]/photo/[file_name] URI.

The Access Control plugin in eProsima Fast RTPS through 1.9.0 allows fnmatch pattern matches with topic name strings (instead of the permission expressions themselves), which can lead to unintended connections between participants in a Data Distribution Service (DDS) network.

The Access Control plugin in eProsima Fast RTPS through 1.9.0 does not check partition permissions from remote participant connections, which can lead to policy bypass for a secure Data Distribution Service (DDS) partition.

The handshake protocol in Object Management Group (OMG) DDS Security 1.1 sends cleartext information about all of the capabilities of a participant (including capabilities inapplicable to the current session), which makes it easier for attackers to discover potentially sensitive reachability information on a Data Distribution Service (DDS) network.

Zabbix through 4.4.0alpha1 allows User Enumeration.

The invite-anyone plugin before 1.3.16 for WordPress has incorrect escaping of untrusted Dashboard and front-end input.

Creative Cloud Desktop Application 4.6.1 and earlier versions have an insecure transmission of sensitive data vulnerability.

Creative Cloud Desktop Application versions 4.6.1 and earlier have a security bypass vulnerability.

In ClickHouse before 18.12.13, functions for loading CatBoost models allowed path traversal and reading arbitrary files through error messages.

ClickHouse MySQL client before versions 1.1.54390 had "LOAD DATA LOCAL INFILE" functionality enabled that allowed a malicious MySQL database read arbitrary files from the connected ClickHouse server.

The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows guests to obtain the email subscription list in CSV format via the wp-admin/admin-post.php?page=fvplayer&fv-email-export=1 URI.

An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory, aka 'Remote Desktop Protocol Server Information Disclosure Vulnerability'.

An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory, aka 'Remote Desktop Protocol Server Information Disclosure Vulnerability'.

A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests, aka 'Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability'.

A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server, aka 'Windows DHCP Server Denial of Service Vulnerability'.

A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input, aka 'XmlLite Runtime Denial of Service Vulnerability'.

Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989.

A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted XML file and trick the application server into leaking authentication credentials for its own SAP Management console, resulting in Server-Side Request Forgery.

During an OData V2/V4 request in SAP Gateway, versions 750, 751, 752, 753, the HTTP Header attributes cache-control and pragma were not properly set, allowing an attacker to access restricted information, resulting in Information Disclosure.

Under certain conditions, SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, allows an attacker to access sensitive data such as directory structure, leading to Information Disclosure.

handle_messages in eXtl_tls.c in eXosip before 5.0.0 mishandles a negative value in a content-length header.

In Joomla! before 3.9.11, inadequate checks in com_contact could allow mail submission in disabled forms.

A vulnerability has been identified in SIMATIC Drive Controller family (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl.

A vulnerability has been identified in SCALANCE X-200 switch family (incl.

Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.

The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability.

Search Guard versions before 23.1 had an issue that for aggregations clear text values of anonymised fields were leaked.

The Telenav Scout GPS Link app 1.x for iOS, as used with Toyota and Lexus vehicles, has an incorrect protection mechanism against brute-force attacks on the authentication process, which makes it easier for attackers to obtain multimedia-screen access via port 7050 on the cellular network, as demonstrated by a DrivingRestriction method call to uma/jsonrpc/mobile.

The Recruitment module in Humanica Humatrix 7 1.0.0.681 and 1.0.0.203 allows remote attackers to access all candidates' information on the website via a modified selApp variable to personalData/resumeDetail.cfm.

When creating a module in SAP BusinessObjects Business Intelligence Platform (BI Workspace), versions 4.1, 4.2, 4.3, it is possible to store a malicious script which when executed later could potentially allow a user to escalate privileges via session hijacking.

An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457.

OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of the Categories, Product, and Information pages.

The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation.

drivers/net/wireless/ath/ath6kl/usb.c in the Linux kernel through 5.2.9 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.

An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12.

An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'.

An elevation of privilege vulnerability exists due to a stack corruption in Windows Subsystem for Linux, aka 'Windows Subsystem for Linux Elevation of Privilege Vulnerability'.

An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'.

An elevation of privilege vulnerability exists in the way that the unistore.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'.

An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'.

An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'.

An elevation of privilege vulnerability exists in the way that the psmsrv.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'.

An elevation of privilege vulnerability exists in the way that the PsmServiceExtHost.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'.

An elevation of privilege vulnerability exists in the way that the PsmServiceExtHost.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'.

A vulnerability has been identified in SCALANCE SC-600 (V2.0).

3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link.

GoPro GPMF-parser 1.2.2 has an out-of-bounds write in OpenMP4Source in demo/GPMF_mp4reader.c.

GoPro GPMF-parser 1.2.2 has an out-of-bounds read and SEGV in GPMF_Next in GPMF_parser.c.

GoPro GPMF-parser 1.2.2 has a heap-based buffer over-read (4 bytes) in GPMF_Next in GPMF_parser.c.

The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging.

The zendesk-help-center plugin before 1.0.5 for WordPress has multiple XSS issues.

The xo-security plugin before 1.5.3 for WordPress has XSS.

DWSurvey through 2019-07-22 has reflected XSS via the design/qu-multi-fillblank!answers.action surveyId parameter.

Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain an INFORMATION EXPOSURE CWE-200.

The read_chunk function in flif-dec.cpp in Free Lossless Image Format (FLIF) 0.3 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted flif file.

The "CP Contact Form with PayPal" plugin before 1.2.98 for WordPress has XSS in CSS edition.

The limb-gallery (aka Limb Gallery) plugin 1.4.0 for WordPress has XSS via the wp-admin/admin-ajax.php?action=grsGalleryAjax&grsAction=shortcode task parameter,

XSS exists in WEB STUDIO Ultimate Loan Manager 2.0 by adding a branch under the Branches button that sets the notes parameter with crafted JavaScript code.

An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the formatting of the messages, aka 'Microsoft Outlook Elevation of Privilege Vulnerability'.

A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins, aka 'Microsoft Browsers Security Feature Bypass Vulnerability'.

An information disclosure vulnerability exists in Azure Active Directory (AAD) Microsoft Account (MSA) during the login request session, aka 'Windows Information Disclosure Vulnerability'.

A security feature bypass exists when Windows incorrectly validates CAB file signatures, aka 'Windows File Signature Security Feature Bypass Vulnerability'.

An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory, aka 'Microsoft Edge Information Disclosure Vulnerability'.

SolarWinds Database Performance Analyzer 11.1.457 contains an instance of Reflected XSS in its idcStateError component, where the page parameter is reflected into the HREF of the 'Try Again' Button on the page, aka a /iwc/idcStateError.iwc?page= URI.

SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS.

The google-document-embedder plugin before 2.6.2 for WordPress has XSS.

The google-document-embedder plugin before 2.6.1 for WordPress has XSS.

The newstatpress plugin before 1.0.4 for WordPress has XSS related to the Referer header.

The newstatpress plugin before 1.0.5 for WordPress has XSS related to an IMG element.

The newstatpress plugin before 1.0.6 for WordPress has reflected XSS.

Java Proxy Runtime of SAP NetWeaver Process Integration, versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs and allows an attacker to execute malicious scripts in the url thereby resulting in Reflected Cross-Site Scripting (XSS) vulnerability

Under certain conditions SAP BusinessObjects Business Intelligence Platform (Central Management Console), versions 4.1, 4.2, 4.3, allows an attacker to store a malicious payload within the description field of a user account.

SAP BusinessObjects Business Intelligence Platform (Info View), versions 4.1, 4.2, 4.3, allows an attacker to give some payload for keyword in the search and it will be executed while search performs its action, resulting in Cross-Site Scripting (XSS) vulnerability.

A vulnerability has been identified in SIMATIC CP 1626 (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl.

The Backup Guard plugin before 1.1.47 for WordPress has multiple XSS issues.

The adsense-plugin (aka Google AdSense) plugin before 1.44 for WordPress has multiple XSS issues.

The all-in-one-wp-security-and-firewall plugin before 4.2.0 for WordPress has multiple XSS issues.

The contact-form-to-email plugin before 1.2.66 for WordPress has XSS.

The simple-job-board plugin before 2.4.4 for WordPress has reflected XSS via keyword search.

The liveforms plugin before 3.4.0 for WordPress has XSS.

The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues.

The gravity-forms-sms-notifications plugin before 2.4.0 for WordPress has XSS.

The custom-search-plugin plugin before 1.36 for WordPress has multiple XSS issues.

The custom-admin-page plugin before 0.1.2 for WordPress has multiple XSS issues.

The contact-form-to-db plugin before 1.5.7 for WordPress has multiple XSS issues.

The contact-form-plugin plugin before 4.0.6 for WordPress has multiple XSS issues.

The contact-form-multi plugin before 1.2.1 for WordPress has multiple XSS issues.

The contact-form-7-sms-addon plugin before 2.4.0 for WordPress has XSS.

The mailchimp-for-wp plugin before 4.0.11 for WordPress has XSS on the integration settings page.

The google-language-translator plugin before 5.0.06 for WordPress has XSS.

The contact-form-plugin plugin before 4.0.2 for WordPress has XSS.

The all-in-one-wp-security-and-firewall plugin before 4.0.5 for WordPress has XSS in the blacklist, file system, and file change detection settings pages.

The events-manager plugin before 5.5.7 for WordPress has multiple XSS issues.

The events-manager plugin before 5.5.7.1 for WordPress has DOM XSS.

The download-monitor plugin before 1.7.1 for WordPress has XSS related to add_query_arg.

The contact-form-plugin plugin before 3.96 for WordPress has XSS.

The all-in-one-wp-security-and-firewall plugin before 3.9.5 for WordPress has XSS in add_query_arg and remove_query_arg function instances.

The all-in-one-wp-security-and-firewall plugin before 3.9.8 for WordPress has XSS in the unlock request feature.

The contact-form-plugin plugin before 3.52 for WordPress has XSS.

The job-manager plugin before 0.7.19 for WordPress has multiple XSS issues.

Search Guard versions before 21.0 had an timing side channel issue when using the internal user database.

In Exiv2 before v0.27.2, there is an integer overflow vulnerability in the WebPImage::getHeaderOffset function in webpimage.cpp.

In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in the MeanShiftImage function.

iCMS 7.0.15 allows admincp.php?app=apps XSS via the keywords parameter.

An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12.

The woocommerce-jetpack plugin before 3.8.0 for WordPress has XSS in the Products Per Page feature.

The twitter-plugin plugin before 2.55 for WordPress has XSS.

The twitter-cards-meta plugin before 2.5.0 for WordPress has XSS.

The subscriber plugin before 1.3.5 for WordPress has multiple XSS issues.

The social-login-bws plugin before 0.2 for WordPress has multiple XSS issues.

The social-buttons-pack plugin before 1.1.1 for WordPress has multiple XSS issues.

The simple-share-buttons-adder plugin before 6.0.0 for WordPress has XSS.

The woocommerce-pdf-invoices-packing-slips plugin before 2.0.13 for WordPress has XSS via the tab or section variable on settings screens.

The wp-editor plugin before 1.2.6.3 for WordPress has multiple XSS issues.

OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information.

Arista CloudVision Portal through 2018.1.1 has Incorrect Permissions.

SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.1, 4.2, can access database with unencrypted connection, even if the quality of protection should be encrypted.

Unencrypted communication error in SAP Business Objects Business Intelligence Platform (Central Management Console), version 4.2, leads to disclosure of list of user names and roles imported from SAP NetWeaver BI systems, resulting in Information Disclosure.

The session cookie used by SAP Enable Now, version 1902, does not have the HttpOnly flag set.

In some situations, when a client cancels a query in SAP BusinessObjects Business Intelligence Platform (Web Intelligence), versions 4.2, 4.3, the attacker can then query and receive the whole data set instead of just what is part of their authorized security profile, resulting in Information Disclosure.

A vulnerability has been identified in SCALANCE SC-600 (V2.0), SCALANCE XB-200 (V4.1), SCALANCE XC-200 (V4.1), SCALANCE XF-200BA (V4.1), SCALANCE XP-200 (V4.1), SCALANCE XR-300WG (V4.1).

In Storage Performance Development Kit (SPDK) before 19.07, a user of a vhost can cause a crash if the target is sent invalid input.

An elevation of privilege vulnerability exists in Git for Visual Studio when it improperly parses configuration files, aka 'Git for Visual Studio Elevation of Privilege Vulnerability'.

An information disclosure vulnerability exists in the way Microsoft SharePoint handles session objects, aka 'Microsoft SharePoint Information Disclosure Vulnerability'.

CMS Clipper 1.3.3 has XSS in the Security tab search, User Groups, Resource Groups, and User/Resource Group Links fields.

The toggle-the-title (aka Toggle The Title) plugin 1.4 for WordPress has XSS via the wp-admin/admin-ajax.php?action=update_title_options isAutoSaveValveChecked or isDisableAllPagesValveChecked parameter.

A spoofing vulnerability exists in the way Microsoft Outlook iOS software parses specifically crafted email messages, aka 'Outlook iOS Spoofing Vulnerability'.

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'.

Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users are always authorized on the local cluster ignoring their roles on the remote cluster(s).

Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users can gain read access to data they are not authorized to see.

Adive Framework through 2.0.7 is affected by XSS in the Create New Table and Create New Navigation Link functions.

The ultimate-member plugin before 2.0.52 for WordPress has XSS during an account upgrade.

The ultimate-member plugin before 2.0.52 for WordPress has XSS related to UM Roles create and edit operations.

The ultimate-member plugin before 2.0.54 for WordPress has XSS.

Fuji Electric FRENIC Loader 3.5.0.0 and prior is vulnerable to an out-of-bounds read vulnerability, which may allow an attacker to read limited information from the device.

Arista EOS through 4.21.0F allows a crash because 802.1x authentication is mishandled.

On BC Vault devices, a side channel for the row-based SSD1309 OLED display was found.

xtrlock through 2.10 does not block multitouch events.

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka 'Windows Kernel Information Disclosure Vulnerability'.

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka 'Windows Kernel Information Disclosure Vulnerability'.

An information disclosure vulnerability exists in SymCrypt during the OAEP decryption stage, aka 'SymCrypt Information Disclosure Vulnerability'.

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows Graphics Component Information Disclosure Vulnerability'.

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows Graphics Component Information Disclosure Vulnerability'.

An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory, aka 'Microsoft Graphics Component Information Disclosure Vulnerability'.

An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory, aka 'Microsoft Graphics Component Information Disclosure Vulnerability'.

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows Graphics Component Information Disclosure Vulnerability'.

An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory, aka 'Microsoft Graphics Component Information Disclosure Vulnerability'.

An issue was discovered in the mysql (aka mysqljs) module 2.17.1 for Node.js.