Weekly Vulnerabilities Reports > August 26 to September 1, 2019

A sandbox bypass vulnerability in Jenkins Splunk Plugin 1.7.4 and earlier allowed attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

D-link DIR-825AC G1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

D-link DIR-825AC G1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

D-link DIR-825AC G1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, ios versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG100) via http://[target]/smarthome/devicecontrol without any authentication.

IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.

An issue was discovered in the openssl crate before 0.9.0 for Rust.

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility.

A vulnerability in the Network Time Protocol (NTP) feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

An integer overflow in whoopsie before versions 0.2.52.5ubuntu0.1, 0.2.62ubuntu0.1, 0.2.64ubuntu0.1, 0.2.66, results in an out-of-bounds write to a heap allocated buffer when processing large crash dumps.

libZetta.rs through 0.1.2 has an integer overflow in the zpool parser (for error stats) that leads to a panic.

In GNU Chess 6.2.5, there is a stack-based buffer overflow in the cmd_load function in frontend/cmd.cc via a crafted chess position in an EPD file.

The web api server on Port 8080 of ASUS HG100 firmware up to 1.05.12, which is vulnerable to Slowloris HTTP Denial of Service: an attacker can cause a Denial of Service (DoS) by sending headers very slowly to keep HTTP or HTTPS connections and associated resources alive for a long period of time.

Various Lexmark printers contain a denial of service vulnerability in the SNMP service that can be exploited to crash the device.

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command.

An issue was discovered in Suricata 4.1.3.

A vulnerability in the IPv6 traffic processing of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an unexpected restart of the netstack process on an affected device.

A vulnerability in the Cisco Fabric Services component of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause process crashes, which can result in a denial of service (DoS) condition on an affected system.

IBM DB2 High Performance Unload load for LUW 6.1, 6.1.0.1, 6.1.0.1 IF1, 6.1.0.2, 6.1.0.2 IF1, and 6.1.0.1 IF2 db2hpum and db2hpum_debug binaries are setuid root and have built-in options that allow an low privileged user the ability to load arbitrary db2 libraries from a privileged context.

IBM DB2 High Performance Unload load for LUW 6.1, 6.1.0.1, 6.1.0.1 IF1, 6.1.0.2, 6.1.0.2 IF1, and 6.1.0.1 IF2 db2hpum_debug is a setuid root binary which trusts the PATH environment variable.

An issue was discovered in Kaseya Virtual System Administrator (VSA) through 9.4.0.37.

memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c.

The wps-hide-login plugin before 1.5.3 for WordPress has a protection bypass via wp-login.php in the Referer field.

The wps-hide-login plugin before 1.5.3 for WordPress has an action=rp&key&login protection bypass.

The wps-hide-login plugin before 1.5.3 for WordPress has an adminhash protection bypass.

The wps-hide-login plugin before 1.5.3 for WordPress has an action=confirmaction protection bypass.

The wps-child-theme-generator plugin before 1.2 for WordPress has classes/helpers.php directory traversal.

The nd-restaurant-reservations plugin before 1.5 for WordPress has no requirement for nd_rst_import_settings_php_function authentication.

In FreeBSD 12.0-STABLE before r351264, 12.0-RELEASE before 12.0-RELEASE-p10, 11.3-STABLE before r351265, 11.3-RELEASE before 11.3-RELEASE-p3, and 11.2-RELEASE before 11.2-RELEASE-p14, the kernel driver for /dev/midistat implements a read handler that is not thread-safe.

In FreeBSD 12.0-STABLE before r350828, 12.0-RELEASE before 12.0-RELEASE-p10, 11.3-STABLE before r350829, 11.3-RELEASE before 11.3-RELEASE-p3, and 11.2-RELEASE before 11.2-RELEASE-p14, a missing check in the function to arrange data in a chain of mbufs could cause data returned not to be contiguous.

In FreeBSD 12.0-STABLE before r350637, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350638, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the bsnmp library is not properly validating the submitted length from a type-length-value encoding.

In FreeBSD 12.0-STABLE before r350619, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350619, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the bhyve e1000 device emulation used a guest-provided value to determine the size of the on-stack buffer without validation when TCP segmentation offload is requested for a transmitted packet.

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs.

Clara Genomics Analysis before 0.2.0 has an integer overflow for cudapoa memory management in allocate_block.cpp.

ROBOTIS Dynamixel SDK through 3.7.11 has a buffer overflow via a large rxpacket.

FontForge 20190813 through 20190820 has a buffer overflow in PrefsUI_LoadPrefs in prefs.c.

Secure Reliable Transport (SRT) through 1.3.4 has a CSndUList array overflow if there are many SRT connections.

Lute-Tab before 2019-08-23 has a buffer overflow in pdf_print.cc.

The formidable plugin before 4.02.01 for WordPress has unsafe deserialization.

An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.1.4.

The woo-confirmation-email plugin before 3.2.0 for WordPress has no blocking of direct access to supportive xl folders inside uploads.

The sharebar plugin before 1.2.2 for WordPress has SQL injection.

In Xymon through 4.3.28, a stack-based buffer overflow exists in the status-log viewer component because of   expansion in svcstatus.c.

In Xymon through 4.3.28, a stack-based buffer overflow vulnerability exists in the history viewer component via a long hostname or service parameter to history.c.

In Xymon through 4.3.28, a buffer overflow exists in the status-log viewer CGI because of   expansion in appfeed.c.

In Xymon through 4.3.28, a stack-based buffer overflow vulnerability exists in the alert acknowledgment CGI tool because of   expansion in acknowledge.c.

In Xymon through 4.3.28, a buffer overflow vulnerability exists in reportlog.c.

In Xymon through 4.3.28, a buffer overflow vulnerability exists in history.c.

In Xymon through 4.3.28, a buffer overflow vulnerability exists in the csvinfo CGI script.

A SQL injection vulnerability exists in the Imagely NextGEN Gallery plugin before 3.2.11 for WordPress.

The wp-polls plugin before 2.72 for WordPress has SQL injection.

The feed-them-social plugin before 1.7.0 for WordPress has possible shortcode execution in the Facebook Feeds load more button.

The pie-register plugin before 3.1.2 for WordPress has SQL injection, a different issue than CVE-2018-10969.

The bbp-move-topics plugin before 1.1.6 for WordPress has code injection.

The buddyforms plugin before 2.2.8 for WordPress has SQL injection.

The woocommerce-exporter plugin before 1.8.4 for WordPress has privilege escalation.

The link-log plugin before 2.1 for WordPress has SQL injection.

connect-pg-simple before 6.0.1 allows SQL injection if tableName or schemaName is untrusted data.

In eslint-utils before 1.4.1, the getStaticValue function can execute arbitrary code.

wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCertExtensions in wolfcrypt/src/asn.c because reading the ASN_BOOLEAN byte is mishandled for a crafted DER certificate in GetLength_ex.

Buffer Overflow in dactetra in Delta Controls enteliBUS Manager V3.40_B-571848 allows remote unauthenticated users to execute arbitrary code and possibly cause a denial of service via unspecified vectors.

An issue was discovered in the ncurses crate through 5.99.0 for Rust.

An issue was discovered in the protobuf crate before 2.6.0 for Rust.

An issue was discovered in the slice-deque crate before 0.2.0 for Rust.

XENFCoreSharp before 2019-07-16 allows SQL injection in web/verify.php.

An issue was discovered in the arrayfire crate before 3.6.0 for Rust.

An issue was discovered in the crossbeam crate before 0.4.1 for Rust.

An issue was discovered in the slice-deque crate before 0.1.16 for Rust.

XM^online 2 Common Utils and Endpoints 0.2.1 allows SQL injection, related to Constants.java, DropSchemaResolver.java, and SchemaChangeResolver.java.

XM^online 2 User Account and Authentication server 1.0.0 allows SQL injection via a tenant key.

FredReinink Wellness-app before 2019-06-19 allows SQL injection, related to dietTrack.php, exerciseGenerator.php, fitnessTrack.php, and server.php.

The Reviews Module before 2019-06-14 for OpenSource Table allows SQL injection in database/index.js.

DianoxDragon Hawn before 2019-07-10 allows SQL injection.

Gesior-AAC before 2019-05-01 allows serviceID SQL injection in accountmanagement.php.

Gesior-AAC before 2019-05-01 allows SQL injection in tankyou.php.

Gesior-AAC before 2019-05-01 allows ServiceCategoryID SQL injection in shop.php.

The WEB control panel before 2019-04-30 for ClonOS allows SQL injection in clonos.php.

BEdita through 4.0.0-RC2 allows SQL injection during a save operation for a relation with parameters.

HM Courts & Tribunals ccd-data-store-api before 2019-06-10 allows SQL injection, related to SearchQueryFactoryOperation.java and SortDirection.java.

idseq-web before 2019-07-01 in Infectious Disease Sequencing Platform IDseq allows SQL injection via tax_levels.

OpenForis Arena before 2019-05-07 allows SQL injection in the sorting feature.

The Alfresco application before 1.8.7 for Android allows SQL injection in HistorySearchProvider.java.

The ICOMMKT connector before 1.0.7 for PrestaShop allows SQL injection in icommktconnector.php.

The Compassion Switzerland addons 10.01.4 for Odoo allow SQL injection in models/partner_compassion.py.

Observational Health Data Sciences and Informatics (OHDSI) WebAPI before 2.7.2 allows SQL injection in FeatureExtractionService.java.

An issue was discovered in the smallvec crate before 0.6.10 for Rust.

An issue was discovered in the libflate crate before 0.1.25 for Rust.

An issue was discovered in the smallvec crate before 0.6.10 for Rust.

Several Ricoh printers have multiple buffer overflows parsing HTTP parameter settings for SNMP, which allow an attacker to cause a denial of service or code execution via crafted requests to the web server.

Several Ricoh printers have multiple buffer overflows parsing HTTP parameter settings for Wi-Fi, mDNS, POP3, SMTP, and notification alerts, which allow an attacker to cause a denial of service or code execution via crafted requests to the web server.

Several Ricoh printers have multiple buffer overflows parsing HTTP cookie headers, which allow an attacker to cause a denial of service or code execution via crafted requests to the web server.

An issue was discovered in the safe-transmute crate before 0.10.1 for Rust.

An issue was discovered in the smallvec crate before 0.6.3 for Rust.

Several Ricoh printers have multiple buffer overflows parsing LPD packets, which allow an attacker to cause a denial of service or code execution via crafted requests to the LPD service.

FlashLingo before 2019-06-12 allows SQL injection, related to flashlingo.js and db.js.

Pvanloon1983 social_network before 2019-07-03 allows SQL injection in includes/form_handlers/register_handler.php.

CSZ CMS 1.2.3 allows arbitrary file upload, as demonstrated by a .php file to admin/filemanager in the File Management Module, which leads to remote code execution by visiting a photo/upload/2019/ URI.

Spoon Library through 2014-02-06, as used in Fork CMS before 1.4.1 and other products, allows PHP object injection via a cookie containing an object.

Raml-Module-Builder 26.4.0 allows SQL Injection in PostgresClient.update.

A vulnerability in a specific CLI command within the local management (local-mgmt) context for Cisco UCS Fabric Interconnect Software could allow an authenticated, local attacker to gain elevated privileges as the root user on an affected device.

An issue was discovered in Avira Free Security Suite 10.

CloudBerry Backup v6.1.2.34 allows local privilege escalation via a Pre or Post backup action.

Apport before versions 2.14.1-0ubuntu3.29+esm1, 2.20.1-0ubuntu2.19, 2.20.9-0ubuntu7.7, 2.20.10-0ubuntu27.1, 2.20.11-0ubuntu5 contained a TOCTTOU vulnerability when reading the users ~/.apport-ignore.xml file, which allows a local attacker to replace this file with a symlink to any other file on the system and so cause Apport to include the contents of this other file in the resulting crash report.

The facebook-for-woocommerce plugin before 1.9.15 for WordPress has CSRF via ajax_woo_infobanner_post_click, ajax_woo_infobanner_post_xout, or ajax_fb_toggle_visibility.

The facebook-for-woocommerce plugin before 1.9.14 for WordPress has CSRF.

The wp-better-permalinks plugin before 3.0.5 for WordPress has CSRF.

The webp-converter-for-media plugin before 1.0.3 for WordPress has CSRF.

A memory corruption vulnerability exists in the .PSD parsing functionality of ALSee v5.3 ~ v8.39.

The visitors-traffic-real-time-statistics plugin before 1.13 for WordPress has CSRF.

The visitors-traffic-real-time-statistics plugin before 1.12 for WordPress has CSRF in the settings page.

The one-click-ssl plugin before 1.4.7 for WordPress has CSRF.

The photo-gallery plugin before 1.2.42 for WordPress has CSRF.

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH location on a clean image without Endpoint Client installed.

A vulnerability in mkv::event_thread_t in VideoLAN VLC media player 3.0.7.1 allows remote attackers to trigger a heap-based buffer overflow via a crafted .mkv file.

The mkv::virtual_segment_c::seek method of demux/mkv/virtual_segment.cpp in VideoLAN VLC media player 3.0.7.1 has a use-after-free.

The Control function of demux/mkv/mkv.cpp in VideoLAN VLC media player 3.0.7.1 has a use-after-free.

A heap-based buffer over-read exists in DemuxInit() in demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1 via a crafted .mkv file.

The Control function of demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1 has a use-after-free.

A divide-by-zero error exists in the SeekIndex function of demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1.

A divide-by-zero error exists in the Control function of demux/caf.c in VideoLAN VLC media player 3.0.7.1.

A heap-based buffer over-read in xiph_PackHeaders() in modules/demux/xiph.h in VideoLAN VLC media player 3.0.7.1 allows remote attackers to trigger a heap-based buffer over-read via a crafted .ogg file.

The xiph_SplitHeaders function in modules/demux/xiph.h in VideoLAN VLC media player 3.0.7.1 does not check array bounds properly.

The facebook-by-weblizar plugin before 2.8.5 for WordPress has CSRF.

The insta-gallery plugin before 2.4.8 for WordPress has no nonce validation for qligg_dismiss_notice or qligg_form_item_delete.

The woo-address-book plugin before 1.6.0 for WordPress has save calls without nonce verification checks.

The handl-utm-grabber plugin before 2.6.5 for WordPress has CSRF via add_option and update_option.

Windows binaries generated with InstallBuilder versions earlier than 19.7.0 are vulnerable to tampering even if they contain a valid Authenticode signature.

There is a vulnerability with the Dolby DAX2 API system services in which a low-privileged user can terminate arbitrary processes that are running at a higher privilege.

A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, remote attacker to cause the SNMP application on an affected device to restart unexpectedly.

MyT Project Management 1.5.1 lacks CSRF protection and, for example, allows a user/create CSRF attack.

components/Modals/HelpModal.jsx in BloodHound 2.2.0 allows remote attackers to execute arbitrary OS commands (by spawning a child process as the current user on the victim's machine) when the search function's autocomplete feature is used.

Multiple CSRF issues exist in MicroPyramid Django CRM 0.2.1 via /change-password-by-admin/, /api/settings/add/, /cases/create/, /change-password-by-admin/, /comment/add/, /documents/1/view/, /documents/create/, /opportunities/create/, and /login/.

The wp-members plugin before 3.2.8 for WordPress has CSRF.

The zoho-salesiq plugin before 1.0.9 for WordPress has CSRF.

The bbp-move-topics plugin before 1.1.6 for WordPress has CSRF.

The js-support-ticket plugin before 2.0.6 for WordPress has CSRF.

The wp-rollback plugin before 1.2.3 for WordPress has CSRF.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a command injection vulnerability.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a heap overflow vulnerability.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a type confusion vulnerability.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound write vulnerability.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have a heap overflow vulnerability.

xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks.

Datalogic AV7000 Linear barcode scanner all versions prior to 4.6.0.0 is vulnerable to authentication bypass, which may allow an attacker to remotely execute arbitrary code.

A SQL injection vulnerability in Snare Central before 7.4.5 allows remote authenticated attackers to execute arbitrary SQL commands via the AgentConsole/UserGroupQuery.php ShowUser parameter.

The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced.

The kubectl cp command allows copying files between containers and the user machine.

Jenkins IBM Application Security on Cloud Plugin 1.2.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure.

The gigpress plugin before 2.3.11 for WordPress has SQL injection in the admin area, a different vulnerability than CVE-2015-4066.

The insert-or-embed-articulate-content-into-wordpress plugin before 4.2999 for WordPress has insufficient restrictions on file upload.

The groundhogg plugin before 1.3.5 for WordPress has wp-admin/admin-ajax.php?action=bulk_action_listener remote code execution.

rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call.

The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port.

In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network.

Various Lexmark products have Incorrect Access Control.

An issue was discovered in the ncurses crate through 5.99.0 for Rust.

An issue was discovered in the pancurses crate through 0.16.1 for Rust.

The fetch API in Tightrope Media Carousel before 7.1.3 has CarouselAPI/v0/fetch?url= SSRF.

Lierda Grill Temperature Monitor V1.00_50006 has a default password of admin for the admin account, which allows an attacker to cause a Denial of Service or Information Disclosure via the undocumented access-point configuration page located on the device.

An issue was discovered in the tar crate before 0.4.16 for Rust.

IBM i 7.4 users who have done a Restore User Profile (RSTUSRPRF) on a system which has been configured with Db2 Mirror for i might have user profiles with elevated privileges caused by incorrect processing during a restore of multiple user profiles.

The custom-404-pro plugin before 3.2.8 for WordPress has reflected XSS, a different vulnerability than CVE-2019-14789.

The simple-mail-address-encoder plugin before 1.7 for WordPress has reflected XSS.

In DomainMOD through 4.13, the parameter daterange in the file reporting/domains/cost-by-month.php has XSS.

The login-or-logout-menu-item plugin before 1.2.0 for WordPress has no requirement for lolmi_save_settings authentication.

The simple-301-redirects-addon-bulk-uploader plugin through 1.2.4 for WordPress has no requirement for authentication for action=bulk301export or action=bulk301clearlist.

The nd-shortcodes plugin before 6.0 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting.

The simple-301-redirects-addon-bulk-uploader plugin before 1.2.5 for WordPress has no protection against 301 redirect rule injection via a CSV file.

The nd-learning plugin before 4.8 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting.

The nd-booking plugin before 2.5 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting.

The nd-travel plugin before 1.7 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting.

The nd-donations plugin before 1.4 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting.

The kubectl cp command allows copying files between containers and the user machine.

Edimax BR-6208AC V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

Edimax BR-6208AC V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

Edimax BR-6208AC V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device.

An issue was discovered in the hyper crate before 0.9.4 for Rust on Windows.

The insert-or-embed-articulate-content-into-wordpress plugin before 4.29991 for WordPress has insufficient restrictions on deleting or renaming by a Subscriber.

MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly handles the disk name, which allows authenticated users to delete arbitrary files.

Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS.

The icegram plugin before 1.10.29 for WordPress has ig_cat_list XSS.

cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price.

IBM Cloud Automation Manager 3.1.2 could allow a malicious user on the client side (with access to client computer) to run a custom script.

The sina-extension-for-elementor plugin before 2.2.1 for WordPress has local file inclusion.

Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process.

The bold-page-builder plugin before 2.3.2 for WordPress has no protection against modifying settings and importing data.

The wp-private-content-plus plugin before 2.0 for WordPress has no protection against option changes via save_settings_page and other save_ functions.

Directory traversal vulnerability on ONKYO TX-NR686 1030-5000-1040-0010 A/V Receiver devices allows remote attackers to read arbitrary files via a ..

A vulnerability in the implementation of the Simple Network Management Protocol (SNMP) Access Control List (ACL) feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to perform SNMP polling of an affected device, even if it is configured to deny SNMP traffic.

A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an NX-API system process to unexpectedly restart.

Log viewer in totemomail 6.0.0 build 570 allows access to sessionIDs of high privileged users by leveraging access to a read-only auditor role.

/payu/icpcheckout/ in the WooCommerce PayU India Payment Gateway plugin 2.1.1 for WordPress allows Parameter Tampering in the purchaseQuantity=1 parameter, as demonstrated by purchasing an item for lower than the intended price.

Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.

The TeamSpeak client before 3.3.2 allows remote servers to trigger a crash via the 0xe2 0x81 0xa8 0xe2 0x81 0xa7 byte sequence, aka Unicode characters U+2068 (FIRST STRONG ISOLATE) and U+2067 (RIGHT-TO-LEFT ISOLATE).

A relative path traversal vulnerability found in Advan VD-1 firmware versions up to 230.

A broken access control vulnerability found in Advan VD-1 firmware versions up to 230.

A vulnerability of remote credential disclosure was discovered in Advan VD-1 firmware versions up to 230.

nse_libssh2.cc in Nmap 7.70 is subject to a denial of service condition due to a double free when an SSH connection fails, as demonstrated by a leading \n character to ssh-brute.nse or ssh-auth-methods.nse.

The legacy finger service (TCP port 79) is enabled by default on various older Lexmark devices.

An issue was discovered in Suricata 4.1.3.

An issue was discovered in Suricata 4.1.3.

An issue was discovered in Suricata 4.1.3.

An issue was discovered in Suricata 4.1.3.

Various Lexmark products have Incorrect Access Control (issue 2 of 2).

Various Lexmark products have Incorrect Access Control (issue 1 of 2).

cli/lib/main.js in Entropic before 2019-06-13 does not reject / and \ in command names, which might allow a directory traversal attack in unusual situations.

An issue was discovered in Gallagher Command Centre 8.10 before 8.10.1092(MR2).

In the TCP implementation (gnrc_tcp) in RIOT through 2019.07, the parser for TCP options does not terminate on all inputs, allowing a denial-of-service, because sys/net/gnrc/transport_layer/tcp/gnrc_tcp_option.c has an infinite loop for an unknown zero-length option.

The woocommerce-catalog-enquiry plugin before 3.1.0 for WordPress has an incorrect wp_upload directory for file uploads.

The sell-downloads plugin before 1.0.8 for WordPress has insufficient restrictions on brute-force guessing of purchase IDs.

The link-log plugin before 2.0 for WordPress has HTTP Response Splitting.

OpenBSD kernel version <= 6.5 can be forced to create long chains of TCP SACK holes that causes very expensive calls to tcp_sack_option() for every incoming SACK packet which can lead to a denial of service.

An issue was discovered in the libp2p-core crate before 0.8.1 for Rust.

An issue was discovered in the ammonia crate before 2.1.0 for Rust.

An issue was discovered in the untrusted crate before 0.6.2 for Rust.

An issue was discovered in the cookie crate before 0.7.6 for Rust.

An issue was discovered in the security-framework crate before 0.1.12 for Rust.

Limesurvey before 3.17.10 does not validate both the MIME type and file extension of an image.

An issue was discovered in the asn1_der crate before 0.6.2 for Rust.

An issue was discovered in the memoffset crate before 0.5.0 for Rust.

An issue was discovered in the simd-json crate before 0.1.15 for Rust.

An issue was discovered in the orion crate before 0.11.2 for Rust.

An issue was discovered in the trust-dns-proto crate before 0.5.0-alpha.3 for Rust.

An issue was discovered in the yaml-rust crate before 0.4.1 for Rust.

An issue was discovered in the hyper crate before 0.9.18 for Rust.

rustls-mio/examples/tlsserver.rs in the rustls crate before 0.16.0 for Rust allows attackers to cause a denial of service (loop of conn_event and ready) by arranging for a client to never be writable.

A broken access control vulnerability in HG100 firmware versions up to 4.00.06 allows an attacker in the same local area network to control IoT devices that connect with itself via http://[target]/smarthome/devicecontrol without any authentication.

A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.

In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails.

A use-after-free flaw in the sandbox container implemented in cmdguard.sys in Comodo Antivirus 12.0.0.6870 can be triggered due to a race condition when handling IRP_MJ_CLEANUP requests in the minifilter for directory change notifications.

In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node.

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the shell component of Zephyr allows a serial or telnet connected user to cause a crash, possibly with arbitrary code execution.

Use After Free vulnerability in the Zephyr shell allows a serial or telnet connected user to cause denial of service, and possibly remote code execution.

Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access.

An issue was discovered in the Linux kernel before 5.0.19.

The easy-pdf-restaurant-menu-upload plugin before 1.1.2 for WordPress has XSS.

The easy-property-listings plugin before 3.4 for WordPress has XSS.

A vulnerability within the Endpoint Learning feature of Cisco Nexus 9000 Series Switches running in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an endpoint device in certain circumstances.

Information exposure in Micro Focus Content Manager, versions 9.1, 9.2 and 9.3.

The ASG/ProxySG FTP proxy WebFTP mode allows intercepting FTP connections where a user accesses an FTP server via a ftp:// URL in a web browser.

Cross-site scripting (XSS) vulnerability in the 'Authorisation Service' feature of totemomail 6.0.0 build 570 allows remote attackers to inject arbitrary web script or HTML.

Cross-site scripting (XSS) vulnerability in the 'Notification template' feature of totemomail 6.0.0 build 570 allows remote attackers to inject arbitrary web script or HTML.

Cross-site scripting (XSS) vulnerability in the 'Certificate' feature of totemomail 6.0.0 build 570 allows remote attackers to inject arbitrary web script or HTML.

In VideoLAN VLC media player 3.0.7.1, there is a NULL pointer dereference at the function SeekPercent of demux/asf/asf.c that will lead to a denial of service attack.

WebTorrent before 0.107.6 allows XSS in the HTTP server via a title or file name.

An issue was discovered in Binaryen 1.38.32.

An issue was discovered in Binaryen 1.38.32.

libMirage 3.2.2 in CDemu has a NULL pointer dereference in the NRG parser in parser.c.

A XSS found in Advan VD-1 firmware versions up to 230.

Various Lexmark products have CSRF.

The URL part of the report message is not encoded in Fortinet FortiWeb 6.0.2 and below which may allow an attacker to execute unauthorized code or commands (Cross Site Scripting) via attack reports generated in HTML form.

In Knowage through 6.1.1, there is XSS via the start_url or user_id field to the ChangePwdServlet page.

The Jetpack plugin before 3.4.3 for WordPress has XSS via add_query_arg() and remove_query_arg().

iThemes Builder Style Manager before 0.7.7 for WordPress has XSS via add_query_arg() and remove_query_arg().

iThemes Builder Theme Market before 5.1.27 for WordPress has XSS via add_query_arg() and remove_query_arg().

iThemes Builder Theme Depot before 5.0.30 for WordPress has XSS via add_query_arg() and remove_query_arg().

iThemes Mobile before 1.2.8 for WordPress has XSS via add_query_arg() and remove_query_arg().

Table Rate Shipping Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

Stripe Add-on for iThemes Exchange before 1.2.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

PayPal Pro Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

Membership Add-on for iThemes Exchange before 1.3.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

Manual Purchases Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

Invoices Add-on for iThemes Exchange before 1.4.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

Easy US Sales Taxes Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

The my-calendar plugin before 3.1.10 for WordPress has XSS.

The updraftplus plugin before 1.13.5 for WordPress has XSS in rare cases where an attacker controls a string logged to a log file.

Easy EU Value Added (VAT) Taxes Add-on for iThemes Exchange before 1.2.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

Easy Canadian Sales Taxes Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

Custom URL Tracking Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

Authorize.net Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

2Checkout Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

iThemes Exchange before 1.12.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

The Post Connector plugin before 1.0.4 for WordPress has XSS via add_query_arg() and remove_query_arg().

The Related Posts plugin before 1.8.2 for WordPress has XSS via add_query_arg() and remove_query_arg().

The updraftplus plugin before 1.9.64 for WordPress has XSS via add_query_arg() and remove_query_arg().

The feedwordpress plugin before 2015.0514 for WordPress has XSS via add_query_arg() and remove_query_arg().

The akismet plugin before 3.1.5 for WordPress has XSS.

The wp-vipergb plugin before 1.3.16 for WordPress has XSS via add_query_arg() and remove_query_arg(), a different issue than CVE-2014-9460.

The two-factor-authentication plugin before 1.1.10 for WordPress has XSS in the admin area.

The sharebar plugin before 1.2.2 for WordPress has XSS, a different issue than CVE-2013-3491.

The redirection plugin before 2.2.12 for WordPress has XSS, a different issue than CVE-2011-4562.

The redirection plugin before 2.2.9 for WordPress has XSS in the admin menu, a different issue than CVE-2011-4562.

public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is affected by crafted "changed value of" text.

In Xymon through 4.3.28, an XSS vulnerability exists in the csvinfo CGI script due to insufficient filtering of the db parameter.

The gd-rating-system plugin before 2.1 for WordPress has XSS in log.php.

The wp-polls plugin before 2.73.1 for WordPress has XSS via the Poll bar option.

The feed-them-social plugin before 1.7.0 for WordPress has reflected XSS in the Facebook Feeds load more button.

The zoho-salesiq plugin before 1.0.9 for WordPress has stored XSS.

The ultimate-faqs plugin before 1.8.22 for WordPress has XSS.

In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple Reflected and Stored XSS issues in the management interface.

In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the Login form.

In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the search engine.

The anycomment plugin before 0.0.33 for WordPress has XSS.

The timesheet plugin before 0.1.5 for WordPress has multiple XSS issues.

The check-email plugin before 0.5.2 for WordPress has XSS.

The ckeditor-for-wordpress plugin before 4.5.3.1 for WordPress has reflected XSS in the "built-in (old)" file browser.

The wp-plotly plugin before 1.0.3 for WordPress has XSS by authors.

The cp-polls plugin before 1.0.5 for WordPress has XSS.

The wp-rollback plugin before 1.2.3 for WordPress has XSS.

The cp-polls plugin before 1.0.1 for WordPress has XSS in the votes list.

GNUBOARD5 before 5.3.2.0 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "homepage title" parameter, aka the adm/config_form_update.php cf_title parameter.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability.

Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability.

Discourse 2.3.2 sends the CSRF token in the query string.

Reflected cross site scripting (XSS) in L-Soft LISTSERV before 16.5-2018a exists via the /scripts/wa.exe OK parameter.

Status Board 1.1.81 has reflected XSS via dashboard.ts.

An issue was discovered in the claxon crate before 0.4.1 for Rust.

An issue was discovered in the portaudio crate through 0.7.0 for Rust.

CyberChef before 8.31.2 allows XSS in core/operations/TextEncodingBruteForce.mjs.

laracom (aka Laravel FREE E-Commerce Software) 1.4.11 has search?q= XSS.

Status Board 1.1.81 has reflected XSS via logic.ts.

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init.

An information disclosure vulnerability in the Management Center (MC) REST API 2.0, 2.1, and 2.2 prior to 2.2.2.1 allows a malicious authenticated user to obtain passwords for external backup and CPL policy import servers that they might not otherwise be authorized to access.

An information disclosure vulnerability in Symantec Reporter web UI 10.3 prior to 10.3.2.5 allows a malicious authenticated administrator user to obtain passwords for external SMTP, FTP, FTPS, LDAP, and Cloud Log Download servers that they might not otherwise be authorized to access.

The ASG/ProxySG FTP proxy WebFTP mode allows intercepting FTP connections where a user accesses an FTP server via a ftp:// URL in a web browser.

There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting.

A vulnerability in the Virtual Shell (VSH) session management for Cisco NX-OS Software could allow an authenticated, remote attacker to cause a VSH process to fail to delete upon termination.

In Knowage through 6.1.1, an authenticated user who accesses the datasources page will gain access to any data source credentials in cleartext, which includes databases.

In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values.

The stops-core-theme-and-plugin-updates plugin before 8.0.5 for WordPress has insufficient restrictions on option changes (such as disabling unattended theme updates) because of a nonce check error.

In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp.

The webp-express plugin before 0.14.8 for WordPress has stored XSS.

The wp-ultimate-recipe plugin before 3.12.7 for WordPress has stored XSS.

The photoblocks-grid-gallery plugin before 1.1.33 for WordPress has wp-admin/admin.php?page=photoblocks-edit&id= XSS.

The onesignal-free-web-push-notifications plugin before 1.17.8 for WordPress has XSS via the subdomain parameter.

Symantec My VIP portal, previous version which has already been auto updated, was susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users or potentially bypass access controls such as the same-origin policy.

The woo-variation-gallery plugin before 1.1.29 for WordPress has XSS.

The shapepress-dsgvo plugin before 2.2.19 for WordPress has wp-admin/admin-ajax.php?action=admin-common-settings&admin_email= XSS.

The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher.

LibreNMS v1.54 has XSS in the Create User, Inventory, Add Device, Notifications, Alert Rule, Create Maintenance, and Alert Template sections of the admin console.

The gigpress plugin before 2.3.11 for WordPress has XSS.

IBM Cloud Automation Manager 3.1.2 could allow a user to be impropertly redirected and obtain sensitive information rather than receive a 404 error message.

The Eques elf smart plug and the mobile app use a hardcoded AES 256 bit key to encrypt the commands and responses between the device and the app.

WTF before 0.19.0 does not set the permissions of config.yml, which might make it easier for local attackers to read passwords or API keys if the permissions were misconfigured or were based on unsafe OS defaults.