Weekly Vulnerabilities Reports > September 16 to 22, 2019

A stack-based buffer overflow in the subtitle decoder in Libav 12.3 allows attackers to corrupt the stack via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c misuses snprintf.

An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation.

CWE-284: Improper Access Control vulnerability exists in BMXNOR0200H Ethernet / Serial RTU module (all firmware versions), which could cause the execution of commands by unauthorized users when using IEC 60870-5-104 protocol.

Insecure deserialization of untrusted data in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62.

Allow changes to some table by non-SysAdmin in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62.

There is heap-based buffer overflow in kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.

There is heap-based buffer overflow in Linux kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.

In goform/setSysTools on Tenda N301 wireless routers, attackers can trigger a device crash via a zero wanMTU value.

VIVOTEK IP Camera devices with firmware before 0x20x allow a denial of service via a crafted HTTP header.

A CWE-248: Uncaught Exception vulnerability exists in Modicon M580 (firmware version prior to V2.90) and Modicon M340 (firmware version prior to V3.10), which could cause a possible denial of service when writing to specific memory addresses in the controller over Modbus.

A CWE-248: Uncaught Exception vulnerability exists Modicon M580 (firmware version prior to V2.90), Modicon M340 (firmware version prior to V3.10), Modicon Premium (all versions), and Modicon Quantum (all versions), which could cause a possible denial of service when reading specific coils and registers in the controller over Modbus.

A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in BMXNOR0200H Ethernet / Serial RTU module (all firmware versions) and Modicon M340 controller (all firmware versions), which could cause denial of service when truncated SNMP packets on port 161/UDP are received by the device.

A CWE-248: Uncaught Exception vulnerability exists in Modicon M580 (firmware versions prior to V2.90), Modicon M340 (firmware versions prior to V3.10), Modicon Premium (all versions), Modicon Quantum (all versions), which could cause a possible denial of service when reading invalid data from the controller.

A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration.

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used.

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used.

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit-result.php table parameter when action=add is used.

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used.

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used.

Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.

joyplus-cms 1.6.0 allows remote attackers to execute arbitrary PHP code via /install by placing the code in the name of an object in the database.

On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number.

IBM Security Key Lifecycle Manager 3.0 and 3.0.1 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.

App\Home\Controller\ZhuantiController.class.php in TuziCMS 2.0.6 has SQL injection via the index.php/Zhuanti/group?id= substring.

App\Mobile\Controller\ZhuantiController.class.php in TuziCMS 2.0.6 has SQL injection via the index.php/Mobile/Zhuanti/group?id= substring.

The wp-ultimate-exporter plugin through 1.1 for WordPress has SQL injection via the export_type_name parameter.

An issue was discovered in PRiSE adAS 1.7.0.

An issue was discovered in PRiSE adAS 1.7.0.

An issue was discovered in the Linux kernel before 5.0.4.

RSA Archer, versions prior to 6.6 P2 (6.6.0.2), contain an improper authentication vulnerability.

An uninitialized memory access vulnerability exists in the way Aspose.PDF 19.2 for C++ handles invalid parent object pointers.

An exploitable use-after-free vulnerability exists in the way LZW-compressed streams are processed in Aspose.PDF 19.2 for C++.

The specific fields of CGI interface of some Dahua products are not strictly verified, an attacker can cause a buffer overflow by constructing malicious packets.

An issue was discovered in the secure portal in Publisure 2.1.2.

Western Digital WD My Book World through II 1.02.12 suffers from Broken Authentication, which allows an attacker to access the /admin/ directory without credentials.

The Tevolution plugin before 2.3.0 for WordPress has arbitrary file upload via single_upload.php or single-upload.php.

eQ-3 Homematic CCU2 before 2.47.18 and CCU3 before 3.47.18 allow Remote Code Execution by unauthenticated attackers with access to the web interface via an HTTP POST request to certain URLs related to the ReGa core process.

An Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability exists in Modicon Quantum 140 NOE771x1 version 6.9 and earlier, which could cause denial of service when the module receives an IP fragmented packet with a length greater than 65535 bytes.

Data exposure in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62.

IBM Cognos Analytics 11.0, and 11.1 is vulnerable to a denial of service attack that could allow a remote user to send specially crafted requests that would consume all available CPU and memory resources.

IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

Unauthorized access to contact information in Micro Focus Service Manager, versions 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62.

In Code42 Enterprise 6.7.5 and earlier, 6.8.4 through 6.8.8, and 7.0.0 a vulnerability has been identified that may allow arbitrary files to be uploaded to Code42 servers and executed.

In XS 9.0.0 in Moddable SDK OS180329, there is a heap-based buffer overflow in fxBeginHost in xsAPI.c when called from fxRunDefine in xsRun.c, as demonstrated by crafted JavaScript code to xst.

Tapestry processes assets `/assets/ctx` using classes chain `StaticFilesFilter -> AssetDispatcher -> ContextResource`, which doesn't filter the character `\`, so attacker can perform a path traversal attack to read any files on Windows platform.

The newspaper theme before 6.7.2 for WordPress has a lack of options access control via td_ajax_update_panel.

In Escuela de Gestion Publica Plurinacional (EGPP) Sistema Integrado de Gestion Academica (GESAC) v1, the username parameter of the authentication form is vulnerable to SQL injection, allowing attackers to access the database.

The MemberSonic Lite plugin before 1.302 for WordPress has incorrect login access control because only knowlewdge of an e-mail address is required.

The newspaper theme before 6.7.2 for WordPress has script injection via td_ads[header] to admin-ajax.php.

Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability.

On Keeper K5 20.1.0.25 and 20.1.0.63 devices, remote code execution can occur by inserting an SD card containing a file named zskj_script_run.sh that executes a reverse shell.

IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 is vulnerable to SQL injection.

A stack-based buffer overflow in the subtitle decoder in Libav 12.3 allows attackers to corrupt the stack via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c misuses snprintf.

In Libav 12.3, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c has a complex format argument to sscanf.

joyplus-cms 1.6.0 has admin_ajax.php?action=savexml&tab=vodplay CSRF.

TuziCMS 2.0.6 has index.php/manage/link/do_add CSRF.

TuziCMS 2.0.6 has index.php/manage/notice/do_add CSRF.

The users-ultra plugin before 1.5.59 for WordPress has uultra-form-cvs-form-conf arbitrary file upload.

The users-ultra plugin before 1.5.63 for WordPress has CSRF via action=package_add_new to wp-admin/admin-ajax.php.

An issue was discovered in PRiSE adAS 1.7.0.

LayerBB before 1.1.4 has multiple CSRF issues, as demonstrated by changing the System Settings via admin/general.php.

The commit diff rest endpoint in Bitbucket Server and Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) allows remote attackers who have permission to access a repository, if public access is enabled for a project or repository then attackers are able to exploit this issue anonymously, to read the contents of arbitrary files on the system and execute commands via injecting additional arguments into git commands.

Integer overflow vulnerability in LINE(Android) from 4.4.0 to the version before 9.15.1 allows remote attackers to cause a denial of service (DoS) condition or execute arbitrary code via a specially crafted image.

vphysics.dll in Counter-Strike: Global Offensive before 1.37.1.1 allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a memset call.

GnuCOBOL 2.2 has a use-after-free in the end_scope_of_program_name() function in cobc/parser.y via crafted COBOL source code.

GnuCOBOL 2.2 has a stack-based buffer overflow in the cb_name() function in cobc/tree.c via crafted COBOL source code.

A CWE-287: Authentication vulnerability exists in spaceLYnk (all versions before 2.4.0) and Wiser for KNX (all versions before 2.4.0 - formerly known as homeLYnk), which could cause loss of control when an attacker bypasses the authentication.

A CWE-426: Untrusted Search Path vulnerability exists in SoMachine HVAC v2.4.1 and earlier versions, which could cause arbitrary code execution on the system running SoMachine HVAC when a malicious DLL library is loaded by the product.

3S-Smart Software Solutions GmbH CODESYS V3 Library Manager, all versions prior to 3.5.16.0, allows the system to display active library content without checking its validity, which may allow the contents of manipulated libraries to be displayed or executed.

The leenkme plugin before 2.6.0 for WordPress has wp-admin/admin.php?page=leenkme_facebook CSRF.

The kento-post-view-counter plugin through 2.8 for WordPress has wp-admin/admin.php?page=kentopvc_settings CSRF.

The fossura-tag-miner plugin before 1.1.5 for WordPress has CSRF.

The fluid-responsive-slideshow plugin before 2.2.7 for WordPress has frs_save CSRF with resultant stored XSS.

ngiflib 0.4 has a heap-based buffer overflow in WritePixels() in ngiflib.c when called from DecodeGifImg, because deinterlacing for small pictures is mishandled.

ngiflib 0.4 has a heap-based buffer overflow in WritePixel() in ngiflib.c when called from DecodeGifImg, because deinterlacing for small pictures is mishandled.

An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver devices with firmware 5.2.2.

Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations.

The wordpress-meta-robots plugin through 2.1 for WordPress has wp-admin/post-new.php text SQL injection.

The wp-stats-dashboard plugin through 2.9.4 for WordPress has admin/graph_trend.php type SQL injection.

The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php gcid SQL injection.

The users-ultra plugin before 1.5.64 for WordPress has SQL Injection via an ajax action.

The Elegant Themes Monarch plugin before 1.2.7 for WordPress has privilege escalation.

The Elegant Themes Bloom plugin before 1.1.1 for WordPress has privilege escalation.

The Elegant Themes Extra theme before 1.2.4 for WordPress has privilege escalation.

An issue was discovered in PRiSE adAS 1.7.0.

In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e.

RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation.

RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation.

RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to a Missing Required Cryptographic Step vulnerability.

In WebAccess versions 8.4.1 and prior, multiple stack-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data.

Clear text password in browser in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62.

Clear text credentials are used to access managers app in Tomcat in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62.

An exploitable Use-After-Free vulnerability exists in the way FunctionType 0 PDF elements are processed in Aspose.PDF 19.2 for C++.

In WebAccess versions 8.4.1 and prior, multiple command injection vulnerabilities are caused by a lack of proper validation of user-supplied data and may allow arbitrary file deletion and remote code execution.

Some of Dahua's Debug functions do not have permission separation.

An issue was discovered in the secure portal in Publisure 2.1.2.

In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers.

The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking.

A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow a user with low privileges to upload a rogue file.

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a user with access to audit logs to obtain sensitive information, caused by improper handling of command line options.

An issue was discovered in 3S-Smart CODESYS V3 through 3.5.12.30.

ffjpeg before 2019-08-21 has a heap-based buffer overflow in jfif_load() at jfif.c.

ffjpeg before 2019-08-18 has a NULL pointer dereference in huffman_decode_step() at huffman.c.

ffjpeg before 2019-08-18 has a NULL pointer dereference in idct2d8x8() at dct.c.

marc-q libwav through 2017-04-20 has a NULL pointer dereference in gain_file() at wav_gain.c.

audio_sample_entry_AddBox() at isomedia/box_code_base.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.

AVC_DuplicateConfig() at isomedia/avc_ext.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file.

The peepso-core plugin before 1.6.1 for WordPress has PeepSoProfilePreferencesAjax->save() privilege escalation.

The icegram plugin before 1.9.19 for WordPress has CSRF via the wp-admin/edit.php option_name parameter.

The wsecure plugin before 2.4 for WordPress has remote code execution via shell metacharacters in the wsecure-config.php publish parameter.

joyplus-cms 1.6.0 allows reinstallation if the install/ URI remains available.

An issue was discovered in servletcontroller in the secure portal in Publisure 2.1.2.

An issue was discovered in GitLab Community and Enterprise Edition through 12.2.1.

The real3d-flipbook-lite plugin 1.0 for WordPress has deleteBook=../ directory traversal for file deletion.

SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character.

SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.

IBM Cloud Application Performance Management 8.1.4 could allow a remote attacker to hijack the clicking action of the victim.

A reflected Cross-site scripting (XSS) vulnerability in HRworks V 1.16.1 allows remote attackers to inject arbitrary web script or HTML via the URL parameter to the Login component.

In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the User-Agent HTTP header is copied into the HTML document as plain text between tags, leading to XSS.

The icegram plugin before 1.9.19 for WordPress has XSS.

The colorway theme before 3.4.2 for WordPress has XSS via the contactName parameter.

A CWE-248: Uncaught Exception vulnerability exists IN Modicon M580 all versions prior to V2.80, which could cause a possible denial of service when sending an appropriately timed HTTP request to the controller.

An issue was discovered in idreamsoft iCMS V7.0.

F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.

An issue was discovered in PRiSE adAS 1.7.0.

An issue was discovered in DTF in FireGiant WiX Toolset before 3.11.2.

VMware vSphere ESXi (6.7 prior to ESXi670-201810101-SG, 6.5 prior to ESXi650-201811102-SG, and 6.0 prior to ESXi600-201807103-SG) and VMware vCenter Server (6.7 prior to 6.7 U1b, 6.5 prior to 6.5 U2b, and 6.0 prior to 6.0 U3j) contain an information disclosure vulnerability in clients arising from insufficient session expiration.

A malicious file upload vulnerability was discovered in Xiaomi Millet mobile phones 1-6.3.9.3.

LogMeIn LastPass before 4.33.0 allows attackers to construct a crafted web site that captures the credentials for a victim's account on a previously visited web site, because do_popupregister can be bypassed via clickjacking.

VMware ESXi (6.7 before ESXi670-201904101-SG and 6.5 before ESXi650-201903001), Workstation (15.x before 15.0.3 and 14.x before 14.1.6) and Fusion (11.x before 11.0.3 and 10.x before 10.1.6) contain an out-of-bounds read vulnerability in the pixel shader functionality.

If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free error occurs, which has the potential to cause a crash in some situations.

A CWE-863: Incorrect Authorization vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow a user with low privileges to delete a critical file.

An issue was discovered in GitLab Community and Enterprise Edition 10.8 through 12.2.1.

An issue was discovered in GitLab Enterprise Edition 11.x and 12.x before 12.0.9, 12.1.x before 12.1.9, and 12.2.x before 12.2.5.

A Cross-Site Scripting (XSS) CWE-79 vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow an attacker to inject client-side script when a user visits a web page.

IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting.

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console is vulnerable to cross-site scripting.

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Network Deployment could allow a remote attacker to obtain sensitive information, caused by sending a specially-crafted URL.

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system.

The Reset Password feature in Pagekit 1.0.17 gives a different response depending on whether the e-mail address of a valid user account is entered, which might make it easier for attackers to enumerate accounts.

On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices.

The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.

Directory traversal vulnerability in the mTheme-Unus theme before 2.3 for WordPress allows an attacker to read arbitrary files via a ..

The Antioch theme through 2014-09-07 for WordPress allows arbitrary file downloads via the file parameter to lib/scripts/download.php.

The epic theme through 2014-09-07 for WordPress allows arbitrary file downloads via the file parameter to includes/download.php.

An issue was discovered in Embedthis GoAhead 2.5.0.

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_twocheckout payer metadata updates.

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_interkassa payer metadata updates.

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_paypal payer metadata updates.

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_user_id for invoice retrieval.

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control for admin_init settings changes.

The optinmonster plugin before 1.1.4.6 for WordPress has incorrect access control for shortcodes because of a nonce leak.

An issue was discovered in PRiSE adAS 1.7.0.

Pydio 6.0.8 mishandles error reporting when a directory allows unauthenticated uploads, and the remote-upload option is used with the http://localhost:22 URL.

libIEC61850 through 1.3.3 has a use-after-free in MmsServer_waitReady in mms/iso_mms/server/mms_server.c, as demonstrated by server_example_goose.

Some Dahua products have information leakage issues.

Some Dahua products have the problem of denial of service during the login process.

A vulnerability in the statistics collection service of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to inject arbitrary values on an affected device.

SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers.

A CWE-863: Incorrect Authorization vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow the file system to access the wrong file.

A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in BMXNOR0200H Ethernet / Serial RTU module (all firmware versions), which could cause disconnection of active connections when an unusually high number of IEC 60870- 5-104 packets are received by the module on port 2404/TCP.

Online upgrade information in some firmware packages of Dahua products is not encrypted.

An issue was discovered in 3S-Smart CODESYS before 3.5.15.0 .

An issue was discovered in ASUSWRT 3.0.0.4.384.20308.

An issue was discovered in GitLab Community and Enterprise Edition 8.18 through 12.2.1.

The imdb-widget plugin before 1.0.9 for WordPress has Local File Inclusion.

An issue was discovered in GitLab Community and Enterprise Edition 7.9 through 12.2.1.

An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1.

An issue was discovered in GitLab Community and Enterprise Edition through 12.2.1.

An issue was discovered in GitLab Community and Enterprise Edition 12.2 through 12.2.1.

An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1.

An issue was discovered in GitLab Community and Enterprise Edition 8.14 through 12.2.1.

An issue was discovered in GitLab Community and Enterprise Edition 10.1 through 12.2.1.

An issue was discovered in GitLab Community and Enterprise Edition 11.2 through 12.2.1.

An issue was discovered in GitLab Community and Enterprise Edition through 12.2.1.

An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1.

An issue was discovered in GitLab Community and Enterprise Edition 11.9.x and 11.10.x before 11.10.1.

An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.2.1.

Emerson GE Automation Proficy Machine Edition 8.0 allows an access violation and application crash via crafted traffic from a remote device, as demonstrated by an RX7i device.

The real3d-flipbook-lite plugin 1.0 for WordPress has bookName=../ directory traversal for file upload.

The estatik plugin before 2.3.0 for WordPress has unauthenticated arbitrary file upload via es_media_images[] to wp-admin/admin-ajax.php.

The mail-masta plugin 1.0 for WordPress has local file inclusion in count_of_send.php and csvexport.php.

A race condition in specific microprocessors using Intel (R) DDIO cache allocation and RDMA may allow an authenticated user to potentially enable partial information disclosure via adjacent access.

Improper file permissions in the installer for Intel(R) Easy Streaming Wizard before version 2.1.0731 may allow an authenticated user to potentially enable escalation of privilege via local attack.

admin/urlrule/add.html in YzmCMS 5.3 allows CSRF with a resultant denial of service by adding a superseding route.

An issue was discovered in ThinkSAAS 2.91.

TuziCMS 2.0.6 has XSS via the PATH_INFO to a group URI, as demonstrated by index.php/article/group/id/2/.

Prospecta Master Data Online (MDO) allows CSRF.

An issue was discovered in Mautic 2.13.1.

On DrayTek Vigor2925 devices with firmware 3.8.4.3, XSS exists via a crafted WAN name on the General Setup screen.

On DrayTek Vigor2925 devices with firmware 3.8.4.3, Incorrect Access Control exists in loginset.htm, and can be used to trigger XSS.

The xpinner-lite plugin through 2.2 for WordPress has wp-admin/options-general.php CSRF with resultant XSS.

The xpinner-lite plugin through 2.2 for WordPress has xpinner-lite.php XSS.

The wp-piwik plugin before 1.0.5 for WordPress has XSS.

The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_keywords XSS.

The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_location XSS.

The auto-thickbox-plus plugin through 1.9 for WordPress has wp-content/plugins/auto-thickbox-plus/download.min.php?file= XSS.

The wp-listings plugin before 2.0.2 for WordPress has includes/views/single-listing.php XSS.

The instalinker plugin before 1.1.2 for WordPress has includes/instalinker-admin-preview.php?client_id= XSS.

The user-submitted-posts plugin before 20160215 for WordPress has XSS via the user-submitted-content field.

The Goodnews theme through 2016-02-28 for WordPress has XSS via the s parameter.

The ocim-mp3 plugin through 2016-03-07 for WordPress has wp-content/plugins/ocim-mp3/source/pages.php?id= XSS.

The beauty-premium theme 1.0.8 for WordPress has CSRF with resultant arbitrary file upload in includes/sendmail.php.

The yawpp plugin through 1.2.2 for WordPress has XSS via the field1 parameter.

The mtouch-quiz plugin before 3.1.3 for WordPress has wp-admin/edit.php CSRF with resultant XSS.

The mtouch-quiz plugin before 3.1.3 for WordPress has wp-admin/options-general.php CSRF.

The mtouch-quiz plugin before 3.1.3 for WordPress has XSS via the quiz parameter during a Quiz Manage operation.

The quotes-and-tips plugin before 1.20 for WordPress has XSS.

The relevant plugin before 1.0.8 for WordPress has XSS.

An issue was discovered in PRiSE adAS 1.7.0.

An issue was discovered in PRiSE adAS 1.7.0.

An issue was discovered in PRiSE adAS 1.7.0.

An XSS issue was discovered in the checklist plugin before 1.1.9 for WordPress.

The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16, from version 3.10.0 before version 3.16.8, from version 4.0.0 before version 4.1.3, from version 4.2.0 before version 4.2.5, from version 4.3.0 before version 4.3.4, and version 4.4.0 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability.

Class and method names in error message in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62.

A vulnerability in the web-based interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to execute a cross-frame scripting (XFS) attack on an affected device.

The Truemag theme 2016 Q2 for WordPress has XSS via the s parameter.

A CWE-754 – Improper Check for Unusual or Exceptional Conditions vulnerability exists in Magelis HMI Panels (all versions of - HMIGTO, HMISTO, XBTGH, HMIGTU, HMIGTUX, HMISCU, HMISTU, XBTGT, XBTGT, HMIGXO, HMIGXU), which could cause a temporary freeze of the HMI when a high rate of frames is received.

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9,0 could allow a remote attacker to traverse directories on the file system.

The music-store plugin before 1.0.43 for WordPress has XSS via the wp-admin/admin.php?page=music-store-menu-reports from_year parameter.

The wp-cerber plugin before 2.7 for WordPress has XSS via the X-Forwarded-For HTTP header.

The leenkme plugin before 2.6.0 for WordPress has stored XSS via facebook_message, facebook_linkname, facebook_caption, facebook_description, default_image, or _wp_http_referer.

The persian-woocommerce-sms plugin before 3.3.4 for WordPress has ps_sms_numbers XSS.

The tweet-wheel plugin before 1.0.3.3 for WordPress has XSS via consumer_key, consumer_secret, access_token, and access_token_secret.

The echosign plugin before 1.2 for WordPress has XSS via the templates/add_templates.php id parameter.

The echosign plugin before 1.2 for WordPress has XSS via the inc.php page parameter.

The kento-post-view-counter plugin through 2.8 for WordPress has stored XSS via kento_pvc_numbers_lang, kento_pvc_today_text, or kento_pvc_total_text.

The kento-post-view-counter plugin through 2.8 for WordPress has XSS via kento_pvc_geo.

The fossura-tag-miner plugin before 1.1.5 for WordPress has XSS.

The safe-editor plugin before 1.2 for WordPress has no se_save authentication, with resultant XSS.

The fluid-responsive-slideshow plugin before 2.2.7 for WordPress has reflected XSS via the skin parameter.

OpenEMR v5.0.1-6 allows XSS.

The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.

An issue was discovered in GitLab Community and Enterprise Edition 8.1 through 12.2.1.

An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.2.1.

The Brafton plugin before 3.4.8 for WordPress has XSS via the wp-admin/admin.php?page=BraftonArticleLoader tab parameter to BraftonAdminPage.php.

The CRM Plugin before 4.2.4 for Redmine allows XSS via crafted vCard data.

Bento4 1.5.1-628 has a NULL pointer dereference in AP4_ByteStream::ReadUI32 in Core/Ap4ByteStream.cpp when called from the AP4_TrunAtom class.

GPAC 0.7.1 has a memory leak in dinf_Read in isomedia/box_code_base.c.

The supportflow plugin before 0.7 for WordPress has XSS via a ticket excerpt.

The supportflow plugin before 0.7 for WordPress has XSS via a discussion ticket title.

The real3d-flipbook-lite plugin 1.0 for WordPress has XSS via the wp-content/plugins/real3d-flipbook/includes/flipbooks.php bookId parameter.

The dwnldr plugin before 1.01 for WordPress has XSS via the User-Agent HTTP header.

The Akal theme through 2016-08-22 for WordPress has XSS via the framework/brad-shortcodes/tinymce/preview.php sc parameter.

Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, leading to Local File Inclusion.

An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver devices with firmware 5.2.2.

The wp-invoice plugin before 4.1.1 for WordPress has wpi_update_user_option privilege escalation.

The admin-management-xtended plugin before 2.4.0.1 for WordPress has privilege escalation because wp_ajax functions are mishandled.

An issue was discovered in PRiSE adAS 1.7.0.

Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download.

RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information disclosure vulnerability.

VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability where Virtual Machines deployed from an OVF could expose login information via the virtual machine's vAppConfig properties.

VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability due to the logging of credentials in plain-text for virtual machines deployed through OVF.

IBM Financial Transaction Manager (FTM) for Multi-Platform (MP) v2.0.0.0 through 2.0.0.5, v2.1.0.0 through 2.1.0.4, v2.1.1.0 through 2.1.1.4, and v3.0.0.0 through 3.0.0.8 could allow a remote attacker to traverse directories on the system.

3S-Smart Software Solutions GmbH CODESYS V3 OPC UA Server, all versions 3.5.11.0 to 3.5.15.0, allows an attacker to send crafted requests from a trusted OPC UA client that cause a NULL pointer dereference, which may trigger a denial-of-service condition.

The ghost plugin before 0.5.6 for WordPress has no access control for wp-admin/tools.php?ghostexport=true downloads of exported data.

The nelio-ab-testing plugin before 4.5.0 for WordPress has filename=..%2f directory traversal.

An issue was discovered in GitLab Community and Enterprise Edition 8.6 through 12.2.1.

An issue was discovered in GitLab Community and Enterprise Edition 7.12 through 12.2.1.

Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 routers have a JUCI ACL misconfiguration that allows the "user" account to extract the 3DES key via JSON commands to ubus.

The estatik plugin before 2.3.1 for WordPress has authenticated arbitrary file upload (exploitable with CSRF) via es_media_images[] to wp-admin/admin-ajax.php.

IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 does not set the secure attribute on authorization tokens or session cookies.

An issue was discovered in ThinkSAAS 2.91.

Ogma CMS 0.5 has XSS via creation of a new blog.

An issue was discovered in ZrLog 2.1.1.

The websimon-tables plugin through 1.3.4 for WordPress has wp-admin/tools.php edit_style id XSS.

The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php deletegc XSS.

The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_desc parameter.

The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_name parameter.

The sola-support-tickets plugin before 3.13 for WordPress has incorrect access control for /wp-admin with resultant XSS.

The mtouch-quiz plugin before 3.1.3 for WordPress has XSS via a quiz name.

An issue was discovered in PRiSE adAS 1.7.0.

Zulip server before 2.0.5 incompletely validated the MIME types of uploaded files.

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin console is vulnerable to a Client-side HTTP parameter pollution vulnerability.

The ScoreMe theme through 2016-04-01 for WordPress has XSS via the s parameter.

The Traveloka application 3.14.0 for Android exports com.traveloka.android.activity.common.WebViewActivity, leading to the opening of arbitrary URLs, which can inject deceptive content into the UI.

An issue was discovered in GNOME file-roller before 3.29.91.

A flaw was found in FreeIPA versions 4.5.0 and later.

Norton Password Manager, prior to 6.5.0.2104, may be susceptible to an information disclosure issue, which is a type of vulnerability whereby there is an unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.

The File Session Manager in Beego 1.10.0 allows local users to read session files because of weak permissions for individual files.

The File Session Manager in Beego 1.10.0 allows local users to read session files because there is a race condition involving file creation within a directory with weak permissions.