Weekly Vulnerabilities Reports > September 23 to 29, 2019

Dell EMC Integrated Data Protection Appliance versions prior to 2.3 do not limit the number of authentication attempts to the ACM API.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libeffects, there is a possible out of bounds write due to a missing bounds check.

In Bluetooth, there is a possible out of bounds write due to a missing bounds check.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libstagefright, there is a possible out of bounds write due to a heap buffer overflow.

In libFDK, there is a possible out of bounds write due to an integer overflow.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libMpegTPDec, there is a possible out of bounds write due to an integer overflow.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libMpegTPDec, there is a possible out of bounds write due to an integer overflow.

In libFDK, there is a possible out of bounds write due to an integer overflow.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In libAACdec, there is a possible out of bounds write due to an integer overflow.

In Bluetooth, there is a possible remote code execution due to an improper memory allocation.

In libexif, there is a possible out of bounds write due to an integer overflow.

In MPEG4Extractor, there is a possible out of bounds write due to an integer overflow.

In libmediaextractor there is a possible out of bounds write due to an integer overflow.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write to missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

In libxaac, there is a possible out of bounds write due to a missing bounds check.

The Nulock application 1.5.0 for mobile devices sends a cleartext password over Bluetooth, which allows remote attackers (after sniffing the network) to take control of the lock.

It is possible to delete an IndexedDB key value and subsequently try to extract it during conversion.

Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on malicious links in a chat application.

A use-after-free vulnerability can occur while manipulating video elements if the body is freed while still in use.

Mozilla developers and community members reported memory safety bugs present in Firefox 68, Firefox ESR 68, and Firefox 60.8.

Mozilla developers and community members reported memory safety bugs present in Firefox 68 and Firefox ESR 68.

CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn't be allowed by submitting an array of requested scopes.

CF UAA versions prior to 74.1.0, allow external input to be directly queried against.

diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands.

The sendpress plugin before 1.2 for WordPress has SQL Injection via the wp-admin/admin.php?page=sp-queue listid parameter.

The unite-gallery-lite plugin before 1.5 for WordPress has SQL injection via data[galleryID] to wp-admin/admin-ajax.php.

The unite-gallery-lite plugin before 1.5 for WordPress has CSRF and SQL injection via wp-admin/admin-ajax.php in a unitegallery_ajax_action operation.

GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature.

Multiple vulnerabilities in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands with elevated privileges on the affected device.

Multiple vulnerabilities in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands with elevated privileges on the affected device.

A vulnerability in the IOx application environment for Cisco IOS Software could allow an authenticated, remote attacker to gain unauthorized access to the Guest Operating System (Guest OS) running on an affected device.

pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value.

kkcms v1.3 has a CSRF vulnerablity that can add an user account via admin/cms_user_add.php.

A vulnerability in the Cisco TrustSec (CTS) Protected Access Credential (PAC) provisioning module of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device, resulting in a denial of service (DoS) condition.

Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.

Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection.

An integer overflow in WhatsApp media parsing libraries allows a remote attacker to perform an out-of-bounds write on the heap via specially-crafted EXIF tags in WEBP images.

In profman, there is a possible out of bounds write due to memory corruption.

In opencv calls that use libpng, there is a possible out of bounds write due to a missing bounds check.

In notification management of the service manager, there is a possible permissions bypass.

In the Activity Manager service, there is a possible permission bypass due to incorrect permission check.

In Keymaster, there is a possible EoP due to a use after free.

In com.android.apps.tag, there is a possible bypass of user interaction requirements due to a missing permission check.

In tzdata there is possible memory corruption due to a mismatch between allocation and deallocation functions.

In telephony, there is a possible bypass of user interaction requirements due to missing permission checks.

In wifilogd, there is a possible out of bounds write due to a missing bounds check.

In Bluetooth, there is a possible out of bounds write due to an integer overflow.

In Platform, there is a possible bypass of user interaction requirements due to missing permission checks.

The Firefox installer allows Firefox to be installed to a custom user writable location, leaving it unprotected from manipulation by unprivileged users or malware.

LibreOffice documents can contain macros.

The "CLink4Service" service is installed with Corsair Link 4.9.7.35 with insecure permissions by default.

The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2.0.214, running with NT\SYSTEM privilege, accepts network connections from localhost.

The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2.0.214, running with NT\SYSTEM privilege, accepts network connections from localhost.

The Text-to-speech Engine (aka SamsungTTS) application before 3.0.02.7 and 3.0.00.101 for Android allows a local attacker to escalate privileges, e.g., to system privileges.

A vulnerability in a CLI command related to the virtualization manager (VMAN) in Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with root privileges.

A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to gain shell access on an affected device and execute commands on the underlying operating system (OS).

In IrfanView 4.53, Data from a Faulting Address controls a subsequent Write Address starting at image00400000+0x000000000001dcfc.

In Rockwell Automation Arena Simulation Software Cat.

In Total Defense Anti-virus 9.0.0.773, resource acquisition from the untrusted search path C:\ used by caschelp.exe allows local attackers to hijack ccGUIFrm.dll, which leads to code execution.

In Total Defense Anti-virus 9.0.0.773, insecure access control for the directory %PROGRAMDATA%\TotalDefense\Consumer\ISS\9\bd\TDUpdate2\ used by AMRT.exe allows local attackers to hijack bdcore.dll, which leads to privilege escalation when the AMRT service loads the DLL.

In Total Defense Anti-virus 9.0.0.773, insecure access control for the directory %PROGRAMDATA%\TotalDefense\Consumer\ISS\9\ used by ccschedulersvc.exe allows local attackers to hijack dotnetproxy.exe, which leads to privilege escalation when the ccSchedulerSVC service runs the executable.

Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, allow multiple vulnerabilities to be exploited when a valid user opens a specially crafted, malicious input file that can reference memory after it has been freed.

Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, allow multiple vulnerabilities to be exploited when a valid user opens a specially crafted, malicious input file that causes the program to mishandle pointers.

Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, allow multiple vulnerabilities to be exploited when a valid user opens a specially crafted, malicious input file that operates outside of the designated memory area.

In radare2 before 3.9.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c.

In Bluetooth, there is a possible out of bounds read due to an incorrect bounds check.

In Bluetooth, there is a possible out of bounds read due to improper input validation.

In Bluetooth, there is a possible null pointer dereference due to a missing null check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In the Screen Lock, there is a possible information disclosure due to an unusual root cause.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is a possible null pointer dereference due to a missing null check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is possible controlled termination due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In netd, there is a possible out of bounds read due to a use after free.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to uninitialized data.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible crash due to an integer overflow.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In GoogleContactsSyncAdapter, there is a possible path traversal due to improper input sanitization.

In the wifi hotspot service, there is a possible denial of service due to a null pointer dereference.

In Bluetooth, there is a possible out of bounds read due to an incorrect bounds check.

In Bluetooth, there is a possible out of bounds read due to an incorrect bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In wpa_supplicant_8, there is a possible out of bounds read due to a missing bounds check.

In wpa_supplicant_8, there is a possible out of bounds read due to an incorrect bounds check.

In libvpx, there is a possible out of bounds read due to a missing bounds check.

A crafted S/MIME message consisting of an inner encryption layer and an outer SignedData layer was shown as having a valid digital signature, although the signer might have had no access to the contents of the encrypted message, and might have stripped a different signature from the encrypted message.

ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 and earlier have a Security bypass vulnerability.

In the Linux kernel before 4.17, hns_roce_alloc_ucontext in drivers/infiniband/hw/hns/hns_roce_main.c does not initialize the resp data structure, which might allow attackers to obtain sensitive information from kernel stack memory, aka CID-df7e40425813.

In the ARforms plugin 3.7.1 for WordPress, arf_delete_file in arformcontroller.php allows unauthenticated deletion of an arbitrary file by supplying the full pathname.

An issue was discovered in CKFinder through 2.6.2.1.

A denial of service vulnerability was reported in Lenovo System Update versions prior to 5.07.0088 that could allow configuration files to be written to non-standard locations.

An internal product security audit discovered a session handling vulnerability in the web interface of ThinkAgile CP-SB (Storage Block) BMC in firmware versions prior to 1908.M.

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a client sends certain sequences of protocol commands.

Advantech WebAccess/HMI Designer 2.1.9.31 has Exception Handler Chain corruption starting at Unknown Symbol @ 0x0000000000000000 called from ntdll!RtlRaiseStatus+0x00000000000000b4.

Advantech WebAccess/HMI Designer 2.1.9.31 has a User Mode Write AV starting at MSVCR90!memcpy+0x000000000000015c.

In Advantech WebAccess/HMI Designer 2.1.9.31, Data from a Faulting Address controls Code Flow starting at PM_V3!CTagInfoThreadBase::GetNICInfo+0x0000000000512918.

The bj-lazy-load plugin before 1.0 for WordPress has Remote File Inclusion.

A vulnerability in the RADIUS Change of Authorization (CoA) code of Cisco TrustSec, a feature within Cisco IOS XE Software, could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

A vulnerability in the Dialer interface feature for ISDN connections in Cisco IOS XE Software for Cisco 4000 Series Integrated Services Routers (ISRs) could allow an unauthenticated, adjacent attacker to pass IPv4 traffic through an ISDN channel prior to successful PPP authentication.

A vulnerability in the HTTP server code of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the HTTP server to crash.

A vulnerability in the filesystem resource management code of Cisco IOS XE Software could allow an unauthenticated, remote attacker to exhaust filesystem resources on an affected device and cause a denial of service (DoS) condition.

A vulnerability in Unified Threat Defense (UTD) in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

A vulnerability in the IOx application environment of multiple Cisco platforms could allow an unauthenticated, remote attacker to cause the IOx web server to stop processing HTTPS requests, resulting in a denial of service (DoS) condition.

A vulnerability in the FTP application layer gateway (ALG) functionality used by Network Address Translation (NAT), NAT IPv6 to IPv4 (NAT64), and the Zone-Based Policy Firewall (ZBFW) in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

A vulnerability in the common Session Initiation Protocol (SIP) library of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

A vulnerability in the Raw Socket Transport feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

A vulnerability in the ingress packet processing function of Cisco IOS Software for Cisco Catalyst 4000 Series Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

BIG-IP APM Edge Client before version 7.1.8 (7180.2019.508.705) logs the full apm session ID in the log files.

Ubiquiti EdgeMAX devices before 2.0.3 allow remote attackers to cause a denial of service (disk consumption) because *.cache files in /var/run/beaker/container_file/ are created when providing a valid length payload of 249 characters or fewer to the beaker.session.id cookie in a GET header.

A vulnerability in the Ident protocol handler of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

A vulnerability in the Network Address Translation (NAT) Session Initiation Protocol (SIP) Application Layer Gateway (ALG) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.

An issue was discovered in the string-interner crate before 0.7.1 for Rust.

Jenkins Aqua Security Scanner Plugin 3.0.17 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

Jenkins Inedo ProGet Plugin 1.2 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

Jenkins Inedo BuildMaster Plugin 2.4.0 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

RIOT 2019.07 contains a NULL pointer dereference in the MQTT-SN implementation (asymcute), potentially allowing an attacker to crash a network node running RIOT.

SICK FX0-GPNT00000 and FX0-GENT00000 devices through 3.4.0 have a Buffer Overflow

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'.

A denial of service vulnerability exists when Microsoft Defender improperly handles files, aka 'Microsoft Defender Denial of Service Vulnerability'.

Home Assistant before 0.67.0 was vulnerable to an information disclosure that allowed an unauthenticated attacker to read the application's error log via components/api.py.

Within Sahi Pro 8.0.0, an attacker can send a specially crafted URL to include any victim files on the system via the script parameter on the Script_view page.

ZZZCMS zzzphp v1.7.2 does not properly restrict file upload in plugins/ueditor/php/controller.php?upfolder=news&action=catchimage, as demonstrated by uploading a .htaccess or .php5 file.

In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv.c allows attackers to obtain sensitive information from kernel stack memory because tos and flags fields are not initialized.

A vulnerability in the HTTP client feature of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to read and modify data that should normally have been sent via an encrypted channel.

In Platform, there is a possible bypass of user interaction requirements due to background app interception.

In NFC server, there is a possible out of bounds write due to a missing bounds check.

In NFC, there is a possible out of bounds write due to a missing bounds check.

In NFC, there is a possible out of bounds write due to a missing bounds check.

In System Settings, there is a possible permissions bypass due to a cached Linux user ID.

Dell EMC Integrated Data Protection Appliance versions prior to 2.3 contain a password storage vulnerability in the ACM component.

In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference.

The microblog-poster plugin before 1.6.2 for WordPress has SQL Injection via the wp-admin/options-general.php?page=microblogposter.php account_id parameter.

HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations.

The Mozilla Maintenance Service does not guard against files being hardlinked to another file in the updates directory, allowing for the replacement of local files, including the Maintenance Service executable, which is run with privileged access.

In libhidcommand_jni, there is a possible out of bounds write due to a missing bounds check.

A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker with physical access to an affected device to execute arbitrary code on the underlying operating system (OS) with root privileges.

In LockPatternUtils, there is a possible escalation of privilege due to an improper permissions check.

In sensorservice, there is a possible out of bounds write due to a missing bounds check.

In the Bluetooth stack, there is a possible out of bounds write due to a use after free.

A vulnerability in a CLI command related to the virtualization manager (VMAN) in Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with root privileges.

A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker within the IOx Guest Shell to modify the namespace container protections on an affected device.

A vulnerability in the Guest Shell of Cisco IOS XE Software could allow an authenticated, local attacker to perform directory traversal on the base Linux operating system of Cisco IOS XE Software.

A vulnerability in Cisco NX-OS Software and Cisco IOS XE Software could allow an authenticated, local attacker with valid administrator or privilege level 15 credentials to load a virtual service image and bypass signature verification on an affected device.

A vulnerability in a Virtualization Manager (VMAN) related CLI command of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with a privilege level of root.

A vulnerability in the Image Verification feature of Cisco IOS XE Software could allow an authenticated, local attacker to install and boot a malicious software image or execute unsigned binaries on an affected device.

An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3.

An Uncontrolled Search Path Vulnerability is applicable to the following: Dell Update Package (DUP) Framework file versions prior to 19.1.0.413, and Framework file versions prior to 103.4.6.69 used in Dell EMC Servers.

On NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices, Flash Access Controls (FAC) (a software IP protection method for execute-only access) can be defeated by leveraging a load instruction inside the execute-only region to expose the protected code into a CPU register.

On STMicroelectronics STM32F7 devices, Proprietary Code Read Out Protection (PCROP) (a software IP protection method) can be defeated with a debug probe via the Instruction Tightly Coupled Memory (ITCM) bus.

In libvpx, there is a possible information disclosure due to improper input validation.

In the Framework, it is possible to set up BROWSEABLE intents to take over certain URLs.

In libhevc, there is a possible out of bounds read due to an integer overflow.

In libstagefright, there is a possible resource exhaustion due to a missing bounds check.

In libstagefright there is a possible information disclosure due to uninitialized data.

In libstagefright there is a possible information disclosure due to uninitialized data.

In libSBRdec there is a possible out of bounds read due to incorrect bounds check.

In libavc there is a possible information disclosure due to uninitialized data.

In libavc there is a possible information disclosure due to uninitialized data.

In libhevc there is a possible information disclosure due to uninitialized data.

In libavc there is a possible information disclosure due to uninitialized data.

In libhevc there is a possible information disclosure due to uninitialized data.

In cn-cbor, there is a possible out of bounds read due to improper casting.

In libxaac, there is a possible out of bounds read due to uninitialized data.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In the settings UI, there is a possible spoofing vulnerability due to a missing permission check.

In libstagefright, there is a possible resource exhaustion due to a missing bounds check.

In libskia, there is a possible crash due to a missing null check.

In libvpx, there is a possible resource exhaustion due to improper input validation.

In sonivox, there is a possible out of bounds read due to an incorrect bounds check.

In libSBRdec there is a possible out of bounds read due to a missing bounds check.

In libSACdec, there is a possible out of bounds read due to a missing bounds check.

In libavc there is a possible information disclosure due to uninitialized data.

In libavc there is a possible information disclosure due to uninitialized data.

In NFC server, there's a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In libstagefright, there is a possible resource exhaustion due to a missing bounds check.

In libstagefright, there is a possible resource exhaustion due to improper input validation.

In libstagefright, there is a possible resource exhaustion due to improper input validation.

In libavc there is a possible information disclosure due to uninitialized data.

In libavc there is a possible information disclosure due to uninitialized data.

In libavc there is a possible information disclosure due to uninitialized data.

In libavc there is a possible information disclosure due to uninitialized data.

In libhevc there is a possible information disclosure due to uninitialized data.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In libvpx, there is a possible out of bounds read due to a missing bounds check.

In libavc there is a possible information disclosure due to uninitialized data.

In libavc, there is a missing variable initialization.

In libavc, there is a missing variable initialization.

In libavc, there is a missing variable initialization.

In libhevc, there is a missing variable initialization.

In libstagefright, there is a missing variable initialization.

In libstagefright, there is a missing variable initialization.

In libhevc, there is a missing variable initialization.

In libavc, there is a missing variable initialization.

In libstagefright, there is a missing variable initialization.

In libstagefright, there is a possible out of bounds read due to a missing bounds check.

In libstagefright, there is a possible out of bounds read due to a missing bounds check.

In AAC Codec, there is a possible resource exhaustion due to improper input validation.

In skia, there is a possible out of bounds read due to a missing bounds check.

In libxaac there is a possible out of bounds read due to missing bounds check.

In libxaac there is a possible out of bounds read due to missing bounds check.

In libavc there is a possible out of bounds read due to uninitialized data.

In AAC Codec, there is a missing variable initialization.

In the NFC stack, there is a possible out of bounds write due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In libxaac there is a possible information disclosure due to uninitialized data.

In libxaac there is a possible information disclosure due to uninitialized data.

In libxaac there is a possible information disclosure due to uninitialized data.

In libxaac there is a possible information disclosure due to uninitialized data.

In libxaac there is a possible information disclosure due to uninitialized data.

In libxaac there is a possible information disclosure due to uninitialized data.

In libxaac there is a possible information disclosure due to uninitialized data.

In libxaac there is a possible out of bounds read due to a missing bounds check.

In libxaac there is a possible out of bounds read due to a missing bounds check.

In libxaac there is a possible out of bounds read due to a missing bounds check.

In libxaac there is a possible out of bounds read due to a missing bounds check.

In libxaac there is a possible out of bounds read due to a missing bounds check.

In libxaac there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible information disclosure due to uninitialized data.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

In libxaac, there is a possible out of bounds read due to a missing bounds check.

A type confusion vulnerability exists in Spidermonkey, which results in a non-exploitable crash.

WebRTC in Firefox will honor persisted permissions given to sites for access to microphone and camera resources even when in a third-party context.

The "Forget about this site" feature in the History pane is intended to remove all saved user data that indicates a user has visited a site.

A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a <canvas> element due to an error in how same-origin policy is applied to cached image content.

Encrypted S/MIME parts in a crafted multipart/alternative message can leak plaintext when included in a a HTML reply/forward.

IBM MQ 7.1.0.0 - 7.1.0.9, 7.5.0.0 - 7.5.0.9, 8.0.0.0 - 8.0.0.11, 9.0.0.0 - 9.0.0.6, 9.1.0.0 - 9.1.0.2, and 9.1.1 - 9.1.2 is vulnerable to a denial of service attack caused by a memory leak in the clustering code.

phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature.

In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer.

IBM MQ 7.5.0.0 - 7.5.0.9, 7.1.0.0 - 7.1.0.9, 8.0.0.0 - 8.0.0.12, 9.0.0.0 - 9.0.0.6, 9.1.0.0 - 9.1.0.2, and 9.1.0 - 9.1.2 command server is vulnerable to a denial of service attack caused by an authenticated and authorized user using specially crafted PCF messages.

The unite-gallery-lite plugin before 1.5 for WordPress has CSRF and SQL injection via wp-admin/admin.php galleryid or id parameters.

The accurate-form-data-real-time-form-validation plugin 1.2 for WordPress has CSRF with resultant XSS via wp-admin/options-general.php?page=Accu_Data_WP.

The avenirsoft-directdownload plugin 1.0 for WordPress has CSRF with resultant XSS via wp-admin/admin.php?page=avenir_plugin.

The bookmarkify plugin 2.9.2 for WordPress has CSRF with resultant XSS via wp-admin/options-general.php?page=bookmarkify.php.

The monetize plugin through 1.03 for WordPress has CSRF with resultant XSS via wp-admin/admin.php?page=monetize-zones-new.

The dynamic-widgets plugin before 1.5.11 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=dynwid-config page_limit parameter.

The kiwi-logo-carousel plugin before 1.7.2 for WordPress has CSRF with resultant XSS via the wp-admin/edit.php?post_type=kwlogos&page=kwlogos_settings tab or tab_flags_order parameter.

The wp-social-bookmarking-light plugin before 1.7.10 for WordPress has CSRF with resultant XSS via configuration parameters for Tumblr, Twitter, Facebook, etc.

The alpine-photo-tile-for-instagram plugin before 1.2.7.6 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=alpine-photo-tile-for-instagram-settings tab parameter.

The qtranslate-x plugin before 3.4.4 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=qtranslate-x json_config_files or json_custom_i18n_config parameter.

The yith-maintenance-mode plugin before 1.2.0 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=yith-maintenance-mode panel_page parameter.

The wplegalpages plugin before 1.1 for WordPress has CSRF with resultant XSS via wp-admin/admin.php?page=legal-pages lp-domain-name, lp-business-name, lp-phone, lp-street, lp-city-state, lp-country, lp-email, lp-address, or lp-niche parameters.

The googmonify plugin through 0.5.1 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=googmonify.php PID or AID parameter.

The multicons plugin before 3.0 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=multicons%2Fmulticons.php global_url or admin_url parameter.

The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has CSRF with resultant XSS via wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load plugnedit_width, pnemedcount, PlugneditBGColor, PlugneditEditorMargin, or plugneditcontent parameters.

The olevmedia-shortcodes plugin before 1.1.9 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=omsc_popup id parameter.

The testimonial-slider plugin through 1.2.1 for WordPress has CSRF with resultant XSS.

The eshop plugin through 6.3.13 for WordPress has CSRF with resultant XSS via the wp-admin/admin.php?page=eshop-downloads.php title parameter.

In BIG-IQ 6.0.0-6.1.0, services for stats do not require authentication nor do they implement any form of Transport Layer Security (TLS).

The alo-easymail plugin before 2.6.01 for WordPress has CSRF with resultant XSS in pages/alo-easymail-admin-options.php.

Jenkins Google Calendar Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Jenkins Call Remote Job Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

Jenkins Git Changelog Plugin 2.17 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

Jenkins Data Theorem: CI/CD Plugin 1.3 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

Jenkins Project Inheritance Plugin 2.0.0 and earlier displayed a list of environment variables passed to a build without masking sensitive variables contributed by the Mask Passwords Plugin.

HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file parameter to admin/index.php/database/ajax?action=delete, a similar issue to CVE-2018-16774.

An issue was discovered in BlueStacks 4.110 and below on macOS and on 4.120 and below on Windows.

IBM Security Key Lifecycle Manager 3.0 and 3.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, uses a hard-coded password to encrypt protected files in transit and at rest, which may allow an attacker to access configuration files.

NoneCMS v1.3 has CSRF in public/index.php/admin/admin/dele.html, as demonstrated by deleting the admin user.

WTCMS 1.0 allows index.php?g=admin&m=index&a=index CSRF with resultant XSS.

ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrated by PingImage in MagickCore/constitute.c.

ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by WritePS3Image.

ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in coders/ps2.c.

ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c.

ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage.

ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage.

Hunspell 1.7.0 has an invalid read operation in SuggestMgr::leftcommonsubstring in suggestmgr.cxx.

In hostapd, there is a possible out of bounds write due to a race condition.

In the Easel driver, there is possible memory corruption due to race conditions.

In the Easel driver, there is possible memory corruption due to race conditions.

SilverStripe through 4.3.3 allows session fixation in the "change password" form.

It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library.

The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field.

Flower 0.9.3 has XSS via a crafted worker name.

Flower 0.9.3 has XSS via the name parameter in an @app.task call.

Some HTML elements, such as <title> and <textarea>, can contain literal angle brackets without treating them as markup.

A compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on content from any site it can cause to be loaded in the same process.

kkcms 1.3 has jx.php?url= XSS.

Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 allows remote attackers to store and embed the malicious script into the admin notification page.

An XSS issue was discovered in pfSense through 2.4.4-p3.

An HTTP Host header injection vulnerability exists in YzmCMS V5.3.

In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page.

The altos-connect plugin 1.3.0 for WordPress has XSS via the wp-content/plugins/altos-connect/jquery-validate/demo/demo/captcha/index.php/ PATH_SELF.

The crazy-bone plugin before 0.6.0 for WordPress has XSS via the User-Agent HTTP header.

The soundcloud-is-gold plugin before 2.3.2 for WordPress has XSS via the wp-admin/admin-ajax.php?action=get_soundcloud_player id parameter.

The captain-slider plugin 1.0.6 for WordPress has XSS via a Title or Caption section.

The sitepress-multilingual-cms (WPML) plugin 2.9.3 to 3.2.6 for WordPress has XSS via the Accept-Language HTTP header.

The wp-symposium plugin through 15.8.1 for WordPress has XSS via the wp-content/plugins/wp-symposium/get_album_item.php?size parameter.

The Royal-Slider plugin before 3.2.7 for WordPress has XSS via the rstype parameter.

The Postmatic plugin before 1.4.6 for WordPress has XSS.

An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.

SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS.

In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates.

An issue was discovered in Devise Token Auth through 1.1.2.

CoreOS Tectonic 1.7.x and 1.8.x before 1.8.7-tectonic.2 deploys the Grafana web application using default credentials (admin/admin) for the administrator account located at grafana-credentials secret.

DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari.

On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.

On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the plain editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.

On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to InfoContent.jsp, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.

On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the WYSIWYG editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.

On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Page Revision History, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.

admin/infolist_add.php in PHPMyWind 5.6 has stored XSS.

In wpa_supplicant, there is a possible man in the middle vulnerability due to improper input validation of the basicConstraints field of intermediary certificates.

The Print Service is susceptible to man in the middle attacks due to improperly used crypto.

Xpdf 4.01.01 has an out-of-bounds write in the vertProfile part of the TextPage::findGaps function in TextOutputDev.cc, a different vulnerability than CVE-2019-9877.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible information disclosure due to a use after free.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Account of Account.java, there is a possible boot loop due to improper input validation.

In JobStore, there is a mismatched serialization/deserialization for the "battery-not-low" job attribute.

In Bluetooth, there is a use of uninitialized variable.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In the m4v_h263 codec, there is a possible out of bounds read due to a use after free.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In WiFi, there is a possible leak of WiFi state due to a permissions bypass.

In libstagefright, there is a possible use-after-free due to improper locking.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In wpa_supplicant_8, there is a possible out of bounds read due to a missing bounds check.

A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to write values to the underlying memory of an affected device.

Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

Jenkins GitLab Logo Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Jenkins elOyente Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Jenkins CodeScan Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Jenkins Assembla Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Jenkins vFabric Application Director Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

IBM Security Key Lifecycle Manager 3.0 and 3.0.1 stores user credentials in plain in clear text which can be read by a local user.

Dolibarr 9.0.5 has stored XSS in an Email Template section to mails_templates.php.

Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section to card.php.

Dolibarr 9.0.5 has stored XSS in a User Note section to note.php.

Dolibarr 9.0.5 has stored XSS vulnerability via a User Group Description section to card.php.

TeamPass 2.1.27.36 allows Stored XSS by setting a crafted password for an item in a common available folder or sharing the item with an admin.

In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS.

The display-widgets plugin before 2.04 for WordPress has XSS via the wp-admin/admin-ajax.php?action=dw_show_widget id_base, widget_number, or instance parameter.

The dynamic-widgets plugin before 1.5.11 for WordPress has XSS via the wp-admin/admin-ajax.php?action=term_tree prefix or widget_id parameter.

The social-locker plugin before 4.2.5 for WordPress has CSRF with resultant XSS via the wp-admin/edit.php?post_type=opanda-item&page=license-manager-sociallocker-next licensekey parameter.

The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has XSS via wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load PlugneditBGColor, PlugneditEditorMargin, plugnedit_width, pnemedcount, or plugneditcontent parameters.

The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS via the tab parameter.

Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content/posts/comments.

IBM Content Navigator 3.0CD is vulnerable to cross-site scripting.

There is a Stored Cross Site Scripting vulnerability in the undisclosed page of a BIG-IQ 6.0.0-6.1.0 or 5.2.0-5.4.0 system.

Jenkins Log Parser Plugin 2.0 and earlier did not escape an error message, resulting in a cross-site scripting vulnerability exploitable by users able to define log parsing rules.

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors.

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions.

In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents.

In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure).

Zcashd in Zcash before 2.0.7-3 allows discovery of the IP address of a full node that owns a shielded address, related to mishandling of exceptions during deserialization of note plaintexts.

In the Wallpaper Manager service, there is a possible information disclosure due to a missing permission check.

If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly applied to content.

SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 allows unintended public exposure of files.

An issue was discovered in CKFinder through 2.6.2.1 and 3.x through 3.5.0.

In Honeywell Performance IP Cameras and Performance NVRs, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data in JSON format for IP cameras and NVRs (Network Video Recorders), which can be accessed without authentication over the network.

IBM QRadar SIEM 7.2 and 7.3 is vulnerable to Server Side Request Forgery (SSRF).

In SilverStripe assets 4.0, there is broken access control on files.

Platinum UPnP SDK 1.2.0 allows Directory Traversal in Core/PltHttpServer.cpp because it checks for /..

In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.

On versions 13.0.0-13.1.0.1, 12.1.0-12.1.4.1, 11.6.1-11.6.4, and 11.5.1-11.5.9, BIG-IP platforms where AVR, ASM, APM, PEM, AFM, and/or AAM is provisioned may leak sensitive data.

SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile().

In BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.5.1-11.6.4, BIG-IQ 7.0.0, 6.0.0-6.1.0,5.2.0-5.4.0, iWorkflow 2.3.0, and Enterprise Manager 3.1.1, the Configuration utility login page may not follow best security practices when handling a malicious request.

Jenkins Aqua MicroScanner Plugin 1.0.7 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

In libandroidfw, there is a possible OOB read due to an integer overflow.

In NFC server, there is a possible out of bounds read due to a missing bounds check.

In NFC server, there is a possible out of bounds read due to a missing bounds check.

In NFC server, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.

In NFC, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

In Bluetooth, there is a possible out of bounds read due to a use after free.

The SAML identifier generated within SAML2Utils.java was found to make use of the apache commons-lang3 RandomStringUtils class which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.

An issue was discovered in Grafana 5.4.0.

Dell EMC Integrated Data Protection Appliance versions prior to 2.3 contain a stored cross-site scripting vulnerability.

The easy-fancybox plugin before 1.8.18 for WordPress (aka Easy FancyBox) is susceptible to Stored XSS in the Settings Menu inc/class-easyfancybox.php due to improper encoding of arbitrarily submitted settings parameters.

The addthis plugin before 5.0.13 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=addthis_social_widget pubid parameter.

A vulnerability in the web framework code of Cisco IOS and Cisco IOS XE Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of the affected software using the banner parameter.

A vulnerability in the web framework code of Cisco IOS XE Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of the affected software.

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.

admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS.

The manual-image-crop plugin before 1.11 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=mic_editor_window postId parameter.

In the TEE, there's a possible out of bounds read due to a missing bounds check.

In KeyStore, there is a possible storage of symmetric keys in the TEE instead of the strongbox due to a missing strongbox flag.

A specific utility may allow an attacker to gain read access to privileged files in the Niagara AX 3.8u4 (JACE 3e, JACE 6e, JACE 7, JACE-8000), Niagara 4.4u3 (JACE 3e, JACE 6e, JACE 7, JACE-8000), and Niagara 4.7u1 (JACE-8000, Edge 10).

In LG's LAF component, there is a possible leak of information in a protected disk partition due to a missing bounds check.

In LG's LAF component, there is a possible leak of information in a protected disk partition due to a missing bounds check.

When the pointer lock is enabled by a website though requestPointerLock(), no user notification is given.

A vulnerability exists in WebRTC where malicious web content can use probing techniques on the getUserMedia API using constraints to reveal device properties of cameras on the system without triggering a user prompt or notification.

The Watu Pro plugin before 4.9.0.8 for WordPress has CSRF that allows an attacker to delete quizzes.

On versions 14.0.0-14.1.2, 13.0.0-13.1.3, 12.1.0-12.1.5, and 11.5.1-11.6.5, the BIG-IP system fails to perform Martian Address Filtering (As defined in RFC 1812 section 5.3.7) on the control plane (management interface).

Jenkins Azure Event Grid Build Notifier Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

A missing permission check in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers with Overall/Read permission to trigger project generation from templates.

A cross-site request forgery vulnerability in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers to trigger project generation from templates.

In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter.

An issue was discovered on Swell Kit Mod devices that use the Vandy Vape platform.

In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode.

Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin.

In AOSP Email, there is a possible information disclosure due to a confused deputy.

In the Package Manager service, there is a possible information disclosure due to a confused deputy.

In FingerprintService, there is a possible bypass for operating system protections that isolate user profiles from each other due to a missing permission check.

In AudioService, there is a possible trigger of background user audio due to a permissions bypass.

In SyncStatusObserver, there is a possible bypass for operating system protections that isolate user profiles from each other due to a missing permission check.

In the Activity Manager service, there is a possible information disclosure due to a confused deputy.

In keyguard, there is a possible escalation of privilege due to improper permission checks.

In the proc filesystem, there is a possible information disclosure due to log information disclosure.

In WiFi, the RSSI value and SSID information is broadcast as part of android.net.wifi.RSSI_CHANGE and android.net.wifi.STATE_CHANGE intents.

In SilverStripe through 4.3.3, there is access escalation for CMS users with limited access through permission cache pollution.