Weekly Vulnerabilities Reports > January 20 to 26, 2020

Adive Framework 2.0.8 has admin/config CSRF to change the Administrator password.

A vulnerability in the CLI of the Cisco SD-WAN Solution vManage software could allow an authenticated, local attacker to elevate privileges to root-level privileges on the underlying operating system.

Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument.

A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'.

A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'.

A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'.

A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'.

In Django User Sessions (django-user-sessions) before 1.7.1, the views provided allow users to terminate specific sessions.

A Command Injection vulnerability exists in Vivotek PT7135 IP Cameras 0300a and 0400a via the system.ntp parameter to the farseer.out binary file, which cold let a malicious user execute arbitrary code.

Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input.

An issue was discovered in Big Switch Big Monitoring Fabric 6.2 through 6.2.4, 6.3 through 6.3.9, 7.0 through 7.0.3, and 7.1 through 7.1.3; Big Cloud Fabric 4.5 through 4.5.5, 4.7 through 4.7.7, 5.0 through 5.0.1, and 5.1 through 5.1.4; and Multi-Cloud Director through 1.1.0.

SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries.

plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level.

An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185.

In JFrog Artifactory 5.x and 6.x, insecure FreeMarker template processing leads to remote code execution, e.g., by modifying a .ssh/authorized_keys file.

PrestaShop 1.5.5 allows remote authenticated attackers to execute arbitrary code by uploading a crafted profile and then accessing it in the module/ directory.

BabyGekko before 1.2.4 has SQL injection.

Toshiba ConfigFree 8.0.38 has a CF7 File Remote Command Execution Vulnerability

A double-free is present in libyang before v1.0-r1 in the function yyparse() when an organization field is not terminated.

A double-free is present in libyang before v1.0-r3 in the function yyparse() when a type statement in used in a notification statement.

A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used.

WebKitGTK+ before 2.14.0: A use-after-free vulnerability can allow remote attackers to cause a DoS

Cross-Site Request Forgery (CSRF) vulnerability exists in panel.php in UseBB before 1.0.12.

A Cross-site Request Forgery (CSRF) vulnerability exists in Advanced Electron Forums (AEF) through 1.0.9 due to inadequate confirmation for sensitive transactions in the administrator functions.

The PulseAudio system service in Tizen allows an unprivileged process to control its A2DP MediaEndpoint, due to improper D-Bus security policy configurations.

The pkgmgr system service in Tizen allows an unprivileged process to perform package management actions, due to improper D-Bus security policy configurations.

The marketo-forms-and-tracking plugin through 1.0.2 for WordPress allows wp-admin/admin.php?page=marketo_fat CSRF with resultant XSS.

A vulnerability was discovered in all quay-2 versions before quay-3.0.0, in the Quay web GUI where POST requests include a specific parameter which is used as a CSRF token.

An Arbitrary File Upload issue in the file browser of DIMO YellowBox CRM before 6.3.4 allows a standard authenticated user to deploy a new WebApp WAR file to the Tomcat server via Path Traversal, allowing remote code execution with SYSTEM privileges.

Incorrect Access Control in AfficheExplorateurParam() in DIMO YellowBox CRM before 6.3.4 allows a standard authenticated user to use administrative controllers.

Mozilla Firefox through 1.5.0.3 has a vulnerability in processing the content-length header

A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier.

The CSV upload feature in /supervisor/procesa_carga.php on Logaritmo Aware CallManager 2012 devices allows upload of .php files with a text/* content type.

Meinberg Lantime M300 and M1000 devices allow attackers (with privileges to configure a device) to execute arbitrary OS commands by editing the /config/netconf.cmd script (aka Extended Network Configuration).

Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php.

Multiple vulnerabilities in the implementation of Border Gateway Protocol (BGP) Ethernet VPN (EVPN) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

Multiple vulnerabilities in the implementation of Border Gateway Protocol (BGP) Ethernet VPN (EVPN) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

A vulnerability in the implementation of the Border Gateway Protocol (BGP) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13003.1007.

An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13025.10004.

An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13001.50005.

In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X and 5.X, CARESCAPE Central Station (CSCS) Versions 1.X and CARESCAPE Central Station (CSCS) Versions 2.X, the integrated service for keyboard switching of the affected devices could allow attackers to obtain remote keyboard input access without authentication over the network.

A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading.

The system-popup system service in Tizen allows an unprivileged process to perform popup-related system actions, due to improper D-Bus security policy configurations.

The Enlightenment system service in Tizen allows an unprivileged process to fully control or capture windows, due to improper D-Bus security policy configurations.

storeBackup.pl in storeBackup through 3.5 relies on the /tmp/storeBackup.lock pathname, which allows symlink attacks that possibly lead to privilege escalation.

The update process in Xmind 3.4.1 and earlier allow remote attackers to execute arbitrary code via a man-in-the-middle attack.

Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.

The rtp_packetize_xiph_config function in modules/stream_out/rtpfmt.c in VideoLAN VLC media player before 2.1.6 uses a stack-allocation approach with a size determined by arbitrary input data, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted length value.

Integer overflow in the Encode function in modules/codec/schroedinger.c in VideoLAN VLC media player before 2.1.6 and 2.2.x before 2.2.1 allows remote attackers to conduct buffer overflow attacks and execute arbitrary code via a crafted length value.

The MP4_ReadBox_String function in modules/demux/mp4/libmp4.c in VideoLAN VLC media player before 2.1.6 allows remote attackers to trigger an unintended zero-size malloc and conduct buffer overflow attacks, and consequently execute arbitrary code, via a box size of 7.

The MP4_ReadBox_String function in modules/demux/mp4/libmp4.c in VideoLAN VLC media player before 2.1.6 performs an incorrect cast operation from a 64-bit integer to a 32-bit integer, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large box size.

Integer underflow in the MP4_ReadBox_String function in modules/demux/mp4/libmp4.c in VideoLAN VLC media player before 2.1.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a box size less than 7.

The GetUpdateFile function in misc/update.c in the Updater in VideoLAN VLC media player before 2.1.6 performs an incorrect cast operation from a 64-bit integer to a 32-bit integer, which allows remote attackers to conduct buffer overflow attacks and execute arbitrary code via a crafted update status file, aka an "integer truncation" vulnerability.

An elevation of privilege vulnerability exists in Visual Studio Code when it exposes a debug listener to users of a local computer, aka 'Visual Studio Code Elevation of Privilege Vulnerability'.

An issue was discovered in Ricoh (including Savin and Lanier) Windows printer drivers prior to 2020 that allows attackers local privilege escalation.

media/libmedia/IAudioPolicyService.cpp in Android before 5.1 allows attackers to execute arbitrary code with media_server privileges or cause a denial of service (integer overflow) via a crafted application that provides an invalid array size.

The keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 on 64-bit platforms performs a size calculation without considering the number of bytes occupied by multibyte characters, which allows attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via long UTF-8 strings.

Soapbox through 0.3.1: Sandbox bypass - runs a second instance of Soapbox within a sandboxed Soapbox.

UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of privoxy on openSUSE Leap 15.1, Factory allows local attackers to escalate from user privoxy to root.

SumatraPDF 2.1.1/MuPDF 1.0 allows remote attackers to cause an Integer Overflow in the lex_number() function via a corrupt PDF file.

Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.

In IXP EasyInstall 6.2.13723, there is Lateral Movement (using the Agent Service) against other users on a client system.

A Symbolic Link (Symlink) Following vulnerability in the packaging of munge in SUSE Linux Enterprise Server 15; openSUSE Factory allowed local attackers to escalate privileges from user munge to root.

FastTrack Admin By Request 6.1.0.0 supports group policies that are supposed to allow only a select range of users to elevate to Administrator privilege at will.

FastTrack Admin By Request 6.1.0.0 supports group policies that are supposed to allow only a select range of users to elevate to Administrator privilege at will.

Splunk 5.0.3 has an Unquoted Service Path in Windows for Universal Forwarder which can allow an attacker to escalate privileges

A CWE-427:Uncontrolled Search Path Element vulnerability exists in MSX Configurator (Software Version prior to V1.0.8.1), which could cause privilege escalation when injecting a malicious DLL.

Locked regions may be modified through other interfaces in secure boot loader image due to improper access control.

Possible buffer overflow issue in error processing due to improper validation of array index value in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in APQ8064, APQ8096AU, IPQ4019, IPQ8064, IPQ8074, MDM9607, MDM9615, MDM9640, MSM8996AU, QCN7605

Use after free while processing eeprom query as there is a chance to not unlock mutex after error occurs in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8053, MSM8909W, MSM8917, MSM8953, Nicobar, QCS605, QM215, Rennell, SA6155P, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

Possible stack-use-after-scope issue in NFC usecase for card emulation in Snapdragon Auto, Snapdragon Industrial IOT, Snapdragon Mobile in MSM8917, MSM8953, Nicobar, QM215, Rennell, SDM429, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SM6150, SM7150, SM8150, SM8250, SXR2130

String format issue will occur while processing HLOS data as there is no user input validation to ensure inputs are properly NULL terminated before string copy in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in MDM9607, Nicobar, Rennell, SA6155P, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130

Out-of-bound access will occur in USB driver due to lack of check to validate the frame size passed by user in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in MDM9607, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, QCS605, SDX24

Potential use-after-free heap error during Validate/Present calls on display HW composer in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, QCS605, SDA660, SDM845, SDX20, SM8150

Possible integer overflow happens when mmap find function will increment refcount every time when it invokes and can lead to use after free issue in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8009, APQ8053, MDM9607, MDM9640, MSM8909W, MSM8917, MSM8953, Nicobar, QCS605, QM215, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM660, SDM670, SDM710, SDM845, SDX24, SDX55, SM6150, SM8150, SM8250, SXR1130, SXR2130

Use after free issue occurs when camera access sensors data through direct report mode in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8096AU, MDM9607, MSM8909W, Nicobar, QCS605, SA6155P, SDA845, SDM429W, SDM670, SDM710, SDM845, SM6150, SM8150, SM8250, SXR1130, SXR2130

Use after free issue due to using of invalidated iterator to delete an object in sensors HAL in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8096AU, MSM8909W, Nicobar, QCS605, SA6155P, SDA845, SDM429W, SDM670, SDM710, SDM845, SM6150, SM8150, SM8250, SXR1130, SXR2130

While transferring data from APPS to DSP, Out of bound in FastRPC HLOS Driver due to the data buffer which can be controlled by DSP in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCN7605, QCS605, QM215, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM6150, SM8150, SM8250, SXR1130, SXR2130

While trying to obtain datad ipc handle during DPL initialization, Heap use-after-free issue can occur if modem SSR occurs at same time in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Wearables in APQ8009, APQ8053, APQ8096AU, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCA6574AU, QCS605, QM215, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SM6150, SM7150, SM8150, SXR1130

SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information.

A vulnerability in Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow an unauthenticated, remote attendee to join a password-protected meeting without providing the meeting password.

Novell ZENworks Configuration Management before 11.2.4 allows obtaining sensitive trace information.

Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.

A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths, aka 'Git for Visual Studio Tampering Vulnerability'.

The Hidden Service (HS) client implementation in Tor before 0.2.4.27, 0.2.5.x before 0.2.5.12, and 0.2.6.x before 0.2.6.7 allows remote servers to cause a denial of service (assertion failure and application exit) via a malformed HS descriptor.

The Hidden Service (HS) server implementation in Tor before 0.2.4.27, 0.2.5.x before 0.2.5.12, and 0.2.6.x before 0.2.6.7 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors.

Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle pending-connection resolve states during periods of high DNS load, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via crafted packets.

buf_pullup in Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle unexpected arrival times of buffers with invalid layouts, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via crafted packets.

Multiple directory traversal vulnerabilities in the (1) staff interface help editor (edithelp.pl) or (2) member-picupload.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allow remote attackers to write to arbitrary files via unspecified vectors.

Absolute path traversal vulnerability in tools/pdfViewer.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote attackers to read arbitrary files via unspecified vectors.

An Information Disclosure vulnerability exists via a GET request in Vivotek PT7135 IP Camera 0300a and 0400a due to wireless keys and 3rd party credentials stored in clear text.

CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data.

General Electric D20ME devices are not properly configured and reveal plaintext passwords.

NULL Pointer Dereference in PowerTCP WebServer for ActiveX 1.9.2 and earlier allows remote attackers to cause a denial of service (application crash) via a crafted HTTP request.

Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking.

In IXP EasyInstall 6.2.13723, there are cleartext credentials in network communication on TCP port 20050 when using the Administrator console remotely.

In IXP EasyInstall 6.2.13723, there is Directory Traversal on TCP port 8000 via the Engine Service by an unauthenticated attacker, who can access the server's filesystem with the access rights of NT AUTHORITY\SYSTEM.

Memory leak in the OBJ_obj2txt function in LibreSSL before 2.3.1 allows remote attackers to cause a denial of service (memory consumption) via a large number of ASN.1 object identifiers in X.509 certificates.

A Denial of Service vulnerability exists in the WRITE_C function in the msg_server.exe module in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04 when sending a crafted SAP Message Server packet to TCP ports 36NN and/or 39NN.

EJB method in Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 5; Red Hat JBoss Operations Network 3.1; Red Hat JBoss Portal 4 and 5; Red Hat JBoss SOA Platform 4.2, 4.3, and 5; in Red Hat JBoss Enterprise Web Server 1 ignores roles specified using the @RunAs annotation.

HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace.

Freeciv before 2.3.3 allows remote attackers to cause a denial of service via a crafted packet.

Server-side request forgery (SSRF) vulnerability in feed-proxy.php in extjs 5.0.0.

mIRC before 6.35 allows attackers to cause a denial of service (crash) via a long nickname.

SSRF in AjaxRestrictedCmdStat in zap in Ruckus Wireless Unleashed through 200.7.10.102.64 allows a remote denial of service via the server attribute to the tools/_rcmdstat.jsp URI.

Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice.

An issue exists in Vanilla Forums before 2.0.17.9 due to the way cookies are handled.

Samsung Galaxy Gear series before build RE2 includes the hcidump utility with no privilege or permission restriction.

The wnoti system service in Samsung Galaxy Gear series allows an unprivileged process to take over the internal notification message data, due to improper D-Bus security policy configurations.

xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.

repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-based buffer over-read via a last schema whose length is less than the length of the input schema.

There is an integer overflow vulnerability in LDAP server of some Huawei products.

There is an integer overflow vulnerability in LDAP client of some Huawei products.

Trustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to send crafted requests that may, when sent quickly in large volumes, lead to the server becoming slow or unresponsive (Denial of Service) because of a flaw in Transaction::addRequestHeader in transaction.cc.

Grin through 2.1.1 has Insufficient Validation.

The Meinberg SyncBox/PTP/PTPv2 devices have default SSH keys which allow attackers to get root access to the devices.

Parallels 13 uses cleartext HTTP as part of the update process, allowing man-in-the-middle attacks.

tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ directory traversal on Windows.

In DIMO YellowBox CRM before 6.3.4, Path Traversal in images/Apparence (dossier=../) and servletrecuperefichier (document=../) allows an unauthenticated user to download arbitrary files from the server.

websitebaker prior to and including 2.8.1 has an authentication error in backup module.

The device may enter into error state when some tool or application gets failure at 1st buffer map all and performs 2nd buffer map which happens to be at same physical address in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in MDM9607, Nicobar, Rennell, SA6155P, SDM660, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130

Possible null pointer dereference issue in location assistance data processing due to missing null check on resources before using it in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in MDM9150, MDM9607, MDM9650, SDM660, SDM845, SM8150, SM8250, SXR2130

Null pointer exception can happen while parsing invalid MKV clip where cue information is parsed before segment information in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCS605, QM215, Rennell, SA6155P, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

Null pointer dereference can occur while parsing the clip which is nonstandard in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA6574AU, QCS605, QM215, Rennell, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

The WP Database Backup plugin through 5.5 for WordPress stores downloads by default locally in the directory wp-content/uploads/db-backup/.

A vulnerability in the web-based management interface of Cisco Webex Video Mesh could allow an authenticated, remote attacker to execute arbitrary commands on the affected system.

A vulnerability in the WebUI of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system.

D-Link DSR-250N devices with firmware 1.05B73_WW allow Persistent Root Access because of the admin password for the admin account.

An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185.

An improper access control vulnerability in FortiMail admin webUI 6.2.0, 6.0.0 to 6.0.6, 5.4.10 and below may allow administrators to access web console they should not be authorized for.

In uftpd before 2.11, it is possible for an unauthenticated user to perform a directory traversal attack using multiple different FTP commands and read and write to arbitrary locations on the filesystem due to the lack of a well-written chroot jail in compose_abspath().

Directory Traversal in ruckus_cli2 in Ruckus Wireless Unleashed through 200.7.10.102.64 allows a remote attacker to jailbreak the CLI via enable->debug->script->exec with ../../../bin/sh as the parameter.

A File Inclusion vulnerability exists in act parameter to admin.php in UseBB before 1.0.12.

MultiTech Conduit MTCDT-LVW2-24XX 1.4.17-ocea-13592 devices allow remote authenticated administrators to execute arbitrary OS commands by navigating to the Debug Options page and entering shell metacharacters in the interface JSON field of the ping function.

Comtech Stampede FX-1010 7.4.3 devices allow remote authenticated administrators to achieve remote code execution by navigating to the Poll Routes page and entering shell metacharacters in the Router IP Address field.

Comtech Stampede FX-1010 7.4.3 devices allow remote authenticated administrators to achieve remote code execution by navigating to the Fetch URL page and entering shell metacharacters in the URL field.

Comtech Stampede FX-1010 7.4.3 devices allow remote authenticated administrators to achieve remote code execution by navigating to the Diagnostics Trace Route page and entering shell metacharacters in the Target IP address field.

The Chrome Plugin for Rapid7 AppSpider can incorrectly keep browser sessions active after recording a macro, even after a restart of the Chrome browser.

log.c in Squid Analysis Report Generator (sarg) through 2.3.11 allows local privilege escalation.

A vulnerability in the zip decompression engine of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

A vulnerability in the Cisco Webex Teams client for Windows could allow an authenticated, remote attacker to cause the client to crash, resulting in a denial of service (DoS) condition.

A vulnerability in the implementation of the Intermediate System–to–Intermediate System (IS–IS) routing protocol functionality in Cisco IOS XR Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition in the IS–IS process.

A vulnerability in the implementation of Border Gateway Protocol (BGP) Ethernet VPN (EVPN) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass authorization and access sensitive information related to the device.

A vulnerability in the web interface for Cisco SD-WAN Solution vManage could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries.

An elevation of privilege vulnerability exists in Microsoft Dynamics 365 Server, aka 'Microsoft Dynamics 365 Elevation of Privilege Vulnerability'.

CODESYS Control V3, Gateway V3, and HMI V3 before 3.5.15.30 allow uncontrolled memory allocation which can result in a remote denial of service condition.

A Directory Traversal vulnerability exists in Vivotek PT7135 IP Cameras 0300a and 0400a via a specially crafted GET request, which could let a malicious user obtain user credentials.

Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.

Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message.

The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows attackers to cause a denial of service (infinite loop and instance crash) or possibly execute arbitrary code via vectors related to receiving packets.

Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop.

Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header.

An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185.

IBM WebSphere MQ 7.1 and 7.5: Queue manager has a DoS vulnerability

A NULL pointer dereference is present in libyang before v1.0-r3 in the function lys_extension_instances_free() due to a copy of unresolved extensions in lys_restr_dup().

A segmentation fault is present in yyparse in libyang before v1.0-r1 due to a malformed pattern statement value during lys_parse_path parsing.

A stack consumption issue is present in libyang before v1.0-r1 due to the self-referential union type containing leafrefs.

An invalid memory access flaw is present in libyang before v1.0-r1 in the function resolve_feature_value() when an if-feature statement is used inside a list key node, and the feature used is not defined.

An invalid memory access flaw is present in libyang before v1.0-r3 in the function resolve_feature_value() when an if-feature statement is used inside a bit.

The wemail_consumer_service (from the built-in application wemail) in Samsung Galaxy Gear series allows an unprivileged process to manipulate a user's mailbox, due to improper D-Bus security policy configurations.

The bt/bt_core system service in Tizen allows an unprivileged process to create a system user interface and control the Bluetooth pairing process, due to improper D-Bus security policy configurations.

The BlueZ system service in Tizen allows an unprivileged process to partially control Bluetooth or acquire sensitive information, due to improper D-Bus security policy configurations.

An issue was discovered in Simple Machines Forum (SMF) before 2.0.16.

Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id.

There is a use-after-free issue in all samba 4.9.x versions before 4.9.18, all samba 4.10.x versions before 4.10.12 and all samba 4.11.x versions before 4.11.5, essentially due to a call to realloc() while other local variables still point at the original buffer.

All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with "log level = 3" (or above) then the string obtained from the client, after a failed character conversion, is printed.

Path Traversal in the file browser of DIMO YellowBox CRM before 6.3.4 allows a standard authenticated user to browse the server filesystem.

Mozilla Firefox prior to 3.6 has a DoS vulnerability due to an issue in the validation of certificates.

htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header.

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page; the (3) note[note] parameter to the /htdocs/admin/dict.php?id=10 page; the (4) zip[MAIN_INFO_SOCIETE_ZIP] or email[mail] parameter to the /htdocs/admin/company.php page; the (5) url[defaulturl], field[defaultkey], or value[defaultvalue] parameter to the /htdocs/admin/defaultvalues.php page; the (6) key[transkey] or key[transvalue] parameter to the /htdocs/admin/translation.php page; or the (7) [main_motd] or [main_home] parameter to the /htdocs/admin/ihm.php page.

Adive Framework 2.0.8 has admin/user/add userName XSS.

Adive Framework 2.0.8 has admin/user/add userUsername XSS.

A vulnerability in the web-based management interface of Cisco Jabber Guest could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

A vulnerability in the web-based management interface of Cisco Crosswork Change Automation could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system.

A vulnerability in the web-based management interface of the Cisco Data Center Analytics Framework application could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface of an affected system.

A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to bypass authorization and access sensitive information related to the device.

Rapid7 Nexpose before 5.5.4 contains a session hijacking vulnerability which allows remote attackers to capture a user's session and gain unauthorized access.

Novell ZENworks Configuration Management before 11.2.4 allows XSS.

An issue was discovered in Big Switch Big Monitoring Fabric 6.2 through 6.2.4, 6.3 through 6.3.9, 7.0 through 7.0.3, and 7.1 through 7.1.3; Big Cloud Fabric 4.5 through 4.5.5, 4.7 through 4.7.7, 5.0 through 5.0.1, and 5.1 through 5.1.4; and Multi-Cloud Director through 1.1.0.

An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site.

sanitize-html before 1.4.3 has XSS.

The WordPress plugin Contact Form Integrated With Google Maps 1.0-2.4 has Stored XSS

A Cross-Site Scripting (XSS) vulnerability exists in the admin login screen in Phorum before 5.2.18.

It has been reported that cross-site scripting (XSS) is possible in Forcepoint Web Security, version 8.x, via host header injection.

A Cross-site Scripting (XSS) vulnerability exists in the Serendipity freetag plugin before 3.30 in the tagcloud parameter to plugins/serendipity_event_freetag/tagcloud.swf.

Lifesize Express ls ex2_4.7.10 2000 (14) devices allow XSS via the interface/interface.php brand parameter.

Jama Connect 8.44.0 is vulnerable to stored Cross-Site Scripting

Jara 1.6 has an XSS vulnerability

The conversation-watson plugin before 0.8.21 for WordPress has a DOM-based XSS vulnerability that is executed when a chat message containing JavaScript is sent.

TestLink before 1.9.20 allows XSS via non-lowercase javascript: in the index.php reqURI parameter.

HUAWEI Mate 20 smart phones with versions earlier than 10.0.0.175(C00E70R3P8) have an insufficient authentication vulnerability.

A vulnerability in the implementation of the Stream Control Transmission Protocol (SCTP) on Cisco Mobility Management Entity (MME) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an eNodeB that is connected to an affected device.

A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.

In postfix-mta-sts-resolver before 0.5.1, All users can receive incorrect response from daemon under rare conditions, rendering downgrade of effective STS policy.

In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0.

In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0.

An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks, aka 'Windows User Profile Service Elevation of Privilege Vulnerability'.

audio/AudioPolicyManagerBase.cpp in Android before 5.1 allows attackers to cause a denial of service (audio_policy application outage) via a crafted application that provides a NULL device address.

In IXP EasyInstall 6.2.13723, it is possible to temporarily disable UAC by using the Agent Service on a client system.

Improper permission or value checking in the CLI console may allow a non-privileged user to obtain Fortinet FortiOS plaint text private keys of system's builtin local certificates via unsetting the keys encryption password in FortiOS 6.2.0, 6.0.0 to 6.0.6, 5.6.10 and below or for user uploaded local certificates via setting an empty password in FortiOS 6.2.1, 6.2.0, 6.0.6 and below.

mysecureshell 1.31: Local Information Disclosure Vulnerability

MySecureShell 1.31 has a Local Denial of Service Vulnerability

Corel WordPerfect Office X6 16.0.0.388 has a DoS Vulnerability via untrusted pointer dereference

Honor V30 smartphones with versions earlier than 10.0.1.135(C00E130R4P1) have an improper authentication vulnerability.

CarbonFTP v1.4 uses insecure proprietary password encryption with a hard-coded weak encryption key.

Improper initialization of local variables which are parameters to sfs api may cause invalid pointer dereference and leads to denial of service in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9206, MDM9607, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, QM215, SDA660, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660

Gentoo Portage through 2.3.84 allows local users to place a Trojan horse plugin in the /usr/lib64/nagios/plugins directory by leveraging access to the nagios user account, because this directory is writable in between a call to emake and a call to fowners.

An issue was discovered in Gallagher Command Centre 7.x before 7.90.991(MR5), 8.00 before 8.00.1161(MR5), and 8.10 before 8.10.1134(MR4).

A vulnerability in the web-based GUI of Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of an affected system.

Cross-site scripting in SimpleSAMLphp before version 1.18.4.

Log injection in SimpleSAMLphp before version 1.18.4.

An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site.

Multiple Cross-site Scripting (XSS) vulnerabilities exist in Joomla! through 1.7.0 in index.php in the search word, extension, asset, and author parameters.

The Calculated Fields Form plugin through 1.0.353 for WordPress suffers from multiple Stored XSS vulnerabilities present in the input forms.

A vulnerability in the out of band (OOB) management interface IP table rule programming for Cisco Application Policy Infrastructure Controller (APIC) could allow an unauthenticated, remote attacker to bypass configured deny entries for specific IP ports.

A vulnerability in the web-based management interface of Cisco UCS Director could allow an unauthenticated, remote attacker to download system log files from an affected device.

An issue was discovered in Mirumee Saleor 2.x before 2.9.1.

An Authentication Bypass Vulnerability exists in Vivotek PT7135 IP Camera 0300a and 0400a via specially crafted RTSP packets to TCP port 554.

An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185.

Incorrect access control in the web interface in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote information disclosure of bin/web.conf via HTTP requests.

mIRC prior to 7.22 has a message leak because chopping of outbound messages is mishandled.

An improper access control vulnerability in FortiMail admin webUI 6.2.0, 6.0.0 to 6.0.6, 5.4.10 and below may allow administrators to perform system backup config download they should not be authorized for.

A vulnerability in the web-based management interface of Cisco Unity Connection Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack.

An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185.

Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS.

An issue was discovered on Eaton 5P 850 devices.

Sonoff TH 10 and 16 devices with firmware 6.6.0.21 allows XSS via the Friendly Name 1 field (after a successful login with the Web Admin Password).

SMC D3G0804W 3.5.2.5-LAT_GA devices allow XSS via the SSID field on the WiFi Network Configuration page (after a successful login to the admin account).

The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 and Mbed TLS through 2.19.1 does not reduce the blinded scalar before computing the inverse, which allows a local attacker to recover the private key via side-channel attacks.

A spoofing vulnerability exists in the way Microsoft Outlook for Android software parses specifically crafted email messages, aka 'Outlook for Android Spoofing Vulnerability'.

In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible.

A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA.

Directory traversal vulnerability in url_redirect.cgi in Supermicro IPMI before SMT_X9_315 allows authenticated attackers to read arbitrary files via the url_name parameter.

Splunk before 5.0.4 lacks X-Frame-Options which can allow Clickjacking

Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts.

The SoundServer/FocusServer system services in Tizen allow an unprivileged process to perform media-related system actions, due to improper D-Bus security policy configurations.

USG9500 with versions of V500R001C30SPC100, V500R001C30SPC200, V500R001C30SPC600, V500R001C60SPC500, V500R005C00SPC100, V500R005C00SPC200 have an information leakage vulnerability.

: Incorrect Default Permissions vulnerability in libzypp of SUSE CaaS Platform 3.0, SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allowed local attackers to read a cookie store used by libzypp, exposing private cookies.

yast2-security didn't use secure defaults to protect passwords.

The permission package in SUSE Linux Enterprise Server allowed all local users to run dumpcap in the "easy" permission profile and sniff network traffic.

An issue was discovered in button_open in login/logind-button.c in systemd before 243.