Weekly Vulnerabilities Reports > November 16 to 22, 2020

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.

An Arbitrary File Upload is discovered in SourceCodester Tourism Management System 1.0 allows the user to conduct remote code execution via admin/create-package.php vulnerable page.

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream.

Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote code.

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24.

It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24.

PDFResurrect before 0.20 lack of header validation checks causes heap-buffer-overflow in pdf_get_version().

Stack-based buffer overflow and unconditional jump in ReadXPMImage in coders/xpm.c in ImageMagick 7.0.10-7.

Uncontrolled resource consumption vulnerability in MELSEC iQ-R Series modules (R00/01/02CPU firmware version '19' and earlier, R04/08/16/32/120 (EN) CPU firmware version '51' and earlier, R08/16/32/120SFCPU firmware version '22' and earlier, R08/16/32/120PCPU firmware version '25' and earlier, R08/16/32/120PSFCPU firmware version '06' and earlier, RJ71EN71 firmware version '47' and earlier, RJ71GF11-T2 firmware version '47' and earlier, RJ72GF15-T2 firmware version '07' and earlier, RJ71GP21-SX firmware version '47' and earlier, RJ71GP21S-SX firmware version '47' and earlier, and RJ71GN11-T2 firmware version '11' and earlier) allows a remote unauthenticated attacker to cause an error in a CPU unit and cause a denial-of-service (DoS) condition in execution of the program and its communication, or to cause a denial-of-service (DoS) condition in communication via the unit by receiving a specially crafted SLMP packet

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

svm_predict_values in svm.cpp in Libsvm v324, as used in scikit-learn 0.23.2 and other products, allows attackers to cause a denial of service (segmentation fault) via a crafted model SVM (introduced via pickle, json, or any other model permanence standard) with a large value in the _n_support array.

The affected product is vulnerable to three stack-based buffer overflows, which may allow an unauthenticated attacker to remotely execute arbitrary code on the IP150 (firmware versions 5.02.09).

Buffer overflow in in the copy_msg_element function for the devDiscoverHandle server in the TP-Link WR and WDR series, including WDR7400, WDR7500, WDR7660, WDR7800, WDR8400, WDR8500, WDR8600, WDR8620, WDR8640, WDR8660, WR880N, WR886N, WR890N, WR890N, WR882N, and WR708N.

A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when a brute force attack is done over Modbus.

An issue was discovered in Rclone before 1.53.3.

In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course.

Dynamic loading of services in the backup and restore SDK leads to elevated privileges, affected product is com.coloros.codebook V2.0.0_5493e40_200722.

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses.

A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an unauthenticated, remote attacker to send a specially crafted HTTP message and achieve remote code execution with elevated privileges.

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.

Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.

app\admin\controller\sys\Uploads.php in lemocms 1.8.x allows users to upload files to upload executable files.

An issue was discovered in Aviatrix Controller before R6.0.2483.

An issue was discovered in SourceCodester Simple Grocery Store Sales And Inventory System 1.0.

SourceCodester Online Clothing Store 1.0 is affected by an arbitrary file upload via the image upload feature of Products.php.

SourceCodester Online Clothing Store 1.0 is affected by a SQL Injection via the txtUserName parameter to login.php.

In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to takeover the account.

SQL injection vulnerability in PHPGurukul User Registration & Login and User Management System With admin panel 2.1 allows remote attackers to execute arbitrary SQL commands and bypass authentication.

Deserialization of untrusted data vulnerability in XooNIps 3.49 and earlier allows remote attackers to execute arbitrary code via unspecified vectors.

In InfiniteWP Admin Panel before 3.1.12.3, resetPasswordSendMail generates a weak password-reset code, which makes it easier for remote attackers to conduct admin Account Takeover attacks.

VMware ESXi (7.0 before ESXi70U1b-17168206, 6.7 before ESXi670-202011101-SG, 6.5 before ESXi650-202011301-SG) contains a privilege-escalation vulnerability that exists in the way certain system calls are being managed.

A CWE-269 Improper Privilege Management vulnerability exists in EcoStruxureª Operator Terminal Expert runtime (Vijeo XD) that could cause privilege escalation on the workstation when interacting directly with a driver installed by the runtime software of EcoStruxureª Operator Terminal Expert.

Privilege escalation via arbitrary file write in pritunl electron client 1.0.1116.6 through v1.2.2550.20.

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code on the system with root privileges.

A vulnerability in the log subscription subsystem of Cisco AsyncOS for the Cisco Secure Web Appliance (formerly Web Security Appliance) could allow an authenticated, local attacker to perform command injection and elevate privileges to root.

BinaryNights ForkLift 3.4 was compiled with the com.apple.security.cs.disable-library-validation flag enabled which allowed a local attacker to inject code into ForkLift.

BinaryNights ForkLift 3.x before 3.4 has a local privilege escalation vulnerability because the privileged helper tool implements an XPC interface that allows file operations to any process (copy, move, delete) as root and changing permissions.

The update functionality of the Discover Media infotainment system in Volkswagen Polo 2019 vehicles allows physically proximate attackers to execute arbitrary code because some unsigned parts of a metainfo file are parsed, which can cause attacker-controlled files to be written to the infotainment system and executed as root.

Uncontrolled resource consumption vulnerability in MELSEC iQ-R Series CPU Modules (R00/01/02CPU Firmware versions from '05' to '19' and R04/08/16/32/120(EN)CPU Firmware versions from '35' to '51') allows a remote attacker to cause an error in a CPU unit via a specially crafted HTTP packet, which may lead to a denial-of-service (DoS) condition in execution of the program and its communication.

IBM DB2 Accessories Suite for Linux, UNIX, and Windows, DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client.

Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a non-protected location with high privileges (symlink attack) which can lead to obtaining administrative privileges during the installation of the product.

Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a specific Windows system directory which can lead to obtaining administrative privileges during the installation of the product.

Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a local directory which can lead to obtaining administrative privileges during the installation of the product.

A CWE-787 Out-of-bounds Write vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247 that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.

A CWE-125 Out-of-bounds Read vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247 that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.

A CWE-787 Out-of-bounds Write vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247 that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.

A CWE-787 Out-of-bounds Write vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247 that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.

A CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247 that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.

A CWE-787 Out-of-bounds Write vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247 that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.

A CWE-787: Out-of-bounds Write vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247, that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.

A CWE-787: Out-of-bounds Write vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247, that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.

A CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247 and prior that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.

SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules.

Improper input validation vulnerability exists in TOBESOFT XPLATFORM which could cause arbitrary .hta file execution when the command string is begun with http://, https://, mailto://

The orbisius-child-theme-creator plugin before 1.5.2 for WordPress allows CSRF via orbisius_ctc_theme_editor_manage_file.

The affected product is vulnerable to five post-authentication buffer overflows, which may allow a logged in user to remotely execute arbitrary code on the IP150 (firmware versions 5.02.09).

A CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to inject arbitrary XML code and obtain disclosure of confidential data, denial of service, server side request forgery due to improper configuration of the XML parser.

A CWE-434 Unrestricted Upload of File with Dangerous Type vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to upload arbitrary files due to incorrect verification of user supplied files and achieve remote code execution.

A CWE-494: Download of Code Without Integrity Check vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when sending specially crafted requests over Modbus.

Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) with Firmware version prior to V2.0.0 is prone to improper privilege management.

In moodle, some database module web services allowed students to add entries within groups they did not belong to.

A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to maintain bidirectional audio despite being expelled from an active Webex session.

A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an authenticated, remote attacker to send a specially crafted HTTP message and achieve remote code execution with elevated privileges.

A vulnerability in the xAPI service of Cisco Telepresence CE Software and Cisco RoomOS Software could allow an authenticated, remote attacker to generate an access token for an affected device.

A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause write access and the execution of commands when uploading a specially crafted file on the controller over FTP.

A CWE-787: Out-of-bounds Write vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause corruption of data, a crash, or code execution when uploading a specially crafted file on the controller over FTP.

UPNP Service listening on port 5555 in Genexis Platinum 4410 Router V2.1 (P4410-V2–1.34H) has an action 'X_GetAccess' which leaks the credentials of 'admin', provided that the attacker is network adjacent.

In fastadmin V1.0.0.20191212_beta, when a user with administrator rights has logged in, a malicious parameter can be passed for SQL injection in URL /admin/ajax/weigh.

Garmin Forerunner 235 before 8.20 is affected by: Buffer Overflow.

Garmin Forerunner 235 before 8.20 is affected by: Array index error.

Garmin Forerunner 235 before 8.20 is affected by: Integer Overflow.

Garmin Forerunner 235 before 8.20 is affected by: Array index error.

In Gila CMS 1.16.0, an attacker can upload a shell to tmp directy and abuse .htaccess through the logs function for executing PHP files.

The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability.

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.2 and 5.2.0.0 through 5.2.6.5 could allow an authenticated user belonging to a specific user group to create a user or group with administrative privileges.

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.2 and 5.2.0.0 through 5.2.6.5 is vulnerable to SQL injection.

IBM Sterling File Gateway 2.2.0.0 through 2.2.6.5 and 6.0.0.0 through 6.0.3.2 is vulnerable to SQL injection.

LDMS/alert_log.aspx in Ivanti Endpoint Manager through 2020.1 allows SQL Injection via a /remotecontrolauth/api/device request.

SQL injection vulnerability in the XooNIps 3.49 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors.

If exploited, the command injection vulnerability could allow remote attackers to execute arbitrary commands.

If exploited, the command injection vulnerability could allow remote attackers to execute arbitrary commands.

A CWE-284 Improper Access Control vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause a remote attacker being able to access a restricted web resources due to improper access control.

An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.8.9.

A vulnerability in the Traversal Using Relays around NAT (TURN) server component of Cisco Expressway software could allow an unauthenticated, remote attacker to bypass security controls and send network traffic to restricted destinations.

A unauthenticated path traversal arbitrary remote file deletion vulnerability in Trend Micro Worry-Free Business Security 10 SP1 could allow an unauthenticated attacker to exploit the vulnerability and modify or delete arbitrary files on the product's management console.

In JetBrains Ktor before 1.4.1, HTTP request smuggling was possible.

A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095.

In Moodle, it was possible to include JavaScript when re-naming content bank items.

A vulnerability in an API of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.

A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def.

Cross-Site Scripting vulnerability on Micro Focus ArcSight Logger product, affecting all version prior to 7.1.1.

Chronoforeum 2.0.11 allows Stored XSS vulnerabilities when inserting a crafted payload into a post.

Improper Input validation vulnerability exists in Netis Korea D'live AP which could cause arbitrary command injection and execution when the time setting (using ntpServerlp1 parameter) for the users.

The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\TwinCAT.

Missing validation of server certificates for out-going connections in Nextcloud Social < 0.4.0 allowed a man-in-the-middle attack.

In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded when included in a URL.

Jupyter Notebook before version 6.1.5 has an Open redirect vulnerability.

SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document.

Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.

A CWE-125: Out-of-Bounds Read vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause a segmentation fault or a buffer overflow when uploading a specially crafted file on the controller over FTP.

A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports.

JetBrains TeamCity before 2020.1.2 was vulnerable to URL injection.

A vulnerability in specified versions of American Dynamics victor Web Client and Software House C•CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization.

In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) SplashOutputDev.cc:3079 is trying to use the freed `t3GlyphStack->cache`, which causes an `heap-use-after-free` problem.

An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9.

The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls.

An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14.

A vulnerability in the file system of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to overwrite files on an affected system.

A vulnerability in the SOAP API of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to access and modify information on devices that belong to a different domain.

Kamailio before 5.4.0, as used in Sip Express Router (SER) in Sippy Softswitch 4.5 through 5.2 and other products, allows a bypass of a header-removal protection mechanism via whitespace characters.

Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations.

A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0.

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys.

In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application.

Reflected Cross Site scripting vulnerability on Micro Focus Filr product, affecting version 4.2.1.

Cross-Site Scripting vulnerability on Micro Focus ArcSight Logger product, affecting version 7.1.

im_vips2dz in /libvips/libvips/deprecated/im_vips2dz.c in libvips before 8.8.2 has an uninitialized variable which may cause the leakage of remote server path or stack address.

The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden.

If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method.

A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to view sensitive information from the meeting room lobby.

In ScratchVerifier before commit a603769, an attacker can hijack the verification process to log into someone else's account on any site that uses ScratchVerifier for logins.

HCL Notes is susceptible to a Denial of Service vulnerability caused by improper validation of user-supplied input.

HCL Domino is susceptible to a Denial of Service vulnerability due to improper validation of user-supplied input, potentially giving an attacker the ability to crash the server.

HCL Domino is susceptible to a Denial of Service vulnerability caused by improper validation of user-supplied input.

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.0.3.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause a crash of the PLC simulator present in EcoStruxureª Control Expert software when receiving a specially crafted request over Modbus.

A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause a crash of the PLC simulator present in EcoStruxureª Control Expert software when receiving a specially crafted request over Modbus.

web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.

JamoDat TSMManager Collector version up to 6.5.0.21 is vulnerable to an Authorization Bypass because the Collector component is not properly validating an authenticated session with the Viewer.

Improper access control in Nextcloud Social app version 0.3.1 allowed to read posts of any user.

A flaw in the libapreq2 v2.07 to v2.13 multipart parser can deference a null pointer leading to a process crash.

Symantec Endpoint Detection & Response, prior to 4.5, may be susceptible to an information disclosure issue, which is a type of vulnerability that could potentially allow unauthorized access to data.

A vulnerability in the API of Cisco IoT Field Network Director (FND) could allow an unauthenticated, remote attacker to view sensitive information on an affected system.

A vulnerability in Cisco IoT Field Network Director (FND) could allow an unauthenticated, remote attacker to view sensitive database information on an affected device.

cxuucms v3 has a SQL injection vulnerability, which can lead to the leakage of all database data via the keywords parameter via search.php.

An issue was discovered in Aviatrix Controller before R6.0.2483.

An issue was discovered in Aviatrix Controller before R5.3.1151.

An issue was discovered in Aviatrix Controller before R5.3.1151.

An issue was discovered in Aviatrix Controller before R5.4.1290.

Cross domain policies in Taskcafe Project Management tool before version 0.1.0 and 0.1.1 allows remote attackers to access sensitive data such as access token.

Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker.

A predictable device ID in BASETech GE-131 BT-1837836 firmware 20180921 allows unauthenticated remote attackers to connect to the device.

Cleartext Transmission of Sensitive Information vulnerability in BASETech GE-131 BT-1837836 firmware 20180921 exists which could leak sensitive information transmitted between the mobile app and the camera device.

In BASETech GE-131 BT-1837836 firmware 20180921, the web-server on the system is configured with the option “DocumentRoot /etc“.

Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3.

Private group info is leaked leaked in GitLab CE/EE version 10.2 and above, when the project is moved from private to public group.

In PrestaShop before version 1.7.6.9 an attacker is able to list all the orders placed on the website without being logged by abusing the function that allows a shopping cart to be recreated from an order already placed.

Airleader Master <= 6.21 devices have default credentials that can be used to access the exposed Tomcat Manager for deployment of a new .war file, with resultant remote code execution.

Airleader Master and Easy <= 6.21 devices have default credentials that can be used for a denial of service.

The WebTools component on Canon Oce ColorWave 3500 5.1.1.0 devices allows attackers to retrieve stored SMB credentials via the export feature, even though these are intentionally inaccessible in the UI.

There was a local file disclosure vulnerability in AVideo < 8.9 via the proxy streaming.

IBM Sterling File Gateway 2.2.0.0 through 2.2.6.5 and 6.0.0.0 through 6.0.3.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

Memory leak in IPv6Param::setAddress in CloudAvid PParam 1.3.1.

JetBrains IdeaVim before version 0.58 might have caused an information leak in limited circumstances.

In JetBrains IntelliJ IDEA before 2020.2, the built-in web server could expose information about the IDE version.

Anuko Time Tracker v1.19.23.5311 lacks rate limit on the password reset module which allows attacker to perform Denial of Service attack on any legitimate user's mailbox

LionWiki before 3.2.12 allows an unauthenticated user to read files as the web server user via crafted string in the index.php f1 variable, aka Local File Inclusion.

In /ldclient/ldprov.cgi in Ivanti Endpoint Manager through 2020.1.1, an attacker is able to disclose information about the server operating system, local pathnames, and environment variables with no authentication required.

In JetBrains TeamCity before 2020.1.5, secure dependency parameters could be not masked in depending builds when there are no internal artifacts.

JetBrains YouTrack before 2020.3.5333 was vulnerable to SSRF.

In JetBrains YouTrack before 2020.3.888, notifications might have mentioned inaccessible issues.

JetBrains YouTrack before 2020.3.888 was vulnerable to SSRF.

In JetBrains YouTrack before 2020.3.7955, an attacker could access workflow rules without appropriate access grants.

In JetBrains YouTrack before 2020.3.6638, improper access control for some subresources leads to information disclosure via the REST API.

JetBrains ToolBox before version 1.18 is vulnerable to a Denial of Service attack via a browser protocol handler.

This affects the package @firebase/util before 0.3.4.

Authentication Bypass resulting in exposure of SD-WAN functionality in Citrix SD-WAN Center versions before 11.2.2, 11.1.2b and 10.2.8

Persistent cross-Site Scripting vulnerability on Micro Focus IDOL product, affecting all version prior to version 12.7.

VMware ESXi (7.0 before ESXi70U1b-17168206, 6.7 before ESXi670-202011101-SG, 6.5 before ESXi650-202011301-SG), Workstation (15.x before 15.5.7), Fusion (11.x before 11.5.7) contain a use-after-free vulnerability in the XHCI USB controller.

A CWE-863: Incorrect Authorization vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause bypass of authentication when overwriting memory using a debugger.

Western Digital has identified a security vulnerability in the Replay Protected Memory Block (RPMB) protocol as specified in multiple standards for storage device interfaces, including all versions of eMMC, UFS, and NVMe.

A vulnerability in Trend Micro Apex One could allow an unprivileged user to abuse the product installer to reinstall the agent with additional malicious code in the context of a higher privilege.

A CWE-428 Windows Unquoted Search Path vulnerability exists in EcoStruxure Building Operation Enterprise Server installer V1.9 - V3.1 and Enterprise Central installer V2.0 - V3.1 that could cause any local Windows user who has write permission on at least one of the subfolders of the Connect Agent service binary path, being able to gain the privilege of the user who started the service.

Unverified indexs into the array lead to out of bound access in the gif_out_code function in fromgif.c in libsixel 1.8.6.

A CWE-334: Small Space of Random Values vulnerability exists in Modicon M221 (all references, all versions) that could allow the attacker to break the encryption keys when the attacker has captured the traffic between EcoStruxure Machine - Basic software and Modicon M221 controller.

A CWE-326: Inadequate Encryption Strength vulnerability exists in Modicon M221 (all references, all versions) that could allow the attacker to break the encryption key when the attacker has captured the traffic between EcoStruxure Machine - Basic software and Modicon M221 controller.

A Cross Site Scripting (XSS) vulnerability exists in OPAC in Sokrates SOWA SowaSQL through 5.6.1 via the sowacgi.php typ parameter.

A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability exists in EcoStruxure Building Operation WebStation V2.0 - V3.1 that could cause an attacker to inject HTML and JavaScript code into the user's browser.

In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled.

In YzmCMS v5.5 the member contribution function in the editor contains a cross-site scripting (XSS) vulnerability.

A cross-site scripting (XSS) vulnerability in Beijing Liangjing Zhicheng Technology Co., Ltd ljcmsshop version 1.14 allows remote attackers to inject arbitrary web script or HTML via user.php by registering an account directly in the user center, and then adding the payload to the delivery address.

Multiple vulnerabilities in the web UI of Cisco IoT Field Network Director (FND) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against users on an affected system.

REDDOXX MailDepot 2033 (aka 2.3.3022) allows XSS via an incoming HTML e-mail message.

RSA Archer 6.8 through 6.8.0.3 and 6.9 contains a URL injection vulnerability.

PESCMS Team 2.3.2 has multiple reflected XSS via the id parameter:?g=Team&m=Task&a=my&status=3&id=,?g=Team&m=Task&a=my&status=0&id=,?g=Team&m=Task&a=my&status=1&id=,?g=Team&m=Task&a=my&status=10&id=

Stored Cross-site scripting (XSS) vulnerability in SourceCodester Gym Management System 1.0 allows users to inject and store arbitrary JavaScript code in index.php?page=packages via vulnerable fields 'Package Name' and 'Description'.

TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting.

The web application of Kyocera printer (ECOSYS M2640IDW) is affected by Stored XSS vulnerability, discovered in the addition a new contact in "Machine Address Book".

SourceCodester Online Clothing Store 1.0 is affected by a cross-site scripting (XSS) vulnerability via a Offer Detail field in offer.php.

CSRF in runner administration page in all versions of GitLab CE/EE allows an attacker who's able to target GitLab instance administrators to pause/resume runners.

In PrestaShop Product Comments before version 4.2.0, an attacker could inject malicious web code into the users' web browsers by creating a malicious link.

IBM Sterling File Gateway 6.0.0.0 through 6.0.3.2 and 2.2.0.0 through 2.2.6.5 does not set the secure attribute on authorization tokens or session cookies.

IBM Sterling File Gateway 2.2.0.0 through 2.2.6.5 and 6.0.0.0 through 6.0.3.2 does not set the secure attribute on authorization tokens or session cookies.

This affects the package markdown-it-highlightjs before 3.3.1.

In BigBlueButton before 2.2.29, a user can vote more than once in a single poll.

Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) and Memograph M (Neutral/Private Label) (RSG45, ORSG45) with Firmware version V2.0.0 and above is prone to exposure of sensitive information to an unauthorized actor.

An issue exists in PrimeKey EJBCA before 7.4.3 when enrolling with EST while proxied through an RA over the Peers protocol.

In versions 16.0.0-16.0.0.1 and 15.1.0-15.1.1, on specific BIG-IP platforms, attackers may be able to obtain TCP sequence numbers from the BIG-IP system that can be reused in future connections with the same source and destination port and IP numbers.

A vulnerability in the user management functionality of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to manage user information for users in different domains on an affected system.

A vulnerability in the web UI of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to obtain hashes of user passwords on an affected device.

A vulnerability in the access control functionality of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to view lists of users from different domains that are configured on an affected system.

An issue was discovered in the view_statistics (aka View frontend statistics) extension before 2.0.1 for TYPO3.

An issue has been discovered in GitLab EE affecting all versions starting from 8.12.

An issue has been discovered in GitLab EE affecting all versions starting from 10.2.

Use of an undocumented user in BASETech GE-131 BT-1837836 firmware 20180921 allows remote attackers to view the video stream.

A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 12.6.

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.2 and 5.2.0.0 through 5.2.6.5 could allow an authenticated user to obtain sensitive information from the Dashboard UI.

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.2 and 5.2.0.0 through 5.2.6.5 stores potentially sensitive information in log files that could be read by an authenticatedl user.

IBM Sterling B2B Integrator Standard Edition 5.2.6.0 through 5.2.6.5 and 6.0.0.0 through 6.0.3.2 stores potentially highly sensitive information in log files that could be read by an authenticated user.

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 and 6.0.0.0 through 6.0.3.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

In JetBrains TeamCity before 2020.1.5, the Guest user had access to audit records.

Stored cross-site scripting vulnerability in XooNIps 3.49 and earlier allows remote authenticated attackers to inject arbitrary script via unspecified vectors.

UNIX Symbolic Link (Symlink) Following in TP-Link Archer C9(US)_V1_180125 firmware allows an unauthenticated actor, with physical access and network access, to read sensitive files and write to a limited set of files after plugging a crafted USB drive into the router.

Potential double free in Bluez 5 module of PulseAudio could allow a local attacker to leak memory or crash the program.

Trusted Computing Group (TCG) Trusted Platform Module Library Family 2.0 Library Specification Revisions 1.38 through 1.59 has Incorrect Access Control during a non-orderly TPM shut-down that uses USE_DA_USED.

An improper file permissions vulnerability affects Kata Containers prior to 1.11.5.

A CWE-79 Multiple Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Reflected) vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause a remote attacker to inject arbitrary web script or HTML due to incorrect sanitization of user supplied data and achieve a Cross-Site Scripting reflected attack against other WebReport users.

A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Stored) vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Cross-Site Scripting stored attack against other WebReport users.

IBM Jazz Reporting Service 6.0.6, 6.0.6.1, 7.0, and 7.0.1 is vulnerable to stored cross-site scripting.

SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality.

Cross-site Scripting (XSS) vulnerability in grocy 2.7.1 via the add recipe module, which gets executed when deleting the recipe.

IBM MQ Appliance 9.1.CD and LTS could allow an authenticated user, under nondefault configuration to cause a data corruption attack due to an error when using segmented messages.

httpd on TP-Link TL-WPA4220 devices (hardware versions 2 through 4) allows remote authenticated users to trigger a buffer overflow (causing a denial of service) by sending a POST request to the /admin/syslog endpoint.

Cross Site Scripting (XSS) vulnerability in the Registration page of the admin panel in PHPGurukul User Registration & Login and User Management System With admin panel 2.1.

Cross-site scripting (XSS) vulnerability in Dashboards section in Kaa IoT Platform v1.2.0 allows remote attackers to inject malicious web scripts or HTML Injection payloads via the Description parameter.

A stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including 3.21.1 allows authenticated users with correct permissions to inject arbitrary web script or HTML via parameter ParticipantAttributeNamesDropdown of the Attributes on the central participant database page.

A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter.

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.2 and 5.2.0.0 through 5.2.6.5 is vulnerable to cross-site scripting.

IBM Business Automation Workflow 20.0.0.1 is vulnerable to cross-site scripting.

Nagios XI before 5.7.5 is vulnerable to XSS in Account Information (Email field).

Nagios XI before 5.7.5 is vulnerable to XSS in the Deployment tool (add agent).

Nagios XI before 5.7.5 is vulnerable to XSS in Dashboard Tools (Edit Dashboard).

Nagios XI before 5.7.5 is vulnerable to XSS in Manage Users (Username field).

Ivanti Endpoint Manager through 2020.1.1 allows XSS via /LDMS/frm_splitfrm.aspx, /LDMS/licensecheck.aspx, /LDMS/frm_splitcollapse.aspx, /LDMS/alert_log.aspx, /LDMS/ServerList.aspx, /LDMS/frm_coremainfrm.aspx, /LDMS/frm_findfrm.aspx, /LDMS/frm_taskfrm.aspx, and /LDMS/query_browsecomp.aspx.

Reflected cross-site scripting vulnerability in XooNIps 3.49 and earlier allows remote authenticated attackers to inject arbitrary script via unspecified vectors.

The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters to disable the standard WordPress XSS protection mechanism for the Author and Contributor roles.

A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Modicon M221 (all references, all versions) that could allow non sensitive information disclosure when the attacker has captured the traffic between EcoStruxure Machine - Basic software and Modicon M221 controller.

A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Modicon M221 (all references, all versions) that could allow the attacker to find the password hash when the attacker has captured the traffic between EcoStruxure Machine - Basic software and Modicon M221 controller and broke the encryption keys.

Some ZTE devices have input verification vulnerabilities.

Unprotected Storage of Credentials vulnerability in BASETech GE-131 BT-1837836 firmware 20180921 allows local users to gain access to the video streaming username and password via SQLite files containing plain text credentials.

QED ResourceXpress Qubi3 devices before 1.40.9 could allow a local attacker (with physical access to the device) to obtain sensitive information via the debug interface (keystrokes over a USB cable), aka wireless password visibility.

A vulnerability in the internal Kubernetes agent api in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects.

When importing repos via URL, one time use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above.

Sensitive information could be disclosed in the JetBrains YouTrack application before 2020.2.0 for Android via application backups.

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on.

A misconfiguration in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with direct physical access to device hardware to obtain cellular modem information.

An authentication bypass in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with physical access to device hardware to obtain system information.

A misconfiguration in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with direct physical access to device hardware to obtain cellular modem information.

An authentication bypass in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with physical access to device hardware to obtain system information.

A misconfiguration in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with direct physical access to device hardware to obtain cellular modem information.

An authentication bypass in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with physical access to device hardware to obtain system information.