Weekly Vulnerabilities Reports > November 23 to 29, 2020

An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices.

An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices.

An issue was discovered in Devid Espenschied PC Analyser through 4.10.

An issue was discovered in Devid Espenschied PC Analyser through 4.10.

This affects the package com.softwaremill.akka-http-session:core_2.13 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.12 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.11 before 0.5.11.

Cloudera Data Engineering (CDE) before 1.1 was vulnerable to a CSRF attack.

scan.c in x11vnc 0.9.16 uses IPC_CREAT|0777 in shmget calls, which allows access by actors other than the current user.

Fastweb FASTGate GPON FGA2130FWB devices through 2020-05-26 allow CSRF via the router administration web panel, leading to an attacker's ability to perform administrative actions such as modifying the configuration.

An issue was discovered in Xen through 4.14.x allowing x86 HVM guest OS users to cause a denial of service (stack corruption), cause a data leak, or possibly gain privileges because of an off-by-one error.

The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3, 3.4.x prior to 3.4.4, and 4.0.x prior to 4.0.1 allows for executing files through directory traversal.

The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3 and 3.4.x prior to 3.4.4 allows an access to set arbitrary authorization levels leading to a privilege escalation issue.

Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE).

In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.

Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them.

Use after free vulnerability in EDK II may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via adjacent access.

An issue was discovered on V-SOL V1600D4L V1.01.49 and V1600D-MINI V1.01.48 OLT devices.

An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices.

blosc2.c in Blosc C-Blosc2 through 2.0.0.beta.5 has a heap-based buffer overflow when there is a lack of space to write compressed data.

Untrusted search path vulnerability in the installers of multiple SEIKO EPSON products allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12364020.

In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12360094, a related issue to CVE-2018-16305.

In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12360090, a related issue to CVE-2018-16306.

In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x1236001c, a related issue to CVE-2018-16304.

In Jingyun Antivirus v2.4.2.39, the driver file (hookbody.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x00221482.

Integer truncation in EDK II may allow an authenticated user to potentially enable escalation of privilege via local access.

CA Unified Infrastructure Management 20.1 and earlier contains a vulnerability in the robot (controller) component that allows local attackers to elevate privileges.

Security Onion v2 prior to 2.3.10 has an incorrect sudo configuration, which allows the administrative user to obtain root access without using the sudo password by editing and executing /home/<user>/SecurityOnion/setup/so-setup.

A divide by zero issue was found to occur in libvncserver-0.9.12.

An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020:2414.

Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system.

An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08.

An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08.

An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08.

An issue was discovered in BigBlueButton through 2.2.29.

Zetetic SQLCipher 4.x before 4.4.1 has a use-after-free, related to sqlcipher_codec_pragma and sqlite3Strlen30 in sqlite3.c.

All versions of package djvalidator are vulnerable to Regular Expression Denial of Service (ReDoS) by sending crafted invalid emails - for example, --@------------------------------------------------------------------------------------------------------------------------!.

A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior.

A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx Version 6.11 and prior.

Affected versions of Atlassian Fisheye/Crucible allow remote attackers to achieve Regex Denial of Service via user-supplied regex in EyeQL.

Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the MessageBundleResource within Atlassian Gadgets.

Nanopb is a small code-size Protocol Buffers implementation.

Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol.

Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol.

An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices.

An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices.

An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices.

Barco wePresent WiPG-1600W devices have Improper Access Control.

An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory.

Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients.

TYPO3 is an open source PHP based web content management system.

Playground Sessions v2.5.582 (and earlier) for Windows, stores the user credentials in plain text allowing anyone with access to UserProfiles.sol to extract the email and password.

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework.

Uncontrolled resource consumption in EDK II may allow an unauthenticated user to potentially enable denial of service via network access.

Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service.

The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3, 3.4.x prior to 3.4.4, and 4.0.x prior to 4.0.1 handles system parameters in an insecure way.

Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol.

An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11.

An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11.

An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5.

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework.

Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.

An issue was discovered in fs/io_uring.c in the Linux kernel before 5.6.

In Crafter CMS Crafter Studio 3.0.1 an IDOR vulnerability exists which allows unauthenticated attackers to view and modify administrative data.

In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).

GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing.

Barco wePresent WiPG-1600W devices have Unprotected Transport of Credentials.

A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document.

VMware SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3, 3.4.x prior to 3.4.4, and 4.0.x prior to 4.0.1 was found to be vulnerable to SQL-injection attacks allowing for potential information disclosure.

The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3 and 3.4.x prior to 3.4.4 does not apply correct input validation which allows for SQL-injection.

SimplePHPscripts News Script PHP Pro 2.3 does not properly set the HttpOnly Flag from Session Cookies.

SimplePHPscripts News Script PHP Pro 2.3 is affected by a Cross Site Request Forgery (CSRF) vulnerability, which allows attackers to add new users.

Cross-site request forgery (CSRF) vulnerability in GS108Ev3 firmware version 2.06.10 and earlier allows remote attackers to hijack the authentication of administrators and the product's settings may be changed without the user's intention or consent via unspecified vectors.

HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature may be subverted when not explicitly disabled or when using a volume mount type.

Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege.

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks.

A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries.

Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations.

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values.

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder.

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals.

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch .

A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations.

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner.

A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem.

HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration.

A race condition vulnerability was found in the way the spice-vdagentd daemon handled new client connections.

Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting (XSS), which allows remote attackers to steal users’ cookies.

In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel.

cPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577).

jsp/upload.jsp in Coremail XT 5.0 allows XSS via an uploaded personal signature, as demonstrated by a .jpg.html filename in the signImgFile parameter.

A Cross-Site Script Inclusion vulnerability was found on LiquidFiles before 3.3.19.

HRSALE 2.0.0 allows XSS via the admin/project/projects_calendar set_date parameter.

Open redirect in SeedDMS 6.0.13 via the dropfolderfileform1 parameter to out/out.AddDocument.php.

SimplePHPscripts News Script PHP Pro 2.3 is affected by a Cross Site Scripting (XSS) vulnerability via the editor_name parameter.

TYPO3 is an open source PHP based web content management system.

There is a Stored XSS in Magicpin v2.1 in the User Registration section.

An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices.

An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices.

IBM Spectrum Protect Plus 10.1.0 through 10.1.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security.

Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.

An issue was discovered on V-SOL V1600D4L V1.01.49 and V1600D-MINI V1.01.48 OLT devices.

CyberArk Endpoint Privilege Manager (EPM) 11.1.0.173 allows attackers to bypass a Credential Theft protection mechanism by injecting a DLL into a process that normally has credential access, such as a Chrome process that reads credentials from a SQLite database.

_get_flag_ip_localdb in server/mhn/ui/utils.py in Modern Honey Network (MHN) through 2020-11-23 allows attackers to cause a denial-of-service via an IP address that is absent from a local geolocation database, because the code tries to uppercase a return value even if that value is not a string.

In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).

An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information.

An information-disclosure flaw was found in the way that gluster-block before 0.5.1 logs the output from gluster-block CLI operations.

Integer overflow in DxeImageVerificationHandler() EDK II may allow an authenticated user to potentially enable denial of service via local access.

In Ericsson BSCS iX R18 Billing & Rating iX R18, ADMX is a web base module in BSCS iX that is vulnerable to stored XSS via the name or description field to a solutionUnitServlet?SuName=UserReferenceDataSU Access Rights Group.

In Ericsson BSCS iX R18 Billing & Rating iX R18, MX is a web base module in BSCS iX that is vulnerable to stored XSS via an Alert Dashboard comment.

Intelbras TIP200 60.61.75.15, TIP200LITE 60.61.75.15, and TIP300 65.61.75.15 devices allow /cgi-bin/cgiServer.exx?page= XSS.

Jupyter Server before version 1.0.6 has an Open redirect vulnerability.

The PollNY extension for MediaWiki through 1.35 allows XSS via an answer option for a poll question, entered during Special:CreatePoll or Special:UpdatePoll.

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework.

Scratch Addons is a WebExtension that supports both Chrome and Firefox.

An issue was discovered in the Linux kernel before 5.2.6.

An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08.

Incorrect Access Control in the configuration backup path in SAGEMCOM F@ST3486 NET DOCSIS 3.0, software NET_4.109.0, allows remote unauthenticated users to download the router configuration file via the /backupsettings.conf URI, when any valid session is running.

Intelbras TIP 200 60.61.75.15, TIP 200 LITE 60.61.75.15, and TIP 300 65.61.75.22 devices allow cgi-bin/cgiServer.exx?page=../ Directory Traversal.

In Rust time crate from version 0.2.7 and before version 0.2.23, unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances.

A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file.

In Ortus TestBox 2.4.0 through 4.1.0, unvalidated query string parameters to test-browser/index.cfm allow directory traversal.

Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid.

IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.10.and 7.1.0.000 through 7.1.11 could allow a remote attacker to obtain sensitive information, caused by improper authentication of a websocket endpoint.

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework.

Improper authentication in EDK II may allow a privileged user to potentially enable information disclosure via network access.

osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.

includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an administrator.

An issue was discovered in do_madvise in mm/madvise.c in the Linux kernel before 5.6.8.

The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in drivers/tty/serial/8250/8250_core.c:serial8250_isa_init_ports() that allows local users to cause a denial of service by using the p->serial_in pointer which uninitialized.

slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.

ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.

In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).

In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).

When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid.

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework.

cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).

Slurm before 19.05.8 and 20.x before 20.02.6 exposes Sensitive Information to an Unauthorized Actor because xauth for X11 magic cookies is affected by a race condition in a read operation on the /proc filesystem.

An issue was discovered in BigBlueButton through 2.2.29.

TYPO3 is an open source PHP based web content management system.

An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c.

A flaw was found in rhacm versions before 2.0.5 and before 2.1.0.

An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4.