jell.ie CVEs

Read at: 2020-11-29T05:05:29+00:00

CVE-2020-29373

An issue was discovered in fs/io_uring.c in the Linux kernel before 5.6. It unsafely handles the root directory during path lookups, and thus a process inside a mount namespace can escape to unintended filesystem locations, aka CID-ff002b30181d.

Source: National Vulnerability Database | 28 Nov 2020 | 7:15 am GMT

CVE-2019-20934

An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.

Source: National Vulnerability Database | 28 Nov 2020 | 7:15 am GMT

CVE-2020-29371

An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.

Source: National Vulnerability Database | 28 Nov 2020 | 7:15 am GMT

CVE-2020-29370

An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.

Source: National Vulnerability Database | 28 Nov 2020 | 7:15 am GMT

CVE-2020-29368

An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.

Source: National Vulnerability Database | 28 Nov 2020 | 7:15 am GMT

CVE-2020-29369

An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.

Source: National Vulnerability Database | 28 Nov 2020 | 7:15 am GMT

CVE-2020-29372

An issue was discovered in do_madvise in mm/madvise.c in the Linux kernel before 5.6.8. There is a race condition between coredump operations and the IORING_OP_MADVISE implementation, aka CID-bc0c4d1e176e.

Source: National Vulnerability Database | 28 Nov 2020 | 7:15 am GMT

CVE-2020-29374

An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider the semantics of read operations and therefore can grant unintended write access, aka CID-17839856fd58.

Source: National Vulnerability Database | 28 Nov 2020 | 7:15 am GMT

CVE-2020-27218

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.

Source: National Vulnerability Database | 28 Nov 2020 | 1:15 am GMT

CVE-2020-29367

blosc2.c in Blosc C-Blosc2 through 2.0.0.beta.5 has a heap-based buffer overflow when there is a lack of space to write compressed data.

Source: National Vulnerability Database | 27 Nov 2020 | 8:15 pm GMT

CVE-2020-26245

npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototype pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite().

Source: National Vulnerability Database | 27 Nov 2020 | 8:15 pm GMT

CVE-2020-28922

An issue was discovered in Devid Espenschied PC Analyser through 4.10. The PCADRVX64.SYS kernel driver exposes IOCTL functionality that allows low-privilege users to read and write arbitrary physical memory. This could lead to arbitrary Ring-0 code execution and escalation of privileges.

Source: National Vulnerability Database | 27 Nov 2020 | 6:15 pm GMT

CVE-2017-15686 (crafter_cms)

Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting (XSS), which allows remote attackers to steal users’ cookies.

Source: National Vulnerability Database | 27 Nov 2020 | 6:15 pm GMT

CVE-2020-28921

An issue was discovered in Devid Espenschied PC Analyser through 4.10. The PCADRVX64.SYS kernel driver exposes IOCTL functionality that allows low-privilege users to read and write to arbitrary Model Specific Registers (MSRs). This could lead to arbitrary Ring-0 code execution and escalation of privileges.

Source: National Vulnerability Database | 27 Nov 2020 | 6:15 pm GMT

CVE-2020-27746

Slurm before 19.05.8 and 20.x before 20.02.6 exposes Sensitive Information to an Unauthorized Actor because xauth for X11 magic cookies is affected by a race condition in a read operation on the /proc filesystem.

Source: National Vulnerability Database | 27 Nov 2020 | 6:15 pm GMT

CVE-2017-15684 (crafter_cms)

Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system.

Source: National Vulnerability Database | 27 Nov 2020 | 6:15 pm GMT

CVE-2017-15683 (crafter_cms)

In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.

Source: National Vulnerability Database | 27 Nov 2020 | 6:15 pm GMT

CVE-2020-25014

A stack-based buffer overflow in fbwifi_continue.cgi on Zyxel UTM and VPN series of gateways running firmware version V4.30 through to V4.55 allows remote unauthenticated attackers to execute arbitrary code via a crafted http packet.

Source: National Vulnerability Database | 27 Nov 2020 | 6:15 pm GMT

CVE-2017-15682 (crafter_cms)

In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel.

Source: National Vulnerability Database | 27 Nov 2020 | 6:15 pm GMT

CVE-2020-25708

A divide by zero issue was found to occur in libvncserver-0.9.12. A malicious client could use this flaw to send a specially crafted message that, when processed by the VNC server, would lead to a floating point exception, resulting in a denial of service.

Source: National Vulnerability Database | 27 Nov 2020 | 6:15 pm GMT

CVE-2020-10772

An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020:2414. Vulnerable versions of Unbound could still amplify an incoming query into a large number of queries directed to a target, even with a lower amplification ratio compared to versions of Unbound that shipped before the mentioned erratum. This issue is about the incomplete fix for CVE-2020-12662, and it does not affect upstream versions of Unbound.

Source: National Vulnerability Database | 27 Nov 2020 | 6:15 pm GMT

CVE-2017-15685 (crafter_cms)

Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). An unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.

Source: National Vulnerability Database | 27 Nov 2020 | 6:15 pm GMT

CVE-2017-15680 (crafter_cms)

In Crafter CMS Crafter Studio 3.0.1 an IDOR vulnerability exists which allows unauthenticated attackers to view and modify administrative data.

Source: National Vulnerability Database | 27 Nov 2020 | 6:15 pm GMT

CVE-2017-15681 (crafter_cms)

In Crafter CMS Crafter Studio 3.0.1 a directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files from the operating system which can lead to RCE.

Source: National Vulnerability Database | 27 Nov 2020 | 6:15 pm GMT

CVE-2020-7780

This affects the package com.softwaremill.akka-http-session:core_2.13 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.12 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.11 before 0.5.11. For older versions, endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie.

Source: National Vulnerability Database | 27 Nov 2020 | 5:15 pm GMT

CVE-2019-19875

An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. Arbitrary commands could be injected (using Python scripts) via the AprolCluster script that is invoked via sudo and thus executes with root privileges, a different vulnerability than CVE-2019-16364.

Source: National Vulnerability Database | 27 Nov 2020 | 5:15 pm GMT

CVE-2019-19876

An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. An EnMon PHP script was vulnerable to SQL injection, a different vulnerability than CVE-2019-10006.

Source: National Vulnerability Database | 27 Nov 2020 | 5:15 pm GMT

CVE-2019-19874

An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. Some web scripts in the web interface allowed injection and execution of arbitrary unintended commands on the web server, a different vulnerability than CVE-2019-16364.

Source: National Vulnerability Database | 27 Nov 2020 | 5:15 pm GMT

CVE-2019-19877

An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. An attacker can get access to sensitive information outside the working directory via Directory Traversal attacks against AprolSqlServer, a different vulnerability than CVE-2019-16357.

Source: National Vulnerability Database | 27 Nov 2020 | 5:15 pm GMT

CVE-2020-27745

Slurm before 19.05.8 and 20.x before 20.02.6 has an RPC Buffer Overflow in the PMIx MPI plugin.

Source: National Vulnerability Database | 27 Nov 2020 | 5:15 pm GMT

CVE-2019-19878

An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. An attacker can get access to historical data from AprolSqlServer by bypassing authentication, a different vulnerability than CVE-2019-16358.

Source: National Vulnerability Database | 27 Nov 2020 | 5:15 pm GMT

CVE-2019-19873

An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. An attacker can get information from the AprolSqlServer DBMS by bypassing authentication, a different vulnerability than CVE-2019-16356 and CVE-2019-9983.

Source: National Vulnerability Database | 27 Nov 2020 | 5:15 pm GMT

CVE-2020-29138

Incorrect Access Control in the configuration backup path in SAGEMCOM F@ST3486 NET DOCSIS 3.0, software NET_4.109.0, allows remote unauthenticated users to download the router configuration file via the /backupsettings.conf URI, when any valid session is running.

Source: National Vulnerability Database | 27 Nov 2020 | 4:15 pm GMT

CVE-2019-19872

An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. The AprolLoader could be used to inject and execute arbitrary unintended commands via an unspecified attack scenario, a different vulnerability than CVE-2019-16364.

Source: National Vulnerability Database | 27 Nov 2020 | 3:15 pm GMT

CVE-2019-19869

An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. PVs could be changed (unencrypted) by using the IosHttp service and the JSON interface.

Source: National Vulnerability Database | 27 Nov 2020 | 3:15 pm GMT

CVE-2020-25738

CyberArk Endpoint Privilege Manager (EPM) 11.1.0.173 allows attackers to bypass a Credential Theft protection mechanism by injecting a DLL into a process that normally has credential access, such as a Chrome process that reads credentials from a SQLite database.

Source: National Vulnerability Database | 27 Nov 2020 | 6:15 am GMT

CVE-2020-29145

In Ericsson BSCS iX R18 Billing & Rating iX R18, ADMX is a web-based module in BSCS iX that is vulnerable to stored XSS via the name or description field to a solutionUnitServlet?SuName=UserReferenceDataSU Access Rights Group. In most test cases, session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admins' browsers by using the beef framework.

Source: National Vulnerability Database | 27 Nov 2020 | 4:15 am GMT

CVE-2020-29144

In Ericsson BSCS iX R18 Billing & Rating iX R18, MX is a web-based module in BSCS iX that is vulnerable to stored XSS via an Alert Dashboard comment. In most test cases, session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admins' browsers by using the beef framework.

Source: National Vulnerability Database | 27 Nov 2020 | 4:15 am GMT

CVE-2020-29136

In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).

Source: National Vulnerability Database | 27 Nov 2020 | 2:15 am GMT

CVE-2020-29137

cPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577).

Source: National Vulnerability Database | 27 Nov 2020 | 2:15 am GMT

CVE-2020-29135

cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).

Source: National Vulnerability Database | 27 Nov 2020 | 2:15 am GMT

CVE-2020-29133

jsp/upload.jsp in Coremail XT 5.0 allows XSS via an uploaded personal signature, as demonstrated by a .jpg.html filename in the signImgFile parameter.

Source: National Vulnerability Database | 27 Nov 2020 | 1:15 am GMT

CVE-2020-12262

Intelbras TIP200 60.61.75.15, TIP200LITE 60.61.75.15, and TIP300 65.61.75.15 devices allow /cgi-bin/cgiServer.exx?page= XSS.

Source: National Vulnerability Database | 27 Nov 2020 | 12:15 am GMT

CVE-2020-29129

ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.

Source: National Vulnerability Database | 26 Nov 2020 | 8:15 pm GMT

CVE-2020-29130

slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.

Source: National Vulnerability Database | 26 Nov 2020 | 8:15 pm GMT

CVE-2020-26936

Cloudera Data Engineering (CDE) before 1.1 was vulnerable to a CSRF attack.

Source: National Vulnerability Database | 26 Nov 2020 | 7:15 pm GMT

CVE-2020-29043

An issue was discovered in BigBlueButton through 2.2.29. When an attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name.

Source: National Vulnerability Database | 26 Nov 2020 | 6:15 pm GMT

CVE-2020-29042

An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code.

Source: National Vulnerability Database | 26 Nov 2020 | 6:15 pm GMT

CVE-2020-27207

Zetetic SQLCipher 4.x before 4.4.1 has a use-after-free, related to sqlcipher_codec_pragma and sqlite3Strlen30 in sqlite3.c. A remote denial of service attack can be performed. For example, a SQL injection can be used to execute the crafted SQL command sequence. After that, some unexpected RAM data is read.

Source: National Vulnerability Database | 26 Nov 2020 | 5:15 pm GMT

CVE-2020-27662 (glpi)

In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).

Source: National Vulnerability Database | 26 Nov 2020 | 5:15 pm GMT

CVE-2020-27663 (glpi)

In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).

Source: National Vulnerability Database | 26 Nov 2020 | 5:15 pm GMT

CVE-2020-29065

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2020. Notes: none.

Source: National Vulnerability Database | 26 Nov 2020 | 5:15 pm GMT

CVE-2020-13886

Intelbras TIP 200 60.61.75.15, TIP 200 LITE 60.61.75.15, and TIP 300 65.61.75.22 devices allow cgi-bin/cgiServer.exx?page=../ Directory Traversal.

Source: National Vulnerability Database | 26 Nov 2020 | 5:15 pm GMT

CVE-2020-7779

All versions of package djvalidator are vulnerable to Regular Expression Denial of Service (ReDoS) by sending crafted invalid emails - for example, --@------------------------------------------------------------------------------------------------------------------------!.

Source: National Vulnerability Database | 26 Nov 2020 | 11:15 am GMT

CVE-2020-7778

This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.

Source: National Vulnerability Database | 26 Nov 2020 | 11:15 am GMT

CVE-2020-29128

petl before 1.68, in some configurations, allows resolution of entities in an XML document.

Source: National Vulnerability Database | 26 Nov 2020 | 5:15 am GMT

CVE-2020-27251

A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.

Source: National Vulnerability Database | 26 Nov 2020 | 2:15 am GMT

CVE-2020-27253

A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to specifically craft a malicious packet resulting in a denial-of-service condition on the device.

Source: National Vulnerability Database | 26 Nov 2020 | 2:15 am GMT

CVE-2020-27255

A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious set attribute requests, which could result in the leaking of sensitive information. This information disclosure could lead to the bypass of address space layout randomization (ASLR).

Source: National Vulnerability Database | 26 Nov 2020 | 2:15 am GMT

CVE-2020-25652

A flaw was found in the spice-vdagentd daemon, where it did not properly handle client connections that can be established via the UNIX domain socket in `/run/spice-vdagentd/spice-vdagent-sock`. Any unprivileged local guest user could use this flaw to prevent legitimate agents from connecting to the spice-vdagentd daemon, resulting in a denial of service. The highest threat from this vulnerability is to system availability. This flaw affects spice-vdagent versions 0.20 and prior.

Source: National Vulnerability Database | 26 Nov 2020 | 2:15 am GMT

CVE-2020-25651

A flaw was found in the SPICE file transfer protocol. File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Active file transfers from other users could also be interrupted, resulting in a denial of service. The highest threat from this vulnerability is to data confidentiality as well as system availability. This flaw affects spice-vdagent versions 0.20 and prior.

Source: National Vulnerability Database | 26 Nov 2020 | 2:15 am GMT

CVE-2020-25653

A race condition vulnerability was found in the way the spice-vdagentd daemon handled new client connections. This flaw may allow an unprivileged local guest user to become the active agent for spice-vdagentd, possibly resulting in a denial of service or information leakage from the host. The highest threat from this vulnerability is to data confidentiality as well as system availability. This flaw affects spice-vdagent versions 0.20 and prior.

Source: National Vulnerability Database | 26 Nov 2020 | 2:15 am GMT

CVE-2020-29074

scan.c in x11vnc 0.9.16 uses IPC_CREAT|0777 in shmget calls, which allows access by actors other than the current user.

Source: National Vulnerability Database | 25 Nov 2020 | 11:15 pm GMT

CVE-2020-14190

Affected versions of Atlassian Fisheye/Crucible allow remote attackers to achieve Regex Denial of Service via user-supplied regex in EyeQL. The affected versions are before version 4.8.4.

Source: National Vulnerability Database | 25 Nov 2020 | 11:15 pm GMT

CVE-2020-14191

Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the MessageBundleResource within Atlassian Gadgets. The affected versions are before version 4.8.4.

Source: National Vulnerability Database | 25 Nov 2020 | 10:15 pm GMT

CVE-2020-29070 (oscommerce)

osCommerce 2.3.4.1 has an XSS vulnerability via an authenticated user entering the XSS payload into the title section of newsletters.

Source: National Vulnerability Database | 25 Nov 2020 | 8:15 pm GMT

CVE-2020-26212

GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. Steps to reproduce the behavior: 1. Create a new planning with 'eduardo.mozart' user (from 'IT' group that belongs to 'Super-admin') in its personal planning at 'Assistance' > 'Planning'. 2. Copy the CalDAV URL and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL. 3. Enter the username and password of any valid user (e.g. 'camila' from 'Proativa' group). 4. 'Camila' has read-only access to 'eduardo.mozart' personal planning. The same behavior happens with any group. E.g. 'Camila' has access to 'IT' group planning, even if she doesn't belong to this group and has a 'Self-service' profile permission. This issue is fixed in version 9.5.3. As a workaround, one can remove the `caldav.php` file to block access to the CalDAV server.

Source: National Vulnerability Database | 25 Nov 2020 | 5:15 pm GMT

CVE-2020-26243

Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and 0.3.9.7, decoding a specifically formed message can leak memory if dynamic allocation is enabled and a oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is parsed. This is fixed in versions 0.3.9.7 and 0.4.4. The following workarounds are available: 1) Set the option `no_unions` for the oneof field. This will generate the fields separately instead of as a C union, and avoids triggering the problematic code. 2) Set the type of the submessage field inside the oneof to `FT_POINTER`. This way the whole submessage will be dynamically allocated and the problematic code is not executed. 3) Use an arena allocator for nanopb, to make sure all memory can be released afterwards.

Source: National Vulnerability Database | 25 Nov 2020 | 5:15 pm GMT

CVE-2020-25650

A flaw was found in the way the spice-vdagentd daemon handled file transfers from the host system to the virtual machine. Any unprivileged local guest user with access to the UNIX domain socket path `/run/spice-vdagentd/spice-vdagent-sock` could use this flaw to perform a memory denial of service for spice-vdagentd or even other processes in the VM system. The highest threat from this vulnerability is to system availability. This flaw affects spice-vdagent versions 0.20 and previous versions.

Source: National Vulnerability Database | 25 Nov 2020 | 3:15 pm GMT

CVE-2020-29071

An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving sensitive information about encrypted e-mails, depending on the permissions of the target user.

Source: National Vulnerability Database | 25 Nov 2020 | 3:15 am GMT

CVE-2020-29072

A Cross-Site Script Inclusion vulnerability was found on LiquidFiles before 3.3.19. This client-side attack requires user interaction (opening a link) and successful exploitation could lead to encrypted e-mail content leakage via messages/sent?format=js and popup?format=js.

Source: National Vulnerability Database | 25 Nov 2020 | 3:15 am GMT

CVE-2020-26242

Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.18, there is a Denial-of-service (crash) during block processing. This is fixed in 1.9.18.

Source: National Vulnerability Database | 25 Nov 2020 | 2:15 am GMT

CVE-2020-26241

Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. An attacker could deploy a contract that writes X to an EVM memory region R, then calls 0x00..04 with R as an argument, then overwrites R to Y, and finally invokes the RETURNDATACOPY opcode. When this contract is invoked, a consensus-compliant node would push X on the EVM stack, whereas Geth would push Y. This is fixed in version 1.9.17.

Source: National Vulnerability Database | 25 Nov 2020 | 2:15 am GMT

CVE-2020-26240

Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners; non-mining nodes are unaffected. This issue is fixed as of 1.9.24.

Source: National Vulnerability Database | 25 Nov 2020 | 2:15 am GMT

CVE-2020-26238

Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them. In cron-utils before version 9.1.3, a template Injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched in version 9.1.3.

Source: National Vulnerability Database | 25 Nov 2020 | 12:15 am GMT

CVE-2020-29069

_get_flag_ip_localdb in server/mhn/ui/utils.py in Modern Honey Network (MHN) through 2020-11-23 allows attackers to cause a denial-of-service via an IP address that is absent from a local geolocation database, because the code tries to uppercase a return value even if that value is not a string.

Source: National Vulnerability Database | 25 Nov 2020 | 12:15 am GMT

CVE-2020-26237

Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable. The pollution should just be harmless data but this can cause problems for applications not expecting these properties to exist and can result in strange behavior or application crashes, i.e. a potential DOS vector. If your website or application does not render user provided data it should be unaffected. Versions 9.18.2 and 10.1.2 and newer include fixes for this vulnerability. If you are using version 7 or 8 you are encouraged to upgrade to a newer release.

Source: National Vulnerability Database | 24 Nov 2020 | 11:15 pm GMT

CVE-2020-26235

In the Rust time crate from version 0.2.7 and before version 0.2.23, Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions. The affected functions are time::UtcOffset::local_offset_at, time::UtcOffset::try_local_offset_at, time::UtcOffset::current_local_offset, time::UtcOffset::try_current_local_offset, time::OffsetDateTime::now_local and time::OffsetDateTime::try_now_local. Non-Unix targets are unaffected. This includes Windows and wasm. The issue was introduced in version 0.2.7 and fixed in version 0.2.23.

Source: National Vulnerability Database | 24 Nov 2020 | 10:15 pm GMT

CVE-2020-29062 (72408a_firmware, 9008a_firmware, 9016a_firmware, 92408a_firmware, 92416a_firmware, 9288_firmware, 97016_firmware, 97024p_firmware, 97028p_firmware, 97042p_firmware, 97084p_firmware, 97168p_firmware, fd1002s_firmware, fd1104_firmware, fd1104b_firmware, fd1104s_firmware, fd1104sn_firmware, fd1108s_firmware, fd1204s-r2_firmware, fd1204sn-r2_firmware, fd1204sn_firmware, fd1208s-r2_firmware, fd1216s-r1_firmware, fd1608gs_firmware, fd1608sn_firmware, fd1616gs_firmware, fd1616sn_firmware, fd8000_firmware)

An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. There is a default blank password for the guest account.

Source: National Vulnerability Database | 24 Nov 2020 | 9:15 pm GMT

CVE-2020-29060 (72408a_firmware, 9008a_firmware, 9016a_firmware, 92408a_firmware, 92416a_firmware, 9288_firmware, 97016_firmware, 97024p_firmware, 97028p_firmware, 97042p_firmware, 97084p_firmware, 97168p_firmware, fd1002s_firmware, fd1104_firmware, fd1104b_firmware, fd1104s_firmware, fd1104sn_firmware, fd1108s_firmware, fd1204s-r2_firmware, fd1204sn-r2_firmware, fd1204sn_firmware, fd1208s-r2_firmware, fd1216s-r1_firmware, fd1608gs_firmware, fd1608sn_firmware, fd1616gs_firmware, fd1616sn_firmware, fd8000_firmware)

An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. There is a default debug124 password for the debug account.

Source: National Vulnerability Database | 24 Nov 2020 | 9:15 pm GMT

CVE-2020-29061 (72408a_firmware, 9008a_firmware, 9016a_firmware, 92408a_firmware, 92416a_firmware, 9288_firmware, 97016_firmware, 97024p_firmware, 97028p_firmware, 97042p_firmware, 97084p_firmware, 97168p_firmware, fd1002s_firmware, fd1104_firmware, fd1104b_firmware, fd1104s_firmware, fd1104sn_firmware, fd1108s_firmware, fd1204s-r2_firmware, fd1204sn-r2_firmware, fd1204sn_firmware, fd1208s-r2_firmware, fd1216s-r1_firmware, fd1608gs_firmware, fd1608sn_firmware, fd1616gs_firmware, fd1616sn_firmware, fd8000_firmware)

An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. There is a default root126 password for the root account.

Source: National Vulnerability Database | 24 Nov 2020 | 9:15 pm GMT

CVE-2020-29059 (72408a_firmware, 9008a_firmware, 9016a_firmware, 92408a_firmware, 92416a_firmware, 9288_firmware, 97016_firmware, 97024p_firmware, 97028p_firmware, 97042p_firmware, 97084p_firmware, 97168p_firmware, fd1002s_firmware, fd1104_firmware, fd1104b_firmware, fd1104s_firmware, fd1104sn_firmware, fd1108s_firmware, fd1204s-r2_firmware, fd1204sn-r2_firmware, fd1204sn_firmware, fd1208s-r2_firmware, fd1216s-r1_firmware, fd1608gs_firmware, fd1608sn_firmware, fd1616gs_firmware, fd1616sn_firmware, fd8000_firmware)

An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. There is a default panger123 password for the suma123 account for certain old firmware.

Source: National Vulnerability Database | 24 Nov 2020 | 9:15 pm GMT

CVE-2020-29063 (72408a_firmware, 9008a_firmware, 9016a_firmware, 92408a_firmware, 92416a_firmware, 9288_firmware, 97016_firmware, 97024p_firmware, 97028p_firmware, 97042p_firmware, 97084p_firmware, 97168p_firmware, fd1002s_firmware, fd1104_firmware, fd1104b_firmware, fd1104s_firmware, fd1104sn_firmware, fd1108s_firmware, fd1204s-r2_firmware, fd1204sn-r2_firmware, fd1204sn_firmware, fd1208s-r2_firmware, fd1216s-r1_firmware, fd1608gs_firmware, fd1608sn_firmware, fd1616gs_firmware, fd1616sn_firmware, fd8000_firmware)

An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. A custom encryption algorithm is used to store encrypted passwords. This algorithm will XOR the password with the hardcoded *j7a(L#yZ98sSd5HfSgGjMj8;Ss;d)(*&^#@$a2s0i3g value.

Source: National Vulnerability Database | 24 Nov 2020 | 9:15 pm GMT

CVE-2015-9550

An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. By sending a specific hel,xasf packet to the WAN interface, it is possible to open the web management interface on the WAN interface.

Source: National Vulnerability Database | 24 Nov 2020 | 9:15 pm GMT

CVE-2020-29058 (72408a_firmware, 9008a_firmware, 9016a_firmware, 92408a_firmware, 92416a_firmware, 9288_firmware, 97016_firmware, 97024p_firmware, 97028p_firmware, 97042p_firmware, 97084p_firmware, 97168p_firmware, fd1002s_firmware, fd1104_firmware, fd1104b_firmware, fd1104s_firmware, fd1104sn_firmware, fd1108s_firmware, fd1204s-r2_firmware, fd1204sn-r2_firmware, fd1204sn_firmware, fd1208s-r2_firmware, fd1216s-r1_firmware, fd1608gs_firmware, fd1608sn_firmware, fd1616gs_firmware, fd1616sn_firmware, fd8000_firmware)

An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. Attackers can discover cleartext web-server credentials via certain /opt/lighttpd/web/cgi/ requests.

Source: National Vulnerability Database | 24 Nov 2020 | 9:15 pm GMT

CVE-2020-29055 (72408a_firmware, 9008a_firmware, 9016a_firmware, 92408a_firmware, 92416a_firmware, 9288_firmware, 97016_firmware, 97024p_firmware, 97028p_firmware, 97042p_firmware, 97084p_firmware, 97168p_firmware, fd1002s_firmware, fd1104_firmware, fd1104b_firmware, fd1104s_firmware, fd1104sn_firmware, fd1108s_firmware, fd1204s-r2_firmware, fd1204sn-r2_firmware, fd1204sn_firmware, fd1208s-r2_firmware, fd1216s-r1_firmware, fd1608gs_firmware, fd1608sn_firmware, fd1616gs_firmware, fd1616sn_firmware, fd8000_firmware)

An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. By default, the appliance can be managed remotely only with HTTP, telnet, and SNMP. It doesn't support SSL/TLS for HTTP or SSH. An attacker can intercept passwords sent in cleartext and conduct man-in-the-middle attacks on the management of the appliance.

Source: National Vulnerability Database | 24 Nov 2020 | 9:15 pm GMT

CVE-2020-26232

Jupyter Server before version 1.0.6 has an Open redirect vulnerability. A maliciously crafted link to a jupyter server could redirect the browser to a different website. All jupyter servers are technically affected, however, these maliciously crafted links can only be reasonably made for known jupyter server hosts. A link to your jupyter server may appear safe, but ultimately redirect to a spoofed server on the public internet.

Source: National Vulnerability Database | 24 Nov 2020 | 9:15 pm GMT

CVE-2020-29054 (72408a_firmware, 9008a_firmware, 9016a_firmware, 92408a_firmware, 92416a_firmware, 9288_firmware, 97016_firmware, 97024p_firmware, 97028p_firmware, 97042p_firmware, 97084p_firmware, 97168p_firmware, fd1002s_firmware, fd1104_firmware, fd1104b_firmware, fd1104s_firmware, fd1104sn_firmware, fd1108s_firmware, fd1204s-r2_firmware, fd1204sn-r2_firmware, fd1204sn_firmware, fd1208s-r2_firmware, fd1216s-r1_firmware, fd1608gs_firmware, fd1608sn_firmware, fd1616gs_firmware, fd1616sn_firmware, fd8000_firmware)

An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. Attackers can use "show system infor" to discover cleartext TELNET credentials.

Source: National Vulnerability Database | 24 Nov 2020 | 9:15 pm GMT

CVE-2020-29056 (72408a_firmware, 9008a_firmware, 9016a_firmware, 92408a_firmware, 92416a_firmware, 9288_firmware, 97016_firmware, 97024p_firmware, 97028p_firmware, 97042p_firmware, 97084p_firmware, 97168p_firmware, fd1002s_firmware, fd1104_firmware, fd1104b_firmware, fd1104s_firmware, fd1104sn_firmware, fd1108s_firmware, fd1204s-r2_firmware, fd1204sn-r2_firmware, fd1204sn_firmware, fd1208s-r2_firmware, fd1216s-r1_firmware, fd1608gs_firmware, fd1608sn_firmware, fd1616gs_firmware, fd1616sn_firmware, fd8000_firmware)

An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. One can escape from a shell and acquire root privileges by leveraging the TFTP download configuration.

Source: National Vulnerability Database | 24 Nov 2020 | 9:15 pm GMT

CVE-2020-29057 (72408a_firmware, 9008a_firmware, 9016a_firmware, 92408a_firmware, 92416a_firmware, 9288_firmware, 97016_firmware, 97024p_firmware, 97028p_firmware, 97042p_firmware, 97084p_firmware, 97168p_firmware, fd1002s_firmware, fd1104_firmware, fd1104b_firmware, fd1104s_firmware, fd1104sn_firmware, fd1108s_firmware, fd1204s-r2_firmware, fd1204sn-r2_firmware, fd1204sn_firmware, fd1208s-r2_firmware, fd1216s-r1_firmware, fd1608gs_firmware, fd1608sn_firmware, fd1616gs_firmware, fd1616sn_firmware, fd8000_firmware)

An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. It allows remote attackers to cause a denial of service (reboot) by sending random bytes to the telnet server on port 23, aka a "shawarma" attack.

Source: National Vulnerability Database | 24 Nov 2020 | 9:15 pm GMT

CVE-2015-9551

An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. There is Remote Code Execution in the management interface via the formSysCmd sysCmd parameter.

Source: National Vulnerability Database | 24 Nov 2020 | 9:15 pm GMT

CVE-2020-25159

499ES EtherNet/IP (ENIP) Adaptor Source Code is vulnerable to a stack-based buffer overflow, which may allow an attacker to send a specially crafted packet that may result in a denial-of-service condition or code execution.

Source: National Vulnerability Database | 24 Nov 2020 | 8:15 pm GMT

CVE-2020-29053 (hrsale)

HRSALE 2.0.0 allows XSS via the admin/project/projects_calendar set_date parameter.

Source: National Vulnerability Database | 24 Nov 2020 | 8:15 pm GMT

CVE-2020-25654

An ACL bypass flaw was found in pacemaker before 1.1.24-rc1 and 2.0.5-rc2. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that ACLs would have prevented them from doing if they had gone through the configuration.

Source: National Vulnerability Database | 24 Nov 2020 | 8:15 pm GMT

CVE-2020-28329

Barco wePresent WiPG-1600W firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19.

Source: National Vulnerability Database | 24 Nov 2020 | 8:15 pm GMT

CVE-2020-28330

Barco wePresent WiPG-1600W devices have Unprotected Transport of Credentials. Affected Version(s): 2.5.1.8. An attacker armed with hardcoded API credentials (retrieved by exploiting CVE-2020-28329) can issue an authenticated query to display the admin password for the main web user interface listening on port 443/tcp of a Barco wePresent WiPG-1600W device.

Source: National Vulnerability Database | 24 Nov 2020 | 7:15 pm GMT

CVE-2020-28333

Barco wePresent WiPG-1600W devices allow Authentication Bypass. Affected Version(s): 2.5.1.8. The Barco wePresent WiPG-1600W web interface does not use session cookies for tracking authenticated sessions. Instead, the web interface uses a "SEID" token that is appended to the end of URLs in GET requests. Thus the "SEID" would be exposed in web proxy logs and browser history. An attacker that is able to capture the "SEID" and originate requests from the same IP address (via a NAT device or web proxy) would be able to access the user interface of the device without having to know the credentials.

Source: National Vulnerability Database | 24 Nov 2020 | 7:15 pm GMT

CVE-2020-28332

Barco wePresent WiPG-1600W devices download code without an Integrity Check. Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19. The Barco wePresent WiPG-1600W firmware does not perform verification of digitally signed firmware updates and is susceptible to processing and installing modified/malicious images.

Source: National Vulnerability Database | 24 Nov 2020 | 7:15 pm GMT

CVE-2020-28334

Barco wePresent WiPG-1600W devices use Hard-coded Credentials (issue 2 of 2). Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19. The Barco wePresent WiPG-1600W device has a hardcoded root password hash included in the firmware image. Exploiting CVE-2020-28329, CVE-2020-28330 and CVE-2020-28331 could potentially be used in a simple and automated exploit chain to go from unauthenticated remote attacker to root shell.

Source: National Vulnerability Database | 24 Nov 2020 | 7:15 pm GMT

CVE-2020-25640

A flaw was discovered in WildFly before 21.0.0.Final where the resource adapter logs the plaintext JMS password at warning level on a connection error, inserting sensitive information into the log file.

Source: National Vulnerability Database | 24 Nov 2020 | 7:15 pm GMT
