A command injection vulnerability in maintenance.cgi in Mutiny "Monitoring Appliance" before 6.1.0-5263 allows authenticated users, with access to the admin interface, to inject arbitrary commands within the filename of a system upgrade upload. Date...
An issue was discovered in Auth0 auth0-aspnet and auth0-aspnet-owin. Affected packages do not use or validate the state parameter of the OAuth 2.0 and OpenID Connect protocols. This leaves applications vulnerable to CSRF attacks...
In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call. Date published : 2018-08-28...
Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before...
The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and...
An issue was discovered in post2file.php in Up.Time Monitoring Station 7.5.0 (build 16) and 7.4.0 (build 13). It allows an attacker to upload an arbitrary file, such as a .php file that can execute...
A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and...
An exploitable information disclosure vulnerability exists in the crash handler of the hubCore binary of the Samsung SmartThings Hub STH-ETH-250 – Firmware version 0.20.17. When hubCore crashes, Google Breakpad is used to record minidumps,...
An exploitable vulnerability exists in the remote servers of Samsung SmartThings Hub STH-ETH-250 – Firmware version 0.20.17. The hubCore process listens on port 39500 and relays any unauthenticated messages to SmartThings’ remote servers, which...
An exploitable buffer overflow vulnerability exists in the camera ‘update’ feature of video-core’s HTTP server of Samsung SmartThings Hub STH-ETH-250 – Firmware version 0.20.17. The video-core process incorrectly extracts fields from a user-controlled JSON...
An exploitable buffer overflow vulnerability exists in the /cameras/XXXX/clips handler of video-core’s HTTP server of Samsung SmartThings Hub STH-ETH-250 – Firmware version 0.20.17. The video-core process incorrectly extracts fields from a user-controlled JSON payload,...