CVE-2018-15193
A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted issue / link. Date published : 2018-08-07 https://github.com/gogs/gogs/issues/5367
An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services. Date published : 2018-08-07 https://github.com/go-gitea/gitea/issues/4624 https://github.com/gogs/gogs/issues/5366
Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial / substring in the user/login redirect_to parameter, related to the function...
In Gxlcms 2.0, a news/index.php?s=Admin-Admin-Insert CSRF attack can add an administrator account. Date published : 2018-08-07 https://gitee.com/gxlcms/gxlcms_news_system_2/issues/ILVLP
XnView 2.45 allows remote attackers to cause a denial of service (User Mode Write AV starting at MSVCR120!memcpy+0x0000000000000074 and application crash) or possibly have unspecified other impact via a crafted RLE file. Date published...
XnView 2.45 allows remote attackers to cause a denial of service (User Mode Write AV starting at Qt5Core!QVariant::~QVariant+0x0000000000000014 and application crash) or possibly have unspecified other impact via a crafted RLE file. Date published...
XnView 2.45 allows remote attackers to cause a denial of service (Read Access Violation at the Instruction Pointer and application crash) or possibly have unspecified other impact via a crafted ICO file. Date published...
Nmap through 7.70, when the -sV option is used, allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted TCP-based service. Date published : 2018-08-07 https://security.netapp.com/advisory/ntap-20200827-0004/ http://code610.blogspot.com/2018/07/crashing-nmap-760.html
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager 13 before build 13820 allows remote attackers to inject arbitrary web script or HTML via the /deleteMO.do method parameter. Date published : 2018-08-07...
A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request. Date published : 2018-08-07 https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-15168.html https://github.com/x-f1v3/ForCve/issues/2
CeLa Link CLR-M20 devices allow unauthorized users to upload any file (e.g., asp, aspx, cfm, html, jhtml, jsp, or shtml), which causes remote code execution as well. Because of the WebDAV feature, it is...
An issue was discovered in ext/standard/link_win32.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. The linkinfo function on Windows doesn’t implement the open_basedir check. This could be abused...
ThinkSAAS through 2018-07-25 has XSS via the index.php?app=group&ac=create&ts=do groupdesc parameter. Date published : 2018-08-07 https://github.com/thinksaas/ThinkSAAS/issues/18
ThinkSAAS through 2018-07-25 has XSS via the index.php?app=article&ac=comment&ts=do content parameter. Date published : 2018-08-07 https://github.com/thinksaas/ThinkSAAS/issues/16