admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/…….//./…….//./ requests. Date published : 2018-09-18 http://blog.51cto.com/13770310/2173957 https://github.com/monstra-cms/monstra/issues/457
admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/…….//./…….//./&delete_file= requests. Date published : 2018-09-18 http://blog.51cto.com/13770310/2173956 https://github.com/monstra-cms/monstra/issues/456
Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory Federation Services) has an SSRF vulnerability via the txtBoxEmail parameter in /adfs/ls. Date published : 2018-09-18 http://www.securityfocus.com/bid/105378 https://seclists.org/bugtraq/2018/Sep/26
An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is system software information disclosure due to lack of authentication for /html/device-id. Date published : 2018-09-18 https://www.exploit-db.com/exploits/45384/ https://github.com/SadFud/Exploits/tree/master/Real%20World/Suites/cir-pwn-life
An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is PLC status disclosure due to lack of authentication for /html/devstat.html. Date published : 2018-09-18 https://www.exploit-db.com/exploits/45384/ https://github.com/SadFud/Exploits/tree/master/Real%20World/Suites/cir-pwn-life
An issue was discovered in CIRCONTROL Open Charge Point Protocol (OCPP) before 1.5.0, as used in CirCarLife, PowerStudio, and other products. Due to storage of credentials in XML files, an unprivileged user can look...
An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is internal installation path disclosure due to the lack of authentication for /html/repository. Date published : 2018-09-18 https://www.exploit-db.com/exploits/45384/ https://github.com/SadFud/Exploits/tree/master/Real%20World/Suites/cir-pwn-life
Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation. Date published : 2018-09-18 https://github.com/matrix-org/synapse/issues/3796#event-1833126269 https://matrix.org/blog/2018/09/06/critical-security-update-synapse-0-33-3-1/
The QBee MultiSensor Camera through 4.16.4 accepts unencrypted network traffic from clients (such as the QBee Cam application through 1.0.5 for Android and the Swisscom Home application up to 10.7.2 for Android), which results...
Accusoft PrizmDoc version 13.3 and earlier contains a Stored Cross-Site Scripting issue through a crafted PDF file. Date published : 2018-09-18 http://help.accusoft.com/PrizmDoc/v13.4/ReleaseNotes/index.htm https://medium.com/@mrnikhilsri/stored-cross-site-scripting-in-prizmdoc-13-3-and-before-cve-2018-15546-1938191845c5
An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full...
A security flaw was found in the ip_frag_reasm() function in net/ipv4/ip_fragment.c in the Linux kernel from 4.19-rc1 to 4.19-rc3 inclusive, which can cause a later system crash in ip_do_fragment(). With certain non-default, but non-rare,...
Smarty_Security::isTrustedResourceDir() in Smarty before 3.1.33 is prone to a path traversal vulnerability due to insufficient template code sanitization. This allows attackers controlling the executed template code to bypass the trusted directory security restriction and...
The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability. Date published : 2018-09-18 https://jira.atlassian.com/browse/CRUC-8312 https://jira.atlassian.com/browse/FE-7100