CVE-2019-8361
PHP Scripts Mall Responsive Video News Script has XSS via the Search Bar. This might, for example, be leveraged for HTML injection or URL redirection. Date published : 2019-02-16 URL redirection through HTML injection...
Themerig Find a Place CMS Directory 1.5 has SQL Injection via the find/assets/external/data_2.php cate parameter. Date published : 2019-02-16 https://packetstormsecurity.com/files/151706/Find-A-Place-CMS-Directory-1.5-SQL-Injection.html
In Hiawatha before 10.8.4, a remote attacker is able to do directory traversal if AllowDotFiles is enabled. Date published : 2019-02-16 https://www.hiawatha-webserver.org/changelog
Amazon Fire OS before 5.3.6.4 allows a man-in-the-middle attack against HTTP requests for "Terms of Use" and Privacy pages. Date published : 2019-02-16 http://www.securityfocus.com/bid/107025 Content Injection in Amazon Kindle’s FireOS [CVE-2019-7399]
Vulnerability in YingZhi Python Programming Language v1.9 allows arbitrary anonymous uploads to the phone’s storage. Date published : 2019-02-15 http://www.iphoneappstorm.com/iphone-apps/utilities/com.yingzhi.python/yingzhipython.php?id=493505744 http://www.vapidlabs.com/advisory.php?v=94
A vulnerability in Mambo CMS v4.6.5 where the scripts thumbs.php, editorFrame.php, editor.php, images.php, and manager.php disclose the root path of the webserver. Date published : 2019-02-15 http://sourceforge.net/projects/mambo/ http://www.vapidlabs.com/advisory.php?v=75
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils
Vulnerability in Easy2map-photos WordPress Plugin v1.09 MapPinImageUpload.php and MapPinIconSave.php allows path traversal through the specified file names, creating files outside of the upload directory. Date published : 2019-02-15 http://www.vapidlabs.com/advisory.php?v=130 https://wordpress.org/plugins/easy2map-photos
Vulnerability in Easy2map-photos WordPress Plugin v1.09 allows SQL Injection via the unsanitized mapTemplateName, mapName, mapSettingsXML, parentCSSXML, photoCSSXML, mapCSSXML, mapHTML, and mapID variables. Date published : 2019-02-15 http://www.vapid.dhs.org/advisory.php?v=130 https://wordpress.org/plugins/easy2map-photos
IBM QRadar SIEM 7.2 and 7.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 134177. Date published : 2019-02-15 http://www.securityfocus.com/bid/107060 https://www.ibm.com/support/docview.wss?uid=ibm10719107
IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to...
IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information...
IBM InfoSphere Information Server 11.7 could allow an authenticated user under specialized conditions to inject commands into the installation process that would execute on the WebSphere Application Server. IBM X-Force ID: 145970. Date published...
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference. Date published : 2019-02-15 https://sourceforge.net/p/sox/bugs/318 https://lists.debian.org/debian-lts-announce/2019/05/msg00040.html