CVE-2019-7731
MyWebSQL 3.7 has a remote code execution (RCE) vulnerability after an attacker writes shell code into the database, and executes the Backup Database function with a .php filename for the backup’s archive file. Date...
MyWebSQL 3.7 has a Cross-site request forgery (CSRF) vulnerability for deleting a database via the /?q=wrkfrm&type=databases URI. Date published : 2019-02-11 https://github.com/eddietcc/CVEnotes/blob/master/MyWebSQL/CSRF/readme.md
PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering with it (either by direct modification or MITM attacks when using remote rulesets)...
Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function. Date published : 2019-02-11 http://www.securityfocus.com/bid/106964 https://seclists.org/bugtraq/2019/Jul/10
Certain Lexmark CX, MX, X, XC, XM, XS, and 6500e devices before 2019-02-11 allow remote attackers to erase stored shortcuts. Date published : 2019-02-11 http://support.lexmark.com/index?page=content&id=TE912
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command...
Nessus versions 8.2.1 and earlier were found to contain a stored XSS vulnerability due to improper validation of user-supplied input. An authenticated, remote attacker could potentially exploit this vulnerability via a specially crafted request...
Traq 3.7.1 allows admin/users/new CSRF to create an admin account (aka group_id=1). Date published : 2019-02-10 https://packetstormsecurity.com/files/149894
Traq 3.7.1 allows SQL Injection via a tickets?search= URI. Date published : 2019-02-10 https://packetstormsecurity.com/files/149894
admin/?/plugin/file_manager in Frog CMS 0.9.5 allows XSS by creating a new file containing a crafted attribute of an IMG element. Date published : 2019-02-10 https://github.com/philippe/FrogCMS/issues/28
Frog CMS 0.9.5 has XSS via the admin/?/snippet/edit/1 Body field. Date published : 2019-02-10 https://github.com/philippe/FrogCMS/issues/25
Frog CMS 0.9.5 provides a directory listing for a /public request. Date published : 2019-02-10 https://github.com/philippe/FrogCMS/issues/21
admin/?/plugin/file_manager in Frog CMS 0.9.5 allows PHP code execution by creating a new .php file containing PHP code, and then visiting this file under the public/ URI. Date published : 2019-02-10 https://github.com/philippe/FrogCMS/issues/27
Frog CMS 0.9.5 has XSS via the admin/?/layout/edit/1 Body field. Date published : 2019-02-10 https://github.com/philippe/FrogCMS/issues/26