SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker could run commands on the server when port 17001 was remotely accessible. This port is not accessible remotely by default...
SmarterTools SmarterMail 16.x before build 6985 allows directory traversal. An authenticated user could delete arbitrary files or could create files in new folders in arbitrary locations on the mail server. This could lead to...
SmarterTools SmarterMail 16.x before build 6985 has hardcoded secret keys. An unauthenticated attacker could access other users’ emails and file attachments. It was also possible to interact with mailing lists. Date published : 2019-04-24...
SmarterTools SmarterMail 16.x before build 6995 has stored XSS. JavaScript code could be executed on the application by opening a malicious email or when viewing a malicious file attachment. Date published : 2019-04-24 https://www.smartertools.com/smartermail/release-notes/current...
A flaw was found in the Linux kernel’s vfio interface implementation that permits violation of the user’s locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the...
Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access...
Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7, contain an invitation service that accepts HTTP. A remote unauthenticated user could listen to network...
Cloud Foundry Routing Release, all versions prior to 0.188.0, contains a vulnerability that can hijack the traffic to route services hosted outside the platform. A user with space developer permissions can create a private...
Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a...
core/classes/db_backup.php in Gila CMS 1.10.1 allows admin/db_backup?download= absolute path traversal to read arbitrary files. Date published : 2019-04-24 https://cisk123456.blogspot.com/2019/04/gila-cms-1101.html
User/Command/ConfirmEmailHandler.php in Flarum before 0.1.0-beta.8 mishandles invalidation of user email tokens. Date published : 2019-04-24 https://discuss.flarum.org/d/17745-flarum-0-1-0-beta-8-released https://github.com/flarum/core/commit/66607a56749339d50620b049701ad4d6a4dafbd7
The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS via the "New name" field in a Rename action. Date published : 2019-04-24 http://dev.cmsmadesimple.org/bug/view/12022
Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API. Date published : 2019-04-24 https://www.manageengine.com/products/self-service-password/release-notes.html#5708 https://zeroauth.ltd/blog/2019/05/26/cve-2019-11511-zoho-manageengine-adselfservice-plus-xss/
In GraphicsMagick from version 1.3.30 to 1.4 snapshot-20190403 Q8, there is a heap-based buffer overflow in the function WriteMATLABImage of coders/mat.c, which allows an attacker to cause a denial of service or possibly have...