CVE-2019-10069
In Godot through 3.1, remote code execution is possible due to the deserialization policy not being applied correctly. Date published : 2019-05-31 https://github.com/godotengine/godot/pull/27398 https://godotengine.org/news
It is possible for an attacker with regular user access to the web application of Pydio through 8.2.2 to trick an administrator user into opening a link shared through the application, that in turn...
The ImageMagick plugin that is installed by default in Pydio through 8.2.2 does not perform the appropriate validation and sanitization of user-supplied input in the plugin’s configuration options, allowing arbitrary shell commands to...
A stored XSS vulnerability exists in the web application of Pydio through 8.2.2 that can be exploited by leveraging the file upload and file preview features of the application. An authenticated attacker can upload...
An unauthenticated attacker can obtain information about the Pydio 8.2.2 configuration including session timeout, libraries, and license information. Date published : 2019-05-31 https://www.secureauth.com/labs/advisories
The "action" get_sess_id in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value. This identifier can be reused by...
Evernote 7.9 on macOS allows attackers to execute arbitrary programs by embedding a reference to a local executable file such as the /Applications/Calculator.app/Contents/MacOS/Calculator file. Date published : 2019-05-31 https://drive.google.com/file/d/1cmWixK1vAh7oZ2y3Y3ZtVeSoTRp8c1Ts/view?usp=sharing https://evernote.com/security/updates
Synacor Zimbra Mail Client 8.6 before 8.6.0 Patch 5 has XSS via the error/warning dialog and email body content in Zimbra. Date published : 2019-05-30 https://bugzilla.zimbra.com/show_bug.cgi?id=101435 https://bugzilla.zimbra.com/show_bug.cgi?id=101436
Synacor Zimbra Collaboration Server 8.x before 8.7.0 has Reflected XSS in admin console. Date published : 2019-05-30 https://bugzilla.zimbra.com/show_bug.cgi?id=97625 https://wiki.zimbra.com/wiki/Security_Center
A local privilege escalation in Fortinet FortiClient for Windows 6.0.4 and earlier allows an attacker to execute unauthorized code or commands via the parsing of the file. Date published : 2019-05-30 https://fortiguard.com/advisory/FG-IR-18-108
A local privilege escalation in Fortinet FortiClient for Windows 6.0.4 and earlier allows attackers to execute unauthorized code or commands via the named pipe responsible for FortiClient updates. Date published : 2019-05-30 https://fortiguard.com/advisory/FG-IR-18-108
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to the yarn user can possibly run arbitrary commands as the root user. Date published : 2019-05-30...
An exploitable local privilege elevation vulnerability exists in the file system permissions of the `Temp` directory in GOG Galaxy 1.2.48.36 (Windows 64-bit Installer). An attacker can overwrite executables of the Desktop Galaxy Updater to...
An unhandled exception vulnerability exists during Google Sign-In with Google API C++ Client before 2019-04-10. It potentially causes an outage of third-party services that were not designed to recover from exceptions. On the client,...