CVE-2019-8404
An issue was discovered in Webiness Inventory 2.3. The ProductModel component allows Arbitrary File Upload via a crafted product image during the creation of a new product. Consequently, an attacker can steal information from...
qdPM 9.1 suffers from Cross-site Scripting (XSS) via configuration?type=[XSS] parameter. Date published: 2019-05-14 https://www.exploit-db.com/exploits/46398/ http://packetstormsecurity.com/files/151723/qdPM-9.1-Cross-Site-Scripting.html
qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter. Date published: 2019-05-14 https://www.exploit-db.com/exploits/46399/ http://packetstormsecurity.com/files/151723/qdPM-9.1-Cross-Site-Scripting.html
A vulnerability has been identified in SINAMICS PERFECT HARMONY GH180 with NXG I control, MLFBs: 6SR2…-, 6SR3…-, 6SR4…- (All Versions with option G28), SINAMICS PERFECT HARMONY GH180 with NXG II control, MLFBs: 6SR2…-, 6SR3…-,...
A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" – 22" (All versions < V15.1 Update 1), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (All versions < V15.1 Update 1), SIMATIC...
A vulnerability has been identified in SINAMICS PERFECT HARMONY GH180 with NXG I control, MLFBs: 6SR2…-, 6SR3…-, 6SR4…- (All Versions with option G21, G22, G23, G26, G28, G31, G32, G38, G43 or G46), SINAMICS...
An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible to force the application to perform requests to the internal workstation (port-scanning) and to perform requests to adjacent workstations (network-scanning), aka SSRF....
An issue was discovered in WSO2 API Manager 2.6.0. Uploaded documents for API documentation are available to an unauthenticated user. Date published: 2019-05-14 https://wso2.com/security-patch-releases/api-manager CERT-XLM: Security advisory
An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible to inject a JavaScript payload that will be stored in the database and then displayed and executed on the same page, aka...
An issue was discovered in WSO2 API Manager 2.6.0. It is possible to force the application to perform requests to the internal workstation (SSRF port-scanning), other adjacent workstations (SSRF network scanning), or to enumerate...
A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134,...
In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload. Date published: 2019-05-14 https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6 https://www.exploit-db.com/exploits/46839