The ASUS Vivobaby application before 1.1.09 for Android has Missing SSL Certificate Validation. Date published : 2019-06-20 http://firstsight.me/2017/12/lack-of-binary-protection-at-asus-vivo-baby-and-hivivo-for-android-that-could-result-of-several-security-issues
In Jspxcms 9.0.0, a vulnerable URL routing implementation allows remote code execution after logging in as web admin. Date published : 2019-06-20 http://www.jspxcms.com/jspbb/question/770 https://gitee.com/jspxcms/Jspxcms/releases
A cross-site scripting (XSS) vulnerability in the View Filters page (view_filters_page.php) and Edit Filter page (manage_filter_edit_page.php) in MantisBT 2.1.0 through 2.17.0 allows remote attackers to inject arbitrary code (if CSP settings permit it) through...
A "search for user discovery" injection issue exists in Creatiwity wityCMS 0.6.2 via the "Utilisateur" menu. No input parameters are filtered, e.g., the /admin/user/users Nickname, email, firstname, lastname, and groupe parameters. Date published :...
The "utilisateur" menu in Creatiwity wityCMS 0.6.2 modifies the presence of XSS at two input points for user information, with the "first name" and "last name" parameters. Date published : 2019-06-20 https://github.com/Creatiwity/wityCMS/issues/156
In Symphony before 3.3.0, there is XSS in the Title under Post. The ID "articleTitle" of this is stored in the "articleTitle" JSON field, and executes a payload when accessing the /member/test/points URI, allowing...
b3log Solo 2.9.3 has XSS in the Input page under the "Publish Articles" menu with an ID of "articleTags" stored in the "tag" JSON field, which allows remote attackers to inject arbitrary Web scripts...
YzmCMS 5.1 has XSS via the admin/system_manage/user_config_add.html title parameter. Date published : 2019-06-20 https://github.com/yzmcms/yzmcms/issues/3
Stack-based buffer overflow in the httpd server of TP-Link WR1043nd (Firmware Version 3) allows remote attackers to execute arbitrary code via a malicious MediaServer request to /userRpm/MediaServerFoldersCfgRpm.htm. Date published : 2019-06-20 http://tp-link.com/ https://www.secsignal.org/news/exploiting-routers-just-another-tp-link-0day
A shell escape vulnerability in /webconsole/APIController in the API Configuration component of Sophos XG firewall 17.0.8 MR-8 allows remote attackers to execute arbitrary OS commands via shell metachracters in the "X-Forwarded-for" HTTP header. Date...
A shell escape vulnerability in /webconsole/Controller in Admin Portal of Sophos XG firewall 17.0.8 MR-8 allow remote authenticated attackers to execute arbitrary OS commands via shell metacharacters in the "dbName" POST parameter. Date published...
SQL injection vulnerability in AccountStatus.jsp in Admin Portal of Sophos XG firewall 17.0.8 MR-8 allow remote authenticated attackers to execute arbitrary SQL commands via the "username" GET parameter. Date published : 2019-06-20 https://community.sophos.com/kb/en-us/132637 https://github.com/klsecservices/Advisories/blob/master/KL-SOPHOS-2018-001.md
An issue was discovered in Cloudera Manager 5.x through 5.15.0. One type of page in Cloudera Manager uses a ‘returnUrl’ parameter to redirect the user to another page in Cloudera Manager once a wizard...
FreePBX 13 and 14 has SQL Injection in the DISA module via the hangup variable on the /admin/config.php?display=disa&view=form page. Date published : 2019-06-20 https://wiki.freepbx.org/display/FOP/2018-09-11+DISA+SQL+Injection Home