CVE-2019-10187
A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access...
A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool. Date published : 2019-07-31 http://www.securityfocus.com/bid/109175 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10186
It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to...
It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this...
It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to...
In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1_Get_Private_Dict where there is no check that the new values of cur and limit are sensible before going to Again. Date published...
The installation process in Open edX before 2017-01-10 exposes a MongoDB instance to external connections with default credentials. Date published : 2019-07-30 https://groups.google.com/forum/#%21topic/openedx-announce/jRXyo1HJzNk https://groups.google.com/forum/#%21topic/openedx-announce/mpyyx34LWSY
edx-platform before 2017-08-03 allows attackers to trigger password-reset e-mail messages in which the reset link has an attacker-controlled domain name. Date published : 2019-07-30 https://groups.google.com/forum/#%21topic/openedx-announce/QTvijt48bAY https://github.com/edx/edx-platform/pull/15773
In Univa Grid Engine before 8.6.3, when configured for Docker jobs and execd spooling on root_squash, weak file permissions ("other" write access) occur in certain cases (GE-6890). Date published : 2019-07-30 http://www.univa.com/resources/files/Release_Notes_Univa_Grid_Engine_8.6.6.pdf
The WebDAV transport feature in cPanel before 76.0.8 enables debug logging (SEC-467). Date published : 2019-07-30 https://documentation.cpanel.net/display/CL/76+Change+Log
cPanel before 76.0.8 allows arbitrary code execution in the context of the root account via dnssec adminbin (SEC-465). Date published : 2019-07-30 https://documentation.cpanel.net/display/CL/76+Change+Log
cPanel before 76.0.8 has Stored XSS in the WHM MultiPHP Manager interface (SEC-464). Date published : 2019-07-30 https://documentation.cpanel.net/display/CL/76+Change+Log
cPanel before 76.0.8 has an open redirect when resetting connections (SEC-462). Date published : 2019-07-30 https://documentation.cpanel.net/display/CL/76+Change+Log
cPanel before 76.0.8 has Stored XSS in the WHM "Reset a DNS Zone" feature (SEC-461). Date published : 2019-07-30 https://documentation.cpanel.net/display/CL/76+Change+Log