CVE-2018-20865
cPanel before 76.0.8 has Self XSS in the WHM Additional Backup Destination field (SEC-459). Date published: 2019-07-30 https://documentation.cpanel.net/display/CL/76+Change+Log
cPanel before 76.0.8 allows a persistent Virtual FTP account after removal of its associated domain (SEC-454). Date published: 2019-07-30 https://documentation.cpanel.net/display/CL/76+Change+Log
cPanel before 76.0.8 allows remote attackers to execute arbitrary code via mailing-list attachments (SEC-452). Date published: 2019-07-30 https://documentation.cpanel.net/display/CL/76+Change+Log
cPanel before 76.0.8 unsafely performs PostgreSQL password changes (SEC-366). Date published: 2019-07-30 https://documentation.cpanel.net/display/CL/76+Change+Log
libopenmpt before 0.3.11 allows a crash with certain malformed custom tunings in MPTM files. Date published: 2019-07-30 https://lib.openmpt.org/libopenmpt/2018/07/28/security-updates-0.3.11-0.2.10635-beta34-0.2.7561-beta20.5-p10-0.2.7386-beta20.3-p13/ http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00085.html
libopenmpt before 0.3.13 allows a crash with malformed MED files. Date published: 2019-07-30 https://lib.openmpt.org/libopenmpt/2018/10/21/security-updates-0.3.13-0.2.10933-beta36-0.2.7561-beta20.5-p11-0.2.7386-beta20.3-p14/ http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00085.html
edx-platform before 2018-07-18 allows XSS via a response to a Chemical Equation advanced problem. Date published: 2019-07-30 https://github.com/edx/edx-platform/commit/5b144559fbdba7ff673cc1c165aa2d343e07b6bd.patch https://groups.google.com/forum/#!topic/openedx-announce/wsm5mtUhhME
A flaw was found in the Linux kernel’s NFS implementation, all versions 3.x and all versions 4.x up to 4.20. An attacker, who is able to mount an exported NFS filesystem, is able to...
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to...
A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0. When specifying a trusted server CA certificate via the ‘server_ca_cert’ setting, the Ruby agent would not properly verify...
A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an...
Double Free in VLC versions
An Integer underflow in VLC Media Player versions < 3.0.7 leads to an out-of-band read. Date published: 2019-07-30 https://hackerone.com/reports/502816 http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00005.html
Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in the victim’s browser. Date published: 2019-07-30 https://hackerone.com/reports/570563