CVE-2019-13346
In MyT 1.5.1, the User[username] parameter has XSS. Date published : 2019-07-17 https://www.exploit-db.com/exploits/47109
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by...
Redbrick Shift through 3.4.3 allows an attacker to extract authentication tokens of services (such as Gmail, Outlook, etc.) used in the application. Date published : 2019-07-17 https://support.tryshift.com/kb/article/206-shift-34-released-on-january-23-2019/
Redbrick Shift through 3.4.3 allows an attacker to extract emails of services (such as Gmail, Outlook, etc.) used in the application. Date published : 2019-07-17 https://support.tryshift.com/kb/article/206-shift-34-released-on-january-23-2019/
Redbrick Shift through 3.4.3 allows an attacker to extract emails of services (such as Gmail, Outlook, etc.) used in the application. Date published : 2019-07-17 https://support.tryshift.com/kb/article/206-shift-34-released-on-january-23-2019/
Redbrick Shift through 3.4.3 allows an attacker to extract authentication tokens of services (such as Gmail, Outlook, etc.) used in the application. Date published : 2019-07-17 https://support.tryshift.com/kb/article/206-shift-34-released-on-january-23-2019/
Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System. Date published : 2019-07-17 http://www.securityfocus.com/bid/109298 https://www.criticalstart.com/2019/07/manageengine-privilege-escalation/
In MicroStrategy Web before 10.4.6, there is stored XSS in metric due to insufficient input validation. Date published : 2019-07-17 https://community.microstrategy.com/s/article/Defects-and-Enhancements-Addressed-in-MicroStrategy-10-4-6-Secure-Enterprise-Platform?language=en_US https://github.com/undefinedmode/CVE-2019-12475
In Zeek Network Security Monitor (formerly known as Bro) before 2.6.2, a NULL pointer dereference in the Kerberos (aka KRB) protocol parser leads to DoS because a case-type index is mishandled. Date published :...
In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by the...
AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which may facilitate code injection and privilege elevation by local users. Date published : 2019-07-17 https://bugs.eclipse.org/bugs/show_bug.cgi?id=548055
Unsanitized user input in the web interface for Linksys WiFi extender products (RE6400 and RE6300 through 1.2.04.022) allows for remote command execution. An attacker can access system OS configurations and commands that are not...
A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information. Date published...
CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection. Date published : 2019-07-17 http://www.securityfocus.com/bid/109373 https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626