CVE-2019-0319
The SAP Gateway, versions 7.5, 7.51, 7.52 and 7.53, allows an attacker to inject content which is displayed in the form of an error message. An attacker could thus mislead a user to believe...
Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be restricted. Date published : 2019-07-10 http://www.securityfocus.com/bid/109069...
SAPUI5 and OpenUI5, before versions 1.38.39, 1.44.39, 1.52.25, 1.60.6 and 1.63.0, do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. Date published : 2019-07-10 http://www.securityfocus.com/bid/109077 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575
An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver file szkg64.sys contains an Arbitrary Write vulnerability due to not validating the output buffer address value from IOCtl 0x8000205F. Date published : 2019-07-09 https://www.greyhathacker.net...
Intuit Lacerte 2017 has Incorrect Access Control. Date published : 2019-07-09 https://themikewylie.com/2019/05/21/intuit-lacerte-vulnerability-and-data-exposure-cve-2018-11338-cve-2018-14833/ Intuit Lacerte Vulnerability and Data Exposure CVE-2018-11338 & CVE-2018-14833
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6. Date published...
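Added example (not from the feed entry above or the jackson-databind project) contrasting the configuration this class of bug depends on, global default typing applied to untrusted JSON, with an allow-listed `PolymorphicTypeValidator`. It assumes jackson-databind 2.10 or later, where `activateDefaultTyping` and `BasicPolymorphicTypeValidator` exist; the `com.example.app.` package prefix and the `Envelope` class are assumptions, and the constructed input uses a harmless `java.util.HashMap` type id in the position a gadget class would occupy (no gadget is included).

```java
// Added example, not code from the CVE entry or from jackson-databind.
// Assumes jackson-databind >= 2.10 on the classpath.
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    /** Assumed DTO: an Object-typed field is exactly where default typing honours an attacker-supplied type id. */
    public static class Envelope {
        public String id;
        public Object payload;
    }

    /** Vulnerable pattern: global default typing; any class name carried in the JSON is resolved and instantiated. */
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return m;
    }

    /** Hardened pattern: only subtypes under our own (assumed) package may appear as polymorphic type ids. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.") // assumed application package prefix
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /** Returns true if the mapper refused the type id, false if it resolved and instantiated the class. */
    static boolean rejectsForeignTypeId(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Envelope.class);
            return false;
        } catch (JsonProcessingException e) {
            // With a denying validator Jackson raises InvalidTypeIdException (a JsonProcessingException).
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed input: the attacker chooses the type id. java.util.HashMap is harmless here;
        // a gadget class would sit in the same position.
        String json = "{\"id\":\"1\",\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";
        System.out.println("vulnerable mapper rejects type id: " + rejectsForeignTypeId(vulnerableMapper(), json));
        System.out.println("hardened mapper rejects type id:   " + rejectsForeignTypeId(hardenedMapper(), json));
    }
}
```

The fixed releases named in the entry address the specific gadget; the durable mitigation is to keep default typing off for untrusted input, or, where polymorphism is required, to constrain it with an allow-listing validator as above or with explicit `@JsonTypeInfo`/`@JsonSubTypes` annotations on the types that need it.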
Mailvelope prior to 3.3.0 does not require user interaction to import public keys shown on a web page. This functionality can be tricked to either hide a key import from the user or obscure which...
Mailvelope prior to 3.3.0 allows private key operations without user interaction via its client-API. By modifying a URL parameter in Mailvelope, an attacker is able to sign (and encrypt) arbitrary messages with Mailvelope, assuming...
Mailvelope prior to 3.3.0 accepts or operates with invalid PGP public keys: Mailvelope allows importing keys that contain users without a valid self-certification. Keys that are obviously invalid are not rejected during import. An...
Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. As the settings page is intended to be accessible from web applications, the browser’s extension isolation mechanisms are disabled (web_accessible_resources)....
iart.php in XAMPP 1.7.0 has XSS, a related issue to CVE-2008-3569. Date published : 2019-07-09 http://www.securityfocus.com/bid/109120 https://blog.lucideus.com/2019/07/xampp-170-reflected-cross-site-scripting.html
Arlo Basestation firmware 1.12.0.1_27940 and prior contain a hardcoded username and password combination that allows root access to the device when a client is connected to the onboard serial (UART) interface. Date published : 2019-07-09 https://kb.arlo.com/000062274/Security-Advisory-for-Networking-Misconfiguration-and-Insufficient-UART-Protection-Mechanisms
Arlo Basestation firmware 1.12.0.1_27940 and prior contain a networking misconfiguration that allows access to restricted network interfaces. This could allow an attacker to upload or download arbitrary files and possibly execute malicious code...
The Yoast SEO plugin before 11.6-RC5 for WordPress does not properly restrict unfiltered HTML in term descriptions. Date published : 2019-07-09 https://github.com/Yoast/wordpress-seo/releases/tag/11.6-RC5 https://wpvulndb.com/vulnerabilities/9445