CVE-2015-9411
The Postmatic plugin before 1.4.6 for WordPress has XSS. Date published : 2019-09-25 https://wordpress.org/plugins/postmatic/#developers https://wpvulndb.com/vulnerabilities/8183
The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS via the tab parameter. Date published : 2019-09-25 https://cybersecurityworks.com/zerodays/cve-2015-9410-blubrry.html https://github.com/cybersecurityworks/Disclosed/issues/7
The alo-easymail plugin before 2.6.01 for WordPress has CSRF with resultant XSS in pages/alo-easymail-admin-options.php. Date published : 2019-09-25 https://packetstormsecurity.com/files/133594/ https://wordpress.org/plugins/alo-easymail/#developers
An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as...
BIG-IP APM Edge Client before version 7.1.8 (7180.2019.508.705) logs the full APM session ID in the log files. Vulnerable versions of the client are bundled with BIG-IP APM versions 15.0.0-15.0.1, 14.1.0-14.1.0.6, 14.0.0-14.0.0.4, 13.0.0-13.1.1.5, 12.1.0-12.1.5,...
On versions 13.0.0-13.1.0.1, 12.1.0-12.1.4.1, 11.6.1-11.6.4, and 11.5.1-11.5.9, BIG-IP platforms where AVR, ASM, APM, PEM, AFM, and/or AAM is provisioned may leak sensitive data. Date published : 2019-09-25 https://support.f5.com/csp/article/K31152411?utm_source=f5support&utm_medium=RSS https://support.f5.com/csp/article/K31152411
On versions 14.0.0-14.1.2, 13.0.0-13.1.3, 12.1.0-12.1.5, and 11.5.1-11.6.5, the BIG-IP system fails to perform Martian Address Filtering (As defined in RFC 1812 section 5.3.7) on the control plane (management interface). This may allow attackers on...
There is a Stored Cross Site Scripting vulnerability in the undisclosed page of a BIG-IQ 6.0.0-6.1.0 or 5.2.0-5.4.0 system. The attack can be stored by users granted the Device Manager and Administrator roles. Date...
In BIG-IQ 6.0.0-6.1.0, services for stats do not require authentication nor do they implement any form of Transport Layer Security (TLS). Date published : 2019-09-25 https://support.f5.com/csp/article/K23101430?utm_source=f5support&utm_medium=RSS https://support.f5.com/csp/article/K23101430
In BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.5.1-11.6.4, BIG-IQ 7.0.0, 6.0.0-6.1.0, 5.2.0-5.4.0, iWorkflow 2.3.0, and Enterprise Manager 3.1.1, the Configuration utility login page may not follow best security practices when handling a malicious request. Date...
IBM Content Navigator 3.0CD is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a...
Advantech WebAccess/HMI Designer 2.1.9.31 has Exception Handler Chain corruption starting at Unknown Symbol @ 0x0000000000000000 called from ntdll!RtlRaiseStatus+0x00000000000000b4. Date published : 2019-09-25 http://code610.blogspot.com/2019/09/crashing-webaccesshmi-designer-21931.html
Advantech WebAccess/HMI Designer 2.1.9.31 has a User Mode Write AV starting at MSVCR90!memcpy+0x000000000000015c. Date published : 2019-09-25 http://code610.blogspot.com/2019/09/crashing-webaccesshmi-designer-21931.html
In Advantech WebAccess/HMI Designer 2.1.9.31, Data from a Faulting Address controls Code Flow starting at PM_V3!CTagInfoThreadBase::GetNICInfo+0x0000000000512918. Date published : 2019-09-25 http://code610.blogspot.com/2019/09/crashing-webaccesshmi-designer-21931.html