Monthly Archive: September 2019

In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service...

Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content/posts/comments. Date published : 2019-09-25 https://github.com/halo-dev/halo/issues/311

Ubiquiti EdgeMAX devices before 2.0.3 allow remote attackers to cause a denial of service (disk consumption) because *.cache files in /var/run/beaker/container_file/ are created when providing a valid length payload of 249 characters or fewer...

In IrfanView 4.53, Data from a Faulting Address controls a subsequent Write Address starting at image00400000+0x000000000001dcfc. Date published : 2019-09-25 https://github.com/cribdragg3r/offensive_research/blob/master/bugs/irfanview/0x000000000001dcfc.adoc

runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory....

An issue was discovered in the string-interner crate before 0.7.1 for Rust. It allows attackers to read from memory locations associated with dangling pointers, because of a cloning flaw. Date published : 2019-09-25 https://rustsec.org/advisories/RUSTSEC-2019-0023.html

An issue was discovered in the portaudio-rs crate through 0.3.1 for Rust. There is a use-after-free with resultant arbitrary code execution because of a lack of unwind safety in stream_callback and stream_finished_callback. Date published...

An issue was discovered in the linea crate through 0.9.4 for Rust. There is double free in the Matrix::zip_elements method. Date published : 2019-09-25 https://rustsec.org/advisories/RUSTSEC-2019-0021.html

emlog through 6.0.0beta has an arbitrary file deletion vulnerability via an admin/data.php?action=dell_all_bak request with directory traversal sequences in the bak[] parameter. Date published : 2019-09-25 https://github.com/emlog/emlog/issues/48

HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file parameter to admin/index.php/database/ajax?action=delete, a similar issue to CVE-2018-16774. (If the attacker deletes config.php and visits install/index.php, they can reinstall the product.) Date...

In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup. Date published : 2019-09-25 https://seclists.org/bugtraq/2019/Oct/32 https://www.debian.org/security/2019/dsa-4545

pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value. Date published : 2019-09-25 http://packetstormsecurity.com/files/154587/pfSense-2.3.4-2.4.4-p3-Remote-Code-Injection.html https://github.com/pfsense/pfsense/commits/master

The Text-to-speech Engine (aka SamsungTTS) application before 3.0.02.7 and 3.0.00.101 for Android allows a local attacker to escalate privileges, e.g., to system privileges. The Samsung case ID is 101755. Date published : 2019-09-25 http://packetstormsecurity.com/files/154614/Samsung-Mobile-Android-SamsungTTS-Privilege-Escalation.html...

SQL injection vulnerabilities in Centreon through 19.04 allow attacks via the svc_id parameter in include/monitoring/status/Services/xml/makeXMLForOneService.php. Date published : 2019-09-25 https://github.com/centreon/centreon/pull/7862 https://github.com/centreon/centreon/releases