Monthly Archive: December 2019

The UBSexToken() function of a smart contract implementation for Business Alliance Financial Circle (BAFC), an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function is public (by...

GeniXCMS 1.1.5 has XSS via the dbuser or dbhost parameter during step 1 of installation. Date published : 2019-12-31 http://packetstormsecurity.com/files/151006/GeniXCMS-1.1.5-Cross-Site-Scripting.html https://github.com/semplon/GeniXCMS/issues/88

An issue was discovered in rovinbhandari FTP through 2012-03-28. receive_file in file_transfer_functions.c allows remote attackers to cause a denial of service (daemon crash) via a 0xffff datalen field value. Date published : 2019-12-31 https://packetstormsecurity.com/files/152058/robinbhandari-FTP-Remote-Denial-Of-Service.html

FiberHome an5506-04-f RP2669 devices have XSS. Date published : 2019-12-31 https://packetstormsecurity.com/files/151959/Fiberhome-AN5506-04-F-RP2669-Cross-Site-Scripting.html https://www.exploit-db.com/exploits/46498

In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI. Date published : 2019-12-31 https://packetstormsecurity.com/files/151944/Craft-CMS-3.1.12-Pro-Cross-Site-Scripting.html https://www.exploit-db.com/exploits/46496

Bolt 3.6.4 has XSS via the slug, teaser, or title parameter to editcontent/pages, a related issue to CVE-2017-11128 and CVE-2018-19933. Date published : 2019-12-31 https://packetstormsecurity.com/files/151943/Bold-CMS-3.6.4-Cross-Site-Scripting.html https://www.exploit-db.com/exploits/46495

PRTG Network Monitor v7.1.3.3378 allows XSS via the /search.htm searchtext parameter. NOTE: This product is discontinued. Date published : 2019-12-31 https://packetstormsecurity.com/files/151925/PRTG-Network-Monitor-7.1.3.3378-Cross-Site-Scripting.html https://seclists.org/fulldisclosure/2019/Mar/3

PRTG Network Monitor v7.1.3.3378 allows XSS via the /public/login.htm errormsg or loginurl parameter. NOTE: This product is discontinued. Date published : 2019-12-31 https://packetstormsecurity.com/files/151925/PRTG-Network-Monitor-7.1.3.3378-Cross-Site-Scripting.html https://seclists.org/fulldisclosure/2019/Mar/3

The com.unity3d.kharma protocol handler in Unity Editor 2018.3 allows remote attackers to execute arbitrary code. Date published : 2019-12-31 https://unity3d.com/security#CVE-2019-9197 https://www.zerodayinitiative.com/advisories/ZDI-19-252/

A directory traversal and local file inclusion vulnerability in FPProducerInternetServer.exe in Ricoh MarcomCentral, formerly PTI Marketing, FusionPro VDP before 10.0 allows a remote attacker to list or enumerate sensitive contents of files. Furthermore, this...

An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. An exposed service allows an unauthenticated person to retrieve internal information from the system and modify the product installation. Date published :...

Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when the device retrieves updates scripts from the internet. Date published...

An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_char_content() tries to use realloc on a block that was not allocated, leading to an invalid free and segmentation fault. Date published :...

An issue was discovered in ezXML 0.8.3 through 0.8.6. The ezxml_parse_* functions mishandle XML entities, leading to an infinite loop in which memory allocations occur. Date published : 2019-12-31 https://sourceforge.net/p/ezxml/bugs/16/