CVE-2020-8422
An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote...
HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3. Date published : 2020-01-31 https://github.com/hashicorp/nomad/issues/7003 https://www.hashicorp.com/blog/category/nomad/
HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3. Date published : 2020-01-31 https://github.com/hashicorp/consul/issues/7160 https://www.hashicorp.com/blog/category/consul/
In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfiguration allows arbitrary file read operations over the network. This issue was fixed in 2019.3. Date published : 2020-01-31 JetBrains Security Bulletin Q4 2019
HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3. Date published : 2020-01-31 https://github.com/hashicorp/consul/issues/7159 https://www.hashicorp.com/blog/category/consul/
HashiCorp Nomad and Nomad Enterprise up to 0.10.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 0.10.3. Date published : 2020-01-31 https://github.com/hashicorp/nomad/issues/7002 https://www.hashicorp.com/blog/category/nomad/
MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory...
Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*. Date published : 2020-01-30 http://issues.roundup-tracker.org/issue2550724...
Multiple cross-site scripting (XSS) vulnerabilities in the HMS Testimonials plugin before 2.0.11 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) image, (3) url, or (4)...
The Flippy module 7.x-1.x before 7.x-1.2 for Drupal does not properly restrict access to nodes, which allows remote authenticated users with the permission to access content to read a link or alias to a...
Multiple cross-site scripting (XSS) vulnerabilities in ViewGit before 0.0.7 allow remote repository users to inject arbitrary web script or HTML via a (1) tag name to the Shortlog table in templates/shortlog.php or branch name...
The Login Security module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 for Drupal allows attackers to bypass intended restrictions via a crafted username. Date published : 2020-01-30 https://drupal.org/node/2023503 https://drupal.org/node/2023507
Gemalto Tokend 2013 has an Arbitrary File Creation/Overwrite Vulnerability. Date published : 2020-01-30 http://www.securityfocus.com/bid/58618 https://exchange.xforce.ibmcloud.com/vulnerabilities/82988
OpenSC OpenSC.tokend has an Arbitrary File Creation/Overwrite Vulnerability. Date published : 2020-01-30 http://www.securityfocus.com/bid/58620 https://exchange.xforce.ibmcloud.com/vulnerabilities/82987