Monthly Archive: February 2020

The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file...

eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions. Date published : 2020-02-03 https://www.kb.cert.org/vuls/id/782301 https://kb.netgear.com/000061806/Security-Advisory-for-Unauthenticated-Remote-Buffer-Overflow-Attack-in-PPPD-on-WAC510-PSV-2020-0136

eG Manager 7.1.2 allows SQL Injection via the user parameter to com.eg.LoginHelperServlet (aka the Forgot Password feature). Date published : 2020-02-03 https://pyaefromucsp.blogspot.com/2020/02/eg-manager-v712-sql-injection-lead-to_56.html

eG Manager 7.1.2 allows authentication bypass via a com.egurkha.EgLoginServlet?uname=admin&upass=&accessKey=eGm0n1t0r request. Date published : 2020-02-03 https://pyaefromucsp.blogspot.com/2020/02/eg-manager-v712improper-access-control_3.html

Stored XSS in the Strong Testimonials plugin before 2.40.1 for WordPress can result in an attacker performing malicious actions such as stealing session tokens. Date published : 2020-02-03 http://packetstormsecurity.com/files/156369/WordPress-Strong-Testimonials-2.40.1-Cross-Site-Scripting.html https://github.com/MachoThemes/strong-testimonials/blob/master/changelog.txt

massCode 1.0.0-alpha.6 allows XSS via crafted Markdown text, with resultant remote code execution (because nodeIntegration in webPreferences is true). Date published : 2020-02-03 https://github.com/antonreshetov/massCode/issues/43 https://github.com/antonreshetov/massCode/issues/44

phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters. Date published :...

Global.py in AIL framework 2.8 allows path traversal. Date published : 2020-02-03 https://github.com/CIRCL/AIL-framework/commit/e808840f957c810b8e3944cba808716dc722581b

An issue was discovered in phpABook 0.9 Intermediate. On the login page, if one sets a userInfo cookie with the value of admin+1+en (user+perms+lang), one can login as any user without a password. Date...

Prototype 1.6.0.1 allows remote authenticated users to forge ticket creation (on behalf of other user accounts) via a modified email ID field. Date published : 2020-02-03 https://github.com/prototypejs/prototype/blob/master/CHANGELOG https://medium.com/@vbharad/improper-access-control-vulnerability-in-prototype-1-6-0-1-framework-379cc3a05079

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a...

Waitress version 1.4.2 allows a DOS attack When waitress receives a header that contains invalid characters. When a header like "Bad-header: xxxxxxxxxxxxxxxx10" is received, it will cause the regular expression engine to catastrophically backtrack...

There is a potentially exploitable out of memory condition In Nanopb before 0.4.1, 0.3.9.5, and 0.2.9.4. When nanopb is compiled with PB_ENABLE_MALLOC, the message to be decoded contains a repeated string, bytes or message...

The J-BusinessDirectory extension before 5.2.9 for Joomla! allows Reverse Tabnabbing. In some configurations, the link to the business website can be entered by any user. If it doesn’t contain rel="noopener" (or similar attributes such...