CVE-2016-6918
Lexmark Markvision Enterprise (MVE) before 2.4.1 allows remote attackers to execute arbitrary commands by uploading files. Date published : 2020-03-09 http://support.lexmark.com/index?page=content&id=TE828&locale=EN&userlocale=EN_US
Lexmark Markvision Enterprise before 2.3.0 misuses the Apache Commons Collections Library, leading to remote code execution because of Java deserialization. Date published : 2020-03-09 http://support.lexmark.com/index?page=content&id=TE747&locale=EN&userlocale=EN_US
In ZOHO Password Manager Pro (PMP) 8.3.0 (Build 8303) and 8.4.0 (Build 8400,8401,8402), underprivileged users can obtain sensitive information (entry password history) via a vulnerable hidden service. Date published : 2020-03-09 https://www.manageengine.com/products/passwordmanagerpro/issues-fixed.html http://jvn.jp/vu/JVNVU90405898/index.html
An issue was discovered in Halvotec RAQuest 10.23.10801.0. The login page is vulnerable to wildcard injection, allowing an attacker to enumerate the list of users sharing an identical password. Fixed in Release 10.24.11206.1. Date...
vega-util prior to 1.13.1 allows manipulation of object prototype. The ‘vega.mergeConfig’ method within vega-util could be tricked into adding or modifying properties of the Object.prototype. Date published : 2020-03-09 https://github.com/vega/vega/commit/8f33a0b5170d7de4f12fc248ec0901234342367b https://snyk.io/vuln/SNYK-JS-VEGAUTIL-559223
An issue was discovered in chat.php in LiveZilla Live Chat 8.0.1.3 (Helpdesk). A blind JavaScript injection lies in the name parameter. Triggering this can fetch the username and passwords of the helpdesk employees in...
There is an improper restriction of rendered UI layers or frames vulnerability in Micro Focus Service Manager Release Control versions 9.50 and 9.60. The vulnerability may result in the ability of malicious users to...
In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before 19.10.2, file metadata information is disclosed to group members in the Elasticsearch result list despite them not having access to that artefact anymore....
In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before 19.10.2, certain personal information is discoverable by inspecting network responses on the ‘Edit access’ screen when sharing portfolios. Date published : 2020-03-09 https://mahara.org/interaction/forum/topic.php?id=8590 https://bugs.launchpad.net/mahara/+bug/1863043
Avast AntiTrack before 1.5.1.172 and AVG Antitrack before 2.0.0.178 proxy traffic to HTTPS sites but do not validate certificates, and thus a man-in-the-middle can host a malicious website using a self-signed certificate. No special...
Dell Digital Delivery versions prior to 3.5.2015 contain an incorrect default permissions vulnerability. A locally authenticated low-privileged malicious user could exploit this vulnerability to run an arbitrary executable with administrative privileges on the affected...
BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have...
The IBM Spectrum Scale 4.2 and 5.0 file system component is affected by a denial of service security vulnerability. An attacker can force the Spectrum Scale mmfsd/mmsdrserv daemons to unexpectedly exit, impacting the functionality...
HCL Connections v5.5, v6.0, and v6.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure...