fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Directory Traversal during extraction because it lacks a check of whether a file’s parent is a symlink to a directory outside of the intended extraction location. Date...
An issue was discovered in the Responsive Poll through 1.3.4 for WordPress. It allows an unauthenticated user to manipulate polls, e.g., delete, clone, or view a hidden poll. This is due to the usage...
Fuji Electric V-Server Lite, all versions prior to 4.0.9.0, contains a heap-based buffer overflow. The buffer allocated to read data when parsing VPR files is too small. Date published : 2020-04-13 https://www.us-cert.gov/ics/advisories/icsa-20-098-04
In Rockwell Automation RSLinx Classic versions 4.11.00 and prior, an authenticated local attacker could modify a registry key, which could lead to the execution of malicious code using system privileges when opening RSLinx Classic....
The Media Library Assistant plugin before 2.82 for WordPress suffers from a Local File Inclusion vulnerability in mla_gallery link=download. Date published : 2020-04-12 Media Library Assistant
The Media Library Assistant plugin before 2.82 for WordPress suffers from multiple XSS vulnerabilities in all Settings/Media Library Assistant tabs, which allow remote authenticated users to execute arbitrary JavaScript. Date published : 2020-04-12 Media...
** DISPUTED ** snd_ctl_elem_add in sound/core/control.c in the Linux kernel through 5.6.3 has a count=info->owner line, which later affects a private_size*count multiplication for unspecified "interesting side effects." NOTE: kernel engineers dispute this finding, because...
load_png in loader.c in libsixel.a in libsixel 1.8.6 has an uninitialized pointer leading to an invalid call to free, which can cause a denial of service. Date published : 2020-04-12 https://github.com/saitoha/libsixel/issues/134