Periscope BuySpeed version 14.5 is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to store arbitrary JavaScript within the application. This JavaScript is subsequently displayed by the application without sanitization...
D-Link DSL-GS225 J1 AU_1.0.4 devices allow an admin to execute OS commands by placing shell metacharacters after a supported CLI command, as demonstrated by ping -c1 127.0.0.1; cat/etc/passwd. The CLI is reachable by TELNET....
VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to...
Dell EMC Networking X-Series firmware versions 3.0.1.2 and older, Dell EMC Networking PC5500 firmware versions 4.1.0.22 and older and Dell EMC PowerEdge VRTX Switch Modules firmware versions 2.0.0.77 and older contain an information disclosure...
Tendermint before versions 0.33.3, 0.32.10, and 0.31.12 has a denial-of-service vulnerability. Tendermint does not limit the number of P2P connection requests. For each p2p connection, it allocates XXX bytes. Even though this memory is...
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. IBM X-Force ID: 178929. Date...
Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls. Date published : 2020-04-10 http://packetstormsecurity.com/files/157896/VMware-vCenter-Server-6.7-Authentication-Bypass.html https://www.vmware.com/security/advisories/VMSA-2020-0006
There is an insufficient integrity validation vulnerability in several products. The device does not sufficiently validate the integrity of certain file in certain loading processes, successful exploit could allow the attacker to load a...
There is an improper authentication vulnerability in several smartphones. Certain function interface in the system does not sufficiently validate the caller’s identity in certain share scenario, successful exploit could cause information disclosure. Affected product...
In JetBrains PyCharm 2019.2.5 and 2019.3 on Windows, Apple Notarization Service credentials were included. This is fixed in 2019.2.6 and 2019.3.3. Date published : 2020-04-10 JetBrains Security Bulletin Q1 2020 https://gist.github.com/rubyroobs/5d273895512df5b86d5e7e1a703c8028
An issue was discovered in the Linux kernel before 5.2 on the powerpc platform. arch/powerpc/kernel/idle_book3s.S does not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka CID-53a712bae5dd. Date published : 2020-04-10 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=53a712bae5dd919521a58d7bad773b949358add0 https://github.com/torvalds/linux/commit/53a712bae5dd919521a58d7bad773b949358add0
In Wireshark 3.2.0 to 3.2.2, 3.0.0 to 3.0.9, and 2.6.0 to 2.6.15, the BACapp dissector could crash. This was addressed in epan/dissectors/packet-bacapp.c by limiting the amount of recursion. Date published : 2020-04-10 https://security.gentoo.org/glsa/202007-13 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16474
dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code...
In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git. Date published : 2020-04-09 https://github.com/argoproj/argo-cd/blob/a1afe44066fcd0a0ab90a02a23177164bbad42cf/util/diff/diff.go#L399 https://github.com/argoproj/argo-cd/issues/470