Zoom Client for Meetings through 4.6.8 on macOS has the disable-library-validation entitlement, which allows a local process (with the user’s privileges) to obtain unprompted microphone and camera access by loading a crafted library and...
Zoom Client for Meetings through 4.6.8 on macOS copies runwithroot to a user-writable temporary directory during installation, which allows a local process (with the user’s privileges) to obtain root access by replacing runwithroot. Date...
An issue was discovered in Deskpro before 2019.8.0. This product enables administrators to modify the helpdesk interface by editing /portal/api/style/edit-theme-set/template-sources theme templates, and uses TWIG as its template engine. While direct access to self...
An issue was discovered in Deskpro before 2019.8.0. The /api/tickets endpoint failed to properly validate a user’s privilege, allowing an attacker to retrieve arbitrary information about all helpdesk tickets stored in database with numerous...
An issue was discovered in Deskpro before 2019.8.0. The /api/apps/* endpoints failed to properly validate a user’s privilege, allowing an attacker to control/install helpdesk applications and leak current applications’ configurations, including applications used as...
An issue was discovered in Deskpro before 2019.8.0. The /api/people endpoint failed to properly validate a user’s privilege, allowing an attacker to retrieve sensitive information about all users registered on the system. This includes...
An issue was discovered in Deskpro before 2019.8.0. The /api/email_accounts endpoint failed to properly validate a user’s privilege, allowing an attacker to retrieve cleartext credentials of all helpdesk email accounts, including incoming and outgoing...
pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI via the descr parameter (aka full name) of a user. Date published : 2020-04-01 https://www.exploit-db.com/exploits/48300 http://packetstormsecurity.com/files/157104/pfSense-2.4.4-P3-User-Manager-Cross-Site-Scripting.html
LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups). Date published : 2020-04-01 http://packetstormsecurity.com/files/157114/LimeSurvey-4.1.11-Cross-Site-Scripting.html https://github.com/LimeSurvey/LimeSurvey/commit/04b118acce2a74306f365ef329cbe00efc399b26
LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php. Date published : 2020-04-01 http://packetstormsecurity.com/files/157112/LimeSurvey-4.1.11-Path-Traversal.html https://github.com/LimeSurvey/LimeSurvey/commit/daf50ebb16574badfb7ae0b8526ddc5871378f1b
An issue was discovered on Technicolor TC7337 8.89.17 devices. An attacker can discover admin credentials in the backup file, aka backupsettings.conf. Date published : 2020-04-01 https://github.com/RioIsDown/TC7337
Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) 2.0.2 is vulnerable to Remote Command Execution via eval injection, a different issue than CVE-2002-0934. An unauthenticated, remote attacker can exploit this via a series...
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to launch the Repair App RPC call from a Low...
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to bypass intended access restrictions on tasks from an untrusted...