Monthly Archive: April 2020

In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due...

Cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to 5.0.0 allows remote attackers to inject arbitrary web script or HTML via the applications ‘Messages’ and ‘Bulletin Board’. Date published : 2020-04-27 https://jvn.jp/en/jp/JVN35649781/index.html https://kb.cybozu.support/article/36302/

Improper authentication vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 allows remote attackers to obtain data in Application Menu. Date published : 2020-04-27 https://jvn.jp/en/jp/JVN35649781/index.html https://kb.cybozu.support/article/36114/

Improper authorization vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 allows remote authenticated attackers to alter the application’s data via the applications ‘E-mail’ and ‘Messages’. Date published : 2020-04-27 https://jvn.jp/en/jp/JVN35649781/index.html https://kb.cybozu.support/article/36113/

Improper input validation vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 allows a remote authenticated attacker to alter the application’s data via the applications ‘Workflow’ and ‘MultiReport’. Date published : 2020-04-27 https://jvn.jp/en/jp/JVN35649781/index.html https://kb.cybozu.support/article/36119/

Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 allows remote attackers to inject arbitrary web script or HTML via the application ‘E-mail’. Date published : 2020-04-27 https://jvn.jp/en/jp/JVN35649781/index.html https://kb.cybozu.support/article/36116/

Improper authentication vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 allows remote attackers to obtain data in the affected product via the API. Date published : 2020-04-27 https://jvn.jp/en/jp/JVN35649781/index.html https://kb.cybozu.support/article/36118/

Server-side request forgery (SSRF) vulnerability in Cybozu Garoon 4.6.0 to 4.6.3 allows a remote attacker with an administrative privilege to issue arbitrary HTTP requests to other web servers via V-CUBE Meeting function. Date published...

An issue was found in Apache IoTDB .9.0 to 0.9.1 and 0.8.0 to 0.8.2. When starting IoTDB, the JMX port 31999 is exposed with no certification.Then, clients could execute code remotely. Date published :...

Huawei smartphone Lion-AL00C with versions earlier than 10.0.0.205(C00E202R7P2) have a denial of service vulnerability. An attacker crafted specially file to the affected device. Due to insufficient input validation of the value when executing the...

Huawei PCManager product with versions earlier than 10.0.5.53 have a local privilege escalation vulnerability. An authenticated, local attacker can perform specific operation to exploit this vulnerability. Successful exploitation may cause the attacker to obtain...

HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.188(C00E74R3P8) have an improper authorization vulnerability. The software does not properly restrict certain user’s modification of certain configuration file, successful exploit could allow the attacker to...

Huawei Honor V10 smartphones with versions earlier than 10.0.0.156(C00E156R2P4) has three out of bounds vulnerabilities. Certain driver program does not sufficiently validate certain parameters received, that would lead to several bytes out of bound...

Huawei Honor V10 smartphones with versions earlier than 10.0.0.156(C00E156R2P4) has three out of bounds vulnerabilities. Certain driver program does not sufficiently validate certain parameters received, that would lead to several bytes out of bound...