An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318)_CN, AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multi_TD01, and AC18 V15.03.05.19(6318_)_CN devices. There is a buffer overflow vulnerability in the router’s web server —...
An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. When loading a configuration with FromString or FromStream with YAML, one can execute arbitrary Python code, resulting in...
Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048. Date...
By encoding Unicode whitespace characters within the From email header, an attacker can spoof the sender email address that Thunderbird displays. This vulnerability affects Thunderbird < 68.8.0. Date published : 2020-05-22 https://bugzilla.mozilla.org/show_bug.cgi?id=1617370 https://security.gentoo.org/glsa/202005-03
In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections...
In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4. Date published :...
A NULL pointer dereference flaw was found in the Linux kernel’s SELinux subsystem in versions before 5.7. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol’s category bitmap into the SELinux...
Digi XBee 2 devices do not have an effective protection mechanism against remote AT commands, because of issues related to the network stack upon which the ZigBee protocol is built. Date published : 2020-05-21...
Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set. Date published : 2020-05-21 https://github.com/oblac/jodd/commit/9bffc3913aeb8472c11bb543243004b4b4376f16 https://github.com/oblac/jodd/compare/v5.0.3…v5.0.4
Gila CMS before 1.11.6 allows CSRF with resultant XSS via the admin/themes URI, leading to compromise of the admin account. Date published : 2020-05-21 http://seclists.org/fulldisclosure/2020/Jun/29 http://packetstormsecurity.com/files/158201/GilaCMS-1.11.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
Gila CMS before 1.11.6 has reflected XSS via the admin/content/postcategory id parameter, which is mishandled for g_preview_theme. Date published : 2020-05-21 http://seclists.org/fulldisclosure/2020/Jun/29 http://packetstormsecurity.com/files/158201/GilaCMS-1.11.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
There is an information leakage vulnerability in some Huawei products. An unauthenticated, adjacent attacker could exploit this vulnerability to decrypt data. Successful exploitation may leak information randomly. Affected product versions include: Anne-AL00 Versions earlier...
During installation or upgrade to Software House C•CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a...
Element OS prior to version 12.0 and Element HealthTools prior to version 2020.04.01.04 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information. Date published : 2020-05-21 https://security.netapp.com/advisory/ntap-20200520-0001/