common.php in the Gravity Forms plugin before 2.4.9 for WordPress can leak hashed passwords because user_pass is not considered a special case for a $current_user->get($property) call. Date published : 2020-06-02 Gravity Forms Changelog https://github.com/wp-premium/gravityforms/compare/2.4.8…2.4.9
In Joomla! before 3.9.19, the default settings of the global textfilter configuration do not block HTML inputs for Guest users. Date published : 2020-06-02 https://developer.joomla.org/security-centre/814-20200602-core-inconsistent-default-textfilter-settings
In Joomla! before 3.9.19, incorrect input validation of the module tag option in com_modules allows XSS. Date published : 2020-06-02 https://developer.joomla.org/security-centre/815-20200603-core-xss-in-com-modules-tag-options
In Joomla! before 3.9.19, lack of input validation in the heading tag option of the "Articles – Newsflash" and "Articles – Categories" modules allows XSS. Date published : 2020-06-02 https://developer.joomla.org/security-centre/813-20200601-core-xss-in-modules-heading-tag-option
In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF. Date published : 2020-06-02 https://developer.joomla.org/security-centre/817-20200605-core-csrf-in-com-postinstall
rust-vmm vm-memory before 0.1.1 and 0.2.x before 0.2.1 allows attackers to cause a denial of service (loss of IP networking) because read_obj and write_obj do not properly access memory. This affects aarch64 (with musl...
hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. Date published : 2020-06-02 http://www.openwall.com/lists/oss-security/2020/06/01/6 https://security.netapp.com/advisory/ntap-20200608-0007/
address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer. Date published : 2020-06-02 http://www.openwall.com/lists/oss-security/2020/06/01/3 https://security.netapp.com/advisory/ntap-20200608-0007/
An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause...
An issue was discovered in Sysax Multi Server 6.90. A session can be hijacked if one observes the sid value in any /scgi URI, because it is an authentication token. Date published : 2020-06-02...
An issue was discovered in Sysax Multi Server 6.90. There is reflected XSS via the /scgi sid parameter. Date published : 2020-06-02 http://packetstormsecurity.com/files/158062/Sysax-MultiServer-6.90-Cross-Site-Scripting.html https://github.com/wrongsid3
An issue was discovered in Sysax Multi Server 6.90. An attacker can determine the username (under which the web server is running) by triggering an invalid path permission error. This bypasses the fakepath protection...
An issue was discovered in fastecdsa before 2.1.2. When using the NIST P-256 curve in the ECDSA implementation, the point at infinity is mishandled. This means that for an extreme value in k and...
GE Grid Solutions Reason RT Clocks, RT430, RT431, and RT434, all firmware versions prior to 08A05. The device’s vulnerability in the web application could allow multiple unauthenticated attacks that could cause serious impact. The...