CVE-2020-14966
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. It allows a malleability in ECDSA signatures by not checking overflows in the length of a sequence and ‘0’ characters appended or...
downloadFile.ashx in the Administrator section of the Surveillance module in Global RADAR BSA Radar 1.6.7234.24750 and earlier allows users to download transaction files. When downloading the files, a user is able to view local...
A privilege escalation vulnerability exists within Global RADAR BSA Radar 1.6.7234.24750 and earlier that allows an authenticated, low-privileged user to escalate their privileges to administrator rights (i.e., the BankAdmin role) via modified SaveUser data....
Global RADAR BSA Radar 1.6.7234.24750 and earlier lacks valid authorization controls in multiple functions. This can allow for manipulation and takeover of user accounts if successfully exploited. The following vulnerable functions are exposed: ChangePassword,...
The Firstname and Lastname parameters in Global RADAR BSA Radar 1.6.7234.24750 and earlier are vulnerable to stored cross-site scripting (XSS) via Update User Profile. Date published : 2020-06-22 https://www.exploit-db.com/exploits/48619 http://packetstormsecurity.com/files/158217/BSA-Radar-1.6.7234.24750-Cross-Site-Scripting.html
Zyxel Armor X1 WAP6806 1.00(ABAL.6)C0 devices allow Directory Traversal via the images/eaZy/ URI. Date published : 2020-06-22 http://packetstormsecurity.com/files/158428/Zyxel-Armor-X1-WAP6806-Directory-Traversal.html https://cxsecurity.com/issue/WLB-2020060088
In WebFOCUS Business Intelligence 8.0 (SP6), the administration portal allows remote attackers to read arbitrary local files or forge server-side HTTP requests via a crafted HTTP request to /ibi_apps/WFServlet.cfg because XML external entity injection...
WebFOCUS Business Intelligence 8.0 (SP6) allows a Cross-Site Request Forgery (CSRF) attack against administrative users within the /ibi_apps/WFServlet(.ibfs) endpoint. The impact may be creation of an administrative user. It can also be exploited in...
WebFOCUS Business Intelligence 8.0 (SP6) was prone to XSS via arbitrary URL parameters. Date published : 2020-06-22 https://www.hooperlabs.xyz/disclosures/webfocus.php
Viber for Windows up to 13.2.0.39 does not properly quote its custom URI handler. A malicious website could launch Viber with arbitrary parameters, forcing a victim to send an NTLM authentication request, and either...
Kordil EDMS through 2.2.60rc3 allows stored XSS in users_edit.php, users_management_edit.php, and user_management.php. Date published : 2020-06-22 http://hidden-one.co.in/2020/06/17/cve-2020-13888-kordil-edms-through-2-2-60rc3-allows-stored-xss/ https://sourceforge.net/projects/kordiledms/files/
documents_add.php in Kordil EDMS through 2.2.60rc3 allows Remote Command Execution because .php files can be uploaded to the documents folder. Date published : 2020-06-22 http://hidden-one.co.in/2020/06/17/cve-2020-13887-kordil-edms-through-2-2-60rc3-allows-remote-command-execution/ https://sourceforge.net/projects/kordiledms/files/
Verint Workforce Optimization (WFO) 15.2 allows HTML injection via the "send email" feature. Date published : 2020-06-22 CVE-2020-13480: Verint Workforce Optimization: HTML Injection https://tejaspingulkar.blogspot.com/2020/06/cve-2020-13480-verint-html-injection.html
Victor CMS 1.0 has Persistent XSS in admin/users.php?source=add_user via the user_name, user_firstname, or user_lastname parameter. Date published : 2020-06-22 https://github.com/VictorAlagwu/CMSsite/commits/master https://www.exploit-db.com/exploits/48511