CVE-2020-15923
Mida eFramework through 2.9.0 allows unauthenticated ../ directory traversal. Date published : 2020-07-23 https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
There is an OS Command Injection in Mida eFramework 2.9.0 that allows an attacker to achieve Remote Code Execution (RCE) with administrative (root) privileges. Authentication is required. Date published : 2020-07-23 http://packetstormsecurity.com/files/159314/Mida-eFramework-2.8.9-Remote-Code-Execution.html https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
Mida eFramework through 2.9.0 has a back door that permits a change of the administrative password and access to restricted functionalities, such as Code Execution. Date published : 2020-07-23 http://packetstormsecurity.com/files/159239/Mida-eFramework-2.9.0-Backdoor-Access.html https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
There is an OS Command Injection in Mida eFramework through 2.9.0 that allows an attacker to achieve Remote Code Execution (RCE) with administrative (root) privileges. No authentication is required. Date published : 2020-07-23 http://packetstormsecurity.com/files/158991/Mida-eFramework-2.9.0-Remote-Code-Execution.html...
A Reflected Cross Site Scripting (XSS) vulnerability was discovered in Mida eFramework through 2.9.0. Date published : 2020-07-23 https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
Multiple Stored Cross Site Scripting (XSS) vulnerabilities were discovered in Mida eFramework through 2.9.0. Date published : 2020-07-23 https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
common/session.c in Claws Mail before 3.17.6 has a protocol violation because suffix data after STARTTLS is mishandled. Date published : 2020-07-23 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7UX65342HRVDQML4G4GEVEUB764EUM5/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6YVQB7NRBHO67Q74RS7RZCMW4ENRVBB4/
goform/AdvSetLanip endpoint on Tenda AC15 AC1900 15.03.05.19 devices allows remote attackers to execute arbitrary system commands via shell metacharacters in the lanIp POST parameter. Date published : 2020-07-23 https://blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68
** DISPUTED ** Tesla Model 3 vehicles allow attackers to open a door by leveraging access to a legitimate key card, and then using NFC Relay. NOTE: the vendor has developed Pin2Drive to mitigate...
A SQL injection vulnerability in softwareupdate_controller.php in the Software Update module before 1.6 for MunkiReport allows attackers to execute arbitrary SQL commands via the last URL parameter of the /module/softwareupdate/get_tab_data/ endpoint. Date published :...
A SQL injection vulnerability in reportdata_controller.php in the reportdata module before 3.5 for MunkiReport allows attackers to execute arbitrary SQL commands via the req parameter of the /module/reportdata/ip endpoint. Date published : 2020-07-23 https://github.com/munkireport/munkireport-php/releases...
A Cross-Site Scripting (XSS) vulnerability in the comment module before 4.0 for MunkiReport allows remote attackers to inject arbitrary web script or HTML by posting a new comment. Date published : 2020-07-23 https://github.com/munkireport/comment/releases https://github.com/munkireport/munkireport-php
A SQL injection vulnerability in TableQuery.php in MunkiReport before 5.6.3 allows attackers to execute arbitrary SQL commands via the order[0][dir] field on POST requests to /datatables/data. Date published : 2020-07-23 https://github.com/munkireport/munkireport-php/releases https://github.com/munkireport/munkireport-php/releases/tag/v5.6.3
A Cross-Site Scripting (XSS) vulnerability in the managedinstalls module before 2.6 for MunkiReport allows remote attackers to inject arbitrary web script or HTML via the last two URL parameters (through which installed packages names...