RosarioSIS through 6.8-beta allows modules/Custom/NotifyParents.php XSS because of the href attributes for AddStudents.php and User.php. Date published : 2020-07-14 https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md https://gitlab.com/francoisjacquet/rosariosis/-/commit/c4a694860b50c4aa5c67d6568f7d0613fef1a30d
In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class did not enable python-requests certificate validation. Since the verify parameter was hard-coded in all request functions, it was not possible to override the setting. As a...
libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for...
In MISP before 2.4.129, setting a favourite homepage was not CSRF protected. Date published : 2020-07-14 https://github.com/MISP/MISP/commit/bf4610c947c7dc372c4078f363d2dff6ae0703a8 https://github.com/MISP/MISP/compare/v2.4.128…v2.4.129
In Envoy before versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0 when validating TLS certificates, Envoy would incorrectly allow a wildcard DNS Subject Alternative Name apply to multiple subdomains. For example, with a SAN of *.example.com,...
In freewvs before 0.1.1, a directory structure of more than 1000 nested directories can interrupt a freewvs scan due to Python’s recursion limit and os.walk(). This can be problematic in a case where an...
In freewvs before 0.1.1, a user could create a large file that freewvs will try to read, which will terminate a scan process. This has been patched in 0.1.1. Date published : 2020-07-14 https://github.com/schokokeksorg/freewvs/security/advisories/GHSA-9cfv-9463-8gqv...
OpenVPN Access Server older than version 2.8.4 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial token expiry timestamp. Date published : 2020-07-14 https://openvpn.net/vpn-server-resources/release-notes/
A remote code execution vulnerability exists in the ESLint extension for Visual Studio Code when it validates source code after opening a project, aka ‘Visual Studio Code ESLint Extention Remote Code Execution Vulnerability’. Date...
A denial of service vulnerability exists when the .NET implementation of Bond improperly parses input, aka ‘Bond Denial of Service Vulnerability’. Date published : 2020-07-14 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1469
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka ‘Windows GDI Information Disclosure Vulnerability’. Date published : 2020-07-14 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1468
An elevation of privilege vulnerability exists in Microsoft OneDrive that allows file deletion in arbitrary locations.To exploit the vulnerability, an attacker would first have to log on to the system, aka ‘Microsoft OneDrive Elevation...
An elevation of privilege vulnerability exists in the way that the SharedStream Library handles objects in memory, aka ‘Windows SharedStream Library Elevation of Privilege Vulnerability’. Date published : 2020-07-14 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1463
An information disclosure vulnerability exists when Skype for Business is accessed via Microsoft Edge (EdgeHTML-based), aka ‘Skype for Business via Microsoft Edge (EdgeHTML-based) Information Disclosure Vulnerability’. Date published : 2020-07-14 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1462