CVE-2020-15563
An issue was discovered in Xen through 4.13.x, allowing x86 HVM guest OS users to cause a hypervisor crash. An inverted conditional in x86 HVM guests’ dirty video RAM tracking code allows such guests...
GitLab EE 11.3 through 13.1.2 has Incorrect Access Control because of the Maven package upload endpoint. Date published : 2020-07-07 https://about.gitlab.com/releases/2020/07/06/critical-security-release-gitlab-13-1-3-released/ https://about.gitlab.com/releases/categories/releases/
The ke_search (aka Faceted Search) extension through 2.8.2, and 3.x through 3.1.3, for TYPO3 allows XSS. Date published : 2020-07-07 https://typo3.org/security/advisory/typo3-ext-sa-2020-009 https://typo3.org/help/security-advisories
The mm_forum extension through 1.9.5 for TYPO3 allows XSS that can be exploited via CSRF. Date published : 2020-07-07 https://typo3.org/security/advisory/typo3-ext-sa-2020-013 https://typo3.org/help/security-advisories
The turn extension through 0.3.2 for TYPO3 allows Remote Code Execution. Date published : 2020-07-07 https://typo3.org/security/advisory/typo3-ext-sa-2020-011 https://typo3.org/help/security-advisories
The jh_captcha extension through 2.1.3, and 3.x through 3.0.2, for TYPO3 allows XSS. Date published : 2020-07-07 https://typo3.org/security/advisory/typo3-ext-sa-2020-012 https://typo3.org/help/security-advisories
The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access Control. Date published : 2020-07-07 https://typo3.org/security/advisory/typo3-ext-sa-2020-010 https://typo3.org/help/security-advisories
Nordic Semiconductor Android BLE Library through 2.2.1 and DFU Library through 1.10.4 for Android (as used by nRF Connect and other applications) can engage in unencrypted communication while showing the user that the communication...
A user enumeration flaw was found in Venki Supravizio BPM 10.1.2. This issue occurs during password recovery, where a difference in error messages could allow an attacker to determine if a username is...
Venki Supravizio BPM 10.1.2 does not limit the number of authentication attempts. An unauthenticated user may exploit this vulnerability to launch a brute-force authentication attack against the Login page. Date published : 2020-07-07 https://github.com/inflixim4be/CVE-2020-15367...
RIOT 2020.04 has a buffer overflow in the base64 decoder. The decoding function base64_decode() uses an output buffer estimation function to compute the required buffer capacity and validate against the provided buffer size. The...
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to...
NeDi 1.9C is vulnerable to a cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Reports-Devices.php page st[] parameter. Date published : 2020-07-07 https://gist.github.com/sudoninja-noob/c1722c118abc7a562a9a0de726266a19 https://www.nedi.ch/download/
NeDi 1.9C is vulnerable to a cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Linked.php dv parameter. Date published : 2020-07-07 https://gist.github.com/sudoninja-noob/c1722c118abc7a562a9a0de726266a19 https://www.nedi.ch/download/