CVE-2020-12119
Ledger Live before 2.7.0 does not handle Bitcoin’s Replace-By-Fee (RBF). It increases the user’s balance with the value of an unconfirmed transaction as soon as it is received (before the transaction is confirmed) and...
In PrestaShop from version 1.5.3.0 and before version 1.7.6.6, there is a stored XSS when using the name of a quick access item. The problem is fixed in 1.7.6.6. Date published : 2020-07-02 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-v4pg-q2cv-f7x4...
"A vulnerability in the TLS protocol implementation of the Domino server could allow an unauthenticated, remote attacker to access sensitive information, aka a Return of Bleichenbacher’s Oracle Threat (ROBOT) attack. An attacker could iteratively...
"HCL iNotes is susceptible to a Cross-Site Scripting (XSS) Vulnerability. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials." Date published : 2020-07-01 https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0080512
IBM Security Identity Manager Virtual Appliance 7.0.2 writes information to log files which can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. IBM X-Force ID:...
IBM Security Identity Manager Virtual Appliance 7.0.2 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 172015. Date published : 2020-07-01 https://www.ibm.com/support/pages/node/6242348...
IBM Security Identity Manager Virtual Appliance 7.0.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to...
IBM Security Identity Manager Virtual Appliance 7.0.2 stores user credentials in clear text, which can be read by a local user. IBM X-Force ID: 171512. Date published : 2020-07-01 https://www.ibm.com/support/pages/node/6242348 https://exchange.xforce.ibmcloud.com/vulnerabilities/171512
NOTE: This candidate is a duplicate of CVE-2019-15011. All CVE users should reference CVE-2019-15011 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Date published...
An issue was discovered on Zolo Halo devices via the Linkplay firmware. There is a Zolo Halo DNS rebinding attack. The device was found to be vulnerable to DNS rebinding. Combined with one of...
An issue was discovered on Zolo Halo devices via the Linkplay firmware. There is Zolo Halo LAN remote code execution. The Zolo Halo Bluetooth speaker had a GoAhead web server listening on the port...
An issue was discovered on various devices via the Linkplay firmware. There is WAN remote code execution without user interaction. An attacker could retrieve the AWS key from the firmware and obtain full control...
Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may exhaust file descriptors and/or memory when accepting too many connections. Date published : 2020-07-01 https://github.com/envoyproxy/envoy/security/advisories/GHSA-v8q7-fq78-4997 https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history
Data is truncated incorrectly when its length is greater than 255 bytes. Date published : 2020-07-01 https://github.com/kelektiv/node.bcrypt.js/issues/776 https://github.com/kelektiv/node.bcrypt.js/pull/806