CVE-2020-25047
An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (released in China and India) software. The S Secure application does not enforce the intended password requirement for a locked application. The...
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. The USB driver leaks address information via kernel logging. The Samsung IDs are SVE-2020-17602, SVE-2020-17603, SVE-2020-17604 (August 2020). Date published...
The Blubrry subscribe-sidebar (aka Subscribe Sidebar) plugin 1.3.1 for WordPress allows subscribe_sidebar.php&status= reflected XSS. Date published : 2020-08-31 https://wordpress.org/plugins/subscribe-sidebar/#developers https://zeroaptitude.com/pitticus/subscribe-sidebar-plugin-by-blubrry-v1-3-1-reflected-xss-20-jun-2020/
An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before...
The Chamber Dashboard Business Directory plugin 3.2.8 for WordPress allows XSS. Date published : 2020-08-31 https://l0l.xyz/sec/2020/08/31/1-wordpress-crm-xss.html https://wordpress.org/plugins/chamber-dashboard-business-directory/#developers
TP-Link TL-WA855RE V5 20200415-rel37464 devices allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain incorrect access control by...
Zyxel VMG5313-B30B routers on firmware 5.13(ABCJ.6)b3_1127, and possibly older firmware versions, are affected by shell injection. Date published : 2020-08-31 https://blog.somegeneric.ninja/Zyxel_VMG5153_B30B https://www.zyxel.com/support/security_advisories.shtml
In projectworlds Online Book Store 1.0, use of hard-coded credentials in source code leads to admin panel access. Date published : 2020-08-31 https://medium.com/@th3cyb3rc0p/cve-2020-24115-use-of-hardcoded-credentials-in-source-code-leads-to-admin-panel-access-77e5028ec9af https://systemweakness.com/cve-2020-24115-use-of-hardcoded-credentials-in-source-code-leads-to-admin-panel-access-77e5028ec9af
Platform mechanism AutoIP allows remote attackers to reboot the device via a crafted packet in SICK AG solutions Bulkscan LMS111, Bulkscan LMS511, CLV62x – CLV65x, ICR890-3, LMS10x, LMS11x, LMS15x, LMS12x, LMS13x, LMS14x, LMS5xx, LMS53x,...
controller/controller-comments.php in WP GDPR plugin through 2.1.1 has unauthenticated stored XSS. Date published : 2020-08-31 Unauthenticated stored XSS and content spoofing vulnerabilities in WordPress WP GDPR plugin (unpatched).
The includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin through 2.5.9 for WordPress allows unauthenticated settings change. Date published : 2020-08-31 Multiple vulnerabilities fixed in WordPress GiveWP plugin.
lara-google-analytics.php in Lara Google Analytics plugin through 2.0.4 for WordPress allows authenticated stored XSS. Date published : 2020-08-31 Zero-day vulnerability exploited in WordPress Lara Google Analytics plugin.
Sliced Invoices plugin for WordPress 3.8.2 and earlier allows unauthenticated information disclosure and authenticated SQL injection via core/class-sliced.php. Date published : 2020-08-31 Multiple vulnerabilities in Sliced Invoices plugin.
Dashboards and progressiveProfileForms in ForgeRock Identity Manager before 7.0.0 are vulnerable to stored XSS. The vulnerability affects versions 6.5.0.4, 6.0.0.6. Date published : 2020-08-31 https://gist.github.com/gajendkmr/261f45e06c41656131a651c920c7f406 https://www.nccgroup.com/us/our-research/?research=Technical+advisories