CVE-2020-25380
WordPress Plugin Store / Mike Rooijackers Recall Products V0.8 is affected by: Cross Site Scripting (XSS) via the ‘Recall Settings’ field in admin.php. An attacker can inject JavaScript code that will be stored and...
WordPress Plugin Store / Mike Rooijackers Recall Products V0.8 fails to sanitize input from the ‘Manufacturer[]’ parameter, which allows an authenticated attacker to inject a malicious SQL query. Date published: 2020-09-14 https://zeroaptitude.com/misha/wordpress-plugin-bug-hunting-part-2/
WordPress Plugin Store / AccessPress Themes WP Floating Menu V1.3.0 is affected by: Cross Site Scripting (XSS) via the id GET parameter. Date published: 2020-09-14 https://zeroaptitude.com/misha/wordpress-plugin-bug-hunting-part-2/
WordPress Plugin Store / SoftradeWeb SNC WP SMART CRM V1.8.7 is affected by: Cross Site Scripting via the Business Name field, Tax Code field, First Name field, Address field, Town field, Phone field, Mobile...
An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2...
Logic error in BIOS firmware for 8th, 9th and 10th Generation Intel(R) Core(TM) Processors may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access....
MediaKind (formerly Ericsson) RX8200 5.13.3 devices are vulnerable to multiple reflected and stored XSS. An attacker has to inject JavaScript code directly in the "path" or "Services+ID" parameters and send the URL to a...
Codoforum 4.8.3 allows HTML Injection in the admin dashboard ‘Manage users’ section. Date published: 2020-09-14 https://codoforum.com/ https://vyshnavvizz.blogspot.com/2020/01/html-injection-in-codoforum-v483.html
Sagemcom F@ST3686 v1.0 HUN 3.97.0 has XSS via RgDiagnostics.asp, RgDdns.asp, RgFirewallEL.asp, RgVpnL2tpPptp.asp. Date published: 2020-09-14 http://sagemcom.com http://sagemcomfst3686v10hun3970.com
Rukovoditel Project Management app 2.6 is affected by: Cross Site Scripting (XSS). An attacker can add JavaScript code to the filename. Date published: 2020-09-14 http://rukovoditel.com https://github.com/Gr3gPr1est/BugReport/blob/master/CVE-2020-21732
Gazie 7.29 is affected by: Cross Site Scripting (XSS) via http://192.168.100.7/gazie/modules/config/admin_utente.php?user_name=amministratore&Update. An attacker can inject JavaScript code, and the web application stores the injected code. Date published: 2020-09-14 http://gazie.com http://gazie.devincentiis.it/
A vulnerability in the Private Internet Access (PIA) VPN Client for Linux 1.5 through 2.3+ allows remote attackers to bypass an intended VPN kill switch mechanism and read sensitive information via intercepting network traffic....
A vulnerability was discovered in GitLab versions before 13.0.12, 13.1.10, 13.2.8 and 13.3.4. GitLab's EKS integration was vulnerable to a cross-account assume role attack. Date published: 2020-09-14 https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13318.json https://gitlab.com/gitlab-org/gitlab/-/issues/228915
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8, and 13.3.4. An insufficient check in the GraphQL API allowed a maintainer to delete a repository. Date published: 2020-09-14 https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13317.json https://gitlab.com/gitlab-org/gitlab/-/issues/215703