CVE-2020-13299
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session. Date published :...
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Conan package upload functionality was not properly validating the supplied parameters, which resulted in limited file disclosure. Date published : 2020-09-14...
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. When 2 factor authentication was enabled for groups, a malicious user could bypass that restriction by sending a specific query to the...
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. In certain cases an invalid username could be accepted when 2FA is activated. Date published : 2020-09-14 https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13289.json https://gitlab.com/gitlab-org/gitlab/-/issues/20302
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Project reporters and above could see confidential EPIC attached to confidential issues. Date published : 2020-09-14 https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13287.json https://gitlab.com/gitlab-org/gitlab/-/issues/227820
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token Date published : 2020-09-14 https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13284.json https://gitlab.com/gitlab-org/gitlab/-/issues/221040
The Secure Monitor in Microchip Atmel ATSAMA5 products uses a hardcoded key to encrypt and authenticate secure applets. Date published : 2020-09-14 https://labs.f-secure.com/advisories/microchip-atsama5-soc-multiple-vulnerabilities/
CMAC verification functionality in Microchip Atmel ATSAMA5 products is vulnerable to timing and power analysis attacks. Date published : 2020-09-14 https://labs.f-secure.com/advisories/microchip-atsama5-soc-multiple-vulnerabilities/
Microchip Atmel ATSAMA5 products in Secure Mode allow an attacker to bypass existing security mechanisms related to applet handling. Date published : 2020-09-14 https://labs.f-secure.com/advisories/microchip-atsama5-soc-multiple-vulnerabilities/
An array index error in MikroTik RouterOS 6.41.3 through 6.46.5, and 7.x through 7.0 Beta5, allows an unauthenticated remote attacker to crash the SMB server via modified setup-request packets, aka SUP-12964. Date published :...
AT91bootstrap before 3.9.2 does not properly wipe encryption and authentication keys from memory before passing control to a less privileged software component. This can be exploited to disclose these keys and subsequently encrypt and...
A timing side channel was discovered in AT91bootstrap before 3.9.2. It can be exploited by attackers with physical access to forge CMAC values and subsequently boot arbitrary code on an affected system. Date published...
A CSRF issue in vtecrm vtenext 19 CE allows attackers to carry out unwanted actions on an administrator’s behalf, such as uploading files, adding users, and deleting accounts. Date published : 2020-09-14 https://sourceforge.net/projects/vtecrm/ https://vtenext.com/en/
A file upload vulnerability in vtecrm vtenext 19 CE allows authenticated users to upload files with a .pht extension, resulting in remote code execution. Date published : 2020-09-14 https://sourceforge.net/projects/vtecrm/ https://vtenext.com/en/