CVE-2020-24379
WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection. Date published : 2020-09-09 https://www.debian.org/security/2020/dsa-4773 https://github.com/erlyaws/yaws/commits/master
Arbitrary File Upload in the Vehicle Image Upload component in Project Worlds Car Rental Management System v1.0 allows attackers to conduct remote code execution. Date published : 2020-09-09 https://github.com/hyd3sec/CarRentalManagement-Unauth-RCE-WebApp https://github.com/hyd3sec/CarRentalManagement-Unauth-RCE-WebApp/blob/master/CarRental-Unauth-RCE.py
A persistent cross-site scripting vulnerability in Sourcecodester Stock Management System v1.0 allows remote attackers to inject arbitrary web script or HTML via the ‘Brand Name.’ Date published : 2020-09-09 https://cxsecurity.com/issue/WLB-2020090024 https://www.sourcecodester.com/php/14366/stock-management-system-php.html
A SQL injection vulnerability in the login component in Stock Management System v1.0 allows a remote attacker to execute arbitrary SQL commands via the username parameter. Date published : 2020-09-09 https://cxsecurity.com/issue/WLB-2020090028 https://www.sourcecodester.com/php/14366/stock-management-system-php.html
An Arbitrary File Upload in the Upload Image component in Sourcecodester Online Bike Rental v1.0 allows an authenticated administrator to conduct remote code execution. Date published : 2020-09-09 https://packetstormsecurity.com/files/158704/Online-Bike-Rental-1.0-Shell-Upload.html https://www.sourcecodester.com/php/14374/online-bike-rental-phpmysql.html
A Cross-site scripting (XSS) vulnerability in ‘user-profile.php’ in SourceCodester Daily Tracker System v1.0 allows remote attackers to inject arbitrary web script or HTML via the ‘fullname’ parameter. Date published : 2020-09-09 http://sourcecodetester.com https://cxsecurity.com/issue/WLB-2020090030
The decode program in silk-v3-decoder Version:20160922 Build By kn007 does not strictly check data, resulting in a buffer overflow. Date published : 2020-09-09 https://github.com/kn007/silk-v3-decoder/commit/d216599502662db01c07cc0dfd95ff1f1eaaea02 https://github.com/kn007/silk-v3-decoder/issues/62
An information exposure through log file vulnerability where an administrator’s password or other sensitive information may be logged in cleartext while using the CLI in Palo Alto Networks PAN-OS software. The opcmdhistory.log file was...
An information exposure through log file vulnerability where sensitive fields are recorded in the configuration log without masking on Palo Alto Networks PAN-OS software when the after-change-detail custom syslog field is enabled for configuration...
A buffer overflow vulnerability in the PAN-OS management web interface allows authenticated administrators to disrupt system processes and potentially execute arbitrary code with root privileges. This issue impacts only PAN-OS 10.0 versions earlier than...
An insecure configuration of the appweb daemon of Palo Alto Networks PAN-OS 8.1 allows a remote unauthenticated user to send a specifically crafted request to the device that causes the appweb service to crash....
A buffer overflow vulnerability in PAN-OS allows an unauthenticated attacker to disrupt system processes and potentially execute arbitrary code with root privileges by sending a malicious request to the Captive Portal or Multi-Factor Authentication...
An uncontrolled resource consumption vulnerability in Palo Alto Networks PAN-OS allows for a remote unauthenticated user to upload temporary files through the management web interface that are not properly deleted after the request is...
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts: PAN-OS 9.0 versions earlier than 9.0.10; PAN-OS 9.1 versions...