CVE-2020-25013
JetBrains ToolBox before version 1.18 is vulnerable to a denial-of-service attack via a browser protocol handler. Date published: 2020-11-16. Reference: JetBrains Security Bulletin Q3 2020
Sensitive information could be disclosed in the JetBrains YouTrack application for Android before 2020.2.0 via application backups. Date published: 2020-11-16. Reference: JetBrains Security Bulletin Q3 2020
There was a local file disclosure vulnerability in AVideo < 8.9 via proxy streaming. An unauthenticated attacker can exploit this issue to read an arbitrary file on the server, which could leak database...
The import.json.php file in AVideo before 8.9 is vulnerable to arbitrary file deletion. This allows deletion of configuration.php, which leads to certain privilege checks not being in place, and therefore a user...
BinaryNights ForkLift 3.x before 3.4 has a local privilege escalation vulnerability because the privileged helper tool implements an XPC interface that allows file operations to any process (copy, move, delete) as root and changing...
It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was...
Ivanti Endpoint Manager through 2020.1.1 allows XSS via /LDMS/frm_splitfrm.aspx, /LDMS/licensecheck.aspx, /LDMS/frm_splitcollapse.aspx, /LDMS/alert_log.aspx, /LDMS/ServerList.aspx, /LDMS/frm_coremainfrm.aspx, /LDMS/frm_findfrm.aspx, /LDMS/frm_taskfrm.aspx, and /LDMS/query_browsecomp.aspx. Date published: 2020-11-16. References: https://forums.ivanti.com/s/ https://labs.jumpsec.com/cve-2020-13773-ivanti-uem-reflected-xss/
In /ldclient/ldprov.cgi in Ivanti Endpoint Manager through 2020.1.1, an attacker is able to disclose information about the server operating system, local pathnames, and environment variables with no authentication required. Date published: 2020-11-16. Reference: https://forums.ivanti.com/s/...
LDMS/alert_log.aspx in Ivanti Endpoint Manager through 2020.1 allows SQL injection via a /remotecontrolauth/api/device request. Date published: 2020-11-16. References: https://forums.ivanti.com/s/ https://labs.jumpsec.com/advisory-cve-2020-13769-ivanti-uem-sql-injection/
A vulnerability in the internal Kubernetes agent API in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: >=13.4, =13.3, =13.5,
A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 12.6. The container registry name check could cause an exponential number of backtracking steps for certain user-supplied values, resulting in high CPU usage....
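The following is an added illustration of the failure class described in the GitLab registry-name entry above; it is not GitLab's code and the regular expression is a hypothetical stand-in, not the affected check. A pattern with an ambiguous nested quantifier (an alphanumeric run followed by an optional separator, the whole group repeated) lets the engine try every way of splitting a long alphanumeric run before it can reject a string that fails at the last character, so matching time doubles with each extra character. The unambiguous rewrite accepts exactly the same strings but has one parse per input, and a length cap bounds the work before any matching happens.

```python
import re
import time

# Hypothetical registry-name pattern with a nested, ambiguous quantifier.
# NOT GitLab's actual regex; it only reproduces the backtracking behaviour.
# "aaaa" can be consumed as one, two, three or four iterations of the group
# because the separator after each alphanumeric run is optional.
VULNERABLE_NAME_RE = re.compile(r"([a-z0-9]+[._-]?)+")

# Unambiguous equivalent: each further alphanumeric run must be introduced by
# exactly one separator, so there is a single way to parse any input.
# Accepts the same language: starts with an alphanumeric run, no two
# consecutive separators, may end with a single separator.
SAFE_NAME_RE = re.compile(r"[a-z0-9]+(?:[._-][a-z0-9]+)*[._-]?")

MAX_NAME_LEN = 255  # assumed cap; bounds work even if the regex were linear


def is_valid_name_vulnerable(name: str) -> bool:
    """Validate with the ambiguous pattern (exponential on crafted input)."""
    return VULNERABLE_NAME_RE.fullmatch(name) is not None


def is_valid_name_safe(name: str, max_len: int = MAX_NAME_LEN) -> bool:
    """Validate with a length cap and the unambiguous pattern (linear)."""
    if len(name) > max_len:
        return False
    return SAFE_NAME_RE.fullmatch(name) is not None


def redos_payload(n: int) -> str:
    """Constructed input: n valid characters then one that fails at the end.

    The trailing '!' forces the engine to exhaust every split of the 'a' run
    before it can report a mismatch.
    """
    return "a" * n + "!"


def measure(fn, name: str) -> float:
    """Wall-clock seconds for one validation call."""
    start = time.perf_counter()
    fn(name)
    return time.perf_counter() - start


def backtracking_growth(fn, lengths) -> list:
    """Return [(n, seconds)] so the growth rate can be inspected."""
    return [(n, measure(fn, redos_payload(n))) for n in lengths]


if __name__ == "__main__":
    lengths = (12, 16, 20)  # kept small: the vulnerable check doubles per step
    print("vulnerable pattern:")
    for n, secs in backtracking_growth(is_valid_name_vulnerable, lengths):
        print(f"  n={n:2d}  {secs:.4f}s")
    print("safe pattern + length cap:")
    for n, secs in backtracking_growth(is_valid_name_safe, lengths):
        print(f"  n={n:2d}  {secs:.6f}s")
    # Both checks agree on ordinary names; only their cost differs.
    for sample in ("my-project.v2", "a--b", "a-", "-a", ""):
        assert is_valid_name_vulnerable(sample) == is_valid_name_safe(sample)
```

Run it and the vulnerable timings roughly double for every additional character while the safe ones stay flat; at n around 28 to 30 the vulnerable check takes minutes, which is the high-CPU condition the advisory describes. The rewrite is the general fix for this class: remove the ambiguity so each input has one parse, and reject over-long input before the regex runs.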
When importing repos via URL, one time use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above. Affected versions are: >=1.79.0, =13.4, =13.5,
Private group info is leaked in GitLab CE/EE version 10.2 and above when a project is moved from a private to a public group. Affected versions are: >=10.2, =13.4, =13.5,
Cross-site scripting vulnerability in the Micro Focus ArcSight Logger product, affecting all versions prior to 7.1.1. The vulnerability could be remotely exploited, resulting in cross-site scripting (XSS). Date published: 2020-11-16. Reference: https://community.microfocus.com/t5/Logger/Logger-Release-Notes-7-1-1/ta-p/2837600