Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on. Date published : 2020-11-15 http://seclists.org/fulldisclosure/2020/Dec/54 https://hackerone.com/reports/743505
This affects the package doc-path before 2.1.2. Date published : 2020-11-15 https://github.com/mrodrig/doc-path/blob/stable/src/path.js%23L54 https://github.com/mrodrig/doc-path/commit/3e2bb168cf303bffcd7fae5f8d05e5300c1541c7
Uncontrolled resource consumption vulnerability in MELSEC iQ-R Series CPU Modules (R00/01/02CPU Firmware versions from ’05’ to ’19’ and R04/08/16/32/120(EN)CPU Firmware versions from ’35’ to ’51’) allows a remote attacker to cause an error in...
Deserialization of untrusted data vulnerability in XooNIps 3.49 and earlier allows remote attackers to execute arbitrary code via unspecified vectors. Date published : 2020-11-15 https://jvn.jp/en/vu/JVNVU92053563/index.html https://xoonips.osdn.jp/modules/news/index.php?page=article&storyid=13
Stored cross-site scripting vulnerability in XooNIps 3.49 and earlier allows remote authenticated attackers to inject arbitrary script via unspecified vectors. Date published : 2020-11-15 https://jvn.jp/en/vu/JVNVU92053563/index.html https://xoonips.osdn.jp/modules/news/index.php?page=article&storyid=13
Reflected cross-site scripting vulnerability in XooNIps 3.49 and earlier allows remote authenticated attackers to inject arbitrary script via unspecified vectors. Date published : 2020-11-15 https://jvn.jp/en/vu/JVNVU92053563/index.html https://xoonips.osdn.jp/modules/news/index.php?page=article&storyid=13
SQL injection vulnerability in the XooNIps 3.49 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. Date published : 2020-11-15 https://jvn.jp/en/vu/JVNVU92053563/index.html https://xoonips.osdn.jp/modules/news/index.php?page=article&storyid=13
The update functionality of the Discover Media infotainment system in Volkswagen Polo 2019 vehicles allows physically proximate attackers to execute arbitrary code because some unsigned parts of a metainfo file are parsed, which can...
The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters to disable the standard WordPress XSS protection mechanism for the Author and Contributor roles. Date published : 2020-11-15 Vulnerability Exposes Over...
The orbisius-child-theme-creator plugin before 1.5.2 for WordPress allows CSRF via orbisius_ctc_theme_editor_manage_file. Date published : 2020-11-15 Child Theme Creator by Orbisius High Severity Vulnerability Patched in Child Theme Creator by Orbisius
Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote code. Date published : 2020-11-15 http://packetstormsecurity.com/files/162783/Nagios-XI-Fusion-Privilege-Escalation-Cross-Site-Scripting-Code-Execution.html https://skylightcyber.com/2021/05/20/13-nagios-vulnerabilities-7-will-shock-you/
In InfiniteWP Admin Panel before 3.1.12.3, resetPasswordSendMail generates a weak password-reset code, which makes it easier for remote attackers to conduct admin Account Takeover attacks. Date published : 2020-11-15 https://www.whitehack.de/advisories/HWADV2020-001.txt
Prototype pollution vulnerability in ‘controlled-merge’ versions 1.0.0 through 1.2.0 allows attacker to cause a denial of service and may lead to remote code execution. Date published : 2020-11-15 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28268 https://github.com/hlfshell/controlled-merge/commit/5a4b2e9ffe5a0be7f8843d4ab038599d3ae5f9d4
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can...