A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. A remote unauthenticated attacker is able to execute arbitrary HTML code via crafted url (different vector than CVE-2020-28415). Date published :...
Prototype pollution vulnerability in ‘deephas’ versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution. Date published : 2020-11-12 https://github.com/sharpred/deepHas/commit/2fe011713a6178c50f7deb6f039a8e5435981e20 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28271
Prototype pollution vulnerability in ‘object-hierarchy-access’ versions 0.2.0 through 0.32.0 allows attacker to cause a denial of service and may lead to remote code execution. Date published : 2020-11-12 https://github.com/mjpclab/object-hierarchy-access/commit/7b1aa134a8bc4a376296bcfac5c3463aef2b7572 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28270
Prototype pollution vulnerability in ‘field’ versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution. Date published : 2020-11-12 https://github.com/jprichardson/field/blob/2a3811dfc4cdd13833977477d2533534fc61ce06/lib/field.js#L39 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28269
The lettre library through 0.10.0-alpha for Rust allows arbitrary sendmail option injection via transport/sendmail/mod.rs. Date published : 2020-11-12 https://github.com/RustSec/advisory-db/pull/478/files https://github.com/lettre/lettre
An unauthenticated SQL Injection vulnerability in Good Layers LMS Plugin
An unrestricted file upload issue in FlexDotnetCMS before v1.5.9 allows an authenticated remote attacker to upload and execute arbitrary files by using the FileManager to upload malicious code (e.g., ASP code) in the form...
Incorrect Access Control in the FileEditor (/Admin/Views/FileEditor/) in FlexDotnetCMS before v1.5.11 allows an authenticated remote attacker to read and write to existing files outside the web root. The files can be accessed via directory...
A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one...
In Sentrifugo 3.2, admin can edit employee’s informations via this endpoint –> /sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, "employeeNumId" parameter is affected by SQLi vulnerability. Attacker can inject SQL commands into query, read data from...
In Sentrifugo 3.2, users can share an announcement under "Organization -> Announcements" tab. Also, in this page, users can upload attachments with the shared announcements. This "Upload Attachment" functionality is suffered from "Unrestricted File...
In Sentrifugo 3.2, users can upload an image under "Assets -> Add" tab. This "Upload Images" functionality is suffered from "Unrestricted File Upload" vulnerability so attacker can upload malicious files using this functionality and...
A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field Date published : 2020-11-12 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25706 https://github.com/Cacti/cacti/commit/39458efcd5286d50e6b7f905fedcdc1059354e6e
It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA. Date published...