CVE-2020-24719
Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. Communication between Erlang nodes is done by exchanging a shared secret (aka "magic cookie"). There are cases where the magic cookie is included...
BAB TECHNOLOGIE GmbH eibPort V3 prior to 3.8.3 devices allow denial of service (Uncontrolled Resource Consumption) via requests to the lighttpd component. Date published : 2020-11-12 https://psytester.github.io/CVE-2020-24573/
Insecure inherited permissions in firmware update tool for some Intel(R) NUCs may allow an authenticated user to potentially enable escalation of privilege via local access. Date published : 2020-11-12 http://seclists.org/fulldisclosure/2020/Nov/26 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00414
Incorrect default permissions in the Intel(R) DSA before version 20.8.30.6 may allow an authenticated user to potentially enable denial of service via local access. Date published : 2020-11-12 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00449
Incorrect default permissions in the Intel(R) Board ID Tool version v.1.01 may allow an authenticated user to potentially enable escalation of privilege via local access. Date published : 2020-11-12 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00447
Improper Restriction of XML External Entity Reference in subsystem for Intel(R) Quartus(R) Prime Pro Edition before version 20.3 and Intel(R) Quartus(R) Prime Standard Edition before version 20.2 may allow unauthenticated user to potentially enable information...
Adobe Connect version 11.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript...
Adobe Connect version 11.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript...
Adobe Acrobat Reader for Android version 20.6.2 (and earlier) does not properly restrict access to directories created by the application. This could result in disclosure of sensitive information stored in databases used by the...
Untangle Firewall NG before 16.0 uses MD5 for passwords. Date published : 2020-11-12 https://github.com/untangle/ngfw_src/blob/1d232efe2c17a8838b59bbbeaf166dafa94676af/uvm/hier/usr/share/untangle/web/auth/index.py#L196-L200 https://github.com/untangle/ngfw_src/search?q=author%3Abmastbergen+committer-date%3A2020-08-10&type=commits
In Arm software implementing the Armv8-M processors (all versions), the stack selection mechanism could be influenced by a stack-underflow attack in v8-M TrustZone based processors. An attacker can cause a change to the stack...
A vulnerability has been identified in SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions), SIMATIC TDC CPU555 (All versions), SINUMERIK 840D sl (All versions). Sending multiple specially crafted packets...
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows...
SQL Injection issues in various ASPX pages of ResourceXpress Meeting Monitor 4.9 could lead to remote code execution and information disclosure. Date published : 2020-11-12 https://resourcexpress.atlassian.net/wiki/spaces/RSG/pages/807698439/v1.8+HF+1+2+3+OnPrem+v5.3 https://www.resourcexpress.com/news/