CVE-2020-15949
Immuta v2.8.2 is affected by one instance of insecure permissions that can lead to user account takeover. Date published : 2020-11-05 https://labs.bishopfox.com/advisories https://labs.bishopfox.com/advisories/immuta-version-2.8.2
Ubuntu’s packaging of libvirt in 20.04 LTS created a control socket with world read and write permissions. An attacker could use this to overwrite arbitrary files or execute arbitrary code. Date published : 2020-11-05...
HCL Notes versions previous to releases 9.0.1 FP10 IF8, 10.0.1 FP6 and 11.0.1 FP1 are susceptible to a Stored Cross-site Scripting (XSS) vulnerability. An attacker could use this vulnerability to execute script in a...
HCL Digital Experience 8.5, 9.0, 9.5 is susceptible to cross site scripting (XSS). One subcomponent is vulnerable to reflected XSS. In reflected XSS, an attacker must induce a victim to click on a crafted...
Telerik Fiddler through 5.0.20202.18177 allows attackers to execute arbitrary programs via a hostname with a trailing space character, followed by --utility-and-browser --utility-cmd-prefix= and the pathname of a locally installed program. The victim must interactively...
An exploitable local privilege elevation vulnerability exists in the file system permissions of Moxa MXView series 3.1.8 installation. Depending on the vector chosen, an attacker can either add code to a script or replace...
In Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+, an authenticated user can make unauthorized MySQL queries against the Orchestrator database using the /sqlExecution REST API, which had been used for...
In Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+, an authenticated user can access, modify, and delete restricted files on the Orchestrator server using the /debugFiles REST API. Date published : 2020-11-05...
Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ use HTTP headers to authenticate REST API calls from localhost. This makes it possible to log in to Orchestrator by introducing an HTTP...
Subrion CMS v4.2.1 allows XSS via the panel/phrases/ VALUE parameter. Date published : 2020-11-04 https://github.com/intelliants/subrion/commits/develop https://github.com/ngpentest007/CVE-2019-7356/blob/main/Subrion_4.2.1%20-%20CVE-2019-7356.pdf
The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a large amount of memory. Date published : 2020-11-04 https://support.apple.com/kb/HT212325 https://support.apple.com/kb/HT212326
The tok2strbuf() function in tcpdump 4.10.0-PRE-GIT was used by the SOME/IP dissector in an unsafe way. Date published : 2020-11-04 https://github.com/the-tcpdump-group/tcpdump/commit/e2256b4f2506102be2c6f7976f84f0d607c53d43
A remote execution of arbitrary commands vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2. Date published : 2020-11-04 https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbnw04051en_us