CVE-2020-2301
Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user with any password while a successful authentication of that user is still in the optional cache when using Windows/ADSI...
Jenkins Active Directory Plugin 2.19 and earlier does not prohibit the use of an empty password in Windows/ADSI mode, which allows attackers to log in to Jenkins as any user depending on the configuration...
Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user if a magic constant is used as the password. Date published : 2020-11-04 https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2117 http://www.openwall.com/lists/oss-security/2020/11/04/6
** DISPUTED ** phpMyAdmin through 5.0.2 allows CSV injection via Export Section. NOTE: the vendor disputes this because "the CSV file is accurately generated based on the database contents." Date published : 2020-11-04 https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22278.pdf...
Import and export users and customers WordPress Plugin through 1.15.5.11 allows CSV injection via a customer’s profile. Date published : 2020-11-04 https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22277.pdf https://mega.nz/file/bSQnlS4R#UY_ozLkvXgXFKzqtTRKeB9RXGi6aEQF3X6eKXdSiBt0
WeForms WordPress Plugin 1.4.7 allows CSV injection via a form’s entry. Date published : 2020-11-04 http://uploadboy.com/tvvs4p2gf03m/887/mp4 https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22276.pdf
Easy Registration Forms (ER Forms) WordPress Plugin 2.0.6 allows an attacker to submit an entry with malicious CSV commands. After that, when the system administrator generates CSV output from the forms information, there is...
JomSocial (Joomla Social Network Extension) 4.7.6 allows CSV injection via a customer’s profile. Date published : 2020-11-04 http://uploadboy.me/iypl38958pon/JomSocial.mp4.html https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22274.pdf
Neoflex Video Subscription System Version 2.0 is affected by CSRF which allows the Website’s Settings to be changed (such as Payment Settings) Date published : 2020-11-04 https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22273.pdf https://uploadboy.com/v630a7smyykc/539/mp4
IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 applications can be installed on a deprecated operating system version that could compromise the confidentiality and integrity of the service. IBM X-Force ID: 161486 Date published...
IBM App Connect Enterprise Certified Container 1.0.0, 1.0.1, 1.0.2, 1.0.3, and 1.0.4 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web...
IBM Planning Analytics Local 2.0.9.2 and IBM Planning Analytics Workspace 57 could expose data to non-privileged users by not invalidating TM1Web user sessions. IBM X-Force ID: 186022. Date published : 2020-11-03 https://www.ibm.com/support/pages/node/6356539 https://exchange.xforce.ibmcloud.com/vulnerabilities/186022
In BookStack before version 0.30.4, a user with permissions to edit a page could insert JavaScript code through the use of `javascript:` URIs within a link or form which would run, within the context...
In BookStack before version 0.30.4, a user with permissions to edit a page could add an attached link which would execute untrusted JavaScript code when clicked by a viewer of the page. Dangerous content...