Monthly Archive: December 2020

A stored XSS vulnerability exists in Umbraco CMS

An issue was discovered in MantisBT before 2.24.4. An incorrect access check in bug_revision_view_page.php allows an unprivileged attacker to view the Summary field of private issues, as well as bugnotes revisions, gaining access to...

In Correspondence Management System (corms) in Newgen eGov 12.0, an attacker can modify other users’ profile information by manipulating the unvalidated UserIndex parameter, aka Insecure Direct Object Reference. Date published : 2020-12-30 http://packetstormsecurity.com/files/160826/Newgen-Correspondence-Management-System-eGov-12.0-Insecure-Direct-Object-Reference.html https://www.exploit-db.com/exploits/49378

FlatPress 1.0.3 is affected by cross-site scripting (XSS) in the Blog Content component. This vulnerability can allow an attacker to inject the XSS payload in Blog content via the admin panel. Each time any...

** DISPUTED ** FluxBB 1.5.11 is affected by cross-site scripting (XSS in the Blog Content component. This vulnerability can allow an attacker to inject the XSS payload in "Blog Content" and each time any...

The Amaze File Manager application before 3.4.2 for Android does not properly restrict intents for controlling the FTP server (aka services.ftpservice.FTPReceiver.ACTION_START_FTPSERVER and services.ftpservice.FTPReceiver.ACTION_STOP_FTPSERVER). Date published : 2020-12-30 https://github.com/TeamAmaze/AmazeFileManager/pull/1815 https://github.com/TeamAmaze/AmazeFileManager/compare/v3.4.1…v3.4.2

Rocket.Chat before 0.74.4, 1.x before 1.3.4, 2.x before 2.4.13, 3.x before 3.7.3, 3.8.x before 3.8.3, and 3.9.x before 3.9.1 mishandles SAML login. Date published : 2020-12-30 https://github.com/RocketChat/Rocket.Chat/compare/3.8.2…3.8.3 https://github.com/RocketChat/Rocket.Chat/releases/tag/3.9.1

Invision Community 4.5.4 is affected by cross-site scripting (XSS) in the Field Name field. This vulnerability can allow an attacker to inject the XSS payload in Field Name and each time any user will...

WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Menu component. This vulnerability can allow an attacker to inject the XSS payload in the Setting – Menu and each time any user will...

WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Page description component. This vulnerability can allow an attacker to inject the XSS payload in the Page description and each time any user will...

EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Profile Page. This vulnerability can result in the attacker injecting the XSS payload in Admin...

EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Panel – Manage User tab using the Full Name of the user. This vulnerability can...

EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by SQL injection in the User Login Page. Date published : 2020-12-30 http://egavilanmedia.com https://github.com/hemantsolo/CVE-Reference/blob/main/CVE-2020-29228.md

Bolt before 3.7.2 does not restrict filter options in a Request in the Twig context, and is therefore inconsistent with the "How to Harden Your PHP for Better Security" guidance. Date published : 2020-12-30...