CVE-2020-35777
NETGEAR DGN2200v1 devices before v1.0.0.58 are affected by command injection. Date published : 2020-12-29 https://kb.netgear.com/000062634/Security-Advisory-for-Command-Injection-Vulnerability-on-DGN2200v1-PSV-2020-0411
server/handler/HistogramQueryHandler.scala in Twitter TwitterServer (aka twitter-server) before 20.12.0, in some configurations, allows XSS via the /histograms endpoint. Date published : 2020-12-29 https://advisory.checkmarx.net/advisory/CX-2020-4287 https://github.com/twitter/twitter-server/commit/e0aeb87e89a6e6c711214ee2de0dd9f6e5f9cb6c
The site-offline plugin before 1.4.4 for WordPress lacks certain wp_create_nonce and wp_verify_nonce calls, aka CSRF. Date published : 2020-12-29 https://advisory.checkmarx.net/advisory/CX-2020-4292 wp_create_nonce()
miniserv.pl in Webmin 1.962 on Windows mishandles special characters in query arguments to the CGI program. Date published : 2020-12-29 https://github.com/webmin/webmin/commit/1163f3a7f418f249af64890f4636575e687e9de7#diff-9b33fd8f5603d4f0d1428689bc36f24af4770608a22c0d92b7a8bcc522450dc6 https://vigilance.fr/vulnerability/Webmin-code-execution-via-miniserv-pl-handle-request-34220
Vidyo 02-09-/D allows clickjacking via the portal/ URI. Date published : 2020-12-29 https://blog.vidyo.com/category/product-updates/ https://github.com/italoantunes/CVE
nopCommerce Store 4.30 is affected by cross-site scripting (XSS) in the Schedule tasks name field. This vulnerability can allow an attacker to inject the XSS payload in Schedule tasks and each time any user...
OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Profile Image. An admin can upload malicious JavaScript code as a profile image. Whenever anyone views the profile picture, the code...
OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Subject field of mail. This vulnerability can allow an attacker to inject the XSS payload in the Subject field of the mail and each...
Prototype pollution vulnerability in ‘libnested’ versions 0.0.0 through 1.5.0 allows an attacker to cause a denial of service and may lead to remote code execution. Date published : 2020-12-29 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28284 https://github.com/dominictarr/libnested/blob/d028a1b0f2e5f16fc28e568f52b936ae0bca0647/index.js#L27
Prototype pollution vulnerability in ‘getobject’ version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution. Date published : 2020-12-29 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282 https://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48
Prototype pollution vulnerability in ‘set-object-value’ versions 0.0.0 through 0.0.5 allows an attacker to cause a denial of service and may lead to remote code execution. Date published : 2020-12-29 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28281 https://github.com/react-atomic/react-atomic-organism/blob/e5645a2f9e632ffdebc83d720498831e09754c22/packages/lib/set-object-value/src/index.js#L16
Prototype pollution vulnerability in ‘predefine’ versions 0.0.0 through 0.1.2 allows an attacker to cause a denial of service and may lead to remote code execution. Date published : 2020-12-29 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28280 https://github.com/bigpipe/predefine/blob/238137e3d1b8288ff5d7529c3cbcdd371888c26b/index.js#L284
Prototype pollution vulnerability in ‘flattenizer’ versions 0.0.5 through 1.0.5 allows an attacker to cause a denial of service and may lead to remote code execution. Date published : 2020-12-29 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28279 https://github.com/sahellebusch/flattenizer/pull/13
Prototype pollution vulnerability in ‘shvl’ versions 1.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. Date published : 2020-12-29 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28278 https://github.com/robinvdvleuten/shvl/blob/bef0a3ebade444cc6b297147ecf5242308f0892e/index.js#L10