This affects the package i18n before 2.1.15. Vulnerability arises out of insufficient handling of erroneous language tags in src/i18n/Concrete/TextLocalizer.cs and src/i18n/LocalizedApplication.cs. Date published : 2020-12-11 https://github.com/turquoiseowl/i18n/commit/c418e3345313dc896c1951d8c46ab0b9b12fcbd3 https://github.com/turquoiseowl/i18n/issues/387
This affects the package spatie/browsershot from 0.0.0. By specifying a URL in the file:// protocol an attacker is able to include arbitrary files in the resultant PDF. Date published : 2020-12-11 https://github.com/spatie/browsershot/issues/441%23issue-735049731 https://snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-1037064
This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array. Date published :...
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be...
On BIG-IP 14.1.0-14.1.2.6, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role....
On BIG-IP versions 14.0.0-14.0.1 and 13.1.0-13.1.3.4, certain traffic pattern sent to a virtual server configured with an FTP profile can cause the FTP channel to break. Date published : 2020-12-11 https://support.f5.com/csp/article/K20984059
On BIG-IP versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.2.7, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the...
IBM Resilient SOAR V38.0 could allow a remote attacker to execute arbitrary code on the system, caused by formula injection due to improper input validation. Date published : 2020-12-11 https://www.ibm.com/support/pages/node/6380884 https://exchange.xforce.ibmcloud.com/vulnerabilities/185418
In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of...
Frappe Framework 12 and 13 does not properly validate the HTTP method for the frappe.client API. Date published : 2020-12-11 https://github.com/frappe/frappe/pull/11228 https://github.com/frappe/frappe/pull/11237
lib/utils.js in mquery before 3.2.3 allows a pollution attack because a special property (e.g., __proto__) can be copied during a merge or clone operation. Date published : 2020-12-11 https://github.com/aheckmann/mquery/commit/792e69fd0a7281a0300be5cade5a6d7c1d468ad4
Western Digital Dashboard before 3.2.2.9 allows DLL Hijacking that leads to compromise of the SYSTEM account. Date published : 2020-12-11 https://www.westerndigital.com/support/productsecurity/wdc-20011-western-digital-dashboard-privilege-escalation
Versions of the Official registry Docker images through 2.7.0 contain a blank password for the root user. Systems deployed using affected versions of the registry container may allow a remote attacker to achieve root...
An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely. Date published : 2020-12-11 https://www.bleepingcomputer.com/news/security/sophos-fixes-sql-injection-vulnerability-in-their-cyberoam-os/ https://www.cyberoam.com/ngfw.html