Monthly Archive: December 2020

An issue was discovered on Western Digital My Cloud OS 5 devices before 5.07.118. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to gain access to the device. Date published :...

A cross-Site Scripting (XSS) vulnerability in this.showInvalid and this.showInvalidCountry in SmartyStreets liveAddressPlugin.js 3.2 allows remote attackers to inject arbitrary web script or HTML via any address parameter (e.g., street or country). Date published :...

TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The...

Cross Site Request Forgery (CSRF) in CART option in OpenCart Ltd. Opencart CMS 3.0.3.6 allows attacker to add cart items via Add to cart. Date published : 2020-12-11 https://www.exploit-db.com/exploits/49228 https://www.opencart.com/

All versions of package corenlp-js-interface are vulnerable to Command Injection via the main function. Date published : 2020-12-11 https://snyk.io/vuln/SNYK-JS-CORENLPJSINTERFACE-1050435

This affects all versions of package corenlp-js-prefab. The injection point is located in line 10 in ‘index.js.’ It depends on a vulnerable package ‘corenlp-js-interface.’ Vulnerability can be exploited with the following PoC: Date published...

A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (before 5.10-rc1). There was a race problem in trace_open and resize of cpu buffer running parallely on different cpus, may cause a denial of...

In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities. Date published : 2020-12-11 https://security.netapp.com/advisory/ntap-20210115-0004/ https://support.f5.com/csp/article/K43530108

In certain configurations on version 13.1.3.4, when a BIG-IP AFM HTTP security profile is applied to a virtual server and the BIG-IP system receives a request with specific characteristics, the connection is reset and...

In two-factor authentication, the system also sending 2fa secret key in response, which enables an intruder to breach the 2fa security. Date published : 2020-12-11 https://github.com/frappe/frappe/pull/11262 https://github.com/frappe/frappe/pull/11263

Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain...

Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain...

Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain...

Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain...