CVE-2020-14360
A flaw was found in the X.Org Server before version 1.20.10. An out-of-bounds access in the XkbSetMap function may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data...
MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button. Date published : 2021-01-19 https://github.com/MISP/MISP/commit/8283e0fbec551f45f3f181cdb2cf29cddc23df66
Files.com Fat Client 3.3.6 allows authentication bypass because the client continues to have access after a logout and a removal of a login profile. Date published : 2021-01-19 https://seclists.org/fulldisclosure/2021/Jan/20
D-Link DCS-5220 devices have a buffer overflow. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Date published : 2021-01-19 https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10203
rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups)....
** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via...
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a...
XWiki 12.10.2 allows XSS via an SVG document to the upload feature of the comment section. Date published : 2021-01-19 https://www.exploit-db.com/exploits/49437
MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs. Date published : 2021-01-19 https://github.com/MISP/MISP/commit/829c3199ba3afdecb52e0719509f3df4463be5b4
MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp. Date published : 2021-01-19 https://github.com/MISP/MISP/commit/741243f707cac7de1a3769a38e03004f037f4a3d
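The two MISP entries above share one mechanism: user-controlled text (a galaxy element value used as a reference URL, a cluster name) is written into the page without either a scheme check or output escaping, so a `javascript:` href or an injected tag executes in the viewer's browser. The block below is an added illustration of the class of fix, written for this page; it is not MISP code and does not reproduce the linked commits. The allowlist `ALLOWED_SCHEMES`, the function names, and the sample inputs are assumptions constructed for the example.

```python
import re
from html import escape
from typing import Optional

# Assumption for this example: user-supplied reference links may only use these schemes.
ALLOWED_SCHEMES = {"http", "https"}

# Characters a browser discards before parsing a URL: leading/trailing
# C0 controls and space, plus tab/CR/LF anywhere in the string.
# Checking the raw string would miss "java\nscript:", which browsers still run.
_EDGE_JUNK = "".join(chr(c) for c in range(0x21))
_INNER_JUNK = re.compile(r"[\t\r\n]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalise_url(url: str) -> str:
    """Mimic browser pre-parsing so the scheme check sees what the browser sees."""
    return _INNER_JUNK.sub("", url.strip(_EDGE_JUNK))


def url_scheme(url: str) -> Optional[str]:
    """Return the lower-cased scheme, or None for relative / scheme-less URLs."""
    m = _SCHEME.match(normalise_url(url))
    return m.group(1).lower() if m else None


def is_safe_reference_url(url: str) -> bool:
    """Allowlist check: only absolute URLs with an allowed scheme pass.

    Relative URLs (scheme None) are rejected on purpose: a reference field
    is expected to point at an external resource, not at a path on this host.
    """
    return url_scheme(url) in ALLOWED_SCHEMES


def render_reference_link(url: str, label: str) -> str:
    """Emit a link only when the scheme is allowed; always escape text and attributes.

    Escaping alone does not stop a javascript: href, and a scheme check alone
    does not stop a label such as '<img onerror=...>', so both are needed.
    """
    safe_label = escape(label, quote=True)
    if not is_safe_reference_url(url):
        # Fall back to plain text so a rejected value can never become a clickable URL.
        return safe_label
    href = escape(normalise_url(url), quote=True)
    return f'<a href="{href}" rel="noopener noreferrer">{safe_label}</a>'


if __name__ == "__main__":
    # Constructed sample inputs, shaped like values an attacker might submit.
    for candidate in [
        "https://example.org/ref",
        "javascript:alert(1)",
        "JaVaScRiPt:alert(1)",
        " \tjava\nscript:alert(1)",
        "data:text/html,<script>alert(1)</script>",
        "//example.org/ref",
    ]:
        print(repr(candidate), "->", is_safe_reference_url(candidate))
    print(render_reference_link("https://example.org/ref", 'Ref "1" <b>'))
```

The normalisation step is the part most ad hoc fixes miss: a check that runs `startswith("javascript:")` on the raw value is bypassed by case changes or an embedded tab or newline, which the browser removes before it parses the scheme.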
The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password. Date published : 2021-01-19 https://github.com/MISP/MISP/commit/afbf95a478b6e94f532ca0776c79da1b08be7eed
HGiga EIP product contains an SQL injection vulnerability. Attackers can inject SQL commands into a specific URL parameter (online registration) to obtain the database schema and data. Date published : 2021-01-19 https://www.chtsecurity.com/news/eb024200-7cf9-4c58-a063-c451dbc9daef https://www.twcert.org.tw/tw/cp-132-4328-97765-1.html
HGiga EIP product contains an SQL injection vulnerability. Attackers can inject SQL commands into a specific URL parameter (document management page) to obtain the database schema and data. Date published : 2021-01-19 https://www.chtsecurity.com/news/eb024200-7cf9-4c58-a063-c451dbc9daef https://www.twcert.org.tw/tw/cp-132-4327-50e99-1.html
HGiga EIP product lacks effective access control on certain pages, which allows attackers to access the database or perform privileged functions. Date published : 2021-01-19 https://www.chtsecurity.com/news/eb024200-7cf9-4c58-a063-c451dbc9daef https://www.twcert.org.tw/tw/cp-132-4326-3d9d2-1.html