Monthly Archive: January 2021

An issue was discovered in the Source Integration plugin before 2.4.1 for MantisBT. An attacker can gain access to the Summary field of private Issues (either marked as Private, or part of a private...

Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application’s availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before...

The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can...

An issue was discovered on ASUS DSL-N14U-B1 1.1.2.3_805 devices. An attacker can upload arbitrary file content as a firmware update when the filename Settings_DSL-N14U-B1.trx is used. Once this file is loaded, shutdown measures on...

Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory. The affected versions are before version 4.8.5. Date...

An issue was discovered in Quali CloudShell 9.3. An XSS vulnerability in the login page allows an attacker to craft a URL, with a constructor.constructor substring in the username field, that executes a payload...

Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin’s cookie if the admin account happens to be...

Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation. Date published : 2021-01-15 https://docs.docker.com/docker-for-mac/release-notes/#docker-desktop-community-2500 Tweets by _r3ggi

An issue was discovered in flatCore before 2.0.0 build 139. A reflected XSS vulnerability was identified in the media_filter HTTP request body parameter for the acp interface. The affected parameter accepts malicious client-side script...

An issue was discovered in flatCore before 2.0.0 build 139. A time-based blind SQL injection was identified in the selected_folder HTTP request body parameter for the acp interface. The affected parameter (which retrieves the...

An issue was discovered in flatCore before 2.0.0 build 139. A stored XSS vulnerability was identified in the prefs_smtp_psw HTTP request body parameter for the acp interface. An admin user can inject malicious client-side...

An issue was discovered in flatCore before 2.0.0 build 139. A local file disclosure vulnerability was identified in the docs_file HTTP request body parameter for the acp interface. This can be exploited with admin...

Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim’s API token if they click on a maliciously crafted link Date published : 2021-01-15 https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22171.json https://gitlab.com/gitlab-org/gitlab-pages/-/issues/262

A regular expression denial of service issue has been discovered in NuGet API affecting all versions of GitLab starting from version 12.8. Date published : 2021-01-15 https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22168.json https://gitlab.com/gitlab-org/gitlab/-/issues/289950