An issue was discovered in Acronis Cyber Protect before 15 Update 1 build 26172. There is cross-site scripting (XSS) in the console. Date published : 2021-02-21 https://dl.managed-protection.com/u/cyberprotect/rn/15/user/en-US/AcronisCyberProtect15_relnotes.htm https://www.acronis.com
An issue was discovered in MantisBT through 2.24.3. In the helper_ensure_confirmed call in manage_custom_field_update.php, the custom field name is not sanitized. This may be problematic depending on CSP settings. Date published : 2021-02-21 https://mantisbt.org/bugs/view.php?id=27768
An issue was discovered in Acronis Cyber Protect before 15 Update 1 build 26172. Because the local notification service misconfigures CORS, information disclosure can occur. Date published : 2021-02-21 https://dl.managed-protection.com/u/cyberprotect/rn/15/user/en-US/AcronisCyberProtect15_relnotes.htm https://www.acronis.com
Livy server version 0.7.0-incubating (only) is vulnerable to a cross site scripting issue in the session name. A malicious user could use this flaw to access logs and results of other users’ sessions and...
ModernFlow before 1.3.00.208 does not constrain web-page access to members of a security group, as demonstrated by the Search Screen and the Profile Screen. Date published : 2021-02-19 https://4sightwebsite.azurewebsites.net/mf_releaseNotes https://appsource.microsoft.com/en-us/product/web-apps/acctech-systems-pty-ltd.modernflow-saas?tab=overview
components/Modals/HelpTexts/GenericAll/GenericAll.jsx in Bloodhound
SSRF in the document conversion component of Webware Webdesktop 5.1.15 allows an attacker to read all files from the server. Date published : 2021-02-19 https://www.l0l.xyz/sec/2021/01/05/1-webdesktop-root-ssrf.html
The slashify package 1.0.0 for Node.js allows open-redirect attacks, as demonstrated by a localhost:3000///example.com/ substring. Date published : 2021-02-19 https://security.netapp.com/advisory/ntap-20210401-0004/ https://securitylab.github.com/advisories/GHSL-2020-199-open-redirect-slashify
In Visualware MyConnection Server before 11.0b build 5382, each published report is not associated with its own access code. Date published : 2021-02-19 https://myconnectionserver.visualware.com/support/newrelease.html
The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session. Date published : 2021-02-19 https://security.gentoo.org/glsa/202105-07 https://0ffsecninja.github.io/Telegram:CVE-2021-2735.html
Yeastar NeoGate TG400 91.3.0.3 devices are affected by Directory Traversal. An authenticated user can decrypt firmware and can read sensitive information, such as a password or decryption key. Date published : 2021-02-19 http://packetstormsecurity.com/files/161560/Yeastar-TG400-GSM-Gateway-91.3.0.3-Path-Traversal.html Home
A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack...
A stack-based buffer overflow in res_rtp_asterisk.c in Sangoma Asterisk before 16.16.1, 17.x before 17.9.2, and 18.x before 18.2.1 and Certified Asterisk before 16.8-cert6 allows an authenticated WebRTC client to cause an Asterisk crash by...
In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation,...