Monthly Archive: February 2021

Pi-hole 5.0, 5.1, and 5.1.1 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie...

In Endalia Selection Portal before 4.205.0, an Insecure Direct Object Reference (IDOR) allows any authenticated user to download every file uploaded to the platform by changing the value of the file identifier (aka CommonDownload...

A command injection issue in dji_sys in DJI Mavic 2 Remote Controller before firmware version 01.00.0510 allows for code execution via a malicious firmware upgrade packet. Date published : 2021-02-18 http://hacktheplanet.nu/djihax.pdf http://kth.diva-portal.org/smash/get/diva2:1463784/FULLTEXT01.pdf

The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center before version 8.5.11, from 8.6.0 before 8.13.3, and from 8.14.0 before 8.15.0 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF...

The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center before version 6.13.18, from 6.14.0 before 7.4.6, and from 7.5.0 before 7.8.3 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF...

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge . Date published : 2021-02-18 https://github.com/yeikos/js.merge/blob/master/src/index.ts%23L64 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1071049

This affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC: var three = require(‘three’) function build_blank (n) { var ret = "rgb(" for (var i = 0;...

This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception. Date published : 2021-02-18 https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6 https://github.com/FasterXML/jackson-dataformats-binary/issues/186

The package async-git before 1.13.2 are vulnerable to Command Injection via shell meta-characters (back-ticks). For example: git.reset(‘atouch HACKEDb’) Date published : 2021-02-18 https://github.com/omrilotan/async-git/commit/d1950a5021f4e19d92f347614be0d85ce991510d https://github.com/omrilotan/async-git/pull/14

All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab’s documentation) Steps to reproduce by Karan Bamal:...

Buffer overflow in FinalWire Ltd AIDA64 Engineer 6.00.5100 allows attackers to execute arbitrary code by creating a crafted input that will overwrite the SEH handler. Date published : 2021-02-18 https://www.exploit-db.com/exploits/46991

OpenNMS Meridian 2016, 2017, 2018 before 2018.1.25, 2019 before 2019.1.16, and 2020 before 2020.1.5, Horizon 1.2 through 27.0.4, and Newts

An issue was discovered in the rand_core crate before 0.6.2 for Rust. Because read_u32_into and read_u64_into mishandle certain buffer-length checks, a random number generator may be seeded with too little data. Date published :...

An issue was discovered in the yottadb crate before 1.2.0 for Rust. For some memory-allocation patterns, ydb_subscript_next_st and ydb_subscript_prev_st have a use-after-free. Date published : 2021-02-17 https://rustsec.org/advisories/RUSTSEC-2021-0022.html