config.py in pystemon before 2021-02-13 allows code execution via YAML deserialization because SafeLoader and safe_load are not used. Date published : 2021-02-13 https://github.com/cvandeplas/pystemon/commit/dbeb87afefdb63de2f4cff69b6f10c5965d14b54 https://www.huntr.dev/bounties/1-other-pystemon/
In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short...
An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a...
LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model. Date published : 2021-02-13 191008 https://github.com/LimeSurvey/LimeSurvey/blob/master/docs/release_notes.txt
An issue was discovered in OpenZFS through 2.0.3. When an NFS share is exported to IPv6 addresses via the sharenfs feature, there is a silent failure to parse the IPv6 address data, and access...
TP-Link Archer C5v 1.7_181221 devices allows remote attackers to retrieve cleartext credentials via [USER_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,0 to the /cgi?1&5 URI. Date published : 2021-02-12 https://gokay.org/tp-links-archer-c5v-improper-authorization/
In the management interface on TP-Link Archer C5v 1.7_181221 devices, credentials are sent in a base64 format over cleartext HTTP. Date published : 2021-02-12 https://gokay.org/tp-link-archer-c5v-base64-cookie/
Telegram before 7.4 (212543) Stable on macOS stores the local copy of self-destructed messages in a sandbox path, leading to sensitive information disclosure. Date published : 2021-02-12 https://www.inputzero.io/2020/12/telegram-privacy-fails-again.html
Telegram before 7.4 (212543) Stable on macOS stores the local passcode in cleartext, leading to information disclosure. Date published : 2021-02-12 https://www.inputzero.io/2020/12/telegram-privacy-fails-again.html
DSUtility.dll in Pelco Digital Sentry Server before 7.19.67 has an arbitrary file write vulnerability. The AppendToTextFile method doesn’t check if it’s being called from the application or from a malicious user. The vulnerability is...
The Sovremennye Delovye Tekhnologii FX Aggregator terminal client 1 allows attackers to cause a denial of service (access suspended for five hours) by making five invalid login attempts to a victim’s account. Date published...
The Sovremennye Delovye Tekhnologii FX Aggregator terminal client 1 stores authentication credentials in cleartext in login.sav when the Save Password box is checked. Date published : 2021-02-12 https://github.com/jet-pentest/CVE-2021-27187 https://www.dnb.com/business-directory/company-profiles.pryaniki_ooo.13b676c626e38d534ff1a6a2a9fc7e6a.html
NeDi 1.9C allows an authenticated user to inject PHP code in the System Files function on the endpoint /System-Files.php via the txt HTTP POST parameter. This allows an attacker to obtain access to the...
NeDi 1.9C allows an authenticated user to execute operating system commands in the Nodes Traffic function on the endpoint /Nodes-Traffic.php via the md or ag HTTP GET parameter. This allows an attacker to obtain...