CVE-2021-28110
/exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in its XML parser. Date published : 2021-03-18 https://gist.github.com/kukuxumushi/0b7d90a917ac3480066c4cbf7519b40a
TranzWare (POI) FIMI before 4.2.20.4.2 allows login_tw.php reflected Cross-Site Scripting (XSS). Date published : 2021-03-18 https://gist.github.com/ArtemBrylev/51106b7cf8929b3ecfb9dd7c9e7b0fcf https://www.tadviser.ru/index.php/%D0%9F%D1%80%D0%BE%D0%B4%D1%83%D0%BA%D1%82:TranzWare_Online
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL....
A vulnerability in exacqVision Web Service 20.12.2.0 and prior could allow an unauthenticated attacker to view system-level information about the exacqVision Web Service and the operating system. Date published : 2021-03-18 https://us-cert.cisa.gov/ics/advisories/icsa-21-077-01 https://www.johnsoncontrols.com/cyber-solutions/security-advisories
WebAccess/SCADA versions 9.0 and prior are vulnerable to cross-site scripting, which may allow an attacker to send malicious JavaScript code to an unsuspecting user, which could result in hijacking of the user’s cookie/session tokens,...
The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set. Date published...
An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users to access authenticated routes without a valid JWT token. Date published : 2021-03-18 https://docs.konghq.com/enterprise/changelog/#core-1 https://medium.com/@sew.campos/cve-2021-27306-access-an-authenticated-route-on-kong-api-gateway-6ae3d81968a3
** DISPUTED ** MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /export command. NOTE: the vendor’s position is that this is intended behavior because of...
In WoWonder < 3.1, remote attackers can gain access to the database by exploiting a requests.php?f=search-my-followers SQL Injection vulnerability via the event_id parameter. Date published : 2021-03-18 https://securityforeveryone.com/blog/wowonder-0-day-vulnerability-cve-2021-26935 https://www.exploit-db.com/exploits/49657
The eslint-fixer package through 0.1.5 for Node.js allows command injection via shell metacharacters to the fix function. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. The ozum/eslint-fixer GitHub...
FastStone Image Viewer
FastStone Image Viewer v.