CVE-2021-26233
FastStone Image Viewer
SeedDMS 5.1.x is affected by cross-site request forgery (CSRF) in out.EditFolder.php. Date published : 2021-03-18 http://seeddms.com https://tuhin1729.medium.com/cve-2021-26216-ffb33321dc91
SeedDMS 5.1.x is affected by cross-site request forgery (CSRF) in out.EditDocument.php. Date published : 2021-03-18 http://seeddms.com https://tuhin1729.medium.com/cve-2021-26215-7ce6800be822
In JetBrains PhpStorm before 2020.3, source code could be added to debug logs. Date published : 2021-03-18 JetBrains Security Bulletin Q4 2020
An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c. Date published : 2021-03-18 https://security.gentoo.org/glsa/202107-33 https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. Date published : 2021-03-18 https://security.gentoo.org/glsa/202107-33...
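Worked example for the ReDoS entry above, added here and not taken from Pillow's code: the pattern below is a constructed stand-in for a nested-quantifier regex, not the actual pattern from Pillow's PDF parser, and the helper names are this example's own. It shows how to triage a suspected catastrophic-backtracking regex without hanging the test process (the match runs in a child interpreter that is killed on timeout, because a runaway `re` match cannot be interrupted by a signal handler in the same process), and how to confirm that a linear-time replacement accepts the same benign inputs.

```python
"""Safely reproducing catastrophic backtracking and checking a fix.

Constructed example; UNSAFE_PATTERN is a textbook nested-quantifier regex,
not Pillow's PDF-parser pattern.
"""
import re
import subprocess
import sys

# Constructed vulnerable pattern: the nested quantifier lets the engine split
# a run of n 'a's between the inner and outer group in 2**n ways, and a
# trailing non-'a' character forces it to try them all before failing.
UNSAFE_PATTERN = r"^(a+)+$"
# Same language, no nested quantifier: the engine scans the input once.
SAFE_PATTERN = r"^a+$"

# One-liner run in a child interpreter; pattern and text arrive via argv,
# so no shell quoting is involved.
_CHILD = "import re, sys; print(int(re.fullmatch(sys.argv[1], sys.argv[2]) is not None))"


def match_with_timeout(pattern, text, seconds=2.0):
    """Return True/False for a match, or None if the match did not finish
    within `seconds`. The child process is killed on timeout, so a
    pathological pattern cannot hang the caller."""
    try:
        result = subprocess.run(
            [sys.executable, "-c", _CHILD, pattern, text],
            capture_output=True, text=True, timeout=seconds, check=True,
        )
    except subprocess.TimeoutExpired:
        return None
    return result.stdout.strip() == "1"


def redos_probe(payload_len=40, seconds=2.0):
    """Crafted input (constructed): many 'a's followed by a character that
    defeats the '$' anchor. Returns (unsafe_result, safe_result); the unsafe
    pattern times out (None) while the safe one rejects the input quickly."""
    crafted = "a" * payload_len + "!"
    return (match_with_timeout(UNSAFE_PATTERN, crafted, seconds),
            match_with_timeout(SAFE_PATTERN, crafted, seconds))


def patterns_agree(samples=("", "a", "aaaa", "aab", "b", "aa!")):
    """Regression check for the fix: both patterns must accept and reject the
    same short, benign inputs (short enough that the unsafe one terminates)."""
    return all(
        bool(re.fullmatch(UNSAFE_PATTERN, s)) == bool(re.fullmatch(SAFE_PATTERN, s))
        for s in samples
    )


if __name__ == "__main__":
    print("probe (unsafe, safe):", redos_probe())
    print("patterns agree on benign inputs:", patterns_agree())
```

When reviewing a real parser regex, apply the same two steps: feed it a crafted input that almost matches and see whether it finishes under a hard timeout, then keep a corpus of valid inputs to prove the rewritten pattern still accepts them.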
An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. Date published : 2021-03-18 https://security.gentoo.org/glsa/202107-33 https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size. Date published : 2021-03-18 https://security.gentoo.org/glsa/202107-33 https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because...
The Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an...
A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email...
The Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise or output-encode the mic_comment field (Notes on time) when adding/editing an event, allowing users with...
The Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, lacked authorisation checks on its export files and did not properly restrict access to them, allowing unauthenticated users to export all event data in CSV...
The Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check imported files, allowing an administrator to upload PHP files by using the 'text/csv' content-type...