Incorrect Access Control in Shopxo v1.4.0 and v1.5.0 allows remote attackers to gain privileges in "/index.php" by manipulating the parameter "user_id" in the HTML request. Date published : 2021-04-14 https://github.com/gongfuxiang/shopxo/issues/23
An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to...
A null pointer dereference vulnerability in Lenovo Power Management Driver for Windows 10, prior to version 1.67.17.54, that could cause systems to experience a blue screen error. Date published : 2021-04-13 https://support.lenovo.com/us/en/product_security/LEN-59174
A privilege escalation vulnerability in Lenovo Power Management Driver for Windows 10, prior to version 1.67.17.54, that could allow unauthorized access to the driver’s device object. Date published : 2021-04-13 https://support.lenovo.com/us/en/product_security/LEN-59174
The Motorola MH702x devices, prior to version 2.0.0.301, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker. Date...
htmly 2.8.0 allows stored XSS via the blog title, Tagline, or Description to config.html.php. Date published : 2021-04-13 http://packetstormsecurity.com/files/162195/htmly-2.8.0-Cross-Site-Scripting.html https://github.com/danpros/htmly/issues/456
The ZEROF Expert pro/2.0 application for mobile devices allows SQL Injection via the Authorization header to the /v2/devices/add endpoint. Date published : 2021-04-13 https://github.com/awillix/research/blob/main/cve/CVE-2021-30176.md https://pro.zerof.ru
ZEROF Web Server 1.0 (April 2021) allows SQL Injection via the /HandleEvent endpoint for the login page. Date published : 2021-04-13 https://github.com/awillix/research/blob/main/cve/CVE-2021-30175.md https://pro.zerof.ru
An issue was discovered in Wind River VxWorks through 6.8. There is a possible stack overflow in dhcp server. Date published : 2021-04-13 https://support2.windriver.com/index.php?page=security-notices
An issue was discovered in Wind River VxWorks before 6.5. There is a possible heap overflow in dhcp client. Date published : 2021-04-13 https://cert-portal.siemens.com/productcert/pdf/ssa-560465.pdf https://support2.windriver.com/index.php?page=security-notices
An issue was discovered in Wind River VxWorks 7 before 21.03. A specially crafted packet may lead to buffer over-read on IKE. Date published : 2021-04-13 https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2021-29997 https://support2.windriver.com/index.php?page=security-notices
When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts....
Grav is a file based Web-platform. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed,...
The Grav admin plugin prior to version 1.10.11 does not correctly verify caller’s privileges. As a consequence, users with the permission `admin.login` can install third-party plugins and their dependencies. By installing the right plugin,...