themegrill-demo-importer before 1.6.3 allows CSRF, as demonstrated by wiping the database. Date published : 2021-05-04 https://www.openwall.com/lists/oss-security/2020/02/19/1 https://www.webarxsecurity.com/critical-issue-in-themegrill-demo-importer/
themegrill-demo-importer before 1.6.2 does not require authentication for wiping the database, because of a reset_wizard_actions hook. Date published : 2021-05-04 https://www.openwall.com/lists/oss-security/2020/02/19/1 https://www.webarxsecurity.com/critical-issue-in-themegrill-demo-importer/
All versions of Windscribe VPN for Mac and Windows
SolarWinds Serv-U before 15.1.6 Hotfix 3 is affected by Cross Site Scripting (XSS) via a directory name (entered by an admin) containing a JavaScript payload. Date published : 2021-05-04 https://github.com/matrix https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-1-6-Hotfix-3?language=en_US
iWT Ltd FaceSentry Access Control System 6.4.8 suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user via...
The kernel in Amazon Web Services FreeRTOS before 10.4.3 has insufficient bounds checking during management of heap memory. Date published : 2021-05-03 https://github.com/FreeRTOS/FreeRTOS-Kernel/commit/c7a9a01c94987082b223d3e59969ede64363da63
An issue was discovered in the algorithmica crate through 2021-03-07 for Rust. There is a double free in merge_sort::merge(). Date published : 2021-05-03 https://rustsec.org/advisories/RUSTSEC-2021-0053.html
The gnuplot package prior to version 0.1.0 for Node.js allows code execution via shell metacharacters in Gnuplot commands. Date published : 2021-05-03 https://github.com/rkesters/gnuplot/commit/23671d4d3d28570fb19a936a6328bfac742410de https://www.npmjs.com/package/@rkesters/gnuplot
CODESYS Control Runtime system before 3.5.17.0 has improper input validation. Attackers can send crafted communication packets to change the router’s addressing scheme and may re-route, add, remove or change low level communication packages. Date...
CODESYS Gateway 3 before 3.5.17.0 has a NULL pointer dereference that may result in a denial of service (DoS). Date published : 2021-05-03 https://customers.codesys.com/index.php https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=14637&token=8dbd75ae7553ae3be25e22f741db783b31e14799&download=
CODESYS Development System 3 before 3.5.17.0 displays or executes malicious documents or files embedded in libraries without first checking their validity. Date published : 2021-05-03 https://customers.codesys.com/index.php https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=14639&token=fa836f8bd4a2184aa9323a639ca9f2aaf1538412&download=
CODESYS Automation Server before 1.16.0 allows cross-site request forgery (CSRF). Date published : 2021-05-03 https://customers.codesys.com/index.php https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=14638&token=30b75ee95d0d94527894dfd8cdc5432575a8eff8&download=
In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via ‘__proto__’ through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object...
In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the 7-0 series in versions prior to 7.0.5, the denylist can be circumvented by manipulating the link so it doesn’t match the...