Monthly Archive: June 2021

Contiki-NG is an open-source, cross-platform operating system for internet of things devices. It is possible to cause an out-of-bounds write in versions of Contiki-NG prior to 4.6 when transmitting a 6LoWPAN packet with a...

Contiki-NG is an open-source, cross-platform operating system for internet of things devices. In verions prior to 4.6, an attacker can perform a denial-of-service attack by triggering an infinite loop in the processing of IPv6...

Contiki-NG is an open-source, cross-platform operating system for internet of things devices. The RPL-Classic and RPL-Lite implementations in the Contiki-NG operating system versions prior to 4.6 do not validate the address pointer in the...

Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value "zzip_file_read" in the function "unzzip_cat_file". Date published : 2021-06-18 https://github.com/gdraheim/zziplib/issues/68

Elemin allows remote attackers to upload and execute arbitrary PHP code via the Themify framework (before 1.2.2) wp-content/themes/elemin/themify/themify-ajax.php file. Date published : 2021-06-17 https://en.0day.today/exploit/22090 https://packetstormsecurity.com/files/124149/WordPress-Elemin-Shell-Upload.html

PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project’s scope by other means). If the $patternselect parameter to validateAddress()...

Quassel through 0.13.1, when –require-ssl is enabled, launches without SSL or TLS support if a usable X.509 certificate is not found on the local system. Date published : 2021-06-17 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JOFTSGJUJHCA3KGQBO6OZXWU7JFKVHMJ/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZFWRN5P2WG23MWMVAEVV3YBHGFJHDSW/

Use of hard-coded credentials vulnerability in php component in Synology Calendar before 2.4.0-0761 allows remote attackers to obtain sensitive information via unspecified vectors. Date published : 2021-06-17 https://www.synology.com/security/advisory/Synology_SA_21_12

Server-Side Request Forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to access intranet resources via unspecified vectors. Date published : 2021-06-17 https://www.synology.com/security/advisory/Synology_SA_21_11

Improper privilege management vulnerability in cgi component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors. Date published : 2021-06-17 https://www.synology.com/security/advisory/Synology_SA_21_11

Improper neutralization of special elements used in a command (‘Command Injection’) vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors. Date...

Server-Side Request Forgery (SSRF) vulnerability in cgi component in Synology Media Server before 1.8.3-2881 allows remote attackers to access intranet resources via unspecified vectors. Date published : 2021-06-17 https://www.synology.com/security/advisory/Synology_SA_21_10

Sonatype Nexus Repository Manager 3.x before 3.31.0 allows a remote authenticated attacker to get a list of blob files and read the content of a blob file (via a GET request) without having been...

An XSS issue was discovered in manage_custom_field_edit_page.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field. Date published : 2021-06-17 MantisBT 2.25.2...