CVE-2021-34821
Cross Site Scripting (XSS) vulnerability exists in AAT Novus Management System through 1.51.2. The WebUI has wrong HTTP 404 error handling implemented. A remote, unauthenticated attacker may be able to exploit the issue by...
Web Path Directory Traversal in the Novus HTTP Server. The Novus HTTP Server is affected by the Directory Traversal for Arbitrary File Access vulnerability. A remote, unauthenticated attacker using an HTTP GET request may...
A Cross-Site Scripting (XSS) issue in the chat component of Etherpad 1.8.13 allows remote attackers to inject arbitrary JavaScript or HTML by importing a crafted pad. Date published : 2021-07-19 https://blog.sonarsource.com/etherpad-code-execution-vulnerabilities https://etherpad.org/#download
Basix NEX-Forms through 7.8.7 allows authentication bypass for Excel report generation. Date published : 2021-07-19 Change Log https://github.com/rauschecker/CVEs/tree/main/CVE-2021-34676
Basix NEX-Forms through 7.8.7 allows authentication bypass for stored PDF reports. Date published : 2021-07-19 Change Log https://github.com/rauschecker/CVEs/tree/main/CVE-2021-34675
A remote denial of service (DoS) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x:...
A remote cross-site scripting (XSS) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.13 and below; Aruba Instant 6.5.x: 6.5.4.13 and below; Aruba Instant 8.3.x: 8.3.0.7...
NAVER Toolbar before 4.0.30.323 allows remote attackers to execute arbitrary code via a crafted upgrade.xml file. Special characters in the filename parameter can bypass the code-signing check. Date published :...
Overwolf Client 0.169.0.22 allows XSS, with resultant Remote Code Execution, via an overwolfstore:// URL. Date published : 2021-07-19 https://github.com/swordbytes/Advisories/blob/master/2021/Advisory_CVE-2021-33501.pdf https://swordbytes.com/blog/security-advisory-overwolf-1-click-remote-code-execution-cve-2021-33501/
Sylabs Singularity Enterprise through 1.6.2 has Insufficient Entropy in a nonce. Date published : 2021-07-19 https://medium.com/sylabs https://support.sylabs.io/a/solutions/articles/42000086439
sz.chat version 4 allows injection of web scripts and HTML in the message box. Date published : 2021-07-19 https://borrachariadofael.sz.chat/webchat/conversation/6009c625415e206dc77172d3
DataDump is a MediaWiki extension that provides dumps of wikis. Prior to commit 67a82b76e186925330b89ace9c5fd893a300830b, DataDump had no protection against CSRF attacks so requests to generate or delete dumps could be forged. The vulnerability was...
Racket is a general-purpose programming language and an ecosystem for language-oriented programming. In versions prior to 8.2, code evaluated using the Racket sandbox could cause system modules to incorrectly use attacker-created modules instead of...
containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing...