CVE-2021-36772
Zoho ManageEngine ADManager Plus before 7110 allows stored XSS. Date published : 2021-07-17 https://www.manageengine.com/products/ad-manager/release-notes.html#7110
Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS. Date published : 2021-07-17 https://www.manageengine.com/products/ad-manager/release-notes.html#7110
HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8...
Zoho ManageEngine ADManager Plus before 7110 allows remote code execution. Date published : 2021-07-17 https://www.manageengine.com/products/ad-manager/release-notes.html#7110
HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1. Date published : 2021-07-17...
A reordering issue exists in Telegram before 7.8.1 for Android, Telegram before 7.8.3 for iOS, and Telegram Desktop before 2.8.8. An attacker can cause the server to receive messages in a different order than...
chatwoot is vulnerable to Inefficient Regular Expression Complexity. Date published : 2021-07-16 https://huntr.dev/bounties/1625088985607-chatwoot/chatwoot https://github.com/chatwoot/chatwoot/commit/aa7db90cd2d23dbcf22a94f1e4c100dd909e2172
URI.js is vulnerable to URL Redirection to Untrusted Site. Date published : 2021-07-16 https://huntr.dev/bounties/1625558772840-medialize/URI.js https://github.com/medialize/URI.js/commit/ac43ca8f80c042f0256fb551ea5203863dec4481
A vulnerability was reported on some Lenovo Notebook systems that could allow an attacker with physical access to elevate privileges under certain conditions during a BIOS update performed by Lenovo Vantage. Date published :...
Specific page parameters in the Dr. ID Door Access Control and Personnel Attendance Management system do not filter special characters. Remote attackers can use path traversal to download credential files from the system without...
The Dr. ID Door Access Control and Personnel Attendance Management system uses hard-coded default admin credentials, which allow remote attackers to access the system through the default password and obtain the highest permission. Date...
A DLL search path vulnerability was reported in Lenovo PCManager, prior to version 3.0.500.5102, that could allow privilege escalation. Date published : 2021-07-16 https://iknow.lenovo.com.cn/detail/dc_197169.html
Some Lenovo Notebook, ThinkPad, and Lenovo Desktop systems have BIOS modules unprotected by Intel Boot Guard that could allow an attacker with physical access to write to the SPI flash storage. Date...
A potential vulnerability in the system shutdown SMI callback function in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code. Date published : 2021-07-16 https://support.lenovo.com/us/en/product_security/LEN-65529