A UNIX Symbolic Link (Symlink) Following vulnerability in the clone-master-clean-up.sh script of clone-master-clean-up in SUSE Linux Enterprise Server 12 SP3, SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allows local attackers to delete arbitrary...
Arbitrary file upload vulnerability in SourceCodester Learning Management System v 1.0 allows attackers to execute arbitrary code, via the file upload to lmsstudent_avatar.php. Date published : 2021-07-28 https://github.com/TCSWT/Learning-Management-System/blob/main/README.md
All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function. Date published : 2021-07-28 https://github.com/jesusgm/deepmergefn/blob/master/index.js%23L6 https://snyk.io/vuln/SNYK-JS-DEEPMERGEFN-1310984
This affects all versions of package curly-bracket-parser. When used as a template library, it does not properly sanitize the user input. Date published : 2021-07-28 https://github.com/magynhard/curly-bracket-parser/blob/master/src/curly-bracket-parser/curly-bracket-parser.js%23L31 https://snyk.io/vuln/SNYK-JS-CURLYBRACKETPARSER-1297106
This affects the package elFinder.AspNet before 1.1.1. The user-controlled file name is not properly sanitized before it is used to create a file system path. Date published : 2021-07-28 https://github.com/mguinness/elFinder.AspNet/commit/675049b39284a9e84f0915c71d688da8ebc7d720 https://snyk.io/vuln/SNYK-DOTNET-ELFINDERASPNET-1315153
This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code. Date published : 2021-07-28 https://github.com/videojs/video.js/commit/b3acf663641fca0f7a966525a72845af7ec5fab2 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1533588
IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a...
IBM Jazz Foundation products are vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks....
Cross Site Scripting vulnerabiity exists in WDScanner 1.1 in the system management page. Date published : 2021-07-28 https://github.com/TideSec/WDScanner/issues/41
eGain Chat 15.5.5 allows XSS via the Name (aka full_name) field. Date published : 2021-07-28 http://packetstormsecurity.com/files/163687/eGain-Chat-15.5.5-Cross-Site-Scripting.html
Replicated Classic 2.x versions have an improperly secured API that exposes sensitive data from the Replicated Admin Console configuration. An attacker with network access to the Admin Console port (8800) on the Replicated Classic...
Telegram Web K Alpha 0.6.1 allows XSS via a document name. Date published : 2021-07-27 https://github.com/morethanwords/tweb/commit/11d2fe01363889f20c8baa2217ed4aad445c5551
In FreeRDP before 2.4.0 on Windows, wf_cliprdr_server_file_contents_request in client/Windows/wf_cliprdr.c has missing input checks for a FILECONTENTS_RANGE File Contents Request PDU. Date published : 2021-07-27 https://github.com/FreeRDP/FreeRDP/commit/0d79670a28c0ab049af08613621aa0c267f977e9 https://github.com/FreeRDP/FreeRDP/compare/2.3.2…2.4.0
In FreeRDP before 2.4.0 on Windows, wf_cliprdr_server_file_contents_request in client/Windows/wf_cliprdr.c has missing input checks for a FILECONTENTS_SIZE File Contents Request PDU. Date published : 2021-07-27 https://github.com/FreeRDP/FreeRDP/commit/0d79670a28c0ab049af08613621aa0c267f977e9 https://github.com/FreeRDP/FreeRDP/compare/2.3.2…2.4.0