Monthly Archive: July 2021

Cross Site Request Forgerly (CSRF) vulnerability in ThinkCMF v5.1.0, which can add an admin account. Date published : 2021-07-14 https://github.com/thinkcmf/thinkcmf/issues/580

Cross Site Scripting (XSS) vulnerability in umeditor v1.2.3 via /public/common/umeditor/php/getcontent.php. Date published : 2021-07-14 https://github.com/fex-team/umeditor/issues/624

SQL Injection Vulnerability in ECTouch v2 via the integral_min parameter in index.php. Date published : 2021-07-14 https://github.com/yundiao/ectouch/issues/1

In setNiNotification of GpsNetInitiatedHandler.java, there is a possible permissions bypass due to an empty mutable PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed...

dandavison delta before 0.8.3 on Windows resolves an executable’s pathname as a relative path from the current directory. Date published : 2021-07-13 https://github.com/dandavison/delta/releases/tag/0.8.3 https://github.com/dandavison/delta/commit/f01846bd443aaf92fdd5ac20f461beac3f6ee3fd

LINE client for iOS before 10.16.3 allows cross site script with specific header in WebView. Date published : 2021-07-13 https://hackerone.com/reports/988332

An issue was discovered in Echo ShareCare 8.15.5. It does not perform authentication or authorization checks when accessing a subset of sensitive resources, leading to the ability for unauthenticated users to access pages that...

An issue was discovered in Echo ShareCare 8.15.5. The TextReader feature in General/TextReader/TextReader.cfm is susceptible to a local file inclusion vulnerability when processing remote input in the textFile parameter from an authenticated user, leading...

An issue was discovered in Echo ShareCare 8.15.5. The UnzipFile feature in Access/EligFeedParse_Sup/UnzipFile_Upd.cfm is susceptible to a command argument injection vulnerability when processing remote input in the zippass parameter from an authenticated user, leading...

An issue was discovered in Echo ShareCare 8.15.5. The file-upload feature in Access/DownloadFeed_Mnt/FileUpload_Upd.cfm is susceptible to an unrestricted upload vulnerability via the name1 parameter, when processing remote input from an authenticated user, leading to...

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be...

Stormshield Endpoint Security Evolution 2.0.0 through 2.0.2 does not accomplish the intended defense against local administrators who can replace the Visual C++ runtime DLLs (in %WINDIR%system32) with malicious ones. Date published : 2021-07-13 https://advisories.stormshield.eu...

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be...

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be...