CVE-2020-18123
A cross-site request forgery (CSRF) vulnerability in Indexhibit 2.1.5 allows attackers to arbitrarily delete admin accounts. Date published : 2021-08-30 https://github.com/Indexhibit/indexhibit/issues/18
A configuration issue in Indexhibit 2.1.5 allows authenticated attackers to modify .php files, leading to getshell. Date published : 2021-08-30 https://github.com/Indexhibit/indexhibit/issues/17
Stack-based Buffer Overflow vulnerability in the ONVIF server component of Victure PC420 smart camera allows an attacker to execute remote code on the target device. This issue affects: Victure PC420 firmware version 1.2.2 and...
A stored XSS vulnerability was discovered in the ECT Provider in OutSystems before 2020-09-04, affecting generated applications. It could allow an unauthenticated remote attacker to craft and store malicious Feedback content into /ECT_Provider/, such...
Zoho ManageEngine Log360 before Build 5224 allows stored XSS via the LOGO_PATH key value in the logon settings. Date published : 2021-08-29 https://www.manageengine.com/log-management/readme.html#Build%205224
Zoho ManageEngine Log360 before Build 5225 allows remote code execution via BCP file overwrite. Date published : 2021-08-29 https://www.manageengine.com/log-management/readme.html#Build%205225
Zoho ManageEngine Log360 before Build 5225 allows stored XSS. Date published : 2021-08-29 https://www.manageengine.com/log-management/readme.html#Build%205225
Zoho ManageEngine Log360 before Build 5219 allows unrestricted file upload with resultant remote code execution. Date published : 2021-08-29 https://www.manageengine.com/log-management/readme.html#Build%205219
Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings. Date published : 2021-08-29 https://www.manageengine.com/log-management/readme.html#Build%205224
Zoho ManageEngine Cloud Security Plus before Build 4117 allows a CSRF attack on the server proxy settings. Date published : 2021-08-29 https://www.manageengine.com/cloud-security/release-notes.html#build%204117
Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on proxy settings. Date published : 2021-08-29 https://www.manageengine.com/log-management/readme.html#Build%205219
Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause...
MapService.svc in Hexagon GeoMedia WebMap 2020 before Update 2 (aka 16.6.2.66) allows blind SQL Injection via the Id (within sourceItems) parameter to the GetMap method. Date published : 2021-08-29 https://download.hexagongeospatial.com/en/downloads/webgis/geomedia-webmap-2020-update-2 https://www.hexagongeospatial.com/products/power-portfolio/geomedia-webmap
squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal...