CVE-2021-40703
Adobe Premiere Elements version 2021.2235820 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious m4a file, potentially resulting in arbitrary code execution in the context of the...
Adobe Premiere Elements version 2021.2235820 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious m4a file, potentially resulting in arbitrary code execution in the context of the...
Adobe Premiere Elements version 2021.2235820 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious psd file, potentially resulting in arbitrary code execution in the context of the...
Adobe Premiere Elements version 2021.2235820 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious m4a file, potentially resulting in arbitrary code execution in the context of the...
Adobe Premiere Elements version 2021.2235820 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious TIFF file, potentially resulting in arbitrary code execution in the context of the...
e7d Speed Test (aka speedtest) 0.5.3 allows a path-traversal attack that results in information disclosure via the "GET /.." substring. Date published : 2021-09-27 https://github.com/e7d/speedtest/releases https://old.reddit.com/r/HackingTechniques/comments/poc55t/directory_traversal_bypass_on_e7d_speedtest/
The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management. Date published : 2021-09-27 https://docs.pingidentity.com/bundle/pingfederate-103/page/cou1615333347158.html
An SSRF issue was discovered in Concrete CMS through 8.5.5. Users can access forbidden files on their local network. A user with permissions to upload files from external sites can upload a URL that...
An issue was discovered in Concrete CMS through 8.5.5. The Calendar is vulnerable to CSRF. ccm_token is not verified on the ccm/calendar/dialogs/event/add/save endpoint. Date published : 2021-09-27 https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes https://hackerone.com/reports/1102018
An issue was discovered in Concrete CMS through 8.5.5. There is unauthenticated stored XSS in blog comments via the website field. Date published : 2021-09-27 https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes https://hackerone.com/reports/1102042
An issue was discovered in Concrete CMS through 8.5.5. There is XSS via Markdown Comments. Date published : 2021-09-27 https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes https://hackerone.com/reports/1102054
An issue was discovered in Concrete CMS through 8.5.5. There is an SVG sanitizer bypass. Date published : 2021-09-27 https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes https://hackerone.com/reports/1102088
An issue was discovered in Concrete CMS through 8.5.5. Path Traversal can lead to Arbitrary File Reading and SSRF. Date published : 2021-09-27 https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes https://hackerone.com/reports/1102211
An issue was discovered in Concrete CMS through 8.5.5. Path Traversal leading to RCE via external form by adding a regular expression. Date published : 2021-09-27 https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes https://hackerone.com/reports/1102080
An issue was discovered in Concrete CMS through 8.5.5. Authenticated path traversal leads to remote code execution via uploaded PHP code, related to the bFilename parameter. Date published : 2021-09-27 https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes https://hackerone.com/reports/1102067