Monthly Archive: September 2021

Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full...

Talend ESB Runtime in all versions from 5.1 to 7.3.1-R2021-09, 7.2.1-R2021-09, 7.1.1-R2021-09, has an unauthenticated Jolokia HTTP endpoint which allows remote access to the JMX of the runtime container, which would allow an attacker...

MaianAffiliate v1.0 allows an authenticated administrative user to save an XSS to the database. Date published : 2021-09-22 https://github.com/mari0x00/MaianAffiliate-Code-execution-and-XSS

The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions...

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should...

Zoho ManageEngine ADManager Plus version 7110 and prior allows account takeover via SSO. Date published : 2021-09-22 https://www.manageengine.com https://www.manageengine.com/products/ad-manager/release-notes.html#7111

Zoho ManageEngine ADManager Plus version 7110 and prior has a Post-Auth OS command injection vulnerability. Date published : 2021-09-22 https://www.manageengine.com https://www.manageengine.com/products/ad-manager/release-notes.html#7111

Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP. Date published : 2021-09-22 https://mattermost.com/security-updates/

A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with...

A flaw was found in Ansible, where a user’s controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in...

A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to execute...

Multiple vulnerabilities in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to cause...

Multiple vulnerabilities in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to cause...

A vulnerability in IPv6 traffic processing of Cisco IOS XE Wireless Controller Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, adjacent attacker to cause a Layer 2 (L2) loop in...