CVE-2021-25963
In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS) that allows execution of arbitrary javascript code on a victim browser. This vulnerability exists due to the error page contents not...
An improper authentication in Fortinet FortiManager version 6.4.3 and below, 6.2.6 and below allows an attacker to assign arbitrary Policy and Object modules via crafted requests to the request handler. Date published : 2021-09-30 https://fortiguard.com/advisory/FG-IR-20-189
An improper neutralization of formula elements in a CSV file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows an attacker to execute arbitrary commands via a crafted IPv4 field in the policy name, when...
Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an out-of-bounds Read vulnerability. An unauthenticated attacker could leverage this vulnerability to locally escalate privileges in...
IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0.0 could allow an attacker to perform unauthorized actions due to improper or missing authentication controls. IBM X-Force ID: 199282. Date published : 2021-09-30...
IBM Sterling Order Management 9.4, 9.5, and 10.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to...
Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the application’s build number to calculate a certain encryption key. Date published : 2021-09-29 https://medium.com/nestedif/vulnerability-disclosure-statically-derived-encryption-key-zoho-r-a-p-907088263197 https://www.manageengine.com/remote-desktop-management/hotfix-readme.html
Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials associated with resetPWD.xml. Date published : 2021-09-29 https://medium.com/nestedif/vulnerability-disclosure-hardcoded-keys-password-zoho-r-a-p-318aa9bba2e https://www.manageengine.com/remote-desktop-management/hotfix-readme.html
Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials for read-only access. The credentials are in the source code that corresponds to the DCBackupRestore JAR archive. Date published : 2021-09-29 https://medium.com/nestedif/vulnerability-disclosure-hardcoded-keys-password-zoho-r-a-p-318aa9bba2e https://www.manageengine.com/remote-desktop-management/hotfix-readme.html
PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect. Date published : 2021-09-29 http://packetstormsecurity.com/files/164345/PlaceOS-1.2109.1-Open-Redirection.html https://github.com/PlaceOS/auth/issues/36
Craft CMS before 3.7.14 allows CSV injection. Date published : 2021-09-29 https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3714—2021-09-28 https://github.com/craftcms/cms/security/advisories/GHSA-h7vq-5qgw-jwwq
Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Integer Underflow vulnerability that might lead to denial of service. A crafted message must be sent from an authenticated agent to the manager....
The Safari app extension bundled with 1Password for Mac 7.7.0 through 7.8.x before 7.8.7 is vulnerable to authorization bypass. By targeting a vulnerable component of this extension, a malicious web page could read a...
A cross-site request forgery (CSRF) vulnerability exists in Streama up to and including v1.10.3. The application does not have CSRF checks in place when performing actions such as uploading local files. As a result,...