CVE-2021-30137
Assyst 10 SP7.5 has authenticated XXE leading to SSRF via XML unmarshalling. The application allows users to send JSON or XML data to the server. It was possible to inject malicious XML data through...
IBM Security Guardium 10.6 and 11.3 could allow a remote authenticated attacker to obtain sensitive information or modify user details caused by an insecure direct object vulnerability (IDOR). IBM X-Force ID: 202865. Date published...
IBM QRadar SIEM 7.3 and 7.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 201778. Date published : 2021-09-15 https://www.ibm.com/support/pages/node/6488945 https://exchange.xforce.ibmcloud.com/vulnerabilities/201778
Multiple cross-site scripting (XSS) vulnerabilities exist in SITA Software Azur CMS 1.2.3.1 and earlier, which allow remote attackers to inject arbitrary web script or HTML via the (1) NOM_CLI, (2) ADRESSE, (3)...
The KT-1 door controller is susceptible to replay or man-in-the-middle attacks where an attacker can record and replay TCP packets. This issue affects Johnson Controls KT-1 all versions up to and including 3.01 Date...
A Memory Corruption vulnerability for PDF files in Autodesk Navisworks 2019, 2020, 2021, 2022 may lead to code execution through maliciously crafted DLL files. Date published : 2021-09-15 https://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0008
A maliciously crafted PDF file in Autodesk Navisworks 2019, 2020, 2021, 2022 can be forced to read beyond allocated boundaries when parsing the PDF file. This vulnerability can be exploited to execute arbitrary code....
An Out-Of-Bounds Read/Write Vulnerability in Autodesk FBX Review version 1.4.0 may lead to remote code execution through maliciously crafted DLL files or information disclosure. Date published : 2021-09-15 https://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0001
Visual Studio Code Spoofing Vulnerability Date published : 2021-09-15 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26437
Windows Scripting Engine Memory Corruption Vulnerability Date published : 2021-09-15 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26435
Visual Studio Elevation of Privilege Vulnerability Date published : 2021-09-15 https://www.zerodayinitiative.com/advisories/ZDI-21-1077/ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26434
Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging...
Elastic Enterprise Search App Search versions before 7.14.0 were vulnerable to an issue where API keys were not bound to the same engines as their creator. This could lead to a less privileged user...
Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view. Date published :...