CVE-2021-21798
An exploitable return of stack variable address vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause a stack variable to go out of scope, resulting in the...
IBM Security Guardium 11.3 could allow an authenticated user to obtain sensitive information that could be used in further attacks against the system. IBM X-Force ID: 196345. Date published : 2021-09-15 https://www.ibm.com/support/pages/node/6488941 https://exchange.xforce.ibmcloud.com/vulnerabilities/196345
VMware ESXi (6.7 before ESXi670-202006401-SG and 6.5 before ESXi650-202005401-SG), Workstation (15.x before 15.5.5), and Fusion (11.x before 11.5.5) contain an out-of-bounds read vulnerability in NVMe functionality. A malicious actor with local non-administrative access to...
A local file inclusion vulnerability in ExpertPDF 9.5.0 through 14.1.0 allows attackers to read the file contents from files that the running ExpertPDF process has access to read. Date published : 2021-09-15 CVE-2020-35340 –...
An arbitrary file upload vulnerability in Jizhicms v1.5 allows attackers to execute arbitrary code via a crafted .jpg file which is later changed to a PHP file. Date published : 2021-09-15 https://www.porlockz.com/A-arbitrary-file-upload-vulnerability-in-jizhicms-v1-5/
A cross-site scripting (XSS) vulnerability in RGCMS v1.06 allows attackers to obtain the administrator’s cookie via a crafted payload in the Name field under the Message Board module. Date published : 2021-09-15 https://www.porlockz.com/A-xss-vulnerability-in-RGCMS-V1-06/
An arbitrary file upload vulnerability in RGCMS v1.06 allows attackers to execute arbitrary code via a crafted .txt file which is later changed to a PHP file. Date published : 2021-09-15 https://www.porlockz.com/A-arbitrary-file-upload-vulnerability-in-RGCMS-V1-06/
An arbitrary file write vulnerability in RGCMS v1.06 allows attackers to execute arbitrary code via a crafted PHP file. Date published : 2021-09-15 https://www.porlockz.com/A-arbitrary-file-write-vulnerability-in-RGCMS-V1-06/
An arbitrary file upload vulnerability in Feehi CMS v2.0.8 and below allows attackers to execute arbitrary code via a crafted PHP file. Date published : 2021-09-15 https://github.com/liufee/cms/issues/44
emlog v6.0 contains a Cross-Site Request Forgery (CSRF) via /admin/link.php?action=addlink, which allows attackers to arbitrarily add articles. Date published : 2021-09-15 https://github.com/emlog/emlog/issues/50
MetInfo 7.0.0 contains a SQL injection vulnerability via admin/?n=logs&c=index&a=dodel. Date published : 2021-09-15 https://github.com/T3qui1a/metinfo_sqlinjection/issues/1
MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF) via admin/?n=admin&c=index&a=doSaveInfo. Date published : 2021-09-15 https://github.com/Echox1/metinfo_csrf/issues/1
An arbitrary file creation vulnerability in UReport 2.2.9 allows attackers to execute arbitrary code. Date published : 2021-09-15 https://github.com/youseries/ureport/issues/485
UReport 2.2.9 allows attackers to execute arbitrary code due to a lack of access control to the designer page. Date published : 2021-09-15 https://github.com/youseries/ureport/issues/484