CVE-2021-24490
The Email Artillery (MASS EMAIL) WordPress plugin through 4.1 does not properly check the uploaded files from the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugin is also lacking any...
The Language Bar Flags WordPress plugin through 1.0.8 does not have any CSRF check in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend....
Reflected Cross Site Scripting (XSS) vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4. Date published: 2021-09-13 https://support.microfocus.com/kb/doc.php?id=7025259 https://www.microfocus.com/documentation/access-manager/5.0/accessmanager501-release-notes/accessmanager501-release-notes.html
Information leakage vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4. Date published: 2021-09-13 https://support.microfocus.com/kb/doc.php?id=7025258 https://www.microfocus.com/documentation/access-manager/5.0/accessmanager501-release-notes/accessmanager501-release-notes.html
Open Redirection vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4. Date published: 2021-09-13 https://support.microfocus.com/kb/doc.php?id=7025257 https://www.microfocus.com/documentation/access-manager/5.0/accessmanager501-release-notes/accessmanager501-release-notes.html
Injection attack caused the denial of service vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4. Date published: 2021-09-13 https://support.microfocus.com/kb/doc.php?id=7025256 https://www.microfocus.com/documentation/access-manager/5.0/accessmanager501-release-notes/accessmanager501-release-notes.html
Yandex Browser before 20.10.0 allows remote attackers to spoof the address bar. Date published: 2021-09-13 https://yandex.com/bugbounty/i/hall-of-fame-browser/
Yandex Browser for Android 20.8.4 allows remote attackers to perform SOP bypass and address bar spoofing. Date published: 2021-09-13 https://yandex.com/bugbounty/i/hall-of-fame-browser/
An arbitrary file upload vulnerability in /admin/upload/uploadfile of KiteCMS V1.1 allows attackers to get a shell via a crafted PHP file. Date published: 2021-09-13 https://github.com/Kitesky/KiteCMS/issues/3
A cross-site request forgery (CSRF) in KiteCMS V1.1 allows attackers to arbitrarily add an administrator account. Date published: 2021-09-13 https://github.com/Kitesky/KiteCMS/issues/3
An arbitrary file upload vulnerability in /admin/media/upload of ZKEACMS V3.2.0 allows attackers to execute arbitrary code via a crafted HTML file. Date published: 2021-09-13 https://github.com/yilezhu/Czar.Cms/issues/6
This affects the package set-value before =3.0.0
This affects the package clearance before 2.5.0. The vulnerability can be possible when users are able to set the value of session[:return_to]. If the value used for return_to contains multiple leading slashes (/////example.com) the...
A Remote Code Execution (RCE) vulnerability was discovered in the Any23 YAMLExtractor.java file and is known to affect Any23 versions < 2.5. RCE vulnerabilities allow a malicious actor to execute any code of their...