Monthly Archive: October 2021

CVE-2021-41645

A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Budget and Expense Tracker System 1.0 that allows a remote malicious user to inject arbitrary code via the image upload field. Date published: 2021-10-29...

CVE-2021-41644

A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Food Ordering System 2.0 via a maliciously crafted PHP file that bypasses the image upload filters. Date published: 2021-10-29 https://www.exploit-db.com/exploits/50305

CVE-2021-41189

DSpace is an open source turnkey repository application. In version 7.0, any community or collection administrator can escalate their permission up to become system administrator. This vulnerability only exists in 7.0 and does not...

CVE-2021-41186

Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS)...

CVE-2021-39179

DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL Injection vulnerability in the Tracker component in DHIS2 Server allows authenticated remote attackers to execute arbitrary SQL commands...

CVE-2021-35237

A missing HTTP header (X-Frame-Options) in Kiwi Syslog Server has left customers vulnerable to clickjacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick...

CVE-2021-25742

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster. Date published: 2021-10-29...