CVE-2021-44230
PortSwigger Burp Suite Enterprise Edition before 2021.11 on Windows has weak file permissions for the embedded H2 database, which might lead to privilege escalation. This issue can be exploited by an adversary who has...
HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially...
Trend Micro Antivirus for Mac 2021 v11 (Consumer) is vulnerable to an improper access control privilege escalation vulnerability that could allow an attacker to establish a connection that could lead to full local privilege...
Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality. Date published : 2021-11-30 https://www.manageengine.com/network-configuration-manager/release-notes.html#125488 https://manageengine.com
Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor. Date published : 2021-11-30 https://www.manageengine.com/products/support-center/readme.html#11016 https://manageengine.com
Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module. Date published : 2021-11-30 https://manageengine.com https://www.manageengine.com/products/support-center/readme.html#11016
Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module. Date published : 2021-11-30 https://www.manageengine.com/products/support-center/readme.html#11016 https://manageengine.com
An issue was discovered on Victure WR1200 devices through 1.0.3. The root SSH password never gets updated from its default value of admin. This enables an attacker to gain control of the device through...
An issue was discovered on Victure WR1200 devices through 1.0.3. A command injection vulnerability was found within the web interface of the device, allowing an attacker with valid credentials to inject arbitrary shell commands...
An issue was discovered on Victure WR1200 devices through 1.0.3. The default Wi-Fi WPA2 key is advertised to anyone within Wi-Fi range through the router’s MAC address. The device default Wi-Fi password corresponds to...
In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases. Date published : 2021-11-30 https://blog.jetbrains.com/blog/2021/11/08/jetbrains-security-bulletin-q3-2021/
An insufficient session expiration vulnerability exists in Business-DNA Solutions GmbH’s TopEase® Platform Version
Missing Rate Limiting in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version
Unrestricted File Upload in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version