Monthly Archive: December 2021

ForeScout – SecureConnector Local Service DoS – A low privilaged user which doesn’t have permissions to shutdown the secure connector service writes a large amount of characters in the installationPath. This will cause the...

Emuse – eServices / eNvoice Exposure Of Private Personal Information due to lack of identification mechanisms and predictable IDs an attacker can scrape all the files on the service. Date published : 2021-12-29 https://www.gov.il/en/departments/faq/cve_advisories

Emuse – eServices / eNvoice SQL injection can be used in various ways ranging from bypassing login authentication or dumping the whole database to full RCE on the affected endpoints. The SQLi caused by...

A cleartext storage of sensitive information vulnerability in the Zyxel NBG6604 firmware could allow a remote, authenticated attacker to obtain sensitive information from the configuration file. Date published : 2021-12-29 https://www.zyxel.com/support/Zyxel_security_advisory_for_sensitive_information_vulnerabilities_of_NBG6604_home_router.shtml

An insufficient session expiration vulnerability in the CGI program of the Zyxel NBG6604 firmware could allow a remote attacker to access the device if the correct token can be intercepted. Date published : 2021-12-29...

In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected by Stored XSS vulnerability, where a low privileged (editor) user can upload a SVG file that contains malicious JavaScript while uploading assets in the page....

In Ifme, versions v5.0.0 to v7.32 are vulnerable against an improper access control, which makes it possible for admins to ban themselves leading to their deactivation from Ifme account and complete loss of admin...

In “ifme”, versions v7.22.0 to v7.31.4 are vulnerable against self-stored XSS in the contacts field as it allows loading XSS payloads fetched via an iframe. Date published : 2021-12-29 https://github.com/ifmeorg/ifme/commit/83fd44ef8921a8dcf394a012e44901ab08596bdc https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25990

In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability in the markdown editor. It can be exploited by making a victim a Leader of a group which triggers the payload for...

In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability (notifications section) which can be directly triggered by sending an ally request to the admin. Date published : 2021-12-29 https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988

This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an...

A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability...

Nettmp NNT 5.1 is affected by a SQL injection vulnerability. An attacker can bypass authentication and access the panel with an administrative account. Date published : 2021-12-28 https://drive.google.com/file/d/1-WiC1RDbcUqNB5sYd2h2n4rcU873s3gM/view?usp=sharing https://drive.google.com/file/d/1WS_pa2PzLS1EplBu7pjx7hXlyBwCepP9/view?usp=sharing

SLICAN WebCTI 1.01 2015 is affected by a Cross Site Scripting (XSS) vulnerability. The attacker can steal the user’s session by injecting malicious JavaScript codes which leads to Session Hijacking and cause user’s credentials...