CVE-2022-23599
Products.ATContentTypes are the core content types for Plone 2.1 – 4.3. Versions of Plone that are dependent on Products.ATContentTypes prior to version 3.0.6 are vulnerable to reflected cross site scripting and open redirect when...
laminas-form is a package for validating and displaying simple and complex forms. When rendering validation error messages via the `formElementErrors()` view helper shipped with laminas-form, many messages will contain the submitted value. However, in...
Potential arbitrary file deletion vulnerability has been identified in HP Support Assistant software. Date published : 2022-01-28 https://support.hp.com/us-en/document/ish_5585999-5586023-16
An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation has an infinite loop if no data is received. Date published : 2022-01-28 https://git.kernel.org/pub/scm/network/connman/connman.git/log/ https://www.openwall.com/lists/oss-security/2022/01/25/1
An issue was discovered in the DNS proxy in Connman through 1.40. forward_dns_reply mishandles a strnlen call, leading to an out-of-bounds read. Date published : 2022-01-28 https://git.kernel.org/pub/scm/network/connman/connman.git/log/ https://www.openwall.com/lists/oss-security/2022/01/25/1
An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation lacks a check for the presence of sufficient Header Data, leading to an out-of-bounds read. Date published...
A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result of insufficient verification...
A limited SSRF vulnerability was discovered on Western Digital My Cloud devices that could allow an attacker to impersonate a server and reach any page on the server by bypassing access controls. The vulnerability...
A command injection remote code execution vulnerability was discovered on Western Digital My Cloud Devices that could allow an attacker to execute arbitrary system commands on the device. The vulnerability was addressed by escaping...
VMware Workstation (16.x prior to 16.2.2) and Horizon Client for Windows (5.x prior to 5.5.3) contain a denial-of-service vulnerability in the Cortado ThinPrint component. The issue exists in the TrueType font parser. A malicious actor...
Gibbon CMS v22.0.01 was discovered to contain a cross-site scripting (XSS) vulnerability that allows attackers to inject arbitrary script via name parameters. Date published : 2022-01-28 https://github.com/GibbonEdu/core/issues/1594 https://github.com/truonghuuphuc/CVE
SYNEL – eharmony Authenticated Blind & Stored XSS. Injecting JS code into the "comments" field could lead to potential stealing of cookies, loading of HTML tags and JS code onto the system. Date published...
SYNEL – eharmony Directory Traversal. Directory traversal is an attack against a server or a Web application aimed at unauthorized access to the file system. On the "Name" parameter the attacker can return...
A SQL injection vulnerability exists in ZFAKA