CVE-2022-0396
BIND 9.16.11 -> 9.16.26, 9.17.0 -> 9.18.0 and versions 9.16.11-S1 -> 9.16.26-S1 of the BIND Supported Preview Edition. Specifically crafted TCP streams can cause connections to BIND to remain in CLOSE_WAIT status for an...
Multiple versions of GlobalProtect-openconnect are affected by incorrect access control in GPService through DBUS, GUI. The way GlobalProtect-Openconnect is set up enables arbitrary users to start a VPN connection to arbitrary servers. By hosting...
GlobalProtect-openconnect versions prior to 1.4.3 are affected by incorrect access control in GPService through DBUS, GUI Application. The way GlobalProtect-Openconnect is set up enables arbitrary users to execute commands as root by submitting the...
WebRun 3.6.0.42 is vulnerable to SQL Injection via the P_0 parameter used to set the username during the login process. Date published : 2022-03-22 https://www.exploit-db.com/exploits/50542
Faust v2.35.0 was discovered to contain a heap-buffer overflow in the function realPropagate() at propagate.cpp. Date published : 2022-03-22 https://github.com/grame-cncm/faust/issues/653
A Cross Site Scripting (XSS) vulnerability exists in enhanced-github v5.0.11 via the file name parameter. Date published : 2022-03-22 https://github.com/softvar/enhanced-github/issues/96
TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via the langType parameter in the login interface. Date published : 2022-03-22 https://doudoudedi.github.io/2022/02/21/TOTOLINK-N600R-Command-Injection/
TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via /setting/NTPSyncWithHost. Date published : 2022-03-22 https://doudoudedi.github.io/2022/02/21/TOTOLINK-N600R-Command-Injection/
TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via the pingCheck function. Date published : 2022-03-22 https://doudoudedi.github.io/2022/02/21/TOTOLINK-N600R-Command-Injection/
TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via the exportOvpn interface at cstecgi.cgi. Date published : 2022-03-22 https://doudoudedi.github.io/2022/02/21/TOTOLINK-N600R-Command-Injection/
In CMDBuild from version 3.0 to 3.3.2, payload requests are saved in a temporary log table, which allows attackers with database access to read the password of the users who log in to the application...
Use After Free in op_is_set_bp in GitHub repository radareorg/radare2 prior to 5.6.6. Date published : 2022-03-22 https://huntr.dev/bounties/37da2cd6-0b46-4878-a32e-acbfd8f6f457 https://github.com/radareorg/radare2/commit/a7ce29647fcb38386d7439696375e16e093d6acb
In the vote (aka "Polls, Votes") module before 21.0.100 of Bitrix Site Manager, a remote unauthenticated attacker can execute arbitrary code. Date published : 2022-03-22 https://helpdesk.bitrix24.com/open/15536776/
Simple-Plist v1.3.0 was discovered to contain a prototype pollution vulnerability via .parse(). Date published : 2022-03-22 https://github.com/wollardj/simple-plist/issues/60