CVE-2022-27250
The UNISOC chipset through 2022-03-15 allows attackers to obtain remote control of a mobile phone, e.g., to obtain sensitive information from text messages or the device’s screen, record video of the device’s physical environment,...
An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default. Date published : 2022-03-18 https://github.com/MISP/MISP/commit/08a07a38ae81f3b55d81cfcd4501ac1eb1c9c4dc
An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF. Date published : 2022-03-18 https://github.com/MISP/MISP/commit/8dcf414340c5ddedfebbc972601646d38e1d0717
An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user. Date...
An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting. Date published : 2022-03-18 https://github.com/MISP/MISP/commit/8cc93687dcd68e1774b55a5c4e8125c0c8ddc288
scheme/webauthn.c in Glewlwyd SSO server 2.x before 2.6.2 has a buffer overflow associated with a webauthn assertion. Date published : 2022-03-18 https://github.com/babelouest/glewlwyd/commit/4c5597c155bfbaf6491cf6b83479d241ae66940a https://github.com/babelouest/glewlwyd/releases/tag/v2.6.2
A CSRF issue in /api/crontab on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel. The cronjob will consequently execute the entry on the...
golang.org/x/crypto/ssh before 0.0.0-20220314234659-1baeb1ce4c0b in Go through 1.16.15 and 1.17.x through 1.17.8 allows an attacker to crash a server in certain circumstances involving AddHostKey. Date published : 2022-03-18 https://groups.google.com/g/golang-announce/c/-cp44ypCT5s https://groups.google.com/g/golang-announce
In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution. Date published : 2022-03-18 https://packetstormsecurity.com/files/166336/Pluck-CMS-4.7.16-Shell-Upload.html
**REJECT** Veeam Backup & Replication 10.x and 11.x has an Untrusted Search Path. Date published : 2022-03-18
Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php. Date published : 2022-03-18 https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md
Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php. Date published : 2022-03-18 https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_SQLinject.md
Contao Managed Edition v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the component php_cli parameter. Date published : 2022-03-18 https://github.com/JCCD/Contao-Managed-Edition-1.5-RCE/blob/main/VulnerabilityDetails.md
Authenticated (author or higher user role) SQL Injection (SQLi) vulnerability discovered in FV Flowplayer Video Player WordPress plugin (versions