Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted...
Monthly Archive: April 2022
An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported, Date published : 2022-04-30 https://gerrit.wikimedia.org/r/q/93758c4c13b972d240a6313e0472df1667118893 https://gerrit.wikimedia.org/r/q/I9d3b9a942ea71d777ec32121fa36262f549d283d
static_compressed_inmemory_website_callback.c in Glewlwyd through 2.6.2 allows directory traversal. Date published : 2022-04-29 https://github.com/babelouest/glewlwyd/commit/e3f7245c33897bf9b3a75acfcdb8b7b93974bf11
Woodpecker before 0.15.1 allows XSS via build logs because web/src/components/repo/build/BuildLog.vue lacks escaping. Date published : 2022-04-29 https://github.com/woodpecker-ci/woodpecker/pull/879 https://github.com/woodpecker-ci/woodpecker/releases/tag/v0.15.1
DJI drone devices sold in 2017 through 2022 broadcast unencrypted information about the drone operator’s physical location via the AeroScope protocol. Date published : 2022-04-29
USU Oracle Optimization before 5.17.5 allows authenticated DataCollection users to achieve agent root access because some common OS commands are blocked but (for example) an OS command for base64 decoding is not blocked. NOTE:...
USU Oracle Optimization before 5.17 allows authenticated quantum users to achieve remote code execution because of /v2/quantum/save-data-upload-big-file Java deserialization. NOTE: this is not an Oracle Corporation product. Date published : 2022-04-29 https://github.com/orangecertcc/security-research/security/advisories/GHSA-rj5c-j274-vw7g
USU Oracle Optimization before 5.17.5 allows attackers to discover the quantum credentials via an agent-installer download. NOTE: this is not an Oracle Corporation product. Date published : 2022-04-29 https://github.com/orangecertcc/security-research/security/advisories/GHSA-rcp9-qm7c-5mmx
USU Oracle Optimization before 5.17.5 lacks Polkit authentication, which allows smartcollector users to achieve root access via pkexec. NOTE: this is not an Oracle Corporation product. Date published : 2022-04-29 https://github.com/orangecertcc/security-research/security/advisories/GHSA-4vr2-wxp6-w29v
A hardcoded cryptographic key in Automation360 22 allows an attacker to decrypt exported RPA packages. Date published : 2022-04-29 https://dolosgroup.io/blog https://www.automationanywhere.com/products/automation-360
Cross-Site Request Forgery (CSRF) leading to Arbitrary File Upload vulnerability in Rara One Click Demo Import plugin
Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube’s Subscribe To Comments Reloaded plugin (mass update settings; manage subscriptions > add a new subscription, update subscription, delete subscription). Date published : 2022-04-29 https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities
Small HTTP Server version 3.06 suffers from a remote buffer overflow vulnerability via a long GET request. Date published : 2022-04-29 https://packetstormsecurity.com/files/166622/Small-HTTP-Server-3.06-Remote-Buffer-Overflow.html
ALLMediaServer 1.6 is vulnerable to Buffer Overflow via MediaServer.exe. Date published : 2022-04-29 https://packetstormsecurity.com/files/166465/ALLMediaServer-1.6-Remote-Buffer-Overflow.html