CVE-2021-44482
An issue was discovered in YottaDB through r1.32 and V7.0-000. A lack of input validation in calls to do_verify in sr_unix/do_verify.c allows attackers to attempt to jump to a NULL pointer by corrupting a...
An issue was discovered in YottaDB through r1.32 and V7.0-000. A lack of parameter validation in calls to memcpy in check_and_set_timeout in sr_unix/ztimeoutroutines.c allows attackers to attempt to read from a NULL pointer. Date...
Seowon 130-SLC router all versions as of 2021-09-15 is vulnerable to Remote Code Execution via the queriesCnt parameter. Date published : 2022-04-15 https://www.exploit-db.com/exploits/50295
Kaseya Unitrends Client/Agent through 10.5,5 allows remote attackers to execute arbitrary code. Date published : 2022-04-15 https://csirt.divd.nl/cves/CVE-2021-40386/
Authenticated (admin+) Stored Cross-Site Scripting (XSS) in WP Maintenance (WordPress plugin)
Under certain circumstances the session token is not cleared on logout. Date published : 2022-04-15 https://www.cisa.gov/uscert/ics/advisories/icsa-22-104-02 https://www.johnsoncontrols.com/cyber-solutions/security-advisories
Kentico CMS before 13.0.66 has an Insecure Direct Object Reference vulnerability. It allows an attacker with user management rights (default is Administrator) to export the user options of any user, even ones with higher...
Notable before 1.9.0-beta.8 doesn’t effectively prevent the opening of executable files when clicking on a link. There is improper validation of the file URI scheme. A hyperlink to an SMB share could lead to...
Bitrix through 7.5.0 allows remote attackers to execute arbitrary code by using the restore.php Upload From Local Disk feature. Date published : 2022-04-15 https://github.com/sartlabs/0days/blob/main/Bitrix/Exploit.txt
7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap...
ForestBlog through 2022-02-16 allows admin/profile/save userAvatar XSS during addition of a user avatar. Date published : 2022-04-15 https://github.com/saysky/ForestBlog/issues/76
A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website could mount a phishing attack using address bar spoofing, because the address bar was not correct if navigation failed. Date published :...
A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website could mount a phishing attack using address bar spoofing, because the browser did not show the full URL, such as the port number. Date...
An address bar spoofing vulnerability was discovered in Safe Browser for Android. When a user clicks on a specially crafted malicious webpage/URL, the user may be tricked for a short period of time (until the page...