Monthly Archive: May 2022

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this...

An improper link resolution before file access (‘Link Following’) vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, and QTS. If exploited, this vulnerability allows remote attackers to traverse the file...

A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability...

TwinOaks Computing CoreDX DDS versions prior to 5.9.1 are susceptible to exploitation when an attacker sends a specially crafted packet to flood target devices with unwanted traffic. This may result in a denial-of-service condition...

A command execution vulnerability exists in jfinal_cms 5.0.1 via com.jflyfox.component.controller.Ueditor. Date published : 2022-05-05 https://github.com/jflyfox/jfinal_cms/issues/28

MasaCMS 7.2.1 is affected by a path traversal vulnerability in /index.cfm/_api/asset/image/. Date published : 2022-05-05 https://github.com/0xRaw/CVE-2021-42183 https://github.com/MasaCMS/MasaCMS

A OS Command Injection vulnerability was discovered in Artica Proxy 4.30.000000. Attackers can execute OS commands in cyrus.events.php with GET param logs and POST param rp. Date published : 2022-05-05 https://medium.com/@rootless724/artica-proxy-4-30-cyrus-events-php-rce-3aa2a868c695

IBM Guardium Data Encryption (GDE) 4.0.0.7 and lower stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or...

A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. If exploited, this vulnerability allows attackers to read the contents of unexpected files and expose...

RTI Connext DDS Professional, Connext DDS Secure versions 4.2x to 6.1.0, and Connext DDS Micro versions 2.4 and later are vulnerable when an attacker sends a specially crafted packet to flood target devices with...

OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition. Date published : 2022-05-05...

OCI OpenDDS versions prior to 3.18.1 do not handle a length parameter consistent with the actual length of the associated data, which may allow an attacker to remotely execute arbitrary code. Date published :...

Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser. Date published : 2022-05-05 https://projects.eclipse.org/projects/iot.cyclonedds https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02

Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser. Date published : 2022-05-05 https://projects.eclipse.org/projects/iot.cyclonedds https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02