CVE-2022-28105
Online Sports Complex Booking System v1.0 was discovered to contain a blind SQL injection vulnerability via the id parameter in /scbs/view_facility.php. Date published : 2022-05-20 https://cxsecurity.com/issue/WLB-2022030105
Foxit PDF Editor v11.3.1 was discovered to contain an arbitrary file upload vulnerability. Date published : 2022-05-20 https://packetstormsecurity.com/files/166430 https://www.foxitsoftware.com/support/security-bulletins.php
BattlEye v0.9 contains an unquoted service path which allows attackers to escalate privileges to the system level. Date published : 2022-05-20 https://www.exploit-db.com/exploits/50815
Sony PlayMemories Home v6.0 contains an unquoted service path which allows attackers to escalate privileges to the system level. Date published : 2022-05-20 https://www.exploit-db.com/exploits/50817
Private Internet Access v3.3 contains an unquoted service path which allows attackers to escalate privileges to the system level. Date published : 2022-05-20 https://www.exploit-db.com/exploits/50804
HMA VPN v5.3.5913.0 contains an unquoted service path which allows attackers to escalate privileges to the system level. Date published : 2022-05-20 https://cxsecurity.com/issue/WLB-2022020111 https://www.exploit-db.com/exploits/50765
Simple Student Quarterly Result/Grade System v1.0 was discovered to contain a SQL injection vulnerability via /sqgs/Actions.php. Date published : 2022-05-20 https://www.exploit-db.com/exploits/50740
Multi-Vendor Online Groceries Management System v1.0 was discovered to contain a blind SQL injection vulnerability via the id parameter in /products/view_product.php. Date published : 2022-05-20 https://www.exploit-db.com/exploits/50739
Popcorn Time 0.4.7 has a Stored XSS in the ‘Movies API Server(s)’ field via the ‘settings’ page. The ‘nodeIntegration’ configuration is set to on which allows the ‘webpage’ to use ‘NodeJs’ features, an attacker...
Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browsing a malicious site, to obtain an ‘ID’ that can be...
Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host...
Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app...
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on...
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.7.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a...