CVE-2022-30697
Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Snap Deploy (Windows) before build 3640 Date published : 2022-05-16 https://security-advisory.acronis.com/advisories/SEC-3082
Local privilege escalation due to a DLL hijacking vulnerability. The following products are affected: Acronis Snap Deploy (Windows) before build 3640 Date published : 2022-05-16 https://security-advisory.acronis.com/advisories/SEC-3081
Local privilege escalation due to excessive permissions assigned to child processes. The following products are affected: Acronis Snap Deploy (Windows) before build 3640 Date published : 2022-05-16 https://security-advisory.acronis.com/advisories/SEC-3080
Trend Micro Password Manager (Consumer) version 5.0.0.1266 and below is vulnerable to a Link Following Privilege Escalation Vulnerability that could allow a low privileged local attacker to delete the contents of an arbitrary folder...
In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who...
Prime95 30.7 build 9 suffers from a Buffer Overflow vulnerability that could lead to Remote Code Execution. Date published : 2022-05-16 Prime95 Buffer Overflow (RCE) https://packetstormsecurity.com/files/166840/Prime95-30.7-Build-9-Buffer-Overflow.html
Gnuboard 5.55 and 5.56 are vulnerable to Cross Site Scripting (XSS) via bbs/member_confirm.php. Date published : 2022-05-16 https://gratis-herring-da5.notion.site/Gnuboard-Reflected-XSS-25d593d8a2b84a46a998bfd5816c54fc
A stored cross-site scripting (XSS) vulnerability in the upload function of totaljs CMS 3.4.5 allows attackers to execute arbitrary web scripts via a PDF file with embedded JavaScript. Date published : 2022-05-16 https://github.com/totaljs/framework https://www.youtube.com/watch?v=E2784z7Bu2c
In the POST request of the appointment.php page of HMS v.0, there are SQL injection vulnerabilities in multiple parameters, and database information can be obtained through injection. Date published : 2022-05-16 https://github.com/kabirkhyrul/HMS/discussions/15 https://github.com/kabirkhyrul/HMS/tree/1.0
In HMS 1.0 when requesting appointment.php through POST, multiple parameters can lead to a SQL injection vulnerability. Date published : 2022-05-16 https://github.com/kabirkhyrul/HMS/discussions/15 https://github.com/kabirkhyrul/HMS/tree/1.0
An arbitrary file upload vulnerability in the file upload module of Connect-Multiparty v2.2.0 allows attackers to execute arbitrary code via a crafted PDF file. Date published : 2022-05-16 https://www.youtube.com/watch?v=i3xJR-91rrM
An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. Date published : 2022-05-16 https://www.youtube.com/watch?v=C6QPKooxhAo
Konica Minolta bizhub MFP devices before 2022-04-14 use cleartext password storage for the /var/log/nginx/html/ADMINPASS and /etc/shadow files. Date published : 2022-05-16 http://packetstormsecurity.com/files/167166/Konica-Minolta-bizhub-MFP-Printer-Terminal-Sandbox-Escape.html https://sec-consult.com/vulnerability-lab/
Konica Minolta bizhub MFP devices before 2022-04-14 have an internal Chromium browser that executes with root (aka superuser) access privileges. Date published : 2022-05-16 https://sec-consult.com/vulnerability-lab/ https://sec-consult.com/vulnerability-lab/advisory/sandbox-escape-with-root-access-clear-text-passwords-in-konica-minolta-bizhub-mfp-printer-terminals/