🛡 Cybersecurity & Privacy 🛡 - News

2021-08-31 18:19:30 QNAP Is Latest to Get Dinged by OpenSSL Bugs Fallout

The NAS maker issued two security advisories about the RCE and DoS flaws, adding to a flurry of advisories from the vast array of companies whose products use OpenSSL.

Read

via "Threat Post". Open / Comment

2021-08-31 08:33:05 CVE-2021-36356

KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames (even though browseSystemFiles.php is no longer reachable via the GUI). NOTE: this issue exists because of an incomplete fix for CVE-2019-17124.

Read

via "National Vulnerability Database". Open / Comment

2021-08-31 08:33:04 CVE-2021-27556

The Cron job tab in EasyCorp ZenTao 12.5.3 allows remote attackers (who have admin access) to execute arbitrary code by setting the type parameter to System.

Read

via "National Vulnerability Database". Open / Comment

2021-08-31 08:33:04 CVE-2021-40330

git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring.

Read

via "National Vulnerability Database". Open / Comment

2021-08-31 08:33:00 CVE-2021-27557

A cross-site request forgery (CSRF) vulnerability in the Cron job tab in EasyCorp ZenTao 12.5.3 allows attackers to update the fields of a Cron job.

Read

via "National Vulnerability Database". Open / Comment

2021-08-31 08:32:59 CVE-2021-36981

In the server in SerNet verinice before 1.22.2, insecure Java deserialization allows remote authenticated attackers to execute arbitrary code.

Read

via "National Vulnerability Database". Open / Comment

2021-08-31 08:32:58 CVE-2021-39178

Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1.

Read

via "National Vulnerability Database". Open / Comment

2021-08-31 08:32:57 CVE-2020-13639

A stored XSS vulnerability was discovered in the ECT Provider in OutSystems before 2020-09-04, affecting generated applications. It could allow an unauthenticated remote attacker to craft and store malicious Feedback content into /ECT_Provider/, such that when the content is viewed (it can only be viewed by Administrators), attacker-controlled JavaScript will execute in the security context of an administrator's browser. This is fixed in Outsystems 10.0.1005.2, Outsystems 11.9.0 Platform Server, and Outsystems 11.7.0 LifeTime Management Console.

Read

via "National Vulnerability Database". Open / Comment

2021-08-31 08:32:57 CVE-2021-27558

A cross site scripting (XSS) issue in EasyCorp ZenTao 12.5.3 allows remote attackers to execute arbitrary web script via various areas such as data-link-creator.

Read

via "National Vulnerability Database". Open / Comment

2021-08-31 01:32:45 CVE-2021-39133

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, a user with `admin` access to the `system` resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code on all Rundeck editions. Patches are available in Rundeck versions 3.4.3 and 3.3.14.

Read

via "National Vulnerability Database". Open / Comment