News aggregator

CVE-2020-1982

National Vulnerability Database - Wed, 07/08/2020 - 13:15
Certain communication between PAN-OS and cloud-delivered services inadvertently use TLS 1.0, which is known to be a cryptographically weak protocol. These cloud services include Cortex Data Lake, the Customer Support Portal, and the Prisma Access infrastructure. Conditions required for exploitation of known TLS 1.0 weaknesses do not exist for the communication between PAN-OS and cloud-delivered services. We do not believe that any communication is impacted as a result of known attacks against TLS 1.0. This issue impacts: All versions of PAN-OS 8.0; PAN-OS 8.1 versions earlier than PAN-OS 8.1.14; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 9.1 versions earlier than PAN-OS 9.1.3. PAN-OS 7.1 is not impacted by this issue.
Categories: Security News

CVE-2020-2030

National Vulnerability Database - Wed, 07/08/2020 - 13:15
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; and all versions of PAN-OS 7.1 and PAN-OS 8.0. This issue does not impact PAN-OS 9.0, PAN-OS 9.1, or Prisma Access services.
Categories: Security News

CVE-2020-2031

National Vulnerability Database - Wed, 07/08/2020 - 13:15
An integer underflow vulnerability in the dnsproxyd component of the PAN-OS management interface allows authenticated administrators to issue a command from the command line interface that causes the component to stop responding. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This issue impacts: PAN-OS 9.1 versions earlier than PAN-OS 9.1.3. This issue does not impact PAN-OS 8.1, PAN-OS 9.0, or Prisma Access services.
Categories: Security News

CVE-2020-11994

National Vulnerability Database - Wed, 07/08/2020 - 12:15
Server-Side Template Injection and arbitrary file disclosure on Camel templating components
Categories: Security News

CVE-2020-5839

National Vulnerability Database - Wed, 07/08/2020 - 12:15
Symantec Endpoint Detection And Response, prior to 4.4, may be susceptible to an information disclosure issue, which is a type of vulnerability that could potentially allow unauthorized access to data.
Categories: Security News

CVE-2020-6938

National Vulnerability Database - Wed, 07/08/2020 - 12:15
A sensitive information disclosure vulnerability in Tableau Server 10.5, 2018.x, 2019.x, 2020.x released before June 26, 2020, could allow access to sensitive information in log files.
Categories: Security News

CVE-2020-14476

National Vulnerability Database - Wed, 07/08/2020 - 11:15
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
Categories: Security News

CVE-2020-11849

National Vulnerability Database - Wed, 07/08/2020 - 10:15
Elevation of privilege and/or unauthorized access vulnerability in Micro Focus Identity Manager. Affecting versions prior to 4.7.3 and 4.8.1 hot fix 1. The vulnerability could allow information exposure that can result in an elevation of privilege or an unauthorized access.
Categories: Security News

CVE-2020-3973

National Vulnerability Database - Wed, 07/08/2020 - 10:15
The VeloCloud Orchestrator does not apply correct input validation which allows for blind SQL-injection. A malicious actor with tenant access to Velocloud Orchestrator could enter specially crafted SQL queries and obtain data to which they are not privileged.
Categories: Security News

CVE-2020-5764

National Vulnerability Database - Wed, 07/08/2020 - 10:15
MX Player Android App versions prior to v1.24.5, are vulnerable to a directory traversal vulnerability when user is using the MX Transfer feature in "Receive" mode. An attacker can exploit this by connecting to the MX Transfer session as a "sender" and sending a MessageType of "FILE_LIST" with a "name" field containing directory traversal characters (../). This will result in the file being transferred to the victim's phone, but being saved outside of the intended "/sdcard/MXshare" directory. In some instances, an attacker can achieve remote code execution by writing ".odex" and ".vdex" files in the "oat" directory of the MX Player application.
Categories: Security News

CVE-2020-7140

National Vulnerability Database - Wed, 07/08/2020 - 10:15
A security vulnerability in HPE IceWall SSO Dfw and Dgfw (Domain Gateway Option) could be exploited remotely to cause a remote cross-site scripting (XSS). HPE has provided the following information to resolve this vulnerability in HPE IceWall SSO DFW and Dgfw: https://www.hpe.com/jp/icewall_patchaccess
Categories: Security News

CVE-2020-3931

National Vulnerability Database - Wed, 07/08/2020 - 06:15
Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command.
Categories: Security News

CVE-2020-15600

National Vulnerability Database - Tue, 07/07/2020 - 18:15
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
Categories: Security News

CVE-2020-15599

National Vulnerability Database - Tue, 07/07/2020 - 17:15
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
Categories: Security News

CVE-2020-8916

National Vulnerability Database - Tue, 07/07/2020 - 17:15
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to restrict access in your debug environments.
Categories: Security News

CVE-2020-12821

National Vulnerability Database - Tue, 07/07/2020 - 16:15
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.
Categories: Security News

CVE-2020-15008

National Vulnerability Database - Tue, 07/07/2020 - 16:15
A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server side validation. As the code creates dynamic SQL for the insert statement and utilizes the user supplied table name with little validation, the table name can be modified to allow arbitrary update commands to be run. Usage of other SQL injection techniques such as timing attacks, it is possible to perform full data extraction as well. Patched in 2020.7 and in a hotfix for 2019.12.
Categories: Security News

CVE-2020-8519

National Vulnerability Database - Tue, 07/07/2020 - 16:15
SQL injection with the search parameter in Records.php for phpzag live add edit delete data tables records with ajax php mysql
Categories: Security News

CVE-2020-8520

National Vulnerability Database - Tue, 07/07/2020 - 16:15
SQL injection in order and column parameters in Records.php for phpzag live add edit delete data tables records with ajax php mysql
Categories: Security News

CVE-2020-8521

National Vulnerability Database - Tue, 07/07/2020 - 16:15
SQL injection with start and length parameters in Records.php for phpzag live add edit delete data tables records with ajax php mysql
Categories: Security News

Pages