News aggregator

CVE-2020-9032

National Vulnerability Database - Sun, 02/16/2020 - 23:15
Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow Directory Traversal via the FileName parameter to kernlog.php.
Categories: Security News

CVE-2020-9033

National Vulnerability Database - Sun, 02/16/2020 - 23:15
Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow Directory Traversal via the FileName parameter to authlog.php.

CVE-2020-9020

National Vulnerability Database - Sun, 02/16/2020 - 23:15
Iteris Vantage Velocity Field Unit 2.3.1, 2.4.2, and 3.0 devices allow the injection of OS commands into cgi-bin/timeconfig.py via shell metacharacters in the NTP Server field.

CVE-2020-9021

National Vulnerability Database - Sun, 02/16/2020 - 23:15
Post Oak AWAM Bluetooth Field Device 7400v2.08.21.2018, 7800SD.2015.1.16, 2011.3, 7400v2.02.01.2019, and 7800SD.2012.12.5 is vulnerable to injections of operating system commands through timeconfig.py via shell metacharacters in the htmlNtpServer parameter.

CVE-2020-9022

National Vulnerability Database - Sun, 02/16/2020 - 23:15
An issue was discovered on Xirrus XR520, XR620, XR2436, and XH2-120 devices. The cgi-bin/ViewPage.cgi user parameter allows XSS.

CVE-2020-9023

National Vulnerability Database - Sun, 02/16/2020 - 23:15
Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have two users that are not documented and are configured with weak passwords (User bluetooth, password bluetooth; User eclipse, password eclipse). Also, bluetooth is the root password.

CVE-2020-9034

National Vulnerability Database - Sun, 02/16/2020 - 22:15
Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices mishandle session validation, leading to unauthenticated creation, modification, or elimination of users.

CVE-2020-9016

National Vulnerability Database - Sun, 02/16/2020 - 17:15
Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header.

CVE-2020-9013

National Vulnerability Database - Sun, 02/16/2020 - 16:15
Arvato Skillpipe 3.0 allows attackers to bypass intended print restrictions by deleting <div id="watermark"> from the HTML source code.

CVE-2020-9007

National Vulnerability Database - Sun, 02/16/2020 - 15:15
Codoforum 4.8.8 allows self-XSS via the title of a new topic.

CVE-2020-9012

National Vulnerability Database - Sun, 02/16/2020 - 15:15
A cross-site scripting (XSS) vulnerability in the Import People functionality in Gluu Identity Configuration 4.0 allows remote attackers to inject arbitrary web script or HTML via the filename parameter.

CVE-2019-20456

National Vulnerability Database - Sun, 02/16/2020 - 14:15
Goverlan Reach Console before 9.50, Goverlan Reach Server before 3.50, and Goverlan Client Agent before 9.20.50 have an Untrusted Search Path that leads to Command Injection and Local Privilege Escalation via DLL hijacking.

CVE-2020-8996

National Vulnerability Database - Sun, 02/16/2020 - 13:15
AnyShare Cloud 6.0.9 allows authenticated directory traversal to read files, as demonstrated by the interface/downloadwithpath/downloadfile/?filepath=/etc/passwd URI.

CVE-2020-8997

National Vulnerability Database - Sun, 02/16/2020 - 13:15
Abbott FreeStyle Libre 14-day before February 2020 and FreeStyle Libre 2 before February 2020 allow remote attackers to enable write access via a specific NFC unlock command.

CVE-2020-7050

National Vulnerability Database - Sat, 02/15/2020 - 13:19
Codologic Codoforum through 4.8.4 allows a DOM-based XSS. While creating a new topic as a normal user, it is possible to add a poll that is automatically loaded in the DOM once the thread/topic is opened. Because session cookies lack the HttpOnly flag, it is possible to steal authentication cookies and take over accounts.

CVE-2019-13965

National Vulnerability Database - Fri, 02/14/2020 - 17:15
Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS sent to the administrator can be transformed to remote command execution because of CVE-2018-10642 (still working through 2.6.0). The Reflective XSS can also become a stored XSS within the same account because of another vulnerability.

CVE-2019-13966

National Vulnerability Database - Fri, 02/14/2020 - 17:15
In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title).

CVE-2019-13967

National Vulnerability Database - Fri, 02/14/2020 - 17:15
iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of service (application outage) via many requests to launch a compile operation. The requests use the pages/exec.php?exec_env=production&exec_module=itop-hub-connector&exec_page=ajax.php&operation=compile URI. This only affects the community version.

CVE-2019-15592

National Vulnerability Database - Fri, 02/14/2020 - 17:15
GitLab 12.2.2 and below contains a security vulnerability that allows a guest user in a private project to see the merge request ID associated with an issue via the activity timeline.

CVE-2019-15594

National Vulnerability Database - Fri, 02/14/2020 - 17:15
GitLab 11.8 and later contains a security vulnerability that allows a user to obtain details of restricted pipelines via the merge request endpoint.