Riasztások

NVD: all CVE · 2020. október 28.

CVE-2020-16262

Winston 1.5.4 devices have a local www-data user that is overly permissioned, resulting in root privilege escalation.
NVD: all CVE · 2020. október 28.

CVE-2020-16263

Winston 1.5.4 devices have a CORS configuration that trusts arbitrary origins. This allows requests to be made and viewed by arbitrary origins.
NVD: all CVE · 2020. október 28.

CVE-2020-25966

Sectona Spectra before 3.4.0 has a vulnerable SOAP API endpoint that leaks sensitive information about the configured assets without proper authentication. This could be used by unauthorized parties to get configured login credentials of the assets via a modified pAccountID value.
NVD: all CVE · 2020. október 28.

CVE-2020-26130

Issues were discovered in Open TFTP Server multithreaded 1.66 and Open TFTP Server single port 1.66. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the OpenTFTPServerMT.exe or the OpenTFTPServerSP.exe binary.
NVD: all CVE · 2020. október 28.

CVE-2020-26131

Issues were discovered in Open DHCP Server (Regular) 1.75 and Open DHCP Server (LDAP Based) 0.1Beta. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the OpenDHCPServer.exe (Regular) or the OpenDHCPLdap.exe (LDAP Based) binary.
NVD: all CVE · 2020. október 28.

CVE-2020-26132

An issue was discovered in Home DNS Server 0.10. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the HomeDNSServer.exe binary.
NVD: all CVE · 2020. október 28.

CVE-2020-26133

An issue was discovered in Dual DHCP DNS Server 7.40. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the DualServer.exe binary.
NVD: all CVE · 2020. október 28.

CVE-2018-19943

If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed these issues in the following QTS versions. QTS 4.4.2.1270 build 20200410 and later QTS 4.4.1.1261 build 20200330 and later QTS 4.3.6.1263 build 20200330 and later QTS 4.3.4.1282 build 20200408 and later QTS 4.3.3.1252 build 20200409 and later QTS 4.2.6 build 20200421 and later
NVD: all CVE · 2020. október 28.

CVE-2018-19949

If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109.
NVD: all CVE · 2020. október 28.

CVE-2018-19953

If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109.
NVD: all CVE · 2020. október 28.

CVE-2020-16256

The API on Winston 1.5.4 devices is vulnerable to CSRF.
NVD: all CVE · 2020. október 28.

CVE-2020-16258

Winston 1.5.4 devices make use of a Monit service (not managed during the normal user process) which is configured with default credentials.
Linux security Advisories · 2020. október 28.

SUSE: 2020:3073-1 important: pacemaker>

An update that solves one vulnerability and has three fixes is now available.
NVD: all CVE · 2020. október 28.

CVE-2020-4782

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
NVD: all CVE · 2020. október 28.

CVE-2020-15278

Red Discord Bot before version 3.4.1 has an unauthorized privilege escalation exploit in the Mod module. This exploit allows Discord users with a high privilege level within the guild to bypass hierarchy checks when the application is in a specific condition that is beyond that user's control. By abusing this exploit, it is possible to perform destructive actions within the guild the user has high privileges in. This exploit has been fixed in version 3.4.1. As a workaround, unloading the Mod module with unload mod or, disabling the massban command with command disable global massban can render this exploit not accessible. We still highly recommend updating to 3.4.1 to completely patch this issue.
NVD: all CVE · 2020. október 28.

CVE-2020-16257

Winston 1.5.4 devices are vulnerable to command injection via the API.
NVD: all CVE · 2020. október 28.

CVE-2020-4767

IBM Sterling Connect Direct for Microsoft Windows 4.7, 4.8, 6.0, and 6.1 could allow a remote attacker to cause a denial of service, caused by a buffer over-read. Bysending a specially crafted request, the attacker could cause the application to crash. IBM X-Force ID: 188906.
Linux security Advisories · 2020. október 28.

RedHat: RHSA-2020-4401:01 Important: Red Hat JBoss Enterprise Application>

An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 6, 7, and 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
Linux security Advisories · 2020. október 28.

RedHat: RHSA-2020-4402:01 Important: Red Hat JBoss Enterprise Application>

An update is now available for Red Hat JBoss Enterprise Application Platform 7.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
Linux security Advisories · 2020. október 28.

Ubuntu 4609-1: GOsa vulnerabilities>

Several security issues were fixed in gosa.