News reader

NVD: all CVE · 1 February 2021

CVE-2020-21180

SQL injection vulnerability in koa2-blog 1.0.0 allows remote attackers to inject a malicious SQL statement via the name parameter of the signup page.
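The entry above names the sink (a signup lookup) and the source (the name parameter) but not what the two shapes of that query look like. The following is an added example, not koa2-blog's code: the same lookup written the injectable way and the parameterized way, with a Koa-style handler in front of the safe version. The fake recording driver, the username policy and the payload are constructed for this example; the driver stands in for a real one such as mysql2's execute(sql, values).

```javascript
// Added example, not koa2-blog's code: a signup lookup written the
// injectable way and the parameterized way, with a Koa-style handler in
// front of the safe version. The fake driver below is constructed for this
// example and stands in for a real one such as mysql2's execute().

// Vulnerable shape: the user-controlled name is spliced into the SQL text,
// so a quote in the value ends the string literal and the remainder of the
// value is parsed as SQL.
function signupQueryUnsafe(name) {
  return `SELECT id FROM users WHERE name = '${name}'`;
}

// Hardened shape: the statement text is fixed and the value travels
// separately as a bound parameter, so it can never change the statement.
function signupQuerySafe(name) {
  return { sql: "SELECT id FROM users WHERE name = ?", values: [name] };
}

// Defence in depth: an allow-list on the username's shape. This policy
// (letters, digits, underscore, 1..32 characters) is chosen for the example.
const NAME_RE = /^[A-Za-z0-9_]{1,32}$/;
function validateName(name) {
  if (typeof name !== "string" || !NAME_RE.test(name)) {
    throw new RangeError("invalid name");
  }
  return name;
}

// Synchronous recording stand-in for a DB driver: stores every (sql, values)
// pair it receives so a test can inspect what would reach the database.
function makeRecordingDb(existingNames = []) {
  const calls = [];
  return {
    calls,
    execute(sql, values = []) {
      calls.push({ sql, values });
      // Pretend the lookup matched when the bound name already exists.
      return existingNames.includes(values[0]) ? [{ id: 1 }] : [];
    },
  };
}

// Koa-style signup handler; ctx is a plain object carrying request.body.
function signupHandler(ctx, db) {
  const body = ctx.request.body || {};
  let name;
  try {
    name = validateName(body.name);
  } catch (e) {
    ctx.status = 400;
    ctx.body = { error: "invalid name" };
    return ctx; // nothing reaches the database
  }
  const { sql, values } = signupQuerySafe(name);
  const rows = db.execute(sql, values);
  if (rows.length > 0) {
    ctx.status = 409;
    ctx.body = { error: "name taken" };
  } else {
    ctx.status = 201;
    ctx.body = { name };
  }
  return ctx;
}

// Classic tautology payload, constructed for the demonstration.
const PAYLOAD = "alice' OR '1'='1";
```

With the payload, the unsafe builder yields a statement whose WHERE clause is always true, while the safe builder's SQL text is unchanged and the payload survives only as an opaque value. The allow-list is a second layer, not a substitute: the bound parameter is what closes the injection, the allow-list just keeps junk out of the database.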
NVD: all CVE · 1 February 2021

CVE-2021-21287

MinIO is a high-performance object storage server released under the Apache License v2.0. MinIO before version RELEASE.2021-01-30T00-20-58Z contains a server-side request forgery (SSRF) vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with; the attacker modifies these calls by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In an SSRF attack the attacker abuses functionality on the server to read or update internal resources: by supplying or modifying the URL that the server-side code will read from or submit data to, and by carefully selecting URLs, the attacker may be able to read server configuration such as AWS instance metadata, connect to internal services like HTTP-enabled databases, or perform POST requests towards internal services that are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z; all users are advised to upgrade. As a workaround, the browser front-end can be disabled with the "MINIO_BROWSER=off" environment variable.
NVD: fully analysed CVE · 1 February 2021

CVE-2020-20287 (yccms)

Unrestricted file upload vulnerability in the yccms 3.3 project. The xhUp function's improper validation of the request parameters allows remote code execution.
NVD: fully analysed CVE · 1 February 2021

CVE-2020-20289 (yccms)

SQL injection vulnerability in the yccms 3.3 project. The no_top function's improper validation of the request parameters leads to SQL injection.

New and Improved Report Abuse Portal and API!

The Report Abuse (CERT) Portal and Report Abuse API have played a significant role in MSRC's response to suspected cyberattacks, privacy issues, and abuse originating from Microsoft Online Services. With the contributions from our wonderful community of reporters, we continue to gain insightful perspectives into the various types of attacks that threaten our online services, our cloud, and our customers. To further commit to MSRC's mission of responding to and defending against these types of security incidents, our team has …

NVD: fully analysed CVE · 1 February 2021

CVE-2021-21286 (avideo)

AVideo Platform is an open-source audio and video platform, similar to a self-hosted YouTube. In AVideo Platform before version 10.2 there is an authorization bypass vulnerability that enables an ordinary user to gain admin control. This is fixed in version 10.2; all queries now remove the pass hash and the recoverPass hash.
NVD: fully analysed CVE · 1 February 2021

CVE-2021-3283 (nomad)

In HashiCorp Nomad and Nomad Enterprise up to 0.12.9, the exec and java task drivers can access processes associated with other tasks on the same node. Fixed in 0.12.10 and 1.0.3.
NVD: fully analysed CVE · 1 February 2021

CVE-2021-3024 (vault)

HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 and 1.5.7.
NVD: fully analysed CVE · 1 February 2021

CVE-2021-3282 (vault)

HashiCorp Vault Enterprise 1.6.0 and 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.
NVD: fully analysed CVE · 1 February 2021

CVE-2020-13562 (openemr, phpgacl)

A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template action parameter.
NVD: fully analysed CVE · 1 February 2021

CVE-2020-13563 (openemr, phpgacl)

A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template group_id parameter.
NVD: fully analysed CVE · 1 February 2021

CVE-2020-13564 (openemr, phpgacl)

A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template acl_id parameter.
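The three phpGACL entries above (CVE-2020-13562, -13563 and -13564) are the same defect in three parameters: a value taken from the URL is reflected into the page without encoding. The following is an added example, not phpGACL's code, showing a template that echoes the action, group_id and acl_id parameters first in the vulnerable shape and then with type enforcement on the identifiers, an allow-list on the action and HTML encoding on everything that is echoed. Only the parameter names come from the CVE text; the markup, the allow-list and the payload are constructed for the example.

```javascript
// Added example, not phpGACL's code: reflecting the acl_id, group_id and
// action query parameters the way a reflected XSS arises, and then with
// type enforcement, an allow-list and HTML encoding. Parameter names are
// from the CVE text; markup, allow-list and payload are constructed here.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode a value for HTML text content and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Identifiers that are meant to be numeric are forced to be numeric before
// they reach any template. (Limit of 10 digits chosen for this example.)
function parseId(value) {
  if (typeof value !== "string" || !/^\d{1,10}$/.test(value)) {
    throw new RangeError("id must be a decimal integer");
  }
  return Number(value);
}

// Hypothetical allow-list of actions the template accepts.
const ACTIONS = new Set(["view", "edit", "delete"]);
function parseAction(value) {
  if (!ACTIONS.has(value)) {
    throw new RangeError("unknown action");
  }
  return value;
}

// Vulnerable rendering: raw query values concatenated into markup, in
// text, attribute and URL contexts.
function renderUnsafe(query) {
  return (
    `<h1>ACL ${query.acl_id}</h1>` +
    `<input type="hidden" name="group_id" value="${query.group_id}">` +
    `<a href="?action=${query.action}">${query.action}</a>`
  );
}

// Hardened rendering: typed inputs first, then encode for the context each
// value lands in (HTML for text and attributes, percent-encoding in the URL).
function renderSafe(query) {
  const aclId = parseId(query.acl_id);
  const groupId = parseId(query.group_id);
  const action = parseAction(query.action);
  return (
    `<h1>ACL ${escapeHtml(aclId)}</h1>` +
    `<input type="hidden" name="group_id" value="${escapeHtml(groupId)}">` +
    `<a href="?action=${encodeURIComponent(action)}">${escapeHtml(action)}</a>`
  );
}

// Constructed attacker input: breaks out of the value="..." attribute.
const XSS_QUERY = {
  acl_id: "1",
  group_id: '"><script>alert(document.cookie)</script>',
  action: "view",
};
```

The identifier and action checks stop this particular payload before it is rendered, but they are not what makes the output safe: the encoding is. Any free-text value a real page echoes (a name, a description) has no shape to enforce and relies on escapeHtml alone, which is why the safe renderer encodes even the values it has already typed.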
NVD: fully analysed CVE · 1 February 2021

CVE-2020-25594 (vault)

HashiCorp Vault and Vault Enterprise allowed enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 and 1.5.7.
NVD: fully analysed CVE · 1 February 2021

CVE-2020-28426 (kill-process-on-port)

All versions of the package kill-process-on-port are vulnerable to command injection via a.getProcessPortId.