Ubuntu Security Notice 5133-1 - It was discovered that ICU contains a use after free issue. An attacker could use this issue to cause a denial of service with crafted input.
52f5aa9af62d018440d8e83a72361ff0609279aa3218e9be66014191e68d7e57Pentaho allows users to create and manage Data Sources. Users can select a Data Source when creating a Dashboard through the Pentaho User Console. When a Data Source is added, Pentaho makes a HTTP request to the dashboards editor (/pentaho/api/repos/dashboards/editor) in order to test the connection by executing a test SQL query. However, further examination revealed that by utilizing CVE-2021-31602, an authentication bypass of Spring APIs, it is possible for an unauthenticated user to execute arbitrary SQL queries on any Pentaho datasource and thus retrieve data from the related databases.
aafd5de6352edfc97e93496f171ced94b49f52a6817c483a7aec6ee26649a0e9Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.
2a00c01b9e899d658a8c916b7f69fd826cff814e5ab5b947806aa8dfd91c3e07HealthForYou version 1.11.1 and HealthCoach version 2.9.2 are missing a server-side password policy. When creating an account or changing your password the mobile and web application both check the password against the password policy. But the API assumes that the given password is already checked therefore an attacker can intercept the HTTP request and change it to a weak password.
76436b526ba9f4f32e343d01e9e2fa685e376cf002a7d94b46c1f713090fd4b3Red Hat Security Advisory 2021-4134-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.3.0. Issues addressed include bypass, spoofing, and use-after-free vulnerabilities.
a88eb764b65ec66c46ee3c76b70894989188f4e5965d111b4da0fa51f31687dfPentaho implements a series of web services using the SOAP protocol to allow scripting interaction with the backend server. HAWSEC identified that the services userRoleListService and ServiceAction exposed through the /pentaho/webservices/userRoleListService and /pentaho/ServiceAction?action=SecurityDetails endpoints are not enforcing sufficient access controls. Specifically, an authenticated user can list all application usernames present in the Jackrabbit Repository.
df24858a662120cb07ae1d884fbbf73c40dde32c2c707e40ade959b4c867fc35Backdoor.Win32.Jokerdoor malware suffers from a buffer overflow vulnerability.
f9ac0dc563179b905dfc07b61a0149825ae2536c624a7f6cfb6a2ab07774f0eeRed Hat Security Advisory 2021-4130-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.3.0. Issues addressed include bypass, spoofing, and use-after-free vulnerabilities.
e8817b7475fcd78d00b1e034f0f524743e2b13cedea16cb733a200b676c97c57Pentaho Business Analytics and Pentaho Business Server versions 9.1 and below suffer from an authentication bypass vulnerability related to Spring APIs.
7f8a25e1b9943928e3d57e11e94b4b22917396971502415544f387e2340268c3PHP Event Calendar Lite Edition suffers from a persistent cross site scripting vulnerability.
09c617426974d7713fb8ccab94dcccb7210bc336670db3a9f3be869096871afbIBM Sterling B2B Integrator suffers from a cross site scripting vulnerability. Versions affected include 5.2.0.0 through 5.2.6.5_3, 6.0.0.0 through 6.0.3.4, and 6.1.0.0 through 6.1.0.2.
b6d82ee2ddf3add475ca8f0e7254bd649739bfd47a776b2327a65546609217f5Backdoor.Win32.Ncx.b malware suffers from a code execution vulnerability.
47fc600df53efe7d5ddc71a7f247222ee2018c1c58652d07dd06fcd09771d24cImportExportTools NG version 10.0.4 suffers from an html injection vulnerability.
465fb0bd0b588f37cc0e2a9d0ddf87d7e2ac303878dfbdd275bc942ba514d07fPentaho implements a series of web services using the SOAP protocol to allow scripting interaction with the backend server. While most of the interfaces correctly implement ACL, the Data Source Management Service located at /pentaho/webservices/datasourceMgmtService allows low-privilege authenticated users to list the connection details of all data sources used by Pentaho.
4aaf1b95b9800f81d2e66519aadddc6609e2f04e00314708ec9fc5479517ea37Red Hat Security Advisory 2021-4132-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.3.0. Issues addressed include bypass, spoofing, and use-after-free vulnerabilities.
109d37dacc152c7201d9057d84aa66c0523cc939924c87f5d2d8031ddb6be127PHP Event Calendar Lite Edition suffers from a remote SQL injection vulnerability that allows for authentication bypass.
3faf37775ad2f15a9b2f6c16d0cf7e32bcf7f871fe41a4df925d3d66c307459eBackdoor.Win32.Ncx.b malware suffers from a buffer overflow vulnerability.
de842114bff7044aacff49933ad7ecf0413dbb215c8efb1bc77300dd7112aa60Pentaho allows users to upload various files of different file types. The upload service is implemented under the /pentaho/UploadService endpoint. The file types allowed by the application are csv, dat, txt, tar, zip, tgz, gz, gzip. When uploading a file with an extension other than the allowed file types, the application responds with the error message of UploadFileServlet.ERROR_0011 - File type not allowed. Allowable types are csv,dat,txt,tar,zip,tgz,gz,gzip. However, the file extension check can be bypassed by including a single dot "." at the end of the filename.
88d6bd09be7fc284d1910e9a75bbeb0651c9da3a240f985ed3f97efbddeb9345Payment Terminal versions 2.x and 3.x suffer from multiple cross site scripting vulnerabilities.
27a22428ead7127a84801eae1be728ca02501f8c8a79f21fd3ad57d22d4d25f5Red Hat Security Advisory 2021-4133-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.3.0. Issues addressed include bypass, spoofing, and use-after-free vulnerabilities.
55b1c367292bbdb62a4f4100dc6751df2844edde8cb290b99b3d7c708acfbae2Pentaho allows users to create and run Pentaho Report Bundles (.prpt). Users can create PRPT reports by utilizing the Pentaho Designer application and can include BeanShell Script functions to ease the production of complex reports. However, the BeanShell Script functions can allow for the execution of arbitrary Java code when Pentaho PRPT Reports are run by Pentaho Business Analytics. This functionality allows any user with sufficient privileges to upload or edit an existing Pentaho Report Bundle (through Pentaho Designer) and execute arbitrary code in the context of the Pentaho application user running on the web server.
9f8cbd9f5ed4747e5a6fd8e34452cf38b7608a4e96f8f1551a4a3068ced9694910-Strike Network Inventory Explorer Pro version 9.31 suffers from an unquoted service path vulnerability.
4f0a6092e4c9264325b7d86141204520d03a4780c30c8b04cd8eae9096d43f78Backdoor.Win32.Optix.03.b malware suffers from a code execution vulnerability.
97b8e09b93614293932596d037cf5fe1190a33c7cb61ee0089546ab7541385a4Khamenei.ir suffers from a remote SQL injection vulnerability.
0ade2eca419824b2ce0fa2099f840485ed70eb3df59af6f97f13c77201098c23
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed