Archive | Security Bulletins

CVE-2019-9085

Hoteldruid before v2.3.1 allows remote authenticated users to cause a denial of service (invoice-creation outage) via the n_file parameter to visualizza_contratto.php with invalid arguments (any non-numeric value), as demonstrated by the anno=2019&id_transazione=1&numero_contratto=1&n_file=a query string to visualizza_contratto.php.

CVE-2019-7229

The ABB CP635 HMI uses two different transmission methods to upgrade its firmware and its software components: “Utilization of USB/SD Card to flash the device” and “Remote provisioning process via ABB Panel Builder 600 over FTP.” Neither of these transmission methods implements any form of encryption or authenticity checks against the new firmware HMI software […]

CVE-2019-9958

CSRF within the admin panel in Quadbase EspressReport ES (ERES) v7.0 update 7 allows remote attackers to escalate privileges or create new admin accounts by crafting a malicious web page that issues specific requests, using a target admin's session to process those requests.

CVE-2017-17945

The ASUS HiVivo application before 5.6.27 for ASUS Watch has Missing SSL Certificate Validation.

CVE-2019-9957

Stored XSS within Quadbase EspressReport ES (ERES) v7.0 update 7 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into the target pages. The XSS payload is stored by creating a new user account, and setting the username to an XSS payload. The stored payload can then be triggered by accessing the […]

CVE-2019-10271

An issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It allows unauthorized profile and cover picture modification. It is possible to modify the profile and cover picture of any user once one is connected. One can also modify the profiles and cover pictures of privileged users. To perform such a modification, one […]

CVE-2019-12880

BCN Quark Quarking Password Manager 3.1.84 suffers from a clickjacking vulnerability caused by allowing * within web_accessible_resources. An attacker can take advantage of this vulnerability and cause significant harm.

CVE-2019-11648

An information leakage exists in Micro Focus NetIQ Self Service Password Reset Software all versions prior to version 4.4. The vulnerability could be exploited to expose sensitive information.

CVE-2019-11647

A potential XSS exists in Micro Focus NetIQ Self Service Password Reset Software, all versions prior to version 4.4. The vulnerability could be exploited to enable an XSS attack.

CVE-2019-12940 (livezilla)

LiveZilla Server before 8.0.1.1 is vulnerable to Denial Of Service (memory consumption) in knowledgebase.php via a large integer value of the depth parameter.
