Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2019-3907: [R3] Multiple Premisys Identicard Vulnerabilities - Research Advisory | Tenable®

Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).

CVE
#vulnerability

Related news

CVE-2021-36185: PSIRT Advisories | FortiGuard

A improper neutralization of special elements used in an OS command ('OS Command Injection') in Fortinet FortiWLM version 8.6.1 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests.

CVE-2021-36184: PSIRT Advisories | FortiGuard

A improper neutralization of Special Elements used in an SQL Command ('SQL Injection') in Fortinet FortiWLM version 8.6.1 and below allows attacker to disclosure device, users and database information via crafted HTTP requests.

CVE-2021-36184: FortiGuard

A improper neutralization of Special Elements used in an SQL Command ('SQL Injection') in Fortinet FortiWLM version 8.6.1 and below allows attacker to disclosure device, users and database information via crafted HTTP requests.

CVE-2020-12814: PSIRT Advisories | FortiGuard

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiAnalyzer version 6.0.6 and below, version 6.4.4 allows attacker to execute unauthorized code or commands via specifically crafted requests to the web GUI.

CVE-2021-41746: SQL injection · Issue #1 · purple-WL/Yonyou-TurboCRM-SQL-injection

SQL Injection vulnerability exists in all versions of Yonyou TurboCRM.via the orgcode parameter in changepswd.php. Attackers can use the vulnerabilities to obtain sensitive database information.

CVE-2021-21745: Security Bulletin Details

ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use this vulnerability to perform illegal authorization operations by sending a request to the user to click.

CVE-2021-37123: Security Advisory - Improper Authentication Vulnerability in Huawei Product

There is an improper authentication vulnerability in Hero-CT060 before 1.0.0.200. The vulnerability is due to that when an user wants to do certain operation, the software does not insufficiently validate the user's identity. Successful exploit could allow the attacker to do certain operations which the user are supposed not to do.

CVE-2021-40542: Unauthenticated Reflect Cross-site Scripting in Ajax_url_encode.php file · Issue #189 · OS4ED/openSIS-Classic

Opensis-Classic Version 8.0 is affected by cross-site scripting (XSS). An unauthenticated user can inject and execute JavaScript code through the link_url parameter in Ajax_url_encode.php.

CVE-2021-3833: Automatic update & upgrade system - Integria IMS

Integria IMS login check uses a loose comparator ("==") to compare the MD5 hash of the password provided by the user and the MD5 hash stored in the database. An attacker with a specific formatted password could exploit this vulnerability in order to login in the system with different passwords.

CVE-2021-24016: PSIRT Advisories | FortiGuard

An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host.

CVE-2021-37104: Security Advisory - Server-Side Request Forgery Vulnerability in Huawei Product

There is a server-side request forgery vulnerability in HUAWEI P40 versions 10.1.0.118(C00E116R3P3). This vulnerability is due to insufficient validation of parameters while dealing with some messages. A successful exploit could allow the attacker to gain access to certain resource which the attacker are supposed not to do.

CVE-2021-34413: Security Bulletin

All versions of the Zoom Plugin for Microsoft Outlook for MacOS before 5.3.52553.0918 contain a Time-of-check Time-of-use (TOC/TOU) vulnerability during the plugin installation process. This could allow a standard user to write their own malicious application to the plugin directory, allowing the malicious application to execute in a privileged context.

CVE-2021-34413: CWE - CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition (4.5)

All versions of the Zoom Plugin for Microsoft Outlook for MacOS before 5.3.52553.0918 contain a Time-of-check Time-of-use (TOC/TOU) vulnerability during the plugin installation process. This could allow a standard user to write their own malicious application to the plugin directory, allowing the malicious application to execute in a privileged context.

CVE-2021-21742: Security Bulletin Details

There is an information leak vulnerability in the message service app of a ZTE mobile phone. Due to improper parameter settings, attackers could use this vulnerability to obtain some sensitive information of users by accessing specific pages.

CVE-2021-21742: Security Bulletin Details

There is an information leak vulnerability in the message service app of a ZTE mobile phone. Due to improper parameter settings, attackers could use this vulnerability to obtain some sensitive information of users by accessing specific pages.

CVE-2021-40309: Offensive Security’s Exploit Database Archive

A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0. allows an attacker to inject their own SQL query. The cp_id_miss_attn parameter from TakeAttendance.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request as a user with access to "Take Attendance" functionality to trigger this vulnerability.

CVE-2021-33044: Security Advisory - Identity authentication bypass vulnerability found in some Dahua products

The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

CVE-2021-33045: Security Advisory - Identity authentication bypass vulnerability found in some Dahua products

The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

CVE-2021-36621: Offensive Security’s Exploit Database Archive

Sourcecodester Online Covid Vaccination Scheduler System 1.0 is vulnerable to SQL Injection. The username parameter is vulnerable to time-based SQL injection. Upon successful dumping the admin password hash, an attacker can decrypt and obtain the plain-text password. Hence, the attacker could authenticate as Administrator.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907