CVE-2021-42092: Security Advisory ZAA-2021-16 | Zammad

An issue was discovered in Zammad before 4.1.1. Stored XSS may occur via an Article during addition of an attachment to a Ticket.

Related news

CVE-2021-43397: Release Notes Version 3.6.x | LiquidFiles Documentation

LiquidFiles before 3.6.3 allows remote attackers to elevate their privileges from Admin (or User Admin) to Sysadmin.

CVE-2021-36183: PSIRT Advisories | FortiGuard

An improper authorization vulnerability [CWE-285] in FortiClient for Windows versions 7.0.1 and below and 6.4.2 and below may allow a local unprivileged attacker to escalate their privileges to SYSTEM via the named pipe responsible for FortiClient updates.

CVE-2021-40345

An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an attacker to execute system commands.

CVE-2021-40344

An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote command execution.

CVE-2021-42087: Security Advisory ZAA-2021-15 | Zammad

An issue was discovered in Zammad before 4.1.1. An admin can discover the application secret via the API.

CVE-2021-42089: Security Advisory ZAA-2021-13 | Zammad

An issue was discovered in Zammad before 4.1.1. The REST API discloses sensitive information.

CVE-2021-42086: Security Advisory ZAA-2021-09 | Zammad

An issue was discovered in Zammad before 4.1.1. An Agent account can modify account data, and gain admin access, via a crafted request.

CVE-2021-42084: Security Advisory ZAA-2021-11 | Zammad

An issue was discovered in Zammad before 4.1.1. An attacker with valid agent credentials may send a series of crafted requests that cause an endless loop and thus cause denial of service.

CVE-2021-42090: Security Advisory ZAA-2021-14 | Zammad

An issue was discovered in Zammad before 4.1.1. The Form functionality allows remote code execution because deserialization is mishandled.

CVE-2021-42091: Security Advisory ZAA-2021-08 | Zammad

An issue was discovered in Zammad before 4.1.1. SSRF can occur via GitHub or GitLab integration.

CVE-2021-42085: Security Advisory ZAA-2021-17 | Zammad

An issue was discovered in Zammad before 4.1.1. There is stored XSS via a custom Avatar.

CVE-2021-42088: Security Advisory ZAA-2021-12 | Zammad

An issue was discovered in Zammad before 4.1.1. The Chat functionality allows XSS because clipboard data is mishandled.

CVE-2021-42094: Security Advisory ZAA-2021-18 | Zammad

An issue was discovered in Zammad before 4.1.1. Command Injection can occur via custom Packages.

CVE-2021-42093: Security Advisory ZAA-2021-10 | Zammad

An issue was discovered in Zammad before 4.1.1. An admin can execute code on the server via a crafted request that manipulates triggers.

CVE-2021-39889: HackerOne

In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch.

CVE-2021-22535: Potential information disclosure vulnerability (CVE-2021-22535)

An unauthorized information disclosure vulnerability in the Micro Focus Directory and Resource Administrator (DRA) product affects all DRA versions prior to 10.1 Patch 1 and could lead to unauthorized disclosure of information.

CVE-2019-15597: HackerOne

A code injection vulnerability exists in node-df v0.1.4 that can allow an attacker to achieve remote code execution via unsanitized input.

CVE-2019-15599: HackerOne

A code injection vulnerability exists in tree-kill on Windows that allows remote code execution when an attacker is able to control the input into the command.
