Security
Headlines
HeadlinesLatestCVEs

Tag

#debian

CVE-2021-43509: Simple-Client-Management-System-Exploit/CVE-2021-43509 at main · r4hn1/Simple-Client-Management-System-Exploit

SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the id parameter in view-service.php.

CVE
Open in Source
#sql#vulnerability#web#windows#apple#debian#apache
CVE-2021-24900: WordPress Ninja Tables 4.1.7 Cross Site Scripting ≈ Packet Storm

The Ninja Tables WordPress plugin before 4.1.8 does not sanitise and escape some of its table fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

CVE-2022-24130: XTERM - Change Log

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.

CVE-2022-24130: XTERM - Change Log

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.

CVE-2021-46660: Release Notes for Manager+Agents | Signiant Help

Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) attacks.

CVE-2021-4034

A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.

CVE-2021-4034

A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.

CVE-2022-23220: org.freedesktop.pkexec.usbview.policy: fix a local root privilege esc… · gregkh/usbview@bf374fa

USBView 2.1 before 2.2 allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option. This affects Ubuntu, Debian, and Gentoo.

CVE-2022-23220: org.freedesktop.pkexec.usbview.policy: fix a local root privilege esc… · gregkh/usbview@bf374fa

USBView 2.1 before 2.2 allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option. This affects Ubuntu, Debian, and Gentoo.

CVE-2021-23225: The Complete RRDTool-based Graphing Solution

Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php.