Security
Headlines
HeadlinesLatestCVEs

Tag

#microsoft

CVE-2019-19034: AssetExplorer ITAM Solution ServicePacks Readme

Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.

CVE
Open in Source
#sql#xss#csrf#vulnerability#web#ios#android#mac#windows#google#microsoft#ubuntu#linux#debian#cisco#red_hat#dos#redis#js#git#java#oracle#intel#rce#perl#ldap#samba#ssrf#pdf#vmware#log4j#bios#buffer_overflow#oauth#auth#ssh#telnet#dell#postgres#chrome#firefox#sap#ssl
CVE-2019-15654: Trustwave Security Advisories

Comba AC2400 devices are prone to password disclosure via a simple crafted /09/business/upgrade/upcfgAction.php?download=true request to the web management server. The request doesn't require any authentication and will lead to saving the DBconfig.cfg file. At the end of the file, the login information is stored in cleartext.

CVE-2019-15656: Security Advisories | Trustwave

D-Link DSL-2875AL and DSL-2877AL devices through 1.00.05 are prone to information disclosure via a simple crafted request to index.asp on the web management server because of username_v and password_v variables.

CVE-2020-0822: Security Update Guide - Microsoft Security Response Center

An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations, aka 'Windows Language Pack Installer Elevation of Privilege Vulnerability'.

CVE-2020-8436: RegistrationMagic – Custom Registration Forms, User Registration and User Login Plugin

XSS was discovered in the RegistrationMagic plugin 4.6.0.0 for WordPress via the rm_form_id, rm_tr, or form_name parameter.

CVE-2020-2137: Jenkins Security Advisory 2020-03-09

Jenkins Timestamper Plugin 1.11.1 and earlier does not sanitize HTML formatting of its output, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.

CVE-2020-2159: Jenkins Security Advisory 2020-03-09

Jenkins CryptoMove Plugin 0.1.33 and earlier allows attackers with Job/Configure access to execute arbitrary OS commands on the Jenkins master as the OS user account running Jenkins.

CVE-2020-9281: GitHub - ckeditor/ckeditor4: The best enterprise-grade WYSIWYG editor. Fully customizable with countless features and plugins.

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).

CVE-2020-9281: GitHub - ckeditor/ckeditor4: The best enterprise-grade WYSIWYG editor. Fully customizable with countless features and plugins.

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).

CVE-2020-3865: About the security content of iCloud for Windows 10.9.2

Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, Safari 13.0.5, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. Processing maliciously crafted web content may lead to arbitrary code execution.