#nginx

CVE-2021-31584: Sipwise C5 NGCP CSC Cross Site Request Forgery ≈ Packet Storm

Sipwise C5 NGCP www_csc version 3.6.4 up to and including platform NGCP CE mr3.8.13 allows call/click2dial CSRF attacks for actions with administrative privileges.

3 years ago

CVE

Open in Source

#csrf #vulnerability #web #debian #apache #php #nginx

CVE-2021-20989: Advisory: Fibaro Home Center - Multiple Vulnerabilities (CVE-2021-20989, CVE-2021-20990, CVE-2021-20991, CVE-2021-20992)

Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using DNS spoofing attack and a device initiated remote port-forward channel can be used to connect to the web management interface. Knowledge of authorization credentials to the management interface is required to perform any further actions.

3 years ago

CVE

Open in Source

#vulnerability #web #js #php #nginx #oauth #auth #ssh

CVE-2021-21333: Clean-up the template loading code by clokep · Pull Request #9200 · matrix-org/synapse

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker. This is fixed in version 1.27.0.

3 years ago

CVE

Open in Source

#sql #web #ubuntu #debian #redis #git #xpath #nginx #oauth #auth #postgres #docker #ssl

CVE-2020-29238: High-Speed, Secure & Anonymous VPN Service | ExpressVPN

An integer buffer overflow in the Nginx webserver of ExpressVPN Router version 1 allows remote attackers to obtain sensitive information when the server running as reverse proxy via specially crafted request.

3 years ago

CVE

Open in Source

#web #nginx #buffer_overflow #ssl

CVE-2021-22877: Wrong (malformed) external storage credentials saved in `oc_storages_credentials` · Issue #24600 · nextcloud/server

A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users external storage configuration when not already configured yet.

3 years ago

CVE

Open in Source

#sql #web #mac #apple #amazon #ubuntu #redis #git #intel #php #ldap #nginx #samba #pdf #oauth #auth #docker #chrome #webkit #ssl

CVE-2021-26563: TALOS-2020-1158 || Cisco Talos Intelligence Group

Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.

3 years ago

CVE

Open in Source

#vulnerability #linux #cisco #git #intel #rce #ldap #nginx #auth

CVE-2020-27733: List of bug fixes and feature enhancements

Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request.

CVE-2020-35416: PHPJabbers Appointment Scheduler 2.3 Cross Site Scripting ≈ Packet Storm

Multiple cross-site scripting (XSS) vulnerabilities exist in PHPJabbers Appointment Scheduler 2.3, in the index.php admin login webpage (with different request parameters), allows remote attackers to inject arbitrary web script or HTML.

3 years ago

CVE

Open in Source