Security
Headlines
HeadlinesLatestCVEs

Tag

#sql

CVE-2020-10549: exploits/CVE-2020-10549.py at master · theguly/exploits

rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

CVE
#sql#vulnerability#git
CVE-2020-1963

Apache Ignite uses H2 database to build SQL distributed execution engine. H2 provides SQL functions which could be used by attacker to access to a filesystem.

CVE-2020-13448: CVE-2020-13448 - QuickBox - Authenticated RCE/Privilege Escalation

QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8 allows an authenticated remote attacker to execute code on the server via command injection in the servicestart parameter.

CVE-2020-13632: 1080459 - chromium - An open-source project to help move the web forward.

ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.

CVE-2020-13434: SQLite: View Ticket

SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.

CVE-2020-13249: sanity checks for client-supplied OK packet content · mariadb-corporation/mariadb-connector-c@2759b87

libmariadb/mariadb_lib.c in MariaDB Connector/C before 3.1.8 does not properly validate the content of an OK packet received from a server. NOTE: although mariadb_lib.c was originally based on code shipped for MySQL, this issue does not affect any MySQL components supported by Oracle.

CVE-2020-13166: SSD Advisory - MyLittleAdmin PreAuth RCE - SSD Secure Disclosure

The management tool in MyLittleAdmin 3.8 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.

CVE-2020-13144: 2. Open edX Architecture — Open edX Developer's Guide documentation

Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code. This leads to arbitrary code execution.

CVE-2019-2388: Ops Manager Server Changelog — MongoDB Ops Manager 6.0

In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.

CVE-2020-12625: Release Roundcube Webmail 1.4.4 · roundcube/roundcubemail

An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.