Mail Thread Index
- [FD] Bagisto: Insecure installation in sub-directories,
devsecweb--- via Fulldisclosure
- [FD] Bagisto: Default credentials for admin interface,
devsecweb--- via Fulldisclosure
- [FD] Roundcube issue - Auth bypass via Improper Session Management,
Balázs Hambalkó
- [FD] Sagemcom router insecure deserialization > privilege escalation,
Ryan Delaney
- [FD] Kamailio vulnerable to header smuggling possible due to bypass of remove_hf,
Sandro Gauci
- [FD] [RT-SA-2020-004] Inconsistent Behavior of Go's CGI and FastCGI Transport May Lead to Cross-Site Scripting,
RedTeam Pentesting GmbH
- [FD] SEC Consult SA-20200902-0 :: Multiple Vulnerabilities in Red Lion N-Tron 702-W, Red Lion N-Tron 702M12-W,
SEC Consult Vulnerability Lab
- [FD] Hyland OnBase 19.x and below - SQL Injection,
Adaptive Security Consulting via Fulldisclosure
- [FD] Hyland OnBase 19.x and below - Insufficient Logging (Client-Side Enforcement of Server-Side Security),
Adaptive Security Consulting via Fulldisclosure
- [FD] Hyland OnBase 19.x and below - CSRF,
Adaptive Security Consulting via Fulldisclosure
- [FD] Full Disclosure - Telnet Hardcoded credentials - CVE-2018-20432,
CSW Research Lab
- [FD] Noise-Java AESGCMFallbackCipherState.encryptWithAd() insufficient boundary checks,
Pietro Oliva via Fulldisclosure
- [FD] Noise-Java AESGCMOnCtrCipherState.encryptWithAd() insufficient boundary checks,
Pietro Oliva via Fulldisclosure
- [FD] Noise-Java ChaChaPolyCipherState.encryptWithAd() insufficient boundary checks,
Pietro Oliva via Fulldisclosure
- [FD] Pulse Secure Windows Client <9.1.6 (CVE-2020-13162) - exploit,
Red Timmy Security
- [FD] Open Source Tool | vPrioritization | Risk Prioritization Framework,
Pramod Rana
- [FD] Hyland OnBase 19.x and below - Insufficient Authorization (Client-Side Enforcement of Server-Side Security),
AdaptiveSecurity Consulting via Fulldisclosure
- [FD] Hyland OnBase 19.x and below - Log Injection And Denial Of Service,
AdaptiveSecurity Consulting via Fulldisclosure
- [FD] Hyland OnBase 19.x and below - Hardcoded PKI Certificates And AES Key Material,
AdaptiveSecurity Consulting via Fulldisclosure
- [FD] Hyland OnBase 19.x and below - Unity Client Malformed Image Denial Of Service,
AdaptiveSecurity Consulting via Fulldisclosure
- [FD] Hyland OnBase 19.x and below - DLL Hijacking,
AdaptiveSecurity Consulting via Fulldisclosure
- [FD] Hyland OnBase 19.x and below - Path Traversal,
AdaptiveSecurity Consulting via Fulldisclosure
- [FD] Hyland OnBase 19.x and below - Insecure Deserialization,
AdaptiveSecurity Consulting via Fulldisclosure
- [FD] Hyland OnBase 19.x and below - XML External Entity (XXE) Injection,
AdaptiveSecurity Consulting via Fulldisclosure
- [FD] Hyland OnBase 19.x and below - Unrestricted File Upload,
AdaptiveSecurity Consulting via Fulldisclosure
- [FD] Hyland OnBase 19.x and below - Data Import Denial Of Service,
AdaptiveSecurity Consulting via Fulldisclosure
- [FD] Two vulnerabilities found in MikroTik's RouterOS,
Q C
- [FD] Cross-Site Scripting Vulnerabilities in IlchCMS 2.1.37,
Daniel Bishtawi via Fulldisclosure
- [FD] CVE-2020-8150 – Remote Code Execution as SYSTEM/root via Backblaze,
Jason Geffner
- [FD] CVE-2020-8152 – Elevation of Privilege in Backblaze,
Jason Geffner
- [FD] Windows TCPIP Finger Command / C2 Channel and Bypassing Security Software,
hyp3rlinx
- [FD] ARA-2020-005: Insecure Direct Object Reference in 1CRM (CVE-2020-15958),
Andreas Sperber
- [FD] ModSecurity v3 affected by DoS (CVE-2020-15598),
Christian Folini
- [FD] [CVE-2020-16171] Acronis Cyber Backup <= v12.5 Build 16341 Full Unauthenticated SSRF,
Julien Ahrens (RCE Security)
- [FD] Apache + PHP <= 7.4.10 open_basedir bypass,
Havijoori via Fulldisclosure
- [FD] Navy Federal Reflective Cross Site Scripting (XSS),
Juan Avila
- [FD] APPLE-SA-2020-09-16-1 iOS 14.0 and iPadOS 14.0,
Apple Product Security via Fulldisclosure
- [FD] APPLE-SA-2020-09-16-2 tvOS 14.0,
Apple Product Security via Fulldisclosure
- [FD] APPLE-SA-2020-09-16-3 Safari 14.0,
Apple Product Security via Fulldisclosure
- [FD] APPLE-SA-2020-09-16-4 watchOS 7.0,
Apple Product Security via Fulldisclosure
- [FD] APPLE-SA-2020-09-16-5 Xcode 12.0,
Apple Product Security via Fulldisclosure
- [FD] Seat Reservation System 1.0 Unauthenticated Remote Code Execution (CVE-2020-25763),
Ava Tester One
- [FD] Visitor Management System in PHP 1.0 - Authenticated SQL Injection,
Ava Tester One
- [FD] Visitor Management System in PHP 1.0 - Unauthenticated Stored XSS,
Ava Tester One
- [FD] [CVE-2020-25203] Frame Preview "com.framer.viewer.FramerViewActivity" Arbitrary URL Loading,
Julien Ahrens (RCE Security)
- [FD] Google's osconfig agent - local privilege escalation,
Imre Rad
- [FD] APPLE-SA-2020-09-24-1 macOS Catalina 10.15.6 Supplemental Update, Security Update 2020-005 High Sierra, Security Update 2020-005 Mojave,
Apple Product Security via Fulldisclosure
- [FD] Regarding the semi-recent OnBase vulnerabilities,
Ken
- [FD] [SYSS-2019-049] Insufficient Session Expiration (CWE-613) in REDDOXX MailDepot (CVE-2019-19199),
Micha Borrmann
- [FD] [SYSS-2020-024] Qiata FTA - Persistent Cross-Site Scripting,
Patrick Hener
- [FD] [SYSS-2020-025] DOMOS 5.8 - OS Command Injection,
Patrick Hener
- [FD] Critical Information Disclosure on WP Courses plugin <= 2.0.29 exposes private course videos and materials,
Red Timmy Security