Recent Advisories


CVE-2020-29177

Z-BlogPHP v1.6.1.2100 was discovered to contain an arbitrary file deletion vulnerability via \app_del.php.

  • Published: Thu 02 Dec 2021

CVE-2020-29176

An arbitrary file upload vulnerability in Z-BlogPHP v1.6.1.2100 allows attackers to execute arbitrary code via a crafted JPG file.

  • Published: Thu 02 Dec 2021

CVE-2021-25783

Taocms v2.5Beta5 was discovered to contain a blind SQL injection vulnerability via the function Article Search.

  • Published: Thu 02 Dec 2021

CVE-2021-25784

Taocms v2.5Beta5 was discovered to contain a blind SQL injection vulnerability via the function Edit Article.

  • Published: Thu 02 Dec 2021

CVE-2021-25785

Taocms v2.5Beta5 was discovered to contain a cross-site scripting (XSS) vulnerability via the component Management column.

  • Published: Thu 02 Dec 2021

CVE-2020-36129

AOM v2.0.1 was discovered to contain a stack buffer overflow via the component src/aom_image.c.

  • Published: Thu 02 Dec 2021

CVE-2021-28237

LibreDWG v0.12.3 was discovered to contain a heap-buffer overflow via decode_preR13.

  • Published: Thu 02 Dec 2021

CVE-2021-28236

LibreDWG v0.12.3 was discovered to contain a NULL pointer dereference via out_dxfb.c.

  • Published: Thu 02 Dec 2021

CVE-2020-36133

AOM v2.0.1 was discovered to contain a global buffer overflow via the component av1/encoder/partition_search.h.

  • Published: Thu 02 Dec 2021

CVE-2020-36135

AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component rate_hist.c.

  • Published: Thu 02 Dec 2021

CVE-2020-36134

AOM v2.0.1 was discovered to contain a segmentation violation via the component aom_dsp/x86/obmc_sad_avx2.c.

  • Published: Thu 02 Dec 2021

CVE-2020-36131

AOM v2.0.1 was discovered to contain a stack buffer overflow via the component stats/rate_hist.c.

  • Published: Thu 02 Dec 2021

CVE-2020-36130

AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component av1/av1_dx_iface.c.

  • Published: Thu 02 Dec 2021

CVE-2021-43327

An issue was discovered on Renesas RX65 and RX65N devices. With a VCC glitch, an attacker can extract the security ID key from the device. Then, the protected firmware can be extracted.

  • Published: Thu 02 Dec 2021

CVE-2021-44050

CA Network Flow Analysis (NFA) 21.2.1 and earlier contain a SQL injection vulnerability in the NFA web application, due to insufficient input validation, that could potentially allow an authenticated user to access sensitive data.

  • Published: Thu 02 Dec 2021

CVE-2021-40333

Weak Password Requirements vulnerability in Hitachi Energy FOX61x and XCM20 allows an attacker to gain unauthorized access to the Data Communication Network (DCN) routing configuration. This issue affects: Hitachi Energy FOX61x versions prior to R15A. Hitachi Energy XCM20 versions prior to R15A.

  • Published: Thu 02 Dec 2021

CVE-2021-40334

Missing Handler vulnerability in the proprietary management protocol (TCP port 5558) of Hitachi Energy FOX61x and XCM20 allows an attacker who activates SSH on TCP port 5558 to disrupt communication between the NMS and the NE. This issue affects: Hitachi Energy FOX61x versions prior to R15A. Hitachi Energy XCM20 versions prior to R15A.

  • Published: Thu 02 Dec 2021

CVE-2021-43795

Armeria is an open source microservice framework. In affected versions an attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing Armeria's path validation logic. Armeria 1.13.4 or above contains the hardened path validation logic that handles `%2F` properly. This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path.

  • Published: Thu 02 Dec 2021

CVE-2015-20106

The ClickBank Affiliate Ads WordPress plugin through 1.20 does not escape its settings, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

  • Published: Thu 02 Dec 2021

CVE-2015-20105

The ClickBank Affiliate Ads WordPress plugin through 1.20 does not have a CSRF check when saving its settings, allowing an attacker to make a logged-in admin change them via a CSRF attack. Furthermore, due to the lack of escaping when they are output, this could also lead to Stored Cross-Site Scripting issues.

  • Published: Thu 02 Dec 2021

CVE-2021-3944

BookStack is vulnerable to Cross-Site Request Forgery (CSRF).

  • Published: Thu 02 Dec 2021

CVE-2021-44518

An issue was discovered in the eGeeTouch 3rd Generation Travel Padlock application for Android. The lock sends a pairing code before each operation (lock or unlock) activated via the companion app. The code is sent unencrypted, allowing any attacker with the same app (either Android or iOS) to add the lock and take complete control. For successful exploitation, the attacker must be able to touch the lock's power button, and must be able to capture BLE network communication.

  • Published: Thu 02 Dec 2021

CVE-2021-23261

Authenticated administrators may override the system configuration file and cause a denial of service.

  • Published: Thu 02 Dec 2021

CVE-2021-23264

Installations where crafter-search is not protected allow unauthenticated remote attackers to create, view, and delete search indexes.

  • Published: Thu 02 Dec 2021

CVE-2021-23262

Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE.

  • Published: Thu 02 Dec 2021

Note: This page is generated by our securitybot and has not been checked for errors.