Security CERT Global

• TP-Link TL-WR841N V13 (JP) vulnerable to OS command injection
  TP-Link TL-WR841N V13 (JP) is vulnerable to OS command injection. ... read more
• お知らせ：「インシデント報告Webフォーム」メンテナンス(2021/02/04)のお知らせ
  ... read more
• CVE-2021-21239
  Gravedad: NonePublicado: 21/01/2021Last revised: 21/01/2021Descripción: *** Pendiente de traducción *** PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic ... read more
• CVE-2021-21238
  Gravedad: NonePublicado: 21/01/2021Last revised: 21/01/2021Descripción: *** Pendiente de traducción *** PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic ... read more
• CVE-2020-26285
  Gravedad: NonePublicado: 21/01/2021Last revised: 21/01/2021Descripción: *** Pendiente de traducción *** OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, there is a vulnerability which ... read more
• CVE-2021-21253
  Gravedad: NonePublicado: 21/01/2021Last revised: 21/01/2021Descripción: *** Pendiente de traducción *** OnlineVotingSystem is an open source project hosted on GitHub. OnlineVotingSystem before version 1.1.2 hashes user passwords without a salt, which ... read more
• CVE-2020-26295
  Gravedad: NonePublicado: 21/01/2021Last revised: 21/01/2021Descripción: *** Pendiente de traducción *** OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, an administrator with permission to ... read more
• CVE-2020-8554
  Gravedad: NonePublicado: 21/01/2021Last revised: 21/01/2021Descripción: *** Pendiente de traducción *** Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the ... read more
• CVE-2020-8568
  Gravedad: NonePublicado: 21/01/2021Last revised: 21/01/2021Descripción: *** Pendiente de traducción *** Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability ... read more
• CVE-2020-8567
  Gravedad: NonePublicado: 21/01/2021Last revised: 21/01/2021Descripción: *** Pendiente de traducción *** Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to ... read more
• CVE-2020-8569
  Gravedad: NonePublicado: 21/01/2021Last revised: 21/01/2021Descripción: *** Pendiente de traducción *** Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot ... read more
• CVE-2020-8570
  Gravedad: NonePublicado: 21/01/2021Last revised: 21/01/2021Descripción: *** Pendiente de traducción *** Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current ... read more
• ESB-2020.4102.2 – UPDATE [Cisco] Cisco Secure Web Appliance : Multiple vulnerabilities
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.4102.2 Cisco Secure Web Appliance Privilege Escalation Vulnerability 22 January 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: ... read more
• ESB-2021.0261 – [Appliance] Mitsubishi Electric MELFA : Denial of service – Remote/unauthenticated
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.0261 Advisory (icsa-21-021-04) Mitsubishi Electric MELFA 22 January 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Mitsubishi Electric ... read more
• ESB-2021.0259 – [Win] Delta Electronics TPEditor: Execute arbitrary code/commands – Remote with user interaction
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.0259 Advisory (icsa-21-021-02) Delta Electronics TPEditor 22 January 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Delta Electronics ... read more
• ESB-2021.0257 – [Debian] drupal7: Multiple vulnerabilities
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.0257 Debian LTS Advisory DLA-2530-1 22 January 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: drupal7 Publisher: Debian ... read more
• ESB-2021.0260 – [Appliance] Honeywell OPC UA Tunneller: Multiple vulnerabilities
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.0260 Advisory (icsa-21-021-03) Honeywell OPC UA Tunneller 22 January 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Honeywell ... read more
• ESB-2021.0258 – [Win] Delta Electronics ISPSoft: Execute arbitrary code/commands – Existing account
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.0258 Advisory (icsa-21-021-01) Delta Electronics ISPSoft 22 January 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Delta Electronics ... read more
• ESB-2021.0262 – [Win][Appliance] WAGO M&M Software fdtCONTAINER: Execute arbitrary code/commands – Existing account
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.0262 Advisory (icsa-21-021-05) WAGO M&M Software fdtCONTAINER 22 January 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: WAGO ... read more
• CVE-2020-6776 (praesensa_firmware, praesideo_firmware)
  A vulnerability in the web-based management interface of Bosch PRAESIDEO until and including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an unauthenticated remote attacker to trigger ... read more
• CVE-2021-21722 (zxv10_b860a_firmware)
  A ZTE Smart STB is impacted by an information leak vulnerability. The device did not fully verify the log, so attackers could use this vulnerability to obtain sensitive user information ... read more
• CVE-2021-22166 (gitlab)
  An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method ... read more
• CVE-2021-21009 (campaign_classic)
  Adobe Campaign Classic Gold Standard 10 (and earlier), 20.3.1 (and earlier), 20.2.3 (and earlier), 20.1.3 (and earlier), 19.2.3 (and earlier) and 19.1.7 (and earlier) are affected by a server-side request ... read more
• CVE-2020-24639 (airwave_glass)
  There is a vulnerability caused by unsafe Java deserialization that allows for arbitrary command execution in a containerized environment within Airwave Glass before 1.3.3. Successful exploitation can lead to complete ... read more
• CVE-2020-24638 (airwave_glass)
  Multiple authenticated remote command executions are possible in Airwave Glass before 1.3.3 via the glassadmin cli. These allow for a user with glassadmin privileges to execute arbitrary code as root ... read more
• CVE-2021-0206 (junos)
  A NULL Pointer Dereference vulnerability in Juniper Networks Junos OS allows an attacker to send a specific packet causing the packet forwarding engine (PFE) to crash and restart, resulting in ... read more
• CVE-2021-0203 (junos)
  On Juniper Networks EX and QFX5K Series platforms configured with Redundant Trunk Group (RTG), Storm Control profile applied on the RTG interface might not take affect when it reaches the ... read more
• CVE-2021-0207 (junos)
  An improper interpretation conflict of certain data between certain software components within the Juniper Networks Junos OS devices does not allow certain traffic to pass through the device upon receipt ... read more
• CVE-2021-0202 (junos)
  On Juniper Networks MX Series and EX9200 Series platforms with Trio-based MPC (Modular Port Concentrator) where Integrated Routing and Bridging (IRB) interface is configured and it is mapped to a ... read more
• CVE-2021-0208 (junos, junos_evolved)
  An improper input validation vulnerability in the Routing Protocol Daemon (RPD) service of Juniper Networks Junos OS allows an attacker to send a malformed RSVP packet when bidirectional LSPs are ... read more
• CVE-2020-6572 (chrome)
  Use after free in Media in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to execute arbitrary code via a crafted HTML page. ... read more
• CVE-2020-8554
  Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, ... read more
• CVE-2020-8569
  Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference ... read more
• CVE-2020-8568
  Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file ... read more
• CVE-2020-8567
  Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects ... read more
• CVE-2020-8570
  Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which ... read more
• CVE-2020-6777 (praesensa_firmware, praesideo_firmware)
  A vulnerability in the web-based management interface of Bosch PRAESIDEO until and including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an authenticated remote attacker with admin ... read more
• CVE-2020-29493 (emc_avamar_server, emc_integrated_data_protection_appliance)
  DELL EMC Avamar Server, versions 19.1, 19.2, 19.3, contain a SQL Injection Vulnerability in Fitness Analyzer. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of ... read more
• CVE-2020-29587 (simplcommerce)
  SimplCommerce 1.0.0-rc uses the Bootbox.js library, which allows creation of programmatic dialog boxes using Bootstrap modals. The Bootbox.js library intentionally does not perform any sanitization of user input, which results ... read more
• CVE-2021-0205 (junos)
  When the "Intrusion Detection Service" (IDS) feature is configured on Juniper Networks MX series with a dynamic firewall filter using IPv6 source or destination prefix, it may incorrectly match the ... read more
• CVE-2021-0204 (junos)
  A sensitive information disclosure vulnerability in delta-export configuration utility (dexp) of Juniper Networks Junos OS may allow a locally authenticated shell user the ability to create and read database files ... read more
• CVE-2020-35749 (simple_board_job)
  Directory traversal vulnerability in class-simple_job_board_resume_download_handler.php in the Simple Board Job plugin 2.9.3 and earlier for WordPress allows remote attackers to read arbitrary files via the sjb_file parameter to wp-admin/post.php. ... read more
• CVE-2020-29494 (emc_avamar_server, emc_integrated_data_protection_appliance)
  Dell EMC Avamar Server, versions 19.1, 19.2, 19.3, contain a Path Traversal Vulnerability in PDM. A remote user could potentially exploit this vulnerability, to gain unauthorized write access to the ... read more
• CVE-2020-29495 (emc_avamar_server, emc_integrated_data_protection_appliance)
  DELL EMC Avamar Server, versions 19.1, 19.2, 19.3, contain an OS Command Injection Vulnerability in Fitness Analyzer. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution ... read more
• WAGO M&M Software fdtCONTAINER
  This advisory contains mitigations for a Deserialization of Untrusted Data vulnerability in the M&M (a WAGO subsidiary) fdtCONTAINER application. ... read more
• Delta Electronics TPEditor
  This advisory contains mitigations for Untrusted Pointer Dereference, and Out-of-bounds Write vulnerabilities in Delta Electronics TPEditor programming software for Delta text panels. ... read more
• Delta Electronics ISPSoft
  This advisory contains mitigations for a Use After Free vulnerability in Delta Electronics ISPSoft PLC program development tool. ... read more
• Honeywell OPC UA Tunneller
  This advisory contains mitigations for Heap-based Buffer Overflow, Out-of-bounds Read, Improper Check for Unusual or Exceptional Conditions, and Uncontrolled Resource Consumption vulnerabilities in Honeywell's OPC UA Tunneller software. ... read more
• Mitsubishi Electric MELFA
  This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric's MELFA robot controllers. ... read more
• CVE-2021-21253
  OnlineVotingSystem is an open source project hosted on GitHub. OnlineVotingSystem before version 1.1.2 hashes user passwords without a salt, which is vulnerable to dictionary attacks. Therefore there is a threat ... read more
Older posts