Apache Releases Security Advisory for Tomcat

US-CERT All NCAS Products - Fri, 01/15/2021 - 16:43
Original release date: January 15, 2021

The Apache Software Foundation has released a security advisory to address a vulnerability affecting multiple versions of Apache Tomcat. An attacker could exploit this vulnerability to obtain sensitive information.   

CISA encourages users and administrators to review the Apache security advisory for CVE-2021-24122 and upgrade to the appropriate version.  

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

RCE Vulnerability Affecting Microsoft Defender

US-CERT All NCAS Products - Thu, 01/14/2021 - 14:30
Original release date: January 14, 2021

Microsoft has released a security advisory to address a remote code execution vulnerability, CVE-2021-1647, in Microsoft Defender. A remote attacker can exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.

CISA encourages users and administrators to review Microsoft Advisory for CVE-2021-1647 and apply the necessary updates. 

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

Cisco Releases Security Updates for Multiple Products

US-CERT All NCAS Products - Thu, 01/14/2021 - 14:25
Original release date: January 14, 2021

Cisco has released security updates to address vulnerabilities in Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities see the Cisco Security Advisories page.

CISA encourages users and administrators to review the following Cisco Advisories and apply the necessary updates:

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

Juniper Networks Releases Security Updates for Multiple Products

US-CERT All NCAS Products - Thu, 01/14/2021 - 14:23
Original release date: January 14, 2021

Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to cause take control of an affected system.

CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services

US-CERT All NCAS Products - Thu, 01/14/2021 - 04:00
Original release date: January 13, 2021
Background

These types of attacks frequently occurred when victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services. Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks.

Technical Details

The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.

Phishing

CISA observed cyber threat actors using phishing emails with malicious links to harvest credentials for users’ cloud service accounts (Phishing: Spearphishing Link [T1566.002]). The cyber actors designed emails that included a link to what appeared to be a secure message and also emails that looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain Initial Access [TA0001] to the user’s cloud service account (Valid Accounts [T1078]). CISA observed the actors’ logins originating from foreign locations (although the actors could have been using a proxy or The Onion Router (Tor) to obfuscate their location). The actors then sent emails from the user’s account to phish other accounts within the organization. In some cases, these emails included links to documents within what appeared to be the organization’s file hosting service.

In one case, an organization did not require a virtual private network (VPN) for accessing the corporate network. Although their terminal server was located within their firewall, due to remote work posture, the terminal server was configured with port 80 open to allow remote employees to access it—leaving the organization’s network vulnerable. The threat actor attempted to exploit this by launching brute force login attempts (Brute Force [T1110]).

Forwarding Rules

In several engagements, CISA observed threat actors collecting sensitive information by taking advantage of email forwarding rules, which users had set up to forward work emails to their personal email accounts (Email Collection: Email Forwarding Rule [T1114.003]).

Modified Forwarding

In one case, CISA determined that the threat actors modified an existing email rule on a user’s account—originally set by the user to forward emails sent from a certain sender to a personal account—to redirect the emails to an account controlled by the actors. The threat actors updated the rule to forward all email to the threat actors’ accounts.

Keyword Search Rule

Threat actors also modified existing rules to search users’ email messages (subject and body) for several finance-related keywords (which contained spelling mistakes) and forward the emails to the threat actors’ account.

New Rule Creation and Forwarding

In addition to modifying existing user email rules, the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users.

Authentication

CISA verified that the threat actors successfully signed into one user’s account with proper multi-factor authentication (MFA). In this case, CISA believes the threat actors may have used browser cookies to defeat MFA with a “pass-the-cookie” attack (Use Alternate Authentication Material: Web Session Cookie [T1550.004]).

The threat actors attempted brute force logins (Brute Force [T1110]) on some accounts. However, this activity was not successful. This thwarted attempt was due, in part, to the threat actors not guessing a correct username/password combination, as well as the organization’s use of MFA to access their cloud environment.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments

US-CERT All NCAS Products - Wed, 01/13/2021 - 20:44
Original release date: January 13, 2021

CISA is aware of several recent successful cyberattacks against various organizations’ cloud services. Threat actors used a variety of tactics and techniques, including phishing and brute force logins, to attempt to exploit weaknesses in cloud security practices.

In response, CISA has released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services which provides technical details and indicators of compromise to help detect and respond to potential attacks.

CISA encourages users and administrators to review AR21-013A and apply the recommendations to strengthen cloud environment configurations.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

Microsoft Releases January 2021 Security Updates

US-CERT All NCAS Products - Tue, 01/12/2021 - 21:35
Original release date: January 12, 2021

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Microsoft’s January 2021 Security Update Summary and Deployment Information and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

NSA Cybersecurity Directorate Releases 2020 Year in Review

US-CERT All NCAS Products - Tue, 01/12/2021 - 16:22
Original release date: January 12, 2021

The National Security Agency (NSA) Cybersecurity Directorate has released its 2020 Year in Review, outlining key milestones and mission outcomes achieved during NSA Cybersecurity’s first full year of existence. Highlights include NSA Cybersecurity’s contributions to the 2020 elections, Operation Warp Speed, and the Department of Defense’s pandemic-influenced transition to telework.

For further details on those and other accomplishments, CISA encourages users and administrators to read the NSA Cybersecurity 2020 Year in Review.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

Mozilla Releases Security Update for Thunderbird

US-CERT All NCAS Products - Tue, 01/12/2021 - 16:15
Original release date: January 12, 2021

Mozilla has released a security update to address a vulnerability in Thunderbird. An attacker could exploit this vulnerability to take control of an affected system.  

CISA encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 78.6.1 and apply the necessary update.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

Adobe Releases Security Updates for Multiple Products

US-CERT All NCAS Products - Tue, 01/12/2021 - 16:07
Original release date: January 12, 2021

Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

SAP Releases January 2021 Security Updates

US-CERT All NCAS Products - Tue, 01/12/2021 - 16:04
Original release date: January 12, 2021

SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the SAP Security Notes for January 2021 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

Microsoft Releases Security Updates for Edge

US-CERT All NCAS Products - Mon, 01/11/2021 - 19:16
Original release date: January 11, 2021

Microsoft has released a security update to address multiple vulnerabilities in Edge (Chromium-based). An attacker could exploit some of these vulnerabilities to take control of an affected system.  

CISA encourages users and administrators to review the latest entry for Microsoft Security Advisory ADV200002 and apply the necessary updates. 

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

Vulnerability Summary for the Week of January 4, 2021

US-CERT All NCAS Products - Mon, 01/11/2021 - 13:06
Original release date: January 11, 2021


The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

High Vulnerabilities Primary
Vendor -- Product Description Published CVSS Score Source & Patch Info 1234n -- minicms Directory traversal vulnerability in post-edit.php in MiniCMS V1.10 allows remote attackers to include and execute arbitrary files via the state parameter. 2021-01-05 7.5 CVE-2020-36052
MISC asciitable.js_project -- asciitable.js The package asciitable.js before 1.0.3 are vulnerable to Prototype Pollution via the main function. 2021-01-04 7.5 CVE-2020-7771
MISC
MISC asus -- dsl-n17u_firmware The ASUS DSL-N17U modem with firmware 1.1.0.2 allows attackers to access the admin interface by changing the admin password without authentication via a POST request to Advanced_System_Content.asp with the uiViewTools_username=admin&uiViewTools_Password= and uiViewTools_PasswordConfirm= substrings. 2021-01-04 10 CVE-2020-35219
MISC
MISC chatter-social -- creeper Creeper is an experimental dynamic, interpreted language. The binary release of Creeper Interpreter 1.1.3 contains potential malware. The compromised binary release was available for a few hours between December 26, 2020 at 3:22 PM EST to December 26, 2020 at 11:00 PM EST. If you used the source code, you are **NOT** affected. This only affects the binary releases. The binary of unknown quality has been removed from the release. If you have downloaded the binary, please delete it and run a reputable antivirus scanner to ensure that your computer is clean. 2021-01-04 7.5 CVE-2020-26292
CONFIRM clickhouse-driver_project -- clickhouse-driver clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, due to a buffer overflow. 2021-01-06 7.5 CVE-2020-26759
MISC
MISC cse_bookstore_project -- cse_bookstore CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php and in cart.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database on which the web application is running. 2021-01-04 7.5 CVE-2020-36112
MISC dell -- emc_isilon_onefs Dell EMC Isilon OneFS versions 8.1 and later and Dell EMC PowerScale OneFS version 9.0.0 contain a privilege escalation vulnerability on a SmartLock Compliance mode cluster. The compadmin user connecting using ISI PRIV LOGIN SSH or ISI PRIV LOGIN CONSOLE can elevate privileges to the root user if they have ISI PRIV HARDENING privileges. 2021-01-05 7.2 CVE-2020-26181
MISC djv_project -- djv This affects the package djv before 2.1.4. By controlling the schema file, an attacker can run arbitrary JavaScript code on the victim machine. 2021-01-04 10 CVE-2020-28464
MISC
MISC
MISC drivergenius -- drivergenius_firmware MyDrivers64.sys in DriverGenius 9.61.3708.3054 allows attackers to cause a system crash via the ioctl command 0x9c402000 to \\.\MyDrivers0_0_1. 2021-01-03 7.1 CVE-2020-28841
MISC
MISC fasterxml -- jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. 2021-01-06 7.5 CVE-2020-36185
MISC
MISC fasterxml -- jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. 2021-01-06 7.5 CVE-2020-36181
MISC
MISC fasterxml -- jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. 2021-01-07 7.5 CVE-2020-36182
MISC
MISC fasterxml -- jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. 2021-01-07 7.5 CVE-2020-36183
MISC
MISC fasterxml -- jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. 2021-01-06 7.5 CVE-2020-36184
MISC
MISC fasterxml -- jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. 2021-01-07 7.5 CVE-2020-36179
MISC
MISC fasterxml -- jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. 2021-01-06 7.5 CVE-2020-36186
MISC
MISC fasterxml -- jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. 2021-01-06 7.5 CVE-2020-36187
MISC
MISC fasterxml -- jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. 2021-01-06 7.5 CVE-2020-36188
MISC
MISC fasterxml -- jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. 2021-01-06 7.5 CVE-2020-36189
MISC
MISC fasterxml -- jackson-databind FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. 2021-01-07 7.5 CVE-2020-36180
MISC
MISC google -- android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), Q(10.0), and R(11.0) (Exynos chipsets) software. The Mali GPU driver allows out-of-bounds access and a device reset. The Samsung ID is SVE-2020-19174 (January 2021). 2021-01-05 7.1 CVE-2021-22495
MISC ibm -- sterling_b2b_integrator IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5_2, 6.0.0.0 through 6.0.3.2, and 6.1.0.0 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code with SYSTEM privileges. IBM X-Force ID: 172452. 2021-01-05 9 CVE-2019-4728
XF
CONFIRM ipeak -- ipeakcms ipeak Infosystems ibexwebCMS (aka IPeakCMS) 3.5 is vulnerable to an unauthenticated Boolean-based SQL injection via the id parameter on the /cms/print.php page. 2021-01-05 7.5 CVE-2021-3018
MISC
MISC
MISC
MISC
MISC ispconfig -- ispconfig ISPConfig before 3.2.2 allows SQL injection. 2021-01-05 7.5 CVE-2021-3021
MISC
MISC linux -- linux_kernel mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332. 2021-01-05 8.3 CVE-2020-36158
MISC
MISC
MISC
MISC proofpoint -- inside_threat_management rcdsvc in the Proofpoint Insider Threat Management Windows Agent (formerly ObserveIT Windows Agent) before 7.9 allows remote authenticated users to execute arbitrary code as SYSTEM because of improper deserialization over named pipes. 2021-01-06 9 CVE-2020-8884
MISC
CONFIRM proofpoint -- insider_threat_management_server The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.9.1 contains a vulnerability in the ITM application server's WriteImage API. The vulnerability allows an anonymous remote attacker to execute arbitrary code with local administrator privileges. The vulnerability is caused by improper deserialization. 2021-01-06 7.5 CVE-2020-10658
MISC
CONFIRM proofpoint -- insider_threat_management_server The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.9.1 contains a vulnerability in the ITM application server's WriteWindowMouseWithChunksV2 API. The vulnerability allows an anonymous remote attacker to execute arbitrary code with local administrator privileges. The vulnerability is caused by improper deserialization. 2021-01-06 7.5 CVE-2020-10656
MISC
CONFIRM proofpoint -- insider_threat_management_server The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.9.1 contains a vulnerability in the ITM application server's WriteWindowMouse API. The vulnerability allows an anonymous remote attacker to execute arbitrary code with local administrator privileges. The vulnerability is caused by improper deserialization. 2021-01-06 7.5 CVE-2020-10655
MISC
CONFIRM redlion -- crimson A NULL pointer deference vulnerability has been identified in the protocol converter. An attacker could send a specially crafted packet that could reboot the device running Crimson 3.1 (Build versions prior to 3119.001). 2021-01-06 7.8 CVE-2020-27279
MISC rest\/json_project -- rest\/json The REST/JSON project 7.x-1.x for Drupal allows field access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. 2021-01-01 7.5 CVE-2016-20004
MISC rest\/json_project -- rest\/json The REST/JSON project 7.x-1.x for Drupal allows node access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. 2021-01-01 7.5 CVE-2016-20001
MISC rest\/json_project -- rest\/json The REST/JSON project 7.x-1.x for Drupal allows comment access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. 2021-01-01 7.5 CVE-2016-20002
MISC rest\/json_project -- rest\/json The REST/JSON project 7.x-1.x for Drupal allows user registration bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. 2021-01-01 7.5 CVE-2016-20005
MISC thecodingmachine -- gotenberg A directory traversal vulnerability in file upload function of Gotenberg through 6.2.1 allows an attacker to upload and overwrite any writable files outside the intended folder. This can lead to DoS, a change to program behavior, or code execution. 2021-01-07 7.5 CVE-2020-13450
MISC
MISC thecodingmachine -- gotenberg An incomplete-cleanup vulnerability in the Office rendering engine of Gotenberg through 6.2.1 allows an attacker to overwrite LibreOffice configuration files and execute arbitrary code via macros. 2021-01-07 7.5 CVE-2020-13451
MISC
MISC thecodingmachine -- gotenberg In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an attacker to overwrite the file, which can lead to denial of service or code execution. 2021-01-07 7.5 CVE-2020-13452
MISC
MISC thedaylightstudio -- fuel_cms FUEL CMS 1.4.11 allows SQL Injection via parameter 'name' in /fuel/permissions/create/. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 2021-01-05 7.5 CVE-2020-26045
MISC
MISC
MISC uclouvain -- openjpeg A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw allows an attacker to provide specially crafted input to the conversion or encoding functionality, causing an out-of-bounds read. The highest threat from this vulnerability is system availability. 2021-01-05 7.1 CVE-2020-27843
MISC uclouvain -- openjpeg A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior to 2.4.0. This flaw allows an attacker to provide crafted input to openjpeg during conversion and encoding, causing an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. 2021-01-05 8.3 CVE-2020-27844
MISC ultimatemember -- ultimate_member An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Meta. An attacker could supply an array parameter for sensitive metadata, such as the wp_capabilities user meta that defines a user's role. During the registration process, submitted registration details were passed to the update_profile function, and any metadata was accepted, e.g., wp_capabilities[administrator] for Administrator access. 2021-01-04 7.5 CVE-2020-36155
MISC
MISC
MISC ultimatemember -- ultimate_member An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Roles. Due to the lack of filtering on the role parameter that could be supplied during the registration process, an attacker could supply the role parameter with a WordPress capability (or any custom Ultimate Member role) and effectively be granted those privileges. 2021-01-04 7.5 CVE-2020-36157
MISC
MISC
MISC win911 -- mobile-911_server An exploitable local privilege elevation vulnerability exists in the file system permissions of the Mobile-911 Server V2.5 install directory. Depending on the vector chosen, an attacker can overwrite the service executable and execute arbitrary code with System privileges or replace other files within the installation folder that could lead to local privilege escalation. 2021-01-05 7.2 CVE-2020-13541
MISC Back to top

 

Medium Vulnerabilities Primary
Vendor -- Product Description Published CVSS Score Source & Patch Info 1234n -- minicms Directory traversal vulnerability in page_edit.php in MiniCMS V1.10 allows remote attackers to read arbitrary files via the state parameter. 2021-01-05 5 CVE-2020-36051
MISC advancedcustomfields -- advanced_custom_fields The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandles the escaping of strings in Select2 dropdowns, potentially leading to XSS. 2021-01-06 4.3 CVE-2020-36172
MISC apache -- flink Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master. 2021-01-05 5 CVE-2020-17518
MLIST
MLIST
MLIST
MLIST
MLIST
MLIST
MISC
MLIST
MLIST
MLIST
MLIST apache -- flink A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master. 2021-01-05 5 CVE-2020-17519
MISC
MLIST
MLIST
MLIST
MLIST
MLIST
MISC
MLIST
MLIST
MLIST broadcom -- ca_service_catalog CA Service Catalog 17.2 and 17.3 contain a vulnerability in the default configuration of the Setup Utility that may allow a remote attacker to cause a denial of service condition. 2021-01-05 5 CVE-2020-29478
CONFIRM dell -- emc_powerstore_firmware Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore X & T environments. A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. 2021-01-05 4.6 CVE-2020-29502
MISC dell -- emc_powerstore_firmware Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore X & T environments. A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. 2021-01-05 4.6 CVE-2020-29501
MISC dell -- emc_powerstore_firmware Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore T environments. A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. 2021-01-05 4.6 CVE-2020-29500
MISC dell -- wyse_management_suite Dell Wyse Management Suite versions prior to 3.1 contain an open redirect vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links. The vulnerability could be used to conduct phishing attacks that cause users to unknowingly visit malicious sites. 2021-01-04 5.8 CVE-2020-29498
MISC dell -- wyse_thinos Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to access the writable file and manipulate the configuration of any target specific station. 2021-01-04 6.4 CVE-2020-29492
MISC dell -- wyse_thinos Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain access to the sensitive information on the local network, leading to the potential compromise of impacted thin clients. 2021-01-04 5 CVE-2020-29491
MISC digisol -- dg-hr3400_firmware Cross Site Scripting (XSS) vulnerability in Digisol DG-HR3400 can be exploited via the NTP server name in Time and date module and "Keyword" in URL Filter. 2021-01-06 4.3 CVE-2020-35262
MISC
MISC
MISC dovecot -- dovecot An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure). 2021-01-04 6.5 CVE-2020-24386
MISC
FULLDISC
CONFIRM
MISC
CONFIRM
MISC
GENTOO
DEBIAN dovecot -- dovecot Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts. 2021-01-04 5 CVE-2020-25275
MISC
FULLDISC
CONFIRM
CONFIRM
MISC
GENTOO
DEBIAN expresstech -- quiz_and_survey_master An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall with a WordPress instance under their control. This occurred via qsm_remove_file_fd_question, which allowed unauthenticated deletions (even though it was only intended for a person to delete their own quiz-answer files). 2021-01-01 6.4 CVE-2020-35951
MISC
MISC ffmpeg -- ffmpeg decode_frame in libavcodec/exr.c in FFmpeg 4.3.1 has an out-of-bounds write because of errors in calculations of when to perform memset zero operations. 2021-01-04 5 CVE-2020-35965
MISC
MISC
MISC ffmpeg -- ffmpeg track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bounds write because of incorrect extradata packing. 2021-01-03 4.3 CVE-2020-35964
MISC
MISC foxitsoftware -- phantompdf Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a proxyPreviewAction race condition that can cause a stack-based buffer overflow or an out-of-bounds read. 2021-01-07 6.8 CVE-2018-20313
MISC foxitsoftware -- phantompdf Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a proxyDoAction race condition that can cause a stack-based buffer overflow or an out-of-bounds read, a different issue than CVE-2018-20310 because of a different opcode. 2021-01-07 6.8 CVE-2018-20312
MISC foxitsoftware -- phantompdf Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a race condition that can cause a stack-based buffer overflow or an out-of-bounds read. 2021-01-07 6.8 CVE-2018-20315
MISC foxitsoftware -- phantompdf Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a proxyCheckLicence race condition that can cause a stack-based buffer overflow or an out-of-bounds read. 2021-01-07 6.8 CVE-2018-20314
MISC foxitsoftware -- phantompdf Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a proxyDoAction race condition that can cause a stack-based buffer overflow or an out-of-bounds read, a different issue than CVE-2018-20310 because of a different opcode. 2021-01-07 6.8 CVE-2018-20316
MISC foxitsoftware -- phantompdf Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a proxyCPDFAction race condition that can cause a stack-based buffer overflow or an out-of-bounds read. 2021-01-07 6.8 CVE-2018-20311
MISC foxitsoftware -- phantompdf Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a proxyGetAppEdition race condition that can cause a stack-based buffer overflow or an out-of-bounds read. 2021-01-07 6.8 CVE-2018-20309
MISC foxitsoftware -- phantompdf Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a proxyDoAction race condition that can cause a stack-based buffer overflow or an out-of-bounds read. 2021-01-07 6.8 CVE-2018-20310
MISC gigamon -- gigavue-os GigaVUE-OS (GVOS) 5.4 - 5.9 stores a Redis database password in plaintext. 2021-01-05 4 CVE-2020-23249
MISC gjson_project -- gjson GJSON <=v1.6.5 allows attackers to cause a denial of service (panic: runtime error: slice bounds out of range) via a crafted GET call. 2021-01-05 5 CVE-2020-36067
MISC gjson_project -- gjson GJSON <1.6.5 allows attackers to cause a denial of service (remote) via crafted JSON. 2021-01-05 5 CVE-2020-36066
MISC gnu -- binutils There's a flaw in bfd_pef_scan_start_address() of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability. This flaw affects binutils versions prior to 2.34. 2021-01-04 4.3 CVE-2020-35496
MISC
FEDORA gnu -- binutils There's a flaw in binutils /opcodes/tic4x-dis.c. An attacker who is able to submit a crafted input file to be processed by binutils could cause usage of uninitialized memory. The highest threat is to application availability with a lower threat to data confidentiality. This flaw affects binutils versions prior to 2.34. 2021-01-04 5.8 CVE-2020-35494
MISC
FEDORA gnu -- binutils A flaw exists in binutils in bfd/pef.c. An attacker who is able to submit a crafted PEF file to be parsed by objdump could cause a heap buffer overflow -> out-of-bounds read that could lead to an impact to application availability. This flaw affects binutils versions prior to 2.34. 2021-01-04 4.3 CVE-2020-35493
MISC
FEDORA gnu -- binutils There's a flaw in binutils /bfd/pef.c. An attacker who is able to submit a crafted input file to be processed by the objdump program could cause a null pointer dereference. The greatest threat from this flaw is to application availability. This flaw affects binutils versions prior to 2.34. 2021-01-04 4.3 CVE-2020-35495
MISC
FEDORA gnu -- binutils There's a flaw in bfd_pef_parse_function_stubs of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability. This flaw affects binutils versions prior to 2.34. 2021-01-04 4.3 CVE-2020-35507
MISC gnu -- glibc The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read. 2021-01-04 5 CVE-2019-25013
MISC
MISC golang -- go In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) 2021-01-02 5 CVE-2020-28851
MISC golang -- go In x/text in Go 1.15.4, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) 2021-01-02 5 CVE-2020-28852
MISC google -- android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. The quram library allows attackers to execute arbitrary code or cause a denial of service (memory corruption) during dng decoding. The Samsung ID is SVE-2020-18811 (January 2021). 2021-01-05 6.8 CVE-2021-22493
MISC google -- android An issue was discovered in the fingerprint scanner on Samsung Note20 mobile devices with Q(10.0) software. When a screen protector is used, the required image compensation is not present. Consequently, inversion can occur during fingerprint enrollment, and a high False Recognition Rate (FRR) can occur. The Samsung ID is SVE-2020-19216 (January 2021). 2021-01-05 4.3 CVE-2021-22494
MISC google -- android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (Broadcom Bluetooth chipsets) software. The Bluetooth UART driver has a buffer overflow. The Samsung ID is SVE-2020-18731 (January 2021). 2021-01-05 5.8 CVE-2021-22492
MISC hp -- integrated_lights-out_4 A potential security vulnerability has been identified in HPE Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 4 (iLO 4) firmware. The vulnerability could be remotely exploited to disclose the serial number and other information. 2021-01-05 5 CVE-2020-7202
MISC htmlsanitizer_project -- htmlsanitizer HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. In HtmlSanitizer before version 5.0.372, there is a possible XSS bypass if style tag is allowed. If you have explicitly allowed the `<style>` tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the `<style>` tag so there is no risk if you have not explicitly allowed the `<style>` tag. The problem has been fixed in version 5.0.372. 2021-01-04 4.3 CVE-2020-26293
MISC
MISC
CONFIRM
MISC ibm -- api_connect IBM API Connect 5.0.0.0 through 5.0.8.10 could potentially leak sensitive information or allow for data corruption due to plain text transmission of sensitive information across the network. IBM X-Force ID: 190990. 2021-01-05 6.4 CVE-2020-4899
XF
CONFIRM ibm -- cloud_pak_system IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 191391. 2021-01-04 6.8 CVE-2020-4917
XF
CONFIRM ibm -- cloud_pak_system IBM Cloud Pak System 2.3 could allow a local privileged attacker to upload arbitrary files. By intercepting the request and modifying the file extention, the attacker could execute arbitrary code on the server. IBM X-Force ID: 191705. 2021-01-04 4.6 CVE-2020-4928
XF
CONFIRM ibm -- cloud_pak_system IBM Cloud Pak System 2.3 Self Service Console could allow a privilege escalation by capturing the user request URL when logged in as a privileged user. IBM X-Force ID: 191287. 2021-01-04 6.5 CVE-2020-4912
XF
CONFIRM ibm -- cloud_pak_system IBM Cloud Pak System 2.3 has insufficient logout controls which could allow an authenticated privileged user to impersonate another user on the system. IBM X-Force ID: 191395. 2021-01-04 5.5 CVE-2020-4919
XF
CONFIRM ibm -- curam_social_program_management IBM Curam Social Program Management 7.0.9 and 7.0.11 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 191942. 2021-01-04 6.8 CVE-2020-4942
XF
CONFIRM ibm -- emptoris_strategic_supply_management IBM Emptoris Strategic Supply Management 10.1.0, 10.1.1, and 10.1.3 transmits sensitive information in HTTP GET request parameters. This may lead to information disclosure via man in the middle methods. IBM X-Force ID: 190984. 2021-01-07 4.3 CVE-2020-4893
XF
CONFIRM ibm -- emptoris_strategic_supply_management IBM Emptoris Strategic Supply Management 10.1.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 190989. 2021-01-07 5 CVE-2020-4898
XF
CONFIRM ibm -- sterling_b2b_integrator IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5_2, 6.0.0.0 through 6.0.3.2, and 6.1.0.0 could allow an authenticated user to create a privileged account due to improper access controls. IBM X-Force ID: 188896. 2021-01-05 6.5 CVE-2020-4762
XF
CONFIRM ibm -- sterling_b2b_integrator IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5_2, 6.0.0.0 through 6.0.3.2, and 6.1.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 188895. 2021-01-05 5 CVE-2020-4761
XF
CONFIRM invisioncommunity -- ips_community_suite Invision Community IPS Community Suite before 4.5.4.2 allows XSS during the quoting of a post or comment. 2021-01-05 4.3 CVE-2021-3026
MISC kamadak-exif_project -- kamadak-exif kamadak-exif is an exif parsing library written in pure Rust. In kamadak-exif version 0.5.2, there is an infinite loop in parsing crafted PNG files. Specifically, reader::read_from_container can cause an infinite loop when a crafted PNG file is given. This is fixed in version 0.5.3. No workaround is available. Applications that do not pass files with the PNG signature to Reader::read_from_container are not affected. 2021-01-06 4.3 CVE-2021-21235
MISC
MISC
CONFIRM lanproxy_project -- lanproxy ffay lanproxy 0.1 allows Directory Traversal to read /../conf/config.properties to obtain credentials for a connection to the intranet. 2021-01-05 5 CVE-2021-3019
MISC
MISC limit_login_attempts_project -- limit_login_attempts The Limit Login Attempts plugin before 1.7.1 for WordPress does not clear auth cookies upon a lockout, which might make it easier for remote attackers to conduct brute-force authentication attempts. 2021-01-06 5 CVE-2012-10001
MISC loopring -- loopring The sellTokenForLRC function in the vault protocol in the smart contract implementation for Loopring (LRC), an Ethereum token, lacks access control for fee swapping and thus allows price manipulation. 2021-01-03 5 CVE-2020-35962
MISC
MISC mcafee -- network_security_management Cross Site Request Forgery vulnerability in McAfee Network Security Management (NSM) prior to 10.1.7.35 and NSM 9.x prior to 9.2.9.55 may allow an attacker to change the configuration of the Network Security Manager via a carefully crafted HTTP request. 2021-01-05 4.3 CVE-2020-7336
CONFIRM mikrotik -- routeros In MikroTik RouterOS through 2021-01-04, the hotspot login page is vulnerable to reflected XSS via the target parameter. 2021-01-04 4.3 CVE-2021-3014
MISC
MISC mk-auth -- mk-auth MK-AUTH through 19.01 K4.9 allows remote attackers to obtain sensitive information (e.g., a CPF number) via a modified titulo (aka invoice number) value to the central/recibo.php URI. 2021-01-03 4 CVE-2021-3005
MISC
MISC mk-auth -- mk-auth MK-AUTH through 19.01 K4.9 allows CSRF for password changes via the central/executar_central.php?acao=altsenha_princ URI. 2021-01-04 6.8 CVE-2021-21495
MISC
MISC ninjaforms -- ninja_forms The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field. 2021-01-06 5 CVE-2020-36175
MISC ninjaforms -- ninja_forms The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields. 2021-01-06 5 CVE-2020-36173
MISC ninjaforms -- ninja_forms The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration. 2021-01-06 4.3 CVE-2020-36174
MISC nxlog -- nxlog The fileop module of the NXLog service in NXLog Community Edition 2.10.2150 allows remote attackers to cause a denial of service (daemon crash) via a crafted Syslog payload to the Syslog service. This attack requires a specific configuration. Also, the name of the directory created must use a Syslog field. (For example, on Linux it is not possible to create a .. directory. On Windows, it is not possible to create a CON directory.) 2021-01-05 4.3 CVE-2020-35488
MISC orangehrm -- orangehrm SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint. 2021-01-05 5.5 CVE-2020-29437
MISC
MISC
CONFIRM
MISC pagelayer -- pagelayer An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. Nearly all of the AJAX action endpoints lacked permission checks, allowing these actions to be executed by anyone authenticated on the site. This happened because nonces were used as a means of authorization, but a nonce was present in a publicly viewable page. The greatest impact was the pagelayer_save_content function that allowed pages to be modified and allowed XSS to occur. 2021-01-01 6.5 CVE-2020-35947
MISC
MISC pagelayer -- pagelayer An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. The pagelayer_settings_page function is vulnerable to CSRF, which can lead to XSS. 2021-01-01 6.8 CVE-2020-35944
MISC
MISC proofpoint -- insider_threat_management_server The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.9.1 contains a vulnerability in the ITM web console's ImportAlertRules feature. The vulnerability allows a remote attacker (with admin or config-admin privileges in the console) to execute arbitrary code with local administrator privileges. The vulnerability is caused by improper deserialization. 2021-01-06 6.5 CVE-2020-10657
MISC
CONFIRM redlion -- crimson An attacker could send a specially crafted message to Crimson 3.1 (Build versions prior to 3119.001) that could leak arbitrary memory locations. 2021-01-06 5 CVE-2020-27283
MISC redlion -- crimson The default configuration of Crimson 3.1 (Build versions prior to 3119.001) allows a user to be able to read and modify the database without authentication. 2021-01-06 6.4 CVE-2020-27285
MISC rest\/json_project -- rest\/json The REST/JSON project 7.x-1.x for Drupal allows session enumeration, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. 2021-01-01 5 CVE-2016-20008
MISC rest\/json_project -- rest\/json The REST/JSON project 7.x-1.x for Drupal allows user enumeration, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. 2021-01-01 5 CVE-2016-20003
MISC rest\/json_project -- rest\/json The REST/JSON project 7.x-1.x for Drupal allows blockage of user logins, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. 2021-01-01 5 CVE-2016-20006
MISC rest\/json_project -- rest\/json The REST/JSON project 7.x-1.x for Drupal allows session name guessing, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. 2021-01-01 5 CVE-2016-20007
MISC seal_finance_project -- seal_finance The breed function in the smart contract implementation for Farm in Seal Finance (Seal), an Ethereum token, lacks access control and thus allows price manipulation, as exploited in the wild in December 2020 and January 2021. 2021-01-03 5 CVE-2021-3006
MISC
MISC seopanel -- seo_panel Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?sec=forgot email parameter. 2021-01-01 4.3 CVE-2021-3002
MISC
MISC solarwinds -- web_help_desk SolarWinds Web Help Desk 12.7.0 allows HTML injection via a Comment in a Help Request ticket. 2021-01-06 4.9 CVE-2019-16954
MISC
MISC
MISC stableyieldcredit_project -- stableyieldcredit The _deposit function in the smart contract implementation for Stable Yield Credit (yCREDIT), an Ethereum token, has certain incorrect calculations. An attacker can obtain more yCREDIT tokens than they should. 2021-01-03 5 CVE-2021-3004
MISC
MISC thecodingmachine -- gotenberg A directory traversal vulnerability in the Markdown engine of Gotenberg through 6.2.1 allows an attacker to read any container files. 2021-01-07 5 CVE-2020-13449
MISC
MISC thedaylightstudio -- fuel_cms FUEL CMS 1.4.11 has stored XSS in Blocks/Navigation/Site variables. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account and also impact other visitors. 2021-01-05 4.3 CVE-2020-26046
MISC
MISC treasuredata -- fluent_bit flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out-of-bounds write because it does not use the correct calculation of the maximum gzip data-size expansion. 2021-01-03 6.8 CVE-2020-35963
MISC
MISC
MISC uclouvain -- openjpeg There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions prior to 2.4.0. If an attacker is able to provide untrusted input to openjpeg's conversion/encoding functionality, they could cause an out-of-bounds read. The highest impact of this flaw is to application availability. 2021-01-05 4.3 CVE-2020-27845
MISC uclouvain -- openjpeg There's a flaw in openjpeg's t2 encoder in versions prior to 2.4.0. An attacker who is able to provide crafted input to be processed by openjpeg could cause a null pointer dereference. The highest impact of this flaw is to application availability. 2021-01-05 4.3 CVE-2020-27842
MISC uclouvain -- openjpeg There's a flaw in openjpeg in versions prior to 2.4.0 in src/lib/openjp2/pi.c. When an attacker is able to provide crafted input to be processed by the openjpeg encoder, this could cause an out-of-bounds read. The greatest impact from this flaw is to application availability. 2021-01-05 4.3 CVE-2020-27841
MISC ultimatemember -- ultimate_member The Ultimate Member plugin before 2.1.13 for WordPress mishandles hidden name="timestamp" fields in forms. 2021-01-06 5 CVE-2020-36170
MISC ultimatemember -- ultimate_member An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Authenticated Privilege Escalation via Profile Update. Any user with wp-admin access to the profile.php page could supply the parameter um-role with a value set to any role (e.g., Administrator) during a profile update, and effectively escalate their privileges. 2021-01-04 6.5 CVE-2020-36156
MISC
MISC
MISC veno_file_manager_project -- veno_file_manager Veno File Manager 3.5.6 is affected by a directory traversal vulnerability. Using the traversal allows an attacker to download sensitive files from the server. 2021-01-04 5 CVE-2020-22550
MISC
MISC veritas -- desktop_and_laptop_option Veritas Desktop and Laptop Option (DLO) before 9.5 disclosed operational information on the backup processing status through a URL that did not require authentication. 2021-01-05 5 CVE-2020-36159
MISC vikisolutions -- vera An issue was discovered in Viki Vera 4.9.1.26180. A user without access to a project could download or upload project files by opening the Project URL directly in the browser after logging in. 2021-01-05 5.5 CVE-2019-20484
MISC webform_report_project -- webform_report The Webform Report project 7.x-1.x-dev for Drupal allows remote attackers to view submissions by visiting the /rss.xml page. NOTE: This project is not covered by Drupal's security advisory policy. 2021-01-01 5 CVE-2019-25012
MISC win911 -- win-911 An exploitable local privilege elevation vulnerability exists in the file system permissions of the Win-911 Enterprise V4.20.13 install directory via “WIN-911 Mobile Runtime” service. Depending on the vector chosen, an attacker can overwrite various executables which could lead to escalation of the privileges when executed. 2021-01-05 4.6 CVE-2020-13539
MISC
MISC win911 -- win-911 An exploitable local privilege elevation vulnerability exists in the file system permissions of the Win-911 Enterprise V4.20.13 install directory via WIN-911 Account Change Utility. Depending on the vector chosen, an attacker can overwrite various executables which could lead to escalation of the privileges when executed. 2021-01-05 4.6 CVE-2020-13540
MISC Back to top

 

Low Vulnerabilities Primary
Vendor -- Product Description Published CVSS Score Source & Patch Info beetel -- 777vr1_firmware Cross Site Scripting (XSS) vulnerability in Beetel router 777VR1 can be exploited via the NTP server name in System Time and "Keyword" in URL Filter. 2021-01-06 3.5 CVE-2020-25498
MISC
MISC
MISC
MISC dell -- emc_unity_operating_environment Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contain a plain-text password storage vulnerability. A user credentials (including the Unisphere admin privilege user) password is stored in a plain text in multiple log files. A local authenticated attacker with access to the log files may use the exposed password to gain access with the privileges of the compromised user. 2021-01-05 2.1 CVE-2020-26199
MISC dell -- unisphere Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions prior to 9.0.2.16, and Dell EMC PowerMax OS 5978.221.221 and 5978.479.479 contain a Cross-Site Scripting (XSS) vulnerability. An authenticated malicious user may potentially exploit this vulnerability to inject javascript code and affect other authenticated users’ sessions. 2021-01-05 3.5 CVE-2020-35170
MISC dell -- wyse_management_suite Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with high privileges could exploit this vulnerability to store malicious HTML or JavaScript code while creating the Enduser. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. 2021-01-04 3.5 CVE-2020-29496
MISC dell -- wyse_management_suite Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with low privileges could exploit this vulnerability to store malicious HTML or JavaScript code under the device tag. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. 2021-01-04 3.5 CVE-2020-29497
MISC electronjs -- zonote zonote through 0.4.0 allows XSS via a crafted note, with resultant Remote Code Execution (because nodeIntegration in webPreferences is true). 2021-01-01 3.5 CVE-2020-35717
MISC
MISC
MISC
MISC gigamon -- gigavue-os GigaVUE-OS (GVOS) 5.4 - 5.9 uses a weak algorithm for a hash stored in internal database. 2021-01-05 2.1 CVE-2020-23250
MISC google -- android An issue was discovered on LG mobile devices with Android OS 10 software. There was no write protection for the MTK protect2 partition. The LG ID is LVE-SMP-200028 (January 2021). 2021-01-05 2.1 CVE-2021-3022
MISC ibm -- cloud_pak_system IBM Cloud Pak System 2.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191274. 2021-01-04 3.5 CVE-2020-4910
XF
CONFIRM ibm -- cloud_pak_system IBM Cloud Pak System 2.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191273. 2021-01-04 3.5 CVE-2020-4909
XF
CONFIRM ibm -- cloud_pak_system IBM Cloud Pak System 2.3 could reveal credential information in the HTTP response to a local privileged user. IBM X-Force ID: 191288. 2021-01-04 2.1 CVE-2020-4913
XF
CONFIRM ibm -- cloud_pak_system IBM Cloud Pak System 2.3 could allow l local privileged user to disclose sensitive information due to an insecure direct object reference in sell service console for the Platform System Manager. IBM X-Force ID: 191392. 2021-01-04 2.1 CVE-2020-4918
XF
CONFIRM ibm -- cloud_pak_system IBM Cloud Pak System 2.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191390. 2021-01-04 3.5 CVE-2020-4916
XF
CONFIRM ibm -- emptoris_strategic_supply_management IBM Emptoris Strategic Supply Management 10.1.0, 10.1.1, and 10.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190986. 2021-01-07 3.5 CVE-2020-4895
XF
CONFIRM mk-auth -- mk-auth MK-AUTH through 19.01 K4.9 allows XSS via the admin/logs_ajax.php tipo parameter. An attacker can leverage this to read the centralmka2 (session token) cookie, which is not set to HTTPOnly. 2021-01-04 3.5 CVE-2021-21494
MISC
MISC semperplugins -- all_in_one_seo_pack An issue was discovered in the All in One SEO Pack plugin before 3.6.2 for WordPress. The SEO Description and Title fields are vulnerable to unsanitized input from a Contributor, leading to stored XSS. 2021-01-01 3.5 CVE-2020-35946
MISC
MISC solarwinds -- web_help_desk SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file with a crafted Location Name field. 2021-01-04 3.5 CVE-2019-16960
MISC
MISC
MISC solarwinds -- web_help_desk SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type parameter of a ticket. 2021-01-04 3.5 CVE-2019-16956
MISC
MISC
MISC tenda -- f3_firmware Tenda N300 F3 12.01.01.48 devices allow remote attackers to obtain sensitive information (possibly including an http_passwd line) via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg, a related issue to CVE-2017-14942. NOTE: the vulnerability report may suggest that either a ? character must be placed after the RouterCfm.cfg filename, or that the HTTP request headers must be unusual, but it is not known why these are relevant to the device's HTTP response behavior. 2021-01-01 3.3 CVE-2020-35391
MISC vikisolutions -- vera An issue was discovered in Viki Vera 4.9.1.26180. An attacker could set a user's last name to an XSS Payload, and read another user's cookie and use that to login to the application. 2021-01-05 3.5 CVE-2019-20483
MISC zohocorp -- manageengine_desktop_central Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a modified Report Name in a New Custom Report. 2021-01-06 3.5 CVE-2019-16962
MISC
MISC Back to top

 

Severity Not Yet Assigned Primary
Vendor -- Product Description Published CVSS Score Source & Patch Info actionpack_gem_for_ruby_on_rails -- actionpack_gem_for_ruby_on_rails In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware. 2021-01-06 not yet calculated CVE-2020-8264
MISC
MISC advanced_webhost_billing_system -- advanced_webhost_billing_system
  Advanced Webhost Billing System 3.7.0 is affected by Cross Site Request Forgery (CSRF) attacks that can delete a contact from the My Additional Contact page. 2021-01-08 not yet calculated CVE-2020-25950
MISC asp.net -- cute_editor
  Cute Editor for ASP.NET 6.4 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. 2021-01-07 not yet calculated CVE-2020-24903
MISC barco -- multiple_products
  Barco TransForm NDN-210 Lite, NDN-210 Pro, NDN-211 Lite, and NDN-211 Pro before 3.8 allows Command Injection (issue 1 of 4). The NDN-210 has a web administration panel which is made available over https. The logon method is basic authentication. There is a command injection issue that will result in unauthenticated remote code execution in the username and password fields of the logon prompt. The NDN-210 is part of Barco TransForm N solution and includes the patch from TransForm N version 3.8 onwards. 2021-01-07 not yet calculated CVE-2020-17500
MISC
CONFIRM
MISC barco -- transform_n
  Barco TransForm N before 3.8 allows Command Injection (issue 2 of 4). The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users of the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameters xmodules, ymodules and savelocking are not properly handled. The NDN-210 is part of Barco TransForm N solution and includes the patch from TransForm N version 3.8 onwards. 2021-01-08 not yet calculated CVE-2020-17502
MISC
CONFIRM
MISC barco -- transform_n
  The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users to the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameter "locking" is not properly handled. The NDN-210 is part of Barco TransForm N solution and this vulnerability is patched from TransForm N version 3.8 onwards. 2021-01-08 not yet calculated CVE-2020-17503
MISC
CONFIRM
MISC barco -- transform_n
  The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users to the administration panel to perform authenticated remote code execution. An issue exists in ngpsystemcmd.php in which the http parameters "x_modules" and "y_modules" are not properly handled. The NDN-210 is part of Barco TransForm N solution and this vulnerability is patched from TransForm N version 3.8 onwards. 2021-01-08 not yet calculated CVE-2020-17504
MISC
CONFIRM
MISC bssi -- web-sesame
  A misconfiguration in Web-Sesame 2020.1.1.3375 allows an unauthenticated attacker to download the source code of the application, facilitating its comprehension (code review). Specifically, JavaScript source maps were inadvertently included in the production Webpack configuration. These maps contain sources used to generate the bundle, configuration settings (e.g., API keys), and developers' comments. 2021-01-06 not yet calculated CVE-2020-29041
MISC
MISC buns -- buns
  This affects all versions of package buns. The injection point is located in line 678 in index file lib/index.js in the exported function install(requestedModule). 2021-01-08 not yet calculated CVE-2020-7794
MISC cairosvg -- cairosvg
  CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See Referenced GitHub advisory for more information. 2021-01-06 not yet calculated CVE-2021-21236
MISC
MISC
CONFIRM
MISC ceph -- ceph A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible. 2021-01-08 not yet calculated CVE-2020-25678
MISC
MISC cisco -- jabber
  Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information. For more information about these vulnerabilities, see the Details section of this advisory. 2021-01-07 not yet calculated CVE-2020-26085
CISCO citrix -- secure_mail Citrix Secure Mail for Android before 20.11.0 suffers from improper access control allowing unauthenticated access to read limited calendar related data stored within Secure Mail. Note that a malicious app would need to be installed on the Android device or a threat actor would need to execute arbitrary code on the Android device. 2021-01-06 not yet calculated CVE-2020-8275
MISC citrix -- secure_mail
  Citrix Secure Mail for Android before 20.11.0 suffers from Improper Control of Generation of Code ('Code Injection') by allowing unauthenticated access to read data stored within Secure Mail. Note that a malicious app would need to be installed on the Android device or a threat actor would need to execute arbitrary code on the Android device. 2021-01-06 not yet calculated CVE-2020-8274
MISC cockpit -- cockpit
  Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI. 2021-01-08 not yet calculated CVE-2020-35131
MISC
MISC
MISC d-link -- dsl-2888a_devices
  An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. The One Touch application discloses sensitive information, such as the hashed admin login password and the Internet provider connection username and cleartext password, in the application's response body for a /tmp/var/passwd or /tmp/home/wan_stat URI. 2021-01-08 not yet calculated CVE-2020-24577
MISC
CONFIRM
MISC dell -- client_and_commerical_consumer_platforms
  Select Dell Client Commercial and Consumer platforms support a BIOS password reset capability that is designed to assist authorized customers who forget their passwords. Dell is aware of unauthorized password generation tools that can generate BIOS recovery passwords. The tools, which are not authorized by Dell, can be used by a physically present attacker to reset BIOS passwords and BIOS-managed Hard Disk Drive (HDD) passwords. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability to bypass security restrictions for BIOS Setup configuration, HDD access and BIOS pre-boot authentication. 2021-01-04 not yet calculated CVE-2020-5361
MISC dell -- inspiron_5675_bios
  Dell Inspiron 5675 BIOS versions prior to 1.4.1 contain a UEFI BIOS RuntimeServices overwrite vulnerability. A local attacker with access to system memory may exploit this vulnerability by overwriting the RuntimeServices structure to execute arbitrary code in System Management Mode (SMM). 2021-01-08 not yet calculated CVE-2020-26186
MISC dell -- multiple_products
  Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contains a plain-text password storage vulnerability. A user credentials (including the Unisphere admin privilege user) password is stored in a plain text in a system file. A local authenticated attacker with access to the system files may use the exposed password to gain access with the privileges of the compromised user. 2021-01-05 not yet calculated CVE-2020-29489
MISC dell -- multiple_products
  Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contain a Denial of Service vulnerability on NAS Servers with NFS exports. A remote authenticated attacker could potentially exploit this vulnerability and cause Denial of Service (Storage Processor Panic) by sending specially crafted UDP requests. 2021-01-05 not yet calculated CVE-2020-29490
MISC drupal -- aes_encryption
  The AES encryption project 7.x and 8.x for Drupal does not sufficiently prevent attackers from decrypting data, aka SA-CONTRIB-2017-027. NOTE: This project is not covered by Drupal's security advisory policy. 2021-01-01 not yet calculated CVE-2017-20001
MISC drupal -- kcfinder_integration
  uploader.php in the KCFinder integration project through 2018-06-01 for Drupal mishandles validation, aka SA-CONTRIB-2018-024. NOTE: This project is not covered by Drupal's security advisory policy. 2021-01-01 not yet calculated CVE-2018-25002
MISC
MISC
MISC eaton -- easysoft
  Eaton's easySoft software v7.20 and prior are susceptible to file parsing type confusion remote code execution vulnerability. A malicious entity can execute a malicious code or make the application crash by tricking user upload a malformed .E70 file in the application. The vulnerability arises due to improper validation of user data supplied through E70 file which is causing Type Confusion. 2021-01-07 not yet calculated CVE-2020-6656
MISC
MISC
MISC
MISC eaton -- easysoft
  The Eaton's easySoft software v7.20 and prior are susceptible to Out-of-bounds remote code execution vulnerability. A malicious entity can execute a malicious code or make the application crash by tricking user to upload the malformed .E70 file in the application. The vulnerability arises due to improper validation and parsing of the E70 file content by the application. 2021-01-07 not yet calculated CVE-2020-6655
MISC
MISC evolucare -- ecsimaging
  ** UNSUPPORTED WHEN ASSIGNED ** EVOLUCARE ECSIMAGING (aka ECS Imaging) through 6.21.5 has an OS Command Injection vulnerability via shell metacharacters and an IFS manipulation. The parameter "file" on the webpage /showfile.php can be exploited to gain root access. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. 2021-01-07 not yet calculated CVE-2021-3029
MISC
MISC formstone -- formstone
  Formstone <=1.4.16 is vulnerable to a Reflected Cross-Site Scripting (XSS) vulnerability caused by improper validation of user supplied input in the upload-target.php and upload-chunked.php files. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site once the URL is clicked or visited. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials, force malware execution, user redirection and others. 2021-01-07 not yet calculated CVE-2020-26768
MISC foxit -- multiple_products
  The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, a Signature Wrapping vulnerability exists in multiple products. An attacker can use /ByteRange and xref manipulations that are not detected by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects eXpert PDF 12 Ultimate, Expert PDF Reader, Nitro Pro, Nitro Reader, PDF Architect 6, PDF Editor 6 Pro, PDF Experte 9 Ultimate, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, PDF-XChange Editor and Viewer, Perfect PDF 10 Premium, Perfect PDF Reader, Soda PDF, and Soda PDF Desktop. 2021-01-07 not yet calculated CVE-2018-18689
MISC
MISC
CONFIRM
MISC foxit -- multiple_products
  The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, an Incremental Saving vulnerability exists in multiple products. When an attacker uses the Incremental Saving feature to add pages or annotations, Body Updates are displayed to the user without any action by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects LibreOffice, Master PDF Editor, Nitro Pro, Nitro Reader, Nuance Power PDF Standard, PDF Editor 6 Pro, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, Perfect PDF 10 Premium, and Perfect PDF Reader. 2021-01-07 not yet calculated CVE-2018-18688
MISC
MISC
CONFIRM
MISC foxit -- pdf_activex
  Foxit PDF ActiveX before 5.5.1 allows remote code execution via command injection because of the lack of a security permission control. 2021-01-07 not yet calculated CVE-2018-19418
MISC
CONFIRM google -- chrome Use after free in WebCodecs in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16023
MISC
MISC google -- chrome Use after free in WebRTC in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16026
MISC
MISC google -- chrome Use after free in safe browsing in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. 2021-01-08 not yet calculated CVE-2021-21110
MISC
MISC
GENTOO google -- chrome Insufficient policy enforcement in WebUI in Google Chrome prior to 87.0.4280.141 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. 2021-01-08 not yet calculated CVE-2021-21111
MISC
MISC
GENTOO google -- chrome Insufficient data validation in cros-disks in Google Chrome on ChromeOS prior to 87.0.4280.66 allowed a remote attacker who had compromised the browser process to bypass noexec restrictions via a malicious file. 2021-01-08 not yet calculated CVE-2020-16035
MISC
MISC google -- chrome Use after free in clipboard in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16037
MISC
MISC google -- chrome Use after free in audio in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2021-01-08 not yet calculated CVE-2021-21114
MISC
MISC
GENTOO google -- chrome Use after free in drag and drop in Google Chrome on Linux prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 2021-01-08 not yet calculated CVE-2021-21107
MISC
MISC
GENTOO google -- chrome User after free in safe browsing in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 2021-01-08 not yet calculated CVE-2021-21115
MISC
MISC
GENTOO google -- chrome Heap buffer overflow in audio in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2021-01-08 not yet calculated CVE-2021-21116
MISC
MISC
GENTOO google -- chrome Use after free in media in Google Chrome on OS X prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16038
MISC
MISC google -- chrome
  Inappropriate implementation in PDFium in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to bypass navigation restrictions via a crafted PDF file. 2021-01-08 not yet calculated CVE-2020-16029
MISC
MISC google -- chrome
  Inappropriate implementation in cookies in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to bypass cookie restrictions via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16036
MISC
MISC google -- chrome
  Insufficient data validation in sharing in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16032
MISC
MISC google -- chrome
  Inappropriate implementation in filesystem in Google Chrome on ChromeOS prior to 87.0.4280.66 allowed a remote attacker who had compromised the browser process to bypass noexec restrictions via a malicious file. 2021-01-08 not yet calculated CVE-2020-16019
MISC
MISC google -- chrome
  Insufficient data validation in UI in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16031
MISC
MISC google -- chrome
  Insufficient data validation in Blink in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16030
MISC
MISC google -- chrome
  Insufficient policy enforcement in developer tools in Google Chrome prior to 87.0.4280.66 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from the user's disk via a crafted Chrome Extension. 2021-01-08 not yet calculated CVE-2020-16027
MISC
MISC google -- chrome
  Heap buffer overflow in WebRTC in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16028
MISC
MISC google -- chrome
  Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16040
MISC
MISC google -- chrome
  Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16017
MISC
MISC google -- chrome
  Heap buffer overflow in clipboard in Google Chrome prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16025
MISC
MISC google -- chrome
  Heap buffer overflow in UI in Google Chrome prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16024
MISC
MISC google -- chrome
  Inappropriate implementation in cryptohome in Google Chrome on ChromeOS prior to 87.0.4280.66 allowed a remote attacker who had compromised the browser process to bypass discretionary access control via a malicious file. 2021-01-08 not yet calculated CVE-2020-16020
MISC
MISC google -- chrome
  Inappropriate implementation in WebRTC in Google Chrome prior to 87.0.4280.66 allowed a local attacker to bypass policy restrictions via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16034
MISC
MISC google -- chrome
  Use after free in extensions in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16039
MISC
MISC google -- chrome
  Use after free in media in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 2021-01-08 not yet calculated CVE-2021-21108
MISC
MISC
GENTOO google -- chrome
  Out of bounds read in networking in Google Chrome prior to 87.0.4280.88 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16041
MISC
MISC google -- chrome
  Uninitialized Use in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16042
MISC
MISC google -- chrome
  Insufficient data validation in networking in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to bypass discretionary access control via malicious network traffic. 2021-01-08 not yet calculated CVE-2020-16043
MISC
MISC
GENTOO google -- chrome
  Race in image burner in Google Chrome on ChromeOS prior to 87.0.4280.66 allowed a remote attacker who had compromised the browser process to perform OS-level privilege escalation via a malicious file. 2021-01-08 not yet calculated CVE-2020-16021
MISC
MISC google -- chrome
  Inappropriate implementation in WebUSB in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to spoof security UI via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16033
MISC
MISC google -- chrome
  Inappropriate implementation in base in Google Chrome prior to 86.0.4240.193 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16016
MISC
MISC google -- chrome
  Insufficient policy enforcement in networking in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially bypass firewall controls via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16022
MISC
MISC google -- chrome
  Use after free in PPAPI in Google Chrome prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16014
MISC
MISC google -- chrome
  Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16013
MISC
MISC google -- chrome
  Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16012
MISC
MISC google -- chrome
  Use after free in payments in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 2021-01-08 not yet calculated CVE-2021-21109
MISC
MISC
GENTOO google -- chrome
  Insufficient data validation in WASM in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16015
MISC
MISC google -- chrome
  Heap buffer overflow in Skia in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2021-01-08 not yet calculated CVE-2021-21113
MISC
MISC
GENTOO google -- chrome
  Use after free in Blink in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2021-01-08 not yet calculated CVE-2021-21112
MISC
MISC
GENTOO google -- chrome
  Use after free in payments in Google Chrome prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 2021-01-08 not yet calculated CVE-2020-16018
MISC
MISC google -- chrome
  Use after free in autofill in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. 2021-01-08 not yet calculated CVE-2021-21106
MISC
MISC
GENTOO ibm -- emptoris_contract_management
  IBM Emptoris Contract Management 10.1.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190979. 2021-01-07 not yet calculated CVE-2020-4892
XF
CONFIRM ibm -- emptoris_contract_management_and_emptoris_spend_analysis
  IBM Emptoris Contract Management and IBM Emptoris Spend Analysis 10.1.0, 10.1.1, and 10.1.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 190988. 2021-01-07 not yet calculated CVE-2020-4897
XF
CONFIRM
CONFIRM ibm -- emptoris_sourcing
  IBM Emptoris Sourcing 10.1.0, 10.1.1, and 10.1.3 is vulnerable to web cache poisoning, caused by improper input validation by modifying HTTP request headers. IBM X-Force ID: 190987. 2021-01-07 not yet calculated CVE-2020-4896
XF
CONFIRM ibm -- engineering_requirements_quality_assistant_on-premises
  IBM Engineering Requirements Quality Assistant On-Premises could allow an authenticated user to obtain sensitive information due to improper input validation. IBM X-Force ID: 186282. 2021-01-08 not yet calculated CVE-2020-4667
XF
CONFIRM ibm -- engineering_requirements_quality_assistant_on-premises
  IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186281. 2021-01-08 not yet calculated CVE-2020-4666
XF
CONFIRM ibm -- engineering_requirements_quality_assistant_on-premises
  IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186235. 2021-01-08 not yet calculated CVE-2020-4664
XF
CONFIRM ibm -- engineering_requirements_quality_assistant_on-premises
  IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186234. 2021-01-08 not yet calculated CVE-2020-4663
XF
CONFIRM ibm -- jazz_foundation_products IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188127. 2021-01-08 not yet calculated CVE-2020-4733
XF
CONFIRM ibm -- jazz_foundation_products
  IBM Jazz Foundation Products could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 183189. 2021-01-08 not yet calculated CVE-2020-4544
XF
CONFIRM ibm -- jazz_foundation_products
  IBM Jazz Foundation Products could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 181862. 2021-01-08 not yet calculated CVE-2020-4487
XF
CONFIRM ibm -- jazz_foundation_products
  IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186698. 2021-01-08 not yet calculated CVE-2020-4691
XF
CONFIRM ibm -- jazz_foundation_products
  IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186790. 2021-01-08 not yet calculated CVE-2020-4697
XF
CONFIRM ibm -- security_verify_privilege_manager
  IBM Security Verify Privilege Manager 10.8 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A local attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 184883. 2021-01-08 not yet calculated CVE-2020-4606
XF
CONFIRM ibm -- spectrum_protect_plus
  IBM Spectrum Protect Plus 10.1.0 through 10.1.6 may include sensitive information in its URLs increasing the risk of such information being caputured by an attacker. IBM X-Force ID: 193654. 2021-01-08 not yet calculated CVE-2020-5018
XF
CONFIRM ibm -- spectrum_protect_plus
  IBM Spectrum Protect Plus 10.1.0 through 10.1.6 does not invalidate session after a password reset which could allow a local user to impersonate another user on the system. IBM X-Force ID: 193657. 2021-01-08 not yet calculated CVE-2020-5021
XF
CONFIRM ibm -- spectrum_protect_plus
  IBM Spectrum Protect Plus 10.1.0 through 10.1.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 193655. 2021-01-08 not yet calculated CVE-2020-5019
XF
CONFIRM ibm -- spectrum_protect_plus
  IBM Spectrum Protect Plus 10.1.0 through 10.1.6 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 193656. 2021-01-08 not yet calculated CVE-2020-5020
XF
CONFIRM ibm -- spectrum_protect_plus
  IBM Spectrum Protect Plus 10.1.0 through 10.1.6 may allow a local user to obtain access to information beyond their intended role and permissions. IBM X-Force ID: 193653. 2021-01-08 not yet calculated CVE-2020-5017
XF
CONFIRM ibm -- spectrum_protect_plus
  IBM Spectrum Protect Plus 10.1.0 through 10.1.6 may allow unauthenticated and unauthorized access to VDAP proxy which can result in an attacker obtaining information they are not authorized to access. IBM X-Force ID: 193658. 2021-01-08 not yet calculated CVE-2020-5022
XF
CONFIRM ibm -- websphere_extreme_scale
  IBM WebSphere eXtreme Scale 8.6.1 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 177932. 2021-01-06 not yet calculated CVE-2020-4336
XF
CONFIRM innokas -- yhtma_oy_vital_signs_monitor
  Innokas Yhtymä Oy Vital Signs Monitor VC150 prior to Version 1.7.15 HL7 v2.x injection vulnerabilities exist in the affected products that allow physically proximate attackers with a connected barcode reader to inject HL7 v2.x segments into specific HL7 v2.x messages via multiple expected parameters. 2021-01-08 not yet calculated CVE-2020-27260
MISC innokas -- yhtma_oy_vital_signs_monitor
  Innokas Yhtymä Oy Vital Signs Monitor VC150 prior to Version 1.7.15 A stored cross-site scripting (XSS) vulnerability exists in the affected products that allow an attacker to inject arbitrary web script or HTML via the filename parameter to multiple update endpoints of the administrative web interface. 2021-01-08 not yet calculated CVE-2020-27262
MISC invision_community -- ips_community_suite
  Invision Community IPS Community Suite before 4.5.4.2 allows SQL Injection via the Downloads REST API (the sortDir parameter in a sortBy=popular action to the GETindex() method in applications/downloads/api/files.php). 2021-01-08 not yet calculated CVE-2021-3025
MISC
MISC krpano -- panorama_viewer
  The default installation of Krpano Panorama Viewer version <=1.20.8 is prone to Reflected XSS due to insecure XML load in file /viewer/krpano.html, parameter xml. 2021-01-07 not yet calculated CVE-2020-24900
MISC krpano -- panorama_viewer
  The default installation of Krpano Panorama Viewer version <=1.20.8 is vulnerable to Reflected XSS due to insecure remote js load in file viewer/krpano.html, parameter plugin[test].url. 2021-01-07 not yet calculated CVE-2020-24901
MISC liferay -- cms_portal
  Liferay CMS Portal version 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert the malicious payload on the username, lastname or surname fields of its own profile, and the malicious payload will be injected and reflected in the calendar of the user who submitted the payload. An attacker could escalate its privileges in case an admin visits the calendar that injected the payload. 2021-01-07 not yet calculated CVE-2020-25476
MISC
MISC
MISC linux -- linux_kernel
  A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system. 2021-01-07 not yet calculated CVE-2020-27835
MISC marvell -- qcconvergeconsole
  Marvell QConvergeConsole GUI <= 5.5.0.74 is affected by a path traversal vulnerability. The deleteEventLogFile method of the GWTTestServiceImpl class lacks proper validation of a user-supplied path prior to using it in file deletion operations. An authenticated, remote attacker can leverage this vulnerability to delete arbitrary remote files as SYSTEM or root. 2021-01-08 not yet calculated CVE-2020-5804
MISC marvell -- qcconvergeconsole
  In Marvell QConvergeConsole GUI <= 5.5.0.74, credentials are stored in cleartext in tomcat-users.xml. OS-level users on the QCC host who are not authorized to use QCC may use the plaintext credentials to login to QCC. 2021-01-08 not yet calculated CVE-2020-5805
MISC mdbook -- mdbook
  mdBook is a utility to create modern online books from Markdown files and is written in Rust. In mdBook before version 0.4.5, there is a vulnerability affecting the search feature of mdBook, which could allow an attacker to execute arbitrary JavaScript code on the page. The search feature of mdBook (introduced in version 0.1.4) was affected by a cross site scripting vulnerability that allowed an attacker to execute arbitrary JavaScript code on an user's browser by tricking the user into typing a malicious search query, or tricking the user into clicking a link to the search page with the malicious search query prefilled. mdBook 0.4.5 fixes the vulnerability by properly escaping the search query. Owners of websites built with mdBook have to upgrade to mdBook 0.4.5 or greater and rebuild their website contents with it. 2021-01-04 not yet calculated CVE-2020-26297
MISC
MISC
MISC
CONFIRM
MISC mendixsso -- mendixsso
  MendixSSO <= 2.1.1 contains endpoints that make use of the openid handler, which is suffering from a Cross-Site Scripting vulnerability via the URL path. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint causing it to be executed within the context of the victim's browser. 2021-01-06 not yet calculated CVE-2020-8160
MISC
MISC mercusys -- mercury_xg18_devices
  MERCUSYS Mercury X18G 1.0.5 devices allow Directory Traversal via ../ to the UPnP server, as demonstrated by the /../../conf/template/uhttpd.json URI. 2021-01-07 not yet calculated CVE-2021-23242
MISC
MISC
MISC mercusys -- mercury_xg18_devices
  MERCUSYS Mercury X18G 1.0.5 devices allow Directory Traversal via ../ in conjunction with a loginLess or login.htm URI (for authentication bypass) to the web server, as demonstrated by the /loginLess/../../etc/passwd URI. 2021-01-07 not yet calculated CVE-2021-23241
MISC
MISC
MISC monocms -- monocms_blog
  MonoCMS Blog 1.0 is affected by incorrect access control that can lead to remote arbitrary code execution. At monofiles/category.php:27, user input can be saved to category/[foldername]/index.php causing RCE. 2021-01-07 not yet calculated CVE-2020-28672
MISC mozilla -- firefox Mozilla developers reported memory safety bugs present in Firefox 83. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 84. 2021-01-07 not yet calculated CVE-2020-35114
MISC
MISC mozilla -- firefox
  When a user typed a URL in the address bar or the search bar and quickly hit the enter key, a website could sometimes capture that event and then redirect the user before navigation occurred to the desired, entered address. To construct a convincing spoof the attacker would have had to guess what the user was typing, perhaps by suggesting it. This vulnerability affects Firefox < 84. 2021-01-07 not yet calculated CVE-2020-26979
MISC
MISC mozilla -- firefox
  When a HTTPS pages was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing. This vulnerability affects Firefox < 84. 2021-01-07 not yet calculated CVE-2020-26976
MISC
MISC mozilla -- firefox
  When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84. 2021-01-07 not yet calculated CVE-2020-26975
MISC
MISC mozilla -- firefox
  The lifecycle of IPC Actors allows managed actors to outlive their manager actors; and the former must ensure that they are not attempting to use a dead actor they have a reference to. Such a check was omitted in WebGL, resulting in a use-after-free and a potentially exploitable crash. This vulnerability affects Firefox < 84. 2021-01-07 not yet calculated CVE-2020-26972
MISC
MISC mozilla -- firefox
  By attempting to connect a website using an unresponsive port, an attacker could have controlled the content of a tab while the URL bar displayed the original domain. *Note: This issue only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84. 2021-01-07 not yet calculated CVE-2020-26977
MISC
MISC mozilla -- multiple_products Mozilla developers reported memory safety bugs present in Firefox 83 and Firefox ESR 78.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. 2021-01-07 not yet calculated CVE-2020-35113
MISC
MISC
MISC
MISC mozilla -- multiple_products
  Certain input to the CSS Sanitizer confused it, resulting in incorrect components being removed. This could have been used as a sanitizer bypass. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. 2021-01-07 not yet calculated CVE-2020-26973
MISC
MISC
MISC
MISC mozilla -- multiple_products
  When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. 2021-01-07 not yet calculated CVE-2020-35111
MISC
MISC
MISC
MISC mozilla -- multiple_products
  If a user downloaded a file lacking an extension on Windows, and then "Open"-ed it from the downloads panel, if there was an executable file in the downloads directory with the same name but with an executable extension (such as .bat or .exe) that executable would have been launched instead. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. 2021-01-07 not yet calculated CVE-2020-35112
MISC
MISC
MISC
MISC mozilla -- multiple_products
  When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object could have been incorrectly cast to the wrong type. This resulted in a heap user-after-free, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. 2021-01-07 not yet calculated CVE-2020-26974
MISC
MISC
MISC
MISC mozilla -- multiple_products
  Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. 2021-01-07 not yet calculated CVE-2020-26971
MISC
MISC
MISC
MISC mozilla -- multiple_products
  Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. 2021-01-07 not yet calculated CVE-2020-26978
MISC
MISC
MISC
MISC multiple_vendors -- multiple_2fa_security_keys
  An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. It allows attackers to extract the ECDSA private key after extensive physical access (and consequently produce a clone). This was demonstrated on the Google Titan Security Key, based on an NXP A7005a chip. Other FIDO U2F security keys are also impacted (Yubico YubiKey Neo and Feitian K9, K13, K21, and K40) as well as several NXP JavaCard smartcards (J3A081, J2A081, J3A041, J3D145_M59, J2D145_M59, J3D120_M60, J3D082_M60, J2D120_M60, J2D082_M60, J3D081_M59, J2D081_M59, J3D081_M61, J2D081_M61, J3D081_M59_DF, J3D081_M61_DF, J3E081_M64, J3E081_M66, J2E081_M64, J3E041_M66, J3E016_M66, J3E016_M64, J3E041_M64, J3E145_M64, J3E120_M65, J3E082_M65, J2E145_M64, J2E120_M65, J2E082_M65, J3E081_M64_DF, J3E081_M66_DF, J3E041_M66_DF, J3E016_M66_DF, J3E041_M64_DF, and J3E016_M64_DF). 2021-01-07 not yet calculated CVE-2021-3011
MISC
MISC netapp -- element_os
  Element OS versions prior to 1.8P1 and 12.2 are susceptible to a vulnerability that could allow an unauthenticated remote attacker to perform arbitrary code execution. 2021-01-08 not yet calculated CVE-2020-8584
MISC nextcloud -- contacts
  A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks. 2021-01-06 not yet calculated CVE-2020-8281
MISC
MISC nextcloud -- contacts
  A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks. 2021-01-06 not yet calculated CVE-2020-8280
MISC
MISC node.js -- node.js Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits. 2021-01-06 not yet calculated CVE-2020-8265
MISC
FEDORA
MISC
DEBIAN node.js -- node.js
  Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling. 2021-01-06 not yet calculated CVE-2020-8287
MISC
FEDORA
MISC
DEBIAN nvidia -- gpu_display_driver NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidia.ko) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure. 2021-01-08 not yet calculated CVE-2021-1056
CONFIRM nvidia -- gpu_display_driver
  NVIDIA GPU Display Driver for Windows and Linux, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape or IOCTL in which user-mode clients can access legacy privileged APIs, which may lead to denial of service, escalation of privileges, and information disclosure. 2021-01-08 not yet calculated CVE-2021-1052
CONFIRM nvidia -- gpu_display_driver
  NVIDIA GPU Display Driver for Windows and Linux, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape or IOCTL in which improper validation of a user pointer may lead to denial of service. 2021-01-08 not yet calculated CVE-2021-1053
CONFIRM nvidia -- gpu_display_driver
  NVIDIA GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which the software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action, which may lead to denial of service. 2021-01-08 not yet calculated CVE-2021-1054
CONFIRM nvidia -- gpu_display_driver
  NVIDIA GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which improper access control may lead to denial of service and information disclosure. 2021-01-08 not yet calculated CVE-2021-1055
CONFIRM nvidia -- gpu_display_driver
  NVIDIA GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which an operation is performed which may lead to denial of service or escalation of privileges. 2021-01-08 not yet calculated CVE-2021-1051
CONFIRM nvidia -- vgpu

  NVIDIA vGPU software contains a vulnerability in the guest kernel mode driver and vGPU plugin, in which an input index is not validated, which may lead to tampering of data or denial of service. This affects vGPU version 8.x (prior to 8.6) and version 11.0 (prior to 11.3). 2021-01-08 not yet calculated CVE-2021-1060
CONFIRM nvidia -- vgpu
  NVIDIA vGPU software contains a vulnerability in the guest kernel mode driver and vGPU plugin, in which an input data size is not validated, which may lead to tampering of data or denial of service. This affects vGPU version 8.x (prior to 8.6) and version 11.0 (prior to 11.3). 2021-01-08 not yet calculated CVE-2021-1058
CONFIRM nvidia -- vgpu_manager NVIDIA vGPU manager contains a vulnerability in the vGPU plugin, in which input data is not validated, which may lead to tampering of data or denial of service. This affects vGPU version 8.x (prior to 8.6) and version 11.0 (prior to 11.3). 2021-01-08 not yet calculated CVE-2021-1065
CONFIRM nvidia -- vgpu_manager NVIDIA vGPU manager contains a vulnerability in the vGPU plugin, in which an input offset is not validated, which may lead to a buffer overread, which in turn may cause tampering of data, information disclosure, or denial of service. This affects vGPU version 8.x (prior to 8.6) and version 11.0 (prior to 11.3). 2021-01-08 not yet calculated CVE-2021-1063
CONFIRM nvidia -- vgpu_manager NVIDIA vGPU manager contains a vulnerability in the vGPU plugin, in which it obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer, which may lead to information disclosure or denial of service. This affects vGPU version 8.x (prior to 8.6) and version 11.0 (prior to 11.3). 2021-01-08 not yet calculated CVE-2021-1064
CONFIRM nvidia -- vgpu_manager
  NVIDIA vGPU manager contains a vulnerability in the vGPU plugin, in which an input index is not validated, which may lead to integer overflow, which in turn may cause tampering of data, information disclosure, or denial of service. This affects vGPU version 8.x (prior to 8.6) and version 11.0 (prior to 11.3). 2021-01-08 not yet calculated CVE-2021-1059
CONFIRM nvidia -- vgpu_manager
  NVIDIA vGPU manager contains a vulnerability in the vGPU plugin, in which a race condition may cause the vGPU plugin to continue using a previously validated resource that has since changed, which may lead to denial of service or information disclosure. This affects vGPU version 8.x (prior to 8.6) and version 11.0 (prior to 11.3). 2021-01-08 not yet calculated CVE-2021-1061
CONFIRM nvidia -- vgpu_manager
  NVIDIA vGPU manager contains a vulnerability in the vGPU plugin, in which input data is not validated, which may lead to unexpected consumption of resources, which in turn may lead to denial of service. This affects vGPU version 8.x (prior to 8.6) and version 11.0 (prior to 11.3). 2021-01-08 not yet calculated CVE-2021-1066
CONFIRM nvidia -- vgpu_manager
  NVIDIA vGPU manager contains a vulnerability in the vGPU plugin, in which an input data length is not validated, which may lead to tampering of data or denial of service. This affects vGPU version 8.x (prior to 8.6) and version 11.0 (prior to 11.3). 2021-01-08 not yet calculated CVE-2021-1062
CONFIRM nvidia -- virtual_gpu_manager NVIDIA Virtual GPU Manager NVIDIA vGPU manager contains a vulnerability in the vGPU plugin in which it allows guests to allocate some resources for which the guest is not authorized, which may lead to integrity and confidentiality loss, denial of service, or information disclosure. This affects vGPU version 8.x (prior to 8.6) and version 11.0 (prior to 11.3). 2021-01-08 not yet calculated CVE-2021-1057
CONFIRM pearson -- vue_vts_installer
  The Application Wrapper in Pearson VUE VTS Installer 2.3.1911 has Full Control permissions for Everyone in the "%SYSTEMDRIVE%\Pearson VUE" directory, which allows local users to obtain administrative privileges via a Trojan horse application. 2021-01-04 not yet calculated CVE-2020-36154
MISC
MISC phpfusion -- phpfusion
  login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration. 2021-01-03 not yet calculated CVE-2020-35952
MISC phpgurukul -- hospital_management_system
  PHPGURUKUL Hospital Management System V 4.0 does not properly restrict access to admin/dashboard.php, which allows attackers to access all data of users, doctors, patients, change admin password, get appointment history and access all session logs. 2021-01-07 not yet calculated CVE-2020-35745
MISC
MISC
MISC portland_labs -- concrete5
  The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI. 2021-01-08 not yet calculated CVE-2021-3111
MISC
MISC pwntools -- pwntools
  This affects the package pwntools before 4.3.1. The shellcraft generator for affected versions of this module are vulnerable to Server-Side Template Injection (SSTI), which can lead to remote code execution. 2021-01-08 not yet calculated CVE-2020-28468
MISC
MISC
MISC quixplorer -- quixplorer
  Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. 2021-01-07 not yet calculated CVE-2020-24902
MISC red_hat -- jbcs_httpd
  A flaw was found in JBCS httpd in version 2.4.37 SP3, where it uses a back-end worker SSL certificate with the keystore file's ID is 'unknown'. The validation of the certificate whether CN and hostname are matching stopped working and allow connecting to the back-end work. The highest threat from this vulnerability is to data integrity. 2021-01-07 not yet calculated CVE-2020-25680
MISC rock_rms -- rock_rms Rock RMS versions before 8.10 and versions 9.0 through 9.3 fails to properly validate files uploaded in the application. The only protection mechanism is a file-extension blacklist that can be bypassed by adding multiple spaces and periods after the file name. This could allow an attacker to upload ASPX code and gain remote code execution on the application. The application typically runs as LocalSystem as mandated in the installation guide. Patched in versions 8.10 and 9.4. 2021-01-07 not yet calculated CVE-2019-18643
MISC rock_rms -- rock_rms
  Rock RMS version before 8.6 is vulnerable to account takeover by tampering with the user ID parameter in the profile update feature. The lack of validation and use of sequential user IDs allows any user to change account details of any other user. This vulnerability could be used to change the email address of another account, even the administrator account. Upon changing another account's email address, performing a password reset to the new email address could allow an attacker to take over any account. 2021-01-07 not yet calculated CVE-2019-18642
MISC rocket.chat_technologies_corp -- rocket.chat
  An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.7.1. 2021-01-08 not yet calculated CVE-2020-28208
MISC
MLIST
MLIST
MISC
MISC rockwell_automation -- rslinx_classic
  A denial-of-service vulnerability exists in the Ethernet/IP server functionality of Rockwell Automation RSLinx Classic 2.57.00.14 CPR 9 SR 3. A specially crafted network request can lead to a denial of service. An attacker can send a sequence of malicious packets to trigger this vulnerability. 2021-01-07 not yet calculated CVE-2020-13573
MISC socket.io -- engine.io
  Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport. 2021-01-08 not yet calculated CVE-2020-36048
MISC
MISC
MISC socket.io -- socket.io-parser
  socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used. 2021-01-08 not yet calculated CVE-2020-36049
MISC
MISC
MISC softmaker -- office_textmaker
  An exploitable signed conversion vulnerability exists in the TextMaker document parsing functionality of SoftMaker Office 2021’s TextMaker application. A specially crafted document can cause the document parser to miscalculate a length used to allocate a buffer, later upon usage of this buffer the application will write outside its bounds resulting in a heap-based memory corruption. An attacker can entice the victim to open a document to trigger this vulnerability. 2021-01-06 not yet calculated CVE-2020-13545
MISC softmaker -- office_textmaker
  An exploitable sign extension vulnerability exists in the TextMaker document parsing functionality of SoftMaker Office 2021’s TextMaker application. A specially crafted document can cause the document parser to sign-extend a length used to terminate a loop, which can later result in the loop’s index being used to write outside the bounds of a heap buffer during the reading of file data. An attacker can entice the victim to open a document to trigger this vulnerability. 2021-01-06 not yet calculated CVE-2020-13544
MISC sonicwall -- netextender
  SonicWall NetExtender Windows client vulnerable to unquoted service path vulnerability, this allows a local attacker to gain elevated privileges in the host operating system. This vulnerability impact SonicWall NetExtender Windows client version 10.2.300 and earlier. 2021-01-09 not yet calculated CVE-2020-5147
CONFIRM sonicwall -- sma100_apliiance
  A vulnerability in SonicWall SMA100 appliance allow an authenticated management-user to perform OS command injection using HTTP POST parameters. This vulnerability affected SMA100 Appliance version 10.2.0.2-20sv and earlier. 2021-01-09 not yet calculated CVE-2020-5146
CONFIRM sourcecodester -- restaurant_reservation_system
  Restaurant Reservation System 1.0 suffers from an authenticated SQL injection vulnerability, which allows a remote, authenticated attacker to execute arbitrary SQL commands via the date parameter in includes/reservation.inc.php. 2021-01-07 not yet calculated CVE-2020-26773
MISC
MISC spring-boot-actuator-logview -- spring-boot-actuator-logview
  spring-boot-actuator-logview in a library that adds a simple logfile viewer as spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits (so that `filename=../somefile` would not work), the base folder parameter was not sufficiently checked, so that `filename=somefile&base=../` could access a file outside the logging base directory). The vulnerability has been patched in release 0.2.13. Any users of 0.2.12 should be able to update without any issues as there are no other changes in that release. There is no workaround to fix the vulnerability other than updating or removing the dependency. However, removing read access of the user the application is run with to any directory not required for running the application can limit the impact. Additionally, access to the logview endpoint can be limited by deploying the application behind a reverse proxy. 2021-01-05 not yet calculated CVE-2021-21234
MISC
MISC
CONFIRM
MISC tp-link -- tl-wr840n_6_eu_devices
  oal_ipt_addBridgeIsolationRules on TP-Link TL-WR840N 6_EU_0.9.1_4.16 devices allows OS command injection because a raw string entered from the web interface (an IP address field) is used directly for a call to the system library function (for iptables). NOTE: oal_ipt_addBridgeIsolationRules is not the only function that calls util_execSystem. 2021-01-06 not yet calculated CVE-2020-36178
MISC
MISC
MISC ts-process-promises -- ts-process-promises
  This affects all versions of package ts-process-promises. The injection point is located in line 45 in main entry of package in lib/process-promises.js. The vulnerability is demonstrated with the following PoC: 2021-01-08 not yet calculated CVE-2020-7784
MISC vela -- vela
  Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets. 2021-01-04 not yet calculated CVE-2020-26294
MISC
CONFIRM
MISC veritas -- aptare
  An issue was discovered in Veritas APTARE 10.4 before 10.4P9 and 10.5 before 10.5P3. By default, on Windows systems, users can create directories under C:\. A low privileged user can create a directory at the configuration file locations. When the Windows system restarts, a malicious OpenSSL engine could exploit arbitrary code execution as SYSTEM. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. 2021-01-06 not yet calculated CVE-2020-36161
MISC veritas -- backup_exec
  An issue was discovered in the server in Veritas Backup Exec through 16.2, 20.6 before hotfix 298543, and 21.1 before hotfix 657517. On start-up, it loads the OpenSSL library from the Installation folder. This library in turn attempts to load the /usr/local/ssl/openssl.cnf configuration file, which may not exist. On Windows systems, this path could translate to <drive>:\usr\local\ssl\openssl.cnf. A low privileged user can create a :\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. If the system is also an Active Directory domain controller, then this can affect the entire domain. 2021-01-06 not yet calculated CVE-2020-36167
CERT-VN
MISC veritas -- cloudpoint An issue was discovered in Veritas CloudPoint before 8.3.0.1+hotfix. The CloudPoint Windows Agent leverages OpenSSL. This OpenSSL library attempts to load the \usr\local\ssl\openssl.cnf configuration file, which does not exist. By default, on Windows systems users can create directories under <drive>:\. A low privileged user can create a <drive>:\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, which may result in arbitrary code execution. This would give the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. 2021-01-06 not yet calculated CVE-2020-36162
MISC veritas -- desktop_and_laptop_option
  An issue was discovered in Veritas Desktop and Laptop Option (DLO) before 9.4. On start-up, it loads the OpenSSL library from /ReleaseX64/ssl. This library attempts to load the /ReleaseX64/ssl/openssl.cnf configuration file, which does not exist. By default, on Windows systems, users can create directories under C:\. A low privileged user can create a C:/ReleaseX64/ssl/openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. This impacts DLO server and client installations. 2021-01-06 not yet calculated CVE-2020-36165
MISC veritas -- enterprise_vault
  An issue was discovered in Veritas Enterprise Vault through 14.0. On start-up, it loads the OpenSSL library. The OpenSSL library then attempts to load the openssl.cnf configuration file (which does not exist) at the following locations in both the System drive (typically C:\) and the product's installation drive (typically not C:\): \Isode\etc\ssl\openssl.cnf (on SMTP Server) or \user\ssl\openssl.cnf (on other affected components). By default, on Windows systems, users can create directories under C:\. A low privileged user can create a openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. This vulnerability only affects a server with MTP Server, SMTP Archiving IMAP Server, IMAP Archiving, Vault Cloud Adapter, NetApp File server, or File System Archiving for NetApp as File Server. 2021-01-06 not yet calculated CVE-2020-36164
MISC veritas -- infoscale
  An issue was discovered in Veritas InfoScale 7.x through 7.4.2 on Windows, Storage Foundation through 6.1 on Windows, Storage Foundation HA through 6.1 on Windows, and InfoScale Operations Manager (aka VIOM) Windows Management Server 7.x through 7.4.2. On start-up, it loads the OpenSSL library from \usr\local\ssl. This library attempts to load the \usr\local\ssl\openssl.cnf configuration file, which may not exist. On Windows systems, this path could translate to <drive>:\usr\local\ssl\openssl.cnf, where <drive> could be the default Windows installation drive such as C:\ or the drive where a Veritas product is installed. By default, on Windows systems, users can create directories under any top-level directory. A low privileged user can create a <drive>:\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. 2021-01-06 not yet calculated CVE-2020-36166
MISC veritas -- netbackup
  An issue was discovered in Veritas NetBackup through 8.3.0.1 and OpsCenter through 8.3.0.1. Processes using OpenSSL attempt to load and execute libraries from paths that do not exist by default on the Windows operating system. By default, on Windows systems, users can create directories under the top level of any drive. If a low privileged user creates an affected path with a library that the Veritas product attempts to load, they can execute arbitrary code as SYSTEM or Administrator. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. This vulnerability affects master servers, media servers, clients, and OpsCenter servers on the Windows platform. The system is vulnerable during an install or upgrade and post-install during normal operations. 2021-01-06 not yet calculated CVE-2020-36169
MISC veritas -- netbackup_and_opscenter
  An issue was discovered in Veritas NetBackup and OpsCenter through 8.3.0.1. NetBackup processes using Strawberry Perl attempt to load and execute libraries from paths that do not exist by default on the Windows operating system. By default, on Windows systems, users can create directories under C:\. If a low privileged user on the Windows system creates an affected path with a library that NetBackup attempts to load, they can execute arbitrary code as SYSTEM or Administrator. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. This affects NetBackup master servers, media servers, clients, and OpsCenter servers on the Windows platform. The system is vulnerable during an install or upgrade on all systems and post-install on Master, Media, and OpsCenter servers during normal operations. 2021-01-06 not yet calculated CVE-2020-36163
MISC veritas -- resiliency_platform
  An issue was discovered in Veritas Resiliency Platform 3.4 and 3.5. It leverages OpenSSL on Windows systems when using the Managed Host addon. On start-up, it loads the OpenSSL library. This library may attempt to load the openssl.cnf configuration file, which does not exist. By default, on Windows systems, users can create directories under C:\. A low privileged user can create a C:\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. 2021-01-06 not yet calculated CVE-2020-36168
MISC veritas -- system_recovery
  An issue was discovered in Veritas System Recovery before 21.2. On start-up, it loads the OpenSSL library from \usr\local\ssl. This library attempts to load the from \usr\local\ssl\openssl.cnf configuration file, which does not exist. By default, on Windows systems, users can create directories under C:\. A low privileged user can create a C:\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data and installed applications, etc. If the system is also an Active Directory domain controller, then this can affect the entire domain. 2021-01-06 not yet calculated CVE-2020-36160
MISC videolan -- vlc_media_player
  A vulnerability in EbmlTypeDispatcher::send in VideoLAN VLC media player 3.0.11 allows attackers to trigger a heap-based buffer overflow via a crafted .mkv file. 2021-01-08 not yet calculated CVE-2020-26664
MISC
MISC
MISC wolfssl -- wolfssl
  RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size. 2021-01-06 not yet calculated CVE-2020-36177
MISC
MISC
MISC
MISC
MISC wordpress -- wordpress An issue was discovered in the Divi Builder plugin, Divi theme, and Divi Extra theme before 4.5.3 for WordPress. Authenticated attackers, with contributor-level or above capabilities, can upload arbitrary files, including .php files. This occurs because the check for file extensions is on the client side. 2021-01-01 not yet calculated CVE-2020-35945
MISC
MISC wordpress -- wordpress PHP Object injection vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to team_import_xml_layouts. 2021-01-01 not yet calculated CVE-2020-35939
MISC wordpress -- wordpress PHP Object injection vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to post_grid_import_xml_layouts. 2021-01-01 not yet calculated CVE-2020-35938
MISC wordpress -- wordpress Stored Cross-Site Scripting (XSS) vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to post_grid_import_xml_layouts. 2021-01-01 not yet calculated CVE-2020-35936
MISC wordpress -- wordpress The Advanced Access Manager plugin before 6.6.2 for WordPress allows privilege escalation on profile updates via the aam_user_roles POST parameter if Multiple Role support is enabled. (The mechanism for deciding whether a user was entitled to add a role did not work in various custom-role scenarios.) 2021-01-01 not yet calculated CVE-2020-35935
MISC wordpress -- wordpress A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX request containing either JavaScript in an options parameter, or a base64-encoded JSON string containing JavaScript in the encoded_options parameter. 2021-01-01 not yet calculated CVE-2020-35933
MISC wordpress -- wordpress Stored Cross-Site Scripting (XSS) vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to team_import_xml_layouts. 2021-01-01 not yet calculated CVE-2020-35937
MISC wordpress -- wordpress
  The iThemes Security (formerly Better WP Security) plugin before 7.7.0 for WordPress does not enforce a new-password requirement for an existing account until the second login occurs. 2021-01-06 not yet calculated CVE-2020-36176
MISC wordpress -- wordpress
  An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution. If a quiz question could be answered by uploading a file, only the Content-Type header was checked during the upload, and thus the attacker could use text/plain for a .php file. 2021-01-01 not yet calculated CVE-2020-35949
MISC
MISC wordpress -- wordpress
  The Advanced Access Manager plugin before 6.6.2 for WordPress displays the unfiltered user object (including all metadata) upon login via the REST API (aam/v1/authenticate or aam/v2/authenticate). This is a security problem if this object stores information that the user is not supposed to have (e.g., custom metadata added by a different plugin). 2021-01-01 not yet calculated CVE-2020-35934
MISC wordpress -- wordpress
  An issue was discovered in the XCloner Backup and Restore plugin before 4.2.153 for WordPress. It allows CSRF (via almost any endpoint). 2021-01-01 not yet calculated CVE-2020-35950
MISC
MISC wordpress -- wordpress
  Insecure Deserialization in the Newsletter plugin before 6.8.2 for WordPress allows authenticated remote attackers with minimal privileges (such as subscribers) to use the tpnc_render AJAX action to inject arbitrary PHP objects via the options[inline_edits] parameter. NOTE: exploitability depends on PHP objects that might be present with certain other plugins or themes. 2021-01-01 not yet calculated CVE-2020-35932
MISC wordpress -- wordpress
  The Elementor Website Builder plugin before 3.0.14 for WordPress does not properly restrict SVG uploads. 2021-01-06 not yet calculated CVE-2020-36171
MISC wordpress -- wordpress
  An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php, for example. Alternatively, an attacker could create an exploit chain to obtain a database dump. 2021-01-01 not yet calculated CVE-2020-35948
MISC
MISC Back to top

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

CISA Releases New Alert on Post-Compromise Threat Activity in Microsoft Cloud Environments and Tools to Help Detect This Activity

US-CERT All NCAS Products - Fri, 01/08/2021 - 19:13
Original release date: January 8, 2021

CISA has evidence of post-compromise advanced persistent threat (APT) activity in the cloud environment. Specifically, CISA has seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment and using additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations. This activity is in addition to what has been previously detailed in AA20-352A.

In response, CISA has released AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments to describe this malicious APT activity and offer guidance on three open-source tools—including a CISA-developed tool, Sparrow, released on December 24. Network defenders can use these tools to help detect and remediate malicious APT actor activity as part of the ongoing supply chain compromise.

CISA strongly encourages users and administrators to review the Activity Alert for additional information and detection countermeasures.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments

US-CERT All NCAS Products - Fri, 01/08/2021 - 17:36
Original release date: January 8, 2021

This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

This Alert is a companion alert to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. AA20-352A primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products as an initial access vector into networks of U.S. Government agencies, critical infrastructure entities, and private network organizations. As noted in AA20-352A, the Cybersecurity and Infrastructure Security Agency (CISA) has evidence of initial access vectors in addition to the compromised SolarWinds Orion products.

This Alert also addresses activity—irrespective of the initial access vector leveraged—that CISA attributes to an APT actor. Specifically, CISA has seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment. CISA has also seen this APT actor utilizing additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations. These tactics, techniques, and procedures (TTPs) feature three key components:

  • Compromising or bypassing federated identity solutions;
  • Using forged authentication tokens to move laterally to Microsoft cloud environments; and
  • Using privileged access to a victim’s cloud environment to establish difficult-to-detect persistence mechanisms for Application Programming Interface (API)-based access.

This Alert describes these TTPs and offers an overview of, and guidance on, available open-source tools—including a CISA-developed tool, Sparrow—for network defenders to analyze their Microsoft Azure Active Directory (AD), Office 365 (O365), and M365 environments to detect potentially malicious activity.

Note: this Alert describes artifacts—presented by these attacks—from which CISA has identified detectable evidence of the threat actor’s initial objectives. CISA continues to analyze the threat actor’s follow-on objectives.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments

US-CERT Alerts - Fri, 01/08/2021 - 17:36
Original release date: January 8, 2021
Summary

This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

This Alert is a companion alert to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. AA20-352A primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products as an initial access vector into networks of U.S. Government agencies, critical infrastructure entities, and private network organizations. As noted in AA20-352A, the Cybersecurity and Infrastructure Security Agency (CISA) has evidence of initial access vectors in addition to the compromised SolarWinds Orion products.

This Alert also addresses activity—irrespective of the initial access vector leveraged—that CISA attributes to an APT actor. Specifically, CISA has seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment. CISA has also seen this APT actor utilizing additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations. These tactics, techniques, and procedures (TTPs) feature three key components:

  • Compromising or bypassing federated identity solutions;
  • Using forged authentication tokens to move laterally to Microsoft cloud environments; and
  • Using privileged access to a victim’s cloud environment to establish difficult-to-detect persistence mechanisms for Application Programming Interface (API)-based access.

This Alert describes these TTPs and offers an overview of, and guidance on, available open-source tools—including a CISA-developed tool, Sparrow—for network defenders to analyze their Microsoft Azure Active Directory (AD), Office 365 (O365), and M365 environments to detect potentially malicious activity.

Note: this Alert describes artifacts—presented by these attacks—from which CISA has identified detectable evidence of the threat actor’s initial objectives. CISA continues to analyze the threat actor’s follow-on objectives.

Technical Details

Frequently, CISA has observed the APT actor gaining Initial Access [TA0001] to victims’ enterprise networks via compromised SolarWinds Orion products (e.g., Solorigate, Supernova).[1] However, CISA is investigating instances in which the threat actor may have obtained initial access by Password Guessing [T1110.001], Password Spraying [T1110.003], and/or exploiting inappropriately secured administrative or service credentials (Unsecured Credentials [T1552]) instead of utilizing the compromised SolarWinds Orion products.

CISA observed this threat actor moving from user context to administrator rights for Privilege Escalation [TA0004] within a compromised network and using native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the Microsoft Active Directory Federated Services (ADFS) certificate-signing capability. This enumeration allows threat actors to forge authentication tokens (OAuth) to issue claims to service providers—without having those claims checked against the identity provider—and then to move laterally to Microsoft Cloud environments (Lateral Movement [TA0008]).

The threat actor has also used on-premises access to manipulate and bypass identity controls and multi-factor authentication. This activity demonstrates how sophisticated adversaries can use credentials from one portion of an organization to move laterally (Lateral Movement [TA0008]) through trust boundaries, evade defenses and detection (Defense Evasion [TA0005]), and steal sensitive data (Collection [TA0009]).

This level of compromise is challenging to remediate and requires a rigorous multi-disciplinary effort to regain administrative control before recovering.

MitigationsDetection

Guidance on identifying affected SolarWinds software is well documented.[2] However—once an organization identifies a compromise via SolarWinds Orion products or other threat actor TTPs—identifying follow-on activity for on-premises networks requires fine-tuned network and host-based forensics.

The nature of cloud forensics is unique due to the growing and rapidly evolving technology footprints of major vendors. Microsoft's O365 and M365 environments have built-in capabilities for detecting unusual activity. Microsoft also provides premium services (Advanced Threat Protection [ATP] and Azure Sentinel), which enable network defenders to investigate TTPs specific to the Solorigate activity.[3]

Detection Tools

CISA is providing examples of detection tools for informational purposes only. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services does not constitute or imply their endorsement, recommendation, or favoring by CISA.

There are a number of open-source tools available to investigate adversary activity in Microsoft cloud environments and to detect unusual activity, service principals, and application activity.[4] Publicly available PowerShell tools that network defenders can use to investigate M365 and Microsoft Azure include:

  • CISA's Sparrow,
  • Open-source utility Hawk, and
  • CrowdStrike's Azure Reporting Tool (CRT).

Additionally, Microsoft's Office 365 Management API and Graph API provide an open interface for ingesting telemetry and evaluating service configurations for signs of anomalous activity and intrusion.

Note: these open-source tools are highlighted and explained to assist with on-site investigation and remediation in cloud environments but are not all-encompassing. Open source tools can be complemented by services such as Azure Sentinel, a Microsoft premium service that provides comprehensive analysis tools, including custom detections for the activity indicated.

General Guidance on Using Detection Tools
  1. Audit the creation and use of service principal credentials. Look for unusual application usage, such as use of dormant applications.
  2. Audit the assignment of credentials to applications that allow non-interactive sign-in by the application. Look for unexpected trust relationships added to the Azure Active Directory.
  3. Download the interactive sign-ins from the Azure admin portal or use the Microsoft Sentinel product. Review new token validation time periods with high values and investigate whether it was a legitimate change or an attempt to gain persistence by a threat actor.
Sparrow

CISA created Sparrow to help network defenders detect possible compromised accounts and applications in the Azure/M365 environment. The tool focuses on the narrow scope of user and application activity endemic to identity- and authentication-based attacks seen recently in multiple sectors. It is neither comprehensive nor exhaustive of available data. It is intended to narrow a larger set of available investigation modules and telemetry to those specific to recent attacks on federated identity sources and applications.

CISA advises Sparrow users to take the following actions.

  1. Use Sparrow to detect any recent domain authentication or federation modifications.
    1. Domain and federation modification operations are uncommon and should be investigated.
  2. Examine logs for new and modified credentials applied to applications and service principals; delineate for the credential type. Sparrow can be used to detect the modification of service principals and application credentials.
    1. Create a timeline for all credential changes, focusing on recent wholesale changes.
    2. Review the “top actors” for activity in the environment and the number of credential modifications performed.
    3. Monitor changes in application and service principal credentials.
    4. Investigate any instances of excessive permissions being granted, including, but not limited to, Exchange Online, Microsoft Graph, and Azure AD Graph.
  3. Use Sparrow to detect privilege escalation, such as adding a service principal, user, or group to a privileged role.
  4. Use Sparrow to detect OAuth consent and users’ consent to applications, which is useful for interpreting changes in adversary TTPs.
  5. Use Sparrow to identify anomalous Security Assertion Markup Language (SAML) token sign-ins by pivoting on the unified audit log UserAuthenticationValue of 16457, which is an indicator of how a SAML token was built and is a potential indicator for forged SAML tokens.
    1. Note that this TTP has not been the subject of significant published security research but may indicate an unusual usage of a token, such as guest access for external partners to M365 resources.
  6. Review the PowerShell logs that Sparrow exports.
    1. Review PowerShell mailbox sign-ins and validate that the logins are legitimate actions.
    2. Review PowerShell usage for users with PowerShell in the environment.
  7. Use Sparrow to check the Graph API application permissions of all service principals and applications in M365/Azure AD.
    1. Investigate unusual activity regarding Microsoft Graph API permissions (using either the legacy https://graph.windows.net/ or https://graph.microsoft.com). Graph is used frequently as part of these TTPs, often to access and manipulate mailbox resources.
  8. Review Sparrow’s listed tenant’s Azure AD domains, to see if the domains have been modified.
  9. For customers with G5 or E5 licensing levels, review MailItemsAccessed for insight into what application identification (ID) was used for accessing users’ mailboxes. Use Sparrow to query for a specific application ID using the app id investigation capability, which will check to see if it is accessing mail or file items.
    1. The MailItemsAccessed event provides audibility for mailbox data accessed via mail protocols or clients.
    2. By analyzing the MailItemsAccessed action, incident responders can determine which user mailbox items have been accessed and potentially exfiltrated by a threat actor. This event will be recorded even in some situations where the message was not necessarily read interactively (e.g., bind or sync).[5]
    3. The resulting suspicious application ID can provide incident responders with a pivot to detect other suspicious applications that require additional analysis.
    4. Check for changes to applications with regards to the accessing of resources such as mail or file items.
Hawk

Hawk is an open-source, PowerShell-driven, community-developed tool network defenders can use to quickly and easily gather data from O365 and Azure for security investigations. Incident responders and network defenders can investigate specific user principals or the entire tenant. Data it provides include IP addresses and sign-in data. Additionally, Hawk can track IP usage for concurrent login situations.

Hawk users should review login details for administrator accounts and take the following steps.

  1.  Investigate high-value administrative accounts to detect anomalous or unusual activity (Global Admins).
  2. Enable PowerShell logging, and evaluate PowerShell activity in the environment not used for traditional or expected purposes.
    1. PowerShell logging does not reveal the exact cmdlet that was run on the tenant.
  3. Look for users with unusual sign-in locations, dates, and times.
  4. Check permissions of service principals and applications in M365/Azure AD.
  5. Detect the frequency of resource access from unusual places. Use the tool to pivot to a trusted application and see if it is accessing mail or file items.
  6. Review mailbox rules and recent mailbox rule changes.
CrowdStrike Azure Reporting Tool

CrowdStrike's Azure Reporting Tool (CRT) can help network defenders analyze their Microsoft Azure AD and M365 environment to help organizations analyze permissions in their AzureAD tenant and service configuration. This tool has minor overlap with Sparrow; it shows unique items, but it does not cover the same areas. CISA is highlighting this tool because it is one of the only free, open-source tools available to investigate this activity and could be used to complement Sparrow.

Detection Tool Distinctions
  • Sparrow differs from CRT by looking for specific indicators of compromise associated with the recent attacks.
  • CRT focuses on the tenant’s Azure AD permissions and Exchange Online configuration settings instead of the unified audit log, which gives it a different output from Sparrow or Hawk.
  • CRT returns the same broad scope of application/delegated permissions for service principals and applications as Hawk.
  • As part of its investigation, Sparrow homes in on a narrow set of application permissions given to the Graph API, which is common to the recent attacks.
  • CRT looks at Exchange Online federation configuration and federation trust, while Sparrow focuses on listing Azure AD domains.
  • Among the items network defenders can use CRT to review are delegated permissions and application permissions, federation configurations, federation trusts, mail forwarding rules, service principals, and objects with KeyCredentials.
Detection Methods

Microsoft breaks the threat actor’s recent activity into four primary stages, which are described below along with associated detection methods. Microsoft describes these stages as beginning with all activity after the compromise of the on-premises identity solution, such as ADFS.[6]

Note: this step provides an entry vector to cloud technology environments, and is unnecessary when the threat actor has compromised an identity solution or credential that allows the APT direct access to the cloud(e.g., without leveraging the SolarWinds Orion vulnerability).

Stage 1: Forging a trusted authentication token used to access resources that trust the on-premises identity provider

These attacks (often referred to as “Golden Security Assertion Markup Language” attacks) can be analyzed using a combination of cloud-based and standard on-premises techniques.[7] For example, network defenders can use OAuth claims for specific principals made at the Azure AD level and compare them to the on-premises identity.

Export sign-in logs from the Azure AD portal and look at the Authentication Method field.

Note: at portal.azure.com, click on a user and review the authentication details (e.g., date, method, result). Without Sentinel, this is the only way to get these logs, which are critical for this effort.

Detection Method 1: Correlating service provider login events with corresponding authentication events in Active Directory Federation Services (ADFS) and Domain Controllers

Using SAML single sign-on, search for any logins to service providers that do not have corresponding event IDs 4769, 1200, and 1202 in the domain.

Detection Method 2: Identifying certificate export events in ADFS

Look for:

  1. The IP address and Activity_ID in EventCode 410 and the Activity_ID and Instance_ID in EventCode 500.
  2. Export-PfxCertificate or certutil-exportPFX in Event IDs 4103 and 4104, which may include detection of a certificate extraction technique.
  3. Deleted certificate extraction with ADFSdump performed using Sysmon Event ID 18 with the pipe name \microsoft##wid\tsql\query (exclude processes regularly making this pipe connection on the machine).
  4. Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event ID 510 with the same instance ID for change details (Event ID 510 with the same Instance ID could be more than one event per single Event ID 307 event).

Detection Method 3: Customizing SAML response to identify irregular access

This method serves as prevention for the future (and would only detect future, not past, activity), as it helps identify irregularities from the point of the change forward. Organizations can modify SAML responses to include custom elements for each service provider to monitor and detect any anomalous requests.[8]

Detection Method 4: Detecting malicious ADFS trust modification

A threat actor who gains administrative access to ADFS can add a new, trusted ADFS rather than extracting the certificate and private key as part of a standard Golden SAML attack.[9]
Network defenders should look for:

  1. Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event ID 510 with the same Instance ID for change details. (Event ID 510 with the same Instance ID could be more than one event per single Event ID 307 event.)
    1. Review events, particularly searching for Configuration: Type: IssuanceAuthority where Property Value references an unfamiliar domain.
  2. Possible activity of an interrogating ADFS host by using ADFS PowerShell plugins. Look for changes in the federation trust environment that would indicate new ADFS sources.

Stage 2: Using the forged authentication token to create configuration changes in the Service Provider, such as AzureAD (establishing a foothold)

After the threat actor has compromised the on-premises identity provider, they identify their next series of objectives by reviewing activity in the Microsoft Cloud activity space (Microsoft Azure and M365 tenants).

The threat actor uses the ability to forge authentication tokens to establish a presence in the cloud environment. The actor adds additional credentials to an existing service principal. Once the threat actor has impersonated a privileged AzureAD account, they are likely to further manipulate the Azure/M365 environment (action on objectives in the cloud).

Network defenders should take the following steps.

  1. Audit the creation and use of service principal and application credentials. Sparrow will detect modifications to these credentials.
    1. Look for unusual application usage, such as dormant or forgotten applications being used again.
    2. Audit the assignment of credentials to applications that allow non-interactive sign-in by the application.
  2. Look for unexpected trust relationships that have been added to AzureAD. (Download the last 30 days of non-interactive sign-ins from the Azure portal or use Azure Sentinel.).[10]
  3. Use Hawk (and any sub-modules available) to run an investigation on a specific user. Hawk will provide IP addresses, sign-in data, and other data. Hawk can also track IP usage in concurrent login situations.
  4. Review login details for administrator accounts (e.g., high-value administrative accounts, such as Global Admins). Look for unusual sign-in locations, dates, and times.
  5. Review new token validation time periods with high values and investigate whether the changes are legitimate or a threat actor’s attempts to gain persistence.

Stage 3: Acquiring an OAuth access token for the application using the forged credentials added to an existing application or service principal and calling APIs with the permissions assigned to that application

In some cases, the threat actor has been observed adding permissions to existing applications or service principals. Additionally the actor has been seen establishing new applications or service principals briefly and using them to add permissions to the existing applications or service principals, possibly to add a layer of indirection (e.g., using it to add a credential to another service principal, and then deleting it).[11]

Network defenders should use Sparrow to:

  1. Examine highly privileged accounts; specifically using sign-in logs, look for unusual sign-in locations, dates, and times.
  2. Create a timeline for all credential changes.
  3. Monitor changes in application credentials (the script will export into csv named AppUpdate_Operations_Export).
  4. Detect service principal credentials change and service principal change (e.g., if an actor adds new permissions or expands existing permissions).
    1. Export and view this activity via the ServicePrincipal_Operations_Export.
  5. Record OAuth consent and consent to applications
    1. Export and view this record via the Consent_Operations_Export file.
  6. Investigate instances of excessive high permissions, including, but not limited to Exchange Online, Microsoft Graph, and Azure AD Graph.
    1. Review Microsoft Graph API permissions granted to service principals.
    2. Export and view this activity via the ApplicationGraphPermissions csv file.
      1. Note: Hawk can also return the full list of service principal permissions for further investigation.
    3. Review top actors and the amount of credential modifications performed.
    4. Monitor changes in application credentials.
  7. Identify manipulation of custom or third-party applications.
    1. Network defenders should review the catalog of custom or third-party vendors with applications in the Microsoft tenant and perform the above interrogation principles on those applications and trusts.
  8. Review modifications to federation trust settings.
    1. Review new token validation time periods with high values and investigate whether this was a legitimate change or an attempt to gain persistence by the threat actor.
      1. The script detects the escalation of privileges, including the addition of Service Principals (SP) to privileged roles. Export this data into csv called AppRoleAssignment_Operations_Export.

Stage 4: Once access has been established, the threat actor Uses Microsoft Graph API to conduct action on objectives from an external RESTful API (queries impersonating existing applications).

Network defenders should:

  1. In MailItemsAccessed  operations, found within the Unified Audit Log (UAL), review the application ID used (requires G5 or E5 license for this specific detail).
  2. Query the specific application ID, using the Sparrow script’s app ID investigation capability to interrogate mail and file items accessed for that applicationID (Use the application ID utility for any other suspicious apps that require additional analysis.).
  3. Check the permissions of an application in M365/AzureAD using Sparrow.
    1. Hawk will return Azure_Application_Audit, and Sparrow will return ApplicationGraphPermissions.
    2. Network defenders will see the IP address that Graph API uses.
    3. Note: the Microsoft IP address may not show up as a virtual private server/anonymized endpoint.
  4. Investigate a specific service principal, if it is a user-specific user account, in Hawk. This activity is challenging to see without Azure Sentinel or manually downloading and reviewing logs from the sign-in portal.
Microsoft Telemetry Nuances

The existing tools and techniques used to evaluate cloud-based telemetry sources present challenges not represented in traditional forensic techniques. Primarily, the amount of telemetry retention is far less than the traditional logging facilities of on-premises data sources. Threat actor activity that is more than 90 days old is unlikely to have been saved by traditional sources or be visible with the Microsoft M365 Management API or in the UAL.

Service principal logging is available using the Azure Portal via the "Service Principal Sign-ins" feature. Enable settings in the Azure Portal (see “Diagnostic Setting”) to ingest logs into Sentinel or a third-party security information and event management (SIEM) tool. An Azure Premium P1 or Premium P2 license is necessary to access this setting as well as other features, such as a log analytics workspace, storage account, or event hub.[12] These logs must be downloaded manually if not ingested by one of the methods listed in the Detection Methods section.

Global Administrator rights are often required by tools other than Hawk and Sparrow to evaluate M365 cloud security posture. Logging capability and visibility of data varies by licensing models and subscription to premium services, such as Microsoft Defender for O365 and Azure Sentinel. According to CrowdStrike, "There was an inability to audit via API, and there is the requirement for global admin rights to view important information which we found to be excessive. Key information should be easily accessible."[13]

Documentation for specific event codes, such as UserAuthenticationMethod 16457, which may indicate a suspicious SAML token forgery, is no longer available in the M365 Unified Access Log. Auditing narratives on some events no longer exist as part of core Microsoft documentation sources.

The use of industry-standard SIEMs for log detection is crucial for providing historical context for threat hunting in Microsoft cloud environments. Standard G3/E3 licenses only provide 90 days of auditing; with the advanced auditing license that is provided with a G5/E5 license, audit logs can be extended to retain information for a year. CISA notes that this license change is proactive, rather than reactive: it allows enhanced visibility and features for telemetry from the moment of integration but does not provide retroactive visibility on previous events or historical context.

A properly configured SIEM can provide:

  1. Longer term storage of log data.
  2. Cross correlation of log data with endpoint data and network data (such as those produced by ADFS servers), endpoint detection and response data, and identity provider information.
  3. Ability to query use of application connectors in Azure.

Built-in tools, such as Microsoft Cloud Services and M365 applications, provide much of the same visibility available from custom tools and are mapped to the MITRE ATT&CK framework and easy-to-understand dashboards.[14] However, these tools often do not have the ability to pull historical data older than seven days. Therefore, storage solutions that appropriately meet governance standards and usability metrics for analysts for the SIEM must be carefully planned and arranged.

Contact Information

CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at

  • 1-888-282-0870 (From outside the United States: +1-703-235-8832)
  • central@cisa.dhs.gov (UNCLASS)
  • us-cert@dhs.sgov.gov (SIPRNET)
  • us-cert@dhs.ic.gov (JWICS)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at http://www.us-cert.cisa.gov/.

Resources

Azure Active Directory Workbook to Assess Solorigate Risk: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718

Volexity - Dark Halo Leverages SolarWinds Compromise to Breach Organizations: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

How to Find Activity with Sentinel: https://www.verboon.info/2020/10/monitoring-service-principal-sign-ins-with-azuread-and-azure-sentinel/

Third-Party Walkthrough of the Attack: https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/

National Security Agency Advisory on Detecting Abuse of Authentication Mechanisms: https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF

Microsoft 365 App for Splunk: https://splunkbase.splunk.com/app/3786/

CISA Remediation Guidance: https://us-cert.cisa.gov/ncas/alerts/aa20-352a

Feedback

CISA strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. You can help by answering a few short questions about this report at the following URL: https://www.us-cert.cisa.gov/forms/feedback.

References Revisions
  • Initial version: January 8, 2021

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

MS-ISAC Releases Cybersecurity Advisory on Zyxel Firewalls and AP Controllers

US-CERT All NCAS Products - Fri, 01/08/2021 - 16:09
Original release date: January 8, 2021

The Multi-State Information Sharing and Analysis Center (MS-ISAC) has released an advisory on a vulnerability in Zyxel firewalls and AP controllers. A remote attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review the MS-ISAC Advisory 2021-001 and Zyxel Security Advisory for CVE-2020-29583 and apply the necessary updates and mitigation recommendations.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

Mozilla Releases Security Updates for Firefox, Firefox for Android, and Firefox ESR

US-CERT All NCAS Products - Thu, 01/07/2021 - 17:17
Original release date: January 7, 2021

Mozilla has released security updates to address a vulnerability in Firefox, Firefox for Android, and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system.  

CISA encourages users and administrators to review the Mozilla Security Advisory and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

Google Releases Security Updates for Chrome

US-CERT All NCAS Products - Thu, 01/07/2021 - 17:13
Original release date: January 7, 2021

Google has released Chrome version 87.0.4280.141 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome Release and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

CISA Updates Emergency Directive 21-01 Supplemental Guidance and Activity Alert on SolarWinds Orion Compromise

US-CERT All NCAS Products - Wed, 01/06/2021 - 19:20
Original release date: January 6, 2021

CISA has released Emergency Directive (ED) 21-01 Supplemental Guidance version 3: Mitigate SolarWinds Orion Code Compromise, providing guidance that supersedes Required Action 4 of ED 21-01 and Supplemental Guidance versions 1 and 2.

  • Federal agencies without evidence of adversary follow-on activity on their networks that accept the risk of running SolarWinds Orion in their enterprises should rebuild or upgrade, in compliance with hardening steps outlined in the Supplemental Guidance, to at least SolarWinds Orion Platform version 2020.2.1 HF2. The National Security Agency (NSA) examined this version and verified it eliminates the previously identified malicious code. This version also includes updates to fix un-related vulnerabilities, including vulnerabilities that SolarWinds has publicly disclosed.
  • Federal agencies with evidence of follow-on threat actor activity on their networks should keep their affected versions disconnected, conduct forensic analysis, and consult with CISA before rebuilding or reimaging affected platforms and host operating systems.

The updated supplemental guidance also includes forensic analysis and reporting requirements.

CISA has also updated AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, originally released December 17, 2020. This update includes new information on initial access vectors, updated mitigation recommendations, and new indicators of compromise (IOCs).

Although the Emergency Directive only applies to Federal Civilian Executive Branch agencies, CISA encourages state and local governments, critical infrastructure entities, and other private sector organizations to review CISA Emergency Directive 21-01 - Supplemental Guidance v.3 for recommendations on operating the SolarWinds Orion Platform. Review the following resources for additional information on the SolarWinds Orion compromise.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: LATEST ALERT

Pages