2867 matches found
mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter
The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications...
CVE-2018-1285
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files...
PT-2020-5531 · Apache +2 · Log4Net +2
Name of the Vulnerable Software and Affected Versions: Apache log4net versions prior to 2.0.10. Description: The issue relates to errors in restricting XML external entity (XXE) references in the log4net logging library on the .NET Framework platform. Exploitation of this issue may allow a remote...
Unauthorized Access
Roundcube Webmail is vulnerable to unauthorized access. An attacker can access arbitrary files on the host's filesystem, including configuration files due to a flaw related to file-based attachment plugins and task=settings&action=upload-display&from=timezone requests...
CVE-2020-6652
An Incorrect Privilege Assignment vulnerability in Eaton's Intelligent Power Manager (IPM) v1.67 and prior allows non-admin users to upload the system configuration files by sending specially crafted requests. This can result in non-admin users manipulating the system configurations via uploading the...
CVE-2020-6652
CVE-2020-6652 affects Eaton Intelligent Power Manager (IPM) v1.67 and earlier. The vulnerability is an incorrect privilege assignment that lets non-admin users upload system configuration files by sending specially crafted requests, potentially enabling manipulation of configurations with paramet...
Grafana Information Disclosure Vulnerability (CNVD-2020-27230)
Grafana is a set of open source monitoring tools from Grafana Labs that provide a visual monitoring interface. The tool is primarily used to monitor and analyze Graphite, InfluxDB, and Prometheus, among others. A security vulnerability exists in Grafana versions 6.x through 6.3.6, which stems fro...
CVE-2020-12459
In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml, which contain a secretkey and a bindpassword, are world readable...
CVE-2020-5405
Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted UR...
Arbitrary File Deletion Vulnerability in ETA CMS (CNVD-2020-26406)
ETA CMS is a simple, practical and efficient website builder. ETA CMS has an arbitrary file deletion vulnerability that can be exploited by attackers to delete configuration files...
Arbitrary File Deletion Vulnerability in ETA CMS (CNVD-2020-26404)
ETA CMS is a simple, practical and efficient website builder. ETA CMS has an arbitrary file deletion vulnerability that can be exploited by attackers to delete configuration files...
TeamViewer Insecure Directory Permissions Privilege Escalation
The version of TeamViewer Desktop installed on the remote Windows host, up to 14.7.1965, allows a bypass of remote-login access control because different customers' installations used a shared AES key. An attacker can use that key to decrypt protected information stored in the registry or...
Arbitrary File Read Vulnerability in EDI CMS
ETA CMS is a simple, practical and efficient website builder. ETA CMS has an arbitrary file read vulnerability that can be exploited by an attacker to read configuration files on the server...
Arbitrary File Deletion Vulnerability in CMS
ETA CMS is a simple, practical and efficient website builder. ETA CMS has an arbitrary file deletion vulnerability that can be exploited by attackers to delete configuration files...