CVE-2021-26843
An issue was discovered in sthttpd through 2.27.1. On systems where the strcpy function is implemented with memcpy, the dedotdot function may cause a Denial-of-Service daemon crash due to overlapping memory ranges being passed to memcpy. This can be triggered with an HTTP GET request for a crafted...
CVE-2021-21289
Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which...
CVE-2019-25018
In the rcp client in MIT krb5-appl through 1.0.3, malicious servers could bypass intended access restrictions via the filename of . or an empty filename, similar to CVE-2018-20685 and CVE-2019-7282. The impact is modifying the permissions of the target directory on the client side. NOTE: MIT...
Huawei EulerOS: Security Advisory for php-pear (EulerOS-SA-2021-1164)
The remote host is missing an update for the Huawei EulerOS php-pear package...
Command Injection
Overview: Affected versions of this package are vulnerable to Command Injection. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local...
Updated python-pip packages fix security vulnerabilities
It was discovered that pip did not properly sanitize the filename during pip install. A remote attacker could possibly use this issue to read and write arbitrary files on the host filesystem as root, resulting in a directory traversal attack (CVE-2019-20916). urllib3 before 1.25.9 allows CRLF...
Amazon Linux AMI : php7-pear (ALAS-2021-1466)
The version of php7-pear installed on the remote host is prior to 1.10.12-4.30. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2021-1466 advisory. ArchiveTar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked...
OX App Suite Cross-Site Scripting Vulnerability (CNVD-2021-03043)
OX App Suite is a modular platform designed for telcos, hosting companies and vendors to deliver a wide range of cloud-based services. A cross-site scripting vulnerability exists in OX App Suite 7.10.4. An attacker could exploit this vulnerability via an inline image with a specially crafted...
CVE-2021-23932
OX App Suite through 7.10.4 allows XSS via an inline image with a crafted filename...
Cross-site scripting
OX App Suite through 7.10.4 allows XSS via an inline image with a crafted filename...
CVE-2021-23932
CVE-2021-23932 corresponds to an XSS vulnerability in OX App Suite up to version 7.10.4, exploitable via an inline image with a crafted filename. The connected sources confirm the vulnerability description and affected product, but do not provide any remediation details (e.g., patched version) wi...
Open-xchange OX App Suite Cross-Site Scripting Vulnerability
OX App Suite is a modular platform designed for telcos, hosting companies and vendors to deliver a wide range of cloud-based services. A cross-site scripting vulnerability exists in OX App Suite 7.10.4. An attacker could exploit this vulnerability via an inline image with a specially crafted...
CVE-2020-27262
Innokas Yhtymä Oy Vital Signs Monitor VC150 prior to version 1.7.15: A stored cross-site scripting (XSS) vulnerability exists in the affected products that allows an attacker to inject arbitrary web script or HTML via the filename parameter to multiple update endpoints of the administrative web...
Medium: php-pear
Issue Overview: ArchiveTar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked (CVE-2020-28948). ArchiveTar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack such as file:// to overwrite...
Amazon Linux 2 : php-pear (ALAS-2021-1584)
The version of php-pear installed on the remote host is prior to 1.10.12-4. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1584 advisory. ArchiveTar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked...
Lukashinsch Spring Boot Actuator Logview Path Traversal Vulnerability
Lukashinsch Spring Boot Actuator Logview is a codebase by the individual developer Ffay Lukashinsch that provides Spring Boot with the ability to view logs via a web interface. A path traversal vulnerability exists in spring-boot-actuator-logview versions prior to 0.2.13, which stems from the...