1121 matches found
PT-2019-15690 · Matrix · Matrix Synapse
Name of the Vulnerable Software and Affected Versions: Matrix Synapse versions prior to 1.5.0
Description: The issue concerns the mishandling of signature checking on some federation APIs. Events sent over "/send_join", "/send_leave", and "/invite" API endpoints may not be correctly signed, or ma...
asterisk -- Re-invite with T.38 and malformed SDP causes crash
The Asterisk project reports: If Asterisk receives a re-invite initiating T.38 faxing and has a port of 0 and no c line in the SDP, a crash will occur...
Lark Technologies: [CSRF] No Csrf protection against sending invitation to join the team.
A Cross-Site Request Forgery (CSRF) vulnerability was found on a "Create Invite" endpoint, which could result in any users being added to a team by tricking another user to run this Proof of Concept. We thank @imrannisar for reporting this to our team...
CVE-2019-15297
res_pjsip_t38 in Sangoma Asterisk 15.x before 15.7.4 and 16.x before 16.5.1 allows an attacker to trigger a crash by sending a declined stream in a response to a T.38 re-invite initiated by Asterisk. The crash occurs because of a NULL session media object dereference...
ALPINE-CVE-2019-15297
res_pjsip_t38 in Sangoma Asterisk 15.x before 15.7.4 and 16.x before 16.5.1 allows an attacker to trigger a crash by sending a declined stream in a response to a T.38 re-invite initiated by Asterisk. The crash occurs because of a NULL session media object dereference...
WordPress invite-anyone plugin access control error vulnerability
WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. invite-anyone is an invitation notification plugin used in it. An access control error vulnerability exists in the WordPress...
WordPress invite-anyone plugin input validation error vulnerability
WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. invite-anyone is an invitation notification plugin used in it. An input validation error vulnerability exists in the WordPress...
WordPress invite-anyone plugin cross-site request forgery vulnerability
WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. invite-anyone is an invitation notification plugin used in it. A cross-site request forgery vulnerability exists in the WordPress...
CVE-2017-18544
The invite-anyone plugin before 1.3.16 for WordPress has admin-panel CSRF...
CVE-2017-18545
The invite-anyone plugin before 1.3.16 for WordPress has incorrect escaping of untrusted Dashboard and front-end input...
CVE-2017-18543
The invite-anyone plugin before 1.3.16 for WordPress has incorrect access control for email-based invitations...
CVE-2017-18543
The CVE-2017-18543 entry concerns the WordPress plugin Invite Anyone, specifically versions before 1.3.16, which has incorrect access control for email-based invitations. The vulnerability is supported by multiple connected sources that describe the plugin’s access-control flaw, its impact, and t...
ALPINE-CVE-2019-13161
An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified Asterisk through 13.21-cert3. A pointer dereference in chan_sip while handling SDP negotiation allows an attacker to crash Asterisk when handling an SDP answer to a...
CVE-2019-13161
An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified Asterisk through 13.21-cert3. A pointer dereference in chan_sip while handling SDP negotiation allows an attacker to crash Asterisk when handling an SDP answer to a...
Null pointer dereference
An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified Asterisk through 13.21-cert3. A pointer dereference in chan_sip while handling SDP negotiation allows an attacker to crash Asterisk when handling an SDP answer to a...
CVE-2019-13161
CVE-2019-13161 affects Asterisk Open Source (through 13.x/14.x/15.x/16.x and Certified Asterisk up to 13.21-cert3). The issue is a pointer dereference in chan_sip during SDP negotiation, which can crash Asterisk when handling an SDP answer to an outgoing T.38 re-invite. Exploitation requires forc...
CVE-2018-15635
Cross-site scripting vulnerability in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote attackers to inject arbitrary web script in the browser of an internal user of the system by tricking them into inviting a follower on a document with a...