
1821 matches found

Tenable Nessus
added 2020/10/19 12:0 a.m. | 42 views

Debian DSA-4773-1 : yaws - security update

Two vulnerabilities were discovered in yaws, a high performance HTTP 1.1 webserver written in Erlang. - CVE-2020-24379 The WebDAV implementation is prone to an XML External Entity (XXE) injection vulnerability. - CVE-2020-24916 The CGI implementation does not properly sanitize CGI requests allowing ...

CVSS 10 | AI score 8.5 | EPSS 0.17374
Exploits 4 | References 7
Ubuntu
added 2020/10/14 4:22 p.m. | 111 views

USN-4582-1: Vim vulnerabilities

It was discovered that Vim incorrectly handled permissions on the .swp file. A local attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 16.04 LTS. CVE-2017-17087 It was discovered that Vim incorrectly handled restricted mode. A local attacker...

CVSS 5.5 | AI score 6.6 | EPSS 0.00488
Exploits 0
RedhatCVE
added 2020/10/13 8:19 p.m. | 30 views

CVE-2020-9480

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even...

CVSS 9.3 | AI score 2.7 | EPSS 0.29157
Exploits 0 | References 3
OSV
added 2020/10/12 4:15 p.m. | 23 views

CVE-2020-8820

An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster Shell Commands Endpoint. A user may enter any XSS Payload into the Command field and execute it. Then, after revisiting the Cluster Shell Commands Menu, the XSS Payload will be rendered and executed...

CVSS 5.4 | AI score 6.2
Exploits 0 | References 1
Prion
added 2020/10/12 4:15 p.m. | 16 views

Cross site scripting

An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster Shell Commands Endpoint. A user may enter any XSS Payload into the Command field and execute it. Then, after revisiting the Cluster Shell Commands Menu, the XSS Payload will be rendered and executed...

CVSS 3.5 | AI score 5.5 | EPSS 0.00563
Exploits 0 | References 1 | Affected Software 1
The Hacker News
added 2020/10/07 9:51 a.m. | 44 views

ALERT! Hackers targeting IoT devices with a new P2P botnet malware

Cybersecurity researchers have taken the wraps off a new botnet hijacking Internet-connected smart devices in the wild to perform nefarious tasks, mostly DDoS attacks, and illicit cryptocurrency coin mining. Discovered by Qihoo 360's Netlab security team, the HEH Botnet — written in Go language a...

AI score 0.6
Exploits 0
OpenVAS
added 2020/09/29 12:0 a.m. | 1293 views

The rexec service is running

This remote host is running a rexec service. SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 10 | AI score 6.8 | EPSS 0.01908
Exploits 0
OpenVAS
added 2020/09/29 12:0 a.m. | 10 views

Huawei EulerOS: Security Advisory for ksh (EulerOS-SA-2020-2108)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.8 | AI score 7.8 | EPSS 0.01385
Exploits 0 | References 2
Tenable Nessus
added 2020/09/28 12:0 a.m. | 19 views

EulerOS 2.0 SP3 : ksh (EulerOS-SA-2020-2108)

According to the version of the ksh package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass...

CVSS 7.8 | AI score 7.4 | EPSS 0.01385
Exploits 0 | References 2
Tenable Nessus
added 2020/09/08 12:0 a.m. | 25 views

EulerOS Virtualization for ARM 64 3.0.2.0 : vim (EulerOS-SA-2020-1957)

According to the version of the vim packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - A flaw was found in vim in the restricted mode, where all commands that make use of external shells are disabled. However, i...

CVSS 5.3 | AI score 6.9 | EPSS 0.00488
Exploits 0 | References 2
Veracode
added 2020/08/03 6:23 a.m. | 10 views

Arbitrary Code Execution

is-my-json-valid is vulnerable to arbitrary code execution. An attacker is able to execute arbitrary JavaScript code and/or shell commands if the schema is allowed to be modified...

AI score 3.9
Exploits 0
Debian
added 2020/07/20 9:44 p.m. | 27 views

[SECURITY] [DLA 2284-1] ksh security update

------------------------------------------------------------------------- Debian LTS Advisory DLA-2284-1 [email protected] https://www.debian.org/lts/security/ Brian May July 21, 2020 https://wiki.debian.org/LTS - -------------------------------------------------------------------------...

CVSS 7.8 | AI score 7.8 | EPSS 0.01385
Exploits 0
CNVD
added 2020/07/17 12:0 a.m. | 2 views

Command Execution Vulnerability in SSH of UPS Management Module at VitiTech Ltd.

VitiTech is an uninterruptible power supply, automation control equipment and industrial battery company. A command execution vulnerability exists in SSH, the UPS management module of Verti Technologies Ltd. The vulnerability can be exploited to remotely execute system shell commands bypassing...

AI score 7.6
Exploits 0
OSV
added 2020/07/16 6:15 p.m. | 1 views

CVE-2020-3332

A vulnerability in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Series Routers could allow an authenticated, remote attacker to inject arbitrary shell commands that are executed by an affected device. The vulnerability is due to insufficient input...

CVSS 8.8 | AI score 6.1
Exploits 0 | References 1
NVD
added 2020/07/16 6:15 p.m. | 15 views

CVE-2020-3332

A vulnerability in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Series Routers could allow an authenticated, remote attacker to inject arbitrary shell commands that are executed by an affected device. The vulnerability is due to insufficient input...

CVSS 9 | EPSS 0.0318
Exploits 0 | References 1
Prion
added 2020/07/16 6:15 p.m. | 16 views

Input validation

A vulnerability in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Series Routers could allow an authenticated, remote attacker to inject arbitrary shell commands that are executed by an affected device. The vulnerability is due to insufficient input...

CVSS 9 | AI score 8.8 | EPSS 0.0318
Exploits 0 | References 1 | Affected Software 4
NVD
added 2020/06/23 10:15 p.m. | 13 views

CVE-2020-9480

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even...

CVSS 9.8 | EPSS 0.29157
Exploits 0 | References 6
Prion
added 2020/06/23 10:15 p.m. | 42 views

Authentication flaw

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even...

CVSS 9.3 | AI score 9.5 | EPSS 0.29157
Exploits 0 | References 6 | Affected Software 2
PyPA
added 2020/06/23 10:15 p.m. | 4 views

PYSEC-2020-95

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even...

CVSS 9.8 | AI score 7.4 | EPSS 0.29157
Exploits 0 | References 6 | Affected Software 1
NVD
added 2020/06/22 6:15 p.m. | 18 views

CVE-2019-14894

A flaw was found in the CloudForms management engine version 5.10 and CloudForms management version 5.11, which triggered remote code execution through NFS schedule backup. An attacker logged into the management console could use this flaw to execute arbitrary shell commands on the CloudForms...

CVSS 9 | EPSS 0.04078
Exploits 0 | References 1