Atlassian Jira < 8.5.5 / 8.6.x < 8.8.2 / 8.9.x < 8.9.1 Multiple Cross-Site Scripting (XSS)

According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 8.5.5, or version 8.6.x prior to 8.8.2, 8.9.x prior to 8.9.1. It is, therefore, affected by a multiple Cross-Site scripting XSS vulnerabilities. - Remote attackers can inject...

CVE-2020-14610

Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite component: Attachments / File Upload. The supported version that is affected is 12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle...

CVE-2020-14610

Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite component: Attachments / File Upload. The supported version that is affected is 12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle...

Design/Logic Flaw

Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite component: Attachments / File Upload. The supported version that is affected is 12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle...

CVE-2020-14610

Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite component: Attachments / File Upload. The supported version that is affected is 12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle...

Unspecified Vulnerability in Oracle E-Business Suite (CNVD-2020-44272)

Oracle E-Business Suite E-Business Suite is the United States Oracle Oracle company's set of fully integrated global business management software. The software provides customer relationship management, service management, financial management and other functions.Applications Framework OA...

Nextcloud: Access control missing while viewing the attachments in the "All boards"

The vulnerability lies in the "view attachment" of the tasks . When a user uploads the file to the Task, the attachment is given a numeric number and is increased +1 on further uploads. It is easy for any user to view and download all the files uploaded to the tasks by any user. The access is not...

Threat Source newsletter for July 2, 2020

Newsletter compiled by Jon Munshaw. Good afternoon, Talos readers. Our latest research you should catch up on is the Valak malware. This information-stealer sneaks its way onto victim machines by hijacking legitimate email threads. The threat actors send their phishing emails and attachments in...

Atlassian JIRA Server and Data Center Cross-Site Scripting Vulnerability (CNVD-2020-53364)

Atlassian JIRA Server and Atlassian JIRA Data Center are both products of Atlassian Australia.Atlassian JIRA Server is the server version of a defect tracking management system. Atlassian JIRA Server is the server version of a defect tracking management system that is used to track and manage all...

Atlassian JIRA Server and Data Center Cross-Site Scripting Vulnerability (CNVD-2020-53365)

Atlassian JIRA Server and Atlassian JIRA Data Center are both products of Atlassian Australia.Atlassian JIRA Server is the server version of a defect tracking management system. Atlassian JIRA Server is the server version of a defect tracking management system that is used to track and manage all...

Atlassian JIRA Server and Data Center Cross-Site Scripting Vulnerability (CNVD-2020-53363)

Atlassian JIRA Server and Atlassian JIRA Data Center are both products of Atlassian Australia.Atlassian JIRA Server is the server version of a defect tracking management system. Atlassian JIRA Server is the server version of a defect tracking management system that is used to track and manage all...

CVE-2020-4024

The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability issue attachments with a vnd.wap.xhtml+xml...

Hakbit Ransomware Attack Uses GuLoader, Malicious Microsoft Excel Attachments

A ransomware campaign, dubbed Hakbit, is targeting mid-level employees across Austria, Switzerland and Germany with malicious Excel attachments delivered via the popular email provider GMX. The spear-phishing based campaign is low volume and so far targeted the pharmaceutical, legal, financial,...

CVE-2020-12782

Openfind MailGates contains a Command Injection flaw, when receiving email with specific strings, malicious code in the mail attachment will be triggered and gain unauthorized access to system files...

Fedora 31 : roundcubemail (2020-2a1a6a8432)

RELEASE 1.4.6 - Installer: Fix regression in SMTP test section 7417 ---- RELEASE 1.4.5 - Fix bug in extracting required plugins from composer.json that led to spurious error in log 7364 - Fix so the database setup description is compatible with MySQL 8 7340 - Markasjunk: Fix regression in jsevent...

UBUNTU-CVE-2020-14933

DISPUTED compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request. NOTE: the vendor disputes this because these two conditions for PHP object injection are not satisfied: existence of a PHP magic method such as wakeup or destruct,...

PT-2020-14070 · Squirrelmail · Squirrelmail

Name of the Vulnerable Software and Affected Versions: SquirrelMail version 1.4.22 Description: The issue arises in compose.php, where the $attachments value from an HTTP POST request is passed to unserialize. This could potentially lead to PHP object injection. However, the vendor disputes this,...

WordPress has unspecified vulnerabilities (CNVD-2021-24379)

WordPress is a set of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A security vulnerability exists in WordPress, which can be exploited by attackers to inject JavaScript code to...

PT-2020-3638 · WordPress · Wordpress

Name of the Vulnerable Software and Affected Versions: WordPress versions prior to 5.4.2 WordPress versions 5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34 Description: The issue is related to the injection of...

Debian DLA-2244-1 : libphp-phpmailer security update

It was discovered that there was an escaping issue in libphp-phpmailer, an email generation utility class for the PHP programming language. The Content-Type and Content-Disposition headers could have permitted file attachments that bypassed attachment filters which match on filename extensions. F...