Lucene search

3101 matches found

RedHat Linux
added 2021/10/20 11:29 a.m., 3 views

netty: Information disclosure via the local system temporary directory

In Netty there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, a local information disclosure can occur via the local system temporary directory if storing uploads temporarily on disk is enabled. On Unix-like systems, the...

CVSS 6.2, AI score 7.3, EPSS 0.01777
Exploits: 1, References: 4
OSV
added 2021/10/12 3:15 p.m., 2 views

CVE-2021-38180

SAP Business One, version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitization during the data export. An attacker could thereby execute arbitrary commands on the victim's computer, but only if the victim allows macros to execute while...

CVSS 9.8, AI score 6, EPSS 0.01987
Exploits: 0, References: 2
OSV
added 2021/10/07 4:15 p.m., 6 views

ALPINE-CVE-2021-42013

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default...

CVSS 9.8, AI score 7.9, EPSS 0.99964
Exploits: 60, References: 1
OSV
added 2021/10/05 9:15 a.m., 7 views

ALPINE-CVE-2021-41773

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default...

CVSS 9.8, AI score 7.7, EPSS 0.99992
Exploits: 145, References: 1
The Hacker News
added 2021/10/01 2:15 p.m., 41 views

Apple Pay Can be Abused to Make Contactless Payments From Locked iPhones

Cybersecurity researchers have disclosed an unpatched flaw in Apple Pay that attackers could abuse to make an unauthorized Visa payment with a locked iPhone by taking advantage of the Express Travel mode set up in the device's wallet. "An attacker only needs a stolen, powered on iPhone. The...

AI score 0.6
Exploits: 0
OSV
added 2021/09/29 5:09 p.m., 12 views

GHSA-36MJ-6R7R-MQHF User can obtain JWT token even if account is disabled

Users can authenticate this way even if their user account is disabled. This is a high-risk vulnerability when account disabling is used to block users' access to the system. Someone who never had an account cannot exploit this vulnerability. The fix ensures tokens are generated only for enabled...

AI score 7
Exploits: 0, References: 3
Github Security Blog
added 2021/09/29 5:09 p.m., 16 views

User can obtain JWT token even if account is disabled

Users can authenticate this way even if their user account is disabled. This is a high-risk vulnerability when account disabling is used to block users' access to the system. Someone who never had an account cannot exploit this vulnerability. The fix ensures tokens are generated only for enabled...

AI score 3.6
Exploits: 0, References: 3, Affected software: 1
OSV
added 2021/09/29 2:31 p.m., 5 views

OPENSUSE-SU-2021:3256-1 Security update for postgresql12

This update for postgresql12 fixes the following issues: - CVE-2021-3677: Fixed memory disclosure in certain queries (bsc1189748). - Fixed build with llvm12 on s390x (bsc1185952). - Re-enabled icu for PostgreSQL 10 (bsc1179945). - Made the dependency of postgresqlXX-server-devel on llvm and clang...

CVSS 6.5, AI score 7, EPSS 0.01425
Exploits: 0, References: 6
OSV
added 2021/09/29 2:30 p.m., 7 views

OPENSUSE-SU-2021:3255-1 Security update for postgresql13

This update for postgresql13 fixes the following issues: - CVE-2021-3677: Fixed memory disclosure in certain queries (bsc1189748). - Fixed build with llvm12 on s390x (bsc1185952). - Re-enabled icu for PostgreSQL 10 (bsc1179945). - Made the dependency of postgresqlXX-server-devel on llvm and clang...

CVSS 6.5, AI score 7, EPSS 0.01425
Exploits: 0, References: 6
RedHat Linux
added 2021/09/23 4:18 p.m., 3 views

wildfly-elytron: possible timing attack in ScramServer

A flaw was found in Wildfly Elytron where ScramServer may be susceptible to a timing attack if enabled. The highest threat from this vulnerability is to confidentiality...

CVSS 5.3, AI score 5.7, EPSS 0.00846
Exploits: 0, References: 4
Amazon
added 2021/09/21 12:00 a.m., 5 views

Important: kernel-livepatch-4.14.241-184.433

Issue Overview: No CVE associated with this advisory. Affected Packages: kernel-livepatch-4.14.241-184.433. Issue Correction: Please ensure you have live patching enabled. Run "yum update kernel-livepatch-4.14.241-184.433" or "yum update --advisory ALAS2LIVEPATCH-2021-063" to update your system. New...

CVSS 7, AI score 7, EPSS 0.00282
Exploits: 0
Amazon
added 2021/09/21 12:00 a.m., 2 views

Important: kernel-livepatch-4.14.232-177.418

Issue Overview: No CVE associated with this advisory. Affected Packages: kernel-livepatch-4.14.232-177.418. Issue Correction: Please ensure you have live patching enabled. Run "yum update kernel-livepatch-4.14.232-177.418" or "yum update --advisory ALAS2LIVEPATCH-2021-060" to update your system. New...

CVSS 7, AI score 7, EPSS 0.00282
Exploits: 0
OpenVAS
added 2021/09/21 12:00 a.m., 14 views

Apache Struts Debug Mode Enabled (HTTP) - Active Check

The remote host is running an Apache Struts application with debug mode enabled. ...

CVSS 10, AI score 6.9, EPSS 0.99999
Exploits: 44, References: 3
OSV
added 2021/09/16 5:43 p.m., 5 views

SUSE-SU-2021:3119-1 Security update for postgresql12

This update for postgresql12 fixes the following issues: - CVE-2021-3677: Fixed memory disclosure in certain queries (bsc1189748). - Fixed build with llvm12 on s390x (bsc1185952). - Re-enabled icu for PostgreSQL 10 (bsc1179945). - Made the dependency of postgresqlXX-server-devel on llvm and clang...

CVSS 6.5, AI score 7.1, EPSS 0.01425
Exploits: 0, References: 6
CNNVD
added 2021/09/16 12:00 a.m., 2 views

Mobility security vulnerability

NetMotion Mobility is a mobile VPN software from NetMotion, Inc. It is used to securely extend corporate networks to mobile environments. A security vulnerability exists in Mobility that stems from a problem with the access controls on the Mobility Read/Write API for validating user access, which...

CVSS 6.8, AI score 6.7, EPSS 0.00559
Exploits: 0, References: 2
OSV
added 2021/09/15 3:25 p.m., 1 view

DRUPAL-CORE-2021-010

Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected. This advisory is not covered by Drupal Steward...

CVSS 7.5, AI score 6.8, EPSS 0.01037
Exploits: 0, References: 1
Exploit DB
added 2021/09/13 12:00 a.m., 266 views

ECOA Building Automation System - Configuration Download Information Disclosure

Exploit Title: ECOA Building Automation System - Configuration Download Information Disclosure; Date: 25.06.2021; Exploit Author: Neurogenesia; Vendor Homepage: http://www.ecoa.com.tw. ECOA Building Automation System Configuration Download Information Disclosure. Vendor: ECOA Technologies Corp. Produc...

AI score 7.4
Exploits: 0
Packet Storm
added 2021/09/10 12:00 a.m., 176 views

ECOA Building Automation System Hardcoded SSH Credentials

ECOA Building Automation System Hard-coded Credentials SSH Access. Vendor: ECOA Technologies Corp. Product web page: http://www.ecoa.com.tw. Affected version: ECOA ECS Router Controller - ECS FLASH; ECOA RiskBuster Terminator - E6L45; ECOA RiskBuster System - RB 3.0.0; ECOA RiskBuster System - TRANE 1...

AI score 0.4
Exploits: 0
Packet Storm
added 2021/09/10 12:00 a.m., 231 views

ECOA Building Automation System Remote Privilege Escalation

ECOA Building Automation System Remote Privilege Escalation. Vendor: ECOA Technologies Corp. Product web page: http://www.ecoa.com.tw. Affected version: ECOA ECS Router Controller - ECS FLASH; ECOA RiskBuster Terminator - E6L45; ECOA RiskBuster System - RB 3.0.0; ECOA RiskBuster System - TRANE 1.0; ECO...

AI score 1
Exploits: 0
Packet Storm
added 2021/09/10 12:00 a.m., 218 views

ECOA Building Automation System Cookie Poisoning / Authentication Bypass

ECOA Building Automation System Cookie Poisoning Authentication Bypass. Vendor: ECOA Technologies Corp. Product web page: http://www.ecoa.com.tw. Affected version: ECOA ECS Router Controller - ECS FLASH; ECOA RiskBuster Terminator - E6L45; ECOA RiskBuster System - RB 3.0.0; ECOA RiskBuster System -...

AI score 0.6
Exploits: 0