ABB Cylon Aspect 3.08.01 Arbitrary File Deletion

ABB Cylon Aspect 3.08.01 databaseFileDelete.php Arbitrary File Delete Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: =3.08.01 Summary: ASPECT is an award-winning scalable building energy...

VICIdial 2.14-917a SQL Injection

KL-001-2024-011: VICIdial Unauthenticated SQL Injection Title: VICIdial Unauthenticated SQL Injection Advisory ID: KL-001-2024-011 Publication Date: 2024-09-10 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt 1. Vulnerability Details Affected Vendor: VICIdial Affect...

VICIdial 2.14-917a Remote Code Execution Vulnerability

An attacker with authenticated access to VICIdial version 2.14-917a as an agent can execute arbitrary shell commands as the root user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective. Title: VICIdial Authenticated Remo...

VICIdial 2.14-917a SQL Injection Vulnerability

An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial version 2.14-917a to enumerate database records. By default, VICIdial stores plaintext credentials within the database. Title: VICIdial Unauthenticated SQL Injection Publication URL:...

VICIdial 2.14-917a Remote Code Execution

KL-001-2024-012: VICIdial Authenticated Remote Code Execution Title: VICIdial Authenticated Remote Code Execution Advisory ID: KL-001-2024-012 Publication Date: 2024-09-10 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-012.txt 1. Vulnerability Details Affected Vendor:...

VICIdial Authenticated Remote Code Execution

Vulnerability Details Affected Vendor: VICIdial Affected Product: VICIdial Affected Version: 2.14-917a Platform: GNU/Linux CWE Classification: CWE-78: Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' CVE ID: CVE-2024-8504 2. Vulnerability Description An...

The vulnerability of the 389-ds-base package for Debian GNU/Linux and Red Hat Enterprise Linux systems allows a hacker to trigger a service failure.

The vulnerability of the 389-ds-base package for Debian GNU/Linux and Red Hat Enterprise Linux exists due to insufficient validation of input data. Exploiting this vulnerability could allow a malicious actor to cause service failures when changing the userPassword parameter using improperly...

Journyx 11.5.4 Authenticated Remote Code Execution

KL-001-2024-008: Journyx Authenticated Remote Code Execution Title: Journyx Authenticated Remote Code Execution Advisory ID: KL-001-2024-008 Publication Date: 2024.08.07 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-008.txt 1. Vulnerability Details Affected Vendor: Journ...

Journyx 11.5.4 XML Injection

KL-001-2024-010: Journyx Unauthenticated XML External Entities Injection Title: Journyx Unauthenticated XML External Entities Injection Advisory ID: KL-001-2024-010 Publication Date: 2024.08.07 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-010.txt 1. Vulnerability Detail...

Journyx 11.5.4 Cross Site Scripting

KL-001-2024-009: Journyx Reflected Cross Site Scripting Title: Journyx Reflected Cross Site Scripting Advisory ID: KL-001-2024-009 Publication Date: 2024.08.07 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-009.txt 1. Vulnerability Details Affected Vendor: Journyx Affecte...

Journyx 11.5.4 Cross Site Scripting Vulnerability

Journyx version 11.5.4 suffers from a cross site scripting vulnerability due to mishandling of the errordescription during an active directory login flow. Title: Journyx Reflected Cross Site Scripting Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-009.txt 1. Vulnerability...

Journyx 11.5.4 Authenticated Remote Code Execution Vulnerability

Journyx version 11.5.4 has an issue where attackers with a valid username and password can exploit a python code injection vulnerability during the natural login flow. Title: Journyx Authenticated Remote Code Execution Advisory ID: KL-001-2024-008 Publication Date: 2024.08.07 Publication URL:...

Journyx 11.5.4 Unauthenticated Password Reset Bruteforce Vulnerability

Journyx version 11.5.4 suffers from an issue where password reset tokens are generated using an insecure source of randomness. Attackers who know the username of the Journyx installation user can bruteforce the password reset and change the administrator password. Title: Journyx Unauthenticated...

Journyx 11.5.4 XML Injection Vulnerability

Journyx version 11.5.4 has an issue where the soapcgi.pyc API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources. Title:...

Journyx Unauthenticated XML External Entities Injection

Vulnerability Details Affected Vendor: Journyx Affected Product: Journyx jtime Affected Version: 11.5.4 Platform: GNU/Linux CWE Classification: CWE-611: Improper Restriction of XML External Entity Reference CVE ID: CVE-2024-6893 2. Vulnerability Description The "soapcgi.pyc" API handler allows...

Journyx Unauthenticated Password Reset Bruteforce

Vulnerability Details Affected Vendor: Journyx Affected Product: Journyx jtime Affected Version: 11.5.4 Platform: GNU/Linux CWE Classification: CWE-321: Use of Hard-coded Cryptographic Key, CWE-334: Small Space of Random Values, CWE-799: Improper Control of Interaction Frequency CVE ID:...

Journyx Authenticated Remote Code Execution

Vulnerability Details Affected Vendor: Journyx Affected Product: Journyx jtime Affected Version: 11.5.4 Platform: GNU/Linux CWE Classification: CWE-94: Improper Control of Generation of Code 'Code Injection', CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code 'Eval...

Journyx Reflected Cross Site Scripting

Vulnerability Details Affected Vendor: Journyx Affected Product: Journyx jtime Affected Version: 11.5.4 Platform: GNU/Linux CWE Classification: CWE-81: Improper Neutralization of Script in an Error Message Web Page CVE ID: CVE-2024-6892 2. Vulnerability Description Attackers can craft a...

ROS-20240805-08

A vulnerability in the golang package of the Debian GNU/Linux operating system is related to a lack of protection for service data. data. Exploitation of the vulnerability could allow an attacker acting remotely to gain access to sensitive information A vulnerability in the golang package of the...

ROS-20240730-15

A vulnerability in the dstring.c component of the Debian GNU/Linux operating system cpio package is caused by an integer overflow. overflow. Exploitation of the vulnerability could allow an attacker to cause a stack overflow via a generated file...