CVSS 3.1 Base Score 7.5 (Confidentiality impacts). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.Ĭross-site scripting vulnerability in CSV+ prior to 0.8.1 allows a remote unauthenticated attacker to inject an arbitrary script or an arbitrary OS command via a specially crafted CSV file that contains HTML a tag. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.Ī flaw was found in Unzip. This affects versions up to, and including, 3.9.15.Ī flaw was found in Moodle in versions 3.11 to 3.11.4. This made it possible for unauthenticated attackers to download any imported or exported information from a vulnerable site which can contain sensitive information like user data. The WP Import Export WordPress plugin (both free and premium versions) is vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download function wpie_process_file_download found in the ~/includes/classes/class-wpie-general.php file. Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.
A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length.
0 kommentar(er)
