logos

 

 

 

 

 

 

 

 

Vulnerability Alerts - 2020/08/08

Previous  | Next

HMTALK - DAVIEWINDY
CVE-2020-7822 (Published: 2020/08/04 15:15:00)
DaviewIndy has a Heap-based overflow vulnerability, triggered when the user opens a malformed image file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution.
https://www.hmtalk.com/

CALENDAR01_PROJECT - CALENDAR01
CVE-2020-5616 (Published: 2020/08/04 02:15:00)
[Calendar01], [Calendar02], [PKOBO-News01], [PKOBO-vote01], [Telop01], [Gallery01], [CalendarForm01], and [Link01] [Calendar01] free edition ver1.0.0, [Calendar02] free edition ver1.0.0, [PKOBO-News01] free edition ver1.0.3 and earlier, [PKOBO-vote01] free edition ver1.0.1 and earlier, [Telop01] free edition ver1.0.0, [Gallery01] free edition ver1.0.3 and earlier, [CalendarForm01] free edition ver1.0.3 and earlier, and [Link01] free edition ver1.0.0 allows remote attackers to bypass authentication and log in to the product with administrative privileges via unspecified vectors.
https://jvn.jp/en/jp/JVN73169744/index.html

CALENDAR01_PROJECT - CALENDAR01
CVE-2020-5615 (Published: 2020/08/04 02:15:00)
Cross-site request forgery (CSRF) vulnerability in [Calendar01] free edition ver1.0.0 and [Calendar02] free edition ver1.0.0 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
https://jvn.jp/en/jp/JVN73169744/index.html

IBM - SECURITY_SECRET_SERVER
CVE-2020-4459 (Published: 2020/08/04 16:15:00)
IBM Security Verify Access 10.7 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 181395.
https://exchange.xforce.ibmcloud.com/vulnerabilities/181395

-
CVE-2020-16272 (Published: 2020/08/03 17:15:00)
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, which allows remote attackers to read and modify data in the KeePass database via an A=0 WebSocket connection.
https://danzinger.wien/exploiting-keepassrpc/

-
CVE-2020-16271 (Published: 2020/08/03 17:15:00)
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows remote attackers to read and modify data in the KeePass database via a WebSocket connection.
https://danzinger.wien/exploiting-keepassrpc/

DELTAWW - CNCSOFT_SCREENEDITOR
CVE-2020-16203 (Published: 2020/08/04 19:15:00)
Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and prior. An uninitialized pointer may be exploited by processing a specially crafted project file. Successful exploitation of this vulnerability may allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.
https://us-cert.cisa.gov/ics/advisories/icsa-20-217-01

DELTAWW - CNCSOFT_SCREENEDITOR
CVE-2020-16199 (Published: 2020/08/04 19:15:00)
Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and prior. Multiple stack-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files, which may allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.
https://us-cert.cisa.gov/ics/advisories/icsa-20-217-01

KDE - ARK
CVE-2020-16116 (Published: 2020/08/03 20:15:00)
In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal.
https://github.com/KDE/ark/commits/master

-
CVE-2020-15467 (Published: 2020/08/04 13:15:00)
The administrative interface of Cohesive Networks vns3:vpn appliances before version 4.11.1 is vulnerable to authenticated remote code execution leading to server compromise.
https://github.com/fireeye/Vulnerability-Disclosures

-
CVE-2020-14319 (Published: 2020/08/03 17:15:00)
It was found that the AMQ Online console is vulnerable to a Cross-Site Request Forgery (CSRF) which is exploitable in cases where preflight checks are not instigated or bypassed. For example authorised users using an older browser with Adobe Flash are vulnerable when targeted by an attacker. This flaw affects all versions of AMQ-Online prior to 1.5.2 and Enmasse versions 0.31.0-rc1 up until but not including 0.32.2.
https://bugzilla.redhat.com/show_bug.cgi?id=1854373

APACHE - SKYWALKING
CVE-2020-13921 (Published: 2020/08/05 14:15:00)
**Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storage, there is a SQL injection vulnerability in the wildcard query cases.
http://www.openwall.com/lists/oss-security/2020/08/05/3