Tag
#microsoft
Comba AC2400 devices are prone to password disclosure via a simple crafted /09/business/upgrade/upcfgAction.php?download=true request to the web management server. The request doesn't require any authentication and will lead to saving the DBconfig.cfg file. At the end of the file, the login information is stored in cleartext.
D-Link DSL-2875AL and DSL-2877AL devices through 1.00.05 are prone to information disclosure via a simple crafted request to index.asp on the web management server because of username_v and password_v variables.
An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations, aka 'Windows Language Pack Installer Elevation of Privilege Vulnerability'.
XSS was discovered in the RegistrationMagic plugin 4.6.0.0 for WordPress via the rm_form_id, rm_tr, or form_name parameter.
Jenkins Timestamper Plugin 1.11.1 and earlier does not sanitize HTML formatting of its output, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.
Jenkins CryptoMove Plugin 0.1.33 and earlier allows attackers with Job/Configure access to execute arbitrary OS commands on the Jenkins master as the OS user account running Jenkins.
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).
Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, Safari 13.0.5, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. Processing maliciously crafted web content may lead to arbitrary code execution.
Today, Microsoft released Azure Sphere into General Availability (GA). Azure Sphere’s mission is to empower every organization on the planet to connect and create secured and trustworthy IoT devices. Azure Sphere is an end-to-end solution for securely connecting existing equipment and for creating new IoT devices with built-in security. The solution includes hardware, OS, and a cloud service, as well as ongoing security and OS updates to help ensure devices remain secured as threats evolve over time.