Security
Headlines
HeadlinesLatestCVEs

Tag

#oauth

CVE-2020-24303: grafana/CHANGELOG.md at main · grafana/grafana

Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.

CVE
Open in Source
#sql#xss#csrf#vulnerability#web#ios#mac#windows#google#microsoft#amazon#ubuntu#linux#debian#ddos#apache#redis#nodejs#js#git#java#php#perl#ldap#pdf#aws#oauth#auth#ssh#ruby#rpm#postgres#docker#chrome#firefox#sap#ssl
CVE-2020-13300

GitLab CE/EE version 13.3 prior to 13.3.4 was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow.

CVE-2020-11110: grafana/CHANGELOG.md at main · grafana/grafana

Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.

CVE-2020-4067: coturn/ChangeLog at aab60340b201d55c007bcdc853230f47aa2dfdf1 · coturn/coturn

In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response buffer is not initialized properly. There is a leak of information between different client connections. One client (an attacker) could use their connection to intelligently query coturn to get interesting bytes in the padding bytes from the connection of another client. This has been fixed in 4.5.1.3.

CVE-2020-12689: security - [OSSA-2020-004] Keystone: Keystone credential endpoints allow owner modification and are not protected from a scoped context (CVE PENDING)

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.

CVE-2020-8895: See notes on Google Earth releases

Untrusted Search Path vulnerability in the windows installer of Google Earth Pro versions prior to 7.3.3 allows an attacker to insert malicious local files to execute unauthenticated remote code on the targeted system.

CVE-2019-19034: AssetExplorer ITAM Solution ServicePacks Readme

Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.

CVE-2019-10475: Jenkins Security Advisory 2019-10-23

A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.

CVE-2019-10440: Jenkins Security Advisory 2019-10-16

Jenkins NeoLoad Plugin 2.2.5 and earlier stored credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.