Time | Node | Message |
---|---|---|
2021-04-14 19:27:53 | Well-known component CVE monitoring | New vulnerable component found, component ID: Microsoft Exchange. Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-28480, CVE-2021-28481, CVE-2021-28482. |
2021-04-14 19:27:52 | Well-known component CVE monitoring | New vulnerable component found, component ID: Microsoft Exchange. Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-28480, CVE-2021-28481, CVE-2021-28483. |
2021-04-14 19:27:51 | Well-known component CVE monitoring | New vulnerable component found, component ID: Microsoft Exchange. Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-28480, CVE-2021-28482, CVE-2021-28483. |
2021-04-14 19:27:50 | Well-known component CVE monitoring | New vulnerable component found, component ID: Microsoft Exchange. Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-28481, CVE-2021-28482, CVE-2021-28483. |
2021-04-14 19:27:24 | Well-known component CVE monitoring | New vulnerable component found, component ID: Outlook. Microsoft Outlook Memory Corruption Vulnerability. |
2021-04-14 19:27:22 | Well-known component CVE monitoring | New vulnerable component found, component ID: Microsoft SharePoint. Microsoft SharePoint Denial of Service Update. |
2021-04-14 19:24:55 | Well-known component CVE monitoring | New vulnerable component found, component ID: SAP NetWeaver. An RFC-enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions 731, 740, 750, allows a work process to be kept busy for any length of time. An attacker could call this function module multiple times to block all work processes, causing a Denial of Service and affecting the Availability of the SAP system. |
2021-04-14 19:24:53 | Well-known component CVE monitoring | New vulnerable component found, component ID: SAP NetWeaver. SAP NetWeaver AS Java (applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over the kind or degree of the impact. |
2021-04-14 19:24:50 | Well-known component CVE monitoring | New vulnerable component found, component ID: SAP NetWeaver. SAP NetWeaver AS Java (Customer Usage Provisioning Servlet), versions 7.31, 7.40, 7.50, allows an attacker to read some statistical data such as product version, traffic, and timestamps because of a missing authorization check in the servlet. |
2021-04-14 19:23:50 | Well-known component CVE monitoring | New vulnerable component found, component ID: SAP NetWeaver. SAP NetWeaver Application Server Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate the logon group in URLs, resulting in a content spoofing vulnerability when directory listing is enabled. |
2021-04-14 19:23:49 | Well-known component CVE monitoring | New vulnerable component found, component ID: SAP NetWeaver. An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java that allow the attacker to obtain NTLM hashes of a privileged user. |
2021-04-14 19:23:46 | Well-known component CVE monitoring | New vulnerable component found, component ID: SAP NetWeaver. SAP NetWeaver Master Data Management, versions 710, 710.750, allows a malicious unauthorized user with access to the MDM Server subnet to find the password using a brute-force method. If successful, the attacker could obtain access to highly sensitive data and MDM administrative privileges, leading to an information disclosure vulnerability that affects the confidentiality and integrity of the application. This happens when the security guidelines and recommendations concerning administrative accounts of an SAP NetWeaver Master Data Management installation have not been thoroughly reviewed. |
2021-04-13 23:25:53 | Well-known component CVE monitoring | New vulnerable component found, component IDs: Solr, Apache Solr, Apache. When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of the original client credentials. This would result in incorrect authorization resolution on the receiving hosts. |
2021-04-13 23:25:49 | Well-known component CVE monitoring | New vulnerable component found, component ID: Apache. In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo" or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code used the result to construct a path value. |
2021-04-13 23:25:36 | Well-known component CVE monitoring | New vulnerable component found, component IDs: Solr, Apache Solr, Apache. When starting Apache Solr versions prior to 8.8.2 configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs. |
2021-04-13 23:24:51 | Well-known component CVE monitoring | New vulnerable component found, component IDs: Solr, Apache Solr, Apache. The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent an SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug being fixed, it did not. This problem affects essentially all Solr versions prior to the fix in 8.8.2. |
2021-04-13 23:21:08 | Well-known component CVE monitoring | New vulnerable component found, component ID: GitLab. A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token. |
2021-04-10 19:09:27 | Well-known component CVE monitoring | New vulnerable component found, component ID: 通达 (Tongda). |
2021-04-09 20:00:14 | Well-known component CVE monitoring | New vulnerable component found, component ID: Jenkins. Missing Authorization vulnerability in the Micro Focus Application Automation Tools Plugin for Jenkins. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow access without permission checks. |
2021-04-09 20:00:11 | Well-known component CVE monitoring | New vulnerable component found, component ID: Jenkins. Cross-Site Request Forgery (CSRF) vulnerability in the Micro Focus Application Automation Tools Plugin for Jenkins. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow form validation without permission checks. |
2021-04-09 20:00:08 | Well-known component CVE monitoring | New vulnerable component found, component ID: Jenkins. Improper Certificate Validation vulnerability in the Micro Focus Application Automation Tools Plugin for Jenkins. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow SSL/TLS certificate validation to be unconditionally disabled. |
2021-04-09 20:00:03 | Well-known component CVE monitoring | New vulnerable component found, component ID: Jenkins. Reflected XSS vulnerability in the Micro Focus Application Automation Tools Plugin for Jenkins. The vulnerability affects version 6.7 and all earlier versions. |
2021-04-09 19:59:53 | Well-known component CVE monitoring | New vulnerable component found, component ID: IBM WebSphere. IBM WebSphere Application Server 7.0, 8.0, and 8.5 is vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data. IBM X-Force ID: 197502. |
2021-04-09 19:59:23 | Well-known component CVE monitoring | New vulnerable component found, component ID: Jira. The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1, allows remote anonymous attackers to obtain gadget-related settings via a missing permissions check. |
2021-04-09 19:59:18 | Well-known component CVE monitoring | New vulnerable component found, component ID: ZCMS. zzcms 201910 contains an access control vulnerability through escalation of privileges in /user/adv.php, which allows an attacker to modify data for further attacks such as CSRF. |
2021-04-09 00:02:40 | Well-known component CVE monitoring | New vulnerable component found, component IDs: Docker, Apache. Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. Exploitation succeeds only for certain installations with the Apache HTTP Server and the local-storage driver (e.g., when the product was obtained from hub.docker.com). |
2021-04-09 00:02:21 | Well-known component CVE monitoring | New vulnerable component found, component ID: Jenkins. A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin 3.9 and earlier allows attackers to promote builds. |
2021-04-09 00:02:15 | Well-known component CVE monitoring | New vulnerable component found, component ID: Jenkins. Jenkins 2.286 and earlier, LTS 2.277.1 and earlier, does not properly check that a newly created view has an allowed name, allowing attackers with View/Create permission to create views with invalid or already-used names. |
2021-04-09 00:02:13 | Well-known component CVE monitoring | New vulnerable component found, component ID: Jenkins. Jenkins 2.286 and earlier, LTS 2.277.1 and earlier, does not validate the type of object created after loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with Computer/Configure permission to replace a node with one of a different type. |
2021-04-09 00:02:02 | Well-known component CVE monitoring | New vulnerable component found, component ID: Cisco IOS. A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges on the underlying Linux operating system (OS) of an affected device. This vulnerability is due to insufficient input validation of commands that are supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to an affected command. A successful exploit could allow the attacker to execute commands on the underlying Linux OS with root privileges. |
2021-04-08 04:00:18 | Well-known component CVE monitoring | New vulnerable component found, component ID: Seafile. Seafile 7.0.5 (2019) allows Persistent XSS via the "share of library" functionality. |
2021-04-08 04:00:09 | Well-known component CVE monitoring | New vulnerable component found, component ID: Django. In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability. |
2021-04-08 03:59:30 | Well-known component CVE monitoring | New vulnerable component found, component ID: F5. An issue was discovered in the Linux kernel before 5.7. The KVM subsystem allows out-of-range access to memslots after a deletion, aka CID-0774a964ef56. This affects arch/s390/kvm/kvm-s390.c, include/linux/kvm_host.h, and virt/kvm/kvm_main.c. |
2021-04-08 03:58:58 | Well-known component CVE monitoring | New vulnerable component found, component ID: 海康威视 (Hikvision). |
2021-04-07 08:00:56 | Well-known component CVE monitoring | New vulnerable component found, component ID: Redmine. Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API. |
2021-04-07 08:00:55 | Well-known component CVE monitoring | New vulnerable component found, component ID: Redmine. Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values. |
2021-04-07 07:59:06 | Well-known component CVE monitoring | New vulnerable component found, component ID: Redmine. Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading time entries. |
2021-04-07 07:59:05 | Well-known component CVE monitoring | New vulnerable component found, component ID: Redmine. Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via Textile inline links. |
2021-04-07 07:59:03 | Well-known component CVE monitoring | New vulnerable component found, component ID: Redmine. Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url field. |
2021-04-07 07:58:59 | Well-known component CVE monitoring | New vulnerable component found, component ID: Redmine. Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting. |
2021-04-06 11:58:56 | Well-known component CVE monitoring | New vulnerable component found, component ID: 用友 (Yonyou). |
2021-04-03 18:09:14 | Well-known component CVE monitoring | New vulnerable component found, component ID: Apache. CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https") and was making a REST request to the URI given in the request to retrieve a token. This means that CXF was vulnerable to DDoS attacks on the authorization server, as described in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3 and Apache CXF versions prior to 3.3.10. |
2021-04-03 18:09:06 | Well-known component CVE monitoring | New vulnerable component found, component ID: GitLab. An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.7.9. A specially crafted Wiki page allowed attackers to read arbitrary files on the server. |
2021-04-03 18:09:01 | Well-known component CVE monitoring | New vulnerable component found, component ID: GitLab. An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API. |
2021-04-03 18:08:53 | Well-known component CVE monitoring | New vulnerable component found, component ID: GitLab. An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server. |
2021-04-03 18:08:49 | Well-known component CVE monitoring | New vulnerable component found, component ID: GitLab. An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project fork as an anonymous user. |
2021-04-03 18:08:43 | Well-known component CVE monitoring | New vulnerable component found, component ID: GitLab. An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above, allowing an authenticated user to delete incident metric images of public projects. |
2021-04-03 18:08:40 | Well-known component CVE monitoring | New vulnerable component found, component ID: GitLab. An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 where an infinite loop exists when an authenticated user with specific rights accesses an MR whose source and target branches point to each other. |
2021-04-03 18:08:33 | Well-known component CVE monitoring | New vulnerable component found, component ID: GitLab. An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site scripting vulnerability in merge requests via a specifically crafted branch name. |
2021-04-02 22:04:23 | Well-known component CVE monitoring | New vulnerable component found, component ID: GitLab. Client-side code execution in gitlab-vscode-extension v3.15.0 and earlier allows an attacker to execute code on the user's system. |
2021-04-02 22:04:19 | Well-known component CVE monitoring | New vulnerable component found, component ID: GitLab. A potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike server resource utilization via a gitlab-shell command. |
2021-04-02 22:04:02 | Well-known component CVE monitoring | New vulnerable component found, component ID: Django. django-registration is a user registration package for Django. The django-registration package provides tools for implementing user-account registration flows in the Django web framework. In django-registration prior to 3.1.2, the base user-account registration view did not properly apply filters to sensitive data, with the result that sensitive data could be included in error reports rather than removed automatically by Django. Triggering this requires: a site is using django-registration < 3.1.2, the site has detailed error reports (such as Django's emailed error reports to site staff/developers) enabled, and a server-side error (HTTP 5xx) occurs during an attempt by a user to register an account. Under these conditions, recipients of the detailed error report will see all submitted data from the account-registration attempt, which may include the user's proposed credentials (such as a password). |
2021-04-02 02:02:54 | Well-known component CVE monitoring | New vulnerable component found, component ID: Docker. BTCPay Server before 1.0.7.1 mishandles the policy setting in which users can register (in Server Settings > Policies). This affects Docker use cases in which a mail server is configured. |
2021-04-02 02:02:52 | Well-known component CVE monitoring | New vulnerable component found, component ID: Synology DiskStation. Improper neutralization of special elements used in an OS command in SYNO.Core.Network.PPPoE in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote authenticated users to execute arbitrary code via the realname parameter. |
2021-04-02 02:02:40 | Well-known component CVE monitoring | New vulnerable component found, component ID: Jira. The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability. |
2021-04-02 02:02:14 | Well-known component CVE monitoring | New vulnerable component found, component ID: F5. When using BIG-IP APM 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, or all 12.1.x and 11.6.x versions, or Edge Client versions 7.2.1.x before 7.2.1.1, 7.1.9.x before 7.1.9.8, or 7.1.8.x before 7.1.8.5, the session ID is visible in the arguments of the f5vpn.exe command when the VPN is launched from the browser on a Windows system. Addressing this issue requires both the client and server fixes. Note: software versions which have reached End of Software Development (EoSD) are not evaluated. |