当前节点:cve-famous
时间节点
2021-03-17 06:01:44知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Apache
If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0

2021-03-17 06:01:02知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:通达
2021-03-13 02:04:53知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Synology DiskStation
Out-of-bounds Read vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.

2021-03-13 02:04:48知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Synology DiskStation
Use After Free vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.

2021-03-13 02:04:31知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft SharePoint
Microsoft SharePoint Server Remote Code Execution Vulnerability

2021-03-13 02:03:55知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft SharePoint
Microsoft SharePoint Server Information Disclosure Vulnerability

2021-03-13 02:02:12知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Synology DiskStation
Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.

2021-03-13 02:02:05知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft SharePoint
Microsoft SharePoint Spoofing Vulnerability

2021-03-13 02:01:00知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:用友
2021-03-13 02:00:59知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:用友
2021-03-12 06:02:24知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:ZCMS
A stored cross-site scripting (XSS) vulnerability in cszcms 1.2.9 exists in /admin/pages/new via the content parameter.

2021-03-12 06:02:16知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:SAP NetWeaver
SAP Netweaver Application Server Java (Applications based on WebDynpro Java) versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.

2021-03-12 06:02:14知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Jira
Tenable for Jira Cloud is an open source project designed to pull Tenable.io vulnerability data, then generate Jira Tasks and sub-tasks based on the vulnerabilities' current state. It published in pypi as "tenable-jira-cloud". In tenable-jira-cloud before version 1.1.21, it is possible to run arbitrary commands through the yaml.load() method. This could allow an attacker with local access to the host to run arbitrary code by running the application with a specially crafted YAML configuration file. This is fixed in version 1.1.21 by using yaml.safe_load() instead of yaml.load().

2021-03-12 06:01:25知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:IBM WebSphere
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. When application security is disabled and JAX-RPC applications are present, an attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary xml files on the system. This does not occur if Application security is enabled. IBM X-Force ID: 193556.

2021-03-12 06:00:59知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:用友
2021-03-11 10:03:36知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:SAP NetWeaver
The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check. This might allow an unauthorized attacker to access configuration objects, including such that grant administrative privileges. This could result in complete compromise of system confidentiality, integrity, and availability.

2021-03-11 10:03:33知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:RTX
Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability involving the HTTP JSON-RPC API service. If username and password authentication is enabled for the HTTP JSON-RPC API service, then prior to making any requests to an API endpoint the requestor must use the login endpoint to obtain a JSON web token (JWT) using their credentials. A single user can readily overload the login endpoint with invalid requests (incorrect password). As the supplied password is checked for validity on the main vertx event loop and takes a relatively long time this can cause the processing of other valid requests to fail. A valid username is required for this vulnerability to be exposed. This has been fixed in version 1.5.1.

2021-03-11 10:01:11知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Apache
There is a race condition in OozieSharelibCLI in Apache Oozie before version 5.2.1 which allows a malicious attacker to replace the files in Oozie's sharelib during it's creation.

2021-03-11 10:01:04知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Apache
The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

2021-03-11 10:01:01知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Apache
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

2021-03-11 10:00:59知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:用友
2021-03-11 10:00:58知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:用友
2021-03-11 10:00:58知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:深信服
2021-03-10 14:01:59知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Jira
In the "Time in Status" app before 4.13.0 for Jira, remote authenticated attackers can cause Stored XSS.

2021-03-10 14:01:47知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Elasticsearch
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.

2021-03-08 22:00:57知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:致远
2021-03-07 06:01:22知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Apache
Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. Abusing this functionality, a malicious user could inject javascript code executing unwanted action in the context of the user's browser. The javascript code will be automatically executed (Stored XSS) when a legitimate user surfs on the dashboard page. The vulnerability is exploitable creating a “div” section and embedding in it a “svg” element with javascript code.

2021-03-07 06:00:55知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:致远
2021-03-06 10:01:47知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:GitLab
Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues.

2021-03-06 10:01:47知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:GitLab
An issue has been discovered in GitLab affecting all versions starting with 11.8. GitLab was vulnerable to a stored XSS in the epics page, which could be exploited with user interactions.

2021-03-05 14:01:15知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:天融信
2021-03-05 13:35:52知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Zabbix
In Zabbix before 4.0.28rc1, 5.x before 5.0.8rc1, 5.1.x and 5.2.x before 5.2.4rc1, and 5.3.x and 5.4.x before 5.4.0alpha1, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method.

2021-03-05 13:35:14知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:GitLab
An issue has been discovered in GitLab affecting all versions starting with 13.0. Confidential issue titles in Gitlab were readable by an unauthorised user via branch logs.

2021-03-05 13:35:11知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:GitLab
An issue has been discovered in GitLab affecting all versions starting with 13.7. GitLab was vulnerable to a stored XSS in merge request.

2021-03-05 13:35:05知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Docker
In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the file /tmp/app/.env is generated at the time that the docker image bitnami/laravel was built, and the value of APP_KEY is fixed under certain conditions. This value is crucial for the security of the application and must be randomly generated per Laravel installation. If your application's encryption key is in the hands of a malicious party, that party could craft cookie values using the encryption key and exploit vulnerabilities inherent to PHP object serialization / unserialization, such as calling arbitrary class methods within your application.

2021-03-03 19:40:52知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft Exchange
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065.

2021-03-03 19:40:51知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft Exchange
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27078.

2021-03-03 19:40:50知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft Exchange
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-27065, CVE-2021-27078.

2021-03-03 19:40:49知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft Exchange
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.

2021-03-03 19:40:48知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft Exchange
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.

2021-03-03 19:40:46知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft Exchange
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.

2021-03-03 19:40:44知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft Exchange
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.

2021-03-03 19:40:34知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:GitLab
An issue has been discovered in GitLab affecting all versions of Gitlab EE/CE before 12.6.7. A potential resource exhaustion issue that allowed running or pending jobs to continue even after project was deleted.

2021-03-03 11:47:38知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Docker
rakibtg Docker Dashboard before 2021-02-28 allows command injection in backend/utilities/terminal.js via shell metacharacters in the command parameter of an API request. NOTE: this is NOT a Docker, Inc. product.

2021-03-03 11:47:01知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Apache Tomcat
有新的漏洞组件被发现啦,组件ID:Apache
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

2021-03-03 11:46:57知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Apache Tomcat
有新的漏洞组件被发现啦,组件ID:Apache
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

2021-03-03 11:46:49知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Apache
When loading a UDF, a specially crafted zip file could allow files to be placed outside of the UDF deployment directory. This issue affected Apache AsterixDB unreleased builds between commits 580b81aa5e8888b8e1b0620521a1c9680e54df73 and 28c0ee84f1387ab5d0659e9e822f4e3923ddc22d. Note: this CVE may be REJECTed as the issue did not affect any released versions of Apache AsterixDB

2021-03-03 11:46:46知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Apache
A cross-site scripting issue was found in Apache Ambari Views. This was addressed in Apache Ambari 2.7.4.

2021-03-02 10:55:04知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Jupyter
In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not authorized to access.

2021-02-27 23:08:42知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:SaltStack
An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.

2021-02-27 23:07:30知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:SaltStack
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.

2021-02-27 23:07:28知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:SaltStack
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)

2021-02-27 23:06:24知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Synology DiskStation
Use of unmaintained third party components vulnerability in faad in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote authenticated users to execute arbitrary code via a crafted file path.

2021-02-27 23:06:16知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Synology DiskStation
Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic.

2021-02-27 23:05:49知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Synology DiskStation
Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session.

2021-02-27 23:03:44知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Synology DiskStation
Improper access control vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows local users to obtain sensitive information via a crafted kernel module.