Current node: cve
Timestamp
2021-07-26 21:36:48 cassandra.cerias.purdue.edu
Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions.
2021-07-26 21:36:48 cassandra.cerias.purdue.edu
In the project create screen it's possible to inject malicious JS code to the certain fields. The code might be executed in the Reporting screen. This issue affects: OTRS AG Time Accounting: 7.0.x versions prior to 7.0.19.
2021-07-26 21:36:48 cassandra.cerias.purdue.edu
Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.
2021-07-26 21:36:48 cassandra.cerias.purdue.edu
This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototype instance.
2021-07-26 21:36:48 cassandra.cerias.purdue.edu
While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not applied. This issue affects Apache Directory Studio version 2.0.0.v20210213-M16 and prior versions.
2021-07-26 21:36:48 cassandra.cerias.purdue.edu
Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.
2021-07-26 21:36:48 cassandra.cerias.purdue.edu
It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition:6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions.
2021-07-26 21:36:48 cassandra.cerias.purdue.edu
firefly-iii is vulnerable to Improper Restriction of Excessive Authentication Attempts
2021-07-26 21:36:48 cassandra.cerias.purdue.edu
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
2021-07-26 21:36:48 cassandra.cerias.purdue.edu
NCH FlexiServer v6.00 suffers from a syslog?file=/.. path traversal vulnerability.
2021-07-26 21:36:48 cassandra.cerias.purdue.edu
NCH Axon PBX v2.22 and earlier allows path traversal for file disclosure via the logprop?file=/.. substring.
2021-07-26 21:36:48 cassandra.cerias.purdue.edu
NCH Axon PBX v2.22 and earlier allows path traversal for file deletion via the logdelete?file=/.. substring.
2021-07-26 21:36:48 cassandra.cerias.purdue.edu
NCH IVM Attendant v5.12 and earlier allows path traversal via viewfile?file=/.. to read files.
2021-07-26 21:36:48 cassandra.cerias.purdue.edu
NCH IVM Attendant v5.12 and earlier allows path traversal via the logdeleteselected check0 parameter for file deletion.
2021-07-26 21:36:48 cassandra.cerias.purdue.edu
NCH IVM Attendant v5.12 and earlier suffers from a directory traversal weakness upon uploading plugins in a ZIP archive. This can lead to code execution if a ZIP element's pathname is set to a Windows startup folder, a file for the inbuilt Out-Going Message function, or a file for the inbuilt Autodial function.
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
In NCH Quorum v2.03 and earlier, an authenticated user can use directory traversal via logprop?file=/.. for file reading.
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
In NCH Quorum v2.03 and earlier, an authenticated user can use directory traversal via documentprop?file=/.. for file reading.
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
In NCH Quorum v2.03 and earlier, an authenticated user can use directory traversal via documentdelete?file=/.. for file deletion.
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via the Mailbox name (stored).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /ogmlist?folder= (reflected).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /ogmprop?id= (reflected).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /msglist?mbx= (reflected).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
NCH Quorum v2.03 and earlier allows local users to discover cleartext login information relating to users by reading the local .dat configuration files.
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the extension name (stored).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the line name (stored).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the outbound dialing plan (stored).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the blacklist IP address (stored).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the SipRule field (stored).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the primary phone field (stored).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the customer name field (stored).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /planprop?id= (reflected).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /extensionsinstruction?id= (reflected).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /ipblacklist?errorip= (reflected).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
In NCH Quorum v2.03 and earlier, XSS exists via User Display Name (stored).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
In NCH Quorum v2.03 and earlier, XSS exists via Conference Description (stored).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
In NCH Quorum v2.03 and earlier, XSS exists via /uploaddoc?id= (reflected).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
In NCH Quorum v2.03 and earlier, XSS exists via /conference?id= (reflected).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
In NCH Quorum v2.03 and earlier, XSS exists via /conferencebrowseuploadfile?confid= (reflected).
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
NCH Reflect CRM 3.01 allows local users to discover cleartext user account information by reading the configuration files.
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
In NCH WebDictate v2.13 and earlier, authenticated users can abuse logprop?file=/.. path traversal to read files on the filesystem.
2021-07-26 21:36:47 cassandra.cerias.purdue.edu
In NCH WebDictate v2.13, persistent Cross Site Scripting (XSS) exists in the Recipient Name field. An authenticated user can add or modify the affected field to inject arbitrary JavaScript.
2021-07-26 10:08:52 cassandra.cerias.purdue.edu
Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device after a factory reset, to obtain sensitive information via a series of complex hardware and software attacks. NOTE: reportedly, there were vendor marketing statements about safely removing personal content via a factory reset. Also, the vendor has reportedly indicated that they are working on mitigations.
2021-07-25 12:34:40 cassandra.cerias.purdue.edu
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
2021-07-25 12:34:40 cassandra.cerias.purdue.edu
ASRock 4x4 BOX-R1000 before BIOS P1.40 allows privilege escalation via code execution in the SMM.
2021-07-25 12:34:40 cassandra.cerias.purdue.edu
Incorrect Access Control in Beckhoff Automation GmbH & Co. KG CX9020 with firmware version CX9020_CB3011_WEC7_HPS_v602_TC31_B4016.6 allows remote attackers to bypass authentication via the "CE Remote Display Tool" as it does not close the incoming connection on the Windows CE side if the credentials are incorrect.
2021-07-25 12:34:40 cassandra.cerias.purdue.edu
Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21; MongoDB Server v4.2 versions prior to 4.2.10;
2021-07-25 12:34:40 cassandra.cerias.purdue.edu
All versions of package gitlogplus are vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization.
2021-07-25 12:34:40 cassandra.cerias.purdue.edu
SQL injection vulnerability in Learning Management System v 1.0 allows remote attackers to execute arbitrary SQL statements through the id parameter to obtain sensitive database information.
2021-07-25 12:34:40 cassandra.cerias.purdue.edu
Arbitrary file upload vulnerability in Victor CMS v 1.0 allows attackers to execute arbitrary code via the file upload to \CMSsite-master\admin\includes\admin_add_post.php.
2021-07-25 12:34:40 cassandra.cerias.purdue.edu
Cross-site scripting (XSS) vulnerability in SourceCodester E-Commerce Website v 1.0 allows remote attackers to inject arbitrary web script or HTML via the subject field to feedback_process.php.
2021-07-25 12:34:40 cassandra.cerias.purdue.edu
Arbitrary file upload vulnerability in SourceCodester Responsive Ordering System v 1.0 allows attackers to execute arbitrary code via the file upload to Product_model.php.
2021-07-25 12:34:40 cassandra.cerias.purdue.edu
Arbitrary file upload vulnerability in SourceCodester E-Commerce Website v 1.0 allows attackers to execute arbitrary code via the file upload to prodViewUpdate.php.
2021-07-25 12:34:40 cassandra.cerias.purdue.edu
Arbitrary file upload vulnerability in SourceCodester Travel Management System v 1.0 allows attackers to execute arbitrary code via the file upload to updatepackage.php.
2021-07-25 12:34:40 cassandra.cerias.purdue.edu
Multiple stored cross site scripting (XSS) vulnerabilities in the "Register" module of House Rental and Property Listing 1.0 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in all text fields except for Phone Number and Alternate Phone Number.
2021-07-25 12:34:40 cassandra.cerias.purdue.edu
Multiple stored cross site scripting (XSS) vulnerabilities in the "Update Profile" module of Online Doctor Appointment System 1.0 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in the First Name, Last Name, and Address text fields.
2021-07-25 12:34:40 cassandra.cerias.purdue.edu
A code injection vulnerability in backup/plugin.php of Bludit 3.13.1 allows attackers to execute arbitrary code via a crafted ZIP file.