Archive for December, 2020

CVE-2020-26165

qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used.
Source: NIST
CVE-2020-26165

CVE-2020-35931

An issue was discovered in Foxit Reader before 10.1.1 (and before 4.1.1 on macOS) and PhantomPDF before 9.7.5 and 10.x before 10.1.1 (and before 4.1.1 on macOS). An attacker can spoof a certified PDF document via an Evil Annotation Attack because the products fail to consider a null value for a Subtype entry of the Annotation dictionary, in an incremental update.
Source: NIST
CVE-2020-35931

CVE-2019-25011

NetBox through 2.6.2 allows an Authenticated User to conduct an XSS attack against an admin via a GFM-rendered field, as demonstrated by /dcim/sites/add/ comments.
Source: NIST
CVE-2019-25011

CVE-2020-35930

Seo Panel 4.8.0 allows stored XSS by an Authenticated User via the url parameter, as demonstrated by the seo/seopanel/websites.php URI.
Source: NIST
CVE-2020-35930

Microsoft Reveals That Russian Attackers Accessed Some of its Source Code

Malicious SolarWinds Orion backdoor installed in Microsoft’s network led to the attackers viewing some of its source code.
Source: DarkReading
Microsoft Reveals That Russian Attackers Accessed Some of its Source Code

CVE-2020-25797

LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Add Participants Function (First and last name parameters). When the survey participant being edited, e.g. by an administrative user, the JavaScript code will be executed in the browser.
Source: NIST
CVE-2020-25797

CVE-2020-25799

LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Quota component of the Survey page. When the survey quota being viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.
Source: NIST
CVE-2020-25799

CVE-2020-11832

In functions charging_limit_current_write and charging_limit_time_write in /SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_charger.c have not checked the parameters, which causes a vulnerability.
Source: NIST
CVE-2020-11832

CVE-2020-11834

In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_vooc.c, the function proc_fastchg_fw_update_write in proc_fastchg_fw_update_write does not check the parameter len, resulting in a vulnerability.
Source: NIST
CVE-2020-11834

CVE-2020-11833

In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/charger_ic/oppo_mp2650.c, the function mp2650_data_log_write in mp2650_data_log_write does not check the parameter len which causes a vulnerability.
Source: NIST
CVE-2020-11833