CVE-2020-4873

IBM Planning Analytics 2.0 could allow an attacker to obtain sensitive information due to an overly permissive CORS policy. IBM X-Force ID: 190836.
Source: NIST

CVE-2020-4881

IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the lack of server hostname verification for SSL/TLS communication. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 190851.
Source: NIST

CVE-2021-22498

XML External Entity Injection vulnerability in the Micro Focus Application Lifecycle Management (previously known as Quality Center) product. The vulnerability affects versions 12.x, 12.60 Patch 5 and earlier, 15.0.1 Patch 2 and earlier, and 15.5. The vulnerability could be exploited to allow an XML External Entity Injection.
Source: NIST

CVE-2021-25325

MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript: URLs.
Source: NIST

CVE-2021-3184

MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button.
Source: NIST

CVE-2021-25324

MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp.
Source: NIST

CVE-2021-25323

The default setting of MISP 2.4.136 did not enable the requirement (aka require_password_confirmation) to provide the previous password when changing a password.
Source: NIST

CVE-2020-27733

Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request.
Source: NIST

CVE-2020-4871

IBM Planning Analytics 2.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 190834.
Source: NIST

CVE-2021-3183

Files.com Fat Client 3.3.6 allows authentication bypass because the client continues to have access after a logout and a removal of a login profile.
Source: NIST