Etiqueta: government

New vulnerability on the NVD: CVE-2019-20801

An issue was discovered in the Readdle Documents app before 6.9.7 for iOS. The application’s file-transfer web server allows for cross-origin requests from any domain, and the WebSocket server lacks authorization control. Any web site can execute JavaScript code (that accesses a user’s data) via cross-origin requests.

Published at: May 17, 2020 at 08:15PM
View on website

New vulnerability on the NVD: CVE-2019-20802

An issue was discovered in the Readdle Documents app before 6.9.7 for iOS. The application’s file-transfer web server improperly displays directory names, leading to Stored XSS, which may be used to steal a user’s data. This requires user interaction because there is no known direct way for an attacker to create a crafted directory name on a victim’s device. However, a crafted directory name can occur if a victim extracts a ZIP archive that was provided by an attacker.

Published at: May 17, 2020 at 08:15PM
View on website

New vulnerability on the NVD: CVE-2019-18666

An issue was discovered on D-Link DAP-1360 revision F devices. Remote attackers can start a telnet service without authorization via an undocumented HTTP request. Although this is the primary vulnerability, the impact depends on the firmware version. Versions 609EU through 613EUbeta were tested. Versions through 6.12b01 have weak root credentials, allowing an attacker to gain remote root access. After 6.12b01, the root credentials were changed but the telnet service can still be started without authorization.

Published at: May 15, 2020 at 02:15PM
View on website

New vulnerability on the NVD: CVE-2019-19721

An off-by-one error in the DecodeBlock function in codec/sdl_image.c in VideoLAN VLC media player before 3.0.9 allows remote attackers to cause a denial of service (memory corruption) via a crafted image file. NOTE: this may be related to the SDL_Image product.

Published at: May 15, 2020 at 02:15PM
View on website

New vulnerability on the NVD: CVE-2019-20389

An XSS issue was identified on the Subrion CMS 4.2.1 /panel/configuration/general settings page. A remote attacker can inject arbitrary JavaScript code in the v[language_switch] parameter (within multipart/form-data), which is reflected back within a user’s browser without proper output encoding.

Published at: May 15, 2020 at 02:15PM
View on website