» 2019 » 5월

CVE-2019-12252 (manageengine_servicedesk_plus)

Posted on 2019년 5월 22일2019년 5월 22일 by admin

CVE-2019-12252 (manageengine_servicedesk_plus)

In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring.

Source: CVE-2019-12252 (manageengine_servicedesk_plus)

CVE-2019-12190 (centos_web_panel)

Posted on 2019년 5월 22일2019년 5월 22일 by admin

CVE-2019-12190 (centos_web_panel)

XSS was discovered in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.747 via the testacc/fileManager2.php fm_current_dir or filename parameter.

Source: CVE-2019-12190 (centos_web_panel)

CVE-2019-12253

Posted on 2019년 5월 22일2019년 5월 22일 by admin

CVE-2019-12253

my little forum before 2.4.20 allows CSRF to delete posts, as demonstrated by mode=posting&delete_posting.

Source: CVE-2019-12253

CVE-2019-12251

Posted on 2019년 5월 22일2019년 5월 22일 by admin

CVE-2019-12251

sadmin/ceditpost.php in UCMS 1.4.7 allows SQL Injection via the index.php?do=sadmin_ceditpost cvalue parameter.

Source: CVE-2019-12251

CVE-2019-12250 (identityserver4)

Posted on 2019년 5월 22일2019년 5월 22일 by admin

CVE-2019-12250 (identityserver4)

IdentityServer IdentityServer4 through 2.4 has stored XSS via the httpContext to the host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext method, which can be triggered by viewing a log.

Source: CVE-2019-12250 (identityserver4)

CVE-2019-10319

Posted on 2019년 5월 21일2019년 5월 21일 by admin

CVE-2019-10319

A missing permission check in Jenkins PAM Authentication Plugin 1.5 and earlier, except 1.4.1 in PamSecurityRealm.DescriptorImpl#doTest allowed users with Overall/Read permission to obtain limited information about the file /etc/shadow and the user Jenkins is running as.

Source: CVE-2019-10319

CVE-2019-10320

Posted on 2019년 5월 21일2019년 5월 21일 by admin

CVE-2019-10320

Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.

Source: CVE-2019-10320

CVE-2019-11816

Posted on 2019년 5월 21일2019년 5월 21일 by admin

CVE-2019-11816

Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated users to escalate privileges to administrator via a specially crafted request.

Source: CVE-2019-11816

CVE-2019-10076

Posted on 2019년 5월 21일2019년 5월 21일 by admin

CVE-2019-10076

A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.

Source: CVE-2019-10076

CVE-2019-10077

Posted on 2019년 5월 21일2019년 5월 21일 by admin

CVE-2019-10077

A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.

Source: CVE-2019-10077