» 2020 » 9월

CVE-2020-12058

Posted on 2020년 9월 3일2020년 9월 4일 by admin

CVE-2020-12058

Several XSS vulnerabilities in osCommerce CE Phoenix before 1.0.6.0 allow an attacker to inject and execute arbitrary JavaScript code. The malicious code can be injected as follows: the page parameter to catalog/admin/order_status.php, catalog/admin/tax_rates.php, catalog/admin/languages.php, catalog/admin/countries.php, catalog/admin/tax_classes.php, catalog/admin/reviews.php, or catalog/admin/zones.php; or the zpage or spage parameter to catalog/admin/geo_zones.php.

Source: CVE-2020-12058

CVE-2020-24949

Posted on 2020년 9월 3일2020년 9월 4일 by admin

CVE-2020-24949

Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE).

Source: CVE-2020-24949

CVE-2020-7381

Posted on 2020년 9월 3일2020년 9월 4일 by admin

CVE-2020-7381

In Rapid7 Nexpose installer versions prior to 6.6.40, the Nexpose installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine. This would prevent the installer from distinguishing between a valid executable called during a Security Console installation and any arbitrary code executable using the same file name.

Source: CVE-2020-7381

CVE-2020-4638

Posted on 2020년 9월 3일2020년 9월 4일 by admin

CVE-2020-4638

IBM API Connect’s API Manager 2018.4.1.0 through 2018.4.1.12 is vulnerable to privilege escalation. An invitee to an API Provider organization can escalate privileges by manipulating the invitation link. IBM X-Force ID: 185508.

Source: CVE-2020-4638

CVE-2020-4337

Posted on 2020년 9월 3일2020년 9월 4일 by admin

CVE-2020-4337

IBM API Connect 2018.4.1.0 through 2018.4.1.12 could allow an attacker to launch phishing attacks by tricking the server to generate user registration emails that contain malicious URLs. IBM X-Force ID: 177933.

Source: CVE-2020-4337

CVE-2020-7729

Posted on 2020년 9월 3일2020년 9월 3일 by admin

CVE-2020-7729

The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

Source: CVE-2020-7729

CVE-2020-25087

Posted on 2020년 9월 3일2020년 9월 3일 by admin

CVE-2020-25087

Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/advanced_settings/languages.php.

Source: CVE-2020-25087

CVE-2020-25089

Posted on 2020년 9월 3일2020년 9월 3일 by admin

CVE-2020-25089

Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/ecommerce/discounts.php.

Source: CVE-2020-25089

CVE-2020-25093

Posted on 2020년 9월 3일2020년 9월 3일 by admin

CVE-2020-25093

Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in blog.php. within application/views/templates/clothesshop, application/views/templates/onepage, and application/views/templates/redlabel.

Source: CVE-2020-25093

CVE-2020-25088

Posted on 2020년 9월 3일2020년 9월 3일 by admin

CVE-2020-25088

Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/blog/blogpublish.php.

Source: CVE-2020-25088