CVE-2020-25845
Multiple functions of NHIServiSignAdapter fail to verify the users’ file path, which leads to the SMB request being redirected to a malicious host, resulting in the leakage of the user’s credentials.
Source: CVE-2020-25845
CVE-2020-35743
HGiga MailSherlock contains a SQL injection flaw. Attackers can inject and launch SQL commands in a URL parameter of specific cgi pages.
Source: CVE-2020-35743
CVE-2020-35742
HGiga MailSherlock contains a SQL injection vulnerability. Attackers can inject and launch SQL commands in a URL parameter.
Source: CVE-2020-35742
CVE-2020-25843
NHIServiSignAdapter fails to verify the length of digital credential files’ path, which leads to a heap overflow loophole. Remote attackers can use the leak to execute code without privilege.
Source: CVE-2020-25843
CVE-2020-25842
The encryption function of NHIServiSignAdapter fails to verify the file path input by users. Remote attackers can access arbitrary files through the flaw without privilege.
Source: CVE-2020-25842
CVE-2019-7726
modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL INSERT statement with raw header data from an HTTP request (e.g., Referer and User-Agent).
Source: CVE-2019-7726
CVE-2019-7725
includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP’s serialization format when JSON can be used to eliminate the risk).
Source: CVE-2019-7725
CVE-2016-9021
Exponent CMS before 2.6.0 has improper input validation in storeController.php.
Source: CVE-2016-9021
CVE-2016-9023
Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php.
Source: CVE-2016-9023
CVE-2016-9025
Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php.
Source: CVE-2016-9025