CVE-2020-36369

Stack overflow vulnerability in parse_statement_list Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.

Source: CVE-2020-36369

CVE-2021-29507

### Impact
_What kind of vulnerability is it? Who is impacted?_
The vulnerable component could be crashed when the configuration file is intentionally/ unintentionally containing the special characters.
All the applications which are using could fail to generate their dlt logs in system.

### Patches
_Has the problem been patched? What versions should users upgrade to?_
There is solution for the problem but the patch is not integrated yet.

### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
Check the integrity of information in configuration file manually.

### References
_Are there any links users can visit to find out more?_
N/A

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [ GENIVI/dlt-daemon ](https://github.com/GENIVI/dlt-daemon/issues)
* Email us at [Mailinglist](mailto:https://lists.genivi.org/mailman/listinfo/genivi-diagnostic-log-and-trace_lists.genivi.org)

Source: CVE-2021-29507

CVE-2021-29505

### Impact
The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream’s security framework with a whitelist limited to the minimal required types.

### Patches
If you rely on XStream’s default blacklist of the Security Framework, you will have to use at least version 1.4.17.

### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.

### References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream’s documentation for [CVE-2021-xxxxx](https://x-stream.github.io/CVE-2021-xxxxx.html).

### Credits

V3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Email us at [XStream Google Group](https://groups.google.com/group/xstream-user)

Source: CVE-2021-29505

CVE-2020-36371

Stack overflow vulnerability in parse_mul_div_rem Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.

Source: CVE-2020-36371

CVE-2020-18395

A NULL-pointer deference issue was discovered in GNU_gama::set() in ellipsoid.h in Gama 2.04 which can lead to a denial of service (DOS) via segment faults caused by crafted inputs.

Source: CVE-2020-18395

CVE-2020-36370

Stack overflow vulnerability in parse_unary Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.

Source: CVE-2020-36370

CVE-2020-26641

A Cross Site Request Forgery (CSRF) vulnerability was discovered in iCMS 7.0.16 which can allow an attacker to execute arbitrary web scripts.

Source: CVE-2020-26641

CVE-2021-22519

Execute arbitrary code vulnerability in Micro Focus SiteScope product, affecting versions 11.40,11.41 , 2018.05(11.50), 2018.08(11.51), 2018.11(11.60), 2019.02(11.70), 2019.05(11.80), 2019.08(11.90), 2019.11(11.91), 2020.05(11.92), 2020.10(11.93). The vulnerability could allow remote attackers to execute arbitrary code on affected installations of SiteScope.

Source: CVE-2021-22519

CVE-2021-33587

The css-what package before 5.0.1 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Source: CVE-2021-33587

CVE-2020-26642

A cross-site scripting (XSS) vulnerability has been discovered in the login page of SeaCMS version 11 which allows an attacker to inject arbitrary web script or HTML.

Source: CVE-2020-26642