Recent Advisories


CVE-2019-15625

A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.

  • Published: Sat 18 Jan 2020

CVE-2019-19696

A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishing sites.

  • Published: Sat 18 Jan 2020

CVE-2019-19697

An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administrator privileges on the target machine in order to exploit the vulnerability.

  • Published: Sat 18 Jan 2020

CVE-2019-20357

A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.

  • Published: Sat 18 Jan 2020

CVE-2020-7222

An issue was discovered in Amcrest Web Server 2.520.AC00.18.R 2017-06-29 WEB 3.2.1.453504. The login page responds with JavaScript when one tries to authenticate. An attacker who changes the result parameter (to true) in this JavaScript code can bypass authentication and achieve limited privileges (ability to see every option but not modify them).

  • Published: Sat 18 Jan 2020

CVE-2020-7104

The chained-quiz plugin 1.1.8.1 for WordPress has reflected XSS via the wp-admin/admin-ajax.php total_questions parameter.

  • Published: Fri 17 Jan 2020

CVE-2014-5007

Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename parameter.

  • Published: Fri 17 Jan 2020

CVE-2019-17634

Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cross site scripting (XSS) vulnerability when generating an HTML report from a malicious heap dump. The user must chose todownload, open the malicious heap dump and generate an HTML report for the problem to occur. The heap dump could be specially crafted, or could come from a crafted application or from an application processing malicious data. The vulnerability is present whena report is generated and opened from the Memory Analyzer graphical user interface, or when a report generated in batch mode is then opened in Memory Analyzer or by a web browser. The vulnerability could possibly allow code execution on the local system whenthe report is opened in Memory Analyzer.

  • Published: Fri 17 Jan 2020

CVE-2019-17635

Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must chose to reopen an already parsed heap dump with an untrusted index for the problem to occur. The problem can be averted if the index files from an untrusted source are deleted and the heap dump is opened and reparsed. Also some local configuration data is subject to a deserialization vulnerability if the local data were to be replaced with a malicious version. This can be averted if the local configuration data stored on the file system cannot be changed by an attacker. The vulnerability could possibly allow code execution on the local system.

  • Published: Fri 17 Jan 2020

CVE-2019-19339

It was found that the Red Hat Enterprise Linux 8 kpatch update did not include the complete fix for CVE-2018-12207. A flaw was found in the way Intel CPUs handle inconsistency between, virtual to physical memory address translations in CPU's local cache and system software's Paging structure entries. A privileged guest user may use this flaw to induce a hardware Machine Check Error on the host processor, resulting in a severe DoS scenario by halting the processor. System software like OS OR Virtual Machine Monitor (VMM) use virtual memory system for storing program instructions and data in memory. Virtual Memory system uses Paging structures like Page Tables and Page Directories to manage system memory. The processor's Memory Management Unit (MMU) uses Paging structure entries to translate program's virtual memory addresses to physical memory addresses. The processor stores these address translations into its local cache buffer called - Translation Lookaside Buffer (TLB). TLB has two parts, one for instructions and other for data addresses. System software can modify its Paging structure entries to change address mappings OR certain attributes like page size etc. Upon such Paging structure alterations in memory, system software must invalidate the corresponding address translations in the processor's TLB cache. But before this TLB invalidation takes place, a privileged guest user may trigger an instruction fetch operation, which could use an already cached, but now invalid, virtual to physical address translation from Instruction TLB (ITLB). Thus accessing an invalid physical memory address and resulting in halting the processor due to the Machine Check Error (MCE) on Page Size Change.

  • Published: Fri 17 Jan 2020

CVE-2020-5397

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

  • Published: Fri 17 Jan 2020

CVE-2019-10956

Geutebruck IP Cameras G-Code(EEC-2xxx), G-Cam(EBC-21xx/EFD-22xx/ETHC-22xx/EWPC-22xx): All versions 1.12.0.25 and prior may allow a remote authenticated user, using a specially crafted URL command, to execute commands as root.

  • Published: Fri 17 Jan 2020

CVE-2019-10957

Geutebruck IP Cameras G-Code(EEC-2xxx), G-Cam(EBC-21xx/EFD-22xx/ETHC-22xx/EWPC-22xx): All versions 1.12.0.25 and prior may allow a remote authenticated attacker with access to event configuration to store malicious code on the server, which could later be triggered by a legitimate user resulting in code execution within the user?s browser.

  • Published: Fri 17 Jan 2020

CVE-2019-10958

Geutebruck IP Cameras G-Code(EEC-2xxx), G-Cam(EBC-21xx/EFD-22xx/ETHC-22xx/EWPC-22xx): All versions 1.12.0.25 and prior may allow a remote authenticated attacker with access to network configuration to supply system commands to the server, leading to remote code execution as root.

  • Published: Fri 17 Jan 2020

CVE-2019-14596

Improper access control in the installer for Intel(R) Chipset Device Software INF Utility before version 10.1.18 may allow an authenticated user to potentially enable denial of service via local access.

  • Published: Fri 17 Jan 2020

CVE-2019-14600

Uncontrolled search path element in the installer for Intel(R) SNMP Subagent Stand-Alone for Windows* may allow an authenticated user to potentially enable escalation of privilege via local access.

  • Published: Fri 17 Jan 2020

CVE-2019-14601

Improper permissions in the installer for Intel(R) RWC 3 for Windows before version 7.010.009.000 may allow an authenticated user to potentially enable escalation of privilege via local access.

  • Published: Fri 17 Jan 2020

CVE-2019-14613

Improper access control in driver for Intel(R) VTune(TM) Amplifier for Windows* before update 8 may allow an authenticated user to potentially enable escalation of privilege via local access.

  • Published: Fri 17 Jan 2020

CVE-2019-14615

Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may allow an unauthenticated user to potentially enable information disclosure via local access.

  • Published: Fri 17 Jan 2020

CVE-2019-14629

Improper permissions in Intel(R) DAAL before version 2020 Gold may allow an authenticated user to potentially enable information disclosure via local access.

  • Published: Fri 17 Jan 2020

CVE-2019-17125

A Reflected Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS.

  • Published: Fri 17 Jan 2020

CVE-2019-17127

A Stored Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many application forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS. This can lead to privilege escalation.

  • Published: Fri 17 Jan 2020

CVE-2020-3940

VMware Workspace ONE SDK and dependent mobile application updates address sensitive information disclosure vulnerability.

  • Published: Fri 17 Jan 2020

CVE-2020-6862

V6.0.10P2T2 and V6.0.10P2T5 of F6x2W product are impacted by Information leak vulnerability. Unauthorized users could log in directly to obtain page information without entering a verification code.

  • Published: Fri 17 Jan 2020

CVE-2019-15854

An issue was discovered in Maarch RM before 2.5. A privilege escalation vulnerability allows an authenticated user with lowest privileges to give herself highest administration privileges via a crafted PUT request to an unauthorized resource.

  • Published: Fri 17 Jan 2020

Note: This page is generated by our securitybot and has not been checked for errors.