upnpd on certain NETGEAR devices allows remote (LAN) attackers to execute arbitrary code via a stack-based buffer overflow. This affects R6400v2 V220.127.116.11_10.0.75, R6400 V18.104.22.168_1.0.41, R7000P V22.214.171.124_10.1.66, XR300 V126.96.36.199_10.3.36, R8000 V188.8.131.52, R8300 V184.108.40.206, R8500 V220.127.116.11, R7300DST V18.104.22.168, R7850 V22.214.171.124, R7900 V126.96.36.199, RAX20 V188.8.131.52, RAX80 V184.108.40.206, and R6250 V220.127.116.11.
The LDAP authentication method in LdapLoginModule in Hazelcast IMDG Enterprise 4.x before 4.0.3, and Jet Enterprise 4.x through 4.2, does not properly verify the password in some system-user-dn scenarios. As a result, users (clients/members) can be authenticated even if they provide invalid passwords.
** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in ReadyTalk Avian 1.2.0 before 2020-10-27. The FileOutputStream.write() method in FileOutputStream.java has a boundary check to prevent out-of-bounds memory read/write operations. However, an integer overflow leads to bypassing this check and achieving the out-of-bounds access. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
The execute function in the Atlassian gajira-comment GitHub Action before version 2.0.2 allows remote attackers to execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue comment.
The preprocessArgs function in the Atlassian gajira-create GitHub Action before version 2.0.1 allows remote attackers to execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue.
IBM FileNet Content Manager 5.5.4 and 5.5.5 is potentially vulnerable to CSV injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of CSV file contents. IBM X-Force ID: 188736.
A stored cross-site scripting (XSS) vulnerability affects the Web UI in Locust before 1.3.2, if the installation violates the usage expectations by exposing this UI to outside users.
IBM Maximo Spatial Asset Management 18.104.22.168, 22.214.171.124, 126.96.36.199, and 188.8.131.52 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 186024.
IBM Maximo Spatial Asset Management 184.108.40.206, 220.127.116.11, 18.104.22.168, and 22.214.171.124 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 186023.