ReadyTalk Avian JVM versions 1.2.0 before 27th October 2020 suffer from a FileOutputStream.write() integer overflow vulnerability.
6900d0810f32c7a4085388df479ec9c677eafb362f0ace4123fc2d63eacfd040TP-Link cloud cameras NCXXX series (NC200, NC210, NC220, NC230, NC250, NC260, NC450) are vulnerable to an authenticated command injection vulnerability. In all devices except NC210, despite a check on the name length in swSystemSetProductAliasCheck, no other checks are in place in order to prevent shell metacharacters from being introduced. The system name would then be used in swBonjourStartHTTP as part of a shell command where arbitrary commands could be injected and executed as root. NC210 devices cannot be exploited directly via /setsysname.cgi due to proper input validation. NC210 devices are still vulnerable since swBonjourStartHTTP did not perform any validation when reading the alias name from the configuration file. The configuration file can be written, and code execution can be achieved by combining this issue with CVE-2020-12110.
820ebca1a60727c3c7198c5f8d186f030d053aca8aaa88544be3fdcb57017f5eNoise-Java suffers from an issue located in the AESGCMOnCtrCipherState.encryptWithAd() method defined in AESGCMOnCtrCipherState.java, where multiple boundary checks are performed to prevent invalid length or offsets from being specified for the encrypt or copy operation. However, some checks were found to be either incomplete or missing.
a99df3ee9f5acff0704d48e5d7c762aa97aa9cf1ebaf6936dab504c89c499e99Noise-Java suffers from an issue located in the ChaChaPolyCipherState.encryptWithAd() method defined in ChaChaPolyCipherState.java, where multiple boundary checks are performed to prevent invalid length or offsets from being specified for the encrypt or copy operation. However, some checks were found to be either incomplete or missing.
f3994b64ff5442dca9b210aa3ea273c585602af6661380803b314457b75427d5Noise-Java suffers from an issue located in the AESGCMFallbackCipherState.encryptWithAd() method defined in AESGCMFallbackCipherState.java, where multiple boundary checks are performed to prevent invalid length or offsets from being specified for the encrypt or copy operation. However, some checks were found to be either incomplete or missing.
4e410b9fd9e7aa4bb4aa52ef1b488bee68cddf57081ac0029713f8e54a1eba53Avian JVM version 1.2.0 suffers from a silent return issue in the vm::arrayCopy method defined in classpath-common.h, where multiple boundary checks are performed to prevent out-of-bounds memory read/write. One of these boundary checks makes the code return silently when a negative length is provided instead of throwing an exception.
53ead956cdf9e9e2c075fcdfff1ae5c760e139f9927afb026cac0d5b93cd5921Avian JVM version 1.2.0 suffers from multiple vm::arrayCopy() integer overflow vulnerabilities.
f95c4205b8ecd4cf340fed2f7ac5947cbf815565adc1c0184abd2d90668c51dcTP-LINK Cloud Cameras NCXXX suffer from a DelMultiUser stack overflow vulnerability.
8ceea48329dd3d48af63a7ccdec830b47ac2bcf4bf77d8735c577b80b70e19b4TP-LINK Cloud Cameras including products NC260 and NC450 suffer from a command injection vulnerability. The issue is located in the httpSetEncryptKeyRpm method (handler for /setEncryptKey.fcgi) of the ipcamera binary, where the user-controlled EncryptKey parameter is used directly as part of a command line to be executed as root without any input sanitization.
7c6daeba86b10ee66abb00c8b005635251b71f86700d9246cd9f53c346cb9ee0TP-LINK Cloud Cameras including products NC200, NC210, NC220, NC230, NC250, NC260, and NC450 suffer from having a hardcoded encryption key. The issue is located in the methods swSystemBackup and sym.swSystemRestoreFile, where a hardcoded encryption key is used in order to encrypt/decrypt a config backup file. The algorithm in use is DES ECB with modified s-boxes and permutation tables.
8a9bf019904b9da201926fdb2f4eca44ec5bb26ff30a3e12709465ed196958caTP-LINK Cloud Cameras including products NC200, NC210, NC220, NC230, NC250, NC260, and NC450 suffer from a command injection vulnerability. The issue is located in the swSystemSetProductAliasCheck method of the ipcamera binary (Called when setting a new alias for the device via /setsysname.fcgi), where despite a check on the name length, no other checks are in place in order to prevent shell metacharacters from being introduced. The system name would then be used in swBonjourStartHTTP as part of a shell command where arbitrary commands could be injected and executed as root.
51f53a1e5bba2a9ada63d195865ebededf26762f4a245d45d4e986eb40f62c20TP-LINK cloud cameras including products NC200, NC210, NC220, NC230, NC250, NC260, and NC450 suffer from a remote null pointer dereference vulnerability.
9f1d7280c6b43c3460d7edc998309cea3240cebfc388e46f582ecf935c7deb71WordPress Pods plugin versions 2.4.3 and below suffer from cross site request forgery and cross site scripting vulnerabilities.
0d05523785cc3c3d6afe4c0cd58b19ca76dd69c34245e15bfa829cfa9677b80dWordPress Bulletproof-Security version .51 suffers from SSRF, cross site scripting, and remote SQL injection vulnerabilities.
f48eb2e59a5e952f39b016be11e5ff6296d87aa734b6ee5886bc652f1e3ef960WordPress Buddypress plugin versions 1.9.1 and below suffer from a privilege escalation vulnerability.
fa0ee4897fffef374ba31d9600f656b4b67d282b9dee8e74e5f06db89ccd0ac0WordPress Buddypress plugin versions 1.9.1 and below suffer from a persistent cross site scripting vulnerability.
cb6e6a7f1e53ac871ca5f03ab6a3fb79940b35b8a9e403602f1639a1c1c52a7bmplayer versions 4.4.1 and below NULL pointer dereference exploit.
376e5f60a06701cdee772cf805e9548c3f3f6f36aca1a4e40871d91d04d2af41Gnome Panel versions 2.28.0 and below denial of service proof of concept exploit.
e29183e7a8b1eb5a52dcb852b6fcd168a4575c018ec59fb9bfc89dd06299d339
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed