Rocket.Chat versions 3.7.1 and below suffer from an email address enumeration vulnerability.
023ad89f274a1ee4b96e849967a0021876dca5479963125bc3acb45d9a8cf6fa
Micro Focus GroupWise is messaging software for email and personal information management. Trovent Security GmbH discovered that the GroupWise web application transmits the session ID in the URL of HTTP GET requests when email content is accessed. The exposed session ID can be recorded in the browser history of the client and in the log files of the web server or reverse proxy server. An attacker with access to the browser history or the server log files is able to take over the user session with the help of the session ID. Versions prior to 18.4.2 are affected.
45d877f2bc8d1d68f308fad7fe918c90f982d284964eee41b93805a3c6fb1ad2
Polar Flow for Android version 5.7.1 stores the username and password in clear text in a file on mobile devices.
534a0fb256871c4890c13c7c9eff7a99819ffd05819971ead460bbca15cc9fb0
Zepp version 6.1.4-play suffers from a user account enumeration flaw in the password reset function.
dd2dc79c277146022bd841a6e3457f872018f219fbac2d90f8f9b9a7a5da6c35
Vivellio version 1.2.1 suffers from a user account enumeration vulnerability.
9aa331eb49d5ca81107403e34cb621efd48b0ab98fde44fda72063a46ecc82e7
OpenEMR versions 6.0.0 and 6.1.0-dev suffer from an authenticated remote SQL injection vulnerability in the calendar search functionality.
f3e63ffea1416dffa063591f3a4d64e9cd1199687a6d7273f62fcad46fd75f81
Dolibarr ERP and CRM version 13.0.2 suffers from a remote code execution vulnerability.
0dd7e4e38cc6c0c22d88da8c1315ae0c0f36dd8f9385afa1c3a2edd42c937216
Dolibarr ERP and CRM version 13.0.2 suffers from a persistent cross site scripting vulnerability.
6afececee15157d0a85c82e9913e53a3fb7f9193f24e64dca4bef906cb032beb
HealthForYou version 1.11.1 and HealthCoach version 2.9.2 are missing a server-side password policy. When creating an account or changing a password, the mobile and web applications both check the password against the password policy. The API, however, assumes that the given password has already been checked, so an attacker can intercept the HTTP request and change it to a weak password.
76436b526ba9f4f32e343d01e9e2fa685e376cf002a7d94b46c1f713090fd4b3
Rocket.Chat 3.12.1 unauthenticated NoSQL injection to remote code execution exploit.
6cc7a6718184e75f62ebb827e74fccd6d5ea6f81f3b7154e5d7bcf6d903d1721
VeryFitPro version 3.2.8 transmits sensitive information in unencrypted cleartext.
9e9f6ef8313838133d2645a4ff7f6a0403b2a9655c9a0a2e6218c1e2d72dce6d
Rocket.Chat version 3.12.1 unauthenticated NoSQL injection to remote code execution exploit.
0be208ca27f19e3836059d4021ef8dda5bf461cc74443365d9e3da6d93edec14
HealthForYou version 1.11.1 and HealthCoach version 2.9.2 have a vulnerability that allows account takeover, requiring only prior knowledge of the user's email address.
108eb293e5b0d2d18abfd3b3ef0cfabcfe3878c71ef3e5fb6ce42e26588c10f0
HealthForYou version 1.11.1 and HealthCoach version 2.9.2 suffer from a user enumeration vulnerability.
42f3483603f56524c0a83a32c43ca70dcb2416daaa8123abc8aa7afb35f560fe
ERPNext versions 12.18.0 and 13.0.0 suffer from reflected and persistent cross site scripting vulnerabilities.
699a6d07a77fc3e81b2deafe5caea2a355ca696143d694138925ef128a29180b
ERPNext versions 12.18.0 and 13.0.0 suffer from an authenticated remote SQL injection vulnerability.
523163a0deb062c88867d1adebaf1f37f29d520b23f43bd038e1cf829c50a149
Rocket.Chat suffers from a path traversal vulnerability.
a823a92ff65ccf73b793d0906e547c53c9b8e1c3527968cc2868bbf6547c16d5
It has been noticed that Rocket.Chat has quietly fixed a persistent cross site scripting vulnerability, but as of 12/18/2020 no release contains these fixes.
8c199a1077b7412e93c844e5a21669bc17d54b1e683c9354eb1d77fb10d0d5bc
Rocket.Chat version 2.1.0 suffers from a cross site scripting vulnerability.
ac733a335a493d27656586a910398bfb94e6aef3ce4a22c9de4f99112440c929
Rocket.Chat versions prior to 2.1.0 suffer from a cross site scripting vulnerability.
d40bdb82931534076286057f602347f40cff460733e21b45ae5ef31f85d45b1f
This advisory describes a vulnerability that affects Toshiba Bluetooth Host Stack implementations up to version 4.0.23. The vulnerability enables an attacker to remotely perform a denial of service (DoS) against the host.
afac835d95351affa9150b1c3de9d4648a67d9b51242cbbca4586e35acbec055