BenTasker.co.uk

Home
Blog
Whitepapers
Documentation
Videos
Shop
Photography

Home / Blog

Latest Posts

Writing (and backdooring) a ChaCha20 based CSPRNG
The Pitfalls of Building an Elasticsearch backed Search Engine
Building a Raspberry Pi Based Music Kiosk
Recovering files from SD Cards and How to protect yourself
videos v0.15

This site should work without Javascript enabled. If you find something doesn't, please Contact Me.

Security

Spamhaus still parties like it's 1999	16 October 2019
Twitter Screws Up With Data It Shouldn't Hold	09 October 2019
The Curious Case of BitFi and Secret Persistence	16 July 2019
A guide to designing Account Security Mechanisms	26 March 2017
Don't Use Web2Tor/Tor2Web (especially Onion.cab)	04 March 2017
The State of Mobile Banking (in the UK)	21 June 2016
The DVLA is routinely sending sensitive details via email	28 December 2014
Understanding Password Storage	22 June 2014
My Own Little HeartBleed Headache	19 April 2014
Why You Shouldn't be using SHA1 or MD5 to Store Passwords	07 June 2013

Page 1 of 3

Start
Prev
1
2
3
Next
End

Recent CVEs

CVE-2016-11023 (odata4j)
CVE-2016-11024 (odata4j)
CVE-2018-11106
CVE-2018-11802 (solr)
CVE-2018-13371 (fortios)
CVE-2018-17954
CVE-2019-10180 (certificate_system, dogtagpki)
CVE-2019-11254 (kubernetes)
CVE-2019-13495 (xgs2210-52hp_firmware)
CVE-2019-14868 (ksh)

Return to listing

CVE-2016-11023 (odata4j)

odata4j 0.7.0 allows ExecuteCountQueryCommand.java SQL injection. NOTE: this product is apparently discontinued.

CVE-2016-11024 (odata4j)

odata4j 0.7.0 allows ExecuteJPQLQueryCommand.java SQL injection. NOTE: this product is apparently discontinued.

CVE-2018-11106

NETGEAR has released fixes for a pre-authentication command injection in request_handler.php security vulnerability on the following product models: WC7500, running firmware versions prior to 6.5.3.5; WC7520, running firmware versions prior to 2.5.0.46; WC7600v1, running firmware versions prior to 6.5.3.5; WC7600v2, running firmware versions prior to 6.5.3.5; and WC9500, running firmware versions prior to 6.5.3.5.

CVE-2018-11802 (solr)

In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).

CVE-2018-13371 (fortios)

An external control of system vulnerability in FortiOS may allow an authenticated, regular user to change the routing settings of the device via connecting to the ZebOS component.

CVE-2018-17954

A Least Privilege Violation vulnerability in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue affects: SUSE OpenStack Cloud 7 crowbar-core versions prior to 4.0+git.1578392992.fabfd186c-9.63.1, crowbar-. SUSE OpenStack Cloud 8 ardana-cinder versions prior to 8.0+git.1579279939.ee7da88-3.39.3, ardana-. SUSE OpenStack Cloud 9 ardana-ansible versions prior to 9.0+git.1581611758.f694f7d-3.16.1, ardana-. SUSE OpenStack Cloud Crowbar 8 crowbar-core versions prior to 5.0+git.1582968668.1a55c77c5-3.35.4, crowbar-. SUSE OpenStack Cloud Crowbar 9 crowbar-core versions prior to 6.0+git.1582892022.cbd70e833-3.19.3, crowbar-.

CVE-2019-10180 (certificate_system, dogtagpki)

A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code.

CVE-2019-11254 (kubernetes)

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

CVE-2019-13495 (xgs2210-52hp_firmware)

In firmware version 4.50 of Zyxel XGS2210-52HP, multiple stored cross-site scripting (XSS) issues allows remote authenticated users to inject arbitrary web script via an rpSys.html Name or Location field.

CVE-2019-14868 (ksh)

In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.

Latest Posts

Writing (and backdooring) a ChaCha20 based CSPRNG
The Pitfalls of Building an Elasticsearch backed Search Engine
Building a Raspberry Pi Based Music Kiosk
Recovering files from SD Cards and How to protect yourself
videos v0.15

License Details
Privacy Policy
Cookies
Stored Data
Sitemap

Donations BTC: 14hJYqCNLi7yJH8QkUqB2VEg3jx4pXBN5X / https://paypal.me/BTasker

Based on a template by JoomSpirit, customised by B Tasker

JoomSpirit

About this template