GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie that carries the autologin token (set when a user enables the "remember me" feature) is accessible to scripts, i.e. it is issued without the HttpOnly flag (CWE-1004). A malicious plugin that steals this cookie can use it to log in as that user. This issue is fixed in version 9.5.6. As a workaround, avoid using the "remember me" feature.
Category: CVE > CWE-1004
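The weakness above is a missing cookie attribute rather than a bug in application logic, so the practical check is to look at the Set-Cookie headers the application emits. The following is an added example, not GLPI's code or its 9.5.6 patch: a small auditor that parses a Set-Cookie header, reports a session or autologin cookie that lacks HttpOnly (and, while at it, Secure and SameSite), and shows the same header with the missing attributes added. The cookie name `autologin`, the path and the token are constructed for illustration. In PHP, the equivalent fix is passing `true` for the `$httponly` argument of `setcookie()`; which attributes GLPI itself changed is not stated on this page.

```python
"""Audit Set-Cookie headers for HttpOnly/Secure/SameSite (CWE-1004 check).

Added example; not GLPI code. The header strings below are constructed.
"""
from typing import Dict, List, Union

# Canonical spelling for the attributes we emit when hardening a header.
CANONICAL = {
    "httponly": "HttpOnly", "secure": "Secure", "samesite": "SameSite",
    "path": "Path", "domain": "Domain", "max-age": "Max-Age", "expires": "Expires",
}

# Constructed headers: the first is how a remember-me cookie looks when it is
# readable from document.cookie, the second carries the attributes it should.
WEAK_HEADER = "autologin=EXAMPLE_TOKEN; Path=/glpi; Max-Age=2592000"
HARDENED_HEADER = (
    "autologin=EXAMPLE_TOKEN; Path=/glpi; Max-Age=2592000; "
    "Secure; HttpOnly; SameSite=Lax"
)


def parse_set_cookie(header: str) -> Dict[str, Union[str, Dict[str, Union[str, bool]]]]:
    """Split one Set-Cookie value into name, value and a lower-cased attribute map.

    Flag attributes without a value (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str, needs_samesite: bool = True) -> List[str]:
    """Return a list of findings for a cookie that carries a session/autologin token."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: value readable via document.cookie (CWE-1004)")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plaintext HTTP")
    samesite = str(attrs.get("samesite", "")).lower()
    if needs_samesite and samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie rides along on cross-site requests")
    return findings


def harden_set_cookie(header: str, samesite: str = "Lax") -> str:
    """Rebuild the header with HttpOnly, Secure and SameSite added if absent."""
    parsed = parse_set_cookie(header)
    attrs = dict(parsed["attrs"])
    attrs.setdefault("httponly", True)
    attrs.setdefault("secure", True)
    attrs.setdefault("samesite", samesite)
    out = [f"{parsed['name']}={parsed['value']}"]
    for key, val in attrs.items():
        label = CANONICAL.get(key, key)
        out.append(label if val is True else f"{label}={val}")
    return "; ".join(out)


if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, audit_cookie(hdr) or "OK")
    print("fixed:", harden_set_cookie(WEAK_HEADER))
```

HttpOnly only stops scripts from reading the value; a cookie the browser still attaches to cross-site requests remains usable for CSRF, which is why the auditor also reports a missing SameSite attribute. The workaround in the advisory (not enabling "remember me") removes the long-lived cookie altogether, which is the right call on a deployment that cannot be upgraded.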
CVE-2021-37412
The TechRadar app 1.1 for Confluence Server allows XSS via the Title field of a Radar.
CVE-2021-27046
A Memory Corruption vulnerability for PDF files in Autodesk Navisworks 2019, 2020, 2021, 2022 may lead to code execution through maliciously crafted DLL files.
CVE-2021-27045
A maliciously crafted PDF file in Autodesk Navisworks 2019, 2020, 2021, 2022 can be forced to read beyond allocated boundaries when parsing the PDF file. This vulnerability can be exploited to execute arbitrary code.
CVE-2020-21127
MetInfo 7.0.0 contains a SQL injection vulnerability via admin/?n=logs&c=index&a=dodel.
CVE-2020-21126
MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF) via admin/?n=admin&c=index&a=doSaveInfo.
CVE-2020-21125
An arbitrary file creation vulnerability in UReport 2.2.9 allows attackers to execute arbitrary code.
CVE-2020-21124
UReport 2.2.9 allows attackers to execute arbitrary code due to a lack of access control to the designer page.
CVE-2020-21122
UReport v2.2.9 contains a Server-Side Request Forgery (SSRF) in the designer page which allows attackers to detect intranet device ports.
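The port-detection effect described above is the usual SSRF oracle: the server fetches an attacker-supplied URL, and differences in the response (error text, timing, status) reveal whether an internal host and port answered. The check a server-side fetcher needs is a destination validator. The following is an added example, not UReport's code: it rejects non-HTTP schemes, URLs with userinfo, ports outside an allow-list, and any hostname that resolves to a non-public address (loopback, RFC 1918, link-local such as a cloud metadata endpoint, and so on). The resolver is injectable so the block runs offline; the host names in `DEMO_TABLE` and their addresses are constructed, and 8.8.8.8 is used only because it is a well-known public address.

```python
"""Validate an outbound fetch target before a server-side request is made.

Added example; not UReport code. DEMO_TABLE is a constructed resolver table
so the block runs without DNS.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlsplit

# Constructed DNS answers for the demo. "rebinder.example" models a host that
# returns one public and one internal address (DNS-rebinding style).
DEMO_TABLE: Dict[str, List[str]] = {
    "public.example": ["8.8.8.8"],
    "intranet-host.example": ["10.1.2.3"],
    "rebinder.example": ["8.8.8.8", "127.0.0.1"],
}


def resolve_all(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer for host (performs a real lookup)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def static_resolver(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Offline resolver for tests: IP literals resolve to themselves, names via table."""
    def resolve(host: str) -> List[str]:
        try:
            return [str(ipaddress.ip_address(host.strip("[]")))]
        except ValueError:
            if host not in table:
                raise socket.gaierror(f"{host}: no such name")
            return list(table[host])
    return resolve


def ssrf_findings(url: str,
                  resolver: Callable[[str], Iterable[str]] = resolve_all,
                  allowed_ports: Iterable[int] = (80, 443)) -> List[str]:
    """Return reasons the URL must not be fetched server-side; empty list means OK."""
    findings: List[str] = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        findings.append(f"scheme {parts.scheme!r} not allowed")
        return findings
    if parts.username or parts.password:
        findings.append("userinfo in URL (can disguise the real host)")
    host = parts.hostname
    if not host:
        findings.append("no host in URL")
        return findings
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        findings.append("malformed port")
        return findings
    if port not in set(allowed_ports):
        findings.append(f"port {port} not in allow-list (port-probing vector)")
    try:
        addrs = list(resolver(host))
    except (socket.gaierror, OSError) as exc:
        findings.append(f"unresolvable host: {exc}")
        return findings
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Unwrap ::ffff:a.b.c.d so a mapped loopback/private address is caught.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            findings.append(f"{host} -> {ip} is not a public address")
    return findings


if __name__ == "__main__":
    demo = static_resolver(DEMO_TABLE)
    for target in ("http://public.example/report",
                   "http://intranet-host.example:8080/",
                   "http://169.254.169.254/latest/meta-data/",
                   "http://rebinder.example/",
                   "file:///etc/passwd"):
        print(target, ssrf_findings(target, demo) or "OK")
```

Two caveats a validator cannot remove on its own: the address must be checked for the same resolution the HTTP client actually connects to (otherwise a second lookup at connect time lets a rebinding host slip through), and redirects must be re-validated, since a public host can 302 to an internal one.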
CVE-2020-21121
Pligg CMS 2.0.2 contains a time-based SQL injection vulnerability via the $recordIDValue parameter in the admin_update_module_widgets.php file.
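Both SQL injection entries in this list (MetInfo's log deletion handler and Pligg's widget update) share the same root cause: a request parameter is concatenated into a query string. The following is an added example, not code from either project, using an in-memory SQLite table to show the vulnerable pattern beside the parameterised fix. The table `widgets` and its columns are hypothetical; `record_id_value` is named after the Pligg parameter only to tie the example to the entry above. SQLite has no `SLEEP()`, so the payload used here is a boolean tautology (`1 OR 1=1`) that turns a single-row update into an update of every row; the time-based variant in the advisory works the same way, except that the injected expression delays the response instead of widening the row match, and the fix is identical.

```python
"""Vulnerable string-built UPDATE beside its parameterised form.

Added example; not MetInfo or Pligg code. Table and rows are constructed.
"""
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Create a throwaway table with three widget rows (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE widgets (id INTEGER PRIMARY KEY, name TEXT, position INTEGER)"
    )
    conn.executemany(
        "INSERT INTO widgets VALUES (?, ?, ?)",
        [(1, "news", 0), (2, "login", 1), (3, "tags", 2)],
    )
    conn.commit()
    return conn


def update_widget_vulnerable(conn: sqlite3.Connection,
                             record_id_value: str, position: int) -> int:
    """Concatenates the untrusted id into the WHERE clause; returns rows changed.

    With record_id_value = "1 OR 1=1" the statement becomes
    ... WHERE id = 1 OR 1=1 and every row is updated. A time-based payload
    (e.g. MySQL's SLEEP()) lands in exactly the same spot.
    """
    sql = f"UPDATE widgets SET position = {int(position)} WHERE id = {record_id_value}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_widget_safe(conn: sqlite3.Connection,
                       record_id_value: str, position: int) -> int:
    """Validates the id as an integer and binds both values as parameters."""
    record_id = int(record_id_value)  # raises ValueError for "1 OR 1=1"
    cur = conn.execute(
        "UPDATE widgets SET position = ? WHERE id = ?",
        (int(position), record_id),
    )
    conn.commit()
    return cur.rowcount


def positions(conn: sqlite3.Connection) -> list:
    """Helper for inspecting the table state after an update."""
    return [row[0] for row in conn.execute("SELECT position FROM widgets ORDER BY id")]


if __name__ == "__main__":
    payload = "1 OR 1=1"
    db = make_demo_db()
    print("vulnerable rows changed:", update_widget_vulnerable(db, payload, 9), positions(db))
    db = make_demo_db()
    try:
        update_widget_safe(db, payload, 9)
    except ValueError as exc:
        print("safe version rejected payload:", exc, positions(db))
```

Binding the parameter is what removes the injection; the `int()` cast is a second, independent check that also gives the caller a clean error instead of a silent no-op. Where the identifier is legitimately a string, keep the binding and drop the cast: a bound string is compared as a value, never parsed as SQL.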