CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-41256 – Intent URI permissions manipulation in nextcloud news-android
https://notcve.org/view.php?id=CVE-2021-41256
nextcloud news-android is an Android client for the Nextcloud news/feed reader app. In affected versions the Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in Nextcloud News for Android. Users should upgrade to version 0.9.9.63 or higher as soon as possible. nextcloud news-android es un cliente Android para la aplicación de lectura de noticias/feeds Nextcloud. En las versiones afectadas, la aplicación Nextcloud News para Android presenta un problema de seguridad por el que una aplicación maliciosa instalada en el mismo dispositivo puede enviarle una intención arbitraria que es reflejada, dando involuntariamente acceso de lectura y escritura a proveedores de contenido no exportados en Nextcloud News para Android. Los usuarios deben actualizar a versión 0.9.9.63 o superior lo antes posible • https://github.com/nextcloud/news-android/blob/master/security/GHSL-2021-1033_Nextcloud_News_for_Android.md https://github.com/nextcloud/news-android/commit/05449cb666059af7de2302df9d5c02997a23df85 https://github.com/nextcloud/news-android/security/advisories/GHSA-2q9v-q3cc-h9f3 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12724
https://notcve.org/view.php?id=CVE-2019-12724
An issue was discovered in the Teclib News plugin through 1.5.2 for GLPI. It allows a stored XSS attack via the $_POST['name'] parameter. Se detectó un problema en el plugin News de Teclib hasta la versión 1.5.2 para GLPI. Permite un ataque de tipo XSS almacenado por medio del parámetro $_POST['nombre']. • https://github.com/pluginsGLPI/news/blob/master/front/alert.form.php https://github.com/pluginsGLPI/news/pull/69 https://github.com/pluginsGLPI/news/releases/tag/1.5.3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2017-15982 – News 1.0 - SQL Injection
https://notcve.org/view.php?id=CVE-2017-15982
Dynamic News Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing. Dynamic News Magazine & Blog CMS 1.0 permite que se produzca inyección SQL mediante el parámetro id en admin/admin_process.php para la edición de formularios. News Magazine and Blog CMS version 1.0 suffers from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/43077 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2014-6290
https://notcve.org/view.php?id=CVE-2014-6290
The News (tt_news) extension before 3.5.2 for TYPO3 allows remote attackers to have unspecified impact via vectors related to an "insecure unserialize" issue. La extensión News (tt_news) anterior a 3.5.2 para TYPO3 permite a atacantes remotos tener un impacto no especificado a través de vectores relacionados con un problema de 'la deserialización insegura'. • http://typo3.org/extensions/repository/view/tt_news http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-003 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2013-4748
https://notcve.org/view.php?id=CVE-2013-4748
SQL injection vulnerability in the News system (news) extension before 1.3.3 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en la extensión News system (news) antes de 1.3.3 para TYPO3, permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de vectores no especificados. • http://osvdb.org/89134 http://typo3.org/extensions/repository/view/news http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2013-001 https://exchange.xforce.ibmcloud.com/vulnerabilities/81192 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •