CVE-2019-12723
https://notcve.org/view.php?id=CVE-2019-12723
An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. It allows SQL Injection via the container_id and old_order parameters to ajax/reorder.php by an unauthenticated user.
• https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php
• https://github.com/pluginsGLPI/fields/pull/317
• https://github.com/pluginsGLPI/fields/releases/tag/1.10.0
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-10232
https://notcve.org/view.php?id=CVE-2019-10232
Teclib GLPI through 9.3.3 has SQL injection via the "cycle" parameter in /scripts/unlock_tasks.php.
• https://github.com/glpi-project/glpi/commit/684d4fc423652ec7dde21cac4d41c2df53f56b3c
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-10231
https://notcve.org/view.php?id=CVE-2019-10231
Teclib GLPI before 9.4.1.1 is affected by a PHP type juggling vulnerability allowing bypass of authentication. This occurs in Auth::checkPassword() (inc/auth.class.php).
• https://github.com/glpi-project/glpi/pull/5520
• https://github.com/glpi-project/glpi/releases/tag/9.4.1.1
• CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CVE-2018-7289 – Armadito Antivirus 0.12.7.2 - Detection Bypass
https://notcve.org/view.php?id=CVE-2018-7289
An issue was discovered in armadito-windows-driver/src/communication.c in Armadito 0.12.7.2. Malware with filenames containing pure UTF-16 characters can bypass detection. The user-mode service will fail to open the file for scanning after the conversion is done from Unicode to ANSI. This happens because characters that cannot be converted from Unicode are replaced with '?' characters.
• https://www.exploit-db.com/exploits/44169
• https://github.com/armadito/armadito-windows-driver/issues/5
• CWE-172: Encoding Error