5 results (0.012 seconds)

CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 0

The E2EE password entropy generated by Rocket.Chat Mobile prior to version 4.5.1 is insufficient, allowing attackers to crack it if they have the appropriate time and resources. • https://hackerone.com/reports/2546437 • CWE-1391: Use of Weak Credentials •

CVSS: 9.8EPSS: 38%CPEs: 1EXPL: 0

An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4. Una vulnerabilidad de XML External Entity (XEE) permite la falsificación de solicitudes del lado del servidor (SSRF) y la posible ejecución de código en Sophos Mobile administrado localmente entre las versiones 5.0.0 y 9.7.4. • https://www.sophos.com/en-us/security-advisories/sophos-sa-20221116-smc-xee • CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0

The Sophos AV parsing engine before 2020-01-14 allows virus-detection bypass via a crafted ZIP archive. This affects Endpoint Protection, Cloud Optix, Mobile, Intercept X Endpoint, Intercept X for Server, and Secure Web Gateway. NOTE: the vendor feels that this does not apply to endpoint-protection products because the virus would be detected upon extraction. El motor de análisis Sophos AV versiones anteriores a 14-01-2020 permite una omisión de la detección de virus por medio de un archivo ZIP diseñado. Esto afecta a Endpoint Protection, Cloud Optix, Mobile, Intercept X Endpoint, Intercept X for Server y Secure Web Gateway. • https://blog.zoller.lu/p/release-mode-coordinated-disclosure-ref.html https://community.sophos.com/b/security-blog/posts/sophos-comments-to-cve-2020-9363 • CWE-436: Interpretation Conflict •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

iThemes Mobile before 1.2.8 for WordPress has XSS via add_query_arg() and remove_query_arg(). iThemes Mobile antes de 1.2.8 para WordPress tiene una vulnerabilidad XSS a través de add_query_arg () y remove_query_arg (). • https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html https://ithemes.com/coordinated-wordpress-plugin-security-update • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2

SQL injection vulnerability in login.php in Allomani Mobile 2.5 allows remote attackers to execute arbitrary SQL commands via the username parameter in a login action. Vulnerabilidad de inyección SQL en login.php en Allomani Mobile v2.5 permite a atacantes remotos ejecutar comandos SQL de su elección mediante el parámetro "username" en una acción de login. • https://www.exploit-db.com/exploits/9273 http://www.exploit-db.com/exploits/9273 http://www.vupen.com/english/advisories/2009/2029 https://exchange.xforce.ibmcloud.com/vulnerabilities/52012 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •