Security Advisories

2023

• Frappe Framework
  • Insufficient Access Controls in Global Search
• Frappe Learning
  • SQL Injection in People Search
  • Insufficient Access Controls in Course Review
• Frappe press
  • SQL Injection in Sites Listing
• CyberPanel
  • WebTerminal Authentication Bypass
  • Authentication Bypass and Local File Inclusion (LFI) in CloudAPI
  • Authentication Bypass in File Manager’s Upload Functionality
  • Security Middleware Bypass
  • Bypass of Security Controls in commandInjectionCheck()
  • Insecure Generation and Storage of API Tokens
  • Broken Authentication and Local File Inclusion (LFI) in /api/FetchRemoteTransferStatus endpoint

2021

• Nagios Cross-Platform Agent (NCPA) v2.0 - 2.3.1
  • CVE-2021-43584: DOM-based Cross-Site Scripting (XSS) via name element of the Tail Event Logs functionality.
• Pentaho Business Analytics v9.1.0.0 build 324
  • CVE-2021-31599: Remote Code Execution through Pentaho Report Bundles
  • CVE-2021-34684: Unauthenticated SQL Injection via Dashboard Editor at /api/repos/dashboards/editor endpoint
  • CVE-2021-31601: Insufficient Access Control of Data Source Management Service.
  • CVE-2021-31602: Authentication Bypass of Spring APIs
  • CVE-2021-31600: Jackrabbit User Enumeration
  • CVE-2021-34685: Bypass of Filename Extension Restrictions at /pentaho/UploadService endpoint

2017

• deepin-session-ui v4.0.6:
  • Local Authentication Bypass