Second Episode!

01/04/2020 3 min Season 1 Episode 2

Episode Synopsis

In this episode of security headlines the following vulnerabilities are mentioned:

WordPress:
WordPress Aviary Image Editor Add-On For Gravity Forms Plugins 3.0 Beta R7 CSRF Shell Upload Vulnerability
WordPress Plugin Contact Form Builder 1.6.1 - Cross-Site Scripting
WordPress Plugin PicUploader 1.0 - Remote File Upload
WordPress StatTraq 1.3.0 SQL Injection
WordPress WP Forms 1.5.8.2 Cross Site Scripting
WordPress WPForms 1.5.9 Cross Site Scripting

Tor:
Medium CVE-2020-10592: Torproject TOR
Medium CVE-2020-10593: Torproject TOR
TROVE-2020-002, TROVE-2020-004: a remotely triggerable memory leak on relays and clients, causing denial of service.
https://trac.torproject.org/projects/tor/ticket/33619

SharePoint:
SharePoint Workflows XOML Injection, which is now available as a Metasploit module
https://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html

Joomla:
Joomla GMapFP 3.30 Arbitrary File Upload
Joomla HDWPlayer 4.2 SQL Injection
Joomla! com_hdwplayer 4.2 search.php SQL Injection

Jenkins:
jenkins-2-plugins: execution of arbitrary commands
openshift/jenkins-plugin: deserialization in SnakeYAML YAML() objects allowed remote code execution (CVE-2020-2167)

WeeChat:
Medium CVE-2020-9759: Weechat Weechat
Medium CVE-2020-9760: Weechat Weechat
https://weechat.org/doc/security/
One crash and one buffer overflow based on nick prefixes.

SCADA:
New SCADA vulnerability affecting Schneider Electric IGSS SCADA software
https://www.zerodayinitiative.com/advisories/upcoming/
https://www.us-cert.gov/ics/advisories/icsa-20-084-02

HTTP/3 (QUIC) vulnerability:
Specially formatted HTTP/3 messages may cause the Traffic Management Microkernel (TMM) to produce a core file. (CVE-2020-5859)
https://support.f5.com/csp/article/K61367237

Check us out at:
https://firosolutions.com
https://watchers.firosolutions.com
https://blog.firosolutions.com
https://status.firosolutions.com