CVE-2021-3429 cloud-init exposed credentials under certain conditions

Vendor: Canonical Product: cloud-init Category: CWE-200 Information Exposure Version: v21.1 and below Fixed: v21.1.19 CVE: CVE-2021-3429 Summary Cloud-init enables engineers to automate operating system configuration, primarily within different cloud environments. Cloud-init can also function as a standalone configuration tool independent of any cloud provider. Cloud-init includes an optional configuration module, chpasswd, which sets passwords for Read more…

Security Advisory – Multiple Cross Site Scripting Vulnerabilities in EspoCRM

Product: EspoCRM Vendor: Letrium LTD/Open source software Version: 4.5.0, possibly earlier Category: Cross Site Scripting Vendor notified: 2017-03-24 Patched: 2017-04-03 Disclosed: 2017-04-22 Researcher: Carl Pearson Summary Multiple persistent cross site scripting (XSS) vulnerabilities exist in EspoCRM v4.5.0, in the Knowledge Base article body text field, Accounts billing and shipping address Read more…

Security Advisory – Cross Site Request Forgery in Chyrp Lite

Product: Chyrp Lite Vendor: Open source community Version: 2016.04 “Lago” and earlier Category: Cross site request forgery (CSRF) Vendor Notified: 2017-01-05 Patched: 2017-01-06 Disclosed: 2017-03-06 Researcher(s): Carl Pearson CVE: CVE-2017-1000008 Summary A cross-site request forgery (CSRF) vulnerability exists in the user properties function of the Chyrp Lite blog engine. An Read more…