Jameelnabbo

#10229de 53,640
27.1CVSS total
Vulnerabilidades · 3
Alta
1
Crítica
2
PT-2019-12881
7.5
2019-06-03
Icewarp · Icewarp Mail Server · CVE-2019-12593
**Name of the Vulnerable Software and Affected Versions** IceWarp Mail Server versions prior to 10.4.5 **Description** The issue is related to a local file inclusion vulnerability. This can be exploited via the `/webmail/calendar/minimizer/index.php` API endpoint, specifically by manipulating the `style` parameter using directory traversal techniques, such as `..%5c`. **Recommendations** For versions prior to 10.4.5, update to version 10.4.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/webmail/calendar/minimizer/index.php` endpoint until a patch is applied.
PT-2019-12731
9.8
2019-05-22
Nagios · Nagios Xi · CVE-2019-12279
**Name of the Vulnerable Software and Affected Versions** Nagios XI version 5.6.1 **Description** The issue concerns a potential SQL injection via the `username` parameter to "login.php?forgotpass" (also known as the reset password form). However, the vendor disputes this as a vulnerability, stating that the proof of concept does not demonstrate a valid SQL injection and that the `username` value is passed through SQL escaping functions when creating the SQL query. **Recommendations** For Nagios XI version 5.6.1, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2019-1631
9.8
2019-02-15
Pallets · Jinja2 · CVE-2019-8341
**Name of the Vulnerable Software and Affected Versions** Jinja2 version 2.10 **Description** An issue was discovered in the from string function of Jinja2, which is prone to Server Side Template Injection (SSTI). The function takes the `source` parameter as a template object, renders it, and then returns it. An attacker can exploit this issue by using {{INJECTION COMMANDS}} in a URI. It is noted that the maintainer and multiple third parties believe this vulnerability is not valid because users should not use untrusted templates without sandboxing. **Recommendations** For Jinja2 version 2.10, as a temporary workaround, consider disabling the `from string` function until a patch is available or ensure that all templates used with this function are trusted and sandboxed. At the moment, there is no information about a newer version that contains a fix for this vulnerability.