CVE-2017-9363
Untrusted Java serialization in Soffid IAM console before 1.7.5 allows remote attackers to achieve arbitrary remote code execution via a crafted authentication request.
WebsiteBaker v2.10.0 has a SQL injection vulnerability in /account/details.php.
Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an ‘xxx.pht’ or ‘xxx.phtml’ file, they could bypass a safety check and execute any code.
In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the RGMP dissector could crash. This was addressed in epan/dissectors/packet-rgmp.c by validating an IPv4 address.
CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php – for example: /admin/pages/revisions/1/?force=false. A page with id=1 can be unlocked.