Product: Nagios Cross-Platform Agent (NCPA)
Vendor: Nagios Enterprises
Affected Version(s): 2.0 to 2.3.1
Author(s): Altion Malka (CENSUS Labs)
Reference(s): CVE-2021-43584.md, NagiosEnterprises/ncpa#830
Security Vulnerabilities:
- CVE-2021-43584 - DOM-based XSS via 'name' element of 'Tail Event Logs' functionality in Nagios Cross-Platform Agent (NCPA) versions 2.0 to 2.3.1
This vulnerability was introduced in NCPA 2.0 and is present in all releases up to and including 2.3.1.

Product: Pentaho Business Analytics
Vendor: Hitachi Vantara
Affected Version(s): 9.1.0.0 build 324
Author(s): Alberto Favero (HawSec) & Altion Malka
Reference(s): HVPENT210401-Pentaho-BA-Security-Assessment-Report-v1_1.pdf
Security Vulnerabilities:
- CVE-2021-31599 - Remote Code Execution through Pentaho Report Bundles
- CVE-2021-34684 - Unauthenticated SQL Injection via Dashboard Editor at '/api/repos/dashboards/editor' endpoint
- CVE-2021-31601 - Insufficient Access Control of Data Source Management Service
- CVE-2021-31602 - Authentication Bypass of Spring APIs
- CVE-2021-31600 - Jackrabbit User Enumeration
- CVE-2021-34685 - Bypass of Filename Extension Restrictions at '/pentaho/UploadService' endpoint

Product: deepin-session-ui
Vendor: Deepin (Wuhan deepin Technology Co., Ltd.)
Affected Version(s): 4.0.6
Author(s): Altion Malka
Reference(s): Local Authentication Bypass in deepin-session-ui.md
Security Vulnerabilities:
- Local Authentication Bypass in deepin-session-ui 4.0.6