Each great research deserves
some great advisories.
Research is one of Shielder’s pillars. The company invests from 25% to 100% of their employees' work time in training and security research and they pay back with these great advisories.
The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL.
CVE-2019-9202: a Command Injection vulnerability in Nagios Incident Manager (component of Nagios XI) before 2.2.7 allows authenticated attackers to achieve remote code execution via a malicious host record.
CVE-2019-9204: a SQL Injection vulnerability in Nagios Incident Manager (component of Nagios XI) before 2.2.7 allows authenticated attackers to inject additional SQL statements via the incident_id parameter.
CVE-2019-9203: An Authorization Bypass vulnerability in Nagios Incident Manager (component of Nagios XI) before 2.2.7 allows unauthenticated users to bypass the authentication checks via a void token.
CVE-2019-9164: a command injection vulnerability in Nagios XI before 5.5.11 allows authenticated users to execute arbitrary remote commands via a new autodiscovery job.
CVE-2019-9166: a privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php.
CVE-2019-9165: a SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers with a valid 'fusekey' API key to execute arbitrary SQL commands via a malicious user id.
CVE-2019-9167: a cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter.