VEX document
Issued: 2022-02-21T21:46:00Z
Author: Reliable Energy Analytics LLC <dick@reliableenergyanalytics.com>
Supplier: Reliable Energy Analytics LLC (dns:reliableenergyanalytics.com)
Product: SAG-PM (TM) 1.1.8

CVE-2020-36242
  Source: NVD, https://nvd.nist.gov/vuln/detail/CVE-2020-36242
  CVSS: 9.1
  Component: cryptography 3.3.1
  Description: In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
  Statement date: 2021-07-21T00:00:00.000Z
  Status: not_affected
  Justification: code_not_reachable
  Response: will_not_fix
  Detail: This vulnerability is exploited during file encryption. SAG-PM does not perform file encryption using this component and is most likely not vulnerable to this CVE.

CVE-2014-8564
  Source: NVD, https://nvd.nist.gov/vuln/detail/CVE-2014-8564
  CVSS: 5.0
  Component: idna 2.10
  Description: The _gnutls_ecc_ansi_x963_export function in gnutls_ecc.c in GnuTLS 3.x before 3.1.28, 3.2.x before 3.2.20, and 3.3.x before 3.3.10 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) Elliptic Curve Cryptography (ECC) certificate or (2) certificate signing request (CSR), related to generating key IDs.
  Statement date: 2022-02-21T00:00:00.000Z
  Status: not_affected
  Justification: code_not_reachable
  Response: will_not_fix
  Detail: This vulnerability is exploited when elliptic curve certificates are used. SAG-PM does not perform any elliptic curve certificate functions from this component and is most likely not vulnerable to this CVE.

CVE-2012-4870
  Source: NVD, https://nvd.nist.gov/vuln/detail/CVE-2012-4870
  CVSS: 4.3
  Component: idna 2.10
  Description: Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) context parameter to panel/index_amp.php or (2) panel/dhtml/index.php; (3) clid or (4) clidname parameters to panel/flash/mypage.php; (5) PATH_INFO to admin/views/freepbx_reload.php; or (6) login parameter to recordings/index.php.
  Statement date: 2021-07-21T00:00:00.000Z
  Status: not_affected
  Justification: code_not_reachable
  Response: will_not_fix
  Detail: False positive returned by NIST NVD matching "idna" to "clidname". The actual component listed in the CVE is not used by SAG-PM.

CVE-2006-4346
  Source: NVD, https://nvd.nist.gov/vuln/detail/CVE-2006-4346
  CVSS: 7.5
  Component: idna 2.10
  Description: Asterisk 1.2.10 supports the use of client-controlled variables to determine filenames in the Record function, which allows remote attackers to (1) execute code via format string specifiers or (2) overwrite files via directory traversals involving unspecified vectors, as demonstrated by the CALLERIDNAME variable.
  Statement date: 2021-07-21T00:00:00.000Z
  Status: not_affected
  Justification: code_not_reachable
  Response: will_not_fix
  Detail: False positive returned by NIST NVD matching "idna" to "CALLERIDNAME". The actual component listed in the CVE is not used by SAG-PM.

CVE-2020-12100
  Source: NVD, https://nvd.nist.gov/vuln/detail/CVE-2020-12100
  CVSS: 7.5
  Component: ply 3.11
  Description: In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.
  Statement date: 2021-07-21T00:00:00.000Z
  Status: not_affected
  Justification: code_not_reachable
  Response: will_not_fix
  Detail: False positive returned by NIST NVD matching "ply" to "deeply". The actual component listed in the CVE is not used by SAG-PM.

CVE-2019-18183
  Source: NVD, https://nvd.nist.gov/vuln/detail/CVE-2019-18183
  CVSS: 9.8
  Component: ply 3.11
  Description: pacman before 5.2 is vulnerable to arbitrary command injection in lib/libalpm/sync.c in the apply_deltas() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable the non-default delta feature and retrieve an attacker-controlled crafted database and delta file.
  Statement date: 2021-07-21T00:00:00.000Z
  Status: not_affected
  Justification: code_not_reachable
  Response: will_not_fix
  Detail: False positive returned by NIST NVD matching "ply" to "apply". The actual component listed in the CVE is not used by SAG-PM.

CVE-2011-1487
  Source: NVD, https://nvd.nist.gov/vuln/detail/CVE-2011-1487
  CVSS: 5.0
  Component: ply 3.11
  Description: The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.
  Statement date: 2021-07-21T00:00:00.000Z
  Status: not_affected
  Justification: code_not_reachable
  Response: will_not_fix
  Detail: False positive returned by NIST NVD matching "ply" to "apply". The actual component listed in the CVE is not used by SAG-PM.

CVE-2020-1747
  Source: NVD, https://nvd.nist.gov/vuln/detail/CVE-2020-1747
  CVSS: 9.8
  Component: PyYAML 5.3.1
  Description: A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.
  Statement date: 2021-07-21T00:00:00.000Z
  Status: not_affected
  Justification: code_not_reachable
  Response: will_not_fix
  Detail: No action required, as the vulnerability was reported in PyYAML versions prior to the one used by SAG-PM.
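Most of the records above are NVD keyword matches where a short SBOM component name ("ply", "idna") happens to be a substring of a word in an unrelated CVE description ("apply", "clidname", "CALLERIDNAME"), plus one record cleared purely on version ("before 5.3.1" against PyYAML 5.3.1). The triage helper below is an added example, not part of this VEX document or of the SAG-PM tool: it takes each (CVE, matched component, description) pair, copied as excerpts from the records on this page, and classifies it by whether the component name occurs in the description as a standalone word, only inside a longer token, or not at all, then applies the "before X" version clause. The classification rules and the output labels are assumptions of this example, not NVD's or SAG-PM's own logic.

```python
"""Triage of NVD keyword matches against SBOM components (added example).

Constructed input: PAGE_FINDINGS holds CVE id, matched component, version and
an excerpt of the NVD description, all taken from the VEX records above.
The classification rules are an assumption of this example only.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str     # SBOM component name that NVD's keyword search matched
    version: str       # SBOM component version
    description: str   # NVD description text (excerpt)


def name_match_kind(component: str, description: str) -> str:
    """How the component name occurs in the description text.

    'word'      : standalone token, e.g. "the cryptography package"
    'substring' : only inside a longer token ("ply" in "apply",
                  "idna" in "clidname"); the classic keyword false positive
    'absent'    : not present at all
    """
    name = re.escape(component)
    if re.search(rf"(?<![A-Za-z0-9_]){name}(?![A-Za-z0-9_])", description, re.I):
        return "word"
    if re.search(name, description, re.I):
        return "substring"
    return "absent"


def fixed_version(description: str) -> Optional[str]:
    """First 'before X.Y.Z' clause in the description, if any."""
    m = re.search(r"\bbefore (\d+(?:\.\d+)*)", description)
    return m.group(1) if m else None


def version_tuple(v: str) -> tuple:
    # Numeric-only comparison; non-numeric parts count as 0 (assumption).
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def triage(f: Finding) -> str:
    """Suggested disposition; a human still writes the VEX statement."""
    kind = name_match_kind(f.component, f.description)
    if kind != "word":
        return f"false_positive_candidate:name_{kind}"
    fixed = fixed_version(f.description)
    if fixed and version_tuple(f.version) >= version_tuple(fixed):
        return "version_not_in_affected_range"
    return "needs_manual_review"


# Excerpts of the NVD descriptions quoted in the records above.
PAGE_FINDINGS = [
    Finding("CVE-2020-36242", "cryptography", "3.3.1",
            "In the cryptography package before 3.3.2 for Python, certain sequences "
            "of update calls to symmetrically encrypt multi-GB values could result "
            "in an integer overflow and buffer overflow"),
    Finding("CVE-2014-8564", "idna", "2.10",
            "The _gnutls_ecc_ansi_x963_export function in gnutls_ecc.c in GnuTLS 3.x "
            "before 3.1.28, 3.2.x before 3.2.20, and 3.3.x before 3.3.10 allows "
            "remote attackers to cause a denial of service"),
    Finding("CVE-2012-4870", "idna", "2.10",
            "Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.9 and "
            "earlier allow remote attackers to inject arbitrary web script or HTML "
            "via the (3) clid or (4) clidname parameters to panel/flash/mypage.php"),
    Finding("CVE-2006-4346", "idna", "2.10",
            "Asterisk 1.2.10 supports the use of client-controlled variables to "
            "determine filenames in the Record function, as demonstrated by the "
            "CALLERIDNAME variable."),
    Finding("CVE-2020-12100", "ply", "3.11",
            "In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, "
            "and lda allows remote attackers to cause a denial of service via a "
            "crafted e-mail message with deeply nested MIME parts."),
    Finding("CVE-2019-18183", "ply", "3.11",
            "pacman before 5.2 is vulnerable to arbitrary command injection in "
            "lib/libalpm/sync.c in the apply_deltas() function."),
    Finding("CVE-2011-1487", "ply", "3.11",
            "The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl "
            "5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, "
            "do not apply the taint attribute to the return value"),
    Finding("CVE-2020-1747", "PyYAML", "5.3.1",
            "A vulnerability was discovered in the PyYAML library in versions before "
            "5.3.1, where it is susceptible to arbitrary code execution when it "
            "processes untrusted YAML files through the full_load method"),
]


def triage_all(findings=PAGE_FINDINGS) -> dict:
    return {f.cve: triage(f) for f in findings}


if __name__ == "__main__":
    for cve, disposition in triage_all().items():
        print(f"{cve}: {disposition}")
```

Run against the page's own records, the six "ply"/"idna" keyword hits and the PyYAML version case are separated out automatically, and only CVE-2020-36242 (a real word match on "cryptography" with 3.3.1 inside the "before 3.3.2" range) is left for the reachability review the record's Detail field describes. Note that the heuristic also flags CVE-2014-8564, where "idna" does not occur in the GnuTLS description at all, even though the page's own record justifies it by unreachable ECC code rather than as a keyword false positive; the output is a triage aid for writing the Detail field, not a replacement for it, and a proper CPE or package-URL match would remove the keyword problem at the source.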