3 results (0.005 seconds)

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0

Fossil before 2.14.2 and 2.15.x before 2.15.2 often skips the hostname check during TLS certificate validation. Fossil versiones anteriores a 2.14.2 y versiones 2.15.x anteriores a 2.15.2, a menudo se salta la comprobación del nombre de host durante la comprobación del certificado TLS • https://fossil-scm.org/forum/forumpost/8d367e16f53d93c789d70bd3bf2c9587227bbd5c6a7b8e512cccd79007536036 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JBTRZ5HCOUTIIKJF3T37NORI4P7EVYCY • CWE-295: Improper Certificate Validation •

CVSS: 8.8EPSS: 1%CPEs: 9EXPL: 0

Fossil before 2.10.2, 2.11.x before 2.11.2, and 2.12.x before 2.12.1 allows remote authenticated users to execute arbitrary code. An attacker must have check-in privileges on the repository. Fossil versiones anteriores a 2.10.2, versiones 2.11.x anteriores a 2.11.2 y versiones 2.12.x anteriores a 2.12.1, permite a usuarios autenticados remotos ejecutar código arbitrario. Un atacante debe tener privilegios de registro en el repositorio • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00065.html http://www.openwall.com/lists/oss-security/2020/08/25/1 https://fossil-scm.org/forum/info/a05ae3ce7760daf6 https://fossil-scm.org/fossil/vdiff?branch=sec2020-2.12-patch&diff=1&w https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARYF4YMYXCANXUDS3B3CA4JGUZNUJOJA https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GVZK4K7SFBQRCGCHS76HW2LTSEH2KSUM https://secur • CWE-862: Missing Authorization •

CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0

http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117. http_transport.c en Fossil en versiones anteriores a la 2.4, cuando se utiliza el protocolo SSH sync, permite que atacantes remotos asistidos por un usuario ejecuten comandos arbitrarios mediante una URL ssh con un carácter guión inicial en el nombre del host. Esta vulnerabilidad está relacionada con CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116 y CVE-2017-1000117. • https://bugzilla.opensuse.org/show_bug.cgi?id=1071709 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BLAFCQGE7C5UMX75LESNUMKTXTURUVQM https://www.fossil-scm.org/xfer/doc/trunk/www/changes.wiki#v2_4 https://www.fossil-scm.org/xfer/info/1f63db591c77108c •