CVSS: 6.5EPSS: 1%CPEs: 11EXPL: 0CVE-2020-6393 – chromium-browser: Insufficient policy enforcement in Blink
https://notcve.org/view.php?id=CVE-2020-6393
11 Feb 2020 — Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Una aplicación insuficiente de la política en Blink en Google Chrome versiones anteriores a 80.0.3987.87, permitió a un atacante remoto filtrar datos de origen cruzados por medio de una página HTML diseñada. Chromium is an open-source web browser, powered by WebKit. This update upgrades Chromium to version 80.0.3987.87. Issues addressed include informat... • http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 1%CPEs: 11EXPL: 1CVE-2020-6394 – chromium-browser: Insufficient policy enforcement in Blink
https://notcve.org/view.php?id=CVE-2020-6394
11 Feb 2020 — Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass content security policy via a crafted HTML page. Una aplicación insuficiente de la política en Blink en Google Chrome versiones anteriores a 80.0.3987.87, permitió a un atacante remoto omitir la política de seguridad de contenido por medio de una página HTML diseñada. Chromium is an open-source web browser, powered by WebKit. This update upgrades Chromium to version 80.0.3987.87. Issues addres... • http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html •
CVSS: 8.8EPSS: 2%CPEs: 11EXPL: 0CVE-2020-6402 – chromium-browser: Insufficient policy enforcement in downloads
https://notcve.org/view.php?id=CVE-2020-6402
11 Feb 2020 — Insufficient policy enforcement in downloads in Google Chrome on OS X prior to 80.0.3987.87 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. Una aplicación insuficiente de la política en downloads en Google Chrome sobre OS X versiones anteriores a 80.0.3987.87, permitió a un atacante que convenció a un usuario a instalar una extensión maliciosa para ejecutar código arbitrario por medio de una extensión de Chrome diseñada. Chr... • http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 0CVE-2015-5741 – golang: HTTP request smuggling in net/http library
https://notcve.org/view.php?id=CVE-2015-5741
08 Feb 2020 — The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields. La biblioteca net/http en el archivo net/http/transfer.go en Go versiones anteriores a 1.4.3, no analiza apropiadamente los encabezados HTTP, lo que permite a atacantes remotos llevar a cabo ataques de tráfico no autorizado de peticiones HTTP por medio de un... • http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167997.html • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 5.9EPSS: 0%CPEs: 574EXPL: 0CVE-2019-13163
https://notcve.org/view.php?id=CVE-2019-13163
07 Feb 2020 — The Fujitsu TLS library allows a man-in-the-middle attack. This affects Interstage Application Development Cycle Manager V10 and other versions, Interstage Application Server V12 and other versions, Interstage Business Application Manager V2 and other versions, Interstage Information Integrator V11 and other versions, Interstage Job Workload Server V8, Interstage List Works V10 and other versions, Interstage Studio V12 and other versions, Interstage Web Server Express V11, Linkexpress V5, Safeauthor V3, Ser... • https://www.fujitsu.com/jp/products/software/resources/condition/security/products-fujitsu/solution/interstage-systemwalker-tls-202001.html • CWE-326: Inadequate Encryption Strength •
CVSS: 9.8EPSS: 2%CPEs: 10EXPL: 1CVE-2019-15606 – nodejs: HTTP header values do not have trailing optional whitespace trimmed
https://notcve.org/view.php?id=CVE-2019-15606
07 Feb 2020 — Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons Una inclusión de espacios en blanco finales en los valores de encabezado HTTP en Nodejs versiones 10, 12 y 13, causa una omisión de autorización según las comparaciones de valores de encabezado. A flaw was found in Node.js where the HTTP(s) header values were not stripped of trailing whitespace. An attacker can use this flaw to send an HTTP(s) request which is valida... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html • CWE-20: Improper Input Validation CWE-138: Improper Neutralization of Special Elements •
CVSS: 7.5EPSS: 4%CPEs: 20EXPL: 1CVE-2019-15604 – nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string
https://notcve.org/view.php?id=CVE-2019-15604
07 Feb 2020 — Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate Una Comprobación Inapropiada del Certificado en Node.js versiones 10, 12 y 13, causa que el proceso se aborte cuando se envía un certificado X.509 diseñado. An encoding error flaw exists in the Node.js code that is used to read a peer certificate in the TLS client authentication. An attacker can use this flaw to crash the process used to handle TLS client authentication. Rogier Scho... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html • CWE-172: Encoding Error CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 32%CPEs: 26EXPL: 2CVE-2019-15605 – nodejs: HTTP request smuggling using malformed Transfer-Encoding header
https://notcve.org/view.php?id=CVE-2019-15605
07 Feb 2020 — HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed El tráfico no autorizado de peticiones HTTP en Node.js versiones 10, 12 y 13, causa la entrega maliciosa de la carga útil cuando la codificación de transferencia es malformada. A flaw was found in the Node.js code where a specially crafted HTTP(s) request sent to a Node.js server failed to properly process the HTTP(s) headers, resulting in a request smuggling attack. An attacker can use thi... • https://github.com/jlcarruda/node-poc-http-smuggling • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2020-1712 – systemd: use-after-free when asynchronous polkit queries are performed
https://notcve.org/view.php?id=CVE-2020-1712
05 Feb 2020 — A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages. Se detectó una vulnerabilidad uso de la memoria previamente liberada de la pila en systemd versiones anteriores a v245-rc1, donde se llevaron a cabo consultas de Polkit asinc... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1712 • CWE-416: Use After Free •
CVSS: 7.0EPSS: 0%CPEs: 2EXPL: 1CVE-2019-14898 – kernel: incomplete fix for race condition between mmget_not_zero()/get_task_mm() and core dumping in CVE-2019-11599
https://notcve.org/view.php?id=CVE-2019-14898
04 Feb 2020 — The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could use this flaw to obtain sensitive information, cause a denial of service, or possibly have other unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls. La corrección para el CVE-2019-11599, que afectaba al kernel de Linux versiones anteriores a 5.0.10, no estaba completa. Un usuario local podría usar este fallo para conseguir infomación confidencial, causar una dene... • https://bugs.chromium.org/p/project-zero/issues/detail?id=1790 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-667: Improper Locking •