CVSS: 8.1EPSS: 1%CPEs: 10EXPL: 1CVE-2019-6251 – webkitgtk: processing maliciously crafted web content lead to URI spoofing
https://notcve.org/view.php?id=CVE-2019-6251
14 Jan 2019 — WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a trusted URI. This is similar to the CVE-2018-8383 issue in Microsoft Edge. WebKitGTK y WPE WebKit versiones anteriores a 2.24.1 permite la suplantación de la barra de direcciones en determinadas redirecciones de JavaScript. Un atacante puede hacer que el contenido web malicioso se muestre como si se tratara de ... • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00025.html • CWE-20: Improper Input Validation •
CVSS: 8.1EPSS: 18%CPEs: 6EXPL: 2CVE-2018-20346 – Apple Security Advisory 2019-1-22-3
https://notcve.org/view.php?id=CVE-2018-20346
21 Dec 2018 — SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan. SQLite anterior a la versión 3.25.3, cuando la extensión FTS3 está habilitada, encuentra un desbordamiento de enteros (y el desbordamiento del búfer result... • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00040.html • CWE-190: Integer Overflow or Wraparound •
CVSS: 7.5EPSS: 2%CPEs: 10EXPL: 0CVE-2017-16232 – LibTIFF 4.0.8 Memory Leak
https://notcve.org/view.php?id=CVE-2017-16232
21 Dec 2018 — LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue ** EN DISPUTA ** LibTIFF 4.0.8 tiene múltiples vulnerabilidades de fuga de memoria, lo que permite que los atacantes provoquen una denegación de servicio (consumo de memoria), tal y como queda demostrado con tif_open.c, tif_lzw.c y tif_aux.c. NOTA: los terceros eran inca... • http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00036.html • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 8.1EPSS: 81%CPEs: 8EXPL: 0CVE-2018-16873 – Gentoo Linux Security Advisory 201812-09
https://notcve.org/view.php?id=CVE-2018-16873
14 Dec 2018 — In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git"... • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html • CWE-20: Improper Input Validation •
CVSS: 8.1EPSS: 3%CPEs: 8EXPL: 0CVE-2018-16874 – Gentoo Linux Security Advisory 201812-09
https://notcve.org/view.php?id=CVE-2018-16874
14 Dec 2018 — In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution. En Go en versiones anteriores a la 1.1... • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2018-18849 – Ubuntu Security Notice USN-3826-1
https://notcve.org/view.php?id=CVE-2018-18849
26 Nov 2018 — In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value. En Qemu 3.0.0, lsi_do_msgin en hw/scsi/lsi53c895a.c permite el acceso fuera de límites desencadenando un valor msg_len inválido. Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled NE2000 device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. It was discovered that QEMU incorrectly handled the Slirp... • http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00004.html • CWE-125: Out-of-bounds Read •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2017-5934 – Ubuntu Security Notice USN-3794-1
https://notcve.org/view.php?id=CVE-2017-5934
15 Oct 2018 — Cross-site scripting (XSS) vulnerability in the link dialogue in GUI editor in MoinMoin before 1.9.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad Cross-Site Scripting (XSS) en el diálogo de enlaces en el editor de la interfaz gráfica de MoinMoin en versiones anteriores a la 1.9.10 permite a atacantes remotos inyectar scripts web o HTML arbitrarios utilizando vectores no especificados. It was discovered that MoinMoin incorrectly handled certain i... • http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00024.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-12477 – obs-service-refresh_patches can be tricked into deleting '..' or other unrelated directories
https://notcve.org/view.php?id=CVE-2018-12477
09 Oct 2018 — A Improper Neutralization of CRLF Sequences vulnerability in Open Build Service allows remote attackers to cause deletion of directories by tricking obs-service-refresh_patches to delete them. Affected releases are openSUSE Open Build Service: versions prior to d6244245dda5367767efc989446fe4b5e4609cce. Una vulnerabilidad de neutralización incorrecta de secuencias CRLF en Open Build Service permite que los atacantes remotos provoquen el borrado de directorios engañando a obs-service-refresh_patches para que ... • https://bugzilla.suse.com/show_bug.cgi?id=1108189 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •
CVSS: 7.5EPSS: 66%CPEs: 26EXPL: 1CVE-2018-5740 – A flaw in the "deny-answer-aliases" feature can cause an assertion failure in named
https://notcve.org/view.php?id=CVE-2018-5740
28 Aug 2018 — "deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c. Affects BIND 9.7.0->9.8.8, 9.9.0->9.9.13, 9.10.0->9.10.8, 9.11.0->9.11.4, 9.12.0->9.12.2, 9.13.0->9.13.2. "deny-answer-aliases" es una característica poco utilizada que ... • https://github.com/sischkg/cve-2018-5740 • CWE-617: Reachable Assertion •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 1CVE-2018-14522
https://notcve.org/view.php?id=CVE-2018-14522
23 Jul 2018 — An issue was discovered in aubio 0.4.6. A SEGV signal can occur in aubio_pitch_set_unit in pitch/pitch.c, as demonstrated by aubionotes. Se ha descubierto un problema en aubio 0.4.6. Puede ocurrir una señal SEGV en aubio_pitch_set_unit en pitch/pitch.c, tal y como queda demostrado con aubionotes. • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00031.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •