CVE-2020-8026 – inn: non-root owned files
https://notcve.org/view.php?id=CVE-2020-8026
An Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. This issue affects: openSUSE Leap 15.2 inn version 2.6.2-lp152.1.26 and prior versions. openSUSE Tumbleweed inn version 2.6.2-4.2 and prior versions. openSUSE Leap 15.1 inn version 2.5.4-lp151.3.3.1 and prior versions.
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00063.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00064.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00074.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00038.html
https://bugzilla.suse.com/show_bug.cgi?id=1172573
CWE-276: Incorrect Default Permissions
CVE-2020-17353
https://notcve.org/view.php?id=CVE-2020-17353
scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code.
http://git.savannah.gnu.org/gitweb/?p=lilypond.git%3Ba=commit%3Bh=b84ea4740f3279516905c5db05f4074e777c16ff
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00064.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00076.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QG2JUV4UTIA27JUE6IZLCEFP5PYSFPF4
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2JYMVLTPSNYS5F7TBHKIXUZZJIJAMRX
https://www.debian.org/security/202
CVE-2020-16118
https://notcve.org/view.php?id=CVE-2020-16118
In GNOME Balsa before 2.6.0, a malicious server operator or man in the middle can trigger a NULL pointer dereference and client crash by sending a PREAUTH response to imap_mbox_connect in libbalsa/imap/imap-handle.c.
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00035.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00045.html
https://gitlab.gnome.org/GNOME/balsa/-/commit/4e245d758e1c826a01080d40c22ca8706f0339e5
https://gitlab.gnome.org/GNOME/balsa/-/issues/23
CWE-476: NULL Pointer Dereference
CVE-2020-15917
https://notcve.org/view.php?id=CVE-2020-15917
common/session.c in Claws Mail before 3.17.6 has a protocol violation because suffix data after STARTTLS is mishandled.
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00090.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00060.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00051.html
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00013.html
https://git.claws-mail.org/?p=claws.git%3Ba=blob%3Bf=RELEASE_NOTES
https://git.claws-mail.org/?p=claws.git%3Ba=commit%
CVE-2020-6535 – chromium-browser: Insufficient data validation in WebUI
https://notcve.org/view.php?id=CVE-2020-6535
Insufficient data validation in WebUI in Google Chrome prior to 84.0.4147.89 allowed a remote attacker who had compromised the renderer process to inject scripts or HTML into a privileged page via a crafted HTML page.
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00069.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00018.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00041.html
https://chromereleases.googleblog.com/2020/07/stable-channel-update-for-desktop.html
https://crbug.com/1073409
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTRPPTKZ2RKVH
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')