Page 2 of 202 results (0.003 seconds)

CVSS: 4.9EPSS: 0%CPEs: 4EXPL: 1

04 Feb 2020 — Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders. Una Comprobación de Entrada Inapropiada en Nextcloud Server versión 15.0.7, permite a los administradores de grupo crear usuarios con los ID de carpetas del sistema. An update that fixes 6 vulnerabilities is now available. This update for nextcloud fixes the following issues. Nextcloud was updated to 15.0.14. • http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00019.html • CWE-20: Improper Input Validation •

CVSS: 4.0EPSS: 0%CPEs: 6EXPL: 0

24 Jan 2020 — : Incorrect Default Permissions vulnerability in libzypp of SUSE CaaS Platform 3.0, SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allowed local attackers to read a cookie store used by libzypp, exposing private cookies. This issue affects: SUSE CaaS Platform 3.0 libzypp versions prior to 16.21.2-27.68.1. SUSE Linux Enterprise Server 12 libzypp versions prior to 16.21.2-2.45.1. SUSE Linux Enterprise Server 15 17.19.0-3.34.1. Una vulnerabilidad de Permisos Predeterminados Incorrectos en lib... • http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html • CWE-276: Incorrect Default Permissions •

CVSS: 8.8EPSS: 19%CPEs: 4EXPL: 2

09 Jan 2020 — In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server. En phpMyAdmin versiones 4 anteriores a 4.9.4 y versiones 5 anteriores a 5.0.1, una inyección SQL se presenta en la página de cuentas de usuario. Un usuario malicioso podría inyectar SQL personalizado en lugar de su propio nombre de usuario c... • https://github.com/xMohamed0/CVE-2020-5504-phpMyAdmin • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0

07 Oct 2019 — The /usr/sbin/pinger binary packaged with squid in SUSE Linux Enterprise Server 15 before and including version 4.8-5.8.1 and in SUSE Linux Enterprise Server 12 before and including 3.5.21-26.17.1 had squid:root, 0750 permissions. This allowed an attacker that compromissed the squid user to gain persistence by changing the binary El binario /usr/sbin/pinger empaquetado con squid en SUSE Linux Enterprise Server 15 anterior e incluyendo la versión 4.8-5.8.1 y en SUSE Linux Enterprise Server 12 anterior e incl... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html • CWE-276: Incorrect Default Permissions •

CVSS: 6.5EPSS: 3%CPEs: 7EXPL: 2

20 Feb 2019 — A path traversal vulnerability in the web application component of Micro Focus Filr 3.x allows a remote attacker authenticated as a low privilege user to download arbitrary files from the Filr server. This vulnerability affects all versions of Filr 3.x prior to Security Update 6. Una vulnerabilidad de salto de directorio en el componente de aplicación web de Micro Focus Filr, en versiones 3.x, permite que un atacante remoto autenticado como usuario con pocos privilegios descargue archivos arbitrarios del se... • https://packetstorm.news/files/id/151803 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.8EPSS: 1%CPEs: 7EXPL: 2

20 Feb 2019 — A local privilege escalation vulnerability in the famtd component of Micro Focus Filr 3.0 allows a local attacker authenticated as a low privilege user to escalate to root. This vulnerability affects all versions of Filr 3.x prior to Security Update 6. Una vulnerabilidad de escalado de privilegios local en el componente famtd de Micro Focus Filr 3.0 permite que un atacante local autenticado como usuario con bajos privilegios escale a root. Esta vulnerabilidad afecta a todas las versiones 3.x de Filr anterio... • https://packetstorm.news/files/id/151803 • CWE-264: Permissions, Privileges, and Access Controls CWE-269: Improper Privilege Management •

CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 2

29 Nov 2018 — A stack-based buffer overflow in the find_green() function of dcraw through 9.28, as used in ufraw-batch and many other products, may allow a remote attacker to cause a control-flow hijack, denial-of-service, or unspecified other impact via a maliciously crafted raw photo file. Un desbordamiento de búfer basado en pila en la función find_green() de dcraw hasta la versión 9.28, tal y como se emplea en ufraw-batch y muchos otros productos, podría permitir que un atacante remoto provoque el secuestro de un flu... • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890086 • CWE-787: Out-of-bounds Write •

CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0

28 Nov 2018 — Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server. Node.js: Todas las versiones anteriores a la 6.15.0 y 8.14.0: separación de petición HTTP. Si se puede convencer a Node.js para que emplee datos Unicode no saneados proporcionados por el us... • https://access.redhat.com/errata/RHSA-2019:1821 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') CWE-115: Misinterpretation of Input •

CVSS: 7.5EPSS: 3%CPEs: 9EXPL: 0

28 Nov 2018 — Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time. Node.js: Todas las versiones anteriores a la 6.15.0, 8.14.0, 10.14.0 y 11.3.0: Denegación de servicio (DoS) HTTP mediante Slowloris. Un atacante puede provocar una denegación de servicio (DoS) enviando cabeceras muy lentamente, mant... • http://www.securityfocus.com/bid/106043 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1

12 Nov 2018 — In libwpd 0.10.2, there is a NULL pointer dereference in the function WP6ContentListener::defineTable in WP6ContentListener.cpp that will lead to a denial of service attack. This is related to WPXTable.h. En libwpd 0.10.2, hay una desreferencia de puntero NULL en la función WP6ContentListener::defineTable en WP6ContentListener.cpp que conducirá a un ataque de denegación de servicio (DoS). Esto está relacionado con WPXTable.h. An update that fixes one vulnerability is now available. • https://access.redhat.com/errata/RHSA-2019:2126 • CWE-476: NULL Pointer Dereference •