
CVE-2019-20637 – varnish: not clearing pointer between two client requests leads to information disclosure
https://notcve.org/view.php?id=CVE-2019-20637
08 Apr 2020 — An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connection workspace, such as data structures associated with previous requests within this connection or VCL-related temporary headers. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00026.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

CVE-2020-11653 – varnish: remote clients may cause Varnish to assert and restart which could result in DoS
https://notcve.org/view.php?id=CVE-2020-11653
08 Apr 2020 — An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00026.html • CWE-400: Uncontrolled Resource Consumption; CWE-617: Reachable Assertion

CVE-2020-6095 – Gentoo Linux Security Advisory 202009-05
https://notcve.org/view.php?id=CVE-2020-6095
27 Mar 2020 — An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer dereference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00029.html • CWE-476: NULL Pointer Dereference; CWE-690: Unchecked Return Value to NULL Pointer Dereference

CVE-2020-1772 – Information Disclosure
https://notcve.org/view.php?id=CVE-2020-1772
27 Mar 2020 — It's possible to craft Lost Password requests with wildcards in the Token value, which allows an attacker to retrieve valid Token(s) generated by users who have already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-155: Improper Neutralization of Wildcards or Matching Symbols

CVE-2020-1770 – Information disclosure in support bundle files
https://notcve.org/view.php?id=CVE-2020-1770
27 Mar 2020 — Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-201: Insertion of Sensitive Information Into Sent Data

CVE-2020-1769 – Autocomplete in the form login screens
https://notcve.org/view.php?id=CVE-2020-1769
27 Mar 2020 — In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered a security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-16: Configuration

CVE-2020-10938 – Debian Security Advisory 4675-1
https://notcve.org/view.php?id=CVE-2020-10938
24 Mar 2020 — GraphicsMagick before 1.3.35 has an integer overflow and resultant heap-based buffer overflow in HuffmanDecodeImage in magick/compress.c. Several vulnerabilities have been discovered in GraphicsMagick, a set of command-line applications to manipulate image files, which could result in inform... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00049.html • CWE-190: Integer Overflow or Wraparound; CWE-787: Out-of-bounds Write

CVE-2020-6425 – chromium-browser: Insufficient policy enforcement in extensions
https://notcve.org/view.php?id=CVE-2020-6425
23 Mar 2020 — Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.149 allowed an attacker who convinced a user to install a malicious extension to bypass site isolation via a crafted Chrome Extension. Multiple vulnerabil... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00037.html • CWE-20: Improper Input Validation

CVE-2020-10802 – Ubuntu Security Notice USN-4639-1
https://notcve.org/view.php?id=CVE-2020-10802
22 Mar 2020 — In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2020-10803 – Ubuntu Security Notice USN-4639-1
https://notcve.org/view.php?id=CVE-2020-10803
22 Mar 2020 — In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')