Page 31 of 215 results (0.012 seconds)

CVSS: 4.8EPSS: 0%CPEs: 7EXPL: 1

CVE-2019-3820 – gnome-shell: partial lock screen bypass

https://notcve.org/view.php?id=CVE-2019-3820

It was discovered that the gnome-shell lock screen since version 3.15.91 did not properly restrict all contextual actions. An attacker with physical access to a locked workstation could invoke certain keyboard shortcuts, and potentially other actions. Se ha descubierto que la pantalla de bloqueo de gnome-shell, desde la versión 3.15.91 no restringió correctamente todas las acciones contextuales. Un atacante con acceso físico a una estación de trabajo bloqueada podría invocar ciertos atajos de teclado y, potencialmente, otras acciones. A vulnerability was found where the gnome-shell lock screen, since version 3.15.91, does not properly restrict all contextual actions. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00023.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00049.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3820 https://gitlab.gnome.org/GNOME/gnome-shell/issues/851 https://usn.ubuntu.com/3966-1 https://access.redhat.com/security/cve/CVE-2019-3820 https://bugzilla.redhat.com/show_bug.cgi?id=1669391 • CWE-285: Improper Authorization CWE-287: Improper Authentication •

CVSS: 7.7EPSS: 0%CPEs: 8EXPL: 1

CVE-2019-3814 – dovecot: Improper certificate validation

https://notcve.org/view.php?id=CVE-2019-3814

It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users. Se ha descubierto que Dovecot, en versiones anteriores a la 2.2.36.1 y 2.3.4.1, gestiona de manera incorrecta los certificados del cliente. Un atacante remoto en posesión de un certificado válido con un campo "username" vacío podría emplear este problema para suplantar a otros usuarios. It was discovered that Dovecot incorrectly handled client certificates. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html https://access.redhat.com/errata/RHSA-2019:3467 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS https://security.gentoo.org/glsa/201904-19 https://www.dovecot.org/list/dovecot/2019-Feb • CWE-295: Improper Certificate Validation •

CVSS: 5.3EPSS: 0%CPEs: 57EXPL: 1

CVE-2019-7317 – libpng: use-after-free in png_image_free in png.c

https://notcve.org/view.php?id=CVE-2019-7317

png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute. La función png_image_free en el archivo png.c en libpng versiones 1.6.x anteriores a 1.6.37, presenta un uso de la memoria previamente liberada porque la función png_image_free_function es llamada bajo png_safe_execute. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00029.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00084.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html http://packetstormsecurity.com/files/152561/Slackware-Security-Advisory-libpng-Updates.html http://www.securityfocus.com/bid/108098 https:/ • CWE-400: Uncontrolled Resource Consumption CWE-416: Use After Free •

CVSS: 6.1EPSS: 0%CPEs: 29EXPL: 0

CVE-2018-18506 – Mozilla: Proxy Auto-Configuration file can define localhost access to be proxied

https://notcve.org/view.php?id=CVE-2018-18506

When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior is disallowed by default when a proxy is manually configured, but when enabled could allow for attacks on services and tools that bind to the localhost for networked behavior if they are accessed through browsing. This vulnerability affects Firefox < 65. Cuando la autodetección del proxy está habilitada, si un servidor web proporciona un archivo de autoconfiguración de proxy (PAC) o si dicho archivo se carga localmente, este último puede especificar peticiones al host local que están destinadas a enviarse a través del proxy hacia otro servidor. Este comportamiento está prohibido por defecto cuando un proxy se configura manualmente. • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00035.html http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00043.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00023.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00043.html http://www.securityfocus.com/bid/106773 https://access.redhat.com/errata/RHSA-2019:0622 https://access.redhat.com/errata/RHSA-2019:0623 https://access.redhat.com/errata/RHSA-2019:0680 https:/ • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.8EPSS: 2%CPEs: 18EXPL: 4

CVE-2019-6116 – Ghostscript 9.26 - Pseudo-Operator Remote Code Execution

https://notcve.org/view.php?id=CVE-2019-6116

In Artifex Ghostscript through 9.26, ephemeral or transient procedures can allow access to system operators, leading to remote code execution. En Artifex Ghostscript hasta la versión 9.26, los procedimientos ephemeral o transient pueden permitir el acceso a los operadores del sistema, lo que conduce a la ejecución remota de código. It was found that ghostscript could leak sensitive operators on the operand stack when a pseudo-operator pushes a subroutine. A specially crafted PostScript file could use this flaw to escape the -dSAFER protection in order to, for example, have access to the file system outside of the SAFER constraints. Ghostscript has an issue with pseudo-operators that can lead to remote code execution. • https://www.exploit-db.com/exploits/46242 http://lists.opensuse.org/opensuse-security-announce/2019-01/msg00047.html http://lists.opensuse.org/opensuse-security-announce/2019-01/msg00048.html http://packetstormsecurity.com/files/151307/Ghostscript-Pseudo-Operator-Remote-Code-Execution.html http://packetstormsecurity.com/files/152367/Slackware-Security-Advisory-ghostscript-Updates.html http://www.openwall.com/lists/oss-security/2019/01/23/5 http://www.openwall.com/lists/oss-security/2019/03/21/1 http: •