CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-12244
https://notcve.org/view.php?id=CVE-2020-12244
An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer, allowing an attacker to bypass DNSSEC validation. Se detectó un problema en PowerDNS Recursor versiones 4.1.0 hasta 4.3.0, donde los registros en la sección de respuestas de una respuesta NXDOMAIN que carece de SOA no fueron comprobados apropiadamente en las función SyncRes::processAnswer, permitiendo a un atacante omitir la comprobación DNSSEC. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00052.html http://www.openwall.com/lists/oss-security/2020/05/19/3 https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMP72NJGKBWR5WEBXAWX5KSLQUDFTG6S https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PS4ZN5XGENYNFKX7QIIOUCQQHXE37GJF https://www.debian.org/security/2020/dsa-4691 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 6.5EPSS: 0%CPEs: 10EXPL: 1CVE-2020-12108 – mailman: arbitrary content injection via the options login page
https://notcve.org/view.php?id=CVE-2020-12108
/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection. El archivo /options/mailman en GNU Mailman versiones anteriores a 2.1.31, permite una Inyección de Contenido Arbitrario. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00036.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html https://bugs.launchpad.net/mailman/+bug/1873722 https://code.launchpad.net/mailman https://lists.debian.org/debian-lts-announce/2020/05/msg00007.html https://lists.debian.org/debian-lts-announce/202 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2020-12672
https://notcve.org/view.php?id=CVE-2020-12672
GraphicsMagick through 1.3.35 has a heap-based buffer overflow in ReadMNGImage in coders/png.c. GraphicsMagick versiones hasta 1.3.35, presenta un desbordamiento del búfer en la región heap de la memoria en la función ReadMNGImage en el archivo coders/png.c. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00008.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00012.html https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19025 https://lists.debian.org/debian-lts-announce/2020/06/msg00004.html https://security.gentoo.org/glsa/202209-19 • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 1%CPEs: 7EXPL: 2CVE-2020-12640
https://notcve.org/view.php?id=CVE-2020-12640
Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php. Roundcube Webmail versiones anteriores a la versión 1.4.4, permite a atacantes incluir archivos locales y ejecutar código por medio de un salto de directorio en un nombre de plugin en archivo rcube_plugin_api.php. • https://github.com/mbadanoiu/CVE-2020-12640 http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12640-PHP%20Local%20File%20Inclusion-Roundcube https://github.com/roundcube/roundcubemail/commit/814eadb699e8576ce3a78f21e95bf69a7c7b3794 https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4 https://github.com/roundcube/roundcubemail/releases/tag/1.4.4 https://roundcube.net/news/2020/04/29/security-updates-1. • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 12%CPEs: 7EXPL: 2CVE-2020-12641 – Roundcube Webmail Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-12641
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. El archivo rcube_image.php en Roundcube Webmail versiones anteriores a la versión 1.4.4, permite a atacantes ejecutar código arbitrario por medio de metacaracteres de shell en un ajuste de configuración para im_convert_path o im_identify_path. Roundcube Webmail contains an remote code execution vulnerability that allows attackers to execute code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. • https://github.com/mbadanoiu/CVE-2020-12641 http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12641-Command%20Injection-Roundcube https://github.com/roundcube/roundcubemail/commit/fcfb099477f353373c34c8a65c9035b06b364db3 https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4 https://github.com/roundcube/roundcubemail/releases/tag/1.4.4 https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1. • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •