Page 36 of 550 results (0.011 seconds)

CVSS: 5.3EPSS: 0%CPEs: 16EXPL: 1

CVE-2017-7829 – Mozilla: From address with encoded null character is cut off in message header display

https://notcve.org/view.php?id=CVE-2017-7829

It is possible to spoof the sender's email address and display an arbitrary sender address to the email recipient. The real sender's address is not displayed if preceded by a null character in the display string. This vulnerability affects Thunderbird < 52.5.2. Es posible suplantar la dirección de correo del remitente y mostrar una dirección de envío arbitraria al correo receptor. La dirección de envío real no se muestra si viene precedida de un carácter nulo en la cadena de muestra. • http://www.securityfocus.com/bid/102258 http://www.securitytracker.com/id/1040123 https://access.redhat.com/errata/RHSA-2018:0061 https://bugzilla.mozilla.org/show_bug.cgi?id=1423432 https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html https://usn.ubuntu.com/3529-1 https://www.debian.org/security/2017/dsa-4075 https://www.mozilla.org/security/advisories/mfsa2017-30 https://access.redhat.com/security/cve/CVE-2017-7829 https://bugzilla.redhat.com/show_bug • CWE-20: Improper Input Validation •

CVSS: 8.8EPSS: 0%CPEs: 13EXPL: 0

CVE-2017-7846 – Mozilla: JavaScript Execution via RSS in mailbox:// origin

https://notcve.org/view.php?id=CVE-2017-7846

It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via "View -> Feed article -> Website" or in the standard format of "View -> Feed article -> default format". This vulnerability affects Thunderbird < 52.5.2. Es posible ejecutar código JavaScript en el canal RSS analizado cuando el canal RSS se ve como un sitio web, por ejemplo, a través de "View -> Feed article -> Website" o en el formato estándar de "View -> Feed article -> default format". La vulnerabilidad afecta a las versiones anteriores a la 52.5.2 de Thunderbird. • http://www.securityfocus.com/bid/102258 http://www.securitytracker.com/id/1040123 https://access.redhat.com/errata/RHSA-2018:0061 https://bugzilla.mozilla.org/show_bug.cgi?id=1411716 https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html https://www.debian.org/security/2017/dsa-4075 https://www.mozilla.org/security/advisories/mfsa2017-30 https://access.redhat.com/security/cve/CVE-2017-7846 https://bugzilla.redhat.com/show_bug.cgi?id=1530187 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 4.3EPSS: 0%CPEs: 13EXPL: 0

CVE-2017-7847 – Mozilla: Local path string can be leaked from RSS feed

https://notcve.org/view.php?id=CVE-2017-7847

Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name. This vulnerability affects Thunderbird < 52.5.2. El CSS creado en un feed RSS puede filtrar y revelar cadenas de rutas locales que pueden contener el nombre de un usuario. La vulnerabilidad afecta a las versiones anteriores a la 52.5.2 de Thunderbird. • http://www.securityfocus.com/bid/102258 http://www.securitytracker.com/id/1040123 https://access.redhat.com/errata/RHSA-2018:0061 https://bugzilla.mozilla.org/show_bug.cgi?id=1411708 https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html https://www.debian.org/security/2017/dsa-4075 https://www.mozilla.org/security/advisories/mfsa2017-30 https://access.redhat.com/security/cve/CVE-2017-7847 https://bugzilla.redhat.com/show_bug.cgi?id=1530190 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 9.3EPSS: 89%CPEs: 17EXPL: 1

CVE-2017-17405 – Ruby < 2.2.8 / < 2.3.5 / < 2.4.2 / < 2.5.0-preview1 - 'NET::Ftp' Command Injection

https://notcve.org/view.php?id=CVE-2017-17405

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution. Ruby en versiones anteriores a la 2.4.3 permite la inyección de comandos Net::FTP. • https://www.exploit-db.com/exploits/43381 http://www.securityfocus.com/bid/102204 http://www.securitytracker.com/id/1042004 https://access.redhat.com/errata/RHSA-2018:0378 https://access.redhat.com/errata/RHSA-2018:0583 https://access.redhat.com/errata/RHSA-2018:0584 https://access.redhat.com/errata/RHSA-2018:0585 https://access.redhat.com/errata/RHSA-2019:2806 https://lists.debian.org/debian-lts-announce/2017/12/msg00024.html https://lists.debian.org/debian-lts-announce • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0

CVE-2017-15097 – postgresql: Start scripts permit database administrator to modify root-owned files

https://notcve.org/view.php?id=CVE-2017-15097

Privilege escalation flaws were found in the Red Hat initialization scripts of PostgreSQL. An attacker with access to the postgres user account could use these flaws to obtain root access on the server machine. Se encontraron vulnerabilidades de escalado de privilegios en los scripts de inicialización de Red Hat de PostgreSQL. Un atacante con acceso a la cuenta de usuario de postgres podría usar estas vulnerabilidades para obtener acceso root en la máquina del servidor. • http://www.securitytracker.com/id/1039983 https://access.redhat.com/errata/RHSA-2017:3402 https://access.redhat.com/errata/RHSA-2017:3403 https://access.redhat.com/errata/RHSA-2017:3404 https://access.redhat.com/errata/RHSA-2017:3405 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15097 https://access.redhat.com/security/cve/CVE-2017-15097 https://bugzilla.redhat.com/show_bug.cgi?id=1508985 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •