CVE-2023-47272
https://notcve.org/view.php?id=CVE-2023-47272
Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). Roundcube 1.5.x anterior a 1.5.6 y 1.6.x anterior a 1.6.5 permite XSS a través de un encabezado Content-Type o Content-Disposition (utilizado para la vista previa o descarga de archivos adjuntos). • https://github.com/roundcube/roundcubemail/commit/5ec496885e18ec6af956e8c0d627856c2257ba2d https://github.com/roundcube/roundcubemail/releases/tag/1.5.6 https://github.com/roundcube/roundcubemail/releases/tag/1.6.5 https://lists.debian.org/debian-lts-announce/2023/12/msg00005.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GILSR762MJB3BNJOVOCMW2JXEPV46IIQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YFRGBPET73URF6364CI547ZVWQESJLGK https: • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-1194 – Use-after-free in parse_lease_state()
https://notcve.org/view.php?id=CVE-2023-1194
An out-of-bounds (OOB) memory read flaw was found in parse_lease_state in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. When an attacker sends the CREATE command with a malformed payload to KSMBD, due to a missing check of `NameOffset` in the `parse_lease_state()` function, the `create_context` object can access invalid memory. Se encontró una falla de lectura de memoria Out-Of-Bounds (OOB) en parse_lease_state en la implementación KSMBD del servidor samba en el kernel y CIFS en el kernel de Linux. Cuando un atacante envía el comando CREATE con un payload mal formada a KSMBD, debido a una verificación faltante de `NameOffset` en la función `parse_lease_state()`, el objeto `create_context` puede acceder a memoria no válida. • https://access.redhat.com/security/cve/CVE-2023-1194 https://bugzilla.redhat.com/show_bug.cgi?id=2154176 https://security.netapp.com/advisory/ntap-20231221-0006 https://www.spinics.net/lists/stable-commits/msg303065.html • CWE-125: Out-of-bounds Read CWE-416: Use After Free •
CVE-2023-5859
https://notcve.org/view.php?id=CVE-2023-5859
Incorrect security UI in Picture In Picture in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to perform domain spoofing via a crafted local HTML page. (Chromium security severity: Low) La interfaz de usuario de seguridad incorrecta en Imagen sobre Imagen en Google Chrome anterior a 119.0.6045.105 permitía a un atacante remoto realizar una suplantación de dominio a través de una página HTML local manipulada. (Severidad de seguridad de Chrome: baja) • https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_31.html https://crbug.com/1482045 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MHLJRFWZNY6BFOW25Q4FEESVWZKS4C2 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EBA4KD5ZSV6XWWFLVR5UBYKKNOYMH33H https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PHWLT3M2AQDFD7RNAM3NJMYUC5KHMO5V https://security.gentoo.org/glsa/202311-11 https://secu • CWE-346: Origin Validation Error •
CVE-2023-5858
https://notcve.org/view.php?id=CVE-2023-5858
Inappropriate implementation in WebApp Provider in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Low) La implementación inadecuada en WebApp Provider en Google Chrome anterior a 119.0.6045.105 permitió a un atacante remoto ofuscar la interfaz de usuario de seguridad a través de una página HTML manipulada. (Severidad de seguridad de Chrome: baja) • https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_31.html https://crbug.com/1457704 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MHLJRFWZNY6BFOW25Q4FEESVWZKS4C2 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EBA4KD5ZSV6XWWFLVR5UBYKKNOYMH33H https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PHWLT3M2AQDFD7RNAM3NJMYUC5KHMO5V https://security.gentoo.org/glsa/202311-11 https://secu • CWE-346: Origin Validation Error •
CVE-2023-5857
https://notcve.org/view.php?id=CVE-2023-5857
Inappropriate implementation in Downloads in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to potentially execute arbitrary code via a malicious file. (Chromium security severity: Medium) La implementación inadecuada en Descargas en Google Chrome anterior a 119.0.6045.105 permitía a un atacante remoto ejecutar potencialmente código arbitrario a través de un archivo malicioso. (Severidad de seguridad de Chromium: media) • https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_31.html https://crbug.com/1493435 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MHLJRFWZNY6BFOW25Q4FEESVWZKS4C2 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EBA4KD5ZSV6XWWFLVR5UBYKKNOYMH33H https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PHWLT3M2AQDFD7RNAM3NJMYUC5KHMO5V https://security.gentoo.org/glsa/202311-11 https://secu •