CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2020-1769 – Autocomplete in the form login screens
https://notcve.org/view.php?id=CVE-2020-1769
In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. En las pantallas de inicio de sesión (en la interfaz del agente y cliente), los campos Username y Password usan autocompletar, lo que podría ser considerado un problema de seguridad. Este problema afecta a: ((OTRS)) Community Edition: versiones 5.0.41 y anteriores, versiones 6.0.26 y anteriores. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://otrs.com/release-notes/otrs-security-advisory-2020-06 • CWE-16: Configuration •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2020-10938
https://notcve.org/view.php?id=CVE-2020-10938
GraphicsMagick before 1.3.35 has an integer overflow and resultant heap-based buffer overflow in HuffmanDecodeImage in magick/compress.c. GraphicsMagick versiones anteriores a la versión 1.3.35, tiene un desbordamiento de enteros y un desbordamiento del búfer en la región heap de la memoria en la función HuffmanDecodeImage en el archivo magick/compress.c. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00049.html http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00051.html https://lists.debian.org/debian-lts-announce/2020/04/msg00007.html https://sourceforge.net/p/graphicsmagick/code/ci/5b4dd7c6674140a115ec9424c8d19c6a458fac3e https://www.debian.org/security/2020/dsa-4675 • CWE-190: Integer Overflow or Wraparound CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2020-6425 – chromium-browser: Insufficient policy enforcement in extensions
https://notcve.org/view.php?id=CVE-2020-6425
Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.149 allowed an attacker who convinced a user to install a malicious extension to bypass site isolation via a crafted Chrome Extension. Una aplicación de política insuficiente en extensions de Google Chrome versiones anteriores a 80.0.3987.149, permitió a un atacante que convenció a un usuario para instalar una extensión maliciosa omitir el aislamiento del sitio por medio de una Extensión de Chrome diseñada. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00037.html https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_18.html https://crbug.com/1031670 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DDNOAGIX5D77TTHT6YPMVJ5WTXTCQEI https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWANFIR3 • CWE-20: Improper Input Validation •
CVSS: 8.0EPSS: 0%CPEs: 11EXPL: 0CVE-2020-10802
https://notcve.org/view.php?id=CVE-2020-10802
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table. En phpMyAdmin versiones 4.x anteriores a 4.9.5 y versiones 5.x anteriores a 5.0.2, se ha detectado una vulnerabilidad de inyección SQL donde determinados parámetros no se escapan apropiadamente al generar determinadas consultas para acciones de búsqueda en la biblioteca libraries/classes/Controllers/Table/TableSearchController.php. Un atacante puede generar un nombre de base de datos o tabla diseñados. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00050.html http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html https://lists.debian.org/debian-lts-announce/2020/03/msg00028.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 11EXPL: 0CVE-2020-10803
https://notcve.org/view.php?id=CVE-2020-10803
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack. En phpMyAdmin versiones 4.x anteriores a 4.9.5 y versiones 5.x anteriores a 5.0.2, se detectó una vulnerabilidad de inyección SQL donde un código malicioso podría ser usado para desencadenar un ataque de tipo XSS mediante la recuperación y visualización de resultados (en archivo tbl_get_field.php y biblioteca libraries/clases/Display/Results.php). El atacante debe poder insertar datos diseñados en determinadas tablas de la base de datos, que cuando se recuperaban (por ejemplo, por medio de la pestaña Browse) pueden desencadenar el ataque de tipo XSS. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00050.html http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html https://lists.debian.org/debian-lts-announce/2020/03/msg00028.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •