CVSS: 8.0EPSS: 1%CPEs: 11EXPL: 0CVE-2020-10802 – Ubuntu Security Notice USN-4639-1
https://notcve.org/view.php?id=CVE-2020-10802
22 Mar 2020 — In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table. En phpMyAdmin versiones 4.x anteriores a 4.9.5 y versiones 5.x anteriores ... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 3%CPEs: 11EXPL: 0CVE-2020-10803 – Ubuntu Security Notice USN-4639-1
https://notcve.org/view.php?id=CVE-2020-10803
22 Mar 2020 — In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack. En phpMyAdmin versiones 4.x anteriores a 4.9.5 y versiones 5.x anteriores a 5.0... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.0EPSS: 2%CPEs: 10EXPL: 0CVE-2020-10804
https://notcve.org/view.php?id=CVE-2020-10804
22 Mar 2020 — In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges). En phpMyAdmin versiones 4.x anteriores a 4.9.5 y versiones 5.x anteriores a 5.0.2, se encontró una vulner... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-17185 – freeradius: eap-pwd: DoS issues due to multithreaded BN_CTX access
https://notcve.org/view.php?id=CVE-2019-17185
21 Mar 2020 — In FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global OpenSSL BN_CTX instance to handle all handshakes. This mean multiple threads use the same BN_CTX instance concurrently, resulting in crashes when concurrent EAP-pwd handshakes are initiated. This can be abused by an adversary as a Denial-of-Service (DoS) attack. En FreeRADIUS versiones 3.0.x anteriores a 3.0.20, el módulo EAP-pwd utilizó una instancia OpenSSL BN_CTX global para manejar todos los protocolos de enlace. Esto significa que vari... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00039.html • CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context CWE-662: Improper Synchronization •
CVSS: 6.1EPSS: 5%CPEs: 8EXPL: 0CVE-2019-18860 – squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour
https://notcve.org/view.php?id=CVE-2019-18860
20 Mar 2020 — Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi. Squid versiones anteriores a 4.9, cuando determinados navegadores web son usados, maneja inapropiadamente HTML en el parámetro host (también se conoce como hostname) en el archivo cachemgr.cgi. A flaw was found in squid. Squid, when certain web browsers are used, mishandles HTML in the host parameter to cachemgr.cgi which could result in squid behaving in unsecure way. Jeriko One disco... • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 5EXPL: 3CVE-2020-5267 – Possible XSS vulnerability in ActionView
https://notcve.org/view.php?id=CVE-2020-5267
19 Mar 2020 — In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2. En ActionView versiones anteriores a 6.0.2.2 y 5.2.4.2, se presenta una posible vulnerabilidad de tipo XSS en los asistentes de escape literal de JavaScript de ActionView. Las vistas que usan los métodos "j" o "escape_javascript" p... • https://github.com/GUI/legacy-rails-CVE-2020-5267-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 7.8EPSS: 2%CPEs: 5EXPL: 0CVE-2020-10592 – Debian Security Advisory 4644-1
https://notcve.org/view.php?id=CVE-2020-10592
19 Mar 2020 — Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 allows remote attackers to cause a Denial of Service (CPU consumption), aka TROVE-2020-002. Tor versiones anteriores a 0.3.5.10, versiones 0.4.x anteriores a 0.4.1.9 y versiones 0.4.2.x anteriores a 0.4.2.7, permite a atacantes remotos causar una Denegación de Servicio (consumo de CPU), también se conoce como TROVE-2020-002. Multiple vulnerabilities were found in Tor, the worst of which could allow remote attackers to cause a Denial of Se... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00045.html •
CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 0CVE-2020-10593 – Gentoo Linux Security Advisory 202003-50
https://notcve.org/view.php?id=CVE-2020-10593
19 Mar 2020 — Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 allows remote attackers to cause a Denial of Service (memory leak), aka TROVE-2020-004. This occurs in circpad_setup_machine_on_circ because a circuit-padding machine can be negotiated twice on the same circuit. Tor versiones anteriores a 0.3.5.10, versiones 0.4.x anteriores a 0.4.1.9 y versiones 0.4.2.x anteriores a 0.4.2.7, permite a atacantes remotos causar una Denegación de servicio (pérdida de memoria), también se conoce como TROVE-2... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00045.html • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 6.5EPSS: 5%CPEs: 6EXPL: 0CVE-2019-12921 – Debian Security Advisory 4675-1
https://notcve.org/view.php?id=CVE-2019-12921
18 Mar 2020 — In GraphicsMagick before 1.3.32, the text filename component allows remote attackers to read arbitrary files via a crafted image because of TranslateTextEx for SVG. En GraphicsMagick versiones anteriores a 1.3.32, el componente text filename permite a atacantes remotos leer archivos arbitrarios por medio de una imagen diseñada debido a TranslateTextEx para SVG. Several vulnerabilities have been discovered in GraphicsMagick, a set of command-line applications to manipulate image files, which could result in ... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00049.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2020-0556 – bluez: Improper access control in subsystem could result in privilege escalation and DoS
https://notcve.org/view.php?id=CVE-2020-0556
12 Mar 2020 — Improper access control in subsystem for BlueZ before version 5.54 may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access El control de acceso incorrecto en el subsistema para BlueZ anterior a la versión 5.54 puede permitir que un usuario no autenticado permita potencialmente la escalada de privilegios y la denegación de servicio a través del acceso adyacente It was discovered that BlueZ incorrectly handled bonding HID and HOGP devices. A lo... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00008.html • CWE-266: Incorrect Privilege Assignment •