CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2019-12420 – spamassassin: crafted email message can lead to DoS
https://notcve.org/view.php?id=CVE-2019-12420
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly. En Apache SpamAssassin versiones anteriores a 3.4.3, un mensaje puede ser diseñado de una forma que use recursos excesivos. La actualización recomendada a SA versión 3.4.3 lo antes posible es la solución recomendada, pero los detalles no serán compartidos públicamente. • http://www.openwall.com/lists/oss-security/2019/12/12/2 https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7747 https://lists.apache.org/thread.html/5863d6c42fc9595a29566732f12348cde0ca0e41bda91695c62041de%40%3Cannounce.apache.org%3E https://lists.apache.org/thread.html/5ef362d6da12126fafc81443309ca95d872d1bfd011fe4b2699f0fe9%40%3Cusers.spamassassin.apache.org%3E https://lists.apache.org/thread.html/64cf76749956dd08f7d5b86ec9f3321f382cfd7fe717ccd1be940c92%40%3Cannounce.spamassassin.apache.org%3E https://lists.apache.org/thread.html/e3c2367351286b77a74a082e2b • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2018-11805 – spamassassin: crafted configuration files can run system commands without any output or errors
https://notcve.org/view.php?id=CVE-2018-11805
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places. En Apache SpamAssassin versiones anteriores a 3.4.3, se pueden configurar archivos CF nefastos para ejecutar comandos de sistema sin ningún resultado o error. Con esto, las explotaciones pueden ser inyectadas en varios escenarios. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00003.html http://www.openwall.com/lists/oss-security/2019/12/12/1 http://www.openwall.com/lists/oss-security/2020/01/30/2 http://www.openwall.com/lists/oss-security/2020/01/30/3 https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7647 https://lists.apache.org/thread.html/0b5c73809d0690527341d940029f743807b70550050fd23ee869c5e5%40%3Cusers.spamassassin.apache.org%3E https://lists.apache.org/thread.html/2946b38caec47f7f6a79e8e03d2aa723794186e59a7 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 1CVE-2019-17358
https://notcve.org/view.php?id=CVE-2019-17358
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module. Cacti versiones hasta 1.2.7, está afectado por múltiples instancias de deserialización no segura de la biblioteca lib/functions.php de datos controlados por parte del usuario para llenar matrices. Un atacante autenticado podría usar esto para influir en los valores de los datos del objeto y controlar las acciones tomadas por Cacti o potencialmente causar una corrupción de la memoria en el módulo PHP. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-17358 https://github.com/Cacti/cacti/blob/79f29cddb5eb05cbaff486cd634285ef1fed9326/lib/functions.php#L3109 https://github.com/Cacti/cacti/commit/adf221344359f5b02b8aed4 • CWE-502: Deserialization of Untrusted Data CWE-787: Out-of-bounds Write •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2013-7371
https://notcve.org/view.php?id=CVE-2013-7371
node-connects before 2.8.2 has cross site scripting in Sencha Labs Connect middleware (vulnerability due to incomplete fix for CVE-2013-7370) node-connects versiones anteriores a 2.8.2, presenta una vulnerabilidad de tipo cross site scripting en el middleware de Sencha Labs Connect (vulnerabilidad debido a una corrección incompleta para el CVE-2013-7370) • http://www.openwall.com/lists/oss-security/2014/04/21/2 http://www.openwall.com/lists/oss-security/2014/05/13/1 https://access.redhat.com/security/cve/cve-2013-7371 https://exchange.xforce.ibmcloud.com/vulnerabilities/92710 https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting https://security-tracker.debian.org/tracker/CVE-2013-7371 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2013-7370
https://notcve.org/view.php?id=CVE-2013-7370
node-connect before 2.8.1 has XSS in the Sencha Labs Connect middleware node-connect versiones anteriores a 2.8.1, presenta una vulnerabilidad de tipo XSS en el middleware Sencha Labs Connect. • http://www.openwall.com/lists/oss-security/2014/04/21/2 http://www.openwall.com/lists/oss-security/2014/05/13/1 https://access.redhat.com/security/cve/cve-2013-7370 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7370 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-7370 https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting https://security-tracker.debian.org/tracker/CVE-2013-7370 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •