CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2020-16116
https://notcve.org/view.php?id=CVE-2020-16116
In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal. En el archivo kerfuffle/jobs.cpp en KDE Ark versiones anteriores a 20.08.0, un archivo diseñado puede instalar archivos fuera del directorio de extracción por medio de un salto de directorio de ../ • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00023.html https://github.com/KDE/ark/commits/master https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f https://kde.org/info/security/advisory-20200730-1.txt https://lists.debian.org/debian-lts-announce/2022/05/msg00026.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PMVXSQNCBILVSJLX32ODNU6KUY2X7HRM https://lists.fedoraproject.org/archives/list/package-announce%40lists&# • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2020-15900
https://notcve.org/view.php?id=CVE-2020-15900
A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The 'rsearch' calculation for the 'post' size resulted in a size that was too large, and could underflow to max uint32_t. This was fixed in commit 5d499272b95a6b890a1397e11d20937de000d31b. Se encontró un problema de corrupción de memoria en Artifex Ghostscript versiones 9.50 y 9.52. • http://git.ghostscript.com/?p=ghostpdl.git%3Ba=log http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00006.html https://artifex.com/security-advisories/CVE-2020-15900 https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=5d499272b95a6b890a1397e11d20937de000d31b https://github.com/ArtifexSoftware/ghostpdl/commit/5d499272b95a6b890a1397e11d20937de000d31b https://github.com/ArtifexSoftware/ghostpdl/commits/master/psi/zstring.c https: • CWE-191: Integer Underflow (Wrap or Wraparound) CWE-787: Out-of-bounds Write •
CVSS: 3.5EPSS: 0%CPEs: 7EXPL: 0CVE-2020-15103 – Integer Overflow in FreeRDP
https://notcve.org/view.php?id=CVE-2020-15103
In FreeRDP less than or equal to 2.1.2, an integer overflow exists due to missing input sanitation in rdpegfx channel. All FreeRDP clients are affected. The input rectangles from the server are not checked against local surface coordinates and blindly accepted. A malicious server can send data that will crash the client later on (invalid length arguments to a `memcpy`) This has been fixed in 2.2.0. As a workaround, stop using command line arguments /gfx, /gfx-h264 and /network:auto En FreeRDP versiones anteriores o igual a 2.1.2, se presenta un desbordamiento de enteros debido a una falta de saneamiento de entrada en el canal rdpegfx. • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00010.html https://github.com/FreeRDP/FreeRDP/blob/616af2d5b86dc24c7b3e89870dbcffd841d9a535/ChangeLog#L4 https://github.com/FreeRDP/FreeRDP/pull/6382 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4r38-6hq7-j3j9 https://lists.debian.org/debian-lts-announce/2023/10/msg00008.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y35HBHG2INICLSGCIKNAR7GCXEHQACQ https://lists.fedoraproject.org/archives/list&#x • CWE-122: Heap-based Buffer Overflow CWE-190: Integer Overflow or Wraparound CWE-680: Integer Overflow to Buffer Overflow •
CVSS: 9.8EPSS: 1%CPEs: 7EXPL: 0CVE-2020-15917
https://notcve.org/view.php?id=CVE-2020-15917
common/session.c in Claws Mail before 3.17.6 has a protocol violation because suffix data after STARTTLS is mishandled. El archivo common/session.c en Claws Mail versiones anteriores a 3.17.6, presenta una violación de protocolo porque los datos del sufijo después de STARTTLS son manejados inapropiadamente • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00090.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00060.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00051.html http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00013.html https://git.claws-mail.org/?p=claws.git%3Ba=blob%3Bf=RELEASE_NOTES https://git.claws-mail.org/?p=claws.git%3Ba=commit% •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2020-6535 – chromium-browser: Insufficient data validation in WebUI
https://notcve.org/view.php?id=CVE-2020-6535
Insufficient data validation in WebUI in Google Chrome prior to 84.0.4147.89 allowed a remote attacker who had compromised the renderer process to inject scripts or HTML into a privileged page via a crafted HTML page. Una comprobación de datos insuficiente en WebUI en Google Chrome versiones anteriores a 84.0.4147.89, permitió a un atacante remoto que había comprometido el proceso del renderizador inyectar scripts o HTML hacia una página privilegiada por medio de una página HTML diseñada • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00069.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00007.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00018.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00041.html https://chromereleases.googleblog.com/2020/07/stable-channel-update-for-desktop.html https://crbug.com/1073409 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTRPPTKZ2RKVH • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •