CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 2CVE-2020-27783 – python-lxml: mXSS due to the use of improper parser
https://notcve.org/view.php?id=CVE-2020-27783
A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. Se detectó una vulnerabilidad de tipo XSS en el módulo de limpieza de python-lxml. El analizador del módulo no imitaba apropiadamente los navegadores, lo que causaba comportamientos diferentes entre el sanitizador y la página del usuario. • https://advisory.checkmarx.net/advisory/CX-2020-4286 https://bugzilla.redhat.com/show_bug.cgi?id=1901633 https://lists.debian.org/debian-lts-announce/2020/12/msg00028.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK https://security.netapp.com/advisory/ntap-20210521-0003 https://www.debian.org/security/2020/dsa-481 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 54EXPL: 0CVE-2020-9490 – httpd: Push diary crash on specifically crafted HTTP/2 header
https://notcve.org/view.php?id=CVE-2020-9490
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers. Apache HTTP Server versiones 2.4.20 hasta 2.4.43.. Un valor especialmente diseñado para el encabezado "Cache-Digest" en una petición HTTP/2 resultaría en un bloqueo cuando el servidor realmente intenta un PUSH HTTP/2 un recurso mas tarde. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00068.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00071.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00081.html http://packetstormsecurity.com/files/160392/Apache-2.4.43-mod_http2-Memory-Corruption.html https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-9490 https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E https://lists& • CWE-400: Uncontrolled Resource Consumption CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0CVE-2020-1720 – postgresql: ALTER ... DEPENDS ON EXTENSION is missing authorization checks
https://notcve.org/view.php?id=CVE-2020-1720
A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17. Se detectó un fallo en "ALTER ... • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1720 https://www.postgresql.org/about/news/2011 https://access.redhat.com/security/cve/CVE-2020-1720 https://bugzilla.redhat.com/show_bug.cgi?id=1798852 • CWE-285: Improper Authorization CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 20EXPL: 1CVE-2019-15604 – nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string
https://notcve.org/view.php?id=CVE-2019-15604
Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate Una Comprobación Inapropiada del Certificado en Node.js versiones 10, 12 y 13, causa que el proceso se aborte cuando se envía un certificado X.509 diseñado. An encoding error flaw exists in the Node.js code that is used to read a peer certificate in the TLS client authentication. An attacker can use this flaw to crash the process used to handle TLS client authentication. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html https://access.redhat.com/errata/RHSA-2020:0573 https://access.redhat.com/errata/RHSA-2020:0579 https://access.redhat.com/errata/RHSA-2020:0597 https://access.redhat.com/errata/RHSA-2020:0598 https://access.redhat.com/errata/RHSA-2020:0602 https://hackerone.com/reports/746733 https://nodejs.org/en/blog/release/v10.19.0 https://nodejs.org/en/blog/release/v12.15.0 https://nodejs.org/en/b • CWE-172: Encoding Error CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 0%CPEs: 26EXPL: 0CVE-2019-15605 – nodejs: HTTP request smuggling using malformed Transfer-Encoding header
https://notcve.org/view.php?id=CVE-2019-15605
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed El tráfico no autorizado de peticiones HTTP en Node.js versiones 10, 12 y 13, causa la entrega maliciosa de la carga útil cuando la codificación de transferencia es malformada. A flaw was found in the Node.js code where a specially crafted HTTP(s) request sent to a Node.js server failed to properly process the HTTP(s) headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is deployed behind a proxy server that reuses connections. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html https://access.redhat.com/errata/RHSA-2020:0573 https://access.redhat.com/errata/RHSA-2020:0579 https://access.redhat.com/errata/RHSA-2020:0597 https://access.redhat.com/errata/RHSA-2020:0598 https://access.redhat.com/errata/RHSA-2020:0602 https://access.redhat.com/errata/RHSA-2020:0703 https://access.redhat.com/errata/RHSA-2020:0707 https://access.redhat.com/errata/RHSA-2020:0708 https://hackerone& • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •