CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2019-10179 – pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab
https://notcve.org/view.php?id=CVE-2019-10179
A vulnerability was found in all pki-core 10.x.x versions, where the Key Recovery Authority (KRA) Agent Service did not properly sanitize recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability. An attacker could trick an authenticated victim into executing specially crafted Javascript code. Se detectó una vulnerabilidad en todas las versiones de pki-core 10.x.x, donde el Key Recovery Authority (KRA) Agent Service no saneó apropiadamente la página de búsqueda de petición de recuperación, permitiendo una vulnerabilidad de tipo Cross Site Scripting (XSS) Reflejado. Un atacante podría engañar a una víctima autenticada para que ejecute un código Javascript especialmente diseñado. It was found that the Key Recovery Authority (KRA) Agent Service did not properly sanitize recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10179 https://access.redhat.com/security/cve/CVE-2019-10179 https://bugzilla.redhat.com/show_bug.cgi?id=1695901 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2019-10221 – pki-core: Reflected XSS in getcookies?url= endpoint in CA
https://notcve.org/view.php?id=CVE-2019-10221
A Reflected Cross Site Scripting vulnerability was found in all pki-core 10.x.x versions, where the pki-ca module from the pki-core server. This flaw is caused by missing sanitization of the GET URL parameters. An attacker could abuse this flaw to trick an authenticated user into clicking a specially crafted link which can execute arbitrary code when viewed in a browser. Se detectó una vulnerabilidad de tipo Cross Site Scripting Reflejado en todas las versiones de pki-core 10.x.x, en el módulo pki-ca del servidor pki-core. Este fallo es debido a la falta de saneamiento de los parámetros GET URL. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10221 https://access.redhat.com/security/cve/CVE-2019-10221 https://bugzilla.redhat.com/show_bug.cgi?id=1732565 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.7EPSS: 0%CPEs: 2EXPL: 0CVE-2019-10146 – pki-core: Reflected XSS in 'path length' constraint field in CA's Agent page
https://notcve.org/view.php?id=CVE-2019-10146
A Reflected Cross Site Scripting flaw was found in all pki-core 10.x.x versions module from the pki-core server due to the CA Agent Service not properly sanitizing the certificate request page. An attacker could inject a specially crafted value that will be executed on the victim's browser. Se detectó un fallo de tipo Cross Site Scripting Reflejado en todos los módulos pki-core versiones 10.x.x del servidor pki-core debido a que el CA Agent Service no sanea apropiadamente la página de petición de certificado. Un atacante podría inyectar un valor especialmente diseñado que será ejecutado en el navegador de la víctima. A Reflected Cross Site Scripting flaw was found in the pki-ca module from the pki-core server due to the CA Agent Service not properly sanitizing the certificate request page. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10146 https://access.redhat.com/security/cve/CVE-2019-10146 https://bugzilla.redhat.com/show_bug.cgi?id=1710171 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-2732 – Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources
https://notcve.org/view.php?id=CVE-2020-2732
A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest. Se detectó un fallo en la manera en que el hipervisor de KVM manejó la emulación de instrucciones para un invitado L2 cuando la virtualización anidada está habilitada. En algunas circunstancias, un invitado L2 puede engañar al invitado L0 para que acceda a recursos L1 confidenciales que deberían estar inaccesibles para el invitado L2. A flaw was found in the way KVM hypervisor handled instruction emulation for the L2 guest when nested(=1) virtualization is enabled. • https://bugzilla.redhat.com/show_bug.cgi?id=1805135 https://git.kernel.org/linus/07721feee46b4b248402133228235318199b05ec https://git.kernel.org/linus/35a571346a94fb93b5b3b6a599675ef3384bc75c https://git.kernel.org/linus/e71237d3ff1abf9f3388337cfebf53b96df2020d https://linux.oracle.com/errata/ELSA-2020-5540.html https://linux.oracle.com/errata/ELSA-2020-5542.html https://linux.oracle.com/errata/ELSA-2020-5543.html https://lists.debian.org/debian-lts-announce/2020/06/msg00011.html https://lists.debian.org/debian • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 10EXPL: 0CVE-2020-3864 – webkitgtk: Non-unique security origin for DOM object contexts
https://notcve.org/view.php?id=CVE-2020-3864
A logic issue was addressed with improved validation. This issue is fixed in iCloud for Windows 7.17, iTunes 12.10.4 for Windows, iCloud for Windows 10.9.2, tvOS 13.3.1, Safari 13.0.5, iOS 13.3.1 and iPadOS 13.3.1. A DOM object context may not have had a unique security origin. Se abordó un problema lógico con una comprobación mejorada. Este problema se corrigió en iCloud para Windows versión 7.17, iTunes versión 12.10.4 para Windows, iCloud para Windows versión 10.9.2, tvOS versión 13.3.1, Safari versión 13.0.5, iOS versión 13.3.1 y iPadOS versión 13.3.1. • https://support.apple.com/en-us/HT210918 https://support.apple.com/en-us/HT210920 https://support.apple.com/en-us/HT210922 https://support.apple.com/en-us/HT210923 https://support.apple.com/en-us/HT210947 https://support.apple.com/en-us/HT210948 https://access.redhat.com/security/cve/CVE-2020-3864 https://bugzilla.redhat.com/show_bug.cgi?id=1876518 • CWE-346: Origin Validation Error •