
CVSS: 9.3 | EPSS: 0% | CPEs: 4 | EXPL: 2

A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can, for example, add a new admin user to gain full access to the application.

http://packetstormsecurity.com/files/155630/DAViCal-CalDAV-Server-1.1.8-Reflective-Cross-Site-Scripting.html
https://gitlab.com/davical-project/davical/blob/master/ChangeLog
https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability
https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html
https://seclists.org/bugtraq/2019/Dec/30
https://wiki.davical.org/index.php/Main_Page
https://www.davical.org
https://www.debian.org/security/2019/dsa-4582

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 32 | EXPL: 0

Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html
https://access.redhat.com/errata/RHSA-2019:4238
https://access.redhat.com/errata/RHSA-2020:0227
https://access.redhat.com/errata/RHSA-2020:0229
https://access.redhat.com/errata/RHSA-2020:0273
https://access.redhat.com/errata/RHSA-2020:0451
https://access.redhat.com/errata/RHSA-2020:0463
https://access.redhat.com/errata/RHSA-2020:0

CWE-787: Out-of-bounds Write

CVSS: 9.8 | EPSS: 1% | CPEs: 5 | EXPL: 0

lib/libc/stdlib/random.c in OpenBSD returns 0 when seeded with 0.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/random.c#rev1.16
http://www.openwall.com/lists/oss-security/2012/03/23/14
https://github.com/ensc/dietlibc/blob/master/CHANGES
https://security-tracker.debian.org/tracker/CVE-2012-1577

CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

CVSS: 6.1 | EPSS: 1% | CPEs: 4 | EXPL: 0

yaws before 2.0.4 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

http://www.openwall.com/lists/oss-security/2016/07/18/6
https://github.com/klacke/yaws/commit/9d8fb070e782c95821c90d0ca7372fc6d7316c78#diff-54053c47eb173a90c26ed19bd9d106c1
https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000108.json
https://security-tracker.debian.org/tracker/CVE-2016-1000108

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 7.8 | EPSS: 0% | CPEs: 2 | EXPL: 1

kde-workspace before 4.10.5 has a memory leak in plasma desktop.

http://lists.opensuse.org/opensuse-updates/2013-08/msg00002.html
http://www.openwall.com/lists/oss-security/2013/07/16/4
http://www.securityfocus.com/bid/61201
https://access.redhat.com/security/cve/cve-2013-4133
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4133
https://exchange.xforce.ibmcloud.com/vulnerabilities/85797
https://security-tracker.debian.org/tracker/CVE-2013-4133

CWE-404: Improper Resource Shutdown or Release