405 matches found

Atlassian
added 2020/05/20 4:18 p.m., 68 views

XSS in branch name

Issue Summary. Advisory: Stored Cross-site scripting. Description: Short summary of the vulnerability. A stored cross-site scripting (XSS) vulnerability was discovered in the Commits section of the Bitbucket application. An attacker can create a branch and inject an XSS payload into th...

AI score 0.4
Exploits: 0, Affected Software: 1
OSV
added 2020/04/22 8:59 p.m., 24 views

GHSA-W8RC-PGXQ-X2CJ Negative charge in shopping cart in Shopizer

Impact: Using the API- or Controller-based versions, a negative quantity is not adequately validated, hence creating an incorrect shopping cart and order total. Patches: Adding a back-end verification to check that the quantity parameter isn't negative; if so, it is set to 1. Patched in 2.11.0. Workarounds: Without...

CVSS 6.5, AI score 6.4, EPSS 0.00852
Exploits: 0, References: 3
OSV
added 2020/04/09 10:15 p.m., 14 views

CVE-2020-8834

KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to pani...

CVSS 6.5, AI score 6.7
Exploits: 0, References: 5
Prion
added 2020/04/09 10:15 p.m., 21 views

Design/Logic Flaw

KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to pani...

CVSS 4.9, AI score 6.3, EPSS 0.00344
Exploits: 1, References: 5, Affected Software: 2
Cvelist
added 2020/04/09 10:10 p.m., 23 views

CVE-2020-8834 Linux kernel KVM Power8 conflicting use of HSTATE_HOST_R1

KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to pani...

CVSS 6.5, AI score 6.8, EPSS 0.00344
Exploits: 1, References: 5
Debian CVE
added 2020/04/09 10:10 p.m., 29 views

CVE-2020-8834

KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to pani...

CVSS 6.5, AI score 5, EPSS 0.00344
Exploits: 1
Prion
added 2020/01/05 10:15 p.m., 16 views

Design/Logic Flaw

GitLab EE 12.3 through 12.5, 12.4.3, and 12.3.6 allows Denial of Service. Certain characters were making it impossible to create, edit, or view issues and commits...

CVSS 5, AI score 7.5, EPSS 0.01464
Exploits: 0, References: 3, Affected Software: 1
NVD
added 2019/12/18 9:15 p.m., 22 views

CVE-2019-5487

An improper access control vulnerability exists in GitLab EE v12.3.3, v12.2.7, and v12.1.13 that allowed the group search feature with Elasticsearch to return private code, merge requests and commits...

CVSS 5.3, AI score 5.2, EPSS 0.01392
Exploits: 1, References: 1
CVE
added 2019/12/18 9:00 p.m., 69 views

CVE-2019-5487

The CVE-2019-5487 entry concerns an improper access control in GitLab Enterprise Edition (GitLab EE) prior to v12.3.3, v12.2.7, and v12.1.13. The vulnerability arises in the group search feature when used with Elasticsearch, allowing leakage of private data (private code, merge requests, commits)...

CVSS 5.3, AI score 5.1, EPSS 0.01392
Exploits: 1, References: 1, Affected Software: 1
RedhatCVE
added 2019/10/07 2:28 p.m., 30 views

CVE-2017-1000115

A vulnerability was found in the way Mercurial handles path auditing and caches the results. An attacker could abuse a repository with a series of commits mixing symlinks and regular files/directories to trick Mercurial into writing outside of a given repository...

CVSS 7.5, AI score 2.5, EPSS 0.0384
Exploits: 1, References: 2
RedhatCVE
added 2019/10/04 9:57 p.m., 17 views

CVE-2008-1290

ViewVC before 1.0.5 includes "all-forbidden" files within search results that list CVS or Subversion (SVN) commits, which allows remote attackers to obtain sensitive information...

CVSS 4.3, AI score 6.7, EPSS 0.0137
Exploits: 0, References: 3
OSV
added 2019/09/11 9:15 p.m., 3 views

CVE-2019-10073

The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are weak to Stored XSS attacks. Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16.11: 1858438, 1858543, 1860595 and 1860616...

CVSS 6.1, AI score 5.8, EPSS 0.05046
Exploits: 0, References: 3
NVD
added 2019/09/11 9:15 p.m., 27 views

CVE-2018-17200

The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the serviceContent parameter in the request and deserializes it using XStream. This XStream instance is slightly guard...

CVSS 9.8, AI score 9.5, EPSS 0.05027
Exploits: 0, References: 5
Prion
added 2019/09/11 9:15 p.m., 20 views

Cross site scripting

The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are weak to Stored XSS attacks. Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16.11: 1858438, 1858543, 1860595 and 1860616...

CVSS 4.3, AI score 5.9, EPSS 0.05046
Exploits: 0, References: 3, Affected Software: 1
OPENSUSE Linux
added 2019/08/18 12:00 a.m., 134 views

Security update for zypper, libzypp and libsolv (moderate)

openSUSE Security Update: Security update for zypper, libzypp and libsolv. Announcement ID: openSUSE-SU-2019:1927-1. Rating: moderate. References: 1047962 1049826 1053177 1065022 1099019 1102261 1110542 1111319 1112911 1113296 1114908 1115341 1116840 1118758 1119373 1119820 1119873 1120263 1120463...

CVSS 6.5, AI score 6.5, EPSS 0.0233
Exploits: 3, References: 44
Atlassian
added 2019/08/06 3:04 p.m., 36 views

Bitbucket sends email notifications to unlicensed users for pushed commits in a repository

Issue Summary: An unlicensed user will continue to receive email notifications for pushed commits for repositories that the user was watching and receiving notifications for when active. Steps to Reproduce: User1 enables repository email notifications to be sent immediately. User1 watches...

AI score 1.6
Exploits: 0, Affected Software: 1
Atlassian
added 2019/08/06 3:04 p.m., 18 views

Bitbucket sends email notifications to unlicensed users for pushed commits in a repository

Issue Summary: An unlicensed user will continue to receive email notifications for pushed commits for repositories that the user was watching and receiving notifications for when active. Steps to Reproduce: User1 enables repository email notifications to be sent immediately. User1 watches...

AI score 1.6
Exploits: 0
Debian CVE
added 2019/06/18 11:34 p.m., 33 views

CVE-2019-11479

Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kerne...

CVSS 7.5, AI score 6.7, EPSS 0.9166
Exploits: 1
Github Security Blog
added 2019/05/14 4:02 a.m., 655 views

Server Side Request Forgery in Apache Axis

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits continue in the project's Axis 1.x Subversion repository; legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2...

CVSS 7.5, AI score 3.9, EPSS 0.86503
Exploits: 7, References: 17, Affected Software: 2
Debian CVE
added 2019/05/01 8:03 p.m., 60 views

CVE-2019-0227

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits continue in the project's Axis 1.x Subversion repository; legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2...

CVSS 7.5, AI score 6.4, EPSS 0.86503
Exploits: 7