
6680 matches found

OSV
added 2021/05/11 7:44 a.m., 8 views

SUSE-SU-2021:1554-1 Security update for java-11-openjdk

This update for java-11-openjdk fixes the following issues: - Update to upstream tag jdk-11.0.11+9 April 2021 CPU CVE-2021-2163: Fixed incomplete enforcement of JAR signing disabled algorithms bsc1185055 CVE-2021-2161: Fixed incorrect handling of partially quoted arguments in ProcessBuilder...

CVSS 5.9, AI score 6, EPSS 0.03566
Exploits 0, References 6
Prion
added 2021/05/10 8:15 p.m., 12 views

Cross site scripting

An out-of-bounds write vulnerability exists in the importstl.cc:importstl functionality of Openscad openscad-2020.12-RC2. A specially crafted STL file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability...

CVSS 6.8, AI score 7.7, EPSS 0.01274
Exploits 1, References 1, Affected Software 1
NVD
added 2021/05/10 3:15 p.m., 17 views

CVE-2021-23012

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation for items used in the system support functionality may allow users granted either "Resource Administrator" or "Administrator" roles to execute arbitrary bash...

CVSS 8.2, EPSS 0.00273
Exploits 0, References 1
Mozilla
added 2021/05/06 12:00 a.m., 25 views

Insecure Proxy Configuration in Hubs Cloud Reticulum — Mozilla

Proxy functionality built into Hubs Cloud’s Reticulum software allowed access to internal URLs, including the metadata service...

CVSS 9.8, AI score 1.9, EPSS 0.00643
Exploits 1, References 2
OSV
added 2021/05/05 7:15 p.m., 27 views

CVE-2021-31411

Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 Vaadin 14.0.3 through Vaadin 14.5.2, 3.0 prior to 6.0 Vaadin 15 prior to 19, and 6.0.0 through 6.0.5 Vaadin 19.0.0 through 19.0.4 allows local users to inject malicious code...

CVSS 7.8, AI score 7.5, EPSS 0.00231
Exploits 0, References 2
CVE
added 2021/05/05 6:15 p.m., 102 views

CVE-2021-31411

The CVE-2021-31411 issue affects com.vaadin:flow-server in these ranges: 2.0.9–2.5.2 (Vaadin 14.0.3–14.5.2), 3.0 before 6.0 (Vaadin 15 before 19), and 6.0.0–6.0.5 (Vaadin 19.0.0–19.0.4). Its root cause is insecure temporary directory usage during frontend rebuilds, allowing local users to inject ...

CVSS 7.8, AI score 6.6, EPSS 0.00231
Exploits 0, References 2, Affected Software 2
Fedora
added 2021/05/05 12:54 a.m., 29 views

[SECURITY] Fedora 33 Update: libtpms-0.8.2-0.20210426git729fc6a4ca.fc33

A library providing TPM functionality for VMs. Targeted for integration into Qemu...

CVSS 5.5, AI score 3.4, EPSS 0.00404
Exploits 1
Prion
added 2021/05/03 9:15 p.m., 9 views

Authentication flaw

An issue was discovered on Libre Wireless LS9 LS1.5/p7040 devices. There is an Authentication Bypass in the Web Interface. This interface does not properly restrict access to internal functionality. Despite presenting a password login page on first access, authentication is not required to access...

CVSS 7.5, AI score 9.5, EPSS 0.01573
Exploits 1, References 1, Affected Software 1
Prion
added 2021/04/29 3:15 p.m., 16 views

Server side request forgery (ssrf)

An Unauthenticated Server-Side Request Forgery SSRF vulnerability exists in Inim Electronics Smartliving SmartLAN/G/SI =6.x within the GetImage functionality. The application parses user supplied data in the GET parameter 'host' to construct an image request to the service through onvif.cgi. Sinc...

CVSS 5, AI score 7.5, EPSS 0.01352
Exploits 1, References 2
OSV
added 2021/04/28 9:15 p.m., 14 views

CVE-2020-22782

Etherpad 1.8.3 is affected by a denial of service in the import functionality. Upload of binary file to the import endpoint would crash the instance...

CVSS 7.5, AI score 6.7
Exploits 0, References 1
NVD
added 2021/04/28 9:15 p.m., 10 views

CVE-2020-22782

Etherpad 1.8.3 is affected by a denial of service in the import functionality. Upload of binary file to the import endpoint would crash the instance...

CVSS 7.5, EPSS 0.01071
Exploits 1, References 1
Prion
added 2021/04/28 9:15 p.m., 11 views

Design/Logic Flaw

Etherpad 1.8.3 is affected by a denial of service in the import functionality. Upload of binary file to the import endpoint would crash the instance...

CVSS 5, AI score 7.3, EPSS 0.01071
Exploits 1, References 1, Affected Software 1
Cvelist
added 2021/04/28 8:23 p.m., 11 views

CVE-2020-22782

Etherpad 1.8.3 is affected by a denial of service in the import functionality. Upload of binary file to the import endpoint would crash the instance...

AI score 7.3, EPSS 0.01071
Exploits 1, References 1
OSV
added 2021/04/28 8:15 a.m., 2 views

CVE-2021-27648

Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors...

CVSS 8.8, AI score 5.8, EPSS 0.02843
Exploits 0, References 1
NVD
added 2021/04/28 8:15 a.m., 11 views

CVE-2021-27648

Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors...

CVSS 9, EPSS 0.02843
Exploits 0, References 1
Prion
added 2021/04/28 8:15 a.m., 16 views

Design/Logic Flaw

Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors...

CVSS 6.5, AI score 8.1, EPSS 0.02843
Exploits 0, References 1, Affected Software 1
Cvelist
added 2021/04/28 7:25 a.m., 17 views

CVE-2021-27648

Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors...

CVSS 9, AI score 8.7, EPSS 0.02843
Exploits 0, References 1
Debian CVE
added 2021/04/28 2:21 a.m., 78 views

CVE-2020-36326

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in...

CVSS 9.8, AI score 7.7, EPSS 0.03095
Exploits 0
Github Security Blog
added 2021/04/22 4:15 p.m., 72 views

Remote Code Execution and download tracking in Mintegral SDK

"This affects all versions of package com.mintegral.msdk:alphab. The Android SDK distributed by the company contains malicious functionality in this module that tracks: 1. Downloads from Google urls either within Google apps or via browser including file downloads, e-mail attachments and Google...

CVSS 4.7, AI score 5.1, EPSS 0.00847
Exploits 0, References 5, Affected Software 1
Github Security Blog
added 2021/04/20 4:39 p.m., 66 views

py vulnerable to Regular Expression Denial of Service

A denial of service via regular expression in the py.path.svnwc component of py aka python-py through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality...

CVSS 7.5, AI score 7.2, EPSS 0.04607
Exploits 0, References 12, Affected Software 1