Security update for python3 (important)
openSUSE Security Update: Security update for python3 Announcement ID: openSUSE-SU-2020:2333-1 Rating: important References: 1155094 1174091 1174571 1174701 1177211 1178009 1179193 1179630 Cross-References: CVE-2019-16935 CVE-2019-18348 CVE-2019-20907 CVE-2019-5010 CVE-2020-14422 CVE-2020-26116...
SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:3930-1)
This update for python3 fixes the following issues : Fixed CVE-2020-27619 bsc1178009, where Lib/test/multibytecodec_support calls eval on content retrieved via HTTP. Change setuptools and pip version numbers according to new wheels Handful of changes to make python36 compatible with SLE15 and SLE1...
CVE-2020-29364
In NetArt News Lister 1.0.0, the news headlines are vulnerable to stored XSS attacks. Attackers can inject code into news titles...
GitHub Security Lab: Java: CWE-749 Unsafe resource loading in Android WebView leaking to injection attacks
This bug was reported directly to GitHub Security Lab...
Command Injection
KildClient is vulnerable to command injection. Lack of validation of strings before launching the program specified by the BROWSER environment variable allows remote attackers to conduct argument-injection attacks via a malicious URL...
Kaspersky: [Fixed] KIS for macOS is vulnerable to AV bypass due to improper client authorization on XPC service
Note! Thank you for your report. For the purposes of further analysis of the vulnerability that you kindly reported to us, could you please fill in all fields in square brackets. This information will help us respond to you more quickly and triage your report. Thanks a lot for your assistance...
Ubuntu 16.04 LTS / 18.04 LTS : Squid regression (USN-4446-2)
The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-4446-2 advisory. USN-4446-1 fixed vulnerabilities in Squid. The update introduced a regression when using Squid with the icap or ecap protocols. This update fixes the...
CVE-2020-7694
This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ANSI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request craft...
Server Side Template Injection Payloads
Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template...
Security Bulletin: Log Analysis is vulnerable to Injection Attacks
Summary: Operating system commands can be included in user input as parameters and executed on the system, which leads to injection attacks. Vulnerability Details: Third Party Entry: PSIRT-ADV0018499 DESCRIPTION: Created from Advisory: ADV0018499 CVSS Base score: 8.4 CVSS Vector:...
CVE-2019-12416
We got reports of 2 injection attacks against the DeltaSpike windowhandler.js. This is only active if a developer selected the ClientSideWindowStrategy, which is not the default...
Design/Logic Flaw
We got reports of 2 injection attacks against the DeltaSpike windowhandler.js. This is only active if a developer selected the ClientSideWindowStrategy, which is not the default...
CVE-2019-12416
CVE-2019-12416 concerns two reported injection attacks against DeltaSpike’s windowhandler.js, active only when the ClientSideWindowStrategy is explicitly selected (not the default). The connected Red Hat and OSV/GHSA entries repeat this description and confirm the issue is tied to DeltaSpike, wit...
CVE-2020-5249
In Puma RubyGem before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is...
Ubuntu 18.04 LTS : Django vulnerability (USN-4264-1)
The remote Ubuntu 18.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-4264-1 advisory. Simon Charette discovered that Django incorrectly handled input in the PostgreSQL module. A remote attacker could possibly use this to perform SQL injection...
Critical Flaws in Magento e-Commerce Platform Allow Code-Execution
Critical vulnerabilities in Adobe’s Magento e-commerce platform – a favorite target of the Magecart cybergang – could lead to arbitrary code execution. Adobe issued patches on Tuesday as part of its overall release of the Magento 2.3.4 upgrade, giving the fixes a “priority 2” rating. In Adobe...
PSF-2019-16 Email header injection in Address objects
It is possible to inject email headers using CR or LF characters. The fix disallows CR and LF characters in email.headerregistry.Address arguments to guard against header injection attacks...
Design/Logic Flaw
An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 devices. Because of the lack of proper encryption of 2.4 GHz communication, they are prone to keystroke injection attacks...