Updated log4net packages fix security vulnerability

Updated log4net packages fix security vulnerability This patch fixes a security vulnerability reported by Karthik Balasundaram. The security vulnerability was found in the way how log4net parses xml configuration files where it allowed to process XML External Entity Processing. An attacker could...

OPENSUSE-SU-2020:0716-1 Security update for gcc9

This update includes the GNU Compiler Collection 9. This update ships the GCC 9.3 release. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgccs1, libstdc++6 and others are now built by the gcc 9 packages. T...

DEBIAN-CVE-2020-8035

The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting XSS vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL...

UBUNTU-CVE-2020-8035

The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting XSS vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL...

SQL Injection Vulnerability in Website Building System of Zonglian Information Technology Co.

Zonglian Technology customizes the official website for each enterprise, and establishes the website construction plan suitable for the enterprise according to the budget, design, industry and enterprise image. With the appropriate display, display effect, site framework, through the integration ...

Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2020-1365)

The version of java-1.7.0-openjdk installed on the remote host is prior to 1.7.0.261-2.6.22.1.83. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2020-1365 advisory. Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: Serialization...

Mail.ru: capsula.mail.ru - Admin blind stored XSS

Stored XSS in capsula.mail.ru admin interface via vector demonstrated in 873818. Хранимый xss в панели администратора на capsula.mail.ru через окно "оценки процесса покупки"...

CVE-2020-5408

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has...

CVE-2020-5408

CVE-2020-5408 (IBM) affects IBM Sterling Connect:Direct Web Services. A fixed null initialization vector in CBC mode for the queryable text encryptor may allow a dictionary attack to derive unencrypted values, exposing sensitive information. Remediation is via upgrading to supported fixes: IBM St...

Code injection

Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator...

Researcher Spots New Malware Claimed to be 'Tailored for Air‑Gapped Networks'

A cybersecurity researcher at ESET today published an analysis of a new piece of malware, a sample of which they spotted on the Virustotal malware scanning engine and believe the hacker behind it is likely interested in some high-value computers protected behind air‑gapped networks. Dubbed 'Ramsa...

keycloak: security issue on reset credential flow

A flaw was found in the reset credential flow in Keycloak. This flaw allows an attacker to gain unauthorized access to the application...

Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Apache Tomcat vulnerabilities.

Summary IBM WebSphere Cast Iron Solution & App Connect Professional has addressed the following vulnerabilities reported in Apache Tomcat. Vulnerability Details CVEID: CVE-2020-1938 DESCRIPTION: Apache Tomcat could allow a remote attacker to execute arbitrary code on the system, caused by a file...

Fedora: Security Advisory for community-mysql (FEDORA-2020-136dc82437)

The remote host is missing an update for the Copyright C 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

binutils security and bug fix update

2.30-73.0.1 - Forward-port of Oracle patches from 2.30-68.0.2. - Reviewed-by: Elena Zannoni 2.30-68.0.2 - Backport the non-cycle-detecting-capable deduplicating CTF linker - Backport a fix for an upstream hashtab crash no upstream bug number, triggered by the above. - Fix deduplication of...

containers/image: Container images read entire image manifest into memory

A malicious container image can consume an unbounded amount of memory when being pulled to a container runtime host, such as Red Hat Enterprise Linux using podman, or OpenShift Container Platform. An attacker can use this flaw to trick a user, with privileges to pull container images, into crashi...

CVE-2020-2897

Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Optimizer. Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful...

CVE-2020-10691

An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file with...

qt5-qtsvg: Invalid parsing of malformed url reference resulting in a denial of service

An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp...

CVE-2020-11763

An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp. Mitigation Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprisin...