[SECURITY] [DSA 4811-1] libxstream-java security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4811-1 [email protected]
https://www.debian.org/security/ Moritz Muehlenhoff
December 15, 2020 https://www.debian.org/security/faq
-...
Cross-Site Scripting bypass
Overview: All versions of html-purify are vulnerable to cross-site scripting. The data attribute inside object tags is not properly sanitized and allows JavaScript URIs, leading to script execution in the victim's browser.
Recommendation: No fix is currently available. Consider using an alternative package until a fix is...
@ist-group/skolid-client-components (>=0.7.0 <=0.10.2) potentially affected by unknown CVE via personnummer (=2.1.1)
personnummer NPM version =2.1.1 is affected by a known vulnerability. The following packages have a transitive dependency on personnummer and may be impacted:
- @ist-group/skolid-client-components >=0.7.0, <=0.10.2
Source cves: unknown CVE Source advisory: OSV:GHSA-VPGC-7H78-GX8F...
fleek-response (>=0.4.2 <=0.4.3), fleek-router (>=0.4.2 <=1.2.3) potentially affected by unknown CVE via swagger-injector (>=1.2.0 <=2.0.9)
swagger-injector NPM version >=1.2.0, <=2.0.9 is affected by a known vulnerability. The following packages have a transitive dependency on swagger-injector and may be impacted:
- fleek-response >=0.4.2, <=0.4.3
- fleek-router >=0.4.2, <=1.2.3
Source cves: unknown CVE Source advisory: OSV:GHSA-V4X8-GW49-7HV4...
fd-dcc (>=1.0.0 <=2.1.4), test_sdk_aki (>=1.0.3 <=1.0.4) +1 more potentially affected by unknown CVE via axioss (=0.0.1-security)
axioss NPM version =0.0.1-security is affected by a known vulnerability. The following packages have a transitive dependency on axioss and may be impacted:
- fd-dcc >=1.0.0, <=2.1.4
- test_sdk_aki >=1.0.3, <=1.0.4
- ... =1.0.0, =1.0.2
Source cves: unknown CVE Source advisory: OSV:GHSA-8W9J-6WG6-QV4F...
CVE-2017-1000219
| creationtimestamp | type | source |
|---|---|---|
| 2020-09-01 16:43:55+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-63m4-fhf2-cmf7... |
CVE-2016-1000249
| creationtimestamp | type | source |
|---|---|---|
| 2020-09-01 16:38:33+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-2r7f-4h2c-5x73... |
CVE-2016-5682
| creationtimestamp | type | source |
|---|---|---|
| 2020-09-01 15:30:58+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-p239-93f7-h6xf... |
CVE-2016-1000226
| creationtimestamp | type | source |
|---|---|---|
| 2020-09-01 15:28:45+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-7f59-x49p-v8mq... |
CVE-2016-3942
| creationtimestamp | type | source |
|---|---|---|
| 2020-09-01 15:24:24+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-r87w-47m8-22w3... |
CVE-2015-9239
| creationtimestamp | type | source |
|---|---|---|
| 2020-09-01 15:17:48+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-c2v2-7rcg-2ch7... |
CVE-2013-7379
| creationtimestamp | type | source |
|---|---|---|
| 2020-08-31 22:59:07+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-9vxc-g2jx-qj3p... |
CVE-2020-8912
| creationtimestamp | type | source |
|---|---|---|
| 2020-08-10 20:22:32+00:00 | published-proof-of-concept | https://github.com/google/security-research/security/advisories/GHSA-7f33-f4f5-xwgw... |
CVE-2020-15134
In Faye before version 1.4.0, there is a lack of certificate validation in TLS handshakes. Faye uses em-http-request and faye-websocket in the Ruby version of its client. Those libraries both use the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL i...
CVE-2020-15133
CVE-2020-15133 affects the faye-websocket library prior to 0.11.0. The issue is a lack of certificate verification in TLS handshakes: Faye::WebSocket::Client uses EM::Connection#start_tls for wss: connections and does not validate the server’s TLS certificate by default, enabling potential man-in...
CVE-2020-15133
In faye-websocket before version 0.11.0, there is a lack of certificate validation in TLS handshakes. The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not...
Information Exposure
Overview: Versions of auth0 before 2.27.1 use a block list of specific keys that should be sanitized from the request object contained in the error object. When a request to the Auth0 Management API fails, the key for the Authorization header is not sanitized, so the Authorization header value can be logg...
Sensitive Data Exposure
Overview: Affected versions of npm-registry-fetch are vulnerable to an information exposure vulnerability through log files. The package supports URLs like `<protocol>://<user>:<password>@<hostname>:<port>/<path>`. The password value is not redacted and is printed to stdout and also to any generated log files.
Recommendation: Upgrade to version...
XXE attack in Mapfish Print
Impact: A user can perform an XML External Entity (XXE) attack with the provided SLD style.
Patches: Use version >= 3.24
Workarounds: No
References: https://cwe.mitre.org/data/definitions/611.html https://github.com/mapfish/mapfish-print/pull/1397/commits/e1d0527d13db06b2b62ca7d6afb9e97dacd67a0e For more...