DEBIAN-CVE-2020-7788

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context...

AZL-45153 CVE-2020-7788 affecting package nodejs-nodemon 2.0.3-5

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context...

GHSA-QQGX-2P2H-9C37 ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse

Overview The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context. Patch...

DEBIAN-CVE-2020-27756

In ParseMetaGeometry of MagickCore/geometry.c, image height and width calculations can lead to divide-by-zero conditions which also lead to undefined behavior. This flaw can be triggered by a crafted input file processed by ImageMagick and could impact application availability. The patch uses...

UBUNTU-CVE-2020-27756

In ParseMetaGeometry of MagickCore/geometry.c, image height and width calculations can lead to divide-by-zero conditions which also lead to undefined behavior. This flaw can be triggered by a crafted input file processed by ImageMagick and could impact application availability. The patch uses...

Regular Expression Denial of Service

Overview fast-csv and @fast-csv/parse before version 4.3.6 has a possible ReDoS vulnerability Regular Expression Denial of Service when using ignoreEmpty option when parsing. Impact You will only be affected by this if you use the ignoreEmpty parsing option. If you do use this option it is...

@here/cli (>=1.5.0 <=1.6.1), @node-amazon/mws (>=0.0.2 <=0.0.3) +10 more potentially affected by CVE-2020-26256 via @fast-csv/parse (>=4.1.4 <=4.3.3)

@fast-csv/parse NPM version =4.1.4, =1.5.0, =0.0.2, =2.1.0, =1.0.0, =1.2.127, =1.2.135, =1.2.111, =6.42.0, =4.1.4, =0.0.1, =0.0.6 Source cves: CVE-2020-26256 Source advisory: OSV:GHSA-8CV5-P934-3HWP...

Prototype Pollution

Overview ini is an An ini encoder/decoder for node Affected versions of this package are vulnerable to Prototype Pollution. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited furthe...

Use-After-Free

sqlite3 is vulnerable to use-after-free. The vulnerability exists in resetAccumulator in select.c due to the parse tree rewrite for window functions is too late...

Cross-Site Scripting (XSS)

MediaWiki is vulnerable to cross-site scripting. An attacker is able to inject and execute arbitrary Javascript in a user's browser by creating a message with javascript:payload xss as a jQuery object with mw.message.parse...

CVE-2020-25814

In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with javascript:payload xss and turns it into a jQuery object with mw.message.parse. The expected result is that the jQuery object does not contain an tag or it doe...

CVE-2020-25828

An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. The non-jqueryMsg version of mw.message.parse doesn't escape HTML. This affects both message contents which are generally safe and the parameters which can be based on user input. When jqueryMsg is loaded...

c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions 15.2.1, 14.15.1, and 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and...

Gitea Security Vulnerabilities

Gitea is a lightweight Go-based git service developed by the Gitea community. A security vulnerability exists in Gitea versions 0.9.99 through 1.12.x series prior to 1.12.6, which stems from will not prevent the git protocol path from specifying a TCP port number and also contains line breaks wit...

Buffer overflow

u'Buffer over read can happen while parsing mkv clip due to improper typecasting of data returned from atomsize' in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8009W,...

kernel: A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c allows for a DoS

A flaw was found in the way the predicateparse function in the tracing subsystem of the Linux kernel handled resource cleanup on error. This flaw allows an attacker with the ability to produce the error to crash the system...

kernel: A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c allows for a DoS

A flaw was found in the way the predicateparse function in the tracing subsystem of the Linux kernel handled resource cleanup on error. This flaw allows an attacker with the ability to produce the error to crash the system...

new module: perl:5.30

An update is available for perl-Pod-Perldoc, perl-DBI, perl-Pod-Escapes, perl-Devel-PPPort, perl-Pod-Usage, perl-Sub-Exporter, perl-perlfaq, perl-Object-HashBase, perl-CPAN-Meta-YAML, perl-Digest, perl-podlators, perl-bignum, perl-Text-ParseWords, perl-Text-Template, perl-DBD-MySQL, perl-Text-Glo...

GHSA-2XM2-XJ2Q-QGPJ receiving subscription objects with deleted session

Original Message: Hi, I create objects with one client with an ACL of all users with a specific column value. Thats working so far. Then I deleted the session object from one user to look if he can receive subscription objects and he can receive them. The client with the deleted session cant crea...

receiving subscription objects with deleted session

Original Message: Hi, I create objects with one client with an ACL of all users with a specific column value. Thats working so far. Then I deleted the session object from one user to look if he can receive subscription objects and he can receive them. The client with the deleted session cant crea...