cacti -- SQL Injection was possible due to incorrect validation order
Cacti team reports: Due to a lack of validation, data_debug.php can be the source of a SQL injection...
phpmyfaq -- XSS vulnerability
phpmyfaq developers report: phpMyFAQ does not implement sufficient checks to avoid XSS injection for displaying tags...
ImageMagick6 -- multiple vulnerabilities
CVE reports: Several vulnerabilities have been discovered in ImageMagick: CVE-2021-20309: A flaw was found in ImageMagick in versions before 6.9.12, where a division by zero in WaveImage of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an...
vault -- User Enumeration via LDAP auth
Vault developers report: Vault allowed enumeration of users via the LDAP auth method. This vulnerability was fixed in Vault 1.6.1 and 1.5.6. An external party reported that they were able to enumerate LDAP users via error messages returned by Vault's LDAP auth method...
gitea -- multiple vulnerabilities
The Gitea Team reports for release 1.13.1: Hide private participation in Orgs; Fix escaping issue in diff...
p11-kit -- Multiple vulnerabilities
The p11-glue project reports: CVE-2020-29363: Out-of-bounds write in p11_rpc_buffer_get_byte_array_value function. A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in...
postsrsd -- Denial of service vulnerability
postsrsd developer reports: PostSRSd could be tricked into consuming a lot of CPU time with an SRS address that has an excessively long time stamp tag...
phpldapadmin -- XSS vulnerability
[email protected] reports: An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php...
py-matrix-synapse -- DoS on Federation API
Matrix developers report: A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a /send_join, /send_leave, /invite or /exchange_third_party_invite request. This can lead to a denial of service in which future events will...
cURL -- Multiple vulnerabilities
The cURL project reports: Trusting FTP PASV responses (CVE-2020-8284); FTP wildcard stack overflow (CVE-2020-8285); Inferior OCSP verification (CVE-2020-8286)...
OpenSSL -- NULL pointer de-reference
The OpenSSL project reports: EDIPARTYNAME NULL pointer de-reference (High). The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a...
jasper -- heap overflow vulnerability
JasPer NEWS: Fix CVE-2020-27828, heap-overflow in cp_create in jpc_enc.c...
LibreSSL -- NULL pointer dereference
The LibreSSL project reports: Malformed ASN.1 in a certificate revocation list or a timestamp response token can lead to a NULL pointer dereference...
Gitlab -- Multiple vulnerabilities
Gitlab reports: XSS in Zoom Meeting URL; Limited Information Disclosure in Private Profile; User email exposed via GraphQL endpoint; Group and project membership potentially exposed via GraphQL; Search terms logged in search parameter in rails logs; Un-authorised access to feature flag user list; A...
asterisk -- Remote crash in res_pjsip_diversion
The Asterisk project reports: AST-2020-003: A crash can occur in Asterisk when a SIP message is received that has a History-Info header, which contains a tel-uri. AST-2020-004: A crash can occur in Asterisk when a SIP 181 response is received that has a Diversion header, which contains a tel-uri...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 8 security fixes, including: 1142331 High CVE-2020-16037: Use after free in clipboard. Reported by Ryoya Tsukasaki on 2020-10-26; 1138683 High CVE-2020-16038: Use after free in media. Reported by Khalil Zhani on 2020-10-14; 1149177 High CVE-2020-16039:...
Unbound/NSD -- Denial of service vulnerability
NLNetLabs reports: Unbound and NSD, when writing the PID file, would not check if an existing file was a symlink. This could allow for a local symlink attack if an attacker has access to the user Unbound/NSD runs as...
gitea -- multiple vulnerabilities
The Gitea Team reports for release 1.13.0: Add Allow-/Block-List for Migrate and Mirrors; Prevent git operations for inactive users; Disallow urlencoded new lines in git protocol paths if there is a port; Mitigate Security vulnerability in the git hook feature; Disable DSA ssh keys by default; Set TLS...
FreeBSD -- Multiple vulnerabilities in rtsold
Problem Description: Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling. First, rtsold(8) failed to perform sufficient bounds checking on the extent of the option. In particular, it does not verify that the option does not extend past the end of the received packet before processing its...
xorg-server -- Multiple input validation failures in X server XKB extension
The X.org project reports: These issues can lead to privileges elevations for authorized clients on systems where the X server is running privileged. Insufficient checks on the lengths of the XkbSetMap request can lead to out of bounds memory accesses in the X server. Insufficient checks on input...
FreeBSD -- ICMPv6 use-after-free in error message handling
Problem Description: When an ICMPv6 error message is received, the FreeBSD ICMPv6 stack may extract information from the message to hand to upper-layer protocols. As a part of this operation, it may parse IPv6 header options from a packet embedded in the ICMPv6 message. The handler for a routing...
binutils -- excessive debug section size can cause excessive memory consumption in bfd's dwarf2.c read_section()
Hao Wang reports: There's a flaw in the BFD library of binutils in versions before 2.36. An attacker who supplies a crafted file to an application linked with BFD, and using the DWARF functionality, could cause an impact to system availability by way of excessive memory consumption...
sympa -- Unauthorised full access via SOAP API due to illegal cookie
Sympa community reports: Unauthorised full access via SOAP API due to illegal cookie...
raptor2 -- malformed input file can lead to a segfault
Redland Issue Tracker reports: due to an out of bounds array access in raptor_xml_writer_start_element_common...
mutt -- authentication credentials being sent over an unencrypted connection
Kevin J. McCarthy reports: Mutt had incorrect error handling when initially connecting to an IMAP server, which could result in an attempt to authenticate without enabling TLS...
x11vnc -- access to shared memory segments
[email protected] reports: scan.c in x11vnc 0.9.16 uses IPC_CREAT|0777 in shmget calls, which allows access by actors other than the current user...
Node.js -- November 2020 Security Releases
Node.js reports: Updates are now available for v12.x, v14.x and v15.x Node.js release lines for the following issues. Denial of Service through DNS request (CVE-2020-8277): A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of...
gitea -- multiple vulnerabilities
The Gitea Team reports for release 1.12.6: Prevent git operations for inactive users; Disallow urlencoded new lines in git protocol paths if there is a port...
mantis -- multiple vulnerabilities
Mantis 2.24.4 release reports: Security and maintenance release, addressing 6 CVEs: 0027726: CVE-2020-29603: disclosure of private project name; 0027727: CVE-2020-29605: disclosure of private issue summary; 0027728: CVE-2020-29604: full disclosure of private issue contents, including bugnotes and...
go -- math/big: panic during recursive division of very large numbers; cmd/go: arbitrary code execution at build time through cgo
The Go project reports: A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits on 32-bit architectures or 633...
moinmoin -- multiple vulnerabilities
MoinMoin reports: Security fix for CVE-2020-25074: fix remote code execution via cache action; Security fix for CVE-2020-15275: fix malicious SVG attachment causing stored XSS vulnerability...
salt -- multiple vulnerabilities
SaltStack reports multiple security vulnerabilities in Salt 3002: CVE-2020-16846: Prevent shell injections in netapi ssh client. CVE-2020-17490: Prevent creating world readable private keys with the tls execution module. CVE-2020-25592: Properly validate eauth credentials and tokens along with...
asterisk -- Outbound INVITE loop on challenge with different nonce
The Asterisk project reports: If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate even if the call is hung up,...
asterisk -- Remote crash in res_pjsip_session
The Asterisk project reports: Upon receiving a new SIP Invite, Asterisk did not return the created dialog locked or referenced. This caused a gap between the creation of the dialog object, and its next use by the thread that created it. Depending upon some off nominal circumstances, and timing it...
consul -- Fix Consul Connect CA private key configuration
Hashicorp reports: Increase the permissions to read from the /connect/ca/configuration endpoint to operator:write. Previously Connect CA configuration, including the private key, set via this endpoint could be read back by an operator with operator:read privileges...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 10 security fixes, including: 1138911 High CVE-2020-16004: Use after free in user interface. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-10-15; 1139398 High CVE-2020-16005: Insufficient policy enforcement in...
Gitlab -- Multiple vulnerabilities
Gitlab reports: Path Traversal in LFS Upload; Path traversal allows saving packages in arbitrary location; Kubernetes agent API leaks private repos; Terraform state deletion API exposes object storage URL; Stored-XSS in error message of build-dependencies; Git credentials persisted on disk; Potential...
darkhttpd -- DOS vulnerability
Mitre reports: A flaw was found in darkhttpd. Invalid error handling allows remote attackers to cause denial-of-service by accessing a file with a large modification date. The highest threat from this vulnerability is to system availability...
bouncycastle15 -- bcrypt password checking vulnerability
The Bouncy Castle team reports: The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different...
wordpress -- multiple issues
wordpress developers report: Ten security issues affect WordPress versions 5.5.1 and earlier. If you haven't yet updated to 5.5, all WordPress versions since 3.7 have also been updated to fix the following security issues: Props to Alex Concha of the WordPress Security Team for their work in...
tmux -- stack overflow in CSI parsing
Nicholas Marriott reports: tmux has a stack overflow in CSI parsing...
samba -- Multiple Vulnerabilities
The Samba Team reports: CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; CVE-2020-14323: Unprivileged user can crash winbind; CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records...
ImageMagick7 -- multiple vulnerabilities
CVE reports: Several vulnerabilities have been discovered in ImageMagick: CVE-2021-20313: A flaw was found in ImageMagick in versions before 7.0.11. A potential cipher leak when calculating signatures in TransformSignature is possible. CVE-2021-20312: A flaw was found in ImageMagick in versions...
glpi -- Insecure Direct Object Reference on ajax/getDropdownValue.php
MITRE Corporation reports: In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.)...
glpi -- Insecure Direct Object Reference on ajax/comments.php
MITRE Corporation reports: In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.)...
nomad -- multiple vulnerabilities
The HashiCorp team reports: artifact: Fixed a bug where interpolation can be used in the artifact destination field to write artifact payloads outside the allocation directory. template: Fixed a bug where interpolation can be used in the template source and destination fields to read or write fil...
freetype2 -- heap buffer overflow
The freetype project reports: A heap buffer overflow has been found in the handling of embedded PNG bitmaps, introduced in FreeType version 2.6...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release includes 5 security fixes: 1125337 High CVE-2020-16000: Inappropriate implementation in Blink. Reported by amaebijp on 2020-09-06; 1135018 High CVE-2020-16001: Use after free in media. Reported by Khalil Zhani on 2020-10-05; 1137630 High CVE-2020-16002: Use aft...
MySQL -- Multiple vulnerabilities
Oracle reports: This Critical Patch Update contains 48 new security patches for Oracle MySQL. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 8. NOTE: MariaDB only contains CVE-2020-14812, CVE-2020-14765, CVE-2020-14776 and CVE-2020-14789...
jupyter notebook -- open redirect vulnerability
Jupyter reports: 6.1.5 is a security release, fixing one vulnerability: Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned)...