glpi -- SQL injection for all helpdesk instances
MITRE Corporation reports: In GLPI before version 9.4.6, there is a SQL injection vulnerability for all helpdesk instances. Exploiting this vulnerability requires a technician account. This is fixed in version 9.4.6...
glpi -- Improve encryption algorithm
MITRE Corporation reports: In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure...
glpi -- Remote Code Execution (RCE) via the backup functionality
MITRE Corporation reports: In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only...
glpi -- multiple related stored XSS vulnerabilities
MITRE Corporation reports: In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "alert1" reproduces the attack. This can be exploited by a user with...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Arbitrary File Read when Moving an Issue; Path Traversal in NPM Package Registry; SSRF on Project Import; External Users Can Create Personal Snippet; Triggers Description Can be Updated by Other Maintainers in Project; Information Disclosure on Confidential Issues Moved to Private...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: High: SECURITY-1774 / CVE-2020-2160, CSRF protection for any URL could be bypassed. Medium: SECURITY-1781 / CVE-2020-2161, Stored XSS vulnerability in label expression validation. Medium: SECURITY-1793 / CVE-2020-2162, Stored XSS vulnerability in file parameters...
phpMyAdmin -- SQL injection
phpMyAdmin Team reports: PMASA-2020-2: SQL injection vulnerability in the user accounts page, particularly when changing a password. PMASA-2020-3: SQL injection vulnerability relating to the search feature. PMASA-2020-4: SQL injection and XSS having to do with displaying results. Removing of the...
Python -- multiple vulnerabilities
Python reports: gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 (such as base 10 (decimal)) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic...
rubygem-json -- Unsafe Object Creation Vulnerability in JSON (Additional fix)
When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269. The previous fix was incomplete, which addressed JSON.parse(user_input), but didn't address some other...
FreeBSD -- Kernel memory disclosure with nested jails
Problem Description: A missing NUL-termination check for the jail_set(2) configuration option "osrelease" may return more bytes when reading the jail configuration back with jail_get(2) than were originally set. Impact: For jails with a non-default setting of children.max > 0 ("nested jails") a superuser...
FreeBSD -- Incorrect user-controlled pointer use in epair
Problem Description: Incorrect use of a potentially user-controlled pointer in the kernel allowed vnet jailed users to panic the system and potentially execute arbitrary code in the kernel. Impact: Users with root level access or the PRIV_NET_IFCREATE privilege can panic the system, or potentially...
FreeBSD -- Insufficient ixl(4) ioctl(2) privilege checking
Problem Description: The driver-specific ioctl(2) command handlers in ixl(4) failed to check whether the caller has sufficient privileges to perform the corresponding operation. Impact: The ixl(4) handler permits unprivileged users to trigger updates to the device's non-volatile memory (NVM)...
FreeBSD -- Insufficient oce(4) ioctl(2) privilege checking
Problem Description: The driver-specific ioctl(2) command handlers in oce(4) failed to check whether the caller has sufficient privileges to perform the corresponding operation. Impact: The oce(4) handler permits unprivileged users to send passthrough commands to device firmware...
FreeBSD -- TCP IPv6 SYN cache kernel information disclosure
Problem Description: When a TCP server transmits or retransmits a TCP SYN-ACK segment over IPv6, the Traffic Class field is not initialized. This also applies to challenge ACK segments, which are sent in response to received RST segments during the TCP connection setup phase. Impact: For each TCP...
drupal -- Drupal Core - Moderately critical - Third-party library
Drupal Security Team reports: The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations. Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. An attack...
Nextcloud -- multiple vulnerabilities
Nextcloud reports: XSS in Files PDF viewer (NC-SA-2020-019); Missing ownership check on remote wipe endpoint (NC-SA-2020-018)...
Okular -- Local binary execution via action links
Albert Astals Cid: Okular can be tricked into executing local binaries via specially crafted PDF files. This binary execution can require almost no user interaction. No parameters can be passed to those local binaries. We have not been able to identify any binary that will cause actual damage, be...
Gitlab -- Vulnerability
Gitlab reports: Email Confirmation not Required on Sign-up...
puppetserver and puppetdb -- Puppet Server and PuppetDB may leak sensitive information via metrics API
Puppetlabs reports: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types which may contain sensitive information as we...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Directory Traversal to Arbitrary File Read; Account Takeover Through Expired Link; Server Side Request Forgery Through Deprecated Service; Group Two-Factor Authentication Requirement Bypass; Stored XSS in Merge Request Pages; Stored XSS in Merge Request Submission Form; Stored XSS in Fi...
py-matrix-synapse -- users of single-sign-on are vulnerable to phishing
Matrix developers report: The 1.11.1 release includes a security fix impacting installations using Single Sign-On (i.e. SAML2 or CAS) for authentication. Administrators of such installations are encouraged to upgrade as soon as possible...
mediawiki -- multiple vulnerabilities
Mediawiki reports: Security fixes: T246602: jquery.makeCollapsible allows applying event handler to any CSS selector...
py-yaml -- FullLoader (still) exploitable for arbitrary command execution
Riccardo Schirone (https://github.com/ret2libc) reports: In FullLoader the python/object/new constructor, implemented by construct_python_object_apply, has support for setting the state of a deserialized instance through the set_python_instance_state method. After setting the state, some operations are...
gitea -- multiple vulnerabilities
The Gitea Team reports for release 1.11.6: Fix missing authorization check on pull for public repos of private/limited org (11656, 11683); Use session for retrieving org teams (11438, 11439)...
librsvg2 -- multiple vulnerabilities
Librsvg2 developers report: Backport the following fixes from 2.46.x: Librsvg now has limits on the number of loaded XML elements, and the number of referenced elements within an SVG document. This is to mitigate malicious SVGs which try to consume all memory, and those which try to consume an...
zeek -- potential denial of service issues
Jon Siwek of Corelight reports: This release addresses the following security issues: Potential Denial of Service due to memory leak in DNS TSIG message parsing. Potential Denial of Service due to memory leak or assertion (when compiling with assertions enabled) when receiving a second SSH KEX...
Django -- potential SQL injection vulnerability
MITRE CVE reports: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was...
OpenSMTPd -- Local information disclosure
Qualys reports: We discovered a minor vulnerability in OpenSMTPD, OpenBSD's mail server: an unprivileged local attacker can read the first line of an arbitrary file (for example, root's password hash in /etc/master.passwd) or the entire contents of another user's file if this file and...
OpenSMTPd -- LPE and RCE in OpenSMTPD's default install
Qualys reports:...
sympa -- Denial of service caused by malformed CSRF token
Javier Moreno discovered a vulnerability in the Sympa web interface that can cause a denial of service (DoS) attack. By submitting requests with malformed parameters, this flaw allows creating junk files in Sympa's directory for temporary files. In particular, by tampering with the token used to prevent CSRF, it...
OpenSMTPd -- LPE and RCE in OpenSMTPD's default install
OpenSMTPD developers report: An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group. An unprivileged local...
WeeChat -- Multiple vulnerabilities
The WeeChat project reports: Buffer overflow when receiving a malformed IRC message 324 (channel mode) (CVE-2020-8955). Buffer overflow when a new IRC message 005 is received with longer nick prefixes. Crash when receiving a malformed IRC message 352 (WHO)...
puppet6 -- Arbitrary Catalog Retrieval
Puppetlabs reports: Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the default node, the catalog ca...
Mbed TLS -- Cache attack against RSA key import in SGX
Janos Follath reports: If Mbed TLS is running in an SGX enclave and the adversary has control of the main operating system, they can launch a side channel attack to recover the RSA private key when it is being imported. The attack only requires access to fine grained measurements to cache usage...
webkit-gtk3 -- Multiple vulnerabilities
The WebKitGTK project reports multiple vulnerabilities...
www/py-bleach -- multiple vulnerabilities
bleach.clean behavior parsing embedded MathML and SVG content with RCDATA tags did not match browser behavior and could result in a mutation XSS. Calls to bleach.clean with strip=False and math or svg tags and one or more of the RCDATA tags script, noscript, style, noframes, iframe, noembed, or x...
Gitlab -- Vulnerability
Gitlab reports: Incorrect membership handling of group sharing feature...
PostgreSQL -- ALTER ... DEPENDS ON EXTENSION is missing authorization checks
The PostgreSQL project reports: Versions Affected: 9.6 - 12. The ALTER ... DEPENDS ON EXTENSION sub-commands do not perform authorization checks, which can allow an unprivileged user to drop any function, procedure, materialized view, index, or trigger under certain conditions. This attack is...
ansible -- Vault password leak from temporary file
Borja Tarraso reports: A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file...
ansible -- subversion password leak from PID
Borja Tarraso reports: A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior: when a password is set with the argument "password" of the svn module, it is used on the svn command line, disclosing it to other users within the same node. An attacker could take advantage by reading...
ansible -- win_unzip path normalization
Borja Tarraso reports: A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module, as the extracted files are not checked to confirm they belong to the destination folder. An attacker could take advantage of this flaw by...
Flash Player -- arbitrary code execution
Adobe reports: This update resolves a type confusion vulnerability that could lead to arbitrary code execution (CVE-2020-3757)...
Python -- multiple vulnerabilities
Python reports: bpo-41304: Fixes python3x._pth being ignored on Windows, caused by the fix for bpo-29778 (CVE-2020-15801). bpo-39603: Prevent http header injection by rejecting control characters in http.client.putreques...
Squid -- multiple vulnerabilities
The Squid developers report: Improper Input Validation issues in HTTP Request processing (CVE-2020-8449, CVE-2020-8450). Information Disclosure issue in FTP Gateway (CVE-2019-12528). Buffer Overflow issue in ext_lm_group_acl helper (CVE-2020-8517)...
piwigo -- Multiple Vulnerabilities
Piwigo reports: Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page...
Node.js -- multiple vulnerabilities
Node.js reports: Updates are now available for all active Node.js release lines for the following issues. HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605). Affected Node.js...
clamav -- Denial-of-Service (DoS) vulnerability
Micah Snyder reports: A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature. Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash...
cacti -- multiple vulnerabilities
The Cacti developers report: When guest users have access to realtime graphs, remote code could be executed (CVE-2020-8813). Lack of escaping on some pages can lead to XSS exposure (CVE-2020-7106). Remote Code Execution due to input validation failure in Performance Boost Debug Log (CVE-2020-7237)...
Django -- potential SQL injection vulnerability
MITRE CVE reports: Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitabl...
InspIRCd -- websocket module double free vulnerability
The InspIRCd development team reports: The websocket module before v3.8.1 contains a double free vulnerability. When combined with an HTTP reverse proxy this vulnerability can be used by any user who is GKZ-lined to remotely crash an InspIRCd server...