Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*
- CPE Name Search: true
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2020-6511 |
Information leak in content security policy in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Published: July 22, 2020; 1:15:13 PM -0400 |
V3.1: 6.5 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2020-6510 |
Heap buffer overflow in background fetch in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Published: July 22, 2020; 1:15:13 PM -0400 |
V3.1: 7.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2020-15396 |
In HylaFAX+ through 7.0.2 and HylaFAX Enterprise, the faxsetup utility calls chown on files in user-owned directories. By winning a race, a local attacker could use this to escalate his privileges to root. Published: June 30, 2020; 8:15:12 AM -0400 |
V3.1: 7.8 HIGH V2.0: 7.2 HIGH |
CVE-2020-14004 |
An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dirs script (run as part of the icinga2 systemd service) executes chmod 2750 /run/icinga2/cmd. /run/icinga2 is under control of an unprivileged user by default. If /run/icinga2/cmd is a symlink, then it will by followed and arbitrary files can be changed to mode 2750 by the unprivileged icinga2 user. Published: June 12, 2020; 12:15:10 PM -0400 |
V3.1: 7.8 HIGH V2.0: 4.6 MEDIUM |
CVE-2020-13379 |
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault. Published: June 03, 2020; 3:15:10 PM -0400 |
V3.1: 8.2 HIGH V2.0: 6.4 MEDIUM |
CVE-2020-12108 |
/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection. Published: May 06, 2020; 11:15:11 AM -0400 |
V3.1: 6.5 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2020-12641 |
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. Published: May 04, 2020; 11:15:14 AM -0400 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2020-12640 |
Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php. Published: May 04, 2020; 11:15:14 AM -0400 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2020-12625 |
An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message. Published: May 03, 2020; 10:15:11 PM -0400 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2020-12137 |
GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code. Published: April 24, 2020; 9:15:11 AM -0400 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2020-1772 |
It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. Published: March 27, 2020; 9:15:15 AM -0400 |
V3.1: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2020-1770 |
Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. Published: March 27, 2020; 9:15:15 AM -0400 |
V3.1: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2020-1769 |
In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. Published: March 27, 2020; 9:15:15 AM -0400 |
V3.1: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2020-7040 |
storeBackup.pl in storeBackup through 3.5 relies on the /tmp/storeBackup.lock pathname, which allows symlink attacks that possibly lead to privilege escalation. (Local users can also create a plain file named /tmp/storeBackup.lock to block use of storeBackup until an admin manually deletes that file.) Published: January 21, 2020; 4:15:16 PM -0500 |
V3.1: 8.1 HIGH V2.0: 9.3 HIGH |
CVE-2020-1765 |
An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. Published: January 10, 2020; 10:15:11 AM -0500 |
V3.1: 5.3 MEDIUM V2.0: 5.0 MEDIUM |
CVE-2019-18179 |
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions. Published: January 06, 2020; 3:15:12 PM -0500 |
V3.1: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2019-19918 |
Lout 3.40 has a heap-based buffer overflow in the srcnext() function in z02.c. Published: December 20, 2019; 3:15:12 PM -0500 |
V3.1: 7.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2019-19917 |
Lout 3.40 has a buffer overflow in the StringQuotedWord() function in z39.c. Published: December 20, 2019; 3:15:12 PM -0500 |
V3.1: 7.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2019-18622 |
An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature. Published: November 22, 2019; 4:15:10 PM -0500 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2019-10740 |
In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker. Published: April 07, 2019; 11:29:00 AM -0400 |
V3.1: 4.3 MEDIUM V2.0: 4.3 MEDIUM |