Riasztások

Ubuntu Secutity Notices · 2020. október 28.

USN-4552-3: Pam-python regression

USN-4552-1 and USN-4552-2 fixed a vulnerability in Pam-python. The update introduced a regression which prevented PAM modules written in Python from importing python modules from site-specific directories. We apologize for the inconvenience. Original advisory details: Malte Kraus discovered that Pam-python mishandled certain environment variables. A local attacker could potentially use this vulnerability to execute programs as root.
NVD: all CVE · 2020. október 28.

CVE-2020-27974

NeoPost Mail Accounting Software Pro 5.0.6 allows php/Commun/FUS_SCM_BlockStart.php?code= XSS.
NVD: all CVE · 2020. október 28.

CVE-2020-27975

osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF.
NVD: all CVE · 2020. október 28.

CVE-2020-27976

osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Within admin/mail.php, a from POST parameter can be passed to the application. This affects the PHP mail function, and the sendmail -f option.
NVD: all CVE · 2020. október 28.

CVE-2020-27978

Shibboleth Identify Provider 3.x before 3.4.6 has a denial of service flaw. A remote unauthenticated attacker can cause a login flow to trigger Java heap exhaustion due to the creation of objects in the Java Servlet container session.
Linux security Advisories · 2020. október 28.

RedHat: RHSA-2020-4390:01 Moderate: python-django security update>

An update for python-django is now available for Red Hat OpenStack Platform 13 (Queens). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
Linux security Advisories · 2020. október 28.

RedHat: RHSA-2020-4391:01 Moderate: openstack-cinder security update>

An update for OpenStack Block Storage (cinder) is now available for Red Hat OpenStack Platform 13 (Queens). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
NVD: all CVE · 2020. október 28.

CVE-2020-22552

The Snap7 server component in version 1.4.1, when an attacker sends a crafted packet with COTP protocol the last-data-unit flag set to No and S7 writes a var function, the Snap7 server will be crashed.
NVD: all CVE · 2020. október 28.

CVE-2020-24303

Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
NVD: all CVE · 2020. október 28.

CVE-2020-8260

A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.
NVD: all CVE · 2020. október 28.

CVE-2020-8261

A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary cookie injection.
NVD: all CVE · 2020. október 28.

CVE-2020-8262

A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection for authenticated user web interface.
NVD: all CVE · 2020. október 28.

CVE-2020-8263

A vulnerability in the authenticated user web interface of Pulse Connect Secure < 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) through the CGI file.
NVD: all CVE · 2020. október 28.

CVE-2020-8239

A vulnerability in the Pulse Secure Desktop Client < 9.1R9 is vulnerable to the client registry privilege escalation attack. This fix also requires Server Side Upgrade due to Standalone Host Checker Client (Windows) and Windows PDC.
NVD: all CVE · 2020. október 28.

CVE-2020-8240

A vulnerability in the Pulse Secure Desktop Client < 9.1R9 allows a restricted user on an endpoint machine can use system-level privileges if the Embedded Browser is configured with Credential Provider. This vulnerability only affects Windows PDC if the Embedded Browser is configured with the Credential Provider.
NVD: all CVE · 2020. október 28.

CVE-2020-8241

A vulnerability in the Pulse Secure Desktop Client < 9.1R9 could allow the attacker to perform a MITM Attack if end users are convinced to connect to a malicious server.
NVD: all CVE · 2020. október 28.

CVE-2020-8248

A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to escalate privilege.
NVD: all CVE · 2020. október 28.

CVE-2020-8249

A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to perform buffer overflow.
NVD: all CVE · 2020. október 28.

CVE-2020-8250

A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to escalate privilege.
NVD: all CVE · 2020. október 28.

CVE-2020-8254

A vulnerability in the Pulse Secure Desktop Client < 9.1R9 has Remote Code Execution (RCE) if users can be convinced to connect to a malicious server. This vulnerability only affects Windows PDC.To improve the security of connections between Pulse clients and Pulse Connect Secure, see below recommendation(s):Disable Dynamic certificate trust for PDC.