Filtered by vendor Debian
Subscriptions
Filtered by product Debian Linux
Subscriptions
Total
8867 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-26976 | 3 Debian, Mozilla, Redhat | 4 Debian Linux, Firefox, Enterprise Linux and 1 more | 2024-08-04 | 6.5 Medium |
| When a HTTPS pages was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing. This vulnerability affects Firefox < 84. | ||||
| CVE-2020-26934 | 4 Debian, Fedoraproject, Opensuse and 1 more | 5 Debian Linux, Fedora, Backports Sle and 2 more | 2024-08-04 | 6.1 Medium |
| phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link. | ||||
| CVE-2020-26935 | 4 Debian, Fedoraproject, Opensuse and 1 more | 5 Debian Linux, Fedora, Backports Sle and 2 more | 2024-08-04 | 9.8 Critical |
| An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query. | ||||
| CVE-2020-26932 | 2 Debian, Sympa | 2 Debian Linux, Sympa | 2024-08-04 | 4.3 Medium |
| debian/sympa.postinst for the Debian Sympa package before 6.2.40~dfsg-7 uses mode 4755 for sympa_newaliases-wrapper, whereas the intended permissions are mode 4750 (for access by the sympa group) | ||||
| CVE-2020-26880 | 3 Debian, Fedoraproject, Sympa | 3 Debian Linux, Fedora, Sympa | 2024-08-04 | 7.8 High |
| Sympa through 6.2.57b.2 allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable. | ||||
| CVE-2020-26870 | 4 Cure53, Debian, Microsoft and 1 more | 5 Dompurify, Debian Linux, Visual Studio 2017 and 2 more | 2024-08-04 | 6.1 Medium |
| Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements. | ||||
| CVE-2020-26570 | 4 Debian, Fedoraproject, Opensc Project and 1 more | 4 Debian Linux, Fedora, Opensc and 1 more | 2024-08-04 | 5.5 Medium |
| The Oberthur smart card software driver in OpenSC before 0.21.0-rc1 has a heap-based buffer overflow in sc_oberthur_read_file. | ||||
| CVE-2020-26664 | 2 Debian, Videolan | 2 Debian Linux, Vlc Media Player | 2024-08-04 | 7.8 High |
| A vulnerability in EbmlTypeDispatcher::send in VideoLAN VLC media player 3.0.11 allows attackers to trigger a heap-based buffer overflow via a crafted .mkv file. | ||||
| CVE-2020-26571 | 4 Debian, Fedoraproject, Opensc Project and 1 more | 4 Debian Linux, Fedora, Opensc and 1 more | 2024-08-04 | 5.5 Medium |
| The gemsafe GPK smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in sc_pkcs15emu_gemsafeGPK_init. | ||||
| CVE-2020-26247 | 3 Debian, Nokogiri, Redhat | 5 Debian Linux, Nokogiri, 3scale Amp and 2 more | 2024-08-04 | 2.6 Low |
| Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4. | ||||
| CVE-2020-26572 | 4 Debian, Fedoraproject, Opensc Project and 1 more | 4 Debian Linux, Fedora, Opensc and 1 more | 2024-08-04 | 5.5 Medium |
| The TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in tcos_decipher. | ||||
| CVE-2020-26421 | 4 Debian, Fedoraproject, Oracle and 1 more | 4 Debian Linux, Fedora, Zfs Storage Appliance Kit and 1 more | 2024-08-04 | 4.2 Medium |
| Crash in USB HID protocol dissector and possibly other dissectors in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file. | ||||
| CVE-2020-26519 | 3 Artifex, Debian, Fedoraproject | 3 Mupdf, Debian Linux, Fedora | 2024-08-04 | 5.5 Medium |
| Artifex MuPDF before 1.18.0 has a heap based buffer over-write when parsing JBIG2 files allowing attackers to cause a denial of service. | ||||
| CVE-2020-26418 | 4 Debian, Fedoraproject, Oracle and 1 more | 4 Debian Linux, Fedora, Zfs Storage Appliance Kit and 1 more | 2024-08-04 | 3.1 Low |
| Memory leak in Kafka protocol dissector in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file. | ||||
| CVE-2020-26258 | 4 Debian, Fedoraproject, Redhat and 1 more | 9 Debian Linux, Fedora, Camel Quarkus and 6 more | 2024-08-04 | 7.7 High |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories. | ||||
| CVE-2020-26575 | 4 Debian, Fedoraproject, Oracle and 1 more | 5 Debian Linux, Fedora, Zfs Storage Appliance and 2 more | 2024-08-04 | 7.5 High |
| In Wireshark through 3.2.7, the Facebook Zero Protocol (aka FBZERO) dissector could enter an infinite loop. This was addressed in epan/dissectors/packet-fbzero.c by correcting the implementation of offset advancement. | ||||
| CVE-2020-26298 | 2 Debian, Redcarpet Project | 2 Debian Linux, Redcarpet | 2024-08-04 | 6.8 Medium |
| Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. This is fixed in version 3.5.1 by the referenced commit. | ||||
| CVE-2020-26558 | 6 Bluetooth, Debian, Fedoraproject and 3 more | 35 Bluetooth Core Specification, Debian Linux, Fedora and 32 more | 2024-08-04 | 4.2 Medium |
| Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. | ||||
| CVE-2020-26259 | 4 Debian, Fedoraproject, Redhat and 1 more | 9 Debian Linux, Fedora, Camel Quarkus and 6 more | 2024-08-04 | 6.8 Medium |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories. | ||||
| CVE-2020-26237 | 4 Debian, Highlightjs, Oracle and 1 more | 4 Debian Linux, Highlight.js, Mysql Enterprise Monitor and 1 more | 2024-08-04 | 5.8 Medium |
| Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable. The pollution should just be harmless data but this can cause problems for applications not expecting these properties to exist and can result in strange behavior or application crashes, i.e. a potential DOS vector. If your website or application does not render user provided data it should be unaffected. Versions 9.18.2 and 10.1.2 and newer include fixes for this vulnerability. If you are using version 7 or 8 you are encouraged to upgrade to a newer release. | ||||