Security
Headlines
HeadlinesLatestCVEs

Tag

#debian

CVE-2020-35488: GitHub - GuillaumePetit84/CVE-2020-35488

The fileop module of the NXLog service in NXLog Community Edition 2.10.2150 allows remote attackers to cause a denial of service (daemon crash) via a crafted Syslog payload to the Syslog service. This attack requires a specific configuration. Also, the name of the directory created must use a Syslog field. (For example, on Linux it is not possible to create a .. directory. On Windows, it is not possible to create a CON directory.)

CVE
Open in Source
#vulnerability#web#windows#ubuntu#linux#debian#dos#apache#git
CVE-2020-28852: x/text: panic in language.ParseAcceptLanguage while processing bcp47 tag · Issue #42536 · golang/go

In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

CVE-2020-35730: #978491 - roundcube: CVE-2020-35730: XSS vulnerability via malious HTML or plaintext messages

An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.

CVE-2020-35605: Input injection via graphic protocol · Issue #3128 · kovidgoyal/kitty

The Graphics Protocol feature in graphics.c in kitty before 0.19.3 allows remote attackers to execute arbitrary code because a filename containing special characters can be included in an error message.

CVE-2020-29374

An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider the semantics of read operations and therefore can grant unintended write access, aka CID-17839856fd58.

CVE-2020-27744: WDC-20007 My Cloud Firmware Version 5.04.114 | Western Digital

An issue was discovered on Western Digital My Cloud NAS devices before 5.04.114. They allow remote code execution with resultant escalation of privileges.

CVE-2020-26932: Restrict access to sympa_newaliases-wrapper (setuid root) to group sympa (!1) · Merge requests · Debian Sympa Team / sympa · GitLab

debian/sympa.postinst for the Debian Sympa package before 6.2.40~dfsg-7 uses mode 4755 for sympa_newaliases-wrapper, whereas the intended permissions are mode 4750 (for access by the sympa group)

CVE-2020-26880: [SA 2020-002] Security flaws in setuid wrappers, CVE-2020-10936 · Issue #943 · sympa-community/sympa

Sympa through 6.2.57b.2 allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable.