openSUSE Backports SLE vulnerabilities
325 known vulnerabilities affecting opensuse/backports_sle.
Total CVEs: 325
CISA KEV: 3 (actively exploited)
Public exploits: 8
Exploited in wild: 5
Severity breakdown: CRITICAL 27, HIGH 168, MEDIUM 129, LOW 1
Vulnerabilities
Page 10 of 17
CVE-2020-10802 [HIGH] CVSS 8.0 | CWE-89 | v15.0 | 2020-03-22
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be perform
nvd
CVE-2020-10803 [MEDIUM] CVSS 5.4 | CWE-79 | v15.0 | 2020-03-22
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which w
nvd
CVE-2019-12921 [MEDIUM] CVSS 6.5 | CWE-77 | v15.0 | 2020-03-18
In GraphicsMagick before 1.3.32, the text filename component allows remote attackers to read arbitrary files via a crafted image because of TranslateTextEx for SVG.
nvd
CVE-2019-3698 [HIGH] CVSS 7.0 | CWE-59 | v15.0 | 2020-02-28
UNIX Symbolic Link (Symlink) Following vulnerability in the cronjob shipped with nagios of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 11; openSUSE Factory allows local attackers to cause DoS or potentially escalate privileges by winning a race. This issue affects: SUSE Linux Enterprise Server 12 nagios version 3.5.1-5.27 and prio
nvd
CVE-2020-7043 [CRITICAL] CVSS 9.1 | CWE-295 | v15.0 | 2020-02-27
An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL before 1.0.2. tunnel.c mishandles certificate validation because hostname comparisons do not consider '\0' characters, as demonstrated by a good.example.com\x00evil.example.com attack.
nvd
CVE-2020-7042 [MEDIUM] CVSS 5.3 | CWE-295 | v15.0 | 2020-02-27
An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL 1.0.2 or later. tunnel.c mishandles certificate validation because the hostname check operates on uninitialized memory. The outcome is that a valid certificate is never accepted (only a malformed certificate may be accepted).
nvd
CVE-2020-7041 [MEDIUM] CVSS 5.3 | CWE-295 | v15.0 | 2020-02-27
An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL 1.0.2 or later. tunnel.c mishandles certificate validation because an X509_check_host negative error code is interpreted as a successful return value.
nvd
CVE-2020-9272 [HIGH] CVSS 7.5 | CWE-125 | v15.0 | 2020-02-20
ProFTPD 1.3.7 has an out-of-bounds (OOB) read vulnerability in mod_cap via the cap_text.c cap_to_text function.
nvd
CVE-2020-9273 [HIGH] CVSS 8.8 | CWE-416 | v15.0 | 2020-02-20
In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. This triggers a use-after-free in alloc_pool in pool.c, and possible remote code execution.
nvd
CVE-2020-8955 [CRITICAL] CVSS 9.8 | CWE-120 | v15.0 | 2020-02-12
irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat through 2.7 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a malformed IRC message 324 (channel mode).
nvd
CVE-2020-6402 [HIGH] CVSS 8.8 | CWE-20 | v15.0 | 2020-02-11
Insufficient policy enforcement in downloads in Google Chrome on OS X prior to 80.0.3987.87 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension.
nvd
CVE-2020-6404 [HIGH] CVSS 8.8 | PoC | CWE-787 | v15.0 | 2020-02-11
Inappropriate implementation in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6381 [HIGH] CVSS 8.8 | CWE-190 | v15.0 | 2020-02-11
Integer overflow in JavaScript in Google Chrome on ChromeOS and Android prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6398 [HIGH] CVSS 8.8 | CWE-908 | v15.0 | 2020-02-11
Use of uninitialized data in PDFium in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
nvd
CVE-2020-6416 [HIGH] CVSS 8.8 | CWE-20 | v15.0 | 2020-02-11
Insufficient data validation in streams in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6413 [HIGH] CVSS 8.8 | v15.0 | 2020-02-11
Inappropriate implementation in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass HTML validators via a crafted HTML page.
nvd
CVE-2020-6385 [HIGH] CVSS 8.8 | CWE-754 | v15.0 | 2020-02-11
Insufficient policy enforcement in storage in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass site isolation via a crafted HTML page.
nvd
CVE-2020-6415 [HIGH] CVSS 8.8 | CWE-787 | v15.0 | 2020-02-11
Inappropriate implementation in JavaScript in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6414 [HIGH] CVSS 8.8 | v15.0 | 2020-02-11
Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
nvd
CVE-2020-6390 [HIGH] CVSS 8.8 | CWE-787 | v15.0 | 2020-02-11
Out of bounds memory access in streams in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd