openSUSE Backports SLE vulnerabilities

325 known vulnerabilities affecting opensuse/backports_sle.

Total CVEs: 325
CISA KEV: 3 (actively exploited)
Public exploits: 8
Exploited in wild: 5
Severity breakdown: CRITICAL 27, HIGH 168, MEDIUM 129, LOW 1

Vulnerabilities

CVE-2020-6382 | HIGH | CVSS 8.8 | v15.0 | 2020-02-11
[CWE-843] Type confusion in JavaScript in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6403 | MEDIUM | CVSS 4.3 | v15.0 | 2020-02-11
Incorrect implementation in Omnibox in Google Chrome on iOS prior to 80.0.3987.87 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
nvd
CVE-2020-6393 | MEDIUM | CVSS 6.5 | v15.0 | 2020-02-11
[CWE-862] Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
nvd
CVE-2020-6399 | MEDIUM | CVSS 6.5 | v15.0 | 2020-02-11
[CWE-20] Insufficient policy enforcement in AppCache in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
nvd
CVE-2020-6401 | MEDIUM | CVSS 6.5 | v15.0 | 2020-02-11
[CWE-20] Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
nvd
CVE-2020-6391 | MEDIUM | CVSS 4.3 | v15.0 | 2020-02-11
[CWE-79] Insufficient validation of untrusted input in Blink in Google Chrome prior to 80.0.3987.87 allowed a local attacker to bypass content security policy via a crafted HTML page.
nvd
CVE-2020-6396 | MEDIUM | CVSS 4.3 | v15.0 | 2020-02-11
Inappropriate implementation in Skia in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
nvd
CVE-2020-6394 | MEDIUM | CVSS 5.4 | v15.0 | 2020-02-11
Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass content security policy via a crafted HTML page.
nvd
CVE-2020-6408 | MEDIUM | CVSS 6.5 | v15.0 | 2020-02-11
Insufficient policy enforcement in CORS in Google Chrome prior to 80.0.3987.87 allowed a local attacker to obtain potentially sensitive information via a crafted HTML page.
nvd
CVE-2020-6412 | MEDIUM | CVSS 5.4 | v15.0 | 2020-02-11
[CWE-20] Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
nvd
CVE-2020-6392 | MEDIUM | CVSS 4.3 | v15.0 | 2020-02-11
[CWE-79] Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.87 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.
nvd
CVE-2020-6397 | MEDIUM | CVSS 6.5 | v15.0 | 2020-02-11
Inappropriate implementation in sharing in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to spoof security UI via a crafted HTML page.
nvd
CVE-2020-6400 | MEDIUM | CVSS 6.5 | v15.0 | 2020-02-11
[CWE-203] Inappropriate implementation in CORS in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
nvd
CVE-2019-15623 | MEDIUM | CVSS 5.3 | v15.0 | 2020-02-04
[CWE-359] Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send its domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.
nvd
CVE-2020-8118 | MEDIUM | CVSS 5.0 | v15.0 | 2020-02-04
[CWE-918] An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed to detect local and remote services when adding a new subscription in the calendar application.
nvd
CVE-2019-3693 | HIGH | CVSS 7.8 | v15.0 | 2020-01-24
[CWE-59] A symlink following vulnerability in the packaging of mailman in SUSE Linux Enterprise Server 11, SUSE Linux Enterprise Server 12; openSUSE Leap 15.1 allowed local attackers to escalate their privileges from user wwwrun to root. Additionally arbitrary files could be changed to group mailman. This issue affects: SUSE Linux Enterprise Server 11 mailman ver
nvd
CVE-2019-3692 | HIGH | CVSS 7.8 | v15.0 | 2020-01-24
[CWE-59] The packaging of inn on SUSE Linux Enterprise Server 11; openSUSE Factory, Leap 15.1 allows local attackers to escalate from user inn to root via symlink attacks. This issue affects: SUSE Linux Enterprise Server 11 inn version 2.4.2-170.21.3.1 and prior versions. openSUSE Factory inn version 2.6.2-2.2 and prior versions. openSUSE Leap 15.1 inn version 2.
nvd
CVE-2019-18932 | HIGH | CVSS 7.0 | v15.0 | 2020-01-21
[CWE-59] log.c in Squid Analysis Report Generator (sarg) through 2.3.11 allows local privilege escalation. By default, it uses a fixed temporary directory /tmp/sarg. As the root user, sarg creates this directory or reuses an existing one in an insecure manner. An attacker can pre-create the directory, and place symlinks in it (after winning a /tmp/sarg/denied.i
nvd
CVE-2020-7040 | HIGH | CVSS 8.1 | v15.0 | 2020-01-21
[CWE-59] storeBackup.pl in storeBackup through 3.5 relies on the /tmp/storeBackup.lock pathname, which allows symlink attacks that possibly lead to privilege escalation. (Local users can also create a plain file named /tmp/storeBackup.lock to block use of storeBackup until an admin manually deletes that file.)
nvd
CVE-2020-7106 | MEDIUM | CVSS 6.1 | v15.0 | 2020-01-16
[CWE-79] Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS).
nvd