Opensuse Backports Sle vulnerabilities
325 known vulnerabilities affecting opensuse/backports_sle.
Total CVEs: 325
CISA KEV: 3 (actively exploited)
Public exploits: 8
Exploited in wild: 5
Severity breakdown: CRITICAL 27, HIGH 168, MEDIUM 129, LOW 1
Vulnerabilities
CVE-2020-6563 [MEDIUM] | CVSS 6.5 | v15.0 | 2020-09-21
Insufficient policy enforcement in intent handling in Google Chrome on Android prior to 85.0.4183.83 allowed a remote attacker to obtain potentially sensitive information from disk via a crafted HTML page.
nvd
CVE-2020-15959 [MEDIUM] | CVSS 4.3 | v15.0 | 2020-09-21
Insufficient policy enforcement in networking in Google Chrome prior to 85.0.4183.102 allowed an attacker who convinced the user to enable logging to obtain potentially sensitive information from process memory via social engineering.
nvd
CVE-2020-6562 [MEDIUM] CWE-79 | CVSS 6.5 | v15.0 | 2020-09-21
Insufficient policy enforcement in Blink in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
nvd
CVE-2020-6568 [MEDIUM] | CVSS 6.5 | v15.0 | 2020-09-21
Insufficient policy enforcement in intent handling in Google Chrome on Android prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
nvd
CVE-2020-6571 [MEDIUM] CWE-20 | CVSS 4.3 | v15.0 | 2020-09-21
Insufficient data validation in Omnibox in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
nvd
CVE-2020-6564 [MEDIUM] CWE-281 | CVSS 6.5 | v15.0 | 2020-09-21
Inappropriate implementation in permissions in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of a permission dialog via a crafted HTML page.
nvd
CVE-2020-15966 [MEDIUM] | CVSS 4.3 | v15.0 | 2020-09-21
Insufficient policy enforcement in extensions in Google Chrome prior to 85.0.4183.121 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information via a crafted Chrome Extension.
nvd
CVE-2020-6561 [MEDIUM] | CVSS 6.5 | v15.0 | 2020-09-21
Inappropriate implementation in Content Security Policy in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
nvd
CVE-2020-6560 [MEDIUM] | CVSS 6.5 | v15.0 | 2020-09-21
Insufficient policy enforcement in autofill in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
nvd
CVE-2020-6565 [MEDIUM] | CVSS 6.5 | v15.0 | 2020-09-21
Inappropriate implementation in Omnibox in Google Chrome on iOS prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
nvd
CVE-2020-6569 [MEDIUM] CWE-190 | CVSS 6.3 | v15.0 | 2020-09-21
Integer overflow in WebUSB in Google Chrome prior to 85.0.4183.83 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6567 [MEDIUM] CWE-20 | CVSS 6.5 | v15.0 | 2020-09-21
Insufficient validation of untrusted input in command line handling in Google Chrome on Windows prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
nvd
CVE-2020-25032 [HIGH] CWE-22 | CVSS 7.5 | v15.0 | 2020-08-31
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
nvd
CVE-2020-14352 [HIGH] CWE-22 | CVSS 8.0 | v15.0 | 2020-08-30
A flaw was found in librepo in versions before 1.12.1. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in
nvd
CVE-2020-24972 [HIGH] CWE-116 | CVSS 8.8 | v15.0 | 2020-08-29
The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platformpluginpath command-line option can be used to load an arbitrary DLL.
nvd
CVE-2020-24614 [HIGH] CWE-862 | CVSS 8.8 | v15.0 | 2020-08-25
Fossil before 2.10.2, 2.11.x before 2.11.2, and 2.12.x before 2.12.1 allows remote authenticated users to execute arbitrary code. An attacker must have check-in privileges on the repository.
nvd
CVE-2020-8233 [HIGH] CWE-77 | CVSS 8.8 | v15.0 | 2020-08-17
A command injection vulnerability exists in EdgeSwitch firmware <v1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges.
nvd
CVE-2020-8026 [HIGH] CWE-276 | CVSS 7.8 | v15.0 | 2020-08-07
An Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. This issue affects: openSUSE Leap 15.2 inn version 2.6.2-lp152.1.26 and prior versions. openSUSE Tumbleweed inn version 2.6.2-4.2 an
nvd
CVE-2020-17353 [CRITICAL] | CVSS 9.8 | v15.0 | 2020-08-05
scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code.
nvd
CVE-2020-16118 [HIGH] CWE-476 | CVSS 7.5 | v15.0 | 2020-07-29
In GNOME Balsa before 2.6.0, a malicious server operator or man in the middle can trigger a NULL pointer dereference and client crash by sending a PREAUTH response to imap_mbox_connect in libbalsa/imap/imap-handle.c.
nvd