openSUSE Backports SLE vulnerabilities
325 known vulnerabilities affecting opensuse/backports_sle.
Total CVEs: 325
CISA KEV: 3 (actively exploited)
Public exploits: 8
Exploited in wild: 5
Severity breakdown: CRITICAL 27, HIGH 168, MEDIUM 129, LOW 1
Vulnerabilities
Page 6 of 17
CVE-2020-6535 | MEDIUM | CVSS 6.1 | CWE-79 | v15.0 | 2020-07-22
Insufficient data validation in WebUI in Google Chrome prior to 84.0.4147.89 allowed a remote attacker who had compromised the renderer process to inject scripts or HTML into a privileged page via a crafted HTML page.
nvd
CVE-2020-6511 | MEDIUM | CVSS 6.5 | CWE-209 | v15.0 | 2020-07-22
Information leak in content security policy in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
nvd
CVE-2020-6519 | MEDIUM | CVSS 6.5 | PoC | v15.0 | 2020-07-22
Policy bypass in CSP in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to bypass content security policy via a crafted HTML page.
nvd
CVE-2020-6529 | MEDIUM | CVSS 4.3 | CWE-295 | v15.0 | 2020-07-22
Inappropriate implementation in WebRTC in Google Chrome prior to 84.0.4147.89 allowed an attacker in a privileged network position to leak cross-origin data via a crafted HTML page.
nvd
CVE-2020-6521 | MEDIUM | CVSS 6.5 | v15.0 | 2020-07-22
Side-channel information leakage in autofill in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
nvd
CVE-2020-6528 | MEDIUM | CVSS 4.3 | v15.0 | 2020-07-22
Incorrect security UI in basic auth in Google Chrome on iOS prior to 84.0.4147.89 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
nvd
CVE-2020-6514 | MEDIUM | CVSS 6.5 | CWE-200 | v15.0 | 2020-07-22
Inappropriate implementation in WebRTC in Google Chrome prior to 84.0.4147.89 allowed an attacker in a privileged network position to potentially exploit heap corruption via a crafted SCTP stream.
nvd
CVE-2020-15396 | HIGH | CVSS 7.8 | CWE-362 | v15.0 | 2020-06-30
In HylaFAX+ through 7.0.2 and HylaFAX Enterprise, the faxsetup utility calls chown on files in user-owned directories. By winning a race, a local attacker could use this to escalate his privileges to root.
nvd
CVE-2020-8164 | HIGH | CVSS 7.5 | CWE-502 | v15.0 | 2020-06-19
A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked from Strong Parameters.
nvd
CVE-2020-14004 | HIGH | CVSS 7.8 | CWE-59 | v15.0 | 2020-06-12
An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dirs script (run as part of the icinga2 systemd service) executes chmod 2750 /run/icinga2/cmd. /run/icinga2 is under control of an unprivileged user by default. If /run/icinga2/cmd is a symlink, then it will be followed and arbitrary files can be changed to mode 2750 by the unprivileged
nvd
CVE-2020-13696 | MEDIUM | CVSS 4.4 | CWE-863 | v15.0 | 2020-06-08
An issue was discovered in LinuxTV xawtv before 3.107. The function dev_open() in v4l-conf.c does not perform sufficient checks to prevent an unprivileged caller of the program from opening unintended filesystem paths. This allows a local attacker with access to the v4l-conf setuid-root program to test for the existence of arbitrary files and to tri
nvd
CVE-2020-13379 | HIGH | CVSS 8.2 | Exploited | PoC | CWE-918 | v15.0 | 2020-06-03
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid U
nvd
CVE-2020-6496 | HIGH | CVSS 8.8 | CWE-416 | v15.0 | 2020-06-03
Use after free in payments in Google Chrome on MacOS prior to 83.0.4103.97 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
nvd
CVE-2020-6494 | MEDIUM | CVSS 6.5 | v15.0 | 2020-06-03
Incorrect security UI in payments in Google Chrome on Android prior to 83.0.4103.97 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
nvd
CVE-2020-13614 | MEDIUM | CVSS 5.9 | CWE-295 | v15.0 | 2020-05-26
An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation lacks hostname verification.
nvd
CVE-2020-6466 | CRITICAL | CVSS 9.6 | CWE-416 | v15.0 | 2020-05-21
Use after free in media in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
nvd
CVE-2020-6469 | CRITICAL | CVSS 9.6 | CWE-276 | v15.0 | 2020-05-21
Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.
nvd
CVE-2020-6465 | CRITICAL | CVSS 9.6 | CWE-416 | v15.0 | 2020-05-21
Use after free in reader mode in Google Chrome on Android prior to 83.0.4103.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
nvd
CVE-2020-6471 | CRITICAL | CVSS 9.6 | CWE-276 | v15.0 | 2020-05-21
Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.
nvd
CVE-2020-6467 | HIGH | CVSS 8.8 | CWE-416 | v15.0 | 2020-05-21
Use after free in WebRTC in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd