openSUSE Backports SLE vulnerabilities

325 known vulnerabilities affecting opensuse/backports_sle.

Total CVEs: 325
CISA KEV: 3 (actively exploited)
Public exploits: 8
Exploited in wild: 5
Severity breakdown: CRITICAL 27, HIGH 168, MEDIUM 129, LOW 1

Vulnerabilities

Page 8 of 17
CVE-2020-6484 | MEDIUM | CVSS 6.5 | v15.0 | 2020-05-21
CVE-2020-6484 [MEDIUM] CWE-276: Insufficient data validation in ChromeDriver in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted request.
nvd
CVE-2020-6489 | MEDIUM | CVSS 4.3 | v15.0 | 2020-05-21
CVE-2020-6489 [MEDIUM] CWE-200: Inappropriate implementation in developer tools in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had convinced the user to take certain actions in developer tools to obtain potentially sensitive information from disk via a crafted HTML page.
nvd
CVE-2020-6486 | MEDIUM | CVSS 6.5 | v15.0 | 2020-05-21
CVE-2020-6486 [MEDIUM]: Insufficient policy enforcement in navigations in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
nvd
CVE-2020-12244 | HIGH | CVSS 7.5 | v15.0 | 2020-05-19
CVE-2020-12244 [HIGH] CWE-347: An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer, allowing an attacker to bypass DNSSEC validation.
nvd
CVE-2020-10995 | HIGH | CVSS 7.5 | v15.0 | 2020-05-19
CVE-2020-10995 [HIGH] CWE-400: PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. An issue in the DNS protocol has been found that allows malicious parties to use recursive DNS services to attack third party authoritative name servers. The attack uses a crafted reply by an authoritative name server to amplify the result
nvd
CVE-2020-12672 | HIGH | CVSS 7.5 | v15.0 | 2020-05-06
CVE-2020-12672 [HIGH] CWE-787: GraphicsMagick through 1.3.35 has a heap-based buffer overflow in ReadMNGImage in coders/png.c.
nvd
CVE-2020-12108 | MEDIUM | CVSS 6.5 | v15.0 | 2020-05-06
CVE-2020-12108 [MEDIUM] CWE-74: /options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.
nvd
CVE-2020-12641 | CRITICAL | CVSS 9.8 | KEV | PoC | v15.0 | 2020-05-04
CVE-2020-12641 [CRITICAL] CWE-78: rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
nvd
CVE-2020-12640 | CRITICAL | CVSS 9.8 | v15.0 | 2020-05-04
CVE-2020-12640 [CRITICAL] CWE-22: Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
nvd
CVE-2020-12625 | MEDIUM | CVSS 6.1 | v15.0 | 2020-05-04
CVE-2020-12625 [MEDIUM] CWE-79: An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.
nvd
CVE-2020-12050 | HIGH | CVSS 7.0 | v15.0 | 2020-04-30
CVE-2020-12050 [HIGH] CWE-362: SQLiteODBC 0.9996, as packaged for certain Linux distributions as 0.9996-4, has a race condition leading to root privilege escalation because any user can replace a /tmp/sqliteodbc$$ file with new contents that cause loading of an arbitrary library.
nvd
CVE-2020-12137 | MEDIUM | CVSS 6.1 | v15.0 | 2020-04-24
CVE-2020-12137 [MEDIUM] CWE-79: GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, a
nvd
CVE-2020-12066 | HIGH | CVSS 7.5 | v15.0 | 2020-04-22
CVE-2020-12066 [HIGH] CWE-20: CServer::SendMsg in engine/server/server.cpp in Teeworlds 0.7.x before 0.7.5 allows remote attackers to shut down the server.
nvd
CVE-2020-6423 | HIGH | CVSS 8.8 | v15.0 | 2020-04-13
CVE-2020-6423 [HIGH] CWE-416: Use after free in audio in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6451 | HIGH | CVSS 8.8 | v15.0 | 2020-04-13
CVE-2020-6451 [HIGH] CWE-416: Use after free in WebAudio in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6434 | HIGH | CVSS 8.8 | v15.0 | 2020-04-13
CVE-2020-6434 [HIGH] CWE-416: Use after free in devtools in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6436 | HIGH | CVSS 8.8 | v15.0 | 2020-04-13
CVE-2020-6436 [HIGH] CWE-416: Use after free in window management in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6430 | HIGH | CVSS 8.8 | v15.0 | 2020-04-13
CVE-2020-6430 [HIGH] CWE-843: Type Confusion in V8 in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6454 | HIGH | CVSS 8.8 | v15.0 | 2020-04-13
CVE-2020-6454 [HIGH] CWE-416: Use after free in extensions in Google Chrome prior to 81.0.4044.92 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.
nvd
CVE-2020-6450 | HIGH | CVSS 8.8 | v15.0 | 2020-04-13
CVE-2020-6450 [HIGH] CWE-416: Use after free in WebAudio in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd