openSUSE Leap vulnerabilities
1,896 known vulnerabilities affecting opensuse/leap.
Total CVEs: 1,896
CISA KEV: 18 (actively exploited)
Public exploits: 51
Exploited in wild: 19
Severity breakdown: CRITICAL 202, HIGH 798, MEDIUM 803, LOW 93
Vulnerabilities
Page 11 of 95
CVE-2020-6534 | HIGH | CVSS 8.8 | CWE-787 | v15.1, v15.2 | 2020-07-22
Heap buffer overflow in WebRTC in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6533 | HIGH | CVSS 8.8 | CWE-787 | v15.1, v15.2 | 2020-07-22
Type Confusion in V8 in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6516 | MEDIUM | CVSS 4.3 | v15.1, v15.2 | 2020-07-22
Policy bypass in CORS in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
nvd
CVE-2020-6526 | MEDIUM | CVSS 6.5 | v15.1, v15.2 | 2020-07-22
Inappropriate implementation in iframe sandbox in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
nvd
CVE-2020-6536 | MEDIUM | CVSS 4.3 | v15.1, v15.2 | 2020-07-22
Incorrect security UI in PWAs in Google Chrome prior to 84.0.4147.89 allowed a remote attacker who had persuaded the user to install a PWA to spoof the contents of the Omnibox (URL bar) via a crafted PWA.
nvd
CVE-2020-6527 | MEDIUM | CVSS 4.3 | CWE-276 | v15.1, v15.2 | 2020-07-22
Insufficient policy enforcement in CSP in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to bypass content security policy via a crafted HTML page.
nvd
CVE-2020-6531 | MEDIUM | CVSS 4.3 | CWE-203 | v15.1, v15.2 | 2020-07-22
Side-channel information leakage in scroll to text in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
nvd
CVE-2020-6535 | MEDIUM | CVSS 6.1 | CWE-79 | v15.1, v15.2 | 2020-07-22
Insufficient data validation in WebUI in Google Chrome prior to 84.0.4147.89 allowed a remote attacker who had compromised the renderer process to inject scripts or HTML into a privileged page via a crafted HTML page.
nvd
CVE-2020-6511 | MEDIUM | CVSS 6.5 | CWE-209 | v15.1, v15.2 | 2020-07-22
Information leak in content security policy in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
nvd
CVE-2020-6519 | MEDIUM | CVSS 6.5 | PoC | v15.1, v15.2 | 2020-07-22
Policy bypass in CSP in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to bypass content security policy via a crafted HTML page.
nvd
CVE-2020-6529 | MEDIUM | CVSS 4.3 | CWE-295 | v15.1, v15.2 | 2020-07-22
Inappropriate implementation in WebRTC in Google Chrome prior to 84.0.4147.89 allowed an attacker in a privileged network position to leak cross-origin data via a crafted HTML page.
nvd
CVE-2020-6521 | MEDIUM | CVSS 6.5 | v15.1, v15.2 | 2020-07-22
Side-channel information leakage in autofill in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
nvd
CVE-2020-6528 | MEDIUM | CVSS 4.3 | v15.1, v15.2 | 2020-07-22
Incorrect security UI in basic auth in Google Chrome on iOS prior to 84.0.4147.89 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
nvd
CVE-2020-6514 | MEDIUM | CVSS 6.5 | CWE-200 | v15.1, v15.2 | 2020-07-22
Inappropriate implementation in WebRTC in Google Chrome prior to 84.0.4147.89 allowed an attacker in a privileged network position to potentially exploit heap corruption via a crafted SCTP stream.
nvd
CVE-2020-14039 | MEDIUM | CVSS 5.3 | CWE-295 | v15.1, v15.2 | 2020-07-17
In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.
nvd
CVE-2020-15586 | MEDIUM | CVSS 5.9 | CWE-362 | v15.1, v15.2 | 2020-07-17
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
nvd
CVE-2020-15803 | MEDIUM | CVSS 6.1 | PoC | CWE-79 | v15.1, v15.2 | 2020-07-17
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.
nvd
CVE-2020-0305 | MEDIUM | CVSS 6.4 | CWE-362 | v15.1, v15.2 | 2020-07-17
In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-153467744
nvd
CVE-2020-14646 | HIGH | CVSS 7.5 | v15.1, v15.2 | 2020-07-15
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.44, prior to 6.0.24 and prior to 6.1.12. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.
nvd
CVE-2020-14675 | HIGH | CVSS 7.5 | CWE-367 | v15.1, v15.2 | 2020-07-15
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.44, prior to 6.0.24 and prior to 6.1.12. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM Virt
nvd