Jenkins Sonargraph Integration Plugin 3.0.0 and earlier does not escape the file path for the Log file field form validation, resulting in a stored cross-site scripting vulnerability. Date published : 2020-07-02 https://jenkins.io/security/advisory/2020-07-02/#SECURITY-1775 http://www.openwall.com/lists/oss-security/2020/07/02/7
LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affects decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example, malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without validating T.tlength. Date published : 2020-07-02 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HM2DS6HA4YZREI3BYGS75M6D76WMW62/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCVKD7PTO7UQAVUTBHJAKBKYLPQQGAMZ/
** DISPUTED ** The DuckDuckGo application through 5.58.0 for Android, and through 7.47.1.0 for iOS, sends hostnames of visited web sites within HTTPS .ico requests to servers in the duckduckgo.com domain, which might make...
In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference. Date published : 2020-07-02 http://www.openwall.com/lists/oss-security/2020/07/02/1 https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg09961.html
TenderMint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and...
In PrestaShop from version 1.7.0.0 and before version 1.7.6.6, if a target sends a corrupted file, it leads to a reflected XSS. The problem is fixed in 1.7.6.6 Date published : 2020-07-02 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-qgh4-95j7-p3vj https://github.com/PrestaShop/PrestaShop/commit/bac749bf75a4e0d6312a70b37eb5b0a556f08fbd
In PrestaShop from version 1.6.0.1 and before version 1.7.6.6, the dashboard allows rewriting all configuration variables. The problem is fixed in 1.7.6.6 Date published : 2020-07-02 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mc98-xjm3-c4fm https://github.com/PrestaShop/PrestaShop/commit/0f0d6238169a79d94f5ef28d24e60a9be8902f4b
In PrestaShop from version 1.5.0.0 and before 1.7.6.6, there is information exposure in the upload directory. The problem is fixed in version 1.7.6.6. A possible workaround is to add an empty index.php file in...
In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should not be accessible. The problem is fixed in version 1.7.6.6 A possible workaround...
In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, there is improper access control in Carrier page, Module Manager and Module Positions. The problem is fixed in version 1.7.6.6 Date published : 2020-07-02 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xp3x-3h8q-c386...
The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are...
This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian...
The CodePeople Payment Form for PayPal Pro plugin before 1.1.65 for WordPress allows SQL Injection. Date published : 2020-07-02 https://wordpress.dwbooster.com/forms/payment-form-for-paypal-pro Payment Form for PayPal Pro
An XSS vulnerability exists in the Webmail component of Zimbra Collaboration Suite before 8.8.15 Patch 11. It allows an attacker to inject executable JavaScript into the account name of a user’s profile. The injected...