Multiple security issues were discovered in the Squid proxy caching server, which could result in the bypass of security filters, information disclosure, the execution of arbitrary code or denial of service.
The following vulnerability has been discovered in the libwebkit2gtk-4.0-dev web engine: CVE-2020-3885 Ryan Pickren discovered that a file URL may be incorrectly processed. CVE-2020-3894 Sergei Glazunov discovered that a race condition may allow an application to read restricted memory. CVE-2020-3895 grigoritchy discovered that processing maliciously crafted web content may lead to arbitrary code ...
The update for salt-master for the oldstable distribution released as DSA 4676-1 contained an incomplete fix to address CVE-2020-11651 and CVE-2020-11652. Updated salt-master packages are now available to correct this issue. For reference, the original advisory text follows. Several vulnerabilities were discovered in salt-master, a powerful remote execution manager, which could result in retrieve ...
A vulnerability was found in the EC2 credentials API of Keystone, the OpenStack identity service: Any user authenticated within a limited scope could create an EC2 credential with an escalated permission, such as obtaining "admin" while the user is on a limited "viewer" role.
Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Side Scripting and Cross-Site Request Forgery attacks, create files on the server, disclose private information, create open redirects, poison cache, and bypass authorization access and input sanitation.
Several vulnerabilities were discovered in salt-master, a powerful remote execution manager, which could result in retrieve of user tokens from the salt-master master, execution of arbitrary commands on salt-master minions, arbitrary directory access to authenticated users or arbitrary code execution on salt-master-api hosts.
Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling, code execution in the AJP connector or a man-in-the-middle attack against the JMX interface.
Several vulnerabilities have been discovered in GraphicsMagick, a set of command-line applications to manipulate image files, which could result in information disclosure, denial of service or the execution of arbitrary code if malformed image files are processed.
It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not correctly process and sanitize requests. This would allow a remote attacker to perform either a Cross-Site Request Forgery forcing an authenticated user to be logged out, or a Cross-Side Scripting leading to execution of arbitrary code.