FreeType vulnerability CVE-2015-9382

Security Advisory Description: FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token ...
More info: https://support.f5.com/csp/article/K46641512?utm_source=f5support&utm_medium=RSS

Xen Security Advisory 336 (XSA-336) (CVE-2020-25604)

Initial Publication Date: 2020/09/22 8:45AM PST
CVE Identifier: CVE-2020-25604
AWS is aware of Xen Security Advisory 336 released by the Xen Security team on September 22nd 2020. Nitro-based instances are not affected. Under rare circumstances, a guest may be able to cause a Xen host to reboot. This poses no risk to the confidentiality or integrity of customer data, and no customer action is required. We are actively updating the fleet, and will update this security bulletin when complete.
More info: https://aws.amazon.com/security/security-bulletins/AWS-2020-003/

Xen Security Advisory 337 (XSA-337) (CVE-2020-25595)

Initial Publication Date: 2020/09/22 8:45AM PST
CVE Identifier: CVE-2020-25595
AWS is aware of Xen Security Advisory 337 released by the Xen Security team on September 22nd 2020. Nitro-based instances are not affected. The issue depends on PCI devices passed through to customer instances exposing behavior outside of the PCI device specification. EC2 does not use such devices, and no customer action is required.
More info: https://aws.amazon.com/security/security-bulletins/AWS-2020-004/

Kernel vulnerability CVE-2020-10711

Security Advisory Description: A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7. This ...
More info: https://support.f5.com/csp/article/K02354867?utm_source=f5support&utm_medium=RSS

Drupal core – Moderately critical – Cross-site scripting – SA-CORE-2020-010

Project: Drupal core
Date: 2020-September-16
Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13669
Description: Drupal core's built-in CKEditor image caption functionality is vulnerable to XSS.
Solution: Install the latest version:
If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
If you are using Drupal 9.0.x, upgrade to Drupal
More info: https://www.drupal.org/sa-core-2020-010

D-Bus vulnerability CVE-2019-12749

Security Advisory Description: dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart ...
More info: https://support.f5.com/csp/article/K25719440?utm_source=f5support&utm_medium=RSS

Drupal core – Moderately critical – Cross-site scripting – SA-CORE-2020-007

Project: Drupal core
Date: 2020-September-16
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13666
Description: The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.
Solution: Install the latest version:
If you are using Drupal 7.x, upgrade to Drupal 7.73.
If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
If you are using Drupal 8.9.x, upgrade to
More info: https://www.drupal.org/sa-core-2020-007

MSA-20-0011: Stored XSS via moodlenetprofile parameter in user profile

by Michael Hawkins. The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk.
Severity/Risk: Serious
Versions affected: 3.9 to 3.9.1
Versions fixed: 3.9.2
Reported by: Kien Hoang
CVE identifier: CVE-2020-25627
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69240
Tracker issue: MDL-69240 Stored XSS via moodlenetprofile parameter in user profile
More info: https://moodle.org/mod/forum/discuss.php?d=410839&parent=1657001

MSA-20-0012: Reflected XSS in tag manager

by Michael Hawkins. The filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.
Severity/Risk: Serious
Versions affected: 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions
Versions fixed: 3.9.2, 3.8.5, 3.7.8 and 3.5.14
Reported by: Luuk Verhoeven
CVE identifier: CVE-2020-25628
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69340
Tracker issue: MDL-69340 Reflected XSS in tag manager
More info: https://moodle.org/mod/forum/discuss.php?d=410840&parent=1657002

MSA-20-0013: "Log in as" capability in a course context may lead to some privilege escalation

by Michael Hawkins. Users with the "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager.
Severity/Risk: Minor
Versions affected: 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions
Versions fixed: 3.9.2, 3.8.5, 3.7.8 and 3.5.14
Reported by: Florence Thiard
Workaround: Remove the "Login as other users" capability from the manager
More info: https://moodle.org/mod/forum/discuss.php?d=410841&parent=1657003