The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of openSUSE Leap

computer vulnerability CVE-2018-3780

NextCloud: Cross Site Scripting via Autocomplete Field

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Autocomplete Field of NextCloud, in order to run JavaScript code in the context of the web site.
Impacted products: openSUSE Leap, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 27/08/2018.
Identifiers: CVE-2018-3780, openSUSE-SU-2018:2510-1, openSUSE-SU-2018:2521-1, openSUSE-SU-2018:2521-2, VIGILANCE-VUL-27075.

Description of the vulnerability

The NextCloud product offers a web service.

However, it does not filter data received via the autocomplete field before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Autocomplete Field of NextCloud, in order to run JavaScript code in the context of the web site.

computer vulnerability note CVE-2018-8032

Apache AXIS: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Apache AXIS, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 23/08/2018.
Identifiers: CVE-2018-8032, FEDORA-2018-8a85ed2f10, openSUSE-SU-2018:3218-1, SUSE-SU-2018:3118-1, SUSE-SU-2018:3119-1, SUSE-SU-2018:3121-1, VIGILANCE-VUL-27069.

Description of the vulnerability

The Apache AXIS product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Apache AXIS, in order to run JavaScript code in the context of the web site.

computer vulnerability note CVE-2018-15605

phpMyAdmin: Cross Site Scripting via File Import Warning Messages

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via File Import Warning Messages of phpMyAdmin, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora, openSUSE Leap, phpMyAdmin, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 22/08/2018.
Identifiers: CERTFR-2018-AVI-404, CVE-2018-15605, FEDORA-2018-f2b24ce26e, openSUSE-SU-2018:2523-1, openSUSE-SU-2018:2525-1, openSUSE-SU-2018:2525-2, PMASA-2018-5, VIGILANCE-VUL-27059.

Description of the vulnerability

The phpMyAdmin product offers a web service.

However, it does not filter data received via file import warning messages before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via File Import Warning Messages of phpMyAdmin, in order to run JavaScript code in the context of the web site.

computer vulnerability bulletin CVE-2018-10895

qutebrowser: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of qutebrowser, in order to force the victim to perform operations.
Impacted products: openSUSE Leap.
Severity: 2/4.
Creation date: 30/07/2018.
Identifiers: CVE-2018-10895, openSUSE-SU-2018:2120-1, VIGILANCE-VUL-26868.

Description of the vulnerability

The qutebrowser product offers a web service.

However, the origin of queries is not checked. They can for example originate from an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery of qutebrowser, in order to force the victim to perform operations.

computer vulnerability announce CVE-2018-1000559

qutebrowser: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of qutebrowser, in order to run JavaScript code in the context of the web site.
Impacted products: openSUSE Leap.
Severity: 2/4.
Creation date: 30/07/2018.
Identifiers: CVE-2018-1000559, openSUSE-SU-2018:2120-1, openSUSE-SU-2018:2130-1, VIGILANCE-VUL-26867.

Description of the vulnerability

The qutebrowser product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of qutebrowser, in order to run JavaScript code in the context of the web site.

vulnerability note CVE-2018-0618

Mailman: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Mailman, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, Fedora, openSUSE Leap, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 02/07/2018.
Identifiers: CVE-2018-0618, DLA-1442-1, DLA-1442-2, DSA-4246-1, FEDORA-2018-f8fd4c5798, JVN#00846677, openSUSE-SU-2018:1858-1, VIGILANCE-VUL-26594.

Description of the vulnerability

The Mailman product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Mailman, in order to run JavaScript code in the context of the web site.

computer vulnerability note CVE-2018-12581

phpMyAdmin: Cross Site Scripting via Designer Feature

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Designer Feature of phpMyAdmin, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora, openSUSE Leap, phpMyAdmin, SUSE Linux Enterprise Desktop, SLES, WindRiver Linux.
Severity: 2/4.
Creation date: 22/06/2018.
Identifiers: CERTFR-2018-AVI-300, CVE-2018-12581, FEDORA-2018-68349e3094, openSUSE-SU-2018:1806-1, openSUSE-SU-2018:1809-1, PMASA-2018-3, VIGILANCE-VUL-26499.

Description of the vulnerability

The phpMyAdmin product offers a web service.

However, it does not filter data received via the Designer feature before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Designer Feature of phpMyAdmin, in order to run JavaScript code in the context of the web site.

vulnerability note CVE-2018-10188

phpMyAdmin: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of phpMyAdmin, in order to force the victim to perform operations.
Impacted products: openSUSE Leap, phpMyAdmin, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 19/04/2018.
Identifiers: CVE-2018-10188, openSUSE-SU-2018:1058-1, openSUSE-SU-2018:1059-1, PMASA-2018-2, VIGILANCE-VUL-25934.

Description of the vulnerability

The phpMyAdmin product offers a web service.

However, the origin of queries is not checked. They can for example originate from an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery of phpMyAdmin, in order to force the victim to perform operations.

vulnerability bulletin CVE-2018-10059 CVE-2018-10060 CVE-2018-10061

Cacti: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Cacti, in order to run JavaScript code in the context of the web site.
Impacted products: Cacti, openSUSE Leap.
Severity: 2/4.
Creation date: 26/03/2018.
Identifiers: 1457, CVE-2018-10059, CVE-2018-10060, CVE-2018-10061, openSUSE-SU-2018:0842-1, VIGILANCE-VUL-25643.

Description of the vulnerability

The Cacti product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Cacti, in order to run JavaScript code in the context of the web site.

computer vulnerability alert CVE-2018-7541

Xen: denial of service via a change of page table type

Synthesis of the vulnerability

A privileged attacker in a guest system can request a change of page table type to Xen without unmapping related pages, in order to make the host crash.
Impacted products: XenServer, Debian, Fedora, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 1/4.
Creation date: 27/02/2018.
Identifiers: CERTFR-2018-AVI-102, CERTFR-2018-AVI-145, CERTFR-2018-AVI-171, CTX232096, CTX232655, CVE-2018-7541, DLA-1300-1, DLA-1577-1, DSA-4131-1, FEDORA-2018-0746dac335, FEDORA-2018-c553a586c8, openSUSE-SU-2018:1274-1, SUSE-SU-2018:0678-1, SUSE-SU-2018:0909-1, SUSE-SU-2018:1184-1, VIGILANCE-VUL-25386, XSA-255.

Description of the vulnerability

A privileged attacker in a guest system can request a change of page table type to Xen without unmapping related pages, in order to make the host crash.