Risk
High
Patch available
YES
Number of vulnerabilities
6
CVE ID
CVE-2020-15673, CVE-2020-15676, CVE-2020-15677, CVE-2020-15678, CVE-2020-15683, CVE-2020-15969
CWE ID
CWE-119, CWE-79, CWE-451, CWE-416
Exploitation vector
Network
Public exploit
N/A
Vulnerable software
Opensuse (Operating systems & Components / Operating system)
Vendor
Novell
Security Advisory
2) Cross-site scripting
Risk: Medium
CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]
CVE-ID: CVE-2020-15676
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists because Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable element.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Update the ..