#ubuntu

Innue Business Live Chat version 2.5 suffers from an ignored default credential vulnerability.

In snapd versions prior to 2.62, when using AppArmor for enforcement of sandbox permissions, snapd failed to restrict writes to the $HOME/bin path. In Ubuntu, when this path exists, it is automatically added to the users PATH. An attacker who could convince a user to install a malicious snap which used the 'home' plug could use this vulnerability to install arbitrary scripts into the users PATH which may then be run by the user outside of the expected snap sandbox and hence allow them to escape confinement.

Ubuntu Security Notice 6914-1 - Filip Hejsek discovered that the phpCAS library included in OCS Inventory was using HTTP headers to determine the service URL used to validate tickets. A remote attacker could possibly use this issue to gain access to a victim's account.

Ubuntu Security Notice 6913-1 - Filip Hejsek discovered that phpCAS was using HTTP headers to determine the service URL used to validate tickets. A remote attacker could possibly use this issue to gain access to a victim's account on a vulnerable CASified service. This security update introduces an incompatible API change. After applying this update, third party applications need to be modified to pass in an additional service base URL argument when constructing the client class.

Ubuntu Security Notice 6915-1 - It was discovered that poppler incorrectly handled certain malformed PDF. An attacker could possibly use this issue to cause a denial of service.

Multi Store Inventory Management System version 1.0 suffers from an insecure direct object reference vulnerability.

Ubuntu Security Notice 6912-1 - James Henstridge discovered that provd incorrectly handled environment variables. A local attacker could possibly use this issue to run arbitrary programs and escalate privileges.

Ubuntu Security Notice 6906-1 - It was discovered that python-zipp did not properly handle the zip files with malformed names. An attacker could possibly use this issue to cause a denial of service.

SIM Wisuda version 1.0 suffers from an insecure direct object reference vulnerability.

Ubuntu Security Notice 6910-1 - Chess Hazlett discovered that Apache ActiveMQ incorrectly handled certain commands. A remote attacker could possibly use this issue to terminate the program, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. Peter Stoeckli discovered that Apache ActiveMQ incorrectly handled hostname verification. A remote attacker could possibly use this issue to perform a person-in-the-middle attack. This issue only affected Ubuntu 16.04 LTS.