rpm package
suse/release-notes-susemanager-proxy&distro=SUSE Manager Proxy LTS 4.3
pkg:rpm/suse/release-notes-susemanager-proxy&distro=SUSE%20Manager%20Proxy%20LTS%204.3
Vulnerabilities (9)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-58190 | — | — | | < 4.3.16.2-150400.3.104.2 | 4.3.16.2-150400.3.104.2 | Feb 5, 2026 | The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. |
| CVE-2025-47911 | — | — | | < 4.3.16.2-150400.3.104.2 | 4.3.16.2-150400.3.104.2 | Feb 5, 2026 | The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. |
| CVE-2025-62349 | Medium | 6.2 | | < 4.3.16.2-150400.3.104.2 | 4.3.16.2-150400.3.104.2 | Jan 30, 2026 | Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to p |
| CVE-2025-62348 | High | 7.8 | | < 4.3.16.2-150400.3.104.2 | 4.3.16.2-150400.3.104.2 | Jan 30, 2026 | Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process. |
| CVE-2025-11065 | Medium | 5.3 | | < 4.3.16.2-150400.3.104.2 | 4.3.16.2-150400.3.104.2 | Jan 26, 2026 | A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data process |
| CVE-2025-64751 | — | — | | < 4.3.16.2-150400.3.104.2 | 4.3.16.2-150400.3.104.2 | Nov 21, 2025 | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 (openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper policy enforcemen |
| CVE-2025-53883 | Critical | — | | < 4.3.16.1-150400.3.101.2 | 4.3.16.1-150400.3.101.2 | Oct 30, 2025 | An Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability allows attackers to run arbitrary JavaScript via a reflected XSS issue in the search fields. This issue affects Container suse/manager/5.0/x86_64/server:latest: from ? before 5.0.28-15060 |
| CVE-2025-53880 | High | — | | < 4.3.16.1-150400.3.101.2 | 4.3.16.1-150400.3.101.2 | Oct 30, 2025 | A Path Traversal vulnerability in the tftpsync/add and tftpsync/delete scripts allows a remote attacker on an adjacent network to write or delete files on the filesystem with the privileges of the unprivileged wwwrun user. Although the endpoint is unauthenticated, access is restr |
| CVE-2025-53192 | — | — | | < 4.3.16.1-150400.3.101.2 | 4.3.16.1-150400.3.101.2 | Aug 18, 2025 | ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Expression/Command Delimiters vulnerability in Apache Commons OGNL. This issue affects Apache Commons OGNL: all versions. When using the API Ognl.getValue, the OGNL engine parses and evaluates the provided expression |