SUSE CVE-2009-2690

The encoder in Sun Java SE 6 before Update 15, and OpenJDK, grants read access to private variables with unspecified names, which allows context-dependent attackers to obtain sensitive information via an untrusted 1 applet or 2 application...

SUSE CVE-2009-4018

The procopen function in ext/standard/procopen.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the 1 safemodeallowedenvvars and 2 safemodeprotectedenvvars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, a...

SUSE CVE-2010-1870

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "" protection mechanis...

SUSE CVE-2010-3834

Unspecified vulnerability in MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service server crash via vectors related to "materializing a derived table that required a temporary table for grouping" and "user variable...

SUSE CVE-2011-0054

Buffer overflow in the JavaScript engine in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, might allow remote attackers to execute arbitrary code via vectors involving non-local JavaScript variables, aka an "upvarMap" issue...

SUSE CVE-2011-1769

SystemTap 1.4 and earlier, when unprivileged aka stapusr mode is enabled, allows local users to cause a denial of service divide-by-zero error and OOPS via a crafted ELF program with DWARF expressions that are not properly handled by a stap script that performs context variable access...

SUSE CVE-2011-4682

The JavaScript engine in Opera before 11.60 does not properly implement the in operator, which allows remote attackers to bypass the Same Origin Policy via vectors related to variables on different web sites...

SUSE CVE-2012-0830

The phpregistervariableex function in phpvariables.c in PHP 5.3.9 allows remote attackers to execute arbitrary code via a request containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4885...

SUSE CVE-2012-0831

PHP before 5.3.10 does not properly perform a temporary change to the magicquotesgpc directive during the importing of environment variables, which makes it easier for remote attackers to conduct SQL injection attacks via a crafted request, related to main/phpvariables.c, sapi/cgi/cgimain.c, and...

SUSE CVE-2012-3479

lisp/files.el in Emacs 23.2, 23.3, 23.4, and 24.1 automatically executes eval forms in local-variable sections when the enable-local-variables option is set to :safe, which allows user-assisted remote attackers to execute arbitrary Emacs Lisp code via a crafted file...

SUSE CVE-2013-2239

vzkernel before 042stab080.2 in the OpenVZ modification for the Linux kernel 2.6.32 does not initialize certain length variables, which allows local users to obtain sensitive information from kernel stack memory via 1 a crafted ploop driver ioctl call, related to the ploopgetdeviceioc function in...

SUSE CVE-2013-3076

The crypto API in the Linux kernel through 3.9-rc8 does not initialize certain length variables, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call, related to the hashrecvmsg function in crypto/algifhash.c and the...

SUSE CVE-2013-3241

export.php aka the export script in phpMyAdmin 4.x before 4.0.0-rc3 overwrites global variables on the basis of the contents of the POST superglobal array, which allows remote authenticated users to inject values via a crafted request...

SUSE CVE-2013-7108

Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service crash via a long string in the last key value in...

SUSE CVE-2014-0106

Sudo 1.6.9 before 1.8.5, when envreset is disabled, does not properly check environment variables for the envdelete restriction, which allows local users with sudo permissions to bypass intended command restrictions via a crafted environment variable...

SUSE CVE-2014-0475

Multiple directory traversal vulnerabilities in GNU C Library aka glibc or libc6 before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. dot dot in a 1 LC, 2 LANG, or other locale environment variable...

SUSE CVE-2014-1691

The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the formvars form...

SUSE CVE-2014-3158

Integer overflow in the getword function in options.c in pppd in Paul's PPP Package ppp before 2.4.7 allows attackers to "access privileged options" via a long word in an options file, which triggers a heap-based buffer overflow that "corrupts security-relevant variables."...

SUSE CVE-2014-3230

The libwww-perl LWP::Protocol::https module 6.04 through 6.06 for Perl, when using IO::Socket::SSL as the SSL socket class, allows attackers to disable server certificate validation via the 1 HTTPSCADIR or 2 HTTPSCAFILE environment variable...

SUSE CVE-2014-6271

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the modcgi and modcg...