6585 matches found
kde-runtime -- kdesu: displayed command truncated by unicode string terminator
Albert Aastals Cid reports: A maliciously crafted command line for kdesu can result in the user only seeing part of the commands that will actually get executed as super user...
codeigniter -- multiple vulnerabilities
The CodeIgniter changelog reports: Fixed an SQL injection in the ‘odbc’ database driver. Updated setrealpath Path Helper function to filter-out php:// wrapper inputs...
icingaweb2 -- remote code execution
Eric Lippmann reports: Possibility of remote code execution via the remote command transport...
FreeBSD -- Incorrect argument handling in sendmsg(2)
Problem Description: Incorrect argument handling in the socket code allows malicious local user to overwrite large portion of the kernel memory. Impact: Malicious local user may crash kernel or execute arbitrary code in the kernel, potentially gaining superuser privileges...
php5 -- multiple vulnerabilities
The PHP Group reports: Phar: Fixed bug 71498 Out-of-Bound Read in pharparsezipfile. WDDX: Fixed bug 71587 Use-After-Free / Double-Free in WDDX Deserialize...
go -- information disclosure vulnerability
Jason Buberel reports: A security-related issue has been reported in Go's math/big package. The issue was introduced in Go 1.5. We recommend that all users upgrade to Go 1.5.3, which fixes the issue. Go programs must be recompiled with Go 1.5.3 in order to receive the fix. The Go team would like ...
gnutls -- double free in certificate DN decoding
gnutls.org reports: Kurt Roeckx reported that decoding a specific certificate with very long DistinguishedName DN entries leads to double free, which may result to a denial of service. Since the DN decoding occurs in almost all applications using certificates it is recommended to upgrade the late...
arj -- multiple vulnerabilities
Several vulnerabilities: symlink directory traversal, absolute path directory traversal and buffer overflow were discovered in the arj archiver...
FreeBSD -- iconv(3) NULL pointer dereference and out-of-bounds array access
Problem Description: A NULL pointer dereference in the initialization code of the HZ module and an out of bounds array access in the initialization code of the VIQR module make iconvopen3 calls involving HZ or VIQR result in an application crash. Impact: Services where an attacker can control the...
pivotx -- Multiple unrestricted file upload vulnerabilities
Pivotx reports: Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a 1 .php or 2 .php extension, and then accessing it via unspecified vectors...
gnupg -- possible infinite recursion in the compressed packet parser
Werner Koch reports: Special crafted input data may be used to cause a denial of service against GPG GnuPG's OpenPGP part and some other OpenPGP implementations. All systems using GPG to process incoming data are affected...
py-suds -- vulnerable to symlink attacks
SUSE reports: cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/...
bogofilter -- heap corruption by invalid base64 input
David Relson reports: Fix a heap corruption in base64 decoder on invalid input. Analysis and patch by Julius Plenz, FU Berlin, Germany...
bugzilla -- multiple vulnerabilities
A Bugzilla Security Advisory reports: The following security issues have been discovered in Bugzilla: Account Impersonation: When a user creates a new account, Bugzilla doesn't correctly reject email addresses containing non-ASCII characters, which could be used to impersonate another user accoun...
plib -- buffer overflow
Secunia reports: A vulnerability has been discovered in PLIB, which can be exploited by malicious people to compromise an application using the library. The vulnerability is caused due to a boundary error within the "ulSetError" function src/util/ulError.cxx when creating the error message, which...
caml-light -- insecure use of temporary files
caml-light uses mktemp insecurely, and also does unsafe things in /tmp during make install...
phpLDAPadmin -- Remote PHP code injection vulnerability
EgiX n0b0d13s at gmail dot com reports: The $sortby parameter passed to 'masort' function in file lib/functions.php isn't properly sanitized before being used in a call to createfunction at line 1080. This can be exploited to inject and execute arbitrary PHP code. The only possible attack vector ...
VLC -- Heap corruption in MP4 demultiplexer
VideoLAN project reports: When parsing some MP4 MPEG-4 Part 14 files, insufficient buffer size might lead to corruption of the heap...
maradns -- denial of service when resolving a long DNS hostname
MaraDNS developer Sam Trenholme reports: ... a mistake in allocating an array of integers, allocating it in bytes instead of sizeofint units. This resulted in a buffer being too small, allowing it to be overwritten. The impact of this programming error is that MaraDNS can be crashed by sending...
wordpress -- SQL injection vulnerability
Vendor reports: SQL injection vulnerability in the dotrackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field...
horde-imp -- XSS vulnerability
The Horde team reports: Thanks to Naumann IT Security Consulting for reporting the XSS vulnerability. The major changes compared to IMP version H3 4.3.7 are: Fixed an XSS vulnerability in the Fetchmail configuration...
redmine -- multiple vulnerabilities
Eric Davis reports: This security release addresses some security vulnerabilities found in the advanced subversion integration module Redmine.pm perl script...
bogofilter -- heap underrun on malformed base64 input
Julius Plenz reports: I found a bug in the base64decode function which may cause memory corruption when the function is executed on a malformed base64 encoded string. If a string starting with an equal-sign is passed to the base64decode function it triggers a memory corruption that in some cases...
egroupware -- two vulnerabilities
Egroupware Team report: Nahuel Grisolia from CYBSEC S.A. Security Systems found two security problems in EGroupware: Serious remote command execution allowing to run arbitrary command on the web server by simply issuing a HTTP request!. A reflected cross-site scripting XSS. Both require NO valid...
openx -- sql injection vulnerability
Secunia reports: OpenX can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "bannerid" parameter in www/delivery/ac.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code...
twiki -- Arbitrary code execution in session files
Th1nk3r reports: The version of TWiki installed on the remote host allows access to the 'configure' script and fails to sanitize the 'image' parameter of that script of directory traversal sequences before returning the file contents when the 'action' parameter is set to 'image'. An unauthenticat...
Courier Authentication Library -- SQL Injection
Secunia reports: A vulnerability has been reported in the Courier Authentication Library, which can be exploited by malicious people to conduct SQL injection attacks. Input passed via e.g. the username to the library is not properly sanitised before being used in SQL queries. This can be exploite...
geeklog xss vulnerability
Geeklog reports: MustLive pointed out a possible XSS in the form to email an article to a friend that we're fixing with this release. Please note that this problem only exists in Geeklog 1.4.0 - neither Geeklog 1.4.1 nor any older versions 1.3.x series have that problem...
opera -- multiple vulnerabilities
An advisory from Opera reports: If a user has configured Opera to use an external newsgroup client or e-mail application, specially crafted Web pages can cause Opera to run that application incorrectly. In some cases this can lead to execution of arbitrary code. When accesing frames from differen...
ldapscripts -- Command Line User Credentials Disclosure
Ganael Laplanche reports: Up to now, each ldap command was called with the -w parameter, which allows to specify the bind password on the command line. Unfortunately, this could make the password appear to anybody performing a ps during the call. This is now avoided by using the -y parameter and ...
dokuwiki -- multiple vulnerabilities
Multiple vulnerabilities have been reported within dokuwiki. dokuwiki is proven vulnerable to: arbitrary PHP code insertion via spellcheck module, XSS attack via "Update your account profile," bypassing of ACL controls when enabled...
freeciv -- Packet Parsing Denial of Service Vulnerability
Secunia reports: Luigi Auriemma has reported a vulnerability in Freeciv, which can be exploited by malicious people to cause a DoS Denial of Service. The vulnerability is caused due to an error within the handling of the packet length in "common/packets.c". This can be exploited to crash the...
pubcookie-login-server -- cross site scripting vulnerability
Nathan Dors of the Pubcookie Project reports: Multiple non-persistent XSS vulnerabilities were found in the Pubcookie login server's compiled binary "index.cgi" CGI program. The CGI program mishandles untrusted data when printing responses to the browser. This makes the program vulnerable to...
coppermine -- File Inclusion Vulnerabilities
Secunia reports: Coppermine Photo Gallery have a vulnerability, which can be exploited by malicious people and by malicious users to compromise a vulnerable system. 1 Input passed to the "lang" parameter in include/init.inc.php isn't properly verified, before it is used to include files. This can...
cfengine -- arbitrary file overwriting vulnerability
A Debian Security Advisory reports: Javier Fernández-Sanguino Peña discovered several insecure temporary file uses in cfengine, a tool for configuring and maintaining networked machines, that can be exploited by a symlink attack to overwrite arbitrary files owned by the user executing cfengine,...
opera -- download dialog spoofing vulnerability
A Secunia Advisory reports: Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to trick users into executing malicious files. The vulnerability is caused due to an error in the handling of extended ASCII codes in the download dialog. This can be...
Macromedia flash player -- swf file handling arbitrary code
A Secunia Advisory reports: A vulnerability has been reported in Macromedia Flash Player, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to missing validation of the frame type identifier that is read from a SWF file. This value is used a...
oops -- format string vulnerability
A RST/GHC Advisory reports that there is an format string vulnerability in oops. The vulnerability can be found in the MySQL/PgSQL authentication module. Succesful exploitation may allow execution of arbitrary code...
phpbb -- Insuffient check against HTML code in usercp_register.php
Neo Security Team reports: If we specify a variable in the html code any type: hidden, text, radio, check, etc with the name allowhtml, allowbbcode or allowsmilies, is going to be on the html, bbcode and smilies in our signature. This is a low risk vulnerability that allows users to bypass...
gforge -- directory traversal vulnerability
An STG Security Advisory reports: GForge CVS module made by Dragos Moinescu and another module made by Ronald Petty have a directory traversal vulnerability. ... malicious attackers can read arbitrary directory lists...
newsgrab -- directory traversal vulnerability
The newsgrab script creates files by using the names provided in the newsgroup messages in a perl open call. This is done without performing any security checks to prevent a directory traversal. A specially crafted newsgroup message could cause newsgrab to drop an attachment anywhere on the file...
kstars -- exploitable set-user-ID application fliccd
A KDE Security Advisory explains: Overview KStars includes support for the Instrument Neutral Distributed Interface INDI. The build system of this extra 3rd party software contained an installation hook to install fliccd part of INDI as SUID root application. Erik Sjölund discovered that the code...
libxine -- buffer-overflow vulnerability in aiff support
Due to a buffer overflow in the openaifffile function in demuxaiff.c, a remote attacker is able to execute arbitrary code via a modified AIFF file...
gaim -- MSN denial-of-service vulnerabilities
The Gaim team discovered denial-of-service vulnerabilities in the MSN protocol handler: After accepting a file transfer request, Gaim will attempt to allocate a buffer of a size equal to the entire filesize, this allocation attempt will cause Gaim to crash if the size exceeds the amount of...
sudo -- environmental variable CDPATH is not cleared
A sudo bug report says: sudo doesn't unset the CDPATH variable, which leads to possible security problems...
horde -- cross-site scripting vulnerability in help window
A Horde Team announcement states that a potential cross-site scripting vulnerability in the help window has been corrected. The vulnerability appears to involve the handling of the topic and module parameters of the help window template...
php -- php_variables memory disclosure
Stefano Di Paola reports: Bad array parsing in phpvariables.c could lead to show arbitrary memory content such as pieces of php code and other data. This affects all GET, POST or COOKIES variables...
tor -- remote DoS and loss of anonymity
Tor has various remote crashes which could lead to a remote denial-of-service and be used to defeat clients anonymity. It is not expected that these vulnerabilities are exploitable for arbitrary code execution...
mnGoSearch buffer overflow in UdmDocToTextBuf()
Jedi/Sector One reported the following on the full-disclosure list: Every document is stored in multiple parts according to its sections description, body, etc in databases. And when the content has to be sent to the client, UdmDocToTextBuf concatenates those parts together and skips metadata...
Samba 3.0.x password initialization bug
From the Samba 3.0.2 release notes: Security Announcement: It has been confirmed that previous versions of Samba 3.0 are susceptible to a password initialization bug that could grant an attacker unauthorized access to a user account created by the mksmbpasswd.sh shell script...