6583 matches found
curl -- Automatic referer leaks credentials
Daniel Stenberg reports: libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. libcurl...
spamassassin -- Malicious rule configuration (.cf) files can be configured to run system commands
The Apache SpamAssassin project reports: Apache SpamAssassin 3.4.5 was recently released 1, and fixes an issue of security note where malicious rule configuration .cf files can be configured to run system commands. In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release includes 5 security fixes, including: 1167357 High CVE-2021-21191: Use after free in WebRTC. Reported by raven @raidakame on 2021-01-15 1181387 High CVE-2021-21192: Heap buffer overflow in tab groups. Reported by Abdulrahman Alqabandi, Microsoft Browser...
libX11 -- Doublefree in locale handlng code
The X.org project reports: There is an integer overflow and a double free vulnerability in the way LibX11 handles locales. The integer overflow is a necessary precursor to the double free...
VirtualBox -- Multiple vulnerabilities
Oracle reports: Vulnerabilities in VirtualBox core can allow users with logon access to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of these vulnerabilities can result in unauthorized access to critical data, access to all Oracle V...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: User Email Verification Bypass OAuth Flow Missing Email Verification Checks Notification Email Verification Bypass Undisclosed Vulnerability on a Third-Party Rendering Engine Group Sign-Up Restriction Bypass Mirror Project Owner Impersonation Missing Permission Check on Fork...
salt -- multiple vulnerabilities in salt-master process
F-Secure reports: CVE-2020-11651 - Authentication bypass vulnerabilities The ClearFuncs class processes unauthenticated requests and unintentionally exposes the sendpub method, which can be used to queue messages directly on the master publish server. Such messages can be used to trigger minions ...
nested filters leads to stack overflow
Howard Chu reports: nested filters leads to stack overflow...
mailman -- arbitrary content injection vulnerability via options or private archive login pages
Mark Sapiro reports: A content injection vulnerability via the options login page has been discovered and reported by Vishal Singh. An issue similar to CVE-2018-13796 exists at different endpoint & param. It can lead to a phishing attack. added 2020-05-07 This is essentially the same as...
ansible - win_unzip path normalization
Borja Tarraso reports: A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the winunzip module as the extracted files are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by...
OpenSMTPd -- critical LPE / RCE vulnerability
OpenSMTPD developers report: An incorrect check allows an attacker to trick mbox delivery into executing arbitrary commands as root and lmtp delivery into executing arbitrary commands as an unprivileged user...
libxml -- multiple vulnerabilities
CVE mitre reports: CVE-2019-20388 xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak. CVE-2020-7595 xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. CVE-2020-24977 GNOME project libxml2...
unbound -- parsing vulnerability
Unbound Security Advisories: Recent versions of Unbound contain a vulnerability that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with --enable-ipsecmod support, and ipsecmod is enabled and used in the...
samba -- combination of parameters and permissions can allow user to escape from the share path definition
The samba project reports: On a Samba SMB server for all versions of Samba from 4.9.0 clients are able to escape outside the share root directory if certain configuration parameters set in the smb.conf file...
drupal -- Drupal core - Moderately critical
Drupal Security Team reports: CVE-2019-10909: Escape validation messages in the PHP templating engine. CVE-2019-10910: Check service IDs are valid. CVE-2019-10911: Add a separator in the remember me cookie hash. jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extendtrue...
turnserver -- multiple vulnerabilities
Mihály Mészáros reports: We made 4.5.1.0 release public today that fixes many vulnerabilities. It fix the following vulnerabilities: CVE-2018-4056 CVE-2018-4058 CVE-2018-4059 They will be exposed very soon...
asterisk -- Remote crash vulnerability with SDP protocol violation
The Asterisk project reports: When Asterisk makes an outgoing call, a very specific SDP protocol violation by the remote party can cause Asterisk to crash...
Libgit2 -- Fixing insufficient validation of submodule names
The Git community reports: Insufficient validation of submodule names...
phpMyAdmin -- self XSS in central columns feature
The phpMyAdmin team reports: Summary Self XSS in central columns feature Description A self-cross site scripting XSS vulnerability has been reported relating to the central columns feature. Severity We consider this vulnerability to be of moderate severity. Mitigation factor A valid token must be...
xorg-server -- multiple vulnerabilities
Alan Coopersmith reports: X.Org thanks Michal Srb of SuSE for finding these issues and bringing them to our attention, Julien Cristau of Debian for getting the fixes integrated, and Adam Jackson of Red Hat for publishing the release...
Mercurial -- multiple vulnerabilities
Mercurial Release Notes: CVE-2017-1000115 Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository. CVE-2017-1000116 Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a...
kauth: Local privilege escalation
Albert Astals Cid reports: KAuth contains a logic flaw in which the service invoking dbus is not properly checked. This allows spoofing the identity of the caller and with some carefully crafted calls can lead to gaining root from an unprivileged account...
ansible -- Input validation flaw in jinja2 templating system
RedHat security team reports: An input validation flaw was found in Ansible, where it fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup calls, they could inject Unicode strings to be parsed by the jinja2 templating system, result in code...
cURL -- potential memory disclosure
The cURL project reports: There were two bugs in curl's parser for the command line option --write-out or -w for short that would skip the end of string zero byte if the string ended in a % percent or \ backslash, and it would read beyond that buffer in the heap memory and it could then potential...
OpenEXR -- multiple remote code execution and denial of service vulnerabilities
Brandon Perry reports: There is a zip file of EXR images that cause segmentation faults in the OpenEXR library tested against 2.2.0. CVE-2017-9110 In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash. CVE-2017-9111 In OpenEXR...
xen-kernel -- x86 PV guests may be able to mask interrupts
The Xen Project reports: Certain PV guest kernel operations page table writes in particular need emulation, and use Xen's general x86 instruction emulator. This allows a malicious guest kernel which asynchronously modifies its instruction stream to effect the clearing of EFLAGS.IF from the state...
exim -- DKIM private key leak
The Exim project reports: Exim leaks the private DKIM signing key to the log files. Additionally, if the build option EXPERIMENTALDSNINFO=yes is used, the key material is included in the bounce message...
subversion -- Unrestricted XML entity expansion in mod_dontdothat and Subversionclients using http(s)
The Apache Software Foundation reports: The moddontdothat module of subversion and subversion clients using https:// are vulnerable to a denial-of-service attack, caused by exponential XML entity expansion. The attack targets XML parsers causing targeted process to consume excessive amounts of...
xen-kernel -- guest 32-bit ELF symbol table load leaking host data
The Xen Project reports: Along with their main kernel binary, unprivileged guests may arrange to have their Xen environment load kernel symbol tables for their use. The ELF image metadata created for this purpose has a few unused bytes when the symbol table binary is in 32-bit ELF format. These...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 21 security fixes in this release, including: 645211 High CVE-2016-5181: Universal XSS in Blink. Credit to Anonymous 638615 High CVE-2016-5182: Heap overflow in Blink. Credit to Giwan Go of STEALIEN 645122 High CVE-2016-5183: Use after free in PDFium. Credit to...
MySQL -- Multiple vulnerabilities
Oracle reports: The quarterly Critical Patch Update contains 22 new security fixes for Oracle MySQL 5.5.49, 5.6.30, 5.7.13 and earlier...
libreoffice -- use-after-free vulnerability
Talos reports: An exploitable Use After Free vulnerability exists in the RTF parser LibreOffice. A specially crafted file can cause a use after free resulting in a possible arbitrary code execution. To exploit the vulnerability a malicious file needs to be opened by the user via vulnerable...
expat2 -- denial of service
Adam Maris reports: It was found that original patch for issues CVE-2015-1283 and CVE-2015-2716 used overflow checks that could be optimized out by some compilers applying certain optimization settings, which can cause the vulnerability to remain even after applying the patch...
xercesi-c3 -- multiple vulnerabilities
Apache reports: The Xerces-C XML parser fails to successfully parse a DTD that is deeply nested, and this causes a stack overflow, which makes a denial of service attack against many applications possible by an unauthenticated attacker. Also, CVE-2016-2099: Use-after-free vulnerability in...
php -- multiple vulnerabilities
The PHP Group reports: BCMath: Fixed bug 72093 bcpowmod accepts negative scale and corrupts one definition. Exif: Fixed bug 72094 Out of bounds heap read access in exif header processing. GD: Fixed bug 71912 libgd: signedness vulnerability. CVE-2016-3074 Intl: Fixed bug 72061 Out-of-bounds reads ...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: MFSA 2016-39 Miscellaneous memory safety hazards rv:46.0 / rv:45.1 / rv:38.8 MFSA 2016-42 Use-after-free and buffer overflow in Service Workers MFSA 2016-44 Buffer overflow in libstagefright with CENC offsets MFSA 2016-45 CSP not applied to pages sent with...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 20 security fixes in this release, including: 590275 High CVE-2016-1652: Universal XSS in extension bindings. Credit to anonymous. 589792 High CVE-2016-1653: Out-of-bounds write in V8. Credit to Choongwoo Han. 591785 Medium CVE-2016-1651: Out-of-bounds read in Pdfi...
exim -- local privillege escalation
The Exim development team reports: All installations having Exim set-uid root and using 'perlstartup' are vulnerable to a local privilege escalation. Any user who can start an instance of Exim and this is normally any user can gain root privileges. If you do not use 'perlstartup' you should be sa...
upnp -- multiple vulnerabilities
Matthew Garett reports: Reported this to upstream 8 months ago without response, so: libupnp's default behaviour allows anyone to write to your filesystem. Seriously. Find a device running a libupnp based server Shodan says there's rather a lot, and POST a file to /testfile. Then GET /testfile...
prosody -- multiple vulnerabilities
The Prosody Team reports: Fix path traversal vulnerability in modhttpfiles CVE-2016-1231 Fix use of weak PRNG in generation of dialback secrets CVE-2016-1232...
tiff -- out-of-bounds read in tif_getimage.c
LMX of Qihoo 360 Codesafe Team discovered an out-of-bounds read in tifgetimage.c. An attacker could create a specially-crafted TIFF file that could cause libtiff to crash...
NSS -- MD5 downgrade in TLS 1.2 signatures
The Mozilla Project reports: Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services NSS where MD5 signatures in the server signature within the TLS 1.2 ServerKeyExchange message are still accepted. This is an issue since NSS has officially disallowed the acceptin...
Bugzilla security issues
Bugzilla Security Advisory During the generation of a dependency graph, the code for the HTML image map is generated locally if a local dot installation is used. With escaped HTML characters in a bug summary, it is possible to inject unfiltered HTML code in the map file which the CreateImagemap...
mediawiki -- multiple vulnerabilities
MediaWiki reports: T117899 SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2015-134 Miscellaneous memory safety hazards rv:43.0 / rv:38.5 MFSA 2015-135 Crash with JavaScript variable assignment with unboxed objects MFSA 2015-136 Same-origin policy violation using perfomance.getEntries and history navigation MFSA 2015-137 Firefox allows...
java -- multiple vulnerabilities
Oracle reports: This Critical Patch Update contains 25 new security fixes for Oracle Java SE. 24 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password...
flash -- remote code execution
Adobe reports: These updates resolve type confusion vulnerabilities that could lead to code execution CVE-2015-7645, CVE-2015-7647, CVE-2015-7648...
elasticsearch -- directory traversal attack via snapshot API
Elastic reports: Vulnerability Summary: Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack. Remediation Summary: Users should upgrade to 1.6.1 or later, or constrain access to the snapshot API to trusted sources...
Adobe Flash Player -- critical vulnerabilities
Adobe reports: Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit targeting CVE-2015-5119 has been publicly published...
rubygem-paperclip -- validation bypass vulnerability
Jon Yurek reports: Thanks to MORI Shingo of DeNA Co., Ltd. for reporting this. There is an issue where if an HTML file is uploaded with a .html extension, but the content type is listed as being image/jpeg, this will bypass a validation checking for images. But it will also pass the spoof check,...