6583 matches found
mozilla -- arbitrary code execution vulnerability
A Mozilla Foundation Security Advisory reports: Plugins such as flash can be used to load privileged content into a frame. Once loaded various spoofs can be applied to get the user to interact with the privileged content. Michael Krax's "Fireflashing" example demonstrates that an attacker can ope...
cyrus-imapd -- multiple buffer overflow vulnerabilities
The Cyrus IMAP Server ChangeLog states: Fix possible single byte overflow in mailbox handling code. Fix possible single byte overflows in the imapd annotate extension. Fix stack buffer overflows in fetchnews exploitable by peer news server, backend exploitable by admin, and in imapd exploitable b...
squid -- denial of service with forged WCCP messages
The squid patches page notes: WCCPISEEYOU messages contain a 'number of caches' field which should be between 1 and 32. Values outside that range may crash Squid if WCCP is enabled, and if an attacker can spoof UDP packets with the WCCP router's IP address...
Cyrus IMAPd -- IMAPMAGICPLUS preauthentification overflow
When the option imapmagicplus is activated on a server the PROXY and LOGIN commands suffer a standard stack overflow, because the username is not checked against a maximum length when it is copied into a temporary stack buffer. This bug is especially dangerous because it can be triggered before a...
gnu-radius -- SNMP-related denial-of-service
An iDEFENSE security advisory reports: Remote exploitation of an input validation error in version 1.2 of GNU radiusd could allow a denial of service. The vulnerability specifically exists within the asndecodestring function defined in snmplib/asn1.c. When a very large unsigned number is supplied...
mozilla -- vCard stack buffer overflow
Georgi Guninski discovered a stack buffer overflow which may be triggered when viewing email messages with vCard attachments...
gaim -- multiple buffer overflows
Sean infamous42md reports several situations in gaim that may result in exploitable buffer overflows: Rich Text Format RTF messages in Novell GroupWise protocol Unsafe use of gethostbyname in zephyr protocol URLs which are over 2048 bytes long once decoded...
apache2 -- SSL remote DoS
The Apache HTTP Server 2.0.51 release notes report that the following issues have been fixed: A segfault in modssl which can be triggered by a malicious remote server, if proxying to SSL servers has been configured. CAN-2004-0751 A potential infinite loop in modssl which could be triggered given...
cvs pserver remote heap buffer overflow
Due to a programming error in code used to parse data received from the client, malformed data can cause a heap buffer to overflow, allowing the client to overwrite arbitrary portions of the server's memory. A malicious CVS client can exploit this to run arbitrary code on the server at the...
CVS path validation errors
Two programming errors were discovered in which path names handled by CVS were not properly validated. In one case, the CVS client accepts absolute path names from the server when determining which files to update. In another case, the CVS server accepts relative path names from the client when...
mozilla -- hostname spoofing bug
When processing URIs that contain an unqualified host name-- specifically, a domain name of only one component-- Mozilla will perform matching against the first component of the domain name in SSL certificates. In other words, in some situations, a certificate issued to "www.example.com" will be...
ruby -- Arbitrary memory address read vulnerability with Regex search
sp2ip reports: If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings...
GLPI -- multiple vulnerabilities
GLPI team reports: GLPI 10.0.15 Changelog SECURITY - high Authenticated SQL injection from map search CVE-2024-31456 SECURITY - high Account takeover via SQL Injection in saved searches feature CVE-2024-29889...
OpenSSL -- Multiple vulnerabilities
The OpenSSL project reports: Excessive time spent checking invalid RSA public keys CVE-2023-6237 PKCS12 Decoding crashes CVE-2024-0727...
chromium -- security fix
Chrome Releases reports: This update includes 1 security fix: 1513379 High CVE-2024-0333: Insufficient data validation in Extensions. Reported by Malcolm Stagg @malcolmst of SODIUM-24, LLC on 2023-12-20...
postgresql-server -- Memory disclosure in aggregate function calls
PostgreSQL Project reports: Certain aggregate function calls receiving "unknown"-type arguments could disclose bytes of server memory from the end of the "unknown"-type value to the next zero byte. One typically gets an "unknown"-type value via a string literal having no type designation. We have...
GnuTLS -- timing sidechannel in RSA decryption
The GnuTLS project reports: A vulnerability was found that the response times to malformed RSA ciphertexts in ClientKeyExchange differ from response times of ciphertexts with correct PKCS1 v1.5 padding. Only TLS ciphertext processing is affected...
Gitlab -- multiple vulnerabilities
Gitlab reports: Account take over via SCIM email change Stored XSS in Jira integration Quick action commands susceptible to XSS IP allowlist bypass when using Trigger tokens IP allowlist bypass when using Project Deploy Tokens Improper authorization in the Interactive Web Terminal Subgroup member...
squid -- Exposure of sensitive information in cache manager
Mikhail Evdokimov aka konata reports: Due to inconsistent handling of internal URIs Squid is vulnerable to Exposure of Sensitive Information about clients using the proxy. This problem allows a trusted client to directly access cache manager information bypassing the manager ACL protection. The...
Asterisk -- multiple vulnerabilities
The Asterisk project reports: AST-2022-001 - When using STIR/SHAKEN, its possible to download files that are not certificates. These files could be much larger than what you would expect to download. AST-2022-002 - When using STIR/SHAKEN, its possible to send arbitrary requests like GET to...
py-httpie -- exposure of sensitive information vulnerabilities
Glyph reports: HTTPie is a command-line HTTP client. HTTPie has the practical concept of sessions, which help users to persistently store some of the state that belongs to the outgoing requests and incoming responses on the disk for further usage. Before 3.1.0, HTTPie didn't distinguish between...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 22 security fixes, including: 1267661 High CVE-2021-4052: Use after free in web apps. Reported by Wei Yuan of MoyunSec VLab on 2021-11-07 1267791 High CVE-2021-4053: Use after free in UI. Reported by Rox on 2021-11-08 1265806 High CVE-2021-4079: Out ...
Node.js -- October 2021 Security Releases
Node.js reports: HTTP Request Smuggling due to spaced in headers MediumCVE-2021-22959 The http parser accepts requests with a space SP right after the header name before the colon. This can lead to HTTP Request Smuggling HRS. HTTP Request Smuggling when parsing the body MediumCVE-2021-22960 The...
go -- misc/wasm, cmd/link: do not let command line arguments overwrite global data
The Go project reports: When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments. If using wasmexec.js to execute WASM modules, users will need to replace their copy aft...
chromium -- multiple vulnerabilities
Chrome Releases reports: This update contains 19 security fixes, including: 1243117 High CVE-2021-37956: Use after free in Offline use. Reported by Huyna at Viettel Cyber Security on 2021-08-24 1242269 High CVE-2021-37957: Use after free in WebGPU. Reported by Looben Yang on 2021-08-23 1223290 Hi...
Gitlab -- Vulnerabilities
Gitlab reports: Stored XSS in DataDog Integration Invited group members continue to have project access even after invited group is deleted Specially crafted requests to apollouploadserver middleware leads to denial of service Privilege escalation of an external user through project token Missing...
consul -- rpc: authorize raft requests
Hashicorp reports: HashiCorp Consul Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation...
Matrix clients -- several vulnerabilities
Matrix developers report: Today we are disclosing a critical security issue affecting multiple Matrix clients and libraries including Element Web/Desktop/Android, FluffyChat, Nheko, Cinny, and SchildiChat. Specifically, in certain circumstances it may be possible to trick vulnerable clients into...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 10 security fixes, including: 1227777 High CVE-2021-30590: Heap buffer overflow in Bookmarks. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-07-09 1229298 High CVE-2021-30591: Use after free in File System API. Reported by SorryMybad...
fetchmail -- 6.4.19 and older denial of service or information disclosure
Matthias Andree reports: When a log message exceeds c. 2 kByte in size, for instance, with very long header contents, and depending on verbosity option, fetchmail can crash or misreport each first log message that requires a buffer reallocation...
Rails -- multiple vulnerabilities
Ruby on Rails blog: Rails versions 6.1.3.2, 6.0.3.7, and 5.2.6 have been released! These releases contain important security fixes. Here is a list of the issues fixed: CVE-2021-22885: Possible Information Disclosure / Unintended Method Execution in Action Pack CVE-2021-22902: Possible Denial of...
Gitlab -- vulnerability
The GitLab Team reports: Ability to steal a user's API access token through GitLab Pages...
Node.js -- November 2020 Security Releases
Node.js reports: Updates are now available for v12.x, v14.x and v15.x Node.js release lines for the following issues. Denial of Service through DNS request CVE-2020-8277 A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of...
salt -- multiple vulnerabilities
SaltStack reports multiple security vulnerabilities in Salt 3002: CVE-2020-16846: Prevent shell injections in netapi ssh client. CVE-2020-17490: Prevent creating world readable private keys with the tls execution module. CVE-2020-25592: Properly validate eauth credentials and tokens along with...
Django -- multiple vulnerabilities
Django Release notes: CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+ On Python 3.7+, FILEUPLOADDIRECTORYPERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static...
Icinga Web 2 -- directory traversal vulnerability
Icinga development team reports: CVE-2020-24368 Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4,...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 15 security fixes, including: 1107433 High CVE-2020-6542: Use after free in ANGLE. Reported by Piotr Bania of Cisco Talos on 2020-07-20 1104046 High CVE-2020-6543: Use after free in task scheduling. Reported by Looben Yang on 2020-07-10 1108497 High...
FreeBSD -- IPv6 socket option race condition and use after free
Problem Description: The IPV62292PKTOPTIONS set handler was missing synchronization, so racing accesses could modify freed memory. Impact: A malicious user application could trigger memory corruption, leading to privilege escalation...
glpi -- SQL Injection in Search API
MITRE Corporation reports: In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or databa...
ceph14 -- HTTP header injection via CORS ExposeHeader tag
Red Hat bugzilla reports: A flaw was found in the Red Hat Ceph Storage RadosGW Ceph Object Gateway. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection ...
mail/dovecot -- multiple vulnerabilities
Aki Tuomi reports: Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of stack memory.. Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash...
py-yaml -- FullLoader (still) exploitable for arbitrary command execution
Riccardo Schirone https://github.com/ret2libc reports: In FullLoader python/object/new constructor, implemented by constructpythonobjectapply, has support for setting the state of a deserialized instance through the setpythoninstancestate method. After setting the state, some operations are...
librsvg2 -- multiple vulnerabilities
Librsvg2 developers reports: Backport the following fixes from 2.46.x: Librsvg now has limits on the number of loaded XML elements, and the number of referenced elements within an SVG document. This is to mitigate malicious SVGs which try to consume all memory, and those which try to consume an...
cacti -- multiple vulnerabilities
The Cacti developers reports: When guest users have access to realtime graphs, remote code could be executed CVE-2020-8813. Lack of escaping on some pages can lead to XSS exposure CVE-2020-7106. Remote Code Execution due to input validation failure in Performance Boost Debug Log CVE-2020-7237...
FreeBSD -- EAP-pwd side-channel attack
Problem Description: Potential side channel attacks in the SAE implementations used by both hostapd and wpasupplicant see CVE-2019-9494 and VU871675. EAP-pwd uses a similar design for deriving PWE from the password and while a specific attack against EAP-pwd is not yet known to be tested, there i...
Gitlab -- Group Runner Registration Token Exposure
Gitlab reports: Group Runner Registration Token Exposure...
clamav -- multiple vulnerabilities
Clamav reports: An out-of-bounds heap read condition may occur when scanning PDF documents An out-of-bounds heap read condition may occur when scanning PE files An out-of-bounds heap write condition may occur when scanning OLE2 files An out-of-bounds heap read condition may occur when scanning...
Gitlab -- Multiple vulnerabilities
Gitlab reports: Arbitrary file read via MergeRequestDiff CSRF add Kubernetes cluster integration Blind SSRF in prometheus integration Merge request information disclosure IDOR milestone name information disclosure Burndown chart information disclosure Private merge request titles in public projec...
joomla3 -- vulnerabilitiesw
JSST reports: Inadequate escaping in modbanners leads to a stored XSS vulnerability. Inadequate escaping in comcontact leads to a stored XSS vulnerability Inadequate checks at the Global Configuration Text Filter settings allowed a stored XSS. Inadequate checks at the Global Configuration helpurl...
FreeBSD -- Resource exhaustion in TCP reassembly
Problem Description: One of the data structures that holds TCP segments uses an inefficient algorithm to reassemble the data. This causes the CPU time spent on segment processing to grow linearly with the number of segments in the reassembly queue. Impact: An attacker who has the ability to send...