6585 matches found
file -- Heap buffer overflow possible
mitre reports cdfreadpropertyinfo in cdf.c in file through 5.37 does not restrict the number of CDFVECTOR elements, which allows a heap-based buffer overflow 4-byte out-of-bounds write...
xymon-server -- multiple vulnerabilities
Japheth Cleaver reports: Several buffer overflows were reported by University of Cambridge Computer Security Incident Response Team...
asterisk -- Remote Crash Vulnerability in chan_sip channel driver
The Asterisk project reports: When T.38 faxing is done in Asterisk a T.38 reinvite may be sent to an endpoint to switch it to T.38. If the endpoint responds with an improperly formatted SDP answer including both a T.38 UDPTL stream and an audio or video stream containing only codecs not allowed o...
asterisk -- Remote crash vulnerability with MESSAGE messages
The Asterisk project reports: A specially crafted SIP in-dialog MESSAGE message can cause Asterisk to crash...
bro -- Unsafe integer conversions can cause unintentional code paths to be executed
Jon Siwek of Corelight reports: The following Denial of Service vulnerabilities are addressed: Integer type mismatches in BinPAC-generated parser code and Bro analyzer code may allow for crafted packet data to cause unintentional code paths in the analysis logic to be taken due to unsafe integer...
moodle -- Login CSRF vulnerability
moodle reports: The login form is not protected by a token to prevent login cross-site request forgery...
chromium -- Incorrect handling of CSP header
Google Chrome Releases reports: 1 security fix contributed by external researchers: 845961 High CVE-2018-6148: Incorrect handling of CSP header. Reported by Michal Bentkowski on 2018-05-23...
rails-html-sanitizer -- possible XSS vulnerability
OSS-Security list: There is a possible XSS vulnerability in rails-html-sanitizer. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is...
irssi -- multiple vulnerabilities
Irssi reports: Use after free when server is disconnected during netsplits. Found by Joseph Bisch. Use after free when SASL messages are received in unexpected order. Found by Joseph Bisch. Null pointer dereference when an “empty” nick has been observed by Irssi. Found by Joseph Bisch. When the...
LibreOffice -- Remote arbitrary file disclosure vulnerability via WEBSERVICE formula
LibreOffice reports: LibreOffice Calc supports a WEBSERVICE function to obtain data by URL. Vulnerable versions of LibreOffice allow WEBSERVICE to take a local file URL e.g file:// which can be used to inject local files into the spreadsheet without warning the user. Subsequent formulas can opera...
mbed TLS (PolarSSL) -- remote code execution
Simon Butcher reports: When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet can be used to selectively corrupt 6 bytes on the peer's heap, potentially leading to a crash or remote code execution. This can be triggered remotely from either side in bo...
w3m - multiple vulnerabilities
Tatsuya Kinoshita reports: CVE-2018-6196 table.c: Prevent negative indent value in feedtableblocktag. CVE-2018-6197 form.c: Prevent invalid columnPos call in formUpdateBuffer. CVE-2018-6198 config.h.dist, config.h.in, configure, configure.ac, main.c, rc.c: Make temporary directory safely when /.w...
powerdns-recursor -- insufficient validation of DNSSEC signatures
PowerDNS Security Advisory reports: An issue has been found in the DNSSEC validation component of PowerDNS Recursor, allowing an ancestor delegation NSEC or NSEC3 record to be used to wrongfully prove the non-existence of a RR below the owner name of that record. This would allow an attacker in...
ruby -- Command injection vulnerability in Net::FTP
Etienne Stalmans from the Heroku product security team reports: There is a command injection vulnerability in Net::FTP bundled with Ruby. Net::FTPget, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernelopen to open a local file. If the localfile argument starts with the pip...
chromium -- multiple vulnerabilities
Google Chrome releases reports: 3 security fixes in this release, including: 765433 High CVE-2017-5121: Out-of-bounds access in V8. Reported by Jordan Rabet, Microsoft Offensive Security Research and Microsoft ChakraCore team on 2017-09-14 752423 High CVE-2017-5122: Out-of-bounds access in V8...
libraw -- buffer overflow
libraw developers report: LibRaw before 0.18.4 has a heap-based Buffer Overflow in the processCanonCameraInfo function via a crafted file...
FFmpeg -- multiple vulnerabilities
FFmpeg security reports: Multiple vulnerabilities have been fixed in FFmpeg 3.3.4. Please refer to the CVE list for details...
libsndfile -- out-of-bounds reads
Xin-Jiang on Github reports: CVE-2017-14245 Medium: An out of bounds read in the function d2alawarray in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values. CVE-2017-14246 Medium: An out of...
ansible -- information disclosure flaw
ansible developers report: Ansible versions 2.2.3 and earlier are vulnerable to an information disclosure flaw due to the interaction of call back plugins and the nolog directive where the information may not be sanitized properly...
Cacti -- Cross-site scripting (XSS) vulnerability in link.php
kimiizhang reports: Cross-site scripting XSS vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter...
libgcrypt -- side-channel attack on RSA secret keys
GnuPG reports: Mitigate a flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster"...
heimdal -- bypass of capath policy
Viktor Dukhovni reports: Commit f469fc6 2010-10-02 inadvertently caused the previous hop realm to not be added to the transit path of issued tickets. This may, in some cases, enable bypass of capath policy in Heimdal versions 1.5 through 7.2. Note, this may break sites that rely on the bug. With...
samba -- symlink race allows access outside share definition
Samba team reports: A time-of-check, time-of-use race condition can allow clients to access non-exported parts of the file system via symlinks...
collectd5 -- Denial of service by sending a signed network packet to a server which is not set up to check signatures
marcinguy reports: After sending this payload, collectd seems to be entering endless while loop in packetparse consuming high CPU resources, possibly crash/gets killed after a while...
GnuTLS -- Memory corruption vulnerabilities
The GnuTLS project reports: It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted OpenPGP certificate could lead to heap and stack overflows. GNUTLS-SA-2017-2 It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted X.509 certificat...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 4 security fixes in this release, including: 643948 High CVE-2016-5199: Heap corruption in FFmpeg. Credit to Paul Mehta 658114 High CVE-2016-5200: Out of bounds memory access in V8. Credit to Choongwoo Han 660678 Medium CVE-2016-5201: Info leak in extensions. Credi...
xen-kernel -- use after free in FIFO event channel code
The Xen Project reports: When the EVTCHNOPinitcontrol operation is called with a bad guest frame number, it takes an error path which frees a control structure without also clearing the corresponding pointer. Certain subsequent operations EVTCHNOPexpandarray or another EVTCHNOPinitcontrol, upon...
gnupg -- attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output
Werner Koch reports: There was a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions...
xen-kernel -- x86: Privilege escalation in PV guests
The Xen Project reports: The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases e.g. clearing only Access/Dirty bits. The bits considered safe were too broad, and not actually safe. A malicious PV guest administrato...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 3 security fixes in this release, including: 620742 CVE-2016-1704: Various fixes from internal audits, fuzzing and other initiatives...
p7zip -- heap overflow vulnerability
Cisco Talos reports: An exploitable heap overflow vulnerability exists in the NArchive::NHfs::CHandler::ExtractZlibFile method functionality of 7zip that can lead to arbitrary code execution...
cacti -- multiple vulnerabilities
The Cacti Group, Inc. reports: Changelog bug:0002667: Cacti SQL Injection Vulnerability bug:0002673: CVE-2016-3659 - Cacti graphview.php SQL Injection Vulnerability bug:0002656: Authentication using web authentication as a user not in the cacti database allows complete access regression...
firefox -- Same-origin-policy violation using Service Workers with plugins
The Mozilla Foundation reports: MFSA 2016-13 Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a servic...
pcre -- stack buffer overflow
Philip Hazel reports: PCRE does not validate that handling the ACCEPT verb will occur within the bounds of the cworkspace stack buffer, leading to a stack buffer overflow...
phpmyadmin -- XSS vulnerability in normalization page
The phpMyAdmin development team reports: With a crafted table name it is possible to trigger an XSS attack in the database normalization page. We consider this vulnerability to be non-critical. This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token...
radicale -- multiple vulnerabilities
Radicale reports: The multifilesystem backend allows access to arbitrary files on all platforms. Prevent regex injection in rights management...
kea -- unexpected termination while handling a malformed packet
ISC Support reports: ISC Kea may terminate unexpectedly crash while handling a malformed client packet. Related defects in the kea-dhcp4 and kea-dhcp6 servers can cause the server to crash during option processing if a client sends a malformed packet. An attacker sending a crafted malformed packe...
libpng buffer overflow in png_set_PLTE
libpng reports: CVE for a vulnerability in libpng, all versions, in the pngsetPLTE/pnggetPLTE functions. These functions failed to check for an out-of-range palette when reading or writing PNG files with a bitdepth less than 8. Some applications might read the bit depth from the IHDR chunk and...
wireshark -- Pcapng file parser crash
Wireshark development team reports: The following vulnerability has been fixed. wnpa-sec-2015-30 Pcapng file parser crash. Bug 11455...
p5-HTML-Scrubber -- XSS vulnerability
MITRE reports: Cross-site scripting XSS vulnerability in the HTML-Scrubber module before 0.15 for Perl, when the comment feature is enabled, allows remote attackers to inject arbitrary web script or HTML via a crafted comment...
optipng -- multiple vulnerabilities
ifread.c in gif2png, as used in OptiPNG before 0.7.6, allows remote attackers to cause a denial of service uninitialized memory read via a crafted GIF file. The bmpreadrows function in pngxtern/pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service invalid memory...
libvpx -- multiple buffer overflows
The Mozilla Project reports: Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover two buffer overflow issues in the Libvpx library used for WebM video when decoding a malformed WebM video file. These buffer overflows result in...
vorbis-tools, opus-tools -- multiple vulnerabilities
Paris Zoumpouloglou reports: I discovered an integer overflow issue in oggenc, related to the number of channels in the input WAV file. The issue triggers an out-of-bounds memory access which causes oggenc to crash. Paris Zoumpouloglou reports: A crafted WAV file with number of channels set to 0...
FreeBSD -- shell injection vulnerability in patch(1)
Problem Description: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch1 to pass certain ed1 scripts to the ed1 editor, which would run commands. Impact: This issue could be exploited to execute arbitrary commands as the user invoking patch1...
subversion -- multiple vulnerabilities
Subversion reports: CVE-2015-3184: Subversion's modauthzsvn does not properly restrict anonymous access in some mixed anonymous/authenticated environments when using Apache httpd 2.4. CVE-2015-3187: Subversion servers, both httpd and svnserve, will reveal some paths that should be hidden by...
bind -- denial of service vulnerability
ISC reports: An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit...
devel/ipython -- remote execution
Kyle Kelley reports: Summary: JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross site scripting attack. This affects use...
www/chromium -- multiple vulnerabilities
Google Chrome Releases reports: 4 security fixes in this release: 464922 High CVE-2015-1266: Scheme validation error in WebUI. Credit to anonymous. 494640 High CVE-2015-1268: Cross-origin bypass in Blink. Credit to Mariusz Mlynski. 497507 Medium CVE-2015-1267: Cross-origin bypass in Blink. Credit...
logstash -- Directory traversal vulnerability in the file output plugin
Elastic reports: An attacker could use the File output plugin with dynamic field references in the path option to traverse paths outside of Logstash directory. This technique could also be used to overwrite any files which can be accessed with permissions associated with Logstash user. This relea...
suricata -- TLS/DER Parser Bug (DoS)
OISF Development Team reports: The OISF development team is pleased to announce Suricata 2.0.8. This release fixes a number of issues in the 2.0 series. The most important issue is a bug in the DER parser which is used to decode SSL/TLS certificates could crash Suricata. This issue was reported b...