6585 matches found
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 50 security fixes in this release, including: 223962270758271161284785284786 Medium CVE-2013-2906: Races in Web Audio. Credit to Atte Kettunen of OUSPG. 260667 Medium CVE-2013-2907: Out of bounds read in Window.prototype object. Credit to Boris Zbarsky. 265221 Medi...
FreeBSD -- Privilege escalation via mmap
Due to insufficient permission checks in the virtual memory system, a tracing process such as a debugger may be able to modify portions of the traced process's address space to which the traced process itself does not have write access...
ruby -- Object taint bypassing in DL and Fiddle in Ruby
Ruby Developers report: There is a vulnerability in DL and Fiddle in Ruby where tainted strings can be used by system calls regardless of the $SAFE level set in Ruby. Native functions exposed to Ruby with DL or Fiddle do not check the taint values set on the objects passed in. This can result in...
Joomla! -- XXS and DDoS vulnerabilities
The JSST and the Joomla! Security Center report: 20130405 - Core - XSS Vulnerability Inadequate filtering leads to XSS vulnerability in Voting plugin. 20130403 - Core - XSS Vulnerability Inadequate filtering allows possibility of XSS exploit in some circumstances. 20130402 - Core - Information...
puppet26 -- multiple vulnerabilities
Moses Mendoza reports: A vulnerability found in Puppet could allow an authenticated client to cause the master to execute arbitrary code while responding to a catalog request. Specifically, in order to exploit the vulnerability, the puppet master must be made to invoke the 'template' or...
linux-flashplugin -- multiple vulnerabilities
Adobe reports: These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system...
libjpeg-turbo -- heap-based buffer overflow
The Changelog for version 1.2.1 says: Fixed a regression caused by 1.2.06 in which decompressing corrupt JPEG images specifically, images in which the component count was erroneously set to a large value would cause libjpeg-turbo to segfault. A Heap-based buffer overflow was found in the way...
rssh -- arbitrary command execution
Derek Martin rssh maintainer reports: Henrik Erkkonen has discovered that, through clever manipulation of environment variables on the ssh command line, it is possible to circumvent rssh. As far as I can tell, there is no way to effect a root compromise, except of course if the root account is th...
libtasn1 -- ASN.1 length decoding vulnerability
Mu Dynamics, Inc. reports: Various functions using the ASN.1 length decoding logic in Libtasn1 were incorrectly assuming that the return value from asn1getlengthder is always less than the length of the enclosing ASN.1 structure, which is only true for valid structures and not for intentionally...
chromium -- Errant plug-in load and GPU process memory corruption
Google Chrome Releases reports: 117620 117656 Critical CVE-2011-3047: Errant plug-in load and GPU process memory corruption. Credit to PinkiePie...
bugzilla Cross-Site Request Forgery
A Bugzilla Security Advisory reports: The following security issues have been discovered in Bugzilla: Due to a lack of validation of the enctype form attribute when making POST requests to xmlrpc.cgi, a possible CSRF vulnerability was discovered. If a user visits an HTML page with some malicious...
dropbear -- arbitrary code execution
The Dropbear project reports: Dropbear SSH Server could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a use-after- free error. If a command restriction is enforced, an attacker could exploit this vulnerability to execute arbitrary code on the system with...
mozilla -- heap-buffer overflow
The Mozilla Project reports: MFSA 2012-11 libpng integer overflow...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 105803 High CVE-2011-3015: Integer overflows in PDF codecs. Credit to Google Chrome Security Team scarybeasts. 106336 Medium CVE-2011-3016: Read-after-free with counter nodes. Credit to miaubiz. 108695 High CVE-2011-3017: Possible use-after-free in database handlin...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 81753 Medium CVE-2011-3903: Out-of-bounds read in regex matching. Credit to David Holloway of the Chromium development community. 95465 Low CVE-2011-3905: Out-of-bounds reads in libxml. Credit to Google Chrome Security Team Inferno. 98809 Medium CVE-2011-3906:...
asterisk -- Multiple Vulnerabilities
Asterisk project reports: It is possible to enumerate SIP usernames when the general and user/peer NAT settings differ in whether to respond to the port a request is sent from or the port listed for responses in the Via header. When the "automon" feature is enabled in features.conf, it is possibl...
Xorg server -- two vulnerabilities in X server lock handling code
Matthieu Herrb reports: It is possible to deduce if a file exists or not by exploiting the way that Xorg creates its lock files. This is caused by the fact that the X server is behaving differently if the lock file already exists as a symbolic link pointing to an existing or non-existing file. It...
Unbound -- an empty error packet handling assertion failure
Unbound developer reports: NLnet Labs was notified of an error in Unbound's code-path for error replies which is triggered under special conditions. The error causes the program to abort...
Drupal Views plugin -- cross-site scripting
Drupal security team reports: The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented. Under certain circumstances, Views could display parts of the page path without escaping, resulting in a relected Cross Site Scripting XSS...
php5 -- Denial of Service in php_date_parse_tzfile()
MITRE CVE team reports: Memory leak in the timezone functionality in PHP before 5.3.9 allows remote attackers to cause a denial of service memory consumption by triggering many strtotime function calls, which are not properly handled by the phpdateparsetzfile cache...
OpenTTD -- Denial of service (server/client) via invalid read
The OpenTTD Team reports: When a client disconnects, without sending the "quit" or "client error" message, the server has a chance of reading and writing a just freed piece of memory. The writing can only happen while the server is sending the map. Depending on what happens directly after freeing...
bzip2 -- integer overflow vulnerability
Secunia reports: A vulnerability has been reported in bzip2, which can be exploited by malicious people to cause a DoS Denial of Service or potentially compromise a vulnerable system. The vulnerability is caused due to an integer overflow in the "BZ2decompress" function in decompress.c and can be...
wireshark -- DOCSIS dissector denial of service
A vulnerability found in the DOCSIS dissector can cause Wireshark to crash when a malformed packet trace file is opened. This means that an attacker will have to trick a victim into opening such a trace file before being able to crash the application...
krb5 -- KDC double free vulnerability
The MIT Kerberos team reports: An authenticated remote attacker can crash the KDC by inducing the KDC to perform a double free. Under some circumstances on some platforms, this could also allow malicious code execution...
MoinMoin -- cross-site scripting vulnerabilities
The MoinMoin developers reports: Fix XSS in Despam action CVE-2010-0828 Fix XSS issues by escaping template name in messages by fixing other places that had similar issues...
pligg -- Cross-Site Scripting and Cross-Site Request Forgery
secunia reports: Russ McRee has discovered some vulnerabilities in Pligg, which can be exploited by malicious people to conduct cross-site scripting and request forgery attacks. Input passed via the "Referer" HTTP header to various scripts e.g. admin/adminconfig.php, admin/adminmodules.php,...
opera -- multiple vulnerabilities
Opera Team reports: An unspecified error in the processing of JPEG images can be exploited to trigger a memory corruption. An error can be exploited to execute arbitrary script code in a different domain via unspecified plugins. An unspecified error has a "moderately severe" impact. No further...
curl -- cURL/libcURL Location: Redirect URLs Security Bypass
Secunia reports: The security issue is caused due to cURL following HTTP Location: redirects to e.g. scp:// or file:// URLs which can be exploited by a malicious HTTP server to overwrite or disclose the content of arbitrary local files and potentially execute arbitrary commands via specially...
FreeBSD -- Cross-site request forgery in ftpd(8)
Problem Description: The ftpd8 server splits long commands into several requests. This may result in the server executing a command which is hidden inside another very long command. Impact: This could, with a specifically crafted command, be used in a cross-site request forgery attack. FreeBSD...
opera -- multiple vulnerabilities
The Opera Team reports: Manipulating certain text-area contents can cause a buffer overflow, which may be exploited to execute arbitrary code. Certain HTML constructs can cause the resulting DOM to change unexpectedly, which triggers a crash. To inject code, additional techniques will have to be...
syslog-ng2 -- startup directory leakage in the chroot environment
Florian Grandel reports: I have not had the time to analyze all of syslog-ng code. But by reading the code section near the chroot call and looking at strace results I believe that syslog-ng does not chdir to the chroot jail's location before chrooting into it. This opens up ways to work around t...
nagios -- web interface privilege escalation vulnerability
securityfocus reports: An attacker with low-level privileges may exploit this issue to bypass authorization and cause arbitrary commands to run within the context of the Nagios server. This may aid in further attacks...
enscript -- arbitrary code execution vulnerability
Ulf Harnhammar of Secunia Research reports: Stack-based buffer overflow in the readspecialescape function in src/psgen.c in GNU Enscript 1.6.1 and 1.6.4 beta, when the -e aka special escapes processing option is enabled, allows user-assisted remote attackers to execute arbitrary code via a crafte...
FreeBSD -- nmount(2) local arbitrary code execution
Problem Description: Various user defined input such as mount points, devices, and mount options are prepared and passed as arguments to nmount2 into the kernel. Under certain error conditions, user defined data will be copied into a stack allocated buffer stored in the kernel without sufficient...
clamav -- CHM Processing Denial of Service
Hanno Boeck reports: A fuzzing test showed weakness in the chm parser of clamav, which can possibly be exploited. The clamav team has disabled the chm module in older versions though freshclam updates and has released 0.94 with a fixed parser...
FreeType 2 -- Multiple Vulnerabilities
Secunia reports: An integer overflow error exists in the processing of PFB font files. This can be exploited to cause a heap-based buffer overflow via a PFB file containing a specially crafted "Private" dictionary table. An error in the processing of PFB font files can be exploited to trigger the...
moinmoin -- superuser privilege escalation
MoinMoin team reports: A check in the userform processing was not working as expected and could be abused for ACL and superuser privilege escalation...
openfire -- unspecified denial of service
Secunia reports: A vulnerability has been reported in Openfire, which can be exploited by malicious people to cause a Denial of Service. The vulnerability is caused due to an unspecified error and can be exploited to cause a Denial of Service...
dovecot -- Specific LDAP + auth cache configuration may mix up user logins
Dovecot reports: If two users with the same password and same passfilter variables log in within authcachettl seconds 1h by default, the second user may get logged in with the first user's cached passattrs. For example if passattrs contained the user's home/mail directory, this would mean that th...
linux-realplayer -- multiple vulnerabilities
Secunia reports: Multiple vulnerabilities have been reported in RealPlayer/RealOne/HelixPlayer, which can be exploited by malicious people to compromise a user's system. An input validation error when processing .RA/.RAM files can be exploited to cause a heap corruption via a specially crafted...
ImageMagick -- multiple vulnerabilities
Multiple vulnerabilities have been discovered in ImageMagick. ImageMagick before 6.3.5-9 allows context-dependent attackers to cause a denial of service via a crafted image file that triggers 1 an infinite loop in the ReadDCMImage function, related to ReadBlobByte function calls; or 2 an infinite...
FreeBSD -- IPv6 Routing Header 0 is dangerous
Problem Description There is no mechanism for preventing IPv6 routing headers from being used to route packets over the same links many times. Impact An attacker can "amplify" a denial of service attack against a link between two vulnerable hosts; that is, by sending a small volume of traffic the...
claws-mail -- APOP vulnerability
CVE reports: The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle MITM attacks that use crafted message IDs and MD5 collisions...
ktorrent -- multiple vulnerabilities
Two problems have been found in KTorrent: KTorrent does not properly sanitize file names to filter out ".." components, so it's possible for an attacker to create a malicious torrent in order to overwrite arbitrary files within the filesystem. Messages with invalid chunk indexes aren't rejected...
WebCalendar -- "noSet" variable overwrite vulnerability
Secunia reports: A vulnerability has been discovered in WebCalendar, which can be exploited by malicious people to compromise a vulnerable system. Input passed to unspecified parameters is not properly verified before being used with the "noSet" parameter set. This can be exploited to overwrite...
dbus -- match_rule_equal() Weakness
Secunia reports: D-Bus have a weakness, which can be exploited by malicious, local users to cause a DoS Denial of Service. An error within the "matchruleequal" function can be exploited to disable the ability of other processes to receive messages by removing their matches from D-Bus...
gtar -- GNUTYPE_NAMES directory traversal vulnerability
Teemu Salmela reports: There is a tar record type, called GNUTYPENAMES an obsolete GNU extension, that allows the creation of symbolic links pointing to arbitrary locations in the filesystem, which makes it possible to create/overwrite arbitrary files...
ImageMagick -- SGI Image File heap overflow vulnerability
SecurityFocus reports about ImageMagick: ImageMagick is prone to a remote heap-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. Exploiting this issue allows attackers to execu...
punbb -- NULL byte injection vulnerability
CVE Mitre reports: PunBB 1.2.12 does not properly handle an avatar directory pathname ending in %00, which allows remote authenticated administrative users to upload arbitrary files and execute code, as demonstrated by a query to adminoptions.php with an avatarsdir parameter ending in %00. NOTE:...
linux-flashplugin7 -- arbitrary code execution vulnerabilities
Adobe reports: Multiple input validation errors have been identified in Flash Player 8.0.24.0 and earlier versions that could lead to the potential execution of arbitrary code. These vulnerabilities could be accessed through content delivered from a remote location via the user?s web browser, ema...