6585 matches found
mozilla -- heap-buffer overflow
The Mozilla Project reports: MFSA 2012-11 libpng integer overflow...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 105803 High CVE-2011-3015: Integer overflows in PDF codecs. Credit to Google Chrome Security Team scarybeasts. 106336 Medium CVE-2011-3016: Read-after-free with counter nodes. Credit to miaubiz. 108695 High CVE-2011-3017: Possible use-after-free in database handlin...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 81753 Medium CVE-2011-3903: Out-of-bounds read in regex matching. Credit to David Holloway of the Chromium development community. 95465 Low CVE-2011-3905: Out-of-bounds reads in libxml. Credit to Google Chrome Security Team Inferno. 98809 Medium CVE-2011-3906:...
asterisk -- Multiple Vulnerabilities
Asterisk project reports: It is possible to enumerate SIP usernames when the general and user/peer NAT settings differ in whether to respond to the port a request is sent from or the port listed for responses in the Via header. When the "automon" feature is enabled in features.conf, it is possibl...
Xorg server -- two vulnerabilities in X server lock handling code
Matthieu Herrb reports: It is possible to deduce if a file exists or not by exploiting the way that Xorg creates its lock files. This is caused by the fact that the X server is behaving differently if the lock file already exists as a symbolic link pointing to an existing or non-existing file. It...
Unbound -- an empty error packet handling assertion failure
Unbound developer reports: NLnet Labs was notified of an error in Unbound's code-path for error replies which is triggered under special conditions. The error causes the program to abort...
php5 -- Denial of Service in php_date_parse_tzfile()
MITRE CVE team reports: Memory leak in the timezone functionality in PHP before 5.3.9 allows remote attackers to cause a denial of service memory consumption by triggering many strtotime function calls, which are not properly handled by the phpdateparsetzfile cache...
OpenTTD -- Denial of service (server/client) via invalid read
The OpenTTD Team reports: When a client disconnects, without sending the "quit" or "client error" message, the server has a chance of reading and writing a just freed piece of memory. The writing can only happen while the server is sending the map. Depending on what happens directly after freeing...
bzip2 -- integer overflow vulnerability
Secunia reports: A vulnerability has been reported in bzip2, which can be exploited by malicious people to cause a DoS Denial of Service or potentially compromise a vulnerable system. The vulnerability is caused due to an integer overflow in the "BZ2decompress" function in decompress.c and can be...
wireshark -- DOCSIS dissector denial of service
A vulnerability found in the DOCSIS dissector can cause Wireshark to crash when a malformed packet trace file is opened. This means that an attacker will have to trick a victim into opening such a trace file before being able to crash the application...
krb5 -- KDC double free vulnerability
The MIT Kerberos team reports: An authenticated remote attacker can crash the KDC by inducing the KDC to perform a double free. Under some circumstances on some platforms, this could also allow malicious code execution...
MoinMoin -- cross-site scripting vulnerabilities
The MoinMoin developers reports: Fix XSS in Despam action CVE-2010-0828 Fix XSS issues by escaping template name in messages by fixing other places that had similar issues...
pligg -- Cross-Site Scripting and Cross-Site Request Forgery
secunia reports: Russ McRee has discovered some vulnerabilities in Pligg, which can be exploited by malicious people to conduct cross-site scripting and request forgery attacks. Input passed via the "Referer" HTTP header to various scripts e.g. admin/adminconfig.php, admin/adminmodules.php,...
opera -- multiple vulnerabilities
Opera Team reports: An unspecified error in the processing of JPEG images can be exploited to trigger a memory corruption. An error can be exploited to execute arbitrary script code in a different domain via unspecified plugins. An unspecified error has a "moderately severe" impact. No further...
curl -- cURL/libcURL Location: Redirect URLs Security Bypass
Secunia reports: The security issue is caused due to cURL following HTTP Location: redirects to e.g. scp:// or file:// URLs which can be exploited by a malicious HTTP server to overwrite or disclose the content of arbitrary local files and potentially execute arbitrary commands via specially...
FreeBSD -- Cross-site request forgery in ftpd(8)
Problem Description: The ftpd8 server splits long commands into several requests. This may result in the server executing a command which is hidden inside another very long command. Impact: This could, with a specifically crafted command, be used in a cross-site request forgery attack. FreeBSD...
opera -- multiple vulnerabilities
The Opera Team reports: Manipulating certain text-area contents can cause a buffer overflow, which may be exploited to execute arbitrary code. Certain HTML constructs can cause the resulting DOM to change unexpectedly, which triggers a crash. To inject code, additional techniques will have to be...
syslog-ng2 -- startup directory leakage in the chroot environment
Florian Grandel reports: I have not had the time to analyze all of syslog-ng code. But by reading the code section near the chroot call and looking at strace results I believe that syslog-ng does not chdir to the chroot jail's location before chrooting into it. This opens up ways to work around t...
nagios -- web interface privilege escalation vulnerability
securityfocus reports: An attacker with low-level privileges may exploit this issue to bypass authorization and cause arbitrary commands to run within the context of the Nagios server. This may aid in further attacks...
enscript -- arbitrary code execution vulnerability
Ulf Harnhammar of Secunia Research reports: Stack-based buffer overflow in the readspecialescape function in src/psgen.c in GNU Enscript 1.6.1 and 1.6.4 beta, when the -e aka special escapes processing option is enabled, allows user-assisted remote attackers to execute arbitrary code via a crafte...
FreeBSD -- nmount(2) local arbitrary code execution
Problem Description: Various user defined input such as mount points, devices, and mount options are prepared and passed as arguments to nmount2 into the kernel. Under certain error conditions, user defined data will be copied into a stack allocated buffer stored in the kernel without sufficient...
clamav -- CHM Processing Denial of Service
Hanno Boeck reports: A fuzzing test showed weakness in the chm parser of clamav, which can possibly be exploited. The clamav team has disabled the chm module in older versions though freshclam updates and has released 0.94 with a fixed parser...
FreeType 2 -- Multiple Vulnerabilities
Secunia reports: An integer overflow error exists in the processing of PFB font files. This can be exploited to cause a heap-based buffer overflow via a PFB file containing a specially crafted "Private" dictionary table. An error in the processing of PFB font files can be exploited to trigger the...
moinmoin -- superuser privilege escalation
MoinMoin team reports: A check in the userform processing was not working as expected and could be abused for ACL and superuser privilege escalation...
linux-realplayer -- multiple vulnerabilities
Secunia reports: Multiple vulnerabilities have been reported in RealPlayer/RealOne/HelixPlayer, which can be exploited by malicious people to compromise a user's system. An input validation error when processing .RA/.RAM files can be exploited to cause a heap corruption via a specially crafted...
ImageMagick -- multiple vulnerabilities
Multiple vulnerabilities have been discovered in ImageMagick. ImageMagick before 6.3.5-9 allows context-dependent attackers to cause a denial of service via a crafted image file that triggers 1 an infinite loop in the ReadDCMImage function, related to ReadBlobByte function calls; or 2 an infinite...
FreeBSD -- IPv6 Routing Header 0 is dangerous
Problem Description There is no mechanism for preventing IPv6 routing headers from being used to route packets over the same links many times. Impact An attacker can "amplify" a denial of service attack against a link between two vulnerable hosts; that is, by sending a small volume of traffic the...
claws-mail -- APOP vulnerability
CVE reports: The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle MITM attacks that use crafted message IDs and MD5 collisions...
ktorrent -- multiple vulnerabilities
Two problems have been found in KTorrent: KTorrent does not properly sanitize file names to filter out ".." components, so it's possible for an attacker to create a malicious torrent in order to overwrite arbitrary files within the filesystem. Messages with invalid chunk indexes aren't rejected...
WebCalendar -- "noSet" variable overwrite vulnerability
Secunia reports: A vulnerability has been discovered in WebCalendar, which can be exploited by malicious people to compromise a vulnerable system. Input passed to unspecified parameters is not properly verified before being used with the "noSet" parameter set. This can be exploited to overwrite...
dbus -- match_rule_equal() Weakness
Secunia reports: D-Bus have a weakness, which can be exploited by malicious, local users to cause a DoS Denial of Service. An error within the "matchruleequal" function can be exploited to disable the ability of other processes to receive messages by removing their matches from D-Bus...
gtar -- GNUTYPE_NAMES directory traversal vulnerability
Teemu Salmela reports: There is a tar record type, called GNUTYPENAMES an obsolete GNU extension, that allows the creation of symbolic links pointing to arbitrary locations in the filesystem, which makes it possible to create/overwrite arbitrary files...
ImageMagick -- SGI Image File heap overflow vulnerability
SecurityFocus reports about ImageMagick: ImageMagick is prone to a remote heap-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. Exploiting this issue allows attackers to execu...
punbb -- NULL byte injection vulnerability
CVE Mitre reports: PunBB 1.2.12 does not properly handle an avatar directory pathname ending in %00, which allows remote authenticated administrative users to upload arbitrary files and execute code, as demonstrated by a query to adminoptions.php with an avatarsdir parameter ending in %00. NOTE:...
linux-flashplugin7 -- arbitrary code execution vulnerabilities
Adobe reports: Multiple input validation errors have been identified in Flash Player 8.0.24.0 and earlier versions that could lead to the potential execution of arbitrary code. These vulnerabilities could be accessed through content delivered from a remote location via the user?s web browser, ema...
gnutls -- RSA Signature Forgery Vulnerability
Secunia reports: A vulnerability has been reported in GnuTLS, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error in the verification of certain signatures. If a RSA key with exponent 3 is used, it may be possible to forg...
mambo -- SQL injection vulnerabilities
The Team Mambo reports that two SQL injection vulnerabilities have been found in Mambo. The vulnerabilities exists due to missing sanitation of the title and catid parameters in the weblinks.php page and can lead to execution of arbitrary SQL code...
clamav -- Freshclam HTTP Header Buffer Overflow Vulnerability
Secunia reports: A vulnerability has been reported in ClamAV, which can be exploited by malicious people to cause a DoS Denial of Service and potentially to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the HTTP client in the Freshclam command line...
xine -- multiple remote string vulnerabilities
c0ntexb reports: There are 2 format string bugs in the latest version of Xine that could be exploited by a malicious person to execute code on the system of a remote user running the media player against a malicious playlist file. By passing a format specifier in the path of a file that is embedd...
mplayer -- Multiple integer overflows
Secunia reports: The vulnerabilities are caused due to integer overflow errors in "libmpdemux/asfheader.c" within the handling of an ASF file, and in "libmpdemux/aviheader.c" when parsing the "indx" chunk in an AVI file. This can be exploited to cause heap-based buffer overflows via a malicious A...
mediawiki -- cross site scripting vulnerability
The mediawiki development team reports that there is an site scripting vulnerability within mediawiki. The vulnerability is caused by improper checking of encoded links which could allow the injection of html in the output generated by mediawiki. This could lead to cross site scripting attacks...
ipfw -- IP fragment denial of service
Problem description: The firewall maintains a pointer to layer 4 header information in the event that it needs to send a TCP reset or ICMP error message to discard packets. Due to incorrect handling of IP fragments, this pointer fails to get initialized. Impact: An attacker can cause the firewall...
openvpn -- arbitrary code execution on client through malicious or compromised server
James Yonan reports: A format string vulnerability in the foreignoption function in options.c could potentially allow a malicious or compromised server to execute arbitrary code on the client. Only non-Windows clients are affected. The vulnerability only exists if a the client's TLS negotiation...
mantis -- "t_core_path" file inclusion vulnerability
Secunia Research reports: Input passed to the "tcorepath" parameter in "bugsponsorshiplistviewinc.php" isn't properly verified, before it used to include files. This can be exploited to include arbitrary files from external and local resources...
bogofilter -- heap corruption through excessively long words
Matthias Andree reports: Bogofilter's/bogolexer's input handling in version 0.96.2 was not keeping track of its output buffers properly and could overrun a heap buffer if the input contained words whose length exceeded 16,384 bytes, the size of flex's input buffer. A "word" here refers to a...
openssl -- potential SSL 2.0 rollback
Vulnerability: Such applications are affected if they use the option SSLOPMSIESSLV2RSAPADDING. This option is implied by use of SSLOPALL, which is intended to work around various bugs in third-party software that might prevent interoperability. The SSLOPMSIESSLV2RSAPADDING option disables a...
libxine -- format string vulnerability
Gentoo Linux Security Advisory reports: Ulf Harnhammar discovered a format string bug in the routines handling CDDB server response contents. An attacker could submit malicious information about an audio CD to a public CDDB server or impersonate a public CDDB server. When the victim plays this CD...
xloadimage -- buffer overflows in NIFF image title handling
Ariel Berkman reports: Unlike most of the supported image formats in xloadimage, the NIFF image format can store a title name of arbitrary length as part of the image file. When xloadimage is processing a loaded image, it is creating a new Image object and then writing the processed image to it. ...
freeradius -- multiple vulnerabilities
The freeradious development team reports: Multiple issues exist with version 1.0.4, and all prior versions of the server. Externally exploitable vulnerabilities exist only for sites that use the rlmsqlcounter module. Those sites may be vulnerable to SQL injection attacks, similar to the issues...
pcre -- regular expression buffer overflow
The pcre library is vulnerable to a buffer overflow vulnerability due to insufficient validation of quantifier values. This could lead execution of arbitrary code with the permissions of the program using pcre by way of a specially crated regular expression...