6585 matches found
wordpress -- full path disclosure
Dedi Dwianto reports: A remote user can access the file directly to cause the system to display an error message that indicates the installation path. The resulting error message will disclose potentially sensitive installation path information to the remote attacker...
openvpn -- denial of service: client certificate validation can disconnect unrelated clients
James Yonan reports: DoS attack against server when run with "verb 0" and without "tls-auth". If a client connection to the server fails certificate verification, the OpenSSL error queue is not properly flushed, which can result in another unrelated client instance on the server seeing the error...
zlib -- buffer overflow vulnerability
Problem description A fixed-size buffer is used in the decompression of data streams. Due to erronous analysis performed when zlib was written, this buffer, which was belived to be sufficiently large to handle any possible input stream, is in fact too small. Impact A carefully constructed...
qmail -- 64 bit integer overflows with possible remote code execution on large SMTP requests
Georgi Guninski writes: There are several issues with qmail on 64 bit platforms - classical integer overflow, pointer with signed index and signedness problem not counting the memory consumtion dos, which just helps. Update: the problem with the signed index is exploitable on Freebsd 5.4 amd64 wi...
coppermine -- IP spoofing and XSS vulnerability
GHC team reports about coppermine The lack of sanitizing of user defined variables may result in undesirable consequences such as IP spoofing or XSS attack. Generally users of Coppermine Gallery can post comments. Remote address & x-forwarded-for variables are logged for admin's eyes...
gaim -- AIM/ICQ remote denial of service vulnerability
The GAIM team reports that GAIM is vulnerable to a denial-of-service vulnerability which can cause GAIM to freeze: Certain malformed SNAC packets sent by other AIM or ICQ users can trigger an infinite loop in Gaim when parsing the SNAC. The remote user would need a custom client, able to generate...
gnupg -- OpenPGP symmetric encryption vulnerability
Serge Mister and Robert Zuccherato reports that the OpenPGP protocol is vulnerable to a cryptographic attack when using symmetric encryption in an automated way. David Shaw reports about the impact: This attack, while very significant from a cryptographic point of view, is not generally effective...
squid -- correct handling of oversized HTTP reply headers
The squid patches page notes: This patch addresses a HTTP protocol mismatch related to oversized reply headers. In addition it enhances the cache.log reporting on reply header parsing failures to make it easier to track down which sites are malfunctioning. It is believed that this bug may lead to...
squid -- buffer overflow in WCCP recvfrom() call
According to the Squid Proxy Cache Security Update Advisory SQUID-2005:3, The WCCP recvfrom call accepts more data than will fit in the allocated buffer. An attacker may send a larger-than-normal WCCP message to Squid and overflow this buffer. Severity: The bug is important because it allows remo...
p5-DBI -- insecure temporary file creation vulnerability
Javier Fernández-Sanguino Peña reports: The DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library...
groff -- pic2graph and eqn2graph are vulnerable to symlink attack through temporary files
The eqn2graph and pic2graph scripts in groff 1.18.1 allow local users to overwrite arbitrary files via a symlink attack on temporary files...
pcal -- buffer overflow vulnerabilities
Danny Lungstrom has found two buffer overflow vulnerabilities in pcal which can lead to execution of arbitrary code by making a user run pcal on a specially crafted calendar file...
phpmyadmin -- file disclosure vulnerability
A phpMyAdmin security announcement reports: File disclosure: on systems where the UploadDir mecanism is active, readdump.php can be called with a crafted form; using the fact that the sqllocalfile variable is not sanitized can lead to a file disclosure. Enabling PHP safe mode on the server can be...
fcron -- multiple vulnerabilities
An iDEFENSE Security Advisory states: Multiple vulnerabilities have been found in Fcron. File contents disclosure Configuration Bypass Vulnerability File Removal and Empty File Creation Vulnerability Information Disclosure Vulnerability...
zgv -- exploitable heap overflows
infamous41md reports: zgv uses malloc frequently to allocate memory for storing image data. When calculating how much to allocate, user supplied data from image headers is multiplied and/or added without any checks for arithmetic overflows. We can overflow numerous calculations, and cause small...
apache mod_include buffer overflow vulnerability
There is a buffer overflow in a function used by modinclude that may enable a local user to gain privileges of a httpd child. Only users that are able to create SSI documents can take advantage of that vulnerability...
unarj -- directory traversal vulnerability
unarj has insufficient checks for filenames that contain ... This can allow an attacker to overwrite arbitrary files with the permissions of the user running unarj...
gaim -- malicious smiley themes
The Gaim Security Issues page documents a problem with installing smiley themes from an untrusted source: To install a new smiley theme, a user can drag a tarball from a graphical file manager, or a hypertext link to one from a web browser. When a tarball is dragged, Gaim executes a shell command...
mozilla -- NULL bytes in FTP URLs
When handling FTP URLs containing NULL bytes, Mozilla will interpret the file content as HTML. This may allow unexpected execution of Javascript when viewing plain text or other file types via FTP...
Pavuk HTTP Location header overflow
When pavuk sends a request to a web server and the server sends back the HTTP status code 305 Use Proxy, pavuk copies data from the HTTP Location header in an unsafe manner. This leads to a stack-based buffer overflow with control over EIP...
gnats -- format string vulnerability
Gnats suffers from a format string bug, which may enable an attacker to execute arbitary code...
Gallery 1.4.3 and ealier user authentication bypass
A flaw exists in Gallery versions previous to 1.4.3-pl1 and post 1.2 which may give an attacker the potential to log in under the "admin" account. Data outside of the gallery is unaffected and the attacker cannot modify any data other than the photos or photo albums...
"Content-Type" XSS vulnerability affecting other webmail systems
Roman Medina-Heigl Hernandez did a survey which other webmail systems where vulnerable to a bug he discovered in SquirrelMail. This advisory summarizes the results...
exim buffer overflow when verify = header_syntax is used
A remote exploitable buffer overflow has been discovered in exim when verify = headersyntax is used in the configuration file. This does not affect the default configuration...
racoon security association deletion vulnerability
A remote attacker may use specially crafted IKE/ISAKMP messages to cause racoon to delete security associations. This could result in denial-of-service or possibly cause sensitive traffic to be transmitted in plaintext, depending upon configuration...
Buffer overflow in pam_smb password handling
Applications utilizing pamsmb can be compromised by any user who can enter a password. In many cases, this is a remote root compromise...
ProFTPD ASCII translation bug resulting in remote root compromise
A buffer overflow exists in the ProFTPD code that handles translation of newline characters during ASCII-mode file uploads. An attacker may exploit this buffer overflow by uploading a specially crafted file, resulting in code execution and ultimately a remote root compromise...
ecartis buffer overflows and input validation bugs
Timo Sirainen reports multiple buffer overflows that may be triggered while parsing messages, as well as input validation errors that could result in disclosure of mailing list passwords. These bugs were resolved in the August 2003 snapshot of ecartis...
cscope -- symlink attack vulnerability
cscope is vulnerable to a symlink attack which could lead to an attacker overwriting arbitrary files with the permissions of the user running cscope...
mailman XSS in user options page
From the 2.1.1 release notes: Closed a cross-site scripting vulnerability in the user options page...
icecast 1.x multiple vulnerabilities
icecast 1.3.11 and earlier contained numerous security vulnerabilities, the most severe allowing a remote attacker to execute arbitrary code as root...
jenkins -- Denial of service vulnerability in bundled json-lib
Jenkins Security Advisory: Description High SECURITY-3463 / CVE-2024-47855 Denial of service vulnerability in bundled json-lib...
qt5-webengine -- Multiple vulnerabilities
Backports for 6 security bugs in Chromium: CVE-2024-5496: Use after free in Media Session CVE-2024-5846: Use after free in PDFium CVE-2024-6291: Use after free in Swiftshader CVE-2024-6989: Use after free in Loader CVE-2024-6996: Race in Frames CVE-2024-7536: Use after free in WebAudio...
GLPI -- multiple vulnerabilities
GLPI team reports: GLPI 10.0.16 Changelog SECURITY - high Account takeover via SQL Injection in AJAX scripts CVE-2024-37148 SECURITY - high Remote code execution through the plugin loader CVE-2024-37149 SECURITY - moderate Authenticated file upload to restricted tickets CVE-2024-37147...
qt5-webengine -- Multiple vulnerabilities
Backports for 5 security bugs in Chromium: CVE-2024-3837: Use after free in QUIC CVE-2024-3839: Out of bounds read in Fonts CVE-2024-3914: Use after free in V8 CVE-2024-4058: Type confusion in ANGLE CVE-2024-4558: Use after free in ANGLE...
Intel CPUs -- multiple vulnerabilities
Intel reports: Potential security vulnerabilities in some Intel Trust Domain Extensions TDX module software may allow escalation of privilege. Improper input validation in some Intel TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of...
R -- arbitrary code execution vulnerability
HiddenLayer Research reports: Deserialization of untrusted data can occur in the R statistical programming language, enabling a maliciously crafted RDS R Data Serialization formatted file or R package to run arbitrary code on an end user's system...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 3 security fixes: 331237485 High CVE-2024-3157: Out of bounds write in Compositing. Reported by DarkNavy on 2024-03-26 328859176 High CVE-2024-3516: Heap buffer overflow in ANGLE. Reported by Bao zx Pham and Toan suto Pham of Qrious Secure on 2024-03-...
OpenSSL -- Unbounded memory growth with session handling in TLSv1.3
The OpenSSL project reports: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions...
Gitlab -- Vulnerabilities
Gitlab reports: Bypassing CODEOWNERS approval allowing to steal protected variables Guest with manage group access tokens can rotate and see group access token with owner permissions...
electron27 -- multiple vulnerabilities
Electron developers report: This update fixes the following vulnerability: Security: backported fix for CVE-2024-1283. Security: backported fix for CVE-2024-1284...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 12 security fixes: 41495060 High CVE-2024-1669: Out of bounds memory access in Blink. Reported by Anonymous on 2024-01-26 41481374 High CVE-2024-1670: Use after free in Mojo. Reported by Cassidy Kim@cassidy6564 on 2023-12-06 41487933 Medium...
Grafana -- Data source permission escalation
Grafana Labs reports: The vulnerability impacts Grafana Cloud and Grafana Enterprise instances, and it is exploitable if a user who should not be able to access all data sources is granted permissions to create a data source. By default, only organization Administrators are allowed to create a da...
electron{25,26} -- use after free in WebAudio
Electron developers report: This update fixes the following vulnerability: Security: backported fix for CVE-2023-5996...
postgresql-server -- Role pg_cancel_backend can signal certain superuser processes
PostgreSQL Project reports: Documentation says the pgcancelbackend role cannot signal "a backend owned by a superuser". On the contrary, it can signal background workers, including the logical replication launcher. It can signal autovacuum workers and the autovacuum launcher. Signaling autovacuum...
chromium -- multiple vulnerabilities
Chrome Releases reports: This update includes 20 security fixes: 1487110 Critical CVE-2023-5218: Use after free in Site Isolation. Reported by @18楼梦想改造家 on 2023-09-27 1062251 Medium CVE-2023-5487: Inappropriate implementation in Fullscreen. Reported by Anonymous on 2020-03-17 1414936 Medium...
FreeBSD -- arm64 boot CPUs may lack speculative execution protections
Problem Description: On CPU 0 the check for the SMCCC workaround is called before SMCCC support has been initialized. Impact: No speculative execution workarounds are installed on CPU 0...
11/libX11 multiple vulnerabilities
The X.Org project reports: CVE-2023-43785: out-of-bounds memory access in XkbReadKeySyms When libX11 is processing the reply from the X server to the XkbGetMap request, if it detected the number of symbols in the new map was less than the size of the buffer it had allocated, it always added room...
mediawiki -- multiple vulnerabilities
Mediawikwi reports: T264765, CVE-2023-PENDING SECURITY: Users without correct permission are incorrectly shown MediaWiki:Missing-revision-permission. T333050, CVE-2023-PENDING SECURITY: Fix infinite loop for self-redirects with variants conversion. T340217, CVE-2023-PENDING SECURITY: Vector 2022:...
Django -- multiple vulnerabilities
Django reports: CVE-2023-41164: Potential denial of service vulnerability in django.utils.encoding.uritoiri...