6583 matches found
chromium -- multiple security fixes
Chrome Releases reports: This update includes 22 security fixes: 349198731 High CVE-2024-6988: Use after free in Downloads. Reported by lime@limeSec from TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-06-25 349342289 High CVE-2024-6989: Use after free in Loader. Reported by Anonymous on...
electron29 -- multiple vulnerabilities
Electron developers report: This update fixes the following vulnerabilities: Security: backported fix for CVE-2024-5499. Security: backported fix for CVE-2024-5493. Security: backported fix for CVE-2024-5494. Security: backported fix for CVE-2024-5495. Security: backported fix for CVE-2024-5496...
go -- multiple vulnerabilities
The Go project reports: archive/zip: mishandling of corrupt central directory record The archive/zip package's handling of certain types of invalid zip files differed from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 11 security fixes: 339877165 High CVE-2024-5493: Heap buffer overflow in WebRTC. Reported by Cassidy Kim@cassidy6564 on 2024-05-11 338071106 High CVE-2024-5494: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01 338103465 High CVE-2024-5495: U...
electron{27,28} -- Object lifecycle issue in V8
Electron developers report: This update fixes the following vulnerability: Security: backported fix for CVE-2024-2625...
dns/c-ares -- malformatted file causes application crash
c-ares project reports: Reading malformatted /etc/resolv.conf, /etc/nsswitch.conf or the HOSTALIASES file could result in a crash...
electron{26,27} -- multiple vulnerabilities
Electron developers report: This update fixes the following vulnerabilities: Security: backported fix for CVE-2024-0518. Security: backported fix for CVE-2024-0517...
FreeBSD -- TCP spoofing vulnerability in pf(4)
Problem Description: As part of its stateful TCP connection tracking implementation, pf performs sequence number validation on inbound packets. This makes it difficult for a would-be attacker to spoof the sender and inject packets into a TCP stream, since crafted packets must contain sequence...
glpi-project -- SQL injection in ITIL actors in GLPI
[email protected] reports: GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to...
FreeBSD -- Wi-Fi encryption bypass
Problem Description: The net80211 subsystem would fallback to the multicast key for unicast traffic in the event the unicast key was removed. This would result in buffered unicast traffic being exposed to any stations with access to the multicast key. Impact: As described in the "Framing Frames:...
OpenSSL -- AES-SIV implementation ignores empty associated data entries
The OpenSSL project reports: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence...
electron{23,24} -- multiple vulnerabilities
Electron developers report: This update fixes the following vulnerabilities: Security: backported fix for CVE-2023-3422. Security: backported fix for CVE-2023-3421. Security: backported fix for CVE-2023-3420...
vscode -- VS Code Information Disclosure Vulnerability
VSCode developers reports: VS Code Information Disclosure Vulnerability A information disclosure vulnerability exists in VS Code 1.79.0 and earlier versions on Windows when file system operations are performed on malicious UNC paths. Examples include reading or resolving metadata of such paths. A...
tailscale -- security vulnerability in Tailscale SSH
Tailscale team reports: A vulnerability identified in the implementation of Tailscale SSH in FreeBSD allowed commands to be run with a higher privilege group ID than that specified by Tailscale SSH access rules...
glpi -- multiple vulnerabilities
glpi Project reports: Multiple vulnerabilities found and fixed in this version: High CVE-2023-28849: SQL injection and Stored XSS via inventory agent request. High CVE-2023-28632: Account takeover by authenticated user. High CVE-2023-28838: SQL injection through dynamic reports. Moderate...
Grafana -- Stored XSS in TraceView panel
Grafana Labs reports: During an internal audit of Grafana on January 30, a member of the engineering team found a stored XSS vulnerability affecting the TraceView panel. The stored XSS vulnerability was possible because the value of a span’s attributes/resources were not properly sanitized, and...
Asterisk -- multiple vulnerabilities
The Asterisk project reports: AST-2022-007: Remote Crash Vulnerability in H323 channel add on AST-2022-008: Use after free in respjsippubsub.c AST-2022-009: GetConfig AMI Action can read files outside of Asterisk directory...
freerdp -- clients using `/parallel` command line switch might read uninitialized data
MITRE reports: FreeRDP based clients on unix systems using /parallel command line switch might read uninitialized data and send it to the server the client is currently connected to. FreeRDP based server implementations are not affected...
VirtualBox -- Multiple vulnerabilities
Oracle reports: Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently...
mutt -- mutt_decode_uuencoded() can read past the of the input line
Tavis Ormandy reports: muttdecodeuuencoded, the line length is read from the untrusted uuencoded part without validation. This could result in including private memory in message parts, for example fragments of other messages, passphrases or keys in replys...
flac -- fix encoder bug
The FLAC 1.3.4 release reports: Fix 12 decoder bugs found by oss-fuzz. Fix encoder bug CVE-2021-0561...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description Medium SECURITY-2558 / CVE-2022-20612 CSRF vulnerability in build triggers...
hiredis -- integer/buffer overflow
hiredis maintainers report: Hiredis is vulnurable to integer overflow if provided maliciously crafted or corrupted RESP mult-bulk protocol data. When parsing multi-bulk array-like replies, hiredis fails to check if count sizeofredisReply can be represented in SIZEMAX. If it can not, and the callo...
py39-pycares -- domain hijacking vulnerability
Philipp Jeitner and Haya Shulman report: A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS Domain Name Servers can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability ...
py-matrix-synapse -- malicious push rules may be used for a denial of service attack.
Matrix developers report: "Push rules" can specify conditions under which they will match, including eventmatch, which matches event content against a pattern including wildcards. Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processi...
mantis -- multiple vulnerabilities
Mantis 2.25.1 and 2.25.2 releases report: Security and maintenance release, PHPMailer update to 6.5.0 0028552: XSS in managecustomfieldeditpage.php CVE-2021-33557 0028821: Update PHPMailer to 6.5.0 CVE-2021-3603, CVE-2020-36326...
upnp -- stack overflow vulnerability
Mitre reports: A stack overflow in pupnp 1.16.1 can cause the denial of service through the ParserparseDocument function. ixmlNodefree will release a child node recursively, which will consume stack space and lead to a crash...
FreeBSD -- jail_remove(2) fails to kill all jailed processes
Problem Description: Due to a race condition in the jailremove2 implementation, it may fail to kill some of the processes. Impact: A process running inside a jail can avoid being killed during jail termination. If a jail is subsequently started with the same root path, a lingering jailed process...
redis -- Integer overflow on 32-bit systems
Redis Development team reports: Redis 4.0 or newer uses a configurable limit for the maximum supported bulk input size. By default, it is 512MB which is a safe value for all platforms. If the limit is significantly increased, receiving a large request from a client may trigger several integer...
mutt -- denial of service
Tavis Ormandy reports: rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service mailbox unavailability by sending email messages with sequences of semicolon characters in RFC822 address fields aka terminators of empty groups. A small email message from the attacker can...
glpi -- Insecure Direct Object Reference on ajax/comments.ph
MITRE Corporation reports: In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference IDOR vulnerability that allows an attacker to read data from any database table e.g., glpitickets, glpiusers, etc...
powerdns -- Leaking uninitialised memory through crafted zone records
PowerDNS Team reports CVE-2020-17482: An issue has been found in PowerDNS Authoritative Server before 4.3.1 where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory. Such a user could be a customer inserting data via...
FreeBSD -- bhyve privilege escalation via VMCS access
Problem Description: AMD and Intel CPUs support hardware virtualization using specialized data structures that control various aspects of guest operation. These are the Virtual Machine Control Structure VMCS on Intel CPUs, and the Virtual Machine Control Block VMCB on AMD CPUs. Insufficient acces...
Multi-link PPP protocol daemon MPD5 remotely exploitable crash
Version 5.9 contains security fix for L2TP clients and servers. Insufficient validation of incoming L2TP control packet specially crafted by unauthenticated user might lead to unexpected termination of the process. The problem affects mpd versions since 4.0 that brought in initial support for L2T...
mozjpeg -- heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file
NIST reports: Heap-based buffer over-read in getrgbrow in rdppm.c via a malformed PPM input file...
znc -- Authenticated users can trigger an application crash
Mitre reports: ZNC 1.8.0 up to 1.8.1-rc1 allows attackers to trigger an application crash with a NULL pointer dereference if echo-message is not enabled and there is no network...
vlc heap-based buffer overflow
Thomas Guillem reports: A heap-based buffer overflow in the hxxxAnnexBtoxVC function in modules/packetizer/hxxxnal.c in VideoLAN VLC media player before 3.0.11 allows remote attackers to cause a denial of service application crash or execute arbitrary code via a crafted H.264 Annex-B video .avi f...
clamav -- multiple vulnerabilities
Micah Snyder reports: CVE-2020-3327: Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.2 that could cause a denial-of-service condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash. Special thanks to Daehui Chang and...
bftpd -- Multiple vulnerabilities
Bftpd project reports: Bftpd is vulnerable to out of bounds memory access, file descriptor leak and a potential buffer overflow...
openvpn -- illegal client float can break VPN session for other users
Lev Stipakov and Gert Doering report: There is a time frame between allocating peer-id and initializing data channel key which is performed on receiving push request or on async push-reply in which the existing peer-id float checks do not work right. If a "rogue" data channel packet arrives durin...
glpi -- able to read any token through API user endpoint
MITRE Corporation reports: In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All apitokens which can be used to do privileges escalations or...
FreeBSD -- Use after free in cryptodev module
Problem Description: A race condition permitted a data structure in the kernel to be used after it was freed by the cryptodev module. Impact: An unprivileged process can overwrite arbitrary kernel memory...
libssh -- Unsanitized location in scp could lead to unwanted command execution
The libssh team reports: In an environment where a user is only allowed to copy files and not to execute applications, it would be possible to pass a location which contains commands to be executed in additon. When the libssh SCP client connects to a server, the scp command, which includes a...
Mbed TLS -- Side channel attack on ECDSA
Janos Follath reports: Our bignum implementation is not constant time/constant trace, so side channel attacks can retrieve the blinded value, factor it as it is smaller than RSA keys and not guaranteed to have only large prime factors, and then, by brute force, recover the key...
Loofah -- XSS vulnerability
GitHub issue: This issue has been created for public disclosure of an XSS vulnerability that was responsibly reported by https://hackerone.com/vxhex In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished...
Ghostscript -- Security bypass vulnerabilities
Cedric Buissart Red Hat reports: A flaw was found in, ghostscript versions prior to 9.50, in the .pdfhookDSCCreator procedure where it did not properly secure its privileged calls, enabling scripts to bypass -dSAFER restrictions. A specially crafted PostScript file could disable security protecti...
mediawiki -- multiple vulnerabilities
Mediawiki reports: Security fixes: T230402, CVE-2019-16738 SECURITY: Add permission check for suppressed account to Special:Redirect...
Mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2019-11703: Heap buffer overflow in icalparser.c A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in parsergetnextchar when processing certain email messages, resulting in a potentially exploitable crash. CVE-2019-11704: Heap buffer...
Jupyter notebook -- open redirect vulnerability
Jupyter blog: Login pages tend to take a parameter for redirecting back to a page after successful login, e.g. /login?next=/notebooks/mynotebook.ipynb, so that you aren't disrupted too much if you try to visit a page, but have to authenticate first. An Open Redirect Vulnerability is when a...
Ghostscript -- Security bypass vulnerability
Cedric Buissart Red Hat reports: It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by...