6585 matches found
mysql -- remote dos via malformed password packet
MySQL reports: A malformed password packet in the connection protocol could cause the server to crash...
mod_jk -- information disclosure
Kazu Nambo reports: URL decoding the the Apache webserver prior to decoding in the Tomcat server could pypass access control rules and give access to pages on a different AJP by sending a crafted URL...
w3m -- format string vulnerability
An anonymous person reports: w3m-0.5.1 crashes when using the -dump or -backend options to open a HTTPS URL with a SSL certificate where the CN contains "%n%n%n%n%n%n"...
clamav -- Multipart Nestings Denial of Service
Secunia reports: Clam AntiVirus have a vulnerability, which can be exploited by malicious people to cause a DoS Denial of Service. The vulnerability is caused due to a stack overflow when scanning messages with deeply nested multipart content. This can be exploited to crash the service by sending...
phpmyadmin -- XSRF vulnerabilities
phpMyAdmin team reports: We received a security advisory from Stefan Esser [email protected] and we wish to thank him for his work. It was possible to inject arbitrary SQL commands by forcing an authenticated user to follow a crafted link...
trac -- reStructuredText breach of privacy and denial of service vulnerability
The Trac 0.9.6 Release Notes reports: Fixed reStructuredText breach of privacy and denial of service vulnerability found by Felix Wiemann. The discovered vulnerability requires docutils to be installed and enabled. Systems that do not have docutils installed or enabled are not vulnerable. As of...
drupal -- multiple vulnerabilities
The Drupal team reports: Vulnerability: SQL injection A security vulnerability in the database layer allowed certain queries to be submitted to the database without going through Drupal's query sanitizer. Vulnerability: Execution of arbitrary files Certain -- alas, typical -- configurations of...
phpmyadmin -- 'set_theme' Cross-Site Scripting
Secunia reports: A vulnerability has been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "settheme" parameter isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTM...
kpdf -- heap based buffer overflow
The KDE team reports: kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains a heap based buffer overflow in the splash rasterizer engine that can crash kpdf or even execute arbitrary code...
FreeBSD -- Local kernel memory disclosure
Problem description: A buffer allocated from the kernel stack may not be completely initialized before being copied to userland. CVE-2006-0379 A logic error in computing a buffer length may allow too much data to be copied into userland. CVE-2006-0380 Impact: Portions of kernel memory may be...
pf -- IP fragment handling panic
Problem description: A logic bug in pf's IP fragment cache may result in a packet fragment being inserted twice, violating a kernel invariant. Impact: By sending carefully crafted sequence of IP packet fragments, a remote attacker can cause a system running pf with a ruleset containing a 'scrub...
clamav -- possible heap overflow in the UPX code
The Zero Day Initiative reports: This vulnerability allows remote attackers to execute arbitrary code on vulnerable Clam AntiVirus installations. Authentication is not required to exploit this vulnerability. This specific flaw exists within libclamav/upx.c during the unpacking of executable files...
tkdiff -- temporary file symlink privilege escalation
Javier Fernández-Sanguino Peña reports a vulnerability in tkdiff which allows local users to gain priveleges of the user running tkdiff due to insecure temporary file creation...
opera -- multiple vulnerabilities
Opera reports: It is possible to make a form input that looks like an image link. If the form input has a "title" attribute, the status bar will show the "title". A "title" which looks like a URL can mislead the user, since the title can say http://nice.familiar.com/, while the form action can be...
lynx -- remote buffer overflow
Ulf Härnhammar reports: When Lynx connects to an NNTP server to fetch information about the available articles in a newsgroup, it will call a function called HTrjis with the information from certain article headers. The function adds missing ESC characters to certain data, to support Asian...
gallery2 -- file disclosure vulnerability
Michael Dipper wrote: A vulnerability has been discovered in gallery, which allows remote users unauthorized access to files on the webserver. A remote user accessing gallery over the web may use specially crafted HTTP parameters to access arbitrary files located on the webserver. All files...
openvpn -- denial of service: malicious authenticated "tap" client can deplete server virtual memory
James Yonan reports: A malicious authenticated client in "dev tap" ethernet bridging mode could theoretically flood the server with packets appearing to come from hundreds of thousands of different MAC addresses, causing the OpenVPN process to deplete system virtual memory as it expands its...
cacti -- multiple vulnerabilities
Stefan Esser reports: Wrongly implemented user input filters lead to multiple SQL Injection vulnerabilities which can lead f.e. to disclosure of the admin password hash. Wrongly implemented user input filters allows injection of user input into executed commandline. Alberto Trivero posted his...
trac -- file upload/download vulnerability
Stefan Esser reports: Trac's wiki and ticket systems allows to add attachments to wiki entries and bug tracker tickets. These attachments are stored within directories that are determined by the id of the corresponding ticket or wiki entry. Due to a missing validation of the id parameter it is...
kdewebdev -- kommander untrusted code execution vulnerability
A KDE Security Advisory reports: Kommander executes without user confirmation data files from possibly untrusted locations. As they contain scripts, the user might accidentally run arbitrary code. Impact: Remotly supplied kommander files from untrusted sources are executed without confirmation...
perl -- Directory Permissions Race Condition
Secunia reports: Paul Szabo has reported a vulnerability in Perl File::Path::rmtree, which potentially can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to a race condition in the way File::Path::rmtree handles directory permissions when...
gftp -- directory traversal vulnerability
A Debian Security Advisory reports: Albert Puigsech Galicia discovered a directory traversal vulnerability in a proprietary FTP client CAN-2004-1376 which is also present in gftp, a GTK+ FTP client. A malicious server could provide a specially crafted filename that could cause arbitrary files to ...
tiff -- tiffdump integer overflow vulnerability
Dmitry V. Levin found a potential integer overflow in the tiffdump utility which could lead to execution of arbitrary code. This could be exploited by tricking an user into executing tiffdump on a specially crafted tiff image...
mc -- multiple vulnerabilities
Andrew V. Samoilov reported several vulnerabilities that were corrected in MidnightCommand 4.6.0: Format string issues CVE-2004-1004 Buffer overflows CVE-2004-1005 Denial-of-service, infinite loop CVE-2004-1009 Denial-of-service, corrupted section header CVE-2004-1090 Denial-of-service, null...
phpbb -- arbitrary command execution and other vulnerabilities
The ChangeLog for phpBB 2.0.11 states: Changes since 2.0.10 Fixed vulnerability in highlighting code very high severity, please update your installation as soon as possible Fixed unsetting global vars - Matt Kavanagh Fixed XSS vulnerability in username handling - AnthraX101 Fixed not confirmed sq...
apache2 multiple space header denial-of-service vulnerability
It is possible for remote attackers to cause a denial-of-service scenario on Apache 2.0.52 and earlier by sending an HTTP GET request with a MIME header containing multiple lines full of whitespaces...
ImageMagick -- EXIF parser buffer overflow
There exists a buffer overflow vulnerability in ImageMagick's EXIF parsing code which may lead to execution of arbitrary code...
gdk-pixbuf -- image decoding vulnerabilities
Chris Evans discovered several flaws in the gdk-pixbuf XPM image decoder: Heap-based overflow in pixbufcreatefromxpm Stack-based overflow in xpmextractcolor Integer overflows in io-ico.c Some of these flaws are believed to be exploitable...
gaim -- heap overflow exploitable by malicious GroupWise server
Sean infamous42md reports that a malicious GroupWise messaging server may be able to exploit a heap buffer overflow in gaim, leading to arbitrary code execution...
imlib -- BMP decoder heap buffer overflow
Marcus Meissner discovered that imlib's BMP decoder would crash when loading the test BMP file created by Chris Evans for testing the previous Qt vulnerability. It is believed that this bug could be exploited for arbitrary code execution...
icecast -- Cross-Site Scripting Vulnerability
Caused by improper filtering of HTML code in the status display, it is possible for a remote user to execute scripting code in the target user's browser...
phpBB IP address spoofing
The common.php script always trusts the X-Forwarded-For' header in the client's HTTP request. A remote user could forge this header in order to bypass any IP address access control lists ACLs...
setsockopt(2) IPv6 sockets input validation error
From the FreeBSD Security Advisory: A programming error in the handling of some IPv6 socket options within the setsockopt2 system call may result in memory locations being accessed without proper validation. It may be possible for a local attacker to read portions of kernel memory, resulting in...
Buffer overflows in XFree86 servers
A number of buffer overflows were recently discovered in XFree86, prompted by initial discoveries by iDEFENSE. These buffer overflows are present in the font alias handling. An attacker with authenticated access to a running X server may exploit these vulnerabilities to obtain root privileges on...
FreeBSD -- Use-after-free bug in the IPV6_MSFILTER socket option handler
Problem Description: The kernel handler for IPV6MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed...
MariaDB -- Multiple vulnerabilities
The MariaDB project reports: Multiple vulnerabilities in MariaDB Cluster Galera...
Gitlab -- vulnerabilities
Gitlab reports: Partial Bypass for Device OAuth flow using Cross Window Forgery Denial of service by abusing Github import API Group IP restriction bypass allows disclosing issue title of restricted project...
Gitlab -- Vulnerabilities
Gitlab reports: Cross-site Scripting XSS through merge-request error messages Cross-site Scripting XSS through improper rendering of certain file types Admin Privileges Persists After Role is Revoked External user can access internal projects Prompt injection in Amazon Q integration may allow...
PostgreSQL -- SET ROLE, SET SESSION AUTHORIZATION reset to wrong user ID
PostgreSQL project reports: Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when...
PostgreSQL -- Prevent unauthorized code execution during pg_dump
PostgreSQL project reports: An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pgdump session with the privileges of the role running pgdump which is often a superuser. The attack involves replacing a sequence or similar object...
firefox -- multiple vulnerabilities
[email protected] reports: Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack...
netatalk3 -- Multiple vulnerabilities
[email protected] reports: This entry documents the following three vulnerabilities: Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuflen to '\0' in FPMapName in afpmapname in etc/afpd/directory.c. 2.4.1 and 3.1.19 are also fixed versions...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 2 security fixes: 335003891 High CVE-2024-4331: Use after free in Picture In Picture. Reported by Zhenghang Xiao @Kipreyyy on 2024-04-16 333508731 High CVE-2024-4368: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09...
forgejo -- HTTP/2 CONTINUATION flood in net/http
[email protected] reports: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's heade...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 12 security fixes: 327740539 High CVE-2024-2625: Object lifecycle issue in V8. Reported by Ganjiang Zhou@refrainareu of ChaMd5-H1 team on 2024-03-01 40945098 Medium CVE-2024-2626: Out of bounds read in Swiftshader. Reported by Cassidy Kim@cassidy6564 ...
electron{27,28} -- vulnerability in libxml2
Electron developers report: This update fixes the following vulnerability: Security: backported fix for CVE-2024-25062...
null -- null
[email protected] reports: On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAPNETBINDSERVICE. Due to a bug in the implementation of this exception, Node....
Composer -- Code execution and possible privilege escalation
Copmposer reports: Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php. Several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions...
electron26 -- multiple vulnerabilities
Electron developers report: This update fixes the following vulnerabilities: Security: backported fix for CVE-2023-6345. Security: backported fix for CVE-2023-6346. Security: backported fix for CVE-2023-6347. Security: backported fix for CVE-2023-6350...
redis -- Possible bypassing Unix socket permissions
Redis core team reports: The wrong order of listen2 and chmod2 calls creates a race condition that can be used by another process to bypass desired Unix socket permissions on startup...