6585 matches found
Account takeover via SQL Injection in UI layout preferences in GLPI
[email protected] reports: GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL...
routinator -- Possible path traversal when storing RRDP responses
[email protected] reports: NLnet Labs Routinator 0.9.0 up to and including 0.12.1 contains a possible path traversal vulnerability in the optional, off-by-default keep-rrdp-responses feature that allows users to store the content of responses received for RRDP requests. The location of these store...
redis -- Possible bypassing ACL configuration
yangbodong22011 reports: Redis does not correctly identify keys accessed by SORTRO and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration...
clamav -- Possible denial of service vulnerability in the HFS+ file parser
Steve Smith reports: There is a possible denial of service vulnerability in the HFS+ file parser...
Gitlab -- Vulnerabilities
Gitlab reports: ReDoS via ProjectReferenceFilter in any Markdown fields ReDoS via AutolinkFilter in any Markdown fields Regex DoS in Harbor Registry search Arbitrary read of files owned by the "git" user via malicious tar.gz file upload using GitLab export functionality Stored XSS in Web IDE Beta...
py39-redis -- can send response data to the client of an unrelated request
drago-balto reports: redis-py through 4.5.3 and 4.4.3 leaves a connection open after canceling an async Redis command at an inopportune time in the case of a non-pipeline operation, and can send response data to the client of an unrelated request. NOTE: this issue exists because of an incomplete...
drupal9 -- multiple vulnerabilities
Drupal reports: CVE-2022-31175: Cross-site scripting XSS caused by the editor instance destroying process...
FreeBSD -- 802.11 heap buffer overflow
Problem Description: The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer. Impact: While a FreeBSD Wi-Fi client is in scanning mode i.e., not associated with a SSID a malicious beacon frame may overwrite kernel...
py-Scrapy -- exposure of sensitive information vulnerability
ranjit-git reports: Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1...
varnish -- Request Smuggling Vulnerability
Varnish Cache Project reports: A request smuggling attack can be performed on HTTP/1 connections on Varnish Cache servers. The smuggled request would be treated as an additional request by the Varnish server, go through normal VCL processing, and injected as a spurious response on the client...
rubygem-cgi -- buffer overrun in CGI.escape_html
chamal reports: A security vulnerability that causes buffer overflow when you pass a very large string 700 MB to CGI.escapehtml on a platform where long type takes 4 bytes, typically, Windows...
strongswan - denial-of-service vulnerability in the gmp plugin/denial-of-service vulnerability in the in-memory certificate cache
Strongswan Release Notes reports: Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990. Fixed a denial-of-service vulnerability ...
pglogical -- shell command injection in pglogical.create_subscription()
2ndQuadrant reports: Fix pgdump/pgrestore execution CVE-2021-3515 Correctly escape the connection string for both pgdump and pgrestore so that exotic database and user names are handled correctly. Reported by Pedro Gallegos...
py-numpy -- Missing return-value validation of the function PyArray_DescrNew
Numpy reports: At most call-sites for PyArrayDescrNew, there are no validations of its return, but an invalid address may be returned...
libX11 -- Arbitrary code execution
The X.org project reports: XLookupColor and other X libraries function lack proper validation of the length of their string parameters. If those parameters can be controlled by an external application for instance a color name that can be emitted via a terminal control sequence it can lead to the...
Rails -- multiple vulnerabilities
Ruby on Rails blog: Rails version 5.2.4.5, 6.0.3.5 and 6.1.2.1 have been released! Those version are security releases and addresses two issues: CVE-2021-22880: Possible DoS Vulnerability in Active Record PostgreSQL adapter. CVE-2021-22881: Possible Open Redirect in Host Authorization Middleware...
wavpack -- integer overflow in pack_utils.c
The wavpack project reports: src/packutils.c - issue 91: fix integer overflows resulting in buffer overruns CVE-2020-35738 - sanitize configuration parameters better improves clarity and aids debugging...
vault -- User Enumeration via LDAP auth
Vault developers report: Vault allowed enumeration of users via the LDAP auth method. This vulnerability, was fixed in Vault 1.6.1 and 1.5.6. An external party reported that they were able to enumerate LDAP users via error messages returned by Vault’s LDAP auth method...
powerdns-recursor -- cache pollution
PowerDNS Team reports: CVE-2020-25829: An issue has been found in PowerDNS Recursor where a remote attacker can cause the cached records for a given name to be updated to the ‘Bogus’ DNSSEC validation state, instead of their actual DNSSEC ‘Secure’ state, via a DNS ANY query. This results in a...
typo3 -- multiple vulnerabilities
Typo3 Team reports: In case an attacker manages to generate a valid cryptographic message authentication code HMAC-SHA1 - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This...
FreeBSD -- posix_spawnp(3) buffer overflow
Problem Description: posixspawnp spawns a new thread with a limited stack allocated on the heap before delegating to execvp for the final execution within that thread. execvp would previously make unbounded allocations on the stack, directly proportional to the length of the user-controlled PATH...
coturn -- information leakage
Felix Dörre reports: The issue is that STUN/TURN response buffer is not initialized properly. CWE 665 This is a leak of information between different client connections. One client an attacker could use their connection to intelligently query coturn to get interesting bytes in the padding bytes...
glpi -- Unauthenticated Stored XSS
MITRE Corporation reports: In GLPI before version 9.5.2, the install/install.php endpoint insecurely stores user input into the database as urlbase and urlbaseapi. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure...
IMAP fcc/postpone machine-in-the-middle attack
mutt 1.14.3 updates: CVE-2020-14093 - IMAP fcc/postpone man-in-the-middle attack via a PREAUTH response...
Nextcloud -- Password share by mail not hashed
The Nextcloud project reports: NC-SA-2020-026 low: Password of share by mail is not hashed when given on the create share call A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call...
Apache OpenOffice -- Unrestricted actions leads to arbitrary code execution in crafted documents
The Apache Openofffice project reports: CVE-2020-13958 Unrestricted actions leads to arbitrary code execution in crafted documents Description A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description High SECURITY-1774 / CVE-2020-2160 CSRF protection for any URL could be bypassed Medium SECURITY-1781 / CVE-2020-2161 Stored XSS vulnerability in label expression validation Medium SECURITY-1793 / CVE-2020-2162 Stored XSS vulnerability in file parameters...
Python -- multiple vulnerabilities
Python reports: bpo-41304: Fixes python3x.pth being ignored on Windows, caused by the fix for bpo-29778 CVE-2020-15801. bpo-39603: Prevent http header injection by rejecting control characters in http.client.putreques...
cyrus-sasl -- Fix off by one error
Cyrus SASL 2.1.x Release Notes New in 2.1.28 reports: Fix off by one error...
py-psutil -- double free vulnerability
ret2libc reports: psutil aka python-psutil through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object...
cacti -- Authenticated users may bypass authorization checks
The cacti developers reports: In Cacti through 1.2.6, authenticated users may bypass authorization checks for viewing a graph via a direct graphjson.php request with a modified localgraphid parameter...
nexus2-oss -- Multiple vulerabilities
Sonatype reports: Several RCE vulnerabilities have been found and corrected in 2.14.15: CVE-2019-16530: An attacker with elevated privileges can upload a specially crafted file. That file can contain commands that will be executed on the system, with the same privileges as the user running the...
FLAC -- out-of-bounds read
Oss-Fuzz reports: There is a possible out of bounds read due to a heap buffer overflow in FLACbitreaderreadricesignedblock of bitreader.c...
FreeBSD -- IPv6 remote Denial-of-Service
Problem Description: Due do a missing check in the code of mpulldown9 data returned may not be contiguous as requested by the caller. Impact: Extra checks in the IPv6 code catch the error condition and trigger a kernel panic leading to a remote DoS denial-of-service attack with certain Ethernet...
FreeBSD -- Privilege escalation in cd(4) driver
Problem Description: To implement one particular ioctl, the Linux emulation code used a special interface present in the cd4 driver which allows it to copy subchannel information directly to a kernel address. This interface was erroneously made accessible to userland, allowing users with read...
FreeBSD -- Kernel stack disclosure in UFS/FFS
Problem Description: A bug causes up to three bytes of kernel stack memory to be written to disk as uninitialized directory entry padding. This data can be viewed by any user with read access to the directory. Additionally, a malicious user with write access to a directory can cause up to 254 byt...
www/varnish7 -- Denial of Service
The Varnish Development Team reports: A denial of service attack can be performed on Varnish Cacher servers that have the HTTP/2 protocol turned on. An attacker can let the servers HTTP/2 connection control flow window run out of credits indefinitely and prevent progress in the processing of...
Istio -- Security vulnerabilities
Istio reports: Two security vulnerabilities have recently been identified in the Envoy proxy. The vulnerabilities are centered on the fact that Envoy did not normalize HTTP URI paths and did not fully validate HTTP/1.1 header values. These vulnerabilities impact Istio features that rely on Envoy ...
FreeBSD -- System call kernel data register leak
Problem Description: The callee-save registers are used by kernel and for some of them %r8, %r10, and for non-PTI configurations, %r9 the content is not sanitized before return from syscalls, potentially leaking sensitive information. Impact: Typically an address of some kernel data structure use...
slixmpp -- improper access control
NVD reports: slixmpp version before commit 7cd73b594e8122dddf847953fcfc85ab4d316416 contains an incorrect Access Control vulnerability in XEP-0223 plugin Persistent Storage of Private Data via PubSub options profile, used for the configuration of default access model that can result in all of the...
Mbed TLS -- Local timing attack on RSA decryption
Janos Follath reports: An attacker who can run code on the same machine that is performing an RSA decryption can potentially recover the plaintext through a Bleichenbacher-like oracle...
powerdns-recursor -- Crafted query can cause a denial of service
powerdns Team reports: CVE-2018-16855: An issue has been found in PowerDNS Recursor where a remote attacker sending a DNS query can trigger an out-of-bounds memory read while computing the hash of the query for a packet cache lookup, possibly leading to a crash. When the PowerDNS Recursor is run...
mailman -- content spoofing with invalid list names in web UI
Mark Sapiro reports: A URL with a very long text listname such as http://www.example.com/mailman/listinfo/Thisisalongstringwithsomephishingtext will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site...
Gitlab -- multiple vulnerabilities
Gitlab reports: Wiki XSS Sanitize gem updates XSS in urlforparams Content injection via username Activity feed publicly displaying internal project names Persistent XSS in charts...
global -- gozilla vulnerability
MITRE reports: gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL...
wireshark -- multiple security issues
wireshark developers reports: wnpa-sec-2017-47: The IWARPMPA dissector could crash. CVE-2017-17084 wnpa-sec-2017-48: The NetBIOS dissector could crash. Discovered by Kamil Frankowicz. CVE-2017-17083 wnpa-sec-2017-49: The CIP Safety dissector could crash. CVE-2017-17085...
cacti -- multiple vulnerabilities
cacti reports: Changelog issue1057: CVE-2017-16641 - Potential vulnerability in RRDtool functions issue1066: CVE-2017-16660 in remoteagent.php logging function issue1066: CVE-2017-16661 in view log file issue1071: CVE-2017-16785 in globalsession.php Reflection XSS...
wget -- Heap overflow in HTTP protocol handling
Antti Levomäki, Christian Jalio, Joonas Pihlaja: Wget contains two vulnerabilities, a stack overflow and a heap overflow, in the handling of HTTP chunked encoding. By convincing a user to download a specific link over HTTP, an attacker may be able to execute arbitrary code with the privileges of...
GitLab -- multiple vulnerabilities
GitLab reports: Cross-Site Scripting XSS vulnerability in the Markdown sanitization filter Yasin Soliman via HackerOne reported a Cross-Site Scripting XSS vulnerability in the GitLab markdown sanitization filter. The sanitization filter was not properly stripping invalid characters from URL schem...
Node.js -- remote DOS security vulnerability
Node.js reports: Node.js was susceptible to a remote DoS attack due to a change that came in as part of zlib v1.2.9. In zlib v1.2.9 8 became an invalid value for the windowBits parameter and Node's zlib module will crash or throw an exception depending on the version...