6585 matches found
binutils -- excessive debug section size can cause excessive memory consumption in bfd's dwarf2.c read_section()
Hao Wang reports: There's a flaw in the BFD library of binutils in versions before 2.36. An attacker who supplies a crafted file to an application linked with BFD, and using the DWARF functionality, could cause an impact to system availability by way of excessive memory consumption...
sympa -- Unauthorised full access via SOAP API due to illegal cookie
Sympa community reports: Unauthorised full access via SOAP API due to illegal cookie...
mantis -- multiple vulnerabilities
Mantis 2.24.4 release reports: Security and maintenance release, addressing 6 CVEs: 0027726: CVE-2020-29603: disclosure of private project name 0027727: CVE-2020-29605: disclosure of private issue summary 0027728: CVE-2020-29604: full disclosure of private issue contents, including bugnotes and...
py-ansible -- multiple vulnerabilities
abeluck reports: A flaw was found in Ansible Base when using the awsssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality. A flaw was found in Ansible Base...
FreeBSD -- IPv6 Hop-by-Hop options use-after-free bug
Problem Description: Due to improper mbuf handling in the kernel, a use-after-free bug might be triggered by sending IPv6 Hop-by-Hop options over the loopback interface. Impact: Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic...
glpi -- leakage issue with knowledge base
MITRE Corporation reports: In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ...
FreeRDP -- Integer overflow in RDPEGFX channel
Bernhard Miklautz reports: Integer overflow due to missing input sanitation in rdpegfx channel All FreeRDP clients are affected The input rectangles from the server are not checked against local surface coordinates and blindly accepted. A malicious server can send data that will crash the client...
xrdp -- Local users can perform a buffer overflow attack against the xrdp-sesman service and then inpersonate it
Ashley Newson reports: The xrdp-sesman service can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350...
FreeBSD -- Insufficient packet length validation in libalias
Problem Description: libalias3 packet handlers do not properly validate the packet length before accessing the protocol headers. As a result, if a libalias3 module does not properly validate the packet length before accessing the protocol header, it is possible for an out of bound read or write...
vlc -- Multiple vulnerabilities fixed in VLC media player
VideoLAN reports: Details A remote user could: Create a specifically crafted image file that could trigger an out of bounds read Send a specifically crafter request to the microdns service discovery, potentially triggering various memory management issues Impact If successful, a malicious third...
glpi -- Improve encryption algorithm
MITRE Corporation reports: In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure...
FreeBSD -- Insufficient ixl(4) ioctl(2) privilege checking
Problem Description: The driver-specific ioctl2 command handlers in ixl4 failed to check whether the caller has sufficient privileges to perform the corresponding operation. Impact: The ixl4 handler permits unprivileged users to trigger updates to the device's non-volatile memory NVM...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Directory Traversal to Arbitrary File Read Account Takeover Through Expired Link Server Side Request Forgery Through Deprecated Service Group Two-Factor Authentication Requirement Bypass Stored XSS in Merge Request Pages Stored XSS in Merge Request Submission Form Stored XSS in Fi...
ISC KEA -- Multiple vulnerabilities
Internet Systems Consortium, Inc. reports: A packet containing a malformed DUID can cause the kea-dhcp6 server to terminate CVE-2019-6472 Medium An invalid hostname option can cause the kea-dhcp4 server to terminate CVE-2019-6473 Medium An oversight when validating incoming client requests can le...
Mozilla -- Stored passwords in 'Saved Logins' can be copied without master password entry
Mozilla Foundation reports: CVE-2019-11733: Stored passwords in 'Saved Logins' can be copied without master password entry When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored...
mongodb -- Attach IDs to users
Mitch Wasson of Cisco's Advanced Malware Protection Group reports: After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones...
FreeBSD -- File description reference count leak
Problem Description: If a process attempts to transmit rights over a UNIX-domain socket and an error causes the attempt to fail, references acquired on the rights are not released and are leaked. This bug can be used to cause the reference counter to wrap around and free the corresponding file...
FreeBSD -- Bhyve out-of-bounds read in XHCI device
Problem Description: The pcixhcidevicedoorbell function does not validate the 'epid' and 'streamid' provided by the guest, leading to an out-of-bounds read. Impact: A misbehaving bhyve guest could crash the system or access memory that it should not be able to...
bzip2 -- multiple issues
bzip2 developers reports: CVE-2016-3189 - Fix use-after-free in bzip2recover Jakub Martisko CVE-2019-12900 - Detect out-of-range nSelectors in corrupted files Albert Astals Cid. Found through fuzzing karchive...
buildbot -- OAuth Authentication Vulnerability
Buildbot accepted user-submitted authorization token from OAuth and used it to authenticate user. The vulnerability can lead to malicious attackers to authenticate as legitimate users of a Buildbot instance without knowledge of the victim's login credentials on certain scenarios. If an attacker h...
serendipity -- XSS
MITRE: Serendipity before 2.1.5 has XSS via EXIF data that is mishandled in the templates/2k11/admin/mediachoose.tpl Editor Preview feature or the templates/2k11/admin/mediaitems.tpl Media Library feature...
py39-sqlalchemy11 -- multiple SQL Injection vulnerabilities
21k reports: SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the orderby parameter. nosecurity reports: SQLAlchemy 1.2.17 has SQL Injection when the groupby parameter can be controlled...
py39-sqlalchemy10 -- multiple SQL Injection vulnerabilities
21k reports: SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the orderby parameter. nosecurity reports: SQLAlchemy 1.2.17 has SQL Injection when the groupby parameter can be controlled...
qutebrowser -- Remote code execution due to CSRF
qutebrowser team reports: Due to a CSRF vulnerability affecting the qute://settings page, it was possible for websites to modify qutebrowser settings. Via settings like editor.command, this possibly allowed websites to execute arbitrary code...
Libgit2 -- multiple vulnerabilities
The Git community reports: Out-of-bounds reads when reading objects from a packfile...
mozilla -- use-after-free in compositor
The Mozilla Foundation reports: CVE-2018-5148: Use-after-free in compositor A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash...
Gitlab -- multiple vulnerabilities
GitLab reports: SSRF in services and web hooks There were multiple server-side request forgery issues in the Services feature. An attacker could make requests to servers within the same network of the GitLab instance. This could lead to information disclosure, authentication bypass, or potentiall...
libvorbis -- multiple vulnerabilities
NVD reports: Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uninitialized memory in the function vorbisanalysisheaderout in info.c when vi-channels=0, a similar issue to Mozilla bug 550184. In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the...
Loofah -- XSS vulnerability
GitHub issue: This issue has been created for public disclosure of an XSS / code injection vulnerability that was responsibly reported by the Shopify Application Security Team. Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML...
firefox -- Arbitrary code execution through unsanitized browser UI
The Mozilla Foundation reports: Mozilla developer Johann Hofmann reported that unsanitized output in the browser UI can lead to arbitrary code execution...
shibboleth-sp -- vulnerable to forged user attribute data
Shibboleth consortium reports: Shibboleth SP software vulnerable to forged user attribute data The Service Provider software relies on a generic XML parser to process SAML responses and there are limitations in older versions of the parser that make it impossible to fully disable Document Type...
asterisk -- DOS Vulnerability in Asterisk chan_skinny
The Asterisk project reports: If the chanskinny AKA SCCP protocol channel driver is flooded with certain requests it can cause the asterisk process to use excessive amounts of virtual memory eventually causing asterisk to stop processing requests of any kind...
xrdp -- local user can cause a denial of service
xrdp reports: The scpv0saccept function in the session manager uses an untrusted integer as a write length, which allows local users to cause a denial of service buffer overflow and application crash or possibly have unspecified other impact via a crafted input stream...
chromium -- out of bounds read
Google Chrome Releases reports: 1 security fix in this release, including: 782145 High CVE-2017-15428: Out of bounds read in V8. Reported by Zhao Qixun of Qihoo 360 Vulcan Team on 2017-11-07...
rubygem-passenger -- arbitrary file read vulnerability
Phusion reports: The cPanel Security Team discovered a vulnerability in Passenger that allows users to list the contents of arbitrary files on the system. CVE-2017-16355 has been assigned to this issue...
jenkins -- multiple issues
jenkins developers report: A total of 11 issues are reported, please see reference URL for details...
asterisk -- Buffer overflow in CDR's set user
The Asterisk project reports: No size checking is done when setting the user field for Party B on a CDR. Thus, it is possible for someone to use an arbitrarily large string and write past the end of the user field storage buffer. The earlier AST-2017-001 advisory for the CDR user field overflow w...
kio: Information Leak when accessing https when using a malicious PAC file
Albert Astals Cid reports: Using a malicious PAC file, and then using exfiltration methods in the PAC function FindProxyForURL enables the attacker to expose full https URLs. This is a security issue since https URLs may contain sensitive information in the URL authentication part...
FreeBSD -- bhyve(8) virtual machine escape
Problem Description: The bounds checking of accesses to guest memory greater than 4GB by device emulations is subject to integer overflow. Impact: For a bhyve virtual machine with more than 3GB of guest memory configured, a malicious guest could craft device descriptors that could give it access ...
ipsec-tools -- remotely exploitable computational-complexity attack
Robert Foggia via NetBSD GNATS reports: The ipsec-tools racoon daemon contains a remotely exploitable computational complexity attack when parsing and storing isakmp fragments. The implementation permits a remote attacker to exhaust computational resources on the remote endpoint by repeatedly...
moinmoin -- XSS vulnerabilities
Thomas Waldmann reports: fix XSS in AttachFile view multifile related CVE-2016-7148 fix XSS in GUI editor's attachment dialogue CVE-2016-7146 fix XSS in GUI editor's link dialogue CVE-2016-9119...
moodle -- multiple vulnerabilities
Marina Glancy reports: MSA-16-0022: Web service tokens should be invalidated when the user password is changed or forced to be changed...
kdelibs -- directory traversal vulnerability
David Faure reports: A maliciously crafted archive .zip or .tar.bz2 with "../" in the file paths could be offered for download via the KNewStuff framework e.g. on www.kde-look.org, and upon extraction would install files anywhere in the user's home directory...
p7zip -- Null pointer dereference
MITRE reports: A null pointer dereference bug affects the 16.02 and many old versions of p7zip. A lack of null pointer check for the variable folders.PackPositions in function CInArchive::ReadAndDecodePackedStreams, as used in the 7z.so library and in 7z applications, will cause a crash and a...
dnsmasq -- denial of service
reports: Dnsmasq before 2.76 allows remote servers to cause a denial of service crash via a reply with an empty DNS address that has an 1 A or 2 AAAA record defined locally...
ansible -- use of predictable paths in lxc_container
Ansible developers report: CVE-2016-3096: do not use predictable paths in lxccontainer do not use a predictable filename for the LXC attach script don't use predictable filenames for LXC attach script logging don't set a predictable archivepath this should prevent symlink attacks which could resu...
squid -- multiple vulnerabilities
Squid security advisory 2016:3 reports: Due to a buffer overrun Squid pinger binary is vulnerable to denial of service or information leak attack when processing ICMPv6 packets. This bug also permits the server response to manipulate other ICMP and ICMPv6 queries processing to cause information...
chromium -- same origin bypass
Google Chrome Releases reports: 583431 Critical CVE-2016-1629: Same-origin bypass in Blink and Sandbox escape in Chrome. Credit to anonymous...
hadoop2 -- unauthorized disclosure of data vulnerability
Arun Suresh reports: RPC traffic from clients, potentially including authentication credentials, may be intercepted by a malicious user with access to run tasks or containers on a cluster...
dhcpcd -- remote code execution/denial of service
MITRE reports: The printoption function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other products, misinterprets the return value of the snprintf function, which allows remote DHCP servers to execute arbitrary code or cause a denial of...