6585 matches found
cyrus-imapd -- Remote authenticated users could bypass intended access restrictions on certain server annotations.
Cyrus IMAP 3.4.1 Release Notes states: Fixed CVE-2021-32056: Remote authenticated users could bypass intended access restrictions on certain server annotations. Additionally, a long-standing bug in replication did not allow server annotations to be replicated. Combining these two bugs, a remote...
opengrok -- Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok.
Bobby Rauch of Accenture reports: I ended up finding OpenGrok, and after careful testing, discovered that OpenGrok insecurely deserializes XML input, which can lead to Remote Code Execution. This vulnerability was found in all versions of OpenGrok 1.6.8 and was reported to Oracle. The vulnerabili...
gitea -- quoting in markdown text
The Gitea Team reports for release 1.13.5: Update to goldmark 1.3.3...
Gitlab -- Multiple vulnerabilities
Gigtlab reports: Remote code execution via unsafe user-controlled markdown rendering options...
asterisk -- Remote crash in res_pjsip_diversion
The Asterisk project reports: If a registered user is tricked into dialing a malicious number that sends lots of 181 responses to Asterisk, each one will cause a 181 to be sent back to the original caller with an increasing number of entries in the "Supported" header. Eventually the number of...
gitea -- multiple vulnerabilities
The Gitea Team reports for release 1.13.0: Add Allow-/Block-List for Migrate and Mirrors Prevent git operations for inactive users Disallow urlencoded new lines in git protocol paths if there is a port Mitigate Security vulnerability in the git hook feature Disable DSA ssh keys by default Set TLS...
py-matrix-synapse -- XSS vulnerability
Matrix developers reports: The fallback authentication endpoint served via Synapse were vulnerable to cross-site scripting XSS attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities,...
Ghostscript -- SAFER Sandbox Breakout
NVD reports: A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The 'rsearch' calculation for the 'post' size resulted in a size that was too large, and could underflow to max uint32t...
upnp -- denial of service (crash)
CVE mitre reports: Portable UPnP SDK aka libupnp 1.12.1 and earlier allows remote attackers to cause a denial of service crash via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/servicetable/servicetable.c...
FreeBSD -- Memory disclosure vulnerability in libalias
Problem Description: The FTP packet handler in libalias incorrectly calculates some packet lengths. This may result in disclosing small amounts of memory from the kernel for the in-kernel NAT implementation or from the process space for natd for the userspace implementation. Impact: A malicious...
Wagtail -- potential timing attack vulnerability
Wagtail release notes: CVE-2020-11037: Potential timing attack on password-protected private pages This release addresses a potential timing attack on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through ...
puppetserver and puppetdb -- Puppet Server and PuppetDB may leak sensitive information via metrics API
Puppetlabs reports: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types which may contain sensitive information as we...
puppet6 -- Arbitrary Catalog Retrieval
Puppetlabs reports: Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the default node, the catalog ca...
RabbitMQ-C -- integer overflow leads to heap corruption
alanxz reports: When parsing a frame header, validate that the framesize is less than or equal to INT32MAX. Given framemax is limited between 0 and INT32MAX in amqplogin and friends, this does not change the API. This prevents a potential buffer overflow when a malicious client sends a framesize...
KDE Frameworks -- malicious .desktop files execute code
The KDE Community has released a security announcement: The syntax Key$e=$shell command in .desktop files, .directory files, and configuration files typically found in /.config was an intentional feature of KConfig, to allow flexible configuration. This could however be abused by malicious people...
doas -- Prevent passing of environment variables
Jesse Smith upstream author of the doas program reported: Previous versions of "doas" transferred most environment variables, such as USER, HOME, and PATH from the original user to the target user. Passing these variables could cause files in the wrong path or home directory to be read or written...
gitea -- multiple vulnerabilities
The Gitea Team reports: This release contains two security fixes, so we highly recommend updating...
znc -- Denial of Service
Mitre reports: ZNC before 1.7.3-rc1 allows an existing remote user to cause a Denial of Service crash via invalid encoding...
glpi -- stored XSS
MITRE Corporation reports: inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture...
botan2 -- Side channel during ECC key generation
botan2 developers reports: A timing side channel during ECC key generation could leak information about the high bits of the secret scalar. Such information allows an attacker to perform a brute force attack on the key somewhat more efficiently than they would otherwise. Found by Ján Jančár using...
OpenEXR -- heap buffer overflow, and out-of-memory bugs
Cary Phillips reports: OpenEXR IlmBase v2.4.0 fixes the following security vulnerabilities: CVE-2018-18444 Issue 351 Out of Memory CVE-2018-18443 Issue 350 heap-buffer-overflow The relevant patches have been backported to the FreeBSD ports...
FreeBSD -- Unauthenticated EAPOL-Key Decryption Vulnerability
Problem Description: When using WPA2, EAPOL-Key frames with the Encrypted flag and without the MIC flag set, the data field was decrypted first without verifying the MIC. When the dta field was encrypted using RC4, for example, when negotiating TKIP as a pairwise cipher, the unauthenticated but...
X11 Session -- SDDM allows unauthorised unlocking
MITRE reports: An issue was discovered in SDDM through 0.17.0. If configured with ReuseSession=true, the password is not checked for users with an already existing session. Any user with access to the system D-Bus can therefore unlock any graphical session. The default configuration of SDDM on...
Gitlab -- multiple vulnerabilities
GitLab reports: Confidential issue comments in Slack, Mattermost, and webhook integrations. Persistent XSS in milestones data-milestone-id. Persistent XSS in filename of merge request...
moodle -- multiple vulnerabilities
moodle reports: Unauthenticated users can trigger custom messages to admin via paypal enrol script. Suspended users with OAuth 2 authentication method can still log in to the site...
libXfont -- permission bypass when opening files through symlinks
the freedesktop.org project reports: A non-privileged X client can instruct X server running under root to open any file by creating own directory with "fonts.dir", "fonts.alias" or any font file being a symbolic link to any other file in the system. X server will then open it. This can be issue...
FreeBSD -- POSIX shm allows jails to access global namespace
Problem Description: Named paths are globally scoped, meaning a process located in one jail can read and modify the content of POSIX shared memory objects created by a process in another jail or the host system. Impact: A malicious user that has access to a jailed system is able to abuse shared...
FreeBSD -- Kernel data leak via ptrace(PT_LWPINFO)
Problem Description: Not all information in the struct ptracelwpinfo is relevant for the state of any thread, and the kernel does not fill the irrelevant bytes or short strings. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of informatio...
node -- access to unintended files
node developers report: Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules...
libraw -- Out-of-bounds Read
libraw developers report: In LibRaw through 0.18.4, an out of bounds read flaw related to kodak65000loadraw has been reported in dcraw/dcraw.c and internal/dcrawcommon.cpp. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash...
libbson -- Denial of Service
mongodb developers report: In MongoDB libbson 1.7.0, the bsonitercodewscope function in bson-iter.c miscalculates a bsonutf8validate length argument, which allows remote attackers to cause a denial of service heap-based buffer over-read in the bsonutf8validate function in bson-utf8.c, as...
FreeBSD -- ipfilter(4) fragment handling panic
Problem Description: ipfilter4, capable of stateful packet inspection, using the "keep state" or "keep frags" rule options, will not only maintain the state of connections, such as TCP streams or UDP communication, it also maintains the state of fragmented packets. When a packet fragments are...
asterisk -- Buffer Overrun in PJSIP transaction layer
The Asterisk project reports: A remote crash can be triggered by sending a SIP packet to Asterisk with a specially crafted CSeq header and a Via header with no branch parameter. The issue is that the PJSIP RFC 2543 transaction key generation algorithm does not allocate a large enough buffer. By...
phpMyAdmin -- bypass 'no password' restriction
The phpMyAdmin team reports: Summary Bypass $cfg'Servers'$i'AllowNoPassword' Description A vulnerability was discovered where the restrictions caused by $cfg'Servers'$i'AllowNoPassword' = false are bypassed under certain PHP versions. This can allow the login of users who have no password set eve...
FreeBSD -- Possible login(1) argument injection in telnetd(8)
Problem Description: An unexpected sequence of memory allocation failures combined with insufficient error checking could result in the construction and execution of an argument sequence that was not intended. Impact: An attacker who controls the sequence of memory allocation failures and success...
collectd -- Network plugin heap overflow
The collectd Project reports: Emilien Gaspar has identified a heap overflow in collectd's network plugin which can be triggered remotely and is potentially exploitable...
jansson -- local denial of service vulnerabilities
QuickFuzz reports: A crash caused by stack exhaustion parsing a JSON was found...
kamailio -- SEAS Module Heap overflow
Stelios Tsampas reports: A remotely exploitable heap overflow vulnerability was found in Kamailio v4.3.4...
xymon-server -- multiple vulnerabilities
J.C. Cleaver reports: CVE-2016-2054: Buffer overflow in xymond handling of "config" command CVE-2016-2055: Access to possibly confidential files in the Xymon configuration directory CVE-2016-2056: Shell command injection in the "useradm" and "chpasswd" web applications CVE-2016-2057: Incorrect...
FreeBSD -- Linux compatibility layer setgroups(2) system call
Problem Description: A programming error in the Linux compatibility layer setgroups2 system call can lead to an unexpected results, such as overwriting random kernel memory contents. Impact: It is possible for a local attacker to overwrite portions of kernel memory, which may result in a privileg...
php -- multiple vulnerabilities
PHP reports: Core: Fixed bug 70755 fpmlog.c memory leak and buffer overflow. GD: Fixed bug 70976 Memory Read via gdImageRotateInterpolated Array Index Out of Bounds. SOAP: Fixed bug 70900 SoapClient systematic out of memory error. Wddx Fixed bug 70661 Use After Free Vulnerability in WDDX Packet...
Salt -- information disclosure
Salt release notes report: CVE-2015-8034: Saving state.sls cache data to disk with insecure permissions This affects users of the state.sls function. The state run cache on the minion was being created with incorrect permissions. This file could potentially contain sensitive data that was inserte...
redmine -- multiple vulnerabilities
Redmine reports: Potential changeset message disclosure in issues API. Data disclosure on the time logging form...
codeigniter -- multiple XSS vulnerabilities
The CodeIgniter changelog reports: Fixed a number of XSS attack vectors in Security Library method xssclean thanks to Frans Rosén from Detectify...
pcre -- heap overflow vulnerability
Guanxing Wen reports: PCRE library is prone to a vulnerability which leads to Heap Overflow. During the compilation of a malformed regular expression, more data is written on the malloced block than the expected size output by compileregex. The Heap Overflow vulnerability is caused by the followi...
squid -- Improper Protection of Alternate Path with CONNECT requests
Squid security advisory 2015:2 reports: Squid configured with cachepeer and operating on explicit proxy traffic does not correctly handle CONNECT method peer responses. The bug is important because it allows remote clients to bypass security in an explicit gateway proxy. However, the bug is...
Joomla! -- Core - Open Redirect vulnerability
The JSST and the Joomla! Security Center report: 20150601 - Core - Open Redirect Inadequate checking of the return value allowed to redirect to an external page...
xen-tools -- PCI MSI mask bits inadvertently exposed to guests
The Xen Project reports: The mask bits optionally available in the PCI MSI capability structure are used by the hypervisor to occasionally suppress interrupt delivery. Unprivileged guests were, however, nevertheless allowed direct control of these bits. Interrupts may be observed by Xen at...
FreeBSD -- Insecure default GELI keyfile permissions
Problem Description: The default permission set by bsdinstall8 installer when configuring full disk encrypted ZFS is too open. Impact: A local attacker may be able to get a copy of the geli8 provider's keyfile which is located at a fixed location...
ha -- Directory traversals
Alexander Cherepanov reports: Version 0.999b and older of ha archiver is susceptible to directory traversal vulnerabilities via absolute and relative paths...