6585 matches found
mambo -- "register_globals" emulation layer overwrite vulnerability
A Secunia Advisory reports: peter MC tachatte has discovered a vulnerability in Mambo, which can be exploited by malicious people to manipulate certain information and compromise a vulnerable system. The vulnerability is caused due to an error in the "registerglobals" emulation layer in...
fetchmail -- fetchmailconf local password exposure
The fetchmail team reports: The fetchmailconf program before and excluding version 1.49 opened the run control file, wrote the configuration to it, and only then changed the mode to 0600 rw-------. Writing the file, which usually contains passwords, before making it unreadable to other users, can...
acroread -- plug-in buffer overflow vulnerability
A Adobe Security Advisory reports: The identified vulnerability is a buffer overflow within a core application plug-in, which is part of Adobe Acrobat and Adobe Reader. If a malicious file were opened it could trigger a buffer overflow as the file is being loaded into Adobe Acrobat and Adobe...
phppgadmin -- "formLanguage" local file inclusion vulnerability
A Secunia Advisory reports: A vulnerability has been reported in phpPgAdmin, which can be exploited by malicious people to disclose sensitive information. Input passed to the "formLanguage" parameter in "index.php" isn't properly verified, before it is used to include files. This can be exploited...
tcpdump -- infinite loops in protocol decoding
Problem Description Several tcpdump protocol decoders contain programming errors which can cause them to go into infinite loops. Impact An attacker can inject specially crafted packets into the network which, when processed by tcpdump, could lead to a denial-of-service. After the attack, tcpdump...
ppxp -- local root exploit
A Debian Advisory reports: Jens Steube discovered that ppxp, yet another PPP program, does not release root privileges when opening potentially user supplied log files. This can be tricked into opening a root shell...
mozilla -- "Wrapped" javascript: urls bypass security checks
A Mozilla Foundation Security Advisory reports: Some security checks intended to prevent script injection were incorrect and could be bypassed by wrapping a javascript: url in the view-source: pseudo-protocol. Michael Krax demonstrated that a variant of his favicon exploit could still execute...
squid -- DNS lookup spoofing vulnerability
The squid patches page notes: Malicious users may spoof DNS lookups if the DNS client UDP port random, assigned by OS as startup is unfiltered and your network is not protected from IP spoofing...
rkhunter -- insecure temporary file creation
Gentoo reports: Sune Kloppenborg Jeppesen and Tavis Ormandy of the Gentoo Linux Security Team have reported that the checkupdate.sh script and the main rkhunter script insecurely creates several temporary files with predictable filenames. A local attacker could create symbolic links in the...
yamt -- buffer overflow and directory traversal issues
Stanislav Brabec discovered errors in yamt's path name handling that lead to buffer overflows and directory traversal issues. When processing a file with a maliciously crafted ID3 tag, yamt might overwrite arbitrary files or possibly execute arbitrary code. The SuSE package ChangeLog contains:...
curl -- authentication buffer overflow vulnerability
Two iDEFENSE Security Advisories reports: An exploitable stack-based buffer overflow condition exists when using NT Lan Manager NTLM authentication. The problem specifically exists within Curlinputntlm defined in lib/httpntlm.c. Successful exploitation allows remote attackers to execute arbitrary...
unrtf -- buffer overflow vulnerability
Yosef Klein and Limin Wang have found a buffer overflow vulnerability in unrtf that can allow an attacker to execute arbitrary code with the permissions of the user running unrtf, by running unrtf on a specially crafted rtf document...
bugzilla -- cross-site scripting vulnerability
A Bugzilla advisory states: This advisory covers a single cross-site scripting issue that has recently been discovered and fixed in the Bugzilla code: If a malicious user links to a Bugzilla site using a specially crafted URL, a script in the error page generated by Bugzilla will display the URL...
ecartis -- unauthorised access to admin interface
A Debian security advisory reports: A problem has been discovered in ecartis, a mailing-list manager, which allows an attacker in the same domain as the list admin to gain administrator privileges and alter list settings...
bogofilter -- RFC 2047 decoder denial-of-service vulnerability
The bogofilter team has been provided with a test case of a malformatted non-conformant RFC-2047 encoded word that can cause bogofilter versions 0.92.7 and prior to try to write a NUL byte into a memory location that is either one byte past the end of a flex buffer or to a location that is the...
squid -- SNMP module denial-of-service vulnerability
The Squid-2.5 patches page notes: If a certain malformed SNMP request is received squid restarts with a Segmentation Fault error. This only affects squid installations where SNMP is explicitly enabled via "make config". As a workaround, SNMP can be disabled by defining "snmpport 0" in squid.conf...
gnomevfs -- unsafe URI handling
Alexander Larsson reports that some versions of gnome-vfs and MidnightCommander contain a number of extfs' scripts that do not properly validate user input. If an attacker can cause her victim to process a specially-crafted URI, arbitrary commands can be executed with the privileges of the victim...
cyrus-sasl -- potential buffer overflow in DIGEST-MD5 plugin
The Cyrus SASL DIGEST-MD5 plugin contains a potential buffer overflow when quoting is required in the output...
ident2 double byte buffer overflow
Jack of RaptureSecurity reported a double byte buffer overflow in ident2. The bug may allow a remote attacker to execute arbitrary code within the context of the ident2 daemon. The daemon typically runs as user-ID nobody', but with group-ID wheel'...
mksnap_ffs clears file system options
The kernel interface for creating a snapshot of a filesystem is the same as that for changing the flags on that filesystem. Due to an oversight, the mksnapffs8 command called that interface with only the snapshot flag set, causing all other flags to be reset to the default value. A regularly...
kpopup -- local root exploit and local denial of service
Mitre CVE reports: Format string vulnerability in main.cpp in kpopup 0.9.1-0.9.5pre2 allows local users to cause a denial of service segmentation fault and possibly execute arbitrary code via format string specifiers in command line arguments. misc.cpp in KPopup 0.9.1 trusts the PATH variable whe...
Apache httpd -- Multiple vulnerabilities
The Apache httpd project reports: See links for details...
Post-Auth Remote Code Execution found in Roundcube Webmail
Roundcube Webmail reports: Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v...
sudo -- privilege escalation vulnerability through host and chroot options
Todd C. Miller reports, crediting Rich Mirch from Stratascale Cyber Research Unit CRU: Sudo 1.9.17p1: Fixed CVE-2025-32462. Sudo's -h --host option could be specified when running a command or editing a file. This could enable a local privilege escalation attack if the sudoers file allows the use...
MongoDB -- crash due to improper validation of explain command
[email protected] reports: When run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 5 security fixes: 398065918 High CVE-2025-1920: Type Confusion in V8. Reported by Excello s.r.o. on 2025-02-21 400052777 High CVE-2025-2135: Type Confusion in V8. Reported by Zhenghang Xiao @Kipreyyy on 2025-03-02 401059730 High CVE-TBD: Out of bounds...
keycloak -- Multiple security fixes
Keycloak reports: This update includes 5 security fixes: CVE-2024-10451: Sensitive Data Exposure in Keycloak Build Process CVE-2024-10270: Potential Denial of Service CVE-2024-10492: Keycloak path trasversal CVE-2024-9666: Keycloak proxy header handling Denial-of-Service DoS vulnerability...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 5 security fixes: 365254285 High CVE-2024-9120: Use after free in Dawn. Reported by Anonymous on 2024-09-08 363538434 High CVE-2024-9121: Inappropriate implementation in V8. Reported by Tashita Software Security on 2024-09-01 365802567 High...
firefox -- Potential memory corruption and exploitable crash
[email protected] reports: An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash...
FreeBSD -- Multiple vulnerabilities in libnv
Problem Description: CVE-2024-45287 is a vulnerability that affects both the kernel and userland. A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data. CVE-2024-45288 is a...
firefox -- multiple vulnerabilities
[email protected] reports: This entry contains 8 vulnerabilities: CVE-2024-8381: A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the with environment. CVE-2024-8382: Internal browser event interfaces were exposed to web...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 3 security fixes: 353034820 Critical CVE-2024-6990: Uninitialized Use in Dawn. Reported by gelatin dessert on 2024-07-15 352872238 High CVE-2024-7255: Out of bounds read in WebTransport. Reported by Marten Richter on 2024-07-13 354748060 High...
Django -- multiple vulnerabilities
Django reports: CVE-2024-38875: Potential denial-of-service in django.utils.html.urlize. CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords. CVE-2024-39330: Potential directory-traversal in django.core.files.storage.Storage.save. CVE-2024-39614:...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 3 security fixes: 329130358 High CVE-2024-3156: Inappropriate implementation in V8. Reported by Zhenghang Xiao @Kipreyyy on 2024-03-12 329965696 High CVE-2024-3158: Use after free in Bookmarks. Reported by undoingfish on 2024-03-17 330760873 High...
Unbound -- Denial-of-Service vulnerability
NLNet Labs reports: Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an...
GLPI -- multiple vulnerabilities
GLPI team reports: GLPI 10.0.12 Changelog SECURITY - moderate Reflected XSS in reports pages CVE-2024-23645 SECURITY - moderate LDAP Injection during authentication CVE-2023-51446...
Request Tracker -- multiple vulnerabilities
Request Tracker reports: CVE-2023-41259 SECURITY: RT is vulnerable to unvalidated email headers in incoming email and the mail-gateway REST interface. CVE-2023-41260 SECURITY: RT is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST...
File deletion through document upload process in GLPI
[email protected] reports: GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files...
FreeBSD -- Network authentication attack via pam_krb5
Problem Description: pamkrb5 authenticates the user by essentially running kinit1 with the password, getting a ticket-granting ticket' tgt from the Kerberos KDC Key Distribution Center over the network, as a way to verify the password. Normally, the system running the pamkrb5 module will also hav...
libX11 -- Sub-object overflows
The X.Org project reports: Buffer overflows in InitExt.c in libX11 prior to 1.8.6 CVE-2023-3138 The functions in src/InitExt.c in libX11 prior to 1.8.6 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, usi...
jenkins -- CSRF protection bypass vulnerability
Jenkins Security Advisory: Description High SECURITY-3135 / CVE-2023-35141 CSRF protection bypass vulnerability...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Denial of Service via arbitrarily large Issue descriptions CSRF via file upload allows an attacker to take over a repository Sidekiq background job DoS by uploading malicious CI job artifact zips Sidekiq background job DoS by uploading a malicious Helm package...
FreeBSD -- Memory disclosure by stale virtual memory mapping
Problem Description: A particular case of memory sharing is mishandled in the virtual memory system. This is very similar to SA-21:08.vm, but with a different root cause. Impact: An unprivileged local user process can maintain a mapping of a page after it is freed, allowing that process to read...
py-httpx -- input validation vulnerability
lebr0nli reports: Encode OSS httpx =1.0.0.beta0 is affected by improper input validation in httpx.URL, httpx.Client and some functions using httpx.URL.copywith...
syncthing -- crash due to malformed relay protocol message
syncthing developers report: syncthing can be caused to crash and exit if sent a malformed relay protocol message message with a negative length field. The relay server strelaysrv can be caused to crash and exit if sent a malformed relay protocol message with a negative length field...
asterisk -- An unsuspecting user could crash Asterisk with multiple hold/unhold requests
The Asterisk project reports: Due to a signedness comparison mismatch, an authenticated WebRTC client could cause a stack overflow and Asterisk crash by sending multiple hold/unhold requests in quick succession...
darkhttpd -- DOS vulnerability
Mitre reports: flaw was found in darkhttpd. Invalid error handling allows remote attackers to cause denial-of-service by accessing a file with a large modification date. The highest threat from this vulnerability is to system availability...
py-Flask-Cors -- directory traversal vulnerability
praetorian-colby-morgan reports: An issue was discovered in Flask-CORS aka CORS Middleware for Flask before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format...
glpi -- SQL injection for all usages of "Clone" feature
MITRE Corporation reports: In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1...
sympa - Security flaws in setuid wrappers
A vulnerability has been discovered in Sympa web interface by which attacker can execute arbitrary code with root privileges. Sympa uses two sorts of setuid wrappers: FastCGI wrappers newaliases wrapper The FastCGI wrappers wwsympa-wrapper.fcgi and sympasoapserver-wrapper.fcgi were used to make t...