6583 matches found
xv -- filename handling format string vulnerability
A Gentoo Linux Security Advisory reports: Tavis Ormandy of the Gentoo Linux Security Audit Team identified a flaw in the handling of image filenames by xv. Successful exploitation would require a victim to process a specially crafted image with a malformed filename, potentially resulting in the...
yamt -- buffer overflow and directory traversal issues
Stanislav Brabec discovered errors in yamt's path name handling that lead to buffer overflows and directory traversal issues. When processing a file with a maliciously crafted ID3 tag, yamt might overwrite arbitrary files or possibly execute arbitrary code. The SuSE package ChangeLog contains:...
curl -- authentication buffer overflow vulnerability
Two iDEFENSE Security Advisories reports: An exploitable stack-based buffer overflow condition exists when using NT Lan Manager NTLM authentication. The problem specifically exists within Curlinputntlm defined in lib/httpntlm.c. Successful exploitation allows remote attackers to execute arbitrary...
unrtf -- buffer overflow vulnerability
Yosef Klein and Limin Wang have found a buffer overflow vulnerability in unrtf that can allow an attacker to execute arbitrary code with the permissions of the user running unrtf, by running unrtf on a specially crafted rtf document...
bugzilla -- cross-site scripting vulnerability
A Bugzilla advisory states: This advisory covers a single cross-site scripting issue that has recently been discovered and fixed in the Bugzilla code: If a malicious user links to a Bugzilla site using a specially crafted URL, a script in the error page generated by Bugzilla will display the URL...
ecartis -- unauthorised access to admin interface
A Debian security advisory reports: A problem has been discovered in ecartis, a mailing-list manager, which allows an attacker in the same domain as the list admin to gain administrator privileges and alter list settings...
bogofilter -- RFC 2047 decoder denial-of-service vulnerability
The bogofilter team has been provided with a test case of a malformatted non-conformant RFC-2047 encoded word that can cause bogofilter versions 0.92.7 and prior to try to write a NUL byte into a memory location that is either one byte past the end of a flex buffer or to a location that is the...
squid -- SNMP module denial-of-service vulnerability
The Squid-2.5 patches page notes: If a certain malformed SNMP request is received squid restarts with a Segmentation Fault error. This only affects squid installations where SNMP is explicitly enabled via "make config". As a workaround, SNMP can be disabled by defining "snmpport 0" in squid.conf...
gnomevfs -- unsafe URI handling
Alexander Larsson reports that some versions of gnome-vfs and MidnightCommander contain a number of extfs' scripts that do not properly validate user input. If an attacker can cause her victim to process a specially-crafted URI, arbitrary commands can be executed with the privileges of the victim...
cyrus-sasl -- potential buffer overflow in DIGEST-MD5 plugin
The Cyrus SASL DIGEST-MD5 plugin contains a potential buffer overflow when quoting is required in the output...
ident2 double byte buffer overflow
Jack of RaptureSecurity reported a double byte buffer overflow in ident2. The bug may allow a remote attacker to execute arbitrary code within the context of the ident2 daemon. The daemon typically runs as user-ID nobody', but with group-ID wheel'...
mksnap_ffs clears file system options
The kernel interface for creating a snapshot of a filesystem is the same as that for changing the flags on that filesystem. Due to an oversight, the mksnapffs8 command called that interface with only the snapshot flag set, causing all other flags to be reset to the default value. A regularly...
Apache httpd -- Multiple vulnerabilities
The Apache httpd project reports: See links for details...
MongoDB -- crash due to improper validation of explain command
[email protected] reports: When run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 5 security fixes: 398065918 High CVE-2025-1920: Type Confusion in V8. Reported by Excello s.r.o. on 2025-02-21 400052777 High CVE-2025-2135: Type Confusion in V8. Reported by Zhenghang Xiao @Kipreyyy on 2025-03-02 401059730 High CVE-TBD: Out of bounds...
keycloak -- Multiple security fixes
Keycloak reports: This update includes 5 security fixes: CVE-2024-10451: Sensitive Data Exposure in Keycloak Build Process CVE-2024-10270: Potential Denial of Service CVE-2024-10492: Keycloak path trasversal CVE-2024-9666: Keycloak proxy header handling Denial-of-Service DoS vulnerability...
firefox -- Potential memory corruption and exploitable crash
[email protected] reports: An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash...
FreeBSD -- Multiple vulnerabilities in libnv
Problem Description: CVE-2024-45287 is a vulnerability that affects both the kernel and userland. A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data. CVE-2024-45288 is a...
firefox -- multiple vulnerabilities
[email protected] reports: This entry contains 8 vulnerabilities: CVE-2024-8381: A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the with environment. CVE-2024-8382: Internal browser event interfaces were exposed to web...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 3 security fixes: 353034820 Critical CVE-2024-6990: Uninitialized Use in Dawn. Reported by gelatin dessert on 2024-07-15 352872238 High CVE-2024-7255: Out of bounds read in WebTransport. Reported by Marten Richter on 2024-07-13 354748060 High...
electron29 -- multiple vulnerabilities
Electron developers report: This update fixes the following vulnerabilities: Security: backported fix for CVE-2024-6291. Security: backported fix for CVE-2024-6293. Security: backported fix for CVE-2024-6290. Security: backported fix for CVE-2024-6292...
Django -- multiple vulnerabilities
Django reports: CVE-2024-38875: Potential denial-of-service in django.utils.html.urlize. CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords. CVE-2024-39330: Potential directory-traversal in django.core.files.storage.Storage.save. CVE-2024-39614:...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 3 security fixes: 329130358 High CVE-2024-3156: Inappropriate implementation in V8. Reported by Zhenghang Xiao @Kipreyyy on 2024-03-12 329965696 High CVE-2024-3158: Use after free in Bookmarks. Reported by undoingfish on 2024-03-17 330760873 High...
Unbound -- Denial-of-Service vulnerability
NLNet Labs reports: Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an...
GLPI -- multiple vulnerabilities
GLPI team reports: GLPI 10.0.12 Changelog SECURITY - moderate Reflected XSS in reports pages CVE-2024-23645 SECURITY - moderate LDAP Injection during authentication CVE-2023-51446...
Request Tracker -- multiple vulnerabilities
Request Tracker reports: CVE-2023-41259 SECURITY: RT is vulnerable to unvalidated email headers in incoming email and the mail-gateway REST interface. CVE-2023-41260 SECURITY: RT is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST...
File deletion through document upload process in GLPI
[email protected] reports: GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files...
GLPI vulnerable to reflected XSS in search pages
[email protected] reports: GLPI is a free asset and IT management software package. Starting in version 9.4.0 and prior to version 10.0.8, a malicious link can be crafted by an unauthenticated user that can exploit a reflected XSS in case any authenticated user opens the crafted link...
FreeBSD -- Network authentication attack via pam_krb5
Problem Description: pamkrb5 authenticates the user by essentially running kinit1 with the password, getting a ticket-granting ticket' tgt from the Kerberos KDC Key Distribution Center over the network, as a way to verify the password. Normally, the system running the pamkrb5 module will also hav...
libX11 -- Sub-object overflows
The X.Org project reports: Buffer overflows in InitExt.c in libX11 prior to 1.8.6 CVE-2023-3138 The functions in src/InitExt.c in libX11 prior to 1.8.6 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, usi...
jenkins -- CSRF protection bypass vulnerability
Jenkins Security Advisory: Description High SECURITY-3135 / CVE-2023-35141 CSRF protection bypass vulnerability...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Denial of Service via arbitrarily large Issue descriptions CSRF via file upload allows an attacker to take over a repository Sidekiq background job DoS by uploading malicious CI job artifact zips Sidekiq background job DoS by uploading a malicious Helm package...
Grafana -- Stored XSS in geomap panel plugin via attribution
Grafana Labs reports: During an internal audit of Grafana on January 25, a member of the security team found a stored XSS vulnerability affecting the core geomap plugin. The stored XSS vulnerability was possible because map attributions weren’t properly sanitized, allowing arbitrary JavaScript to...
dendrite -- Incorrect parsing of the event default power level in event auth
Dendrite team reports: The power level parsing within gomatrixserverlib was failing to parse the "eventsdefault" key of the m.room.powerlevels event, defaulting the event default power level to zero in all cases. In rooms where the "eventsdefault" power level had been changed, this could result i...
FreeBSD -- Memory disclosure by stale virtual memory mapping
Problem Description: A particular case of memory sharing is mishandled in the virtual memory system. This is very similar to SA-21:08.vm, but with a different root cause. Impact: An unprivileged local user process can maintain a mapping of a page after it is freed, allowing that process to read...
py-httpx -- input validation vulnerability
lebr0nli reports: Encode OSS httpx =1.0.0.beta0 is affected by improper input validation in httpx.URL, httpx.Client and some functions using httpx.URL.copywith...
syncthing -- crash due to malformed relay protocol message
syncthing developers report: syncthing can be caused to crash and exit if sent a malformed relay protocol message message with a negative length field. The relay server strelaysrv can be caused to crash and exit if sent a malformed relay protocol message with a negative length field...
asterisk -- An unsuspecting user could crash Asterisk with multiple hold/unhold requests
The Asterisk project reports: Due to a signedness comparison mismatch, an authenticated WebRTC client could cause a stack overflow and Asterisk crash by sending multiple hold/unhold requests in quick succession...
darkhttpd -- DOS vulnerability
Mitre reports: flaw was found in darkhttpd. Invalid error handling allows remote attackers to cause denial-of-service by accessing a file with a large modification date. The highest threat from this vulnerability is to system availability...
py-Flask-Cors -- directory traversal vulnerability
praetorian-colby-morgan reports: An issue was discovered in Flask-CORS aka CORS Middleware for Flask before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format...
glpi -- SQL injection for all usages of "Clone" feature
MITRE Corporation reports: In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1...
sympa - Security flaws in setuid wrappers
A vulnerability has been discovered in Sympa web interface by which attacker can execute arbitrary code with root privileges. Sympa uses two sorts of setuid wrappers: FastCGI wrappers newaliases wrapper The FastCGI wrappers wwsympa-wrapper.fcgi and sympasoapserver-wrapper.fcgi were used to make t...
glpi -- Reflexive XSS in Dropdown menus
MITRE Corporation reports: In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6...
sympa -- Denial of service caused by malformed CSRF token
Javier Moreno discovered a vulnerability in Sympa web interface that can cause denial of service DoS attack. By submitting requests with malformed parameters, this flaw allows to create junk files in Sympa's directory for temporary files. And particularly by tampering token to prevent CSRF, it...
x11/cde -- Local privilege escalation via CDE dtsession
Marco Ivaldi marco.ivaldi mediaservice net reports: A buffer overflow in the CheckMonitor function in the Common Desktop Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle Solaris 10 1/13 Update 11 and earlier, allows local users to gain root privileges via a long palet...
Mbed TLS -- Side channel attack on deterministic ECDSA
Janos Follath reports: Mbed TLS does not have a constant-time/constant-trace arithmetic library and uses blinding to protect against side channel attacks. In the ECDSA signature routine previous Mbed TLS versions used the same RNG object for generating the ephemeral key pair and for generating th...
FreeBSD -- Insufficient message length validation in bsnmp library
Problem Description: A function extracting the length from type-length-value encoding is not properly validating the submitted length. Impact: A remote user could cause, for example, an out-of-bounds read, decoding of unrelated data, or trigger a crash of the software such as bsnmpd resulting in ...
FreeBSD -- Kernel memory disclosure in freebsd32_ioctl
Problem Description: Due to insufficient initialization of memory copied to userland in the components listed above small amounts of kernel memory may be disclosed to userland processes. Impact: A user who can invoke 32-bit FreeBSD ioctls may be able to read the contents of small portions of kern...
pango -- buffer overflow
Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pangolog2visgetembeddinglevels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when...
vlc -- Double free in Matroska demuxer
The VLC project reports: mkv: Fix potential double free...